tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brandon DuRette <>
Subject Re: JNDIRealm userPattern DOMAIN/username
Date Thu, 10 Feb 2011 16:36:35 GMT
Hi All,

Time for a mea culpa. In my original message, I said that this used to work
in 6.0.20. That's wasn't correct. The 6.0.20 version we were using was
patched to fix this very issue, but we had not applied that patch to the
6.0.29 build. When we patched the 6.0.29 code, all works as expected.

The issue is that the getAttributes call requires a distinguished name and
throws an exception if you pass it DOMAIN\username. When a userPattern is
specified, JNDIRealm calls getAttributes using the formatted username even
when there are no attributes to request (when not using password comparison
and not querying for roles). The fix is to shortcut around the getAttributes
call in getUserByPattern if there are no attrIds requested. This fixes the
issue under the no attributes constraint, but there remains an issue when
there are attributes to query.

I'm including the patch here (vs. the 6_0_29 tag), but I'll also post on the
developers list with the patch.


On Tue, Feb 8, 2011 at 4:49 AM, Konstantin Kolinko

> 2011/2/4 Christopher Schultz <>:
> > "
> > Various JNDI realm improvements for Active Directory. These include the
> > ability to specify a default role, optional handling for nested roles
> > and an option to ignore PartialResultExceptions (markt).
> > "
> >
> > Unfortunately, there's no bug number listed and no revision number
> > mentioned, either, so you might have to dig through the svn logs to find
> > the appropriate update and see what changed.
> >
> Was there a stacktrace for that InvalidNameException ?
> Best regards,
> Konstantin Kolinko
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

View raw message