tomcat-users mailing list archives

From "Jonathan Eric Miller" <jemil...@uchicago.edu>
Subject Re: Roles in JNDIRealms
Date Mon, 10 Jun 2002 19:44:56 GMT
If you are using Tomcat 4.1.3, there are two modes that you can use for
checking roles. If you set roleSearch, it will search for group
objects that contain a list of users for each group. If you set
userRoleName, it will get the group information out of the user's entry
instead, i.e. you don't need separate group objects.

If you are using Active Directory, I found that you can use a setup similar
to the following.

This goes in server.xml,

<Realm className="org.apache.catalina.realm.JNDIRealm"
 debug="99"
 connectionName="myadminuser@mydomain"
 connectionPassword="myadminpassword"
 connectionURL="ldap://mydomaincontroller"
 userBase="cn=Users, dc=mydomain"
 userRoleName="memberOf"
 userSearch="(userPrincipalName={0}@mydomain)"/>

Group membership is stored in an attribute named memberOf in Active
Directory. myadminuser doesn't really have to be an admin user in AD. It
just has to have read permission to the memberOf attribute which is visible
to normal user accounts by default.

This goes in web.xml,

<security-constraint>
 <web-resource-collection>
  <web-resource-name>Tomcat</web-resource-name>
  <url-pattern>/*</url-pattern>
 </web-resource-collection>
 <auth-constraint>
  <role-name>CN=Tomcat,CN=Users,DC=mydomain</role-name>
 </auth-constraint>
</security-constraint>
<login-config>
 <auth-method>BASIC</auth-method>
 <realm-name>Tomcat</realm-name>
</login-config>

In the above example, I created a group in the Users container named Tomcat.
If you want to see how things are organized in Active Directory, you can use
LDIFDE to dump the directory into an LDIF file. That's how I figured it out.

Jon

----- Original Message -----
From: "Cristina Perez Sanchez" <cgparrifo@yahoo.com>
To: <tomcat-user@jakarta.apache.org>
Sent: Monday, June 10, 2002 9:10 AM
Subject: Roles in JNDIRealms


> Hi,
>
> could anyone tell me what objectclass group
> entries that represent roles associated to users in
> JNDIRealms must have? I use groupOfUniqueNames as objectclass
> but I would like to know if the objectclass group is
> more proper or if the objectclass isn't relevant.
>
>
> Thanks in advance,
>
> Cristina
>


--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
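As an added illustration (not code from the post or from Tomcat), the Python sketch below models the two role-resolution modes Jon describes against a constructed in-memory directory: the entries, user names and the group's "member" attribute are invented. It shows why, in the userRoleName="memberOf" mode, the web.xml role-name has to be the full group DN, whereas a group search yields the bare group name.

```python
# Constructed stand-in for the Active Directory entries discussed in the
# post. DNs, users and group membership are invented for this example.
DIRECTORY = {
    "CN=jsmith,CN=Users,DC=mydomain": {
        "userPrincipalName": ["jsmith@mydomain"],
        "memberOf": ["CN=Tomcat,CN=Users,DC=mydomain",
                     "CN=Domain Users,CN=Users,DC=mydomain"],
    },
    "CN=bjones,CN=Users,DC=mydomain": {
        "userPrincipalName": ["bjones@mydomain"],
        "memberOf": ["CN=Domain Users,CN=Users,DC=mydomain"],
    },
    "CN=Tomcat,CN=Users,DC=mydomain": {
        "objectClass": ["group"],
        "member": ["CN=jsmith,CN=Users,DC=mydomain"],
    },
}


def find_user_dn(username, domain="mydomain"):
    """Mimic userSearch="(userPrincipalName={0}@mydomain)": exact UPN match."""
    upn = f"{username}@{domain}"
    for dn, attrs in DIRECTORY.items():
        if upn in attrs.get("userPrincipalName", []):
            return dn
    return None


def roles_via_user_role_name(user_dn, user_role_name="memberOf"):
    """Mode 1 (userRoleName): roles are the raw values of one attribute on
    the user's own entry. With AD's memberOf those values are group DNs."""
    return set(DIRECTORY[user_dn].get(user_role_name, []))


def roles_via_role_search(user_dn, role_name="cn", member_attr="member"):
    """Mode 2 (roleSearch): find group entries listing the user's DN and
    report the group's role_name attribute (here the cn, e.g. "Tomcat")."""
    roles = set()
    for dn, attrs in DIRECTORY.items():
        is_group = "group" in attrs.get("objectClass", [])
        if is_group and user_dn in attrs.get(member_attr, []):
            rdn = dn.split(",")[0]  # e.g. "CN=Tomcat"
            if rdn.lower().startswith(role_name.lower() + "="):
                roles.add(rdn.split("=", 1)[1])
    return roles


def is_authorized(roles, required):
    """The web.xml <role-name> must equal one resolved role string exactly."""
    return required in roles
```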

