tomcat-users mailing list archives

From Felix Schumacher <felix.schumac...@internetallee.de>
Subject Re: Configure JNDI Realm For Active Directory Under Tomcat 5.5.12 on OSX
Date Sat, 08 Apr 2006 08:16:50 GMT
On Friday, 07.04.2006, 17:35 -0400, John Leyden wrote:
...
> 2) SERVER.XML excerpt:
> 
>      <!-- Define the top level container in our container hierarchy -->
>      <Engine name="Catalina" defaultHost="localhost">
> 
>       [snip]
> 
>        <Realm className="org.apache.catalina.realm.JNDIRealm"
> 		debug="99"
> 		connectionURL="ldap://[primary domain controller ip]:389"
> 		alternateURL="ldap://[backup domain controller ip]:389"
> 		referrals="follow"
> 		userBase="CN=Users,DC=[mydepartment],DC=[mydivision],DC=[ourintranetdomain]"
> 		userSearch="(sAMAccountName={0})"
> 		userSubtree="true"
> 		userRoleName="memberOf"
Using userRoleName, you tell Tomcat to use that attribute of the user
object as the name of the role. In your LDAP excerpt memberOf
contains the full distinguished name, but in your web.xml you try to use
the common name. Since they are not equal, your users are not members of
the role. So either specify the cn in a user attribute, or use the
roleName, roleSearch, roleSubtree and roleBase config attributes in your
JNDIRealm.

HTH
 Felix
> 		rolename="cn"
>        />
> 
>       [big snip]
> 
> 3) Excerpt from ldap directory (obtained via LDP):
> 
> Expanding base 'CN=Firstname Lastname,CN=Users,DC=mydepartment,DC=mydivision,DC=ourintranetdomain'...
> Result <0> (null)
> Matched DNs:
> Getting 1 entries:
>  >> Dn: CN=Firstname Lastname,CN=Users,DC=mydepartment,DC=mydivision,DC=ourintranetdomain
> 	4> memberOf: CN=GroupName1,CN=Users,DC=mydepartment,DC=mydivision,DC=ourintranetdomain; CN=GroupName2,CN=Users,DC=mydepartment,DC=mydivision,DC=ourintranetdomain;
> 	1> sAMAccountName=jl;
> 
> 4) All other realms commented-out of server.xml.  I am led to believe  
> that an engine may possess exactly one authentication realm.
> 
> 5) Application WEB.XML excerpt:
> 
>     <security-constraint>
> ...
>           <role-name>GroupName1</role-name>
> 	 <role-name>GroupName2</role-name>
>        </auth-constraint>
>      </security-constraint>
> 
>      <!-- Default login configuration uses form-based authentication -->
>  ...
>      <!-- Security roles referenced by this web application -->
>      <security-role>
>        <role-name>GroupName1</role-name>
>      </security-role>
>      <security-role>
>        <role-name>GroupName2</role-name>
>      </security-role>
> 



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
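The following is an added example, not code from the thread or from Tomcat itself. It models the two role-resolution strategies Felix describes (userRoleName versus roleBase/roleSearch/roleName) against a small in-memory directory constructed to look like the LDP excerpt above, and shows why the posted configuration yields full group DNs while web.xml expects common names. The AD-style roleSearch filter "(member={0})" and the helper names (find_user, roles_for, authorized) are assumptions for the illustration; Tomcat's real JNDIRealm does the equivalent lookups over LDAP.

```python
"""Model of how a JNDIRealm-style realm turns a user's LDAP entry into roles.

Two strategies are modelled, matching the Realm attributes in the thread:
  * userRoleName                 - take the raw values of one attribute of
                                   the user entry (here: memberOf, i.e. DNs)
  * roleBase/roleSearch/roleName - search group entries that reference the
                                   user and take one attribute (cn) of each
This is a simplified stand-in for Tomcat's JNDIRealm, not its code.
"""
import xml.etree.ElementTree as ET

# Constructed directory, shaped like the LDP excerpt in the thread.
USER_DN = "CN=Firstname Lastname,CN=Users,DC=mydepartment,DC=mydivision,DC=ourintranetdomain"
GROUP1_DN = "CN=GroupName1,CN=Users,DC=mydepartment,DC=mydivision,DC=ourintranetdomain"
GROUP2_DN = "CN=GroupName2,CN=Users,DC=mydepartment,DC=mydivision,DC=ourintranetdomain"

DIRECTORY = {
    USER_DN: {"sAMAccountName": ["jl"], "memberOf": [GROUP1_DN, GROUP2_DN]},
    GROUP1_DN: {"cn": ["GroupName1"], "member": [USER_DN]},
    GROUP2_DN: {"cn": ["GroupName2"], "member": [USER_DN]},
}

# Role names the web.xml in the thread declares.
WEB_XML_ROLES = {"GroupName1", "GroupName2"}

# Realm as posted: roles are the raw memberOf values (full DNs).
REALM_AS_POSTED = '''<Realm className="org.apache.catalina.realm.JNDIRealm"
    userBase="CN=Users,DC=mydepartment,DC=mydivision,DC=ourintranetdomain"
    userSearch="(sAMAccountName={0})" userSubtree="true"
    userRoleName="memberOf" />'''

# Realm using a role search: roles are the cn of each group whose
# member attribute contains the user's DN. The (member={0}) filter is
# an assumption for this example (the usual Active Directory choice).
REALM_FIXED = '''<Realm className="org.apache.catalina.realm.JNDIRealm"
    userBase="CN=Users,DC=mydepartment,DC=mydivision,DC=ourintranetdomain"
    userSearch="(sAMAccountName={0})" userSubtree="true"
    roleBase="CN=Users,DC=mydepartment,DC=mydivision,DC=ourintranetdomain"
    roleSearch="(member={0})" roleSubtree="true" roleName="cn" />'''


def _filter_attribute(ldap_filter):
    """Return the attribute name of a simple '(attr={0})' filter."""
    return ldap_filter[1:].split("=")[0]


def _under_base(dn, base):
    """Subtree check: is dn located at or below base (case-insensitive)?"""
    return dn.lower().endswith(base.lower())


def find_user(realm, username):
    """Apply userSearch under userBase; returns (dn, entry) or None."""
    attr = _filter_attribute(realm["userSearch"])
    for dn, entry in DIRECTORY.items():
        if _under_base(dn, realm["userBase"]) and username in entry.get(attr, []):
            return dn, entry
    return None


def roles_for(realm_xml, username):
    """Resolve the set of role names the realm would assign to username."""
    realm = ET.fromstring(realm_xml).attrib
    found = find_user(realm, username)
    if found is None:
        return set()
    user_dn, user_entry = found
    roles = set()
    # Strategy 1: userRoleName -> values of that attribute on the user entry.
    if "userRoleName" in realm:
        roles.update(user_entry.get(realm["userRoleName"], []))
    # Strategy 2: roleSearch under roleBase, {0} replaced by the user's DN,
    # then roleName picks the attribute of each matching group entry.
    if "roleSearch" in realm:
        attr = _filter_attribute(realm["roleSearch"])
        for dn, entry in DIRECTORY.items():
            if _under_base(dn, realm["roleBase"]) and user_dn in entry.get(attr, []):
                roles.update(entry.get(realm["roleName"], []))
    return roles


def authorized(realm_xml, username):
    """True if any resolved role matches a web.xml role-name (exact match)."""
    return bool(roles_for(realm_xml, username) & WEB_XML_ROLES)


if __name__ == "__main__":
    for label, realm in (("as posted", REALM_AS_POSTED), ("role search", REALM_FIXED)):
        print(label, sorted(roles_for(realm, "jl")), authorized(realm, "jl"))
```

With the realm as posted, the roles resolved for `jl` are the two full group DNs, which never equal the `GroupName1`/`GroupName2` strings in web.xml, so the auth-constraint fails; with roleBase/roleSearch/roleName the roles are the groups' cn values and the constraint matches. Role comparison is an exact string match, so the value put into the role must be exactly what web.xml declares.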

