tomcat-users mailing list archives

From Grey Karapetyan <karapetyan.g...@yandex.ru>
Subject tomcat 5.5.17, fails group(roles) authentication in ldap
Date Sat, 10 Oct 2009 20:35:06 GMT
Hello guys,
I need help...
I use Tomcat 5.5.17.

1)server.xml

 <Realm   className="org.apache.catalina.realm.JNDIRealm" debug="99"
           connectionURL="ldap://x.x.x.x:xxx"
           allRolesMode="AuthOnly"
           referrals="follow"
           userBase="ou=Users,dc=mydomain"
           userSubtree="true"
           userSearch="(uid={0})"
           roleBase="ou=Groups,dc=mydomain"
           roleName="cn"
           roleSubtree="true"
           roleSearch="(memberUid={1})"
        />

In LDAP,
all groups have the attribute
cn - group name,
and the multi-valued attribute memberUid - list of members.



2)./webapps/ucaldav/WEB-INF/web.xml


<security-constraint>
    <web-resource-collection>
      <web-resource-name>Bedework</web-resource-name>
      <description>Bedework user</description>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
      <description>no description</description>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>personal calendar</realm-name>
  </login-config>


  <security-role>
    <description>A calendar system user</description>
    <role-name>*</role-name>
  </security-role>


3)in options.xml (run-time options for web application)
/webapps/ucaldav/WEB-INF/classes/properties/calendar/options.xml

<user-ldap-group classname="org.bedework.calfacade.configs.LdapConfigProperties">
            <principalRoot>/principals</principalRoot>
            <userPrincipalRoot>/principals/users</userPrincipalRoot>
            <groupPrincipalRoot>/principals/groups</groupPrincipalRoot>
            <resourcePrincipalRoot>/principals/resources</resourcePrincipalRoot>
            <venuePrincipalRoot>/principals/locations</venuePrincipalRoot>
            <ticketPrincipalRoot>/principals/tickets</ticketPrincipalRoot>
            <hostPrincipalRoot>/principals/hosts</hostPrincipalRoot>

            <domains>test</domains>
            <defaultDomain>test</defaultDomain>

            <initialContextFactory>com.sun.jndi.ldap.LdapCtxFactory</initialContextFactory>
            <providerUrl>ldap://x.x.x.x:xxx/</providerUrl>
            <groupContextDn>ou=Groups, dc=tander</groupContextDn>
            <groupMemberAttr>memberUid</groupMemberAttr>
            <userDnPrefix>uid=</userDnPrefix>
            <userDnSuffix>,ou=Users, dc=mydomain</userDnSuffix>
            <groupDnPrefix>cn</groupDnPrefix>
            <groupDnSuffix>,ou=Groups, dc=mydomain</groupDnSuffix>
            <debug>true</debug>
</user-ldap-group>


If I use this configuration, user authentication works well.

But if user "alex" has no access permissions himself, yet is a member of group "agroup" (which has
rwx access permissions), authentication does not occur...
I ran catalina.sh debug:

00:14:28,697 INFO  [CalSvc] Authenticated user alex logged on
***
[AccessUtil] Check access for object BwCalendar ident=/user/alex/Inbox
00:21:33,431 DEBUG [Acl] Check access for 'WONyAI05 /user WU04 alexyA WG06 agroupyA WANyFySI05
/user ' with authenticated = true isOwner = false...For authenticated got: PrivilegeSet[????Y?????YYYY???]...Check
access denied !allowed) PrivilegeSet[nnnnYnnnnnYYYYnnn]
**
===================================
So, since authentication fails in the web application, I tried to test authentication in Tomcat:
1)server.xml
allRolesMode="AuthOnly" change to: allRolesMode="strictAuthOnly"

2)web.xml

<auth-constraint>
      <role-name>*</role-name>
</auth-constraint>

change to:

<auth-constraint>
      <role-name>agroup</role-name>
</auth-constraint>

--
 <security-role>
    <description>A calendar system user</description>
    <role-name>*</role-name>
  </security-role>

change to:

 <security-role>
    <description>A calendar system user</description>
    <role-name>agroup</role-name>
  </security-role>

===
In this case user "alex" can't authenticate at the Tomcat level at all...

Any ideas?
And how can I debug only JNDI?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
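The realm attributes from the post, as an added example that is not code from Tomcat or Bedework: a small Python model of how the userSearch/roleSearch placeholders are filled (in roleSearch, {0} is the user's DN and {1} the username, as the JNDIRealm documentation defines them), how roleName="cn" collects role names from posixGroup-style entries matched on memberUid, and how allRolesMode decides an auth-constraint of role-name="*". The in-memory directory, the users alex and bob, the group readers, the passwords, and the decision logic are assumptions of the example; the decision logic follows the documented meaning of strict, authOnly and strictAuthOnly, not Tomcat's source.

```python
"""Simplified model of a Tomcat JNDIRealm-style configuration.

Added example, not code from Tomcat or Bedework. The directory is
constructed in memory; the search and authorization logic is a model of
the documented realm attributes, not Tomcat's implementation.
"""
import dataclasses
from dataclasses import dataclass

# Constructed directory (not real data): two users and two posixGroup-style
# groups whose memberUid values are bare uids, as described in the post.
DIRECTORY = {
    "uid=alex,ou=Users,dc=mydomain": {
        "objectClass": ["posixAccount"], "uid": ["alex"], "userPassword": ["alex-pw"]},
    "uid=bob,ou=Users,dc=mydomain": {
        "objectClass": ["posixAccount"], "uid": ["bob"], "userPassword": ["bob-pw"]},
    "cn=agroup,ou=Groups,dc=mydomain": {
        "objectClass": ["posixGroup"], "cn": ["agroup"], "memberUid": ["alex"]},
    "cn=readers,ou=Groups,dc=mydomain": {
        "objectClass": ["posixGroup"], "cn": ["readers"], "memberUid": ["bob"]},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter, so a
    username containing '*', '(', ')' or '\\' cannot rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def search(base: str, subtree: bool, filt: str):
    """Equality search '(attr=value)' over DIRECTORY under base.
    subtree=False is one-level: the entry's RDN sits directly under base."""
    if not (filt.startswith("(") and filt.endswith(")") and "=" in filt):
        raise ValueError("only (attr=value) filters are modelled")
    attr, value = filt[1:-1].split("=", 1)
    hits = []
    for dn, entry in DIRECTORY.items():
        if not dn.endswith("," + base):
            continue
        if not subtree and "," in dn[: -len(base) - 1]:
            continue
        if value in entry.get(attr, []):
            hits.append((dn, entry))
    return hits


@dataclass
class Realm:
    user_base: str
    user_search: str
    user_subtree: bool
    role_base: str
    role_search: str
    role_name: str
    role_subtree: bool
    all_roles_mode: str  # "strict", "authOnly" or "strictAuthOnly"


# Attribute values copied from the <Realm> element in the post.
REALM = Realm(
    user_base="ou=Users,dc=mydomain", user_search="(uid={0})", user_subtree=True,
    role_base="ou=Groups,dc=mydomain", role_search="(memberUid={1})",
    role_name="cn", role_subtree=True, all_roles_mode="authOnly")


def with_mode(realm: Realm, mode: str) -> Realm:
    """Copy of the realm with a different allRolesMode (hypothetical helper)."""
    return dataclasses.replace(realm, all_roles_mode=mode)


def authenticate(realm, username, password):
    """User search: {0} is the username. Returns the user's DN or None.
    The password check is a plain compare on the constructed data."""
    filt = realm.user_search.replace("{0}", escape_filter_value(username))
    hits = search(realm.user_base, realm.user_subtree, filt)
    if len(hits) != 1:
        return None
    dn, entry = hits[0]
    return dn if password in entry.get("userPassword", []) else None


def roles_for(realm, user_dn, username):
    """Role search: {0} is the user's DN, {1} the username. The role is the
    roleName attribute of each matching group entry."""
    filt = (realm.role_search
            .replace("{0}", escape_filter_value(user_dn))
            .replace("{1}", escape_filter_value(username)))
    hits = search(realm.role_base, realm.role_subtree, filt)
    return sorted(v for _, e in hits for v in e.get(realm.role_name, []))


def authorize(realm, user_roles, auth_constraint, security_roles):
    """Evaluate an <auth-constraint>. A named role must be held by the user.
    '*' follows allRolesMode: authOnly admits any authenticated user;
    strictAuthOnly does so only if no <security-role> is declared;
    strict requires one of the declared roles."""
    declared = [r for r in security_roles if r != "*"]
    for role in auth_constraint:
        if role != "*":
            if role in user_roles:
                return True
            continue
        if realm.all_roles_mode == "authOnly":
            return True
        if realm.all_roles_mode == "strictAuthOnly" and not declared:
            return True
        if any(r in user_roles for r in declared):
            return True
    return False


def check(realm, username, password, auth_constraint, security_roles):
    """Full path: authenticate, collect roles, authorize.
    Returns (authenticated, roles, allowed)."""
    dn = authenticate(realm, username, password)
    if dn is None:
        return (False, [], False)
    roles = roles_for(realm, dn, username)
    return (True, roles, authorize(realm, roles, auth_constraint, security_roles))


if __name__ == "__main__":
    # As posted (role-name "*", allRolesMode="authOnly"): both users pass.
    print(check(REALM, "alex", "alex-pw", ["*"], ["*"]))
    print(check(REALM, "bob", "bob-pw", ["*"], ["*"]))
    # Constraint tightened to role-name "agroup": only alex passes.
    print(check(REALM, "bob", "bob-pw", ["agroup"], ["agroup"]))
```

With the posted combination of role-name="*" and allRolesMode="authOnly", the outcome of the group search does not influence the Tomcat-level decision: any user who authenticates passes the constraint, and access control rests entirely on the application's own ACL check. Naming the group in the auth-constraint makes Tomcat enforce membership, so a user outside the group is rejected before reaching the application. In the model a user inside the group passes that tightened constraint; if the real realm rejects such a user, its role search is returning no roles for him, and roles_for is the step to compare against the realm's debug output.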

