tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Eugène Adell <Eugene.Ad...@d2-si.eu>
Subject RE:RE:JNDI property roleSearchAsUser not working as expected
Date Thu, 14 Mar 2013 14:10:25 GMT

Thanks Felix,

I will choose the easy way by allowing the anonymous to bind the directory, against all security
logics, and strengthen the ACL to forbid anonymous search.

Anyway, the bug 19444 is closed saying the new parameter (introduced in 7.0.9  and corrected
in 7.0.30) allows role searching with the authenticating user. That's true, but we still need
either the anonymous or a technical user for the startup binding. It's not really compliant
to real-life LDAP management.

best regards



________________________________________
De : Felix Schumacher [felix.schumacher@internetallee.de]
Envoyé : jeudi 14 mars 2013 14:22
À : Tomcat Users List
Objet : RE:JNDI property roleSearchAsUser not working as expected

Am 14.03.2013 13:40, schrieb Eugène Adell:
> This doc is self-contradictory because it suggests "to setup a
> technical user" when we "don't want to configure a technical user",
> and it doesn't give any solution when we are not the admin of the
> directory.

I can't read that out of the docs for roleSearchAsUser as stated on
http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm

It is just a mechanism to switch from the credentials when searching
for roles.

That way you can restrict the rights to the anonymous/admin user, so
that it doesn't need to be able to lookup groups/roles for a user.

>
> Here we learn that Tomcat JNDI Realm only works in "Administrator
> Login Mode" with an administrator login/password (in fact the
> "technical user" discussed above) :
>
> http://tomcat.apache.org/tomcat-7.0-doc/funcspecs/fs-jndi-realm.html

I believe the "Administrator Login Mode" is used for retrieving
attributes out of an users object and comparing the values to some given
credentials. The "User Login Mode" is used when a bind is performed to
check the credentials. But either way, you will have to setup a
technical user, or open the directory server to allow anonymous binds
and searches for the user dn's.

>
> From this, it seems that roleSearchAsUser is only usefull when the
> anonymous bind is allowed. It's another contradiction here, because it
> seems logical to use this parameter especially when anonymous is not
> allowed.

You will not get to the point where the role is being searched, since
before that there are two points, where your directory is being
accessed.
  1. initial test of connection (which you reported in your first mail)
  2. look up of the user, which wants to login (and since the username
to bind with is not known, it will be hard to guess)

So as stated before the easiest thing is to just use a technical user
to connect to the directory.

Regards
  Felix
>
>
>
> ________________________________________
> De : Felix Schumacher [felix.schumacher@internetallee.de]
> Envoyé : jeudi 14 mars 2013 12:03
> À : Tomcat Users List
> Objet : Re: JNDI property roleSearchAsUser not working as expected
>
> Am 13.03.2013 21:46, schrieb Eugène Adell:
>> Hello
>>
>> I am running the following :
>>   java version "1.6.0_25"
>>   Java(TM) SE Runtime Environment (build 1.6.0_25-b06)
>>   Java HotSpot(TM) Client VM (build 20.0-b11, mixed mode, sharing)
>>   Tomcat 7.0.37
>>   CentOS release 6.3
>>
>> with this REALM  configuration in server.xml :
>>                         <Realm
>> className="org.apache.catalina.realm.JNDIRealm"
>>                           connectionURL="ldap://***.***.***.***:389"
>>
>> userPattern="cn={0},ou=users,dc=example,dc=com"
>>                           roleBase="ou=groups,dc=example,dc=com"
>>                           roleSubtree="true"
>>                           roleNested="true"
>>                           roleName="cn"
>>                           roleSearchAsUser="true"
>>                           roleSearch="(uniqueMember={0})" />
>>
>> and this triggers this error during the startup :
>> Mar 13, 2013 8:14:49 PM org.apache.catalina.realm.JNDIRealm open
>> WARNING: Exception performing authentication
>> javax.naming.AuthenticationNotSupportedException: [LDAP: error code
>> 48 - anonymous bind disallowed]
>>         at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3032)
>>         at
>> com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
>>         at
>> com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
>>         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
>>         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
>>         at
>> com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
>>         at
>> com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
>>         at
>> com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
>>         at
>> com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
>>         at
>> javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
>>         at
>> javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
>>         at javax.naming.InitialContext.init(InitialContext.java:223)
>>         at
>> javax.naming.InitialContext.<init>(InitialContext.java:197)
>>         at
>> javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
>>         at
>> org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:2150)
>>         at
>> org.apache.catalina.realm.JNDIRealm.startInternal(JNDIRealm.java:2241)
> ...
>>         ... 27 more
>> Mar 13, 2013 8:14:49 PM org.apache.catalina.startup.Catalina start
>> INFO: Server startup in 34 ms
>>
>>
>> From what I understand, roleSearchAsUser property was designed for
>> people who need to bind on any LDAP where anonymous bind is not
>> authorized. But it's just impossible to do this if the JNDI Realm
>> tries to authenticate anonymously by itself during the startup.
>
> I read the docs as follows:
>
> If your directory server does not allow to scan for roles as anonymous
> user and you don't want to configure a technical user (by specifying
> connectionName and connectionPassword) you can delegate the
> credentials
> of the user that is currently logging in.
>
> It is not intended to set the user credentials for all ldap
> operations.
>
> The easiest way to fix it, is to setup an technical user inside your
> directory, which has no right other than to login and lookup your
> users,
> which would be the next operation.
>
> Regards
>   Felix
>>
>> I suppose it's necessary to investigate further this bug :
>> https://issues.apache.org/bugzilla/show_bug.cgi?id=19444
>>
>>
>> Thanks
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message