From: Eugène Adell
To: Tomcat Users List
Subject: RE: JNDI property roleSearchAsUser not working as expected
Date: Thu, 14 Mar 2013 12:40:05 +0000

This doc is self-contradictory because it suggests "to setup a technical user" when we "don't want to configure a technical user", and it doesn't give any solution when we are not the admin of the directory.

Here we learn that Tomcat JNDI Realm only works in "Administrator Login Mode" with an administrator login/password (in fact the "technical user" discussed above):
http://tomcat.apache.org/tomcat-7.0-doc/funcspecs/fs-jndi-realm.html

From this, it seems that roleSearchAsUser is only useful when the anonymous bind is allowed. It's another contradiction here, because it seems logical to use this parameter especially when anonymous is not allowed.

________________________________________
From: Felix Schumacher [felix.schumacher@internetallee.de]
Sent: Thursday, 14 March 2013 12:03
To: Tomcat Users List
Subject: Re: JNDI property roleSearchAsUser not working as expected

On 13.03.2013 21:46, Eugène Adell wrote:
> Hello
>
> I am running the following:
> java version "1.6.0_25"
> Java(TM) SE Runtime Environment (build 1.6.0_25-b06)
> Java HotSpot(TM) Client VM (build 20.0-b11, mixed mode, sharing)
> Tomcat 7.0.37
> CentOS release 6.3
>
> with this REALM configuration in server.xml:
> <Realm className="org.apache.catalina.realm.JNDIRealm"
>        connectionURL="ldap://***.***.***.***:389"
>
>        userPattern="cn={0},ou=users,dc=example,dc=com"
>        roleBase="ou=groups,dc=example,dc=com"
>        roleSubtree="true"
>        roleNested="true"
>        roleName="cn"
>        roleSearchAsUser="true"
>        roleSearch="(uniqueMember={0})" />
>
> and this triggers this error during the startup:
> Mar 13, 2013 8:14:49 PM org.apache.catalina.realm.JNDIRealm open
> WARNING: Exception performing authentication
> javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - anonymous bind disallowed]
>         at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3032)
>         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
>         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
>         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
>         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
>         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
>         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
>         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
>         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
>         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
>         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
>         at javax.naming.InitialContext.init(InitialContext.java:223)
>         at javax.naming.InitialContext.<init>(InitialContext.java:197)
>         at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
>         at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:2150)
>         at org.apache.catalina.realm.JNDIRealm.startInternal(JNDIRealm.java:2241)
> ...
>         ... 27 more
> Mar 13, 2013 8:14:49 PM org.apache.catalina.startup.Catalina start
> INFO: Server startup in 34 ms
>
>
> From what I understand, roleSearchAsUser property was designed for
> people who need to bind on any LDAP where anonymous bind is not
> authorized. But it's just impossible to do this if the JNDI Realm
> tries to authenticate anonymously by itself during the startup.

I read the docs as follows: If your directory server does not allow scanning for roles as an anonymous user and you don't want to configure a technical user (by specifying connectionName and connectionPassword), you can delegate the credentials of the user that is currently logging in. It is not intended to set the user credentials for all LDAP operations.

The easiest way to fix it is to set up a technical user inside your directory, which has no right other than to log in and look up your users, which would be the next operation.

Regards
Felix

> I suppose it's necessary to investigate further this bug:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=19444
>
>
> Thanks
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
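The configuration Felix's answer leads to, written out as an added example (it is not the poster's server.xml and not Tomcat project code): the startup bind and the user-DN lookup run as a least-privilege technical account supplied via connectionName/connectionPassword, while roleSearchAsUser="true" keeps the role search under the credentials of the user who is logging in. The host name, the service-account DN and the ldap.bind.password property name are assumptions.

```xml
<!-- Added example, not the original poster's configuration.
     Assumed: ldap.example.com, the cn=tomcat-bind service account, and a
     catalina.properties entry "ldap.bind.password=..." (file readable only
     by the Tomcat user), which Tomcat expands via ${...} in server.xml. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.example.com:389"

       <!-- Technical account used by JNDIRealm.open() at startup and for the
            user lookup. Grant it read access to ou=users and nothing else,
            so a leaked bind password cannot modify the directory. -->
       connectionName="cn=tomcat-bind,ou=services,dc=example,dc=com"
       connectionPassword="${ldap.bind.password}"

       <!-- Authentication itself still binds as the user's own DN. -->
       userPattern="cn={0},ou=users,dc=example,dc=com"

       <!-- Role search runs as the authenticated user, not as tomcat-bind,
            so the technical account needs no read rights on ou=groups. -->
       roleBase="ou=groups,dc=example,dc=com"
       roleSubtree="true"
       roleNested="true"
       roleName="cn"
       roleSearchAsUser="true"
       roleSearch="(uniqueMember={0})" />
```

With a connectionPassword in play the bind travels in clear text over plain ldap://, so in practice the connectionURL should point at an ldaps:// listener of the same directory.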