tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Henri Gomez" <henri.go...@gmail.com>
Subject Re: JNDIRealm
Date Tue, 22 Apr 2008 19:20:00 GMT
Do you have a patch against the current JNDIRealm ?

2008/4/22, Seth Leger <seth.leger@raritan.com>:
> Henri Gomez wrote:
>
> > I do some search today and debugged TC 6.0.x trunk from my eclipse.
> > Authentification works great and the only remaining problem it so
> > setup roles in AD for users.
> >
> > I used :
> >
> >    <Realm
> className="org.apache.catalina.realm.JNDIRealm"
> >         connectionURL="ldap://ldap.mycorp.com:389"
> >         alternateURL="ldap://ldap.mycorp.com:389"
> >
> connectionName="cn=someldapaccounttobind,ou=MyCorp
> > Users,dc=mycorp,dc=com"
> >
> connectionPassword="someldapaccounttobindpassword"
> >           userBase="ou=MyCorp Users,dc=mycorp,dc=com"
> >           userSearch="(sAMAccountName={0})"
> >           userSubtree="true"
> >           referrals="follow"
> >           userRoleName="memberOf"
> >           debug="true"
> >           />
> >
> >
>  Yes, this use case will work with the current Tomcat 6.0.X JNDIRealm code
> because your Active Directory administrator has given you search credentials
> for the Active Directory server
> (cn=someldapaccounttobind,ou=MyCorpUsers,dc=mycorp,dc=com/someldapaccounttobindpassword).
> But not all Active Directory administrators are willing to give out a set of
> credentials like this (for instance, a strict, enterprise environment where
> password access is strictly controlled).
>
>  My patch removes that requirement from the JNDIRealm. Instead of relying on
> a hard-coded value for authentication, it can fall back to using the
> credentials being supplied to the authenticate() call to perform the JNDI
> search (which will succeed because users have permissions to view their own
> LDAP object instance, as far as I know this is always true). The password is
> never stored; it is only transmitted at login time to the server (and this
> transmission can be protected from interception with LDAP over SSL).
>
>  It's a pretty minor change, written similarly to the way that the current
> JNDIRealm code retries during connection timeouts.
>
>  Seth Leger
>  Sr. Software Engineer
>  Raritan, Inc.
>
> ---------------------------------------------------------------------
>  To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>  For additional commands, e-mail: dev-help@tomcat.apache.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message