tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Travis Bowen <tbo...@us.ibm.com>
Subject Re: roleNested seems to not be working in tomcat 6
Date Wed, 10 Jul 2013 14:34:29 GMT

Thanks for the info.  However the issue is that groups are not stored as
uniqueMember but uniqueGroup so the roleSearch is not applicable.

Thanks,

Travis



From:	Felix Schumacher <felix.schumacher@internetallee.de>
To:	Tomcat Users List <users@tomcat.apache.org>,
Date:	07/10/2013 12:14 AM
Subject:	Re: roleNested seems to not be working in tomcat 6



Am 10.07.2013 00:46, schrieb Travis Bowen:
> Ok I found where it is being used in the getRoles method however I'm
> still wondering why it doesn't work. I don't see any way to define the
> member group attribute name, it is uniqueGroup in the dir server I am
> connecting to.

roleSearch will be used for every group found.


Given your config and your groups/persons are as follows

dn: cn=group1,ou=...
cn: group1
uniqueMember: cn=person1,ou=...

dn: cn=group2,ou=...
cn: group2
uniqueMember: cn=group1,ou=...

dn: cn=person1,ou=...
cn: person1
mail: person1@...

When you log in as person1@... first thing the realm does is to look up
dn for that person using mail=person1@...
It will get dn: cn=person1,ou=... as dn and will try roleSearch with {0}
equal the newly found dn.

So the next lookup is uniqueMember=cn=person,ou=... which gives us
cn=group1,ou=...

The attribute cn of that group will be stored as a role. Since
nestedRoles is enabled it will now do a new search with roleSearch and
the dn (and cn in your case).
The lookup will be uniqueMember=cn=group1,ou=... which will give us
cn=group2,ou=... and again the cn (group2) will be stored.

So after that your user will have two roles (group1, group2).

It looks to me that the logic for nested roles is reverse to the one you
expected.

If you want to get debug output, you can put the line

org.apache.catalina.realm.JNDIRealm.level = FINE

at the end of your conf/logging.properties. The attribute debug in your
realm definition is being ignored (and invalid).

Regards
  Felix

>
>  Thanks,
>
>  Travis
>
>  Travis Bowen---07/09/2013 02:43:58 PM---I am using
>
|-----------------+--------------------------------+------------+-----+------------------

>
>  From: Travis Bowen/Tucson/IBM@IBMUS
>  To: users@tomcat.apache.org,
>  Date: 07/09/2013 02:43 PM
>  Subject: roleNested seems to not be working in tomcat 6
>
> -------------------------
>
>  I am using
>
> Apache Tomcat/6.0.37
> pxa6460sr13fp2-20130424_01 (SR13 FP2)
> IBM Corporation
> Linux
> 2.6.32-358.2.1.el6.x86_64
> amd64
>
>  I have the following context defined for my application:
>
>  <?xml version=_"1.0"_ encoding=_"UTF-8"_?>
>  <Context>
>  <Realm className=_"org.apache.catalina.realm.JNDIRealm"_
>  debug=_"99"_
>  connectionURL=_"ldaps://xxxx.xxxx.xxxx.com:636"_
>  userBase=_"ou=xxxxxxx,o=ibm.com"_
>  userSearch=_"(mail={0})"_
>  userSubtree=_"true"_
>  roleBase=_"ou=xxxxxx,ou=xxxxxxx,o=ibm.com"_
>  roleSubtree=_"false"_
>  roleNested=_"true"_
>  roleSearch=_"(uniqueMember={0})"_
>  roleName=_"cn"_ />
>  </Context>
>
>  I have a user defined who is a member of one group which is a member
> of another group under the roleBase. After authenticating I only get
> the role/group that the user is a direct member of, it doesn't return
> the role/group that the group is a member of.
>
>  I downloaded the source of org.apache.catalina.realm.JNDIRealm and
> the roleNested attribute is never used except in the setters and
> getters. Seems like it is being ignored. Is this feature available in
> tomcat 6? The docs say it is but it doesn't seem to work.
>
>  Thanks,
>
>  Travis

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
  • Unnamed multipart/related (inline, None, 0 bytes)
View raw message