tomcat-users mailing list archives

From Andrey Polozov <>
Subject JNDIRealm and multiple groups in LDAP.
Date Tue, 28 Dec 2004 22:09:16 GMT

I'm trying to apply JNDIRealm to an LDAP structure where each user
belongs to some group (organizationalUnit):

dn: ou=Group1, o=myorg
objectclass: organizationalUnit
ou: Group1

dn: uid=user1, ou=Group1, o=myorg
objectclass: person
uid: user1

dn: ou=Group2, o=myorg
objectclass: organizationalUnit
ou: Group2

dn: uid=user2, ou=Group2, o=myorg
objectclass: person
uid: user2

Also there are roles, and each of them can be assigned to some groups:

dn: cn=readIt, o=myorg
objectclass: organizationalRole
cn: readIt
roleOccupant: ou=Group1, o=myorg
roleOccupant: ou=Group2, o=myorg

dn: cn=changeIt, o=myorg
objectclass: organizationalRole
cn: changeIt
roleOccupant: ou=Group2, o=myorg

So technically, to find roles for a user, we need three steps:
- Search for (uid=username);
- Get the group DN by stripping the last component
   groupDN = userDN.getPrefix(userDN.size() - 1);
- search for roles (roleOccupant={groupDN});

Current implementation of JNDI assumes that roles should be assigned
to users, not to groups. So I can't use it directly.

Of course I could (and probably will) find a way to hack it (extend,
put some adapter, etc.), but I suspect that it's pretty common case,
and it could be resolved in more general and graceful way.
For instance, the inner User class could have an additional attribute,
e.g. getGroup(), and that value could be used as the third parameter in
the roleSearch attribute.

What do you think? Is it worth trying to generalize usage of groups in
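
The three-step lookup described in the message, worked through as an added example that is not part of the original post and not Tomcat's JNDIRealm code. It runs against an in-memory copy of the LDIF entries from the message instead of a live directory, so it can be executed offline; the helper names (split_rdns, normalize_dn, parse_ldif, group_dn_of, roles_for_user) are made up for this illustration. Two points the message's sketch leaves implicit are made explicit: the DN that ends up in the roleOccupant comparison must be compared as a normalized, whole DN (never a substring match), and a username that is ambiguous or unknown is refused rather than guessed at.

```python
"""Group-based role resolution over the LDIF in the message (added example,
not JNDIRealm's implementation).  All helper names below are hypothetical."""
from typing import Dict, List

# The entries from the message, re-entered as the sample directory.
SAMPLE_LDIF = """\
dn: ou=Group1, o=myorg
objectclass: organizationalUnit
ou: Group1

dn: uid=user1, ou=Group1, o=myorg
objectclass: person
uid: user1

dn: ou=Group2, o=myorg
objectclass: organizationalUnit
ou: Group2

dn: uid=user2, ou=Group2, o=myorg
objectclass: person
uid: user2

dn: cn=readIt, o=myorg
objectclass: organizationalRole
cn: readIt
roleOccupant: ou=Group1, o=myorg
roleOccupant: ou=Group2, o=myorg

dn: cn=changeIt, o=myorg
objectclass: organizationalRole
cn: changeIt
roleOccupant: ou=Group2, o=myorg
"""


def split_rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas (RFC 4514); a '\\,' inside a value is kept."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped char: copy both bytes
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return parts


def normalize_dn(dn: str) -> str:
    """Canonical form for equality tests: lower-cased types/values, no spaces after commas."""
    out = []
    for rdn in split_rdns(dn):
        typ, _, val = rdn.partition("=")
        out.append(f"{typ.strip().lower()}={val.strip().lower()}")
    return ",".join(out)


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line-separated entries, keyed by normalized DN."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs: Dict[str, List[str]] = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(val.strip())
        entries[normalize_dn(attrs.pop("dn")[0])] = attrs
    return entries


def group_dn_of(user_dn: str) -> str:
    """Step 2: drop the user's own RDN.  This is the same operation as
    userDN.getPrefix(userDN.size() - 1) on a javax.naming Name, whose
    components are indexed from the root, so the 'last' one is the
    leftmost RDN (uid=...) in string form."""
    return normalize_dn(",".join(split_rdns(user_dn)[1:]))


def _has_class(attrs: Dict[str, List[str]], oc: str) -> bool:
    return oc.lower() in [v.lower() for v in attrs.get("objectclass", [])]


def roles_for_user(entries: Dict[str, Dict[str, List[str]]], username: str) -> List[str]:
    """Steps 1-3 from the message.  Against a real server, `username` must be
    RFC 4515-escaped before it is substituted into the (uid=...) filter; here
    the comparison is an exact in-memory match, so no filter is built."""
    # Step 1: search for (uid=username) among person entries.
    user_dns = [dn for dn, a in entries.items()
                if _has_class(a, "person") and username in a.get("uid", [])]
    if len(user_dns) != 1:
        raise LookupError(f"{len(user_dns)} entries match uid={username!r}")
    # Step 2: strip the last component to get the group DN, and confirm it
    # really is an organizationalUnit rather than an arbitrary parent.
    group_dn = group_dn_of(user_dns[0])
    group = entries.get(group_dn)
    if group is None or not _has_class(group, "organizationalUnit"):
        return []
    # Step 3: (roleOccupant={groupDN}), compared as whole normalized DNs.
    return sorted(a["cn"][0] for a in entries.values()
                  if _has_class(a, "organizationalRole")
                  and group_dn in {normalize_dn(v) for v in a.get("roleoccupant", [])})


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for u in ("user1", "user2"):
        print(u, roles_for_user(directory, u))
```

Whole-DN comparison matters here because a naive `roleOccupant=*Group1*` style match would also hit `ou=Group10, o=myorg`, and a DN typed with different case or spacing (`OU=group1,O=myorg`) would otherwise fail to match at all.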
