tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Eugène Adell <Eugene.Ad...@d2-si.eu>
Subject RE:JNDI property roleSearchAsUser not working as expected
Date Thu, 14 Mar 2013 12:40:05 GMT

This doc is self-contradictory because it suggests "to setup a technical user" when we "don't
want to configure a technical user", and it doesn't give any solution when we are not the
admin of the directory.

Here we learn that Tomcat JNDI Realm only works in "Administrator Login Mode" with an administrator
login/password (in fact the "technical user" discussed above) :

http://tomcat.apache.org/tomcat-7.0-doc/funcspecs/fs-jndi-realm.html

>From this, it seems that roleSearchAsUser is only usefull when the anonymous bind is allowed.
It's another contradiction here, because it seems logical to use this parameter especially
when anonymous is not allowed.



________________________________________
De : Felix Schumacher [felix.schumacher@internetallee.de]
Envoyé : jeudi 14 mars 2013 12:03
À : Tomcat Users List
Objet : Re: JNDI property roleSearchAsUser not working as expected

Am 13.03.2013 21:46, schrieb Eugène Adell:
> Hello
>
> I am running the following :
>   java version "1.6.0_25"
>   Java(TM) SE Runtime Environment (build 1.6.0_25-b06)
>   Java HotSpot(TM) Client VM (build 20.0-b11, mixed mode, sharing)
>   Tomcat 7.0.37
>   CentOS release 6.3
>
> with this REALM  configuration in server.xml :
>                         <Realm
> className="org.apache.catalina.realm.JNDIRealm"
>                           connectionURL="ldap://***.***.***.***:389"
>
> userPattern="cn={0},ou=users,dc=example,dc=com"
>                           roleBase="ou=groups,dc=example,dc=com"
>                           roleSubtree="true"
>                           roleNested="true"
>                           roleName="cn"
>                           roleSearchAsUser="true"
>                           roleSearch="(uniqueMember={0})" />
>
> and this triggers this error during the startup :
> Mar 13, 2013 8:14:49 PM org.apache.catalina.realm.JNDIRealm open
> WARNING: Exception performing authentication
> javax.naming.AuthenticationNotSupportedException: [LDAP: error code
> 48 - anonymous bind disallowed]
>         at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3032)
>         at
> com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
>         at
> com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
>         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
>         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
>         at
> com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
>         at
> com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
>         at
> com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
>         at
> com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
>         at
> javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
>         at
> javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
>         at javax.naming.InitialContext.init(InitialContext.java:223)
>         at javax.naming.InitialContext.<init>(InitialContext.java:197)
>         at
> javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
>         at
> org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:2150)
>         at
> org.apache.catalina.realm.JNDIRealm.startInternal(JNDIRealm.java:2241)
...
>         ... 27 more
> Mar 13, 2013 8:14:49 PM org.apache.catalina.startup.Catalina start
> INFO: Server startup in 34 ms
>
>
> From what I understand, roleSearchAsUser property was designed for
> people who need to bind on any LDAP where anonymous bind is not
> authorized. But it's just impossible to do this if the JNDI Realm
> tries to authenticate anonymously by itself during the startup.

I read the docs as follows:

If your directory server does not allow to scan for roles as anonymous
user and you don't want to configure a technical user (by specifying
connectionName and connectionPassword) you can delegate the credentials
of the user that is currently logging in.

It is not intended to set the user credentials for all ldap operations.

The easiest way to fix it, is to setup an technical user inside your
directory, which has no right other than to login and lookup your users,
which would be the next operation.

Regards
  Felix
>
> I suppose it's necessary to investigate further this bug :
> https://issues.apache.org/bugzilla/show_bug.cgi?id=19444
>
>
> Thanks
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message