From: John Holman
To: "Tomcat Users List"
Date: Sat, 02 Feb 2002 00:07:29 +0000
Subject: Re: JNDIRealm

Fredrik

At 15:06 29/01/02, you wrote:
>John Holman wrote:
> >
> > JNDIRealm works by retrieving the password from the directory server and
> > comparing it explicitly with the value given by
> > the user. Unfortunately AFAIK this mode of operation will not work with
> > eDirectory.
>
>Reading the Realm HOWTO again made me realize that... Why would anyone
>want the Realm to get the password from the server instead of doing a
>simple LDAP bind?

I agree - almost always a bind is better, unless you need to support HTTP
digest authentication.

> > There have been proposals (e.g. from me) to enhance JNDIRealm to allow it
> > to authenticate the user by binding to the directory server, in the same
> > way as auth_ldap. This should work with eDirectory, but isn't available
> > yet.
>
>Has the proposal been approved by the Tomcat developers, and are there
>any people working on this issue?

Similar proposals are in the draft functional specification for the JNDI
realm, and I submitted a patch to the tomcat-dev list earlier today that
implements the required functionality. You are more than welcome to try it,
if you get the chance. I'm hoping that this patch will get incorporated into
Tomcat ...

John.

>--
>Fredrik Westermarck
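The trade-off discussed in this message (retrieve-and-compare versus bind, and why HTTP digest is the exception) can be shown with a small model. This is an added example, not part of the original message and not Tomcat or JNDIRealm code; `FakeDirectory`, its `readable` flag and the three `auth_*` helpers are hypothetical names, and the directory contents are constructed.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    # RFC 2617 response without qop: MD5(HA1:nonce:HA2)
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class FakeDirectory:
    """Constructed in-memory stand-in for an LDAP server (not a real API)."""
    def __init__(self, passwords, readable):
        self._passwords = passwords
        self._readable = readable  # assumption: a server may withhold the attribute

    def read_password(self, user):
        return self._passwords.get(user) if self._readable else None

    def bind(self, user, password):
        if password == "":
            return True  # models an LDAP unauthenticated bind (RFC 4513, 5.1.2)
        stored = self._passwords.get(user)
        return stored is not None and hmac.compare_digest(
            stored.encode(), password.encode())

def auth_by_compare(directory, user, password):
    # Retrieve-and-compare mode: the realm must be able to read the password.
    stored = directory.read_password(user)
    return stored is not None and hmac.compare_digest(
        stored.encode(), password.encode())

def auth_by_bind(directory, user, password):
    # Bind mode: the server checks the password; the realm never reads it.
    if not password:  # never forward an empty password to the server
        return False
    return directory.bind(user, password)

def auth_digest(directory, user, realm, method, uri, nonce, response):
    # The client sends only a hash, so there is nothing to bind with:
    # the realm must obtain the stored password to recompute the response.
    stored = directory.read_password(user)
    if stored is None:
        return False
    expected = digest_response(user, realm, stored, method, uri, nonce)
    return hmac.compare_digest(expected.encode(), response.encode())
```

The empty-password check in `auth_by_bind` matters in bind mode because a simple bind with an empty password is treated as unauthenticated and can succeed on servers that permit it.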