tomcat-users mailing list archives

From "Jonathan Eric Miller" <jemil...@uchicago.edu>
Subject Re: Re[2]: Roles in JNDIRealms
Date Mon, 10 Jun 2002 23:55:58 GMT
Jacob,

I'm happy to say that there is a new "bind as user" mode in Tomcat 4.1.3
which verifies the user password by binding as them to the directory, rather
than querying the directory for the password. You are correct, previously it
wouldn't work with Active Directory (as well as any other directory that
didn't store its passwords in the specific format that Tomcat wanted), but
now it does. Now, if you don't set the userPassword attribute, it operates
in "bind as user" mode. They haven't updated the main end-user documentation
on JNDIRealm yet, but if you look at the Catalina developer docs, you'll
see what I'm referring to if you look at the JNDIRealm class.

Jon

----- Original Message -----
From: "Ryan" <niespam@yahoo.com>
To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>; "Jacob Kjome"
<hoju@visi.com>
Sent: Monday, June 10, 2002 4:55 PM
Subject: Re: Re[2]: Roles in JNDIRealms


> Jacob,
> I took a quick look at the source, but it looks like
> the passwords are digested here also (i.e. will not
> work with Active Directory). From what I understand,
> with AD the authentication has to be done _on_ the
> server.
> Thanks,
> Ryan
>
> --- Jacob Kjome <hoju@visi.com> wrote:
> > Hello Ryan,
> >
> > Check this out:
> > http://www.peacetech.com/java/files/apache/tomcat/
> >
> > I haven't used it (nor have I used JNDIRealm at all so far), but I
> > grab stuff that looks like useful info off the list and put it in my
> > Vault ( http://www.personalmicrocosms.com/ ) from time to time.
> > Hopefully it is useful for you.
> >
> > Jake
> >
> > Monday, June 10, 2002, 3:18:15 PM, you wrote:
> >
> > R> Jonathan,
> > R> This is sort of off subject, but does your Active
> > R> Directory setup work for Authentication?? It seems to
> > R> me that it wouldn't since there is no userPassword
> > R> attribute in AD, but I am hoping I'm wrong.
> > R> Thanks,
> > R> Ryan
> >
> > R> --- Jonathan Eric Miller <jemiller@uchicago.edu>
> > R> wrote:
> > >> If you are using Tomcat 4.1.3, there are two modes
> > >> that you can use for checking roles. If you set
> > >> roleSearch, it will search for group objects that
> > >> contain a list of users for each group. If you set
> > >> userRoleName, it will get the group information out
> > >> of the user's entry instead, i.e. you don't need
> > >> separate group objects.
> > >>
> > >> If you are using Active Directory, I found that you
> > >> can use a setup similar to the following.
> > >>
> > >> This goes in server.xml:
> > >>
> > >> <Realm
> > >>  className="org.apache.catalina.realm.JNDIRealm"
> > >>  debug="99"
> > >>  connectionName="myadminuser@mydomain"
> > >>  connectionPassword="myadminpassword"
> > >>  connectionURL="ldap://mydomaincontroller"
> > >>  userBase="cn=Users, dc=mydomain"
> > >>  userRoleName="memberOf"
> > >>  userSearch="(userPrincipalName={0}@mydomain)"/>
> > >>
> > >> Group membership is stored in an attribute named
> > >> memberOf in Active Directory. myadminuser doesn't
> > >> really have to be an admin user in AD. It just has to
> > >> have read permission to the memberOf attribute, which
> > >> is visible to normal user accounts by default.
> > >>
> > >> This goes in web.xml:
> > >>
> > >> <security-constraint>
> > >>  <web-resource-collection>
> > >>   <web-resource-name>Tomcat</web-resource-name>
> > >>   <url-pattern>/*</url-pattern>
> > >>  </web-resource-collection>
> > >>  <auth-constraint>
> > >>   <role-name>CN=Tomcat,CN=Users,DC=mydomain</role-name>
> > >>  </auth-constraint>
> > >> </security-constraint>
> > >> <login-config>
> > >>  <auth-method>BASIC</auth-method>
> > >>  <realm-name>Tomcat</realm-name>
> > >> </login-config>
> > >>
> > >> In the above example, I created a group in the Users
> > >> container named Tomcat. If you want to see how things
> > >> are organized in Active Directory, you can use LDIFDE
> > >> to dump the directory into an LDIF file. That's how I
> > >> figured it out.
> > >>
> > >> Jon
> > >>
> > >> ----- Original Message -----
> > >> From: "Cristina Perez Sanchez" <cgparrifo@yahoo.com>
> > >> To: <tomcat-user@jakarta.apache.org>
> > >> Sent: Monday, June 10, 2002 9:10 AM
> > >> Subject: Roles in JNDIRealms
> > >>
> > >>
> > >> > Hi,
> > >> >
> > >> > could anyone tell me what objectclass the group
> > >> > entries that represent roles associated to users in
> > >> > JNDIRealms must have?? I use groupOfUniqueNames as
> > >> > the objectclass, but I would like to know if the
> > >> > objectclass group is more proper or if the
> > >> > objectclass isn't relevant.
> > >> >
> > >> >
> > >> > Thanks in advance,
> > >> >
> > >> > Cristina
> > >> >
> > >> >
> > >> >
> > >> > --
> > >> > To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> > >> > For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
> > >> >
> > >>
> > >>
> >
> >
> >
> >
> >
> > --
> > Best regards,
> >  Jacob
> > mailto:hoju@visi.com
> >
> >
> >
>
>
>


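As an added example (my own code, not Tomcat's JNDIRealm and not anything posted in the thread), this is the "bind as user" flow Jon describes at the top of the message, combined with the memberOf role check from his quoted server.xml and web.xml: look the user up with a read-only service account, then prove the password by binding as the user's own DN, so no password attribute is ever read from the directory. Class and method names are mine, the connection values are the placeholders from the quoted configuration, and it needs a reachable directory to run.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.LdapName;
public class BindAsUserRealm {
    // Settings copied from the server.xml in the thread; they are placeholders, not a real domain.
    static final String URL = "ldap://mydomaincontroller";
    static final String SERVICE_USER = "myadminuser@mydomain";  // needs only read access to memberOf
    static final String SERVICE_PASS = "myadminpassword";
    static final String USER_BASE = "cn=Users, dc=mydomain";
    static DirContext bind(String principal, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }
    // Step 1: find the user's DN and memberOf values with the service account (userSearch + userRoleName).
    // Step 2: prove the password by binding as that DN. Returns group DNs, or null if user/password is wrong.
    static List<String> authenticate(String username, String password) throws NamingException {
        if (username == null || password == null || password.isEmpty()) return null;  // empty = anonymous bind
        DirContext svc = bind(SERVICE_USER, SERVICE_PASS);  // a bad service password propagates, not masked
        try {
            SearchControls sc = new SearchControls();  // default scope: direct children of the container
            sc.setReturningAttributes(new String[] {"memberOf"});
            // {0} is a filter argument, so JNDI encodes it rather than splicing raw text into the filter.
            NamingEnumeration<SearchResult> hits =
                svc.search(USER_BASE, "(userPrincipalName={0}@mydomain)", new Object[] {username}, sc);
            if (!hits.hasMore()) return null;
            SearchResult entry = hits.next();
            if (hits.hasMore()) return null;  // ambiguous match: refuse rather than pick one
            List<String> groups = new ArrayList<>();
            Attribute memberOf = entry.getAttributes().get("memberOf");  // absent when the user has no groups
            if (memberOf != null) for (NamingEnumeration<?> v = memberOf.getAll(); v.hasMore();) groups.add(v.next().toString());
            bind(entry.getNameInNamespace(), password).close();  // throws AuthenticationException if wrong
            return groups;
        } catch (AuthenticationException wrongPassword) {
            return null;
        } finally {
            svc.close();
        }
    }
    static boolean hasRole(List<String> groups, String roleDn) throws InvalidNameException {
        LdapName want = new LdapName(roleDn);  // the <role-name>; LdapName compares DNs ignoring case and spacing
        for (String g : groups) if (new LdapName(g).equals(want)) return true;
        return false;
    }
}
```

A caller that receives null from authenticate() treats unknown users and wrong passwords identically, which is the same outcome a BASIC challenge against the realm produces.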

