tomcat-users mailing list archives

From Felix Schumacher <felix.schumac...@internetallee.de>
Subject Re: JNDIRealm - mapping LDAP group to security role
Date Wed, 08 Oct 2008 16:28:47 GMT
Hi Jerome,

have you thought about adding an extra attribute to the groups, so that
the mapping is done by a normal ldap query?

Consider having an objectClass tomcatRoleMapping which has one attribute
tomcatRole. Then with your mapping like below
> securityrole1=group1,group2,group4
> securityrole2=group3
> securityrole3=group5,group6
you would extend all groups with tomcatRoleMapping. The value of the
attribute tomcatRole could then be "securityrole1" for group1, group2
and group4 like this

dn: cn=group1,...
objectClass: tomcatRoleMapping
objectClass: ...
tomcatRole: securityrole1
cn: group1
...

Now just change the roleName attribute in your realm definition to
tomcatRole and you have got a mapping from groups to securityroles.

Bye 
 Felix

On Wednesday, 08.10.2008, 11:32 +0200, Jérôme Delattre wrote:
> 2008/9/23 Jérôme Delattre <jerome@delattre.org>
> 
> > Hello,
> >
> > Env: Tomcat 6.0.18 / Java 6 / Windows
> >
> > I am trying to configure a JNDIRealm to authenticate against an Active
> > Directory.
> > http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
> >
> > The authentication seems to work but I wonder how to map LDAP groups
> > to security roles.
> > I do not want to add groups in the LDAP server, but to map existing
> > ones to the roles defined in my web application instead.
> >
> > Is it possible? I did not find any doc / post about this topic.
> >
> > Thanks,
> > Jerome
> >
> 
> 
> So for the log and if it can help someone, here is how I resolved my issue:
> 
> I've extended the JNDIRealm class to override the getRoles(...) method.
> 
> package org.apache.catalina.realm;
> ...
> public class CustomJNDIRealm extends JNDIRealm {
> ...
>     @Override
>     protected List<String> getRoles(DirContext context, User user) throws
> NamingException {
>         List<String> ldapRoles = super.getRoles(context, user);
>         // customized part
>         return ldapRoles;
>     }
> ...
> }
> 
> The package needs to be the same as JNDIRealm class otherwise the class User
> is not visible.
> In the "custom part" of the method I read a properties file that describes
> the mapping between ldap roles and security roles.
> And I simply add security roles to the ldapRoles list before returning it.
> 
> The properties file is in Tomcat's lib directory and looks like:
> 
> securityrole1=group1,group2,group4
> securityrole2=group3
> securityrole3=group5,group6
> ...
> 
> And to be exhaustive, here is the realm configuration for Active Directory
> that works in my env:
> 
>     <Realm
>         className="org.apache.catalina.realm.CustomJNDIRealm"
>         debug="99"
>         connectionURL="ldap://myADserver:389"
>         connectionName="myADreadonlyUser"
>         connectionPassword="password"
>         referrals="follow"
>         userBase="DC=mycompany,DC=com"
>         userSearch="(sAMAccountName={0})"
>         userSubtree="true"
>         roleBase="DC=mycompany,DC=com"
>         roleName="cn"
>         roleSearch="(member={0})"
>         roleSubtree="true"/>
> 
> Cheers,
> Jerome
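For reference, here is one complete way to fill in the "customized part" of Jerome's getRoles() override. This is an added example, not the code from the thread or from Tomcat itself: it assumes the mapping file is named role-mapping.properties and is on the classpath (Tomcat's lib directory), and it inverts the securityrole=group1,group2 lines into a group-to-roles lookup so that each group name returned by the realm's role search (the "cn") is checked once.

```java
package org.apache.catalina.realm;
import java.io.*;
import java.util.*;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
// Same package as JNDIRealm so that its nested User class is visible, as in the post.
public class CustomJNDIRealm extends JNDIRealm {
    // Assumed file name; it is read from the classpath (Tomcat's lib directory).
    private static final String MAPPING_RESOURCE = "role-mapping.properties";
    // LDAP group name (the "cn" from the role search) -> security roles it grants
    private final Map<String, Set<String>> groupToRoles = loadMapping();
    private static Map<String, Set<String>> loadMapping() {
        Properties props = new Properties();
        InputStream in = CustomJNDIRealm.class.getClassLoader().getResourceAsStream(MAPPING_RESOURCE);
        if (in == null) throw new IllegalStateException("missing " + MAPPING_RESOURCE);
        try {
            props.load(in);
        } catch (IOException e) {
            throw new IllegalStateException("cannot read " + MAPPING_RESOURCE, e);
        } finally {
            try { in.close(); } catch (IOException ignored) { }
        }
        return invert(props);
    }
    // Turn "securityrole1=group1,group2,group4" lines into group -> {securityrole1, ...}
    static Map<String, Set<String>> invert(Properties props) {
        Map<String, Set<String>> map = new HashMap<String, Set<String>>();
        for (String role : props.stringPropertyNames()) {
            for (String group : props.getProperty(role).split(",")) {
                group = group.trim();
                if (group.length() == 0) continue;
                if (!map.containsKey(group)) map.put(group, new HashSet<String>());
                map.get(group).add(role.trim());
            }
        }
        return map;
    }
    @Override
    protected List<String> getRoles(DirContext context, User user) throws NamingException {
        List<String> ldapRoles = super.getRoles(context, user);
        if (ldapRoles == null) return null; // superclass found no user or no groups
        // customized part: copy the LDAP group names, then append the mapped security roles
        List<String> result = new ArrayList<String>(ldapRoles);
        for (String group : ldapRoles) {
            Set<String> mapped = groupToRoles.get(group);
            if (mapped != null) for (String role : mapped) if (!result.contains(role)) result.add(role);
        }
        return result;
    }
}
```

Note that, as in the post, the returned list still contains the raw group names, so any web application role that happens to share a name with an AD group is granted by that group membership alone; return only the mapped roles instead if that is not wanted.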

