tomcat-users mailing list archives

From Ryan <nies...@yahoo.com>
Subject Re: Re[2]: Roles in JNDIRealms
Date Tue, 11 Jun 2002 16:46:56 GMT
Jon,
Excellent! Thanks for the info.
Ryan

--- Jonathan Eric Miller <jemiller@uchicago.edu> wrote:
> Jacob,
> 
> I'm happy to say that there is a new "bind as user" mode in Tomcat 4.1.3 which verifies the user password by binding as them to the directory, rather than querying the directory for the password. You are correct, previously it wouldn't work with Active Directory (as well as any other directory that didn't store its passwords in the specific format that Tomcat wanted), but, now it does. Now, if you don't set the userPassword attribute, it operates in "bind as user" mode. They haven't updated the main end-user documentation on JNDIRealm yet, but, if you look at the Catalina developer docs, you'll see what I'm referring to if you look at the JNDIRealm class.
> 
> Jon
> 
> ----- Original Message -----
> From: "Ryan" <niespam@yahoo.com>
> To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>; "Jacob Kjome" <hoju@visi.com>
> Sent: Monday, June 10, 2002 4:55 PM
> Subject: Re: Re[2]: Roles in JNDIRealms
> 
> > Jacob,
> > I took a quick look at the source, but it looks like the passwords are digested here also (i.e. will not work with Active Directory). From what I understand, with AD the authentication has to be done _on_ the server.
> > Thanks,
> > Ryan
> >
> > --- Jacob Kjome <hoju@visi.com> wrote:
> > > Hello Ryan,
> > >
> > > Check this out:
> > > http://www.peacetech.com/java/files/apache/tomcat/
> > >
> > > I haven't used it (nor have I used JNDIRealm at all so far), but I grab stuff that looks like useful info off the list and put it in my Vault ( http://www.personalmicrocosms.com/ ) from time to time. Hopefully it is useful for you.
> > >
> > > Jake
> > >
> > > Monday, June 10, 2002, 3:18:15 PM, you wrote:
> > >
> > > R> Jonathan,
> > > R> This is sort of off subject, but does your Active Directory setup work for Authentication?? It seems to me that it wouldn't since there is no userPassword attribute in AD, but I am hoping I'm wrong.
> > > R> Thanks,
> > > R> Ryan
> > >
> > > R> --- Jonathan Eric Miller <jemiller@uchicago.edu> wrote:
> > > >> If you are using Tomcat 4.1.3, there are two modes that you can use for checking roles. If you set roleSearch, it will search for group objects that contain a list of users for each group. If you set userRoleName, it will get the group information out of the user's entry instead. i.e. you don't need separate group objects.
> > > >>
> > > >> If you are using Active Directory, I found that you can use a setup similar to the following.
> > > >>
> > > >> This goes in server.xml,
> > > >>
> > > >> <Realm className="org.apache.catalina.realm.JNDIRealm"
> > > >>   debug="99"
> > > >>   connectionName="myadminuser@mydomain"
> > > >>   connectionPassword="myadminpassword"
> > > >>   connectionURL="ldap://mydomaincontroller"
> > > >>   userBase="cn=Users, dc=mydomain"
> > > >>   userRoleName="memberOf"
> > > >>   userSearch="(userPrincipalName={0}@mydomain)"/>
> > > >>
> > > >> Group membership is stored in an attribute named memberOf in Active Directory. myadminuser doesn't really have to be an admin user in AD. It just has to have read permission to the memberOf attribute which is visible to normal user accounts by default.
> > > >>
> > > >> This goes in web.xml,
> > > >>
> > > >> <security-constraint>
> > > >>   <web-resource-collection>
> > > >>     <web-resource-name>Tomcat</web-resource-name>
> > > >>     <url-pattern>/*</url-pattern>
> > > >>   </web-resource-collection>
> > > >>   <auth-constraint>
> > > >>     <role-name>CN=Tomcat,CN=Users,DC=mydomain</role-name>
> > > >>   </auth-constraint>
> > > >> </security-constraint>
> > > >> <login-config>
> > > >>   <auth-method>BASIC</auth-method>
> > > >>   <realm-name>Tomcat</realm-name>
> > > >> </login-config>
> > > >>
> > > >> In the above example, I created a group in the Users container named Tomcat. If you want to see how things are organized in Active Directory, you can use LDIFDE to dump the directory into an LDIF file. That's how I figured it out.
> > > >>
> > > >> Jon
> > > >>
> > > >> ----- Original Message -----
> > > >> From: "Cristina Perez Sanchez" <cgparrifo@yahoo.com>
> > > >> To: <tomcat-user@jakarta.apache.org>
> > > >> Sent: Monday, June 10, 2002 9:10 AM
> > > >> Subject: Roles in JNDIRealms
> > > >>
> > > >> > Hi,
> > > >> >
> > > >> > could anyone tell me what objectclass must be group entries that represent roles associated to users in JNDIRealms?? I use groupOfUniqueNames as objectclass but I would like to know if the objectclass group is more proper or if the objectclass isn't relevant.
> > > >> >
> > > >> > Thanks for advance,
> > > >> >
> > > >> > Cristina
> > > >> >
> 
=== message truncated ===
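As an added illustration (not code from the thread and not Tomcat's JNDIRealm implementation), the Python below parses a constructed LDIFDE-style dump of the Users container and resolves a user's roles the way the userSearch-on-userPrincipalName plus userRoleName="memberOf" setup in Jon's mail does, which is a quick way to check, before touching server.xml, that the web.xml role-name is the group's full DN exactly as the directory returns it. All entries, names and domains in the sample are made up.

```python
import base64
# Constructed sample shaped like an LDIFDE dump of the Users container (not real
# data); it includes a folded line (leading space) and a base64 value ("::").
SAMPLE_LDIF = """\
dn: CN=Ryan,CN=Users,DC=mydomain
userPrincipalName: ryan@mydomain
memberOf: CN=Tomcat,CN=Users,DC=mydomain
memberOf: CN=Domain Users,CN=Users,
 DC=mydomain

dn: CN=Alice,CN=Users,DC=mydomain
userPrincipalName:: YWxpY2VAbXlkb21haW4=
memberOf: CN=Domain Users,CN=Users,DC=mydomain
"""

def parse_ldif(text):
    """Return {dn: {attr_lowercase: [values]}}; unfolds lines, decodes '::' values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # rejoin a folded continuation line
        else:
            unfolded.append(raw)
    entries, current = {}, {}
    for line in unfolded + [""]:             # the trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries[current["dn"][0]] = current
            current = {}
        elif not line.startswith("#"):       # '#' lines are comments
            name, sep, value = line.partition(":")
            if not sep:
                continue                     # not an attribute line
            if value.startswith(":"):        # 'attr:: base64' value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(name.lower(), []).append(value.strip())
    return entries

def roles_for_user(entries, upn):
    """Roles as userSearch on userPrincipalName plus userRoleName="memberOf" yield them."""
    for entry in entries.values():
        if upn.lower() in [v.lower() for v in entry.get("userprincipalname", [])]:
            return entry.get("memberof", [])
    return []

def has_role(entries, upn, role_name):
    """Plain string comparison: web.xml's <role-name> must be the full group DN."""
    return role_name in roles_for_user(entries, upn)

ENTRIES = parse_ldif(SAMPLE_LDIF)
```

Run it against a real LDIFDE export of the user container to see the exact memberOf strings the realm will compare against the role-name in web.xml.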




