tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jérôme Delattre" <jer...@delattre.org>
Subject Re: JNDIRealm - mapping LDAP group to security role
Date Wed, 08 Oct 2008 09:32:02 GMT
2008/9/23 Jérôme Delattre <jerome@delattre.org>

> Hello,
>
> Env: Tomcat 6.0.18 / Java 6 / Windows
>
> I am trying to configure a JNDIRealm to authenticate against an Active
> Directory.
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
>
> The authentication seems to work but I wonder how to map LDAP groups
> to security roles.
> I do not want to add groups in the LDAP server, but to map existing
> ones to the roles defined in my web application instead.
>
> Is it possible ? I did not found any doc / post about this topic.
>
> Thanks,
> Jerome
>


So for the log and if it can help someone, here is how I resolved my issue:

I've extended the JNDIRealm class to override the getRoles(...) method.

package org.apache.catalina.realm;
...
public class CustomJNDIRealm extends JNDIRealm {
...
    @Override
    protected List<String> getRoles(DirContext context, User user) throws
NamingException {
        List<String> ldapRoles = super.getRoles(context, user);
        // customized part
        return ldapRoles;
    }
...
}

The package needs to be the same as JNDIRealm class otherwise the class User
is not visible.
In the "custom part" of the method I read a properties file that describe
the mapping between ldap roles and security roles.
And I simply add security roles to the ldapRoles list before returning it.

The properties file is in Tomcat's lib directory and looks like:

securityrole1=group1,group2,group4
securityrole2=group3
securityrole3=group5,group6
...

And to be exhaustive, here is the realm configuration for Active Directory
that works in my env:

    <Realm
        className="org.apache.catalina.realm.CustomJNDIRealm"
        debug="99"
        connectionURL="ldap://myADserver:389"
        connectionName="myADreadonlyUser"
        connectionPassword="password"
        referrals="follow"
        userBase="DC=mycompany,DC=com"
        userSearch="(sAMAccountName={0})"
        userSubtree="true"
        roleBase="DC=mycompany,DC=com"
        roleName="cn"
        roleSearch="(member={0})"
        roleSubtree="true"/>

Cheers,
Jerome

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message