tomcat-users mailing list archives

From Felix Schumacher <felix.schumac...@internetallee.de>
Subject Re: roleNested seems to not be working in tomcat 6
Date Wed, 10 Jul 2013 18:08:51 GMT
On 10.07.2013 16:34, Travis Bowen wrote:
>
> Thanks for the info.  However the issue is that groups are not stored 
> as uniqueMember but uniqueGroup so the roleSearch is not applicable.
>
You could try a roleSearch="|(uniqueMember={0})(uniqueGroup={0})". The 
{i} should be replaced multiple times.

HTH
  Felix
>
>
> Thanks,
>
> Travis
>
>
> From: Felix Schumacher <felix.schumacher@internetallee.de>
> To: Tomcat Users List <users@tomcat.apache.org>,
> Date: 07/10/2013 12:14 AM
> Subject: Re: roleNested seems to not be working in tomcat 6
>
> ------------------------------------------------------------------------
>
>
>
> On 10.07.2013 00:46, Travis Bowen wrote:
> > Ok I found where it is being used in the getRoles method however I'm
> > still wondering why it doesn't work. I don't see any way to define the
> > member group attribute name, it is uniqueGroup in the dir server I am
> > connecting to.
>
> roleSearch will be used for every group found.
>
>
> Given your config and your groups/persons are as follows
>
> dn: cn=group1,ou=...
> cn: group1
> uniqueMember: cn=person1,ou=...
>
> dn: cn=group2,ou=...
> cn: group2
> uniqueMember: cn=group1,ou=...
>
> dn: cn=person1,ou=...
> cn: person1
> mail: person1@...
>
> When you log in as person1@... first thing the realm does is to look up
> dn for that person using mail=person1@...
> It will get dn: cn=person1,ou=... as dn and will try roleSearch with {0}
> equal the newly found dn.
>
> So the next lookup is uniqueMember=cn=person,ou=... which gives us
> cn=group1,ou=...
>
> The attribute cn of that group will be stored as a role. Since
> nestedRoles is enabled it will now do a new search with roleSearch and
> the dn (and cn in your case).
> The lookup will be uniqueMember=cn=group1,ou=... which will give us
> cn=group2,ou=... and again the cn (group2) will be stored.
>
> So after that your user will have two roles (group1, group2).
>
> It looks to me that the logic for nested roles is the reverse of the one
> you expected.
>
> If you want to get debug output, you can put the line
>
> org.apache.catalina.realm.JNDIRealm.level = FINE
>
> at the end of your conf/logging.properties. The attribute debug in your
> realm definition is being ignored (and invalid).
>
> Regards
>  Felix
>
> >
> >  Thanks,
> >
> >  Travis
> >
> >
> >  From: Travis Bowen/Tucson/IBM@IBMUS
> >  To: users@tomcat.apache.org,
> >  Date: 07/09/2013 02:43 PM
> >  Subject: roleNested seems to not be working in tomcat 6
> >
> > -------------------------
> >
> >  I am using
> >
> > Apache Tomcat/6.0.37
> > pxa6460sr13fp2-20130424_01 (SR13 FP2)
> > IBM Corporation
> > Linux
> > 2.6.32-358.2.1.el6.x86_64
> > amd64
> >
> >  I have the following context defined for my application:
> >
> >  <?xml version="1.0" encoding="UTF-8"?>
> >  <Context>
> >    <Realm className="org.apache.catalina.realm.JNDIRealm"
> >           debug="99"
> >           connectionURL="ldaps://xxxx.xxxx.xxxx.com:636"
> >           userBase="ou=xxxxxxx,o=ibm.com"
> >           userSearch="(mail={0})"
> >           userSubtree="true"
> >           roleBase="ou=xxxxxx,ou=xxxxxxx,o=ibm.com"
> >           roleSubtree="false"
> >           roleNested="true"
> >           roleSearch="(uniqueMember={0})"
> >           roleName="cn" />
> >  </Context>
> >
> >  I have a user defined who is a member of one group which is a member
> > of another group under the roleBase. After authenticating I only get
> > the role/group that the user is a direct member of, it doesn't return
> > the role/group that the group is a member of.
> >
> >  I downloaded the source of org.apache.catalina.realm.JNDIRealm and
> > the roleNested attribute is never used except in the setters and
> > getters. Seems like it is being ignored. Is this feature available in
> > tomcat 6? The docs say it is but it doesn't seem to work.
> >
> >  Thanks,
> >
> >  Travis
>


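A model of the nested lookup Felix describes, added here as an example; it is not code from the thread or from Tomcat's JNDIRealm. It uses a constructed in-memory directory shaped like the entries in the thread (with group2 listing group1 through uniqueGroup, as on Travis's server), a minimal LDAP filter evaluator, and the iterative roleSearch loop, and shows that the plain (uniqueMember={0}) search stops at group1 while the OR filter suggested by Felix (written with the enclosing parentheses an LDAP filter needs) also reaches group2. Only the {0} substitution is modelled; the real realm substitutes further placeholders.

```python
# Constructed in-memory directory modelled on the entries in the thread.
# group2 lists group1 through uniqueGroup, as in Travis's server.
DIRECTORY = {
    "cn=person1,ou=people,o=example": {"cn": ["person1"], "mail": ["person1@example.com"]},
    "cn=group1,ou=groups,o=example": {"cn": ["group1"], "uniqueMember": ["cn=person1,ou=people,o=example"]},
    "cn=group2,ou=groups,o=example": {"cn": ["group2"], "uniqueGroup": ["cn=group1,ou=groups,o=example"]},
}


def split_top(s):
    """Split a run of parenthesised sub-filters at nesting depth 0."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def matches(entry, flt):
    """Evaluate a minimal LDAP filter: (attr=value), (|...) and (&...)."""
    body = flt.strip()[1:-1]
    if body[:1] in ("|", "&"):
        results = [matches(entry, p) for p in split_top(body[1:])]
        return any(results) if body[0] == "|" else all(results)
    attr, _, value = body.partition("=")
    return value in entry.get(attr, [])


def resolve_roles(user_dn, role_search, role_base, role_name="cn", nested=True):
    """Model of the nested lookup: {0} is first the user DN, then the DN of
    every group found, until no new group appears (hypothetical helper)."""
    roles, pending, seen = {}, [user_dn], set()
    while pending:
        dn = pending.pop()
        if dn in seen:
            continue  # guard against membership cycles
        seen.add(dn)
        flt = role_search.replace("{0}", dn)
        for gdn, attrs in DIRECTORY.items():
            if gdn.endswith(role_base) and matches(attrs, flt):
                for name in attrs.get(role_name, []):
                    roles.setdefault(name, gdn)
                if nested:
                    pending.append(gdn)
    return sorted(roles)
```

Running resolve_roles with the two filters against the same user DN makes the difference in granted roles visible before any change is made to a live realm.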