tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ar...@EASTPOINT.COM
Subject RE: Tomcat with LDAP/OpenLDAP
Date Wed, 23 Apr 2003 20:53:18 GMT
Having the groups anonymous accessible does not sound like a good thing. I
may pursue tweaking the JNDIRealm as you suggest if Tomcat needs the roles
to be anonymous. I was thinking a bit about making changes to it anyway to
allow more flexibility in the user and group patterns (probably nothing
generally useful). Hopefully I can extend vs. replace to accommodate this.

Thank You Very Much,
Art

-----Original Message-----
From: Mark R. Diggory [mailto:mdiggory@latte.harvard.edu] 
Sent: Wednesday, April 23, 2003 4:12 PM
To: Tomcat Users List
Subject: Re: Tomcat with LDAP/OpenLDAP


Ahhhh, we allow anonymous access to our group membership right now. I 
recall a discussion I had with the Tomcat Group concerning using the 
"Authentication bind context" to do the role searching, some folks 
didn't have positive things to say about doing it. I didn't really agree 
with them.

 The Tomcat Documentation on JNDI Realm suggests this

> An example |Realm| element for the OpenLDAP directory server
> configured as described above might look like this, assuming that 
> users use their uid (e.g. jjones) to login to the application and that 
> an anonymous connection is sufficient to search the directory and 
> retrieve role information:
>
>
><Realm   className="org.apache.catalina.realm.JNDIRealm" debug="99"
>     connectionURL="ldap://localhost:389"
>       userPattern="uid={0},ou=people,dc=mycompany,dc=com"
>          roleBase="ou=groups,dc=mycompany,dc=com"
>          roleName="cn"
>        roleSearch="(uniqueMember={0})"
>/>
>

I really wish they'd made it an option when I suggested it. I've learned 
more about Realms since then, it wouldn't be difficult to copy the 
JNDIRealm code and tweek it support role search in the Authentication 
Context then install it for your own use in the tomcat4/server/ directory.

-Mark

art_w@EASTPOINT.COM wrote:

