tomcat-users mailing list archives

From Ryan <nies...@yahoo.com>
Subject Re: Re[2]: Roles in JNDIRealms
Date Mon, 10 Jun 2002 21:55:30 GMT
Jacob,
I took a quick look at the source, but it looks like
the passwords are digested here also (i.e. will not
work with Active Directory). From what I understand,
with AD the authentication has to be done _on_ the
server.
Thanks,
Ryan

--- Jacob Kjome <hoju@visi.com> wrote:
> Hello Ryan,
> 
> Check this out:
> http://www.peacetech.com/java/files/apache/tomcat/
> 
> I haven't used it (nor have I used JNDIRealm at all so far), but I
> grab stuff that looks like useful info off the list and put it in my
> Vault ( http://www.personalmicrocosms.com/ ) from time to time.
> Hopefully it is useful for you.
> 
> Jake
> 
> Monday, June 10, 2002, 3:18:15 PM, you wrote:
> 
> R> Jonathan,
> R> This is sort of off subject, but does your Active
> R> Directory setup work for Authentication?? It seems to
> R> me that it wouldn't since there is no userPassword
> R> attribute in AD, but I am hoping I'm wrong.
> R> Thanks,
> R> Ryan
> 
> R> --- Jonathan Eric Miller <jemiller@uchicago.edu> wrote:
> >> If you are using Tomcat 4.1.3, there are two modes that you can use for
> >> checking roles. If you set roleSearch, it will search for group
> >> objects that contain a list of users for each group. If you set
> >> userRoleName, it will get the group information out of the user's entry
> >> instead, i.e. you don't need separate group objects.
> >> 
> >> If you are using Active Directory, I found that you can use a setup similar
> >> to the following.
> >> 
> >> This goes in server.xml,
> >> 
> >> <Realm
> >> className="org.apache.catalina.realm.JNDIRealm"
> >>  debug="99"
> >>  connectionName="myadminuser@mydomain"
> >>  connectionPassword="myadminpassword"
> >>  connectionURL="ldap://mydomaincontroller"
> >>  userBase="cn=Users, dc=mydomain"
> >>  userRoleName="memberOf"
> >>  userSearch="(userPrincipalName={0}@mydomain)"/>
> >> 
> >> Group membership is stored in an attribute named memberOf in Active
> >> Directory. myadminuser doesn't really have to be an admin user in AD. It
> >> just has to have read permission to the memberOf attribute which is visible
> >> to normal user accounts by default.
> >> 
> >> This goes in web.xml,
> >> 
> >> <security-constraint>
> >>  <web-resource-collection>
> >>   <web-resource-name>Tomcat</web-resource-name>
> >>   <url-pattern>/*</url-pattern>
> >>  </web-resource-collection>
> >>  <auth-constraint>
> >>   <role-name>CN=Tomcat,CN=Users,DC=mydomain</role-name>
> >>  </auth-constraint>
> >> </security-constraint>
> >> <login-config>
> >>  <auth-method>BASIC</auth-method>
> >>  <realm-name>Tomcat</realm-name>
> >> </login-config>
> >> 
> >> In the above example, I created a group in the Users container named Tomcat.
> >> If you want to see how things are organized in Active Directory, you can use
> >> LDIFDE to dump the directory into an LDIF file. That's how I figured it out.
> >> 
> >> Jon
> >> 
> >> ----- Original Message -----
> >> From: "Cristina Perez Sanchez" <cgparrifo@yahoo.com>
> >> To: <tomcat-user@jakarta.apache.org>
> >> Sent: Monday, June 10, 2002 9:10 AM
> >> Subject: Roles in JNDIRealms
> >> 
> >> 
> >> > Hi,
> >> >
> >> > could anyone tell me what objectclass must be group
> >> > entries that represent roles associated to users in
> >> > JNDIRealms?? I use groupOfUniqueNames as objectclass
> >> > but I would like to know if the objectclass group is
> >> > more proper or if the objectclass isn't relevant.
> >> >
> >> >
> >> > Thanks in advance,
> >> >
> >> > Cristina
> >> >
> >> >
> >> > __________________________________________________
> >> > Do You Yahoo!?
> >> > Yahoo! - Official partner of 2002 FIFA World Cup
> >> > http://fifaworldcup.yahoo.com
> >> >
> >> > --
> >> > To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> >> > For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
> >> >
> >> 
> >> 
> 
> -- 
> Best regards,
>  Jacob  mailto:hoju@visi.com
> 
> 

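
The quoted setup depends on two string substitutions: the login name filling {0} in userSearch, and a memberOf value matching the role-name in web.xml. The Java below is an added example, not code from this thread or from Tomcat: it escapes the login per RFC 4515 before building the filter, and reports whether a memberOf value equals the role-name exactly or only as a DN. The class name, method names, logins and memberOf values are hypothetical, and it assumes the container compares role names as plain strings.

```java
import java.text.MessageFormat;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

public class AdRoleCheck {  // hypothetical class, not part of Tomcat
    // RFC 4515 escaping for a value substituted into an LDAP search filter.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Fill the {0} of a userSearch pattern with the escaped login name.
    static String buildUserFilter(String userSearch, String login) {
        return MessageFormat.format(userSearch, escapeFilterValue(login));
    }

    // EXACT: a memberOf value equals the role-name string; DN_ONLY: same DN but
    // different case or spacing; NONE: the user is not in that group.
    static String matchRole(List<String> memberOf, String roleName) throws InvalidNameException {
        LdapName wanted = new LdapName(roleName);
        String result = "NONE";
        for (String group : memberOf) {
            if (group.equals(roleName)) return "EXACT";
            if (new LdapName(group).equals(wanted)) result = "DN_ONLY";
        }
        return result;
    }

    public static void main(String[] args) throws InvalidNameException {
        String userSearch = "(userPrincipalName={0}@mydomain)";  // from the quoted server.xml
        String roleName = "CN=Tomcat,CN=Users,DC=mydomain";      // from the quoted web.xml
        System.out.println(buildUserFilter(userSearch, "alice"));  // constructed login
        System.out.println(buildUserFilter(userSearch, "a*(b)"));  // metacharacters get escaped
        // Constructed memberOf values, as an LDIFDE dump might show them.
        System.out.println(matchRole(List.of("CN=Tomcat,CN=Users,DC=mydomain"), roleName));
        System.out.println(matchRole(List.of("cn=tomcat, cn=Users, dc=mydomain"), roleName));
        System.out.println(matchRole(List.of("CN=Domain Users,CN=Users,DC=mydomain"), roleName));
    }
}
```

A DN_ONLY result means the user is in the group but a string comparison against the role-name would still deny access, so the role-name should be copied exactly as the directory returns the memberOf value.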

