From: Felix Schumacher
To: users@tomcat.apache.org
Date: Thu, 11 Jul 2013 19:34:33 +0200
Subject: Re: roleNested seems to not be working in tomcat 6
Message-ID: <51DEECA9.5000503@internetallee.de>
References: <9c5f5f0afc4f25b9a1d758a2227f5bc3@mail.internetallee.de> <51DDA333.1020900@internetallee.de>
On 11.07.2013 16:42, Travis Bowen wrote:
>
> Thank you that does work but it takes a very long time since there are
> tens of thousands of groups and many have thousands of users. Using
> that search means that both the uniqueMember and uniqueGroup are
> searched initially instead of just searching for users' membership
> first then searching for uniqueGroups. What is really needed is a
> separate search string for nested groups, something like subRoleSearch
> in the context configuration which the realm can use if roleNested is
> true.
>
I have opened a feature request for this under
https://issues.apache.org/bugzilla/show_bug.cgi?id=55243 since it may be
useful.

Have you looked whether indexes on your ldap server can speed up things?

Regards
Felix

> Thanks,
>
> Travis
>
> From: Felix Schumacher
> To: Tomcat Users List
> Date: 07/10/2013 11:09 AM
> Subject: Re: roleNested seems to not be working in tomcat 6
>
> On 10.07.2013 16:34, Travis Bowen wrote:
> >
> > Thanks for the info. However the issue is that groups are not stored
> > as uniqueMember but uniqueGroup so the roleSearch is not applicable.
> >
> You could try a roleSearch="|(uniqueMember={0})(uniqueGroup={0})". The
> {i} should be replaced multiple times.
>
> HTH
> Felix
>
> > Thanks,
> >
> > Travis
> >
> > From: Felix Schumacher
> > To: Tomcat Users List
> > Date: 07/10/2013 12:14 AM
> > Subject: Re: roleNested seems to not be working in tomcat 6
> >
> > On 10.07.2013 00:46, Travis Bowen wrote:
> > > Ok I found where it is being used in the getRoles method however I'm
> > > still wondering why it doesn't work. I don't see any way to define the
> > > member group attribute name, it is uniqueGroup in the dir server I am
> > > connecting to.
> >
> > roleSearch will be used for every group found.
> >
> > Given your config and your groups/persons are as follows
> >
> > dn: cn=group1,ou=...
> > cn: group1
> > uniqueMember: cn=person1,ou=...
> >
> > dn: cn=group2,ou=...
> > cn: group2
> > uniqueMember: cn=group1,ou=...
> >
> > dn: cn=person1,ou=...
> > cn: person1
> > mail: person1@...
> >
> > When you log in as person1@... first thing the realm does is to look up
> > dn for that person using mail=person1@...
> > It will get dn: cn=person1,ou=... as dn and will try roleSearch with {0}
> > equal the newly found dn.
> >
> > So the next lookup is uniqueMember=cn=person,ou=... which gives us
> > cn=group1,ou=...
> >
> > The attribute cn of that group will be stored as a role. Since
> > nestedRoles is enabled it will now do a new search with roleSearch and
> > the dn (and cn in your case).
> > The lookup will be uniqueMember=cn=group1,ou=... which will give us
> > cn=group2,ou=... and again the cn (group2) will be stored.
> >
> > So after that your user will have two roles (group1, group2).
> >
> > It looks to me that the logic for nested roles is reverse to the one you
> > expected.
> >
> > If you want to get debug output, you can put the line
> >
> > org.apache.catalina.realm.JNDIRealm.level = FINE
> >
> > at the end of your conf/logging.properties. The attribute debug in your
> > realm definition is being ignored (and invalid).
> >
> > Regards
> > Felix
> >
> > > Thanks,
> > >
> > > Travis
> > >
> > > From: Travis Bowen/Tucson/IBM@IBMUS
> > > To: users@tomcat.apache.org
> > > Date: 07/09/2013 02:43 PM
> > > Subject: roleNested seems to not be working in tomcat 6
> > >
> > > I am using
> > >
> > > Apache Tomcat/6.0.37
> > > pxa6460sr13fp2-20130424_01 (SR13 FP2)
> > > IBM Corporation
> > > Linux
> > > 2.6.32-358.2.1.el6.x86_64
> > > amd64
> > >
> > > I have the following context defined for my application:
> > >
> > >     debug="99"
> > >     connectionURL="ldaps://xxxx.xxxx.xxxx.com:636"
> > >     userBase="ou=xxxxxxx,o=ibm.com"
> > >     userSearch="(mail={0})"
> > >     userSubtree="true"
> > >     roleBase="ou=xxxxxx,ou=xxxxxxx,o=ibm.com"
> > >     roleSubtree="false"
> > >     roleNested="true"
> > >     roleSearch="(uniqueMember={0})"
> > >     roleName="cn" />
> > >
> > > I have a user defined who is a member of one group which is a member
> > > of another group under the roleBase. After authenticating I only get
> > > the role/group that the user is a direct member of, it doesn't return
> > > the role/group that the group is a member of.
> > >
> > > I downloaded the source of org.apache.catalina.realm.JNDIRealm and
> > > the roleNested attribute is never used except in the setters and
> > > getters. Seems like it is being ignored. Is this feature available in
> > > tomcat 6? The docs say it is but it doesn't seem to work.
> > >
> > > Thanks,
> > >
> > > Travis
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
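The role expansion Felix walks through above (userSearch gives the user's DN, roleSearch with {0} set to that DN gives the first groups, and with roleNested the same search is repeated with each group's DN), as an added example that is not code from the Tomcat project or from anyone in this thread. It is a small in-memory model, and it goes a little beyond the thread: it includes a cycle between two groups to show why a visited set is needed, it runs the same user against a directory where nesting is stored as uniqueGroup instead of uniqueMember (Travis's layout), and it tries both the OR filter Felix proposed (written here with the outer parentheses an RFC 4515 filter needs) and the separate nested-group filter Travis asked for. All DNs, attribute values and config values are constructed for the example, and the subRoleSearch key is hypothetical, not a Tomcat option.

```python
"""
Added example: an in-memory model of JNDIRealm's nested role lookup.
Not Tomcat code. Every DN, attribute and config value is constructed here;
"subRoleSearch" is a hypothetical key, not something Tomcat understands.
"""
from collections import deque


def make_directory(nesting_attr):
    """Constructed directory: group1 holds person1 via uniqueMember; group2
    holds group1 and group3, and group3 holds group2 (a cycle), all via
    `nesting_attr` (uniqueMember or uniqueGroup)."""
    people, groups = "ou=people,o=example", "ou=groups,o=example"
    return {
        f"cn=person1,{people}": {"cn": ["person1"],
                                 "mail": ["person1@example.com"]},
        f"cn=group1,{groups}": {"cn": ["group1"],
                                "uniqueMember": [f"cn=person1,{people}"]},
        f"cn=group2,{groups}": {"cn": ["group2"],
                                nesting_attr: [f"cn=group1,{groups}",
                                               f"cn=group3,{groups}"]},
        f"cn=group3,{groups}": {"cn": ["group3"],
                                nesting_attr: [f"cn=group2,{groups}"]},
    }


def _split_top_level(s):
    """Split '(a=b)(c=d)' into ['(a=b)', '(c=d)'], respecting nesting."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def matches(entry, flt):
    """Evaluate the RFC 4515 subset needed here: equality, AND, OR.
    The filter must be fully parenthesised, e.g. (|(a=x)(b=x))."""
    flt = flt.strip()
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError(f"filter must be parenthesised: {flt!r}")
    body = flt[1:-1]
    if body[:1] in ("&", "|"):
        results = [matches(entry, sub) for sub in _split_top_level(body[1:])]
        return all(results) if body[0] == "&" else any(results)
    attr, _, value = body.partition("=")       # split on the first '=' only
    return value in entry.get(attr, [])        # LDAP attributes are multi-valued


def search(directory, base, flt, subtree):
    """DNs under `base` whose entry matches `flt`; one level only if not subtree."""
    hits = []
    for dn, attrs in directory.items():
        if not dn.endswith("," + base):
            continue
        if not subtree and "," in dn[: -len(base) - 1]:
            continue  # roleSubtree="false": only direct children of roleBase
        if matches(attrs, flt):
            hits.append(dn)
    return hits


def get_roles(directory, cfg, username):
    """Role names in discovery order, or None when the user is not found
    exactly once (the realm would then refuse the login)."""
    hits = search(directory, cfg["userBase"],
                  cfg["userSearch"].replace("{0}", username),
                  cfg["userSubtree"] == "true")
    if len(hits) != 1:
        return None
    # First search: roleSearch with {0} = user DN. Later searches: the nested
    # filter with {0} = group DN (in Tomcat 6 that is the same roleSearch).
    nested_filter = cfg.get("subRoleSearch", cfg["roleSearch"])  # hypothetical key
    roles, seen = [], set()
    pending = deque([(hits[0], cfg["roleSearch"])])
    while pending:
        dn, flt = pending.popleft()
        for group_dn in search(directory, cfg["roleBase"],
                               flt.replace("{0}", dn),
                               cfg["roleSubtree"] == "true"):
            if group_dn in seen:          # cycle or duplicate: never loop
                continue
            seen.add(group_dn)
            roles.extend(directory[group_dn][cfg["roleName"]])
            if cfg["roleNested"] == "true":
                pending.append((group_dn, nested_filter))
    return roles


CONFIG = {  # same attribute names as the realm in the original post
    "userBase": "ou=people,o=example", "userSearch": "(mail={0})",
    "userSubtree": "true", "roleBase": "ou=groups,o=example",
    "roleSubtree": "false", "roleNested": "true",
    "roleSearch": "(uniqueMember={0})", "roleName": "cn",
}


def demo(user="person1@example.com"):
    """The situations discussed in the thread, side by side."""
    or_cfg = dict(CONFIG, roleSearch="(|(uniqueMember={0})(uniqueGroup={0}))")
    sub_cfg = dict(CONFIG, subRoleSearch="(uniqueGroup={0})")  # hypothetical
    return {
        "A": get_roles(make_directory("uniqueMember"), CONFIG, user),  # Felix's layout
        "B": get_roles(make_directory("uniqueGroup"), CONFIG, user),   # Travis's layout, group2 missed
        "C": get_roles(make_directory("uniqueGroup"), or_cfg, user),   # OR filter finds all
        "D": get_roles(make_directory("uniqueGroup"), sub_cfg, user),  # separate nested filter
    }


if __name__ == "__main__":
    for case, roles in demo().items():
        print(case, roles)
```

Case B is the behaviour from the original post: with nesting stored as uniqueGroup, `(uniqueMember={0})` run against a group DN matches nothing, so expansion stops after group1. Cases C and D both return group1, group2 and group3, but C evaluates two attribute tests in every search, including the first one against the user DN, which is the cost Travis describes; D only tests uniqueGroup once it is walking groups. On a real Tomcat 6 the equivalent trace of each search is what the `org.apache.catalina.realm.JNDIRealm.level = FINE` line in conf/logging.properties prints.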