tomcat-users mailing list archives

From Gary <>
Subject Re: question about JNDIRealm and OpenLDAP with access control
Date Wed, 15 Feb 2006 19:58:16 GMT
Gary wrote:

> Hi,
> I have JNDIRealm set in the context.xml like this
> <Context path="/project" docBase="project" debug="99">
>   <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>          connectionURL="ldap://localhost:389"
>          userPattern="uid={0},ou=people,dc=example,dc=com"
>          userRoleName="affiliation" />
> </Context>
> Authentication works fine until I added this to slapd.conf
> access to *
>       by anonymous auth
>       by users read
> Because I don't want to let anonymous users query ldap.
> Now when I login, I get http status 403 (access denied).
> Without ldap access control set, request.getUserPrincipal() prints
> this: GenericPrincipal[gary(member,)]
> but with access control, it prints this: GenericPrincipal[gary()]
> Not sure why the role information would be missing.

Ok, I think I have this figured out... but correct me if I am wrong.

Authentication and authorization are done separately. The realm setting
I have above was only able to succeed for the authentication part, and
failed on the authorization part: it wasn't able to get the user role
because my ldap access control does not allow read from anonymous users.

After I added connectionName and connectionPassword to the realm tag,
it was able to use that to get the role information out of ldap.
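As an added example (not from the thread), the realm described above with connectionName and connectionPassword pointing at a dedicated read-only service account, plus the matching slapd.conf ACLs that let only that account read the affiliation attribute while anonymous binds get nothing and userPassword stays unreadable. The service DN `cn=tomcat,ou=services,dc=example,dc=com` and its password placeholder are assumptions; the user's own password is still verified by Tomcat binding as `uid={0},ou=people,dc=example,dc=com`.

```xml
<!-- Added example, not from the thread. Tomcat JNDIRealm against OpenLDAP.
     Assumed: a dedicated service account cn=tomcat,ou=services,dc=example,dc=com
     exists in the directory and is used only for this lookup. -->
<Context path="/project" docBase="project" debug="99">

  <!-- connectionName/connectionPassword are the credentials Tomcat binds with
       to read the user entry and its affiliation (role) attribute; the user's
       password is checked separately by rebinding as the userPattern DN. -->
  <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
         connectionURL="ldap://localhost:389"
         connectionName="cn=tomcat,ou=services,dc=example,dc=com"
         connectionPassword="CHANGE_ME_service_password"
         userPattern="uid={0},ou=people,dc=example,dc=com"
         userRoleName="affiliation" />

  <!-- Matching slapd.conf ACLs (OpenLDAP 2.x syntax). Order matters: the first
       "access to" clause whose target matches the entry/attribute is applied.

       # passwords: owner may change, anyone may bind against it, nobody reads it
       access to attrs=userPassword
           by self write
           by anonymous auth
           by * none

       # role attribute: only the Tomcat service account (and the user) reads it
       access to attrs=affiliation
           by dn.exact="cn=tomcat,ou=services,dc=example,dc=com" read
           by self read
           by * none

       # everything else: authenticated users may read, anonymous gets nothing
       access to *
           by users read
           by * none
  -->
</Context>
```

The service account only needs read on the attributes Tomcat actually queries, so a leaked connectionPassword exposes role data rather than the whole directory or any password hashes.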
