tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Felix Schumacher <>
Subject JNDIRealm and TLS, was: Re: JNDIRealm Authentication and Roles
Date Tue, 07 Oct 2014 17:16:12 GMT
Am 07.10.2014 um 14:32 schrieb Igor Cicimov:
> Hi Felix,
> First thanks for your reply.
> On Tue, Oct 7, 2014 at 6:35 PM, Felix Schumacher <
>> wrote:
>> Hi Igor,
>> Am 07.10.2014 07:07, schrieb Igor Cicimov:
>>> Hi all,
>>> I've been setting up user authentication based on JNDIRealm and have
>>> couple
>>> of questions regarding the operation. I've been using one of the secured
>>> applications that come with the examples included in Tomcat source for
>>> testing. My setup with obfuscated names and passwords is as follows.
>> Which tomcat version do you use?
> It's  7.0.52-1ubuntu0.1 from Ubuntu 14.04 repository, sorry I missed
> mentioning that.
>>> I have the following Realm in the default host:
>>>        <Host name="localhost"  appBase="webapps" unpackWARs="true"
>>> autoDeploy="false">
>>>          <Realm className="org.apache.catalina.realm.JNDIRealm"
>>>                 debug="99"
>> debug is not used anymore, so just delete it.
> Done.
>>                  connectionURL="ldap://"
>>>                 alternateURL="ldap://"
>>>                 connectionName="cn=connect,ou=Users,dc=mydomain,dc=com"
>>>                 connectionPassword="password"
>>>                 userBase="ou=Users,dc=mydomain,dc=com"
>>>                 userSearch="uid={0}"
>>>                 roleBase="ou=Groups,dc=mydomain,dc=com"
>>>                 roleName="cn"
>>>                 roleSearch="memberUid={1}"
>>> contextFactory="org.apache.catalina.ldap.realm.LdapTlsContextFactory"/>
>> Do you need the LdapTlsContextFactory? If so, what is your ldap server
>> setup?
> Good that you mentioned that I wanted to ask about this in a separate
> thread. I was searching for STARTTLS support in the JNDIRealm and this was
> the only solution I could find. I got the directions from here:
>, so I compiled and
> installed the context factory since the TLS is a must fro my user case.
> It's working fine for me but still wanted to ask, since the above HowTo is
> from 2010, has this been maybe integrated in the Tomcat mainstream now and
> I have missed something in the documentation or is it still a (only) valid
> solution for TLS support?
If TLS is important to you, I hope you have changed the HostnameVerifier to
something more sensible :)

There is a bug request open
but only very few people asked for it in the last four years. You can 
try to vote it up.

I have only used ldap servers, which would be reachable by ssl, so there 
was no
need for me to investigate further. Any reason why your ldap server 
can't be used with ssl?


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message