tomcat-users mailing list archives

From "Jonathan Eric Miller" <jemil...@uchicago.edu>
Subject Re: Re[3]: Roles in JNDIRealms
Date Tue, 11 Jun 2002 23:43:00 GMT
I think you can use whatever objectClass you want. The only filter that it
uses for finding roles is the string that you set roleSearch to.

Jon

----- Original Message -----
From: "Cristina Perez Sanchez" <cgparrifo@yahoo.com>
To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
Sent: Tuesday, June 11, 2002 3:36 AM
Subject: Re: Re[3]: Roles in JNDIRealms


> Hi,
>
> first, thanks for your answers.
>
> I would like to ask another question. I use Tomcat
> 4.0.3 and so I have to set roleSearch and create group
> objects that contain the DNs of users associated to.
> Which objectclass must be these group entries?
> groupOfUniqueNames objectclass? group class? Are both
> valid?
>
>
> Thanks,
>
> Cristina
>
>
> --- Jonathan Eric Miller <jemiller@uchicago.edu>
> wrote:
> > Jacob,
> >
> > I'm happy to say that there is a new "bind as user"
> > mode in Tomcat 4.1.3
> > which verifies the user password by binding as them
> > to the directory, rather
> > than querying the directory for the password. You
> > are correct, previously it
> > wouldn't work with Active Directory (as well as any
> > other directory that
> > didn't store it's passwords in the specific format
> > that Tomcat wanted), but,
> > now it does. Now, if you don't set the userPassword
> > attribute, it operates
> > in "bind as user" mode. They haven't updated the
> > main end-user documentation
> > on JNDIRealm yet, but, if you look at the Catalina
> > developer docs, you'll
> > see what I'm referring to if you look at the
> > JNDIRealm class.
> >
> > Jon
> >
> > ----- Original Message -----
> > From: "Ryan" <niespam@yahoo.com>
> > To: "Tomcat Users List"
> > <tomcat-user@jakarta.apache.org>; "Jacob Kjome"
> > <hoju@visi.com>
> > Sent: Monday, June 10, 2002 4:55 PM
> > Subject: Re: Re[2]: Roles in JNDIRealms
> >
> >
> > > Jacob,
> > > I took a quick look at the source, but it looks
> > like
> > > the passwords are digested here also (i.e. will
> > not
> > > work with Active Directory). From what I
> > understand,
> > > with AD the authentication has to be done _on_ the
> > > server.
> > > Thanks,
> > > Ryan
> > >
> > > --- Jacob Kjome <hoju@visi.com> wrote:
> > > > Hello Ryan,
> > > >
> > > > Check this out:
> > > >
> > http://www.peacetech.com/java/files/apache/tomcat/
> > > >
> > > > I haven't used it (nor have I used JNDIRealm at
> > all
> > > > so far), but I
> > > > grab stuff that looks like useful info off the
> > list
> > > > and put it in my
> > > > Vault ( http://www.personalmicrocosms.com/ )
> > from
> > > > time to time. Hopefully it is useful for you.
> > > >
> > > > Jake
> > > >
> > > > Monday, June 10, 2002, 3:18:15 PM, you wrote:
> > > >
> > > > R> Jonathan,
> > > > R> This is sort of off subject, but does your
> > Active
> > > > R> Directory setup work for Authentication?? It
> > > > seems to
> > > > R> me that it wouldn't since there is no
> > > > userPassword
> > > > R> attribute in AD, but I am hoping I'm wrong.
> > > > R> Thanks,
> > > > R> Ryan
> > > >
> > > > R> --- Jonathan Eric Miller
> > <jemiller@uchicago.edu>
> > > > R> wrote:
> > > > >> If you are using Tomcat 4.1.3, there are two
> > > > modes
> > > > >> that you can use for
> > > > >> checking roles. If you set roleSearch, it
> > will
> > > > look
> > > > >> for search for group
> > > > >> objects that contain a list of users for each
> > > > group.
> > > > >> If you set
> > > > >> userRoleName, it will get the group
> > information
> > > > out
> > > > >> of the user's entry
> > > > >> instead. i.e. you don't need separate group
> > > > objects.
> > > > >>
> > > > >> If you are using Active Directory, I found
> > that
> > > > you
> > > > >> can use a setup similar
> > > > >> to the following.
> > > > >>
> > > > >> This goes in server.xml,
> > > > >>
> > > > >> <Realm
> > > > >>  className="org.apache.catalina.realm.JNDIRealm"
> > > > >>  debug="99"
> > > > >>  connectionName="myadminuser@mydomain"
> > > > >>  connectionPassword="myadminpassword"
> > > > >>  connectionURL="ldap://mydomaincontroller"
> > > > >>  userBase="cn=Users, dc=mydomain"
> > > > >>  userRoleName="memberOf"
> > > > >>  userSearch="(userPrincipalName={0}@mydomain)"/>
> > > > >>
> > > > >> Group membership is stored in an attribute
> > named
> > > > >> memberOf in Active
> > > > >> Directory. myadminuser doesn't really have to
> > be
> > > > an
> > > > >> admin user in AD. It
> > > > >> just has to have read permission to the
> > memberOf
> > > > >> attribute which is visible
> > > > >> to normal user accounts by default.
> > > > >>
> > > > >> This goes in web.xml,
> > > > >>
> > > > >> <security-constraint>
> > > > >>  <web-resource-collection>
> > > > >>   <web-resource-name>Tomcat</web-resource-name>
> > > > >>   <url-pattern>/*</url-pattern>
> > > > >>  </web-resource-collection>
> > > > >>  <auth-constraint>
> > > > >>   <role-name>CN=Tomcat,CN=Users,DC=mydomain</role-name>
> > > > >>  </auth-constraint>
> > > > >> </security-constraint>
> > > > >> <login-config>
> > > > >>  <auth-method>BASIC</auth-method>
> > > > >>  <realm-name>Tomcat</realm-name>
> > > > >> </login-config>
> > > > >>
> > > > >> In the above example, I created a group in
> > the
> > > > Users
> > > > >> container named Tomcat.
> > > > >> If you want to see how things are organized
> > in
> > > > >> Active Directory, you can use
> > > > >> LDIFDE to dump the directory into an LDIF
> > file.
> > > > >> That's how I figured it out.
> > > > >>
> > > > >> Jon
> > > > >>
> > > > >> ----- Original Message -----
> > > > >> From: "Cristina Perez Sanchez"
> > > > <cgparrifo@yahoo.com>
> > > > >> To: <tomcat-user@jakarta.apache.org>
> > > > >> Sent: Monday, June 10, 2002 9:10 AM
> > > > >> Subject: Roles in JNDIRealms
> > > > >>
> > > > >>
> > > > >> > Hi,
> > > > >> >
> > > > >> > could anyone tell me what objectclass must
> > be
> > > > >> group
> > > > >> > entries that represent roles associated to
> > > > users
> > > > >> in
> > > > >> > JNDIRealms?? I use groupOfUniqueNames as
> > > > >> objectclass
> > > > >> > but I would like to know if the objectclass
> > > > group
> > > > >> is
> > > > >> > more proper or if the objectclass isn't
> > > > relevant.
> > > > >> >
> > > > >> >
> > > > >> > Thanks for advance,
> > > > >> >
> > > > >> > Cristina
> > > > >> >
> > > > >> >
> > > >
> > __________________________________________________
> > > > >> > Do You Yahoo!?
> > > > >> > Yahoo! - Official partner of 2002 FIFA
> > World
> > > > Cup
> > > > >> > http://fifaworldcup.yahoo.com
> > > > >> >
> >
> === message truncated ===
>
>
> --
> To unsubscribe, e-mail:
<mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail:
<mailto:tomcat-user-help@jakarta.apache.org>
>


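The two role-checking modes Jon describes (userRoleName reading memberOf straight from the user's entry, versus roleSearch finding group objects that list the user's DN, where the group's objectClass plays no part), modelled in Python as an added example; this is not code from the thread or from Tomcat's JNDIRealm. The in-memory directory, the single-equality-filter evaluator and the RFC 4515 escape helper are constructed assumptions for the model.

```python
import re

# Constructed sample directory (not real data): one AD-style user entry with memberOf values
# and one group object that lists the user's DN (groupOfUniqueNames style).
DIRECTORY = {
    "CN=alice,CN=Users,DC=mydomain": {
        "userPrincipalName": ["alice@mydomain"],
        "memberOf": ["CN=Tomcat,CN=Users,DC=mydomain", "CN=Staff,CN=Users,DC=mydomain"],
    },
    "CN=Tomcat,CN=Users,DC=mydomain": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["Tomcat"],
        "uniqueMember": ["CN=alice,CN=Users,DC=mydomain"],
    },
}

def escape_filter_value(value):
    """RFC 4515 escaping: the substituted value is matched literally, never as filter syntax."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def substitute(template, arg):
    """JNDIRealm-style {0} substitution into userSearch / roleSearch, escaping first."""
    return template.replace("{0}", escape_filter_value(arg))

def search(base, filter_str):
    """Toy evaluator for a single equality filter (attr=value) under base, case-insensitive."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        raise ValueError("only (attr=value) filters are supported in this model")
    want = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), m.group(2)).lower()
    return [dn for dn, entry in DIRECTORY.items() if dn.lower().endswith(base.lower())
            and any(v.lower() == want for v in entry.get(m.group(1), []))]

def find_user(user_base, user_search, username):
    """Resolve the login name to exactly one DN, as the userSearch attribute does."""
    hits = search(user_base, substitute(user_search, username))
    return hits[0] if len(hits) == 1 else None

def roles_via_user_role_name(user_dn, user_role_name="memberOf"):
    """Mode 1 (userRoleName): roles are read from the user's own entry, no group objects.
    The values are full DNs, so the web.xml role-name must be the full DN as well."""
    return list(DIRECTORY[user_dn].get(user_role_name, []))

def roles_via_role_search(user_dn, role_base, role_search, role_name="cn"):
    """Mode 2 (roleSearch): group objects matching the filter for the user's DN; the group's
    objectClass is never consulted, only the roleSearch filter and the roleName attribute."""
    return [v for dn in search(role_base, substitute(role_search, user_dn))
            for v in DIRECTORY[dn].get(role_name, [])]
```

A roleSearch filter naming an attribute the group entries do not carry (for example `member` against a `groupOfUniqueNames` group) simply yields no roles, which is the usual cause of a user who authenticates but is denied by the auth-constraint.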