>This is encouraging, so it should be able to work.
>
>I am using the uniqueMember attribute of the groupOfUniqueNames 
>objectClass. My groups are right under the ou=Groups element.
>
>I tried roleSubtree="true" anyway and it did not make any difference - 
>still does not work.
>
>If I paste the filter from the Tomcat log into an LBE (LDAP 
>Browser\Editor) search it finds it.
>
>I was just looking at the LDAP log. I see the word anonymous in there, 
>could Tomcat be authenticating to LDAP as anonymous to get the roles? 
>Wouldn't it use the already established and authenticated connection? 
>Here is what I
>see:
>
>Apr 23 15:33:45 dev1 slapd[34706]: conn=113 op=6 BIND 
>dn="cn=Admin,ou=People,o=EastPoint,c=us" method=128 Apr 23 15:33:45 
>dev1 slapd[34706]: conn=113 op=6 AUTHZ 
>dn="cn=Admin,ou=People,o=EastPoint,c=us" mech=simple ssf=0 Apr 23 
>15:33:45 dev1 slapd[34706]: conn=113 op=6 RESULT tag=97 err=0 text= Apr 
>23 15:33:45 dev1 slapd[34706]: conn=113 op=7 SRCH base="" scope=0 
>filter="(objectClass=*)" Apr 23 15:33:45 dev1 slapd[34706]: conn=113 
>op=7 RESULT tag=101 err=0 text= Apr 23 15:33:45 dev1 slapd[34706]: 
>conn=113 op=9 AUTHZ anonymous mech=implicit ssf=0
>Apr 23 15:33:45 dev1 slapd[34706]: conn=113 op=9 BIND dn="" method=128
>Apr 23 15:33:45 dev1 slapd[34706]: conn=113 op=9 RESULT tag=97 err=0 text=
>Apr 23 15:33:45 dev1 slapd[34706]: conn=113 op=10 SRCH
>base="ou=Groups,o=EastPoint,c=us" scope=2
>filter="(uniqueMember=cn=admin,ou=people,o=eastpoint,c=us)"
>
>Maybe I am reading this wrong, I do not find the OpenLDAP log the 
>easiest thing to parse.
>
>Thank You,
>Art
>
>-----Original Message-----
>From: Mark R. Diggory [mailto:mdiggory@latte.harvard.edu]
>Sent: Wednesday, April 23, 2003 2:47 PM
>To: Tomcat Users List
>Subject: Re: Tomcat with LDAP/OpenLDAP
>
>
>Do your groups store users under the "uniqueMember" attribute or
>"member" attribute? We are now using JNDI realm successfully on tomcat 
>4.1.24. here's my config for it:
>
><Context debug="0" reloadable="true" docBase="VDC" path="/VDC"> <Realm 
>className="org.apache.catalina.realm.JNDIRealm"
>connectionURL="ldap://your.host.here:389"
>userPattern="uid={0},ou=vdcid,ou=osprey,o=vdc" roleBase="o=vdc" 
>roleName="vdcGroup" roleSearch="(member={0})" roleSubtree="true"/>
></Context>
>
>Our groups are stored in  custom "vdcGroup" entiries, users are stored
>in the "member" attribute.
>
>I may be the case your missing the roleSubtree if your groups aren't 
>all
>one level inside your roleBase.
>
>-Mark
>
>art_w@EASTPOINT.COM wrote:
>
>  
>
>>Hi,
>>
>>I am new to the Tomcat user list (just signed up a few minutes ago). I
>>have been trying to get Tomcat authentication working with OpenLDAP. I 
>>got it to the point where the user appears to be getting authenticated 
>>OK, but the roles do not seem to be getting resolved. I have roleBase, 
>>roleName, and roleSearch set so that they should find the roles in the 
>>directory, but they are never found.
>>
>>In desperation I started looking all over (google, etc) in the hope
>>that someone else had encountered this problem and reported a solution. 
>>Eventually I came across the message below from Jonathan Eric Miller 
>>that indicates that "JNDIRealm is broken and unusable". Is this 
>>correct? Is there a Bugzilla entry for this, I could not find a bug 
>>that indicated that it was completely broken (but may have missed it).
>>
>>I hope that Jonathan is referring to Tomcat 5 (or 3 or something). I 
>>am
>>using Tomcat 4.1.24.
>>
>>Any suggestions? My roleSearch looks like:
>>roleSearch="(uniqueMember={0})"
>>
>>Oh, for now the application that I am trying to get working is "Tomcat
>>Administration", so it should be looking for the "admin" role.
>>
>>In the log I have:
>>2003-04-22 20:28:41 JNDIRealm[Standalone]: Connecting to URL
>>ldap://localhost:389 2003-04-22 20:30:41 JNDIRealm[Standalone]: 
>>lookupUser(Admin) 2003-04-22 20:30:41 JNDIRealm[Standalone]:
>>dn=cn=Admin,ou=People,o=EastPoint,c=us
>>2003-04-22 20:30:41 JNDIRealm[Standalone]:   validating credentials by
>>binding as the user
>>2003-04-22 20:30:41 JNDIRealm[Standalone]:   binding as
>>cn=Admin,ou=People,o=EastPoint,c=us
>>2003-04-22 20:30:41 JNDIRealm[Standalone]: Username Admin successfully
>>authenticated
>>2003-04-22 20:30:41 JNDIRealm[Standalone]:
>>getRoles(cn=Admin,ou=People,o=EastPoint,c=us)
>>2003-04-22 20:30:41 JNDIRealm[Standalone]:   Searching role base
>>'ou=Groups,o=EastPoint,c=us' for attribute 'cn'
>>2003-04-22 20:30:41 JNDIRealm[Standalone]:   With filter expression
>>'(uniqueMember=cn=Admin,ou=People,o=EastPoint,c=us)'
>>2003-04-22 20:30:42 JNDIRealm[Standalone]:   Returning 0 roles
>>2003-04-22 20:30:42 JNDIRealm[Standalone]: Username Admin does NOT have
>>    
>>
>role
>  
>
>>admin
>>
>>
>>Thank You,
>>Art
>>
>>Re: Tomcat with LDAP
>>
>>*	From: Jonathan Eric Miller 
>>*	Subject: Re: Tomcat with LDAP 
>>*	Date: Wed, 02 Apr 2003 13:32:27 -0800 
>>
>>JNDIRealm is broken and unusable.
>>
>>Jon
>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>>
>> 
>>
>>    
>>
>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>  
>



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Mime
View raw message