tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Travis Bowen <tbo...@us.ibm.com>
Subject Re: roleNested seems to not be working in tomcat 6
Date Thu, 11 Jul 2013 14:42:25 GMT

Thank you that does work but it takes a very long time since there are 10's
of thousands of groups and many have thousands of users.  Using that search
means that both the uniqueMember and uniqueGroup are searched initially
instead of just searching for users member ship first then searching for
uniqueGroups.  What is really needed is a separate search string for nested
groups, something like subRoleSeacrh in the context configuration which the
realm can use if roleNested is true.

Thanks,

Travis



From:	Felix Schumacher <felix.schumacher@internetallee.de>
To:	Tomcat Users List <users@tomcat.apache.org>,
Date:	07/10/2013 11:09 AM
Subject:	Re: roleNested seems to not be working in tomcat 6



Am 10.07.2013 16:34, schrieb Travis Bowen:
>
> Thanks for the info.  However the issue is that groups are not stored
> as uniqueMember but uniqueGroup so the roleSearch is not applicable.
>
You could try a roleSearch="|(uniqueMember={0})(uniqueGroup={0})". The
{i} should be replaced multiple times.

HTH
  Felix
>
>
> Thanks,
>
> Travis
>
> Inactive hide details for Felix Schumacher ---07/10/2013 12:14:30
> AM---Am 10.07.2013 00:46, schrieb Travis Bowen: > Ok I found Felix
> Schumacher ---07/10/2013 12:14:30 AM---Am 10.07.2013 00:46, schrieb
> Travis Bowen: > Ok I found where it is being used in the getRoles metho
>
> From: Felix Schumacher <felix.schumacher@internetallee.de>
> To: Tomcat Users List <users@tomcat.apache.org>,
> Date: 07/10/2013 12:14 AM
> Subject: Re: roleNested seems to not be working in tomcat 6
>
> ------------------------------------------------------------------------
>
>
>
> Am 10.07.2013 00:46, schrieb Travis Bowen:
> > Ok I found where it is being used in the getRoles method however I'm
> > still wondering why it doesn't work. I don't see any way to define the
> > member group attribute name, it is uniqueGroup in the dir server I am
> > connecting to.
>
> roleSearch will be used for every group found.
>
>
> Given your config and your groups/persons are as follows
>
> dn: cn=group1,ou=...
> cn: group1
> uniqueMember: cn=person1,ou=...
>
> dn: cn=group2,ou=...
> cn: group2
> uniqueMember: cn=group1,ou=...
>
> dn: cn=person1,ou=...
> cn: person1
> mail: person1@...
>
> When you log in as person1@... first thing the realm does is to look up
> dn for that person using mail=person1@...
> It will get dn: cn=person1,ou=... as dn and will try roleSearch with {0}
> equal the newly found dn.
>
> So the next lookup is uniqueMember=cn=person,ou=... which gives us
> cn=group1,ou=...
>
> The attribute cn of that group will be stored as a role. Since
> nestedRoles is enabled it will now do a new search with roleSearch and
> the dn (and cn in your case).
> The lookup will be uniqueMember=cn=group1,ou=... which will give us
> cn=group2,ou=... and again the cn (group2) will be stored.
>
> So after that your user will have two roles (group1, group2).
>
> It looks to me that the logic for nested roles is reverse to the one you
> expected.
>
> If you want to get debug output, you can put the line
>
> org.apache.catalina.realm.JNDIRealm.level = FINE
>
> at the end of your conf/logging.properties. The attribute debug in your
> realm definition is being ignored (and invalid).
>
> Regards
>  Felix
>
> >
> >  Thanks,
> >
> >  Travis
> >
> >  Travis Bowen---07/09/2013 02:43:58 PM---I am using
> >
>
|-----------------+--------------------------------+------------+-----+------------------

> >
> >  From: Travis Bowen/Tucson/IBM@IBMUS
> >  To: users@tomcat.apache.org,
> >  Date: 07/09/2013 02:43 PM
> >  Subject: roleNested seems to not be working in tomcat 6
> >
> > -------------------------
> >
> >  I am using
> >
> > Apache Tomcat/6.0.37
> > pxa6460sr13fp2-20130424_01 (SR13 FP2)
> > IBM Corporation
> > Linux
> > 2.6.32-358.2.1.el6.x86_64
> > amd64
> >
> >  I have the following context defined for my application:
> >
> >  <?xml version=_"1.0"_ encoding=_"UTF-8"_?>
> >  <Context>
> >  <Realm className=_"org.apache.catalina.realm.JNDIRealm"_
> >  debug=_"99"_
> >  connectionURL=_"ldaps://xxxx.xxxx.xxxx.com:636"_
> >  userBase=_"ou=xxxxxxx,o=ibm.com"_
> >  userSearch=_"(mail={0})"_
> >  userSubtree=_"true"_
> >  roleBase=_"ou=xxxxxx,ou=xxxxxxx,o=ibm.com"_
> >  roleSubtree=_"false"_
> >  roleNested=_"true"_
> >  roleSearch=_"(uniqueMember={0})"_
> >  roleName=_"cn"_ />
> >  </Context>
> >
> >  I have a user defined who is a member of one group which is a member
> > of another group under the roleBase. After authenticating I only get
> > the role/group that the user is a direct member of, it doesn't return
> > the role/group that the group is a member of.
> >
> >  I downloaded the source of org.apache.catalina.realm.JNDIRealm and
> > the roleNested attribute is never used except in the setters and
> > getters. Seems like it is being ignored. Is this feature available in
> > tomcat 6? The docs say it is but it doesn't seem to work.
> >
> >  Thanks,
> >
> >  Travis
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>


Mime
  • Unnamed multipart/related (inline, None, 0 bytes)
View raw message