tomcat-users mailing list archives

From Hendrik Dev <hendrikde...@gmail.com>
Subject JNDI Realm and GSSAPI problems with TC 7
Date Thu, 05 Dec 2013 14:48:07 GMT
Hi,

I have a few questions about the JNDIRealm, GSSAPI (Kerberos 5 mech)
authentication and the SPNEGO Authenticator Valve in TC 7.0.47:

Preface: In the docs, SPNEGO Authenticator Valve/JNDIRealm is called
"30) Windows Authentication", but I guess it's not only working for
Windows? I see no code which is explicitly tied to Windows or Active
Directory, so I assume it's also working for a Linux/MIT Kerberos/OpenLDAP
setup. Is this true?

What I am trying to achieve is that the JNDIRealm will use the user's
(who is authenticated by the SPNEGO valve) delegated credentials to
connect to the LDAP server and then query the roles to which the user
belongs. This is not working for me for two reasons:

1) JndiRealm tries initially on startup to make a connection to the
LDAP server which makes no sense because there are no GSSAPI
credentials yet -> JndiRealm.startInternal() (Line 2225)

2) After temporarily solving issue 1), the JNDI Realm prompts me for
username and password. This seems to be originating from the SASL
Client default callback. I tried to register my own callback handler
(setting java.naming.security.sasl.callback) but it's ignored.
Inspecting the code of JNDIRealm.java, it seems that such a scenario is
not intended, but the docs argue the converse:
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Tomcat_instance

Any help is appreciated.

Thanks
Hendrik
