tomcat-dev mailing list archives

From Seth Leger <seth.le...@raritan.com>
Subject Re: JNDIRealm
Date Wed, 23 Apr 2008 15:21:00 GMT
This patch will have some offset problems because it's off of my working 
copy of the JNDIRealm class. But you should be able to get the general 
idea of what's going on here.

-- Seth

Henri Gomez wrote:
> Do you have a patch against the current JNDIRealm?
>
> 2008/4/22, Seth Leger <seth.leger@raritan.com>:
>
>> Henri Gomez wrote:
>>
>>> I did some searching today and debugged TC 6.0.x trunk from my Eclipse.
>>> Authentication works great, and the only remaining problem is to
>>> set up roles in AD for users.
>>>
>>> I used:
>>>
>>>    <Realm
>>>       className="org.apache.catalina.realm.JNDIRealm"
>>>       connectionURL="ldap://ldap.mycorp.com:389"
>>>       alternateURL="ldap://ldap.mycorp.com:389"
>>>       connectionName="cn=someldapaccounttobind,ou=MyCorp Users,dc=mycorp,dc=com"
>>>       connectionPassword="someldapaccounttobindpassword"
>>>       userBase="ou=MyCorp Users,dc=mycorp,dc=com"
>>>       userSearch="(sAMAccountName={0})"
>>>       userSubtree="true"
>>>       referrals="follow"
>>>       userRoleName="memberOf"
>>>       debug="true"
>>>       />
>>>
>>  Yes, this use case will work with the current Tomcat 6.0.X JNDIRealm code
>> because your Active Directory administrator has given you search credentials
>> for the Active Directory server
>> (cn=someldapaccounttobind,ou=MyCorp Users,dc=mycorp,dc=com/someldapaccounttobindpassword).
>> But not all Active Directory administrators are willing to give out a set of
>> credentials like this (for instance, a strict, enterprise environment where
>> password access is strictly controlled).
>>
>>  My patch removes that requirement from the JNDIRealm. Instead of relying on
>> a hard-coded value for authentication, it can fall back to using the
>> credentials being supplied to the authenticate() call to perform the JNDI
>> search (which will succeed because users have permissions to view their own
>> LDAP object instance; as far as I know this is always true). The password is
>> never stored; it is only transmitted at login time to the server (and this
>> transmission can be protected from interception with LDAP over SSL).
>>
>>  It's a pretty minor change, written similarly to the way that the current
>> JNDIRealm code retries during connection timeouts.
>>
>>  Seth Leger
>>  Sr. Software Engineer
>>  Raritan, Inc.
>>
>> ---------------------------------------------------------------------
>>  To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>>  For additional commands, e-mail: dev-help@tomcat.apache.org
>>
>>
>>
>

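The "search as the authenticating user" flow that the thread describes, written out as an added stand-alone example for this page (it is not Tomcat's JNDIRealm and not Seth's patch; the class name, method names, the `ldaps://` URL and the `mycorp.com` UPN suffix are assumptions). It keeps the thread's `userBase`, `userSearch` and `userRoleName` values and shows the two checks a practitioner wants around this pattern: the username is RFC 4515-escaped before it is substituted into the filter, and an empty password is rejected before any bind, because an LDAP simple bind with a DN and an empty password is an unauthenticated bind that the server reports as successful.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Search-as-user authentication against Active Directory: no connectionName /
 * connectionPassword service account is stored. The user's own simple bind both
 * verifies the password and provides the context used to read the user's entry
 * and its memberOf values. Example written for this page; names are invented.
 */
public final class SearchAsUserLdapAuth {

    private final String connectionUrl; // assumed: ldaps://ldap.mycorp.com:636
    private final String bindDomain;    // assumed: mycorp.com, UPN suffix for the bind principal
    private final String userBase;      // from the thread: ou=MyCorp Users,dc=mycorp,dc=com
    private final String userSearch;    // from the thread: (sAMAccountName={0})
    private final String userRoleName;  // from the thread: memberOf

    public SearchAsUserLdapAuth(String connectionUrl, String bindDomain,
                                String userBase, String userSearch, String userRoleName) {
        this.connectionUrl = connectionUrl;
        this.bindDomain = bindDomain;
        this.userBase = userBase;
        this.userSearch = userSearch;
        this.userRoleName = userRoleName;
    }

    /** RFC 4515 escaping, so a username such as "*)(objectClass=*" cannot alter the filter. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Returns the role attribute values when the bind succeeds and exactly one entry
     * matches under userBase; returns null when authentication fails.
     */
    public List<String> authenticate(String username, String password) throws NamingException {
        // Empty password = unauthenticated bind (RFC 4513 section 5.1.2): the server reports
        // success without checking anything, so it must never reach the directory.
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            return null;
        }
        // Allow-list the account name (an assumption for this example) so the caller cannot
        // smuggle "@other.domain" or "DOMAIN\" into the bind principal built below.
        if (!username.matches("[A-Za-z0-9._-]{1,64}")) {
            return null;
        }

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, connectionUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, username + "@" + bindDomain); // UPN form accepted by AD
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put(Context.REFERRAL, "follow"); // matches referrals="follow" in the thread's config

        DirContext ctx;
        try {
            ctx = new InitialDirContext(env); // the bind itself is the password check
        } catch (AuthenticationException e) {
            return null; // wrong password, or a disabled / locked account
        }
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE); // userSubtree="true"
            controls.setReturningAttributes(new String[] { userRoleName });
            String filter = userSearch.replace("{0}", escapeFilterValue(username));

            NamingEnumeration<SearchResult> results = ctx.search(userBase, filter, controls);
            if (!results.hasMore()) {
                return null; // bind worked, but the account is not under userBase
            }
            SearchResult entry = results.next();
            if (results.hasMore()) {
                return null; // ambiguous match: refuse rather than guess
            }
            List<String> roles = new ArrayList<>();
            Attribute attr = entry.getAttributes().get(userRoleName);
            if (attr != null) {
                NamingEnumeration<?> values = attr.getAll();
                while (values.hasMore()) {
                    roles.add(String.valueOf(values.next())); // each value is a group DN
                }
            }
            return roles;
        } finally {
            ctx.close();
        }
    }
}
```

Two design notes. The thread's config points at `ldap://ldap.mycorp.com:389`; with this pattern every login sends the user's real password in the bind, so the example assumes `ldaps://` (or at least StartTLS) as Seth's LDAP-over-SSL remark suggests, otherwise the password is visible on the wire. The empty-password check and the username allow-list are what keep "bind as the user" from becoming "bind as anyone": without them an empty password yields a successful unauthenticated bind, and a username containing `@` or `\` lets the caller choose the bind principal's domain.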