tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Felix Schumacher <felix.schumac...@internetallee.de>
Subject Re: JNDIRealm - Active Directory Roles
Date Sat, 15 Mar 2014 20:51:57 GMT
Am 13.03.2014 18:15, schrieb Bjoern.Becker@easycash.de:
> Hello,
>
> I try to implement the authentification for the tomcat manager application against active
directory.
>
> Unfortunately I don't understand the role concept. I like to give the users permissions
to open the manager when they're in this group:
>
>> memberOf: CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de
> server.xml:
>          <Realm className="org.apache.catalina.realm.JNDIRealm"  debug="99"
>                  connectionName="CN=SVC,OU=Service Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
>                  connectionPassword="_2VK!WHzybn1SJ8P"
>                  connectionURL="ldap://server:389/OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de?sAMAccountName?sub?(objectClass=*)"
>          
>                  userSearch="(sAMAccountName={0})"
>                  userSubtree="true"
>
>                  roleSearch="(memberof={0})"
>                  roleSubtree="true"
>                  userRoleName="CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de
"
>              />
>
> <!--            roleBase="DC=DOM,DC=de"
>                  roleName="cn"
> -->
>
> With this configuration I can open the Manager, but got no permissions.
>
> Even if the user role relationship will found, I don't understand how I can assign tomcat
roles (e.g. manager-gui) to the user.
Looking at the documentation on 
http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm

you have three settings which are most probably not correct.

  * roleSearch will only be used, if roleName is set (which is commented 
out in your configuration)
  * roleSearch will be used to search for objects that match the given 
filter. In your case you would find user objects instead of group objects.
  * userRoleName should be the name of an attribute in the user object 
(cn=... is not a name of an attribute, but rather a value)

So given your goal, that cn=tomcat admins,... should be a role, you have 
two options.

  * You could activate roleName=cn (or another attribute name) and 
change the roleSearch to member={0}. Then the realm would (hopefully) 
find the object cn=tomcat admins,...
  * You could change userRoleName to memberOf

In the first case your user would have a role with the name "Tomcat 
Admins". The second option would lead to a role name of "cn=Tomcat 
Admins,...".

In both cases you would have to change the security constraints in the 
webapp (those are defined in the WEB-INF/web.xml file).

If your role objects had other attributes with values that match the 
roles defined in web.xml you could simply change roleName in the first 
option above.

Regards
  Felix


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message