tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Henri Gomez" <henri.go...@gmail.com>
Subject Re: JNDIRealm
Date Tue, 22 Apr 2008 16:21:32 GMT
> It is possible to perform successful authentication against an Active
> Directory server with the standard JNDIRealm but only if:
>
>  a) A bind DN and bind password is supplied to JNDIRealm

got that

>  b) Anonymous searches (with null credentials) are successful against the
> server
>
>  (b) is highly unlikely because by default, Active Directory does not allow
> searches of the user tree for anonymous users. It is not desirable to enable
> this behavior in many cases because it allows any network client to discover
> the Active Directory user list without credentials.
>
>  For (a) to work, the Active Directory administrator must give bind DN and
> password of a user with search permissions to the Tomcat administrator. This
> could either be the Administrator password or the password of a dummy user
> that is set up for this purpose. However, this is also undesirable in many
> cases because it means that the LDAP administrator is giving out an
> Administrator-level password that is likely being stored in plain text
> inside the Tomcat configuration. This is more secure than anonymous access
> but still isn't acceptable for many users.
>
>  My patch changes the behavior so that the credentials provided during
> authentication are used during a login to perform the LDAP search.

I do some search today and debugged TC 6.0.x trunk from my eclipse.
Authentification works great and the only remaining problem it so
setup roles in AD for users.

I used :

    <Realm   className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://ldap.mycorp.com:389"
         alternateURL="ldap://ldap.mycorp.com:389"
         connectionName="cn=someldapaccounttobind,ou=MyCorp
Users,dc=mycorp,dc=com"
         connectionPassword="someldapaccounttobindpassword"
           userBase="ou=MyCorp Users,dc=mycorp,dc=com"
           userSearch="(sAMAccountName={0})"
           userSubtree="true"
           referrals="follow"
           userRoleName="memberOf"
           debug="true"
           />

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message