tomcat-users mailing list archives

From Igor Cicimov <icici...@gmail.com>
Subject Re: JNDIRealm and TLS, was: Re: JNDIRealm Authentication and Roles
Date Tue, 07 Oct 2014 23:39:38 GMT
On Wed, Oct 8, 2014 at 4:16 AM, Felix Schumacher <
felix.schumacher@internetallee.de> wrote:

> On 07.10.2014 at 14:32, Igor Cicimov wrote:
>
>> Hi Felix,
>>
>> First thanks for your reply.
>>
>> On Tue, Oct 7, 2014 at 6:35 PM, Felix Schumacher <
>> felix.schumacher@internetallee.de> wrote:
>>
>>> Hi Igor,
>>>
>>> On 07.10.2014 07:07, Igor Cicimov wrote:
>>>
>>>> Hi all,
>>>>
>>>> I've been setting up user authentication based on JNDIRealm and have a
>>>> couple of questions regarding the operation. I've been using one of the
>>>> secured applications that come with the examples included in Tomcat source
>>>> for testing. My setup with obfuscated names and passwords is as follows.
>>>>
>>> Which tomcat version do you use?
>>>
>> It's 7.0.52-1ubuntu0.1 from the Ubuntu 14.04 repository, sorry I missed
>> mentioning that.
>>
>>>> I have the following Realm in the default host:
>>>>
>>>>        <Host name="localhost"  appBase="webapps" unpackWARs="true"
>>>> autoDeploy="false">
>>>>          <Realm className="org.apache.catalina.realm.JNDIRealm"
>>>>                 debug="99"
>>>>
>>> debug is not used anymore, so just delete it.
>>>
>> Done.
>>
>>>>                 connectionURL="ldap://ldap1.mydomain.com:389"
>>>>                 alternateURL="ldap://ldap2.mydomain.com:389"
>>>>                 connectionName="cn=connect,ou=Users,dc=mydomain,dc=com"
>>>>                 connectionPassword="password"
>>>>                 userBase="ou=Users,dc=mydomain,dc=com"
>>>>                 userSearch="uid={0}"
>>>>                 roleBase="ou=Groups,dc=mydomain,dc=com"
>>>>                 roleName="cn"
>>>>                 roleSearch="memberUid={1}"
>>>>                 contextFactory="org.apache.catalina.ldap.realm.LdapTlsContextFactory"/>
>>>>
>>> Do you need the LdapTlsContextFactory? If so, what is your ldap server
>>> setup?
>>>
>> Good that you mentioned that, I wanted to ask about this in a separate
>> thread. I was searching for STARTTLS support in the JNDIRealm and this was
>> the only solution I could find. I got the directions from here:
>> http://wiki.apache.org/tomcat/JNDI_startTLs_HowTo, so I compiled and
>> installed the context factory since TLS is a must for my use case.
>> It's working fine for me but I still wanted to ask, since the above HowTo is
>> from 2010: has this maybe been integrated in the Tomcat mainstream now and
>> I have missed something in the documentation, or is it still the (only) valid
>> solution for TLS support?
>>
> If TLS is important to you, I hope you have changed the HostnameVerifier to
> something more sensible :)
>
Hmmm, was not aware of that, will have a look for sure.

> There is a bug request open https://issues.apache.org/bugzilla/show_bug.cgi?id=49785
> but only very few people asked for it in the last four years. You can try
> to vote it up.
>
Thanks for the link, I upvoted.

> I have only used ldap servers, which would be reachable by ssl, so there
> was no need for me to investigate further. Any reason why your ldap server
> can't be used with ssl?
>
Well, for ldap ssl is considered deprecated in favour of tls, which I use
everywhere possible like ldap, postfix etc. I don't see a reason for using
ssl and opening another port on the server but that's maybe just me :-)

> Felix
>

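Felix's remark about the HostnameVerifier is the security-relevant point of this exchange: the JDK's StartTlsResponse.negotiate() first checks the server certificate against the host name in the connection URL itself, and the verifier passed to setHostnameVerifier() is consulted only when that built-in check has already failed. A verifier that simply returns true therefore turns a certificate/hostname mismatch, which is what a man-in-the-middle between Tomcat and the directory would produce, into a silent success. The following is an added example, written for this archive page and not taken from the thread, from the wiki HowTo or from Tomcat's own sources; it is a JNDI InitialContextFactory that upgrades a plain ldap:// connection with StartTLS, binds only after the channel is encrypted, and fails closed when the default hostname check does not pass. The package and class names are assumptions, chosen for illustration.

```java
// Added example (not from the thread, the wiki HowTo or Tomcat): a JNDI context
// factory that performs StartTLS before the simple bind and keeps hostname
// verification strict. Package and class names are assumed.
package example.ldap;

import java.io.IOException;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.naming.spi.InitialContextFactory;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;

public class StrictStartTlsContextFactory implements InitialContextFactory {

    /**
     * Fallback verifier. The JDK only calls it after its own RFC 2830 hostname
     * check (certificate name vs. the host in the ldap:// URL) has failed, so
     * the only safe answer here is "no". An accept-all verifier at this point
     * would make any certificate acceptable for any host name.
     */
    static final HostnameVerifier FAIL_CLOSED = new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            return false;
        }
    };

    @Override
    public Context getInitialContext(Hashtable<?, ?> environment) throws NamingException {
        // Work on a copy so the caller's table (e.g. the one JNDIRealm builds)
        // is left untouched, and route the actual connection through the JDK's
        // LDAP provider underneath this factory.
        Hashtable<Object, Object> env = new Hashtable<Object, Object>(environment);
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");

        // Hold back the bind credentials: binding before negotiate() would send
        // connectionPassword over the wire in clear text.
        Object principal = env.remove(Context.SECURITY_PRINCIPAL);
        Object credentials = env.remove(Context.SECURITY_CREDENTIALS);
        Object authentication = env.remove(Context.SECURITY_AUTHENTICATION);
        env.put(Context.SECURITY_AUTHENTICATION, "none");

        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            StartTlsResponse tls =
                    (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            tls.setHostnameVerifier(FAIL_CLOSED);  // must be set before negotiate()
            tls.negotiate();  // default SSLSocketFactory, so the JVM trust store decides
        } catch (IOException e) {
            ctx.close();
            NamingException ne = new NamingException("StartTLS negotiation failed");
            ne.setRootCause(e);
            throw ne;
        }

        // Only now, over the protected channel, perform the simple bind.
        if (principal != null) {
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION,
                    authentication == null ? "simple" : authentication);
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, principal);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, credentials);
            ctx.reconnect(null);
        }
        return ctx;
    }
}
```

With this class on Tomcat's classpath it would be referenced from the Realm's contextFactory attribute in place of the HowTo's class. Two checks worth doing against a deployment like the one in the thread: the certificates served by ldap1.mydomain.com and ldap2.mydomain.com must each carry the host name used in connectionURL or alternateURL, since the fallback verifier no longer papers over a mismatch, and the issuing CA must be present in the JVM trust store, because negotiate() here relies on the default SSLSocketFactory.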