Re: JNDIRealm - mapping LDAP group to security role
> I am trying to configure a JNDIRealm to authenticate against an Active Directory.
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
> The authentication seems to work but I wonder how to map LDAP groups to security roles.
> I do not want to add groups in the LDAP server, but to map existing ones to the roles defined in my web application instead.
> Is it possible? I did not find any doc / post about this topic.

You could write a custom JNDIRealm that does the mapping/authentication. I've seen this done with postgres, but not with an LDAP server (or AD), but it should be a similar process.

Then you add it to tomcat/lib and configure your context and web.xml to use the custom JNDIRealm instead of the provided realm.

Kev

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: JNDIRealm - mapping LDAP group to security role
2008/10/9 Kevin Jackson [EMAIL PROTECTED]:
>> I am trying to configure a JNDIRealm to authenticate against an Active Directory.
>> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
>> The authentication seems to work but I wonder how to map LDAP groups to security roles.
>> I do not want to add groups in the LDAP server, but to map existing ones to the roles defined in my web application instead.
>> Is it possible? I did not find any doc / post about this topic.
>
> You could write a custom JNDIRealm that does the mapping/authentication. I've seen this done with postgres, but not with an LDAP server (or AD), but it should be a similar process.
>
> Then you add it to tomcat/lib and configure your context and web.xml to use the custom JNDIRealm instead of the provided realm.
>
> Kev

Thanks Kevin, that's exactly what I finally did! ;-)
Re: JNDIRealm - mapping LDAP group to security role
Geronimo maps roles to security principals:
http://cwiki.apache.org/GMOxDOC10/jboss-to-geronimo-security-migration.html

Maybe this feature could be ported into tomcat.

On Thu, Oct 9, 2008 at 3:18 PM, Kevin Jackson [EMAIL PROTECTED] wrote:
>> I am trying to configure a JNDIRealm to authenticate against an Active Directory.
>> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
>> The authentication seems to work but I wonder how to map LDAP groups to security roles.
>> I do not want to add groups in the LDAP server, but to map existing ones to the roles defined in my web application instead.
>> Is it possible? I did not find any doc / post about this topic.
>
> You could write a custom JNDIRealm that does the mapping/authentication. I've seen this done with postgres, but not with an LDAP server (or AD), but it should be a similar process.
>
> Then you add it to tomcat/lib and configure your context and web.xml to use the custom JNDIRealm instead of the provided realm.
>
> Kev
Re: JNDIRealm - mapping LDAP group to security role
2008/9/23 Jérôme Delattre [EMAIL PROTECTED]
> Hello,
>
> Env: Tomcat 6.0.18 / Java 6 / Windows
>
> I am trying to configure a JNDIRealm to authenticate against an Active Directory.
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
> The authentication seems to work but I wonder how to map LDAP groups to security roles.
> I do not want to add groups in the LDAP server, but to map existing ones to the roles defined in my web application instead.
> Is it possible? I did not find any doc / post about this topic.
>
> Thanks,
> Jerome

So for the log, and if it can help someone, here is how I resolved my issue:

I've extended the JNDIRealm class to override the getRoles(...) method.

package org.apache.catalina.realm;

import java.util.List;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
...

public class CustomJNDIRealm extends JNDIRealm {
    ...
    @Override
    protected List<String> getRoles(DirContext context, User user) throws NamingException {
        // roles found by the stock realm: the user's LDAP group names
        List<String> ldapRoles = super.getRoles(context, user);
        // customized part: add the security roles mapped to those groups
        return ldapRoles;
    }
    ...
}

The package needs to be the same as the JNDIRealm class, otherwise the class User is not visible.

In the custom part of the method I read a properties file that describes the mapping between LDAP roles and security roles. And I simply add the security roles to the ldapRoles list before returning it.

The properties file is in Tomcat's lib directory and looks like:

securityrole1=group1,group2,group4
securityrole2=group3
securityrole3=group5,group6
...

And to be exhaustive, here is the realm configuration for Active Directory that works in my env:

<Realm className="org.apache.catalina.realm.CustomJNDIRealm"
       debug="99"
       connectionURL="ldap://myADserver:389"
       connectionName="myADreadonlyUser"
       connectionPassword="password"
       referrals="follow"
       userBase="DC=mycompany,DC=com"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleBase="DC=mycompany,DC=com"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true"/>

Cheers,
Jerome
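The approach described above, filled in as an added example (this is not Jerome's code or Tomcat's): a JNDIRealm subclass that reads the "securityrole=group1,group2" properties file, inverts it into a group-to-roles table, and appends the mapped security roles to whatever groups the stock realm found. The class name MappingJNDIRealm, the roleMappingFile attribute and the default file location are assumptions; the getRoles(DirContext, User) signature and the same-package requirement are taken from the message above (Tomcat 6).

```java
package org.apache.catalina.realm;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;

import javax.naming.NamingException;
import javax.naming.directory.DirContext;

/**
 * Added example, not code from the thread. Maps the LDAP groups returned by
 * the stock JNDIRealm to web.xml security roles read from a properties file:
 *   securityrole1=group1,group2,group4
 *   securityrole2=group3
 * Lives in org.apache.catalina.realm because the Tomcat 6 User class is
 * package-private. The class name and the roleMappingFile attribute are
 * assumed names, not Tomcat's.
 */
public class MappingJNDIRealm extends JNDIRealm {

    // Set from the <Realm> element (Tomcat copies attributes onto bean setters).
    // Relative paths are resolved against catalina.base.
    private String roleMappingFile = "conf/role-mapping.properties";

    // Loaded once on first use: lower-cased group name -> security roles.
    private volatile Map<String, List<String>> groupToRoles;

    public String getRoleMappingFile() { return roleMappingFile; }
    public void setRoleMappingFile(String f) { roleMappingFile = f; }

    /** Inverts "role=groupA,groupB" entries into a group -> roles map. */
    static Map<String, List<String>> invert(Properties mapping) {
        Map<String, List<String>> result = new HashMap<String, List<String>>();
        for (String role : mapping.stringPropertyNames()) {
            for (String group : mapping.getProperty(role).split(",")) {
                String key = group.trim().toLowerCase(); // LDAP cn matching is case-insensitive
                if (key.isEmpty()) continue;
                List<String> roles = result.get(key);
                if (roles == null) {
                    roles = new ArrayList<String>();
                    result.put(key, roles);
                }
                roles.add(role.trim());
            }
        }
        return result;
    }

    /** The user's LDAP groups plus every security role mapped to one of them. */
    static List<String> mapRoles(List<String> ldapRoles, Map<String, List<String>> groupToRoles) {
        List<String> result = new ArrayList<String>();
        if (ldapRoles == null) return result; // the stock getRoles may return null
        result.addAll(ldapRoles);
        for (String group : ldapRoles) {
            List<String> mapped = groupToRoles.get(group.toLowerCase());
            if (mapped == null) continue;
            for (String role : mapped) {
                if (!result.contains(role)) result.add(role);
            }
        }
        return result;
    }

    private Map<String, List<String>> loadMapping() throws NamingException {
        Map<String, List<String>> m = groupToRoles;
        if (m != null) return m;
        File file = new File(roleMappingFile);
        if (!file.isAbsolute()) {
            file = new File(System.getProperty("catalina.base", "."), roleMappingFile);
        }
        Properties props = new Properties();
        InputStream in = null;
        try {
            in = new FileInputStream(file);
            props.load(in);
        } catch (IOException e) {
            // Fail closed: a NamingException here never yields an authenticated principal.
            throw new NamingException("cannot read role mapping " + file + ": " + e);
        } finally {
            if (in != null) { try { in.close(); } catch (IOException ignored) { } }
        }
        m = invert(props);
        groupToRoles = m;
        return m;
    }

    @Override
    protected List<String> getRoles(DirContext context, User user) throws NamingException {
        return mapRoles(super.getRoles(context, user), loadMapping());
    }
}
```

Two design points worth checking in your own deployment. The mapping is read once and cached, so an edited file takes effect only after a restart (deliberate, so a half-written file cannot change authorization mid-run). And because the raw group names are still returned, as in the message above, a web.xml role whose name happens to equal an AD group name is granted directly to that group's members; if you want web.xml roles to be reachable only through the mapping file, drop the `result.addAll(ldapRoles)` line so that only mapped roles are returned.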
Re: JNDIRealm - mapping LDAP group to security role
Hi Jerome,

have you thought about adding an extra attribute to the groups, so that the mapping is done by a normal ldap query?

Consider having an objectClass tomcatRoleMapping which has one attribute tomcatRole. Then with your mapping like below

securityrole1=group1,group2,group4
securityrole2=group3
securityrole3=group5,group6

you would extend all groups with tomcatRoleMapping. The value of the attribute tomcatRole could then be securityrole1 for group1, group2 and group4, like this:

dn: cn=group1,...
objectClass: tomcatRoleMapping
objectClass: ...
tomcatRole: securityrole1
cn: group1
...

Now just change the roleName attribute in your realm definition to tomcatRole and you have got a mapping from groups to securityroles.

Bye
Felix

On Wednesday, 08.10.2008, 11:32 +0200, Jérôme Delattre wrote:
> 2008/9/23 Jérôme Delattre [EMAIL PROTECTED]
>> Hello,
>>
>> Env: Tomcat 6.0.18 / Java 6 / Windows
>>
>> I am trying to configure a JNDIRealm to authenticate against an Active Directory.
>> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
>> The authentication seems to work but I wonder how to map LDAP groups to security roles.
>> I do not want to add groups in the LDAP server, but to map existing ones to the roles defined in my web application instead.
>> Is it possible? I did not find any doc / post about this topic.
>>
>> Thanks,
>> Jerome
>
> So for the log, and if it can help someone, here is how I resolved my issue:
>
> I've extended the JNDIRealm class to override the getRoles(...) method.
>
> package org.apache.catalina.realm;
>
> import java.util.List;
> import javax.naming.NamingException;
> import javax.naming.directory.DirContext;
> ...
>
> public class CustomJNDIRealm extends JNDIRealm {
>     ...
>     @Override
>     protected List<String> getRoles(DirContext context, User user) throws NamingException {
>         // roles found by the stock realm: the user's LDAP group names
>         List<String> ldapRoles = super.getRoles(context, user);
>         // customized part: add the security roles mapped to those groups
>         return ldapRoles;
>     }
>     ...
> }
>
> The package needs to be the same as the JNDIRealm class, otherwise the class User is not visible.
>
> In the custom part of the method I read a properties file that describes the mapping between LDAP roles and security roles. And I simply add the security roles to the ldapRoles list before returning it.
>
> The properties file is in Tomcat's lib directory and looks like:
>
> securityrole1=group1,group2,group4
> securityrole2=group3
> securityrole3=group5,group6
> ...
>
> And to be exhaustive, here is the realm configuration for Active Directory that works in my env:
>
> <Realm className="org.apache.catalina.realm.CustomJNDIRealm"
>        debug="99"
>        connectionURL="ldap://myADserver:389"
>        connectionName="myADreadonlyUser"
>        connectionPassword="password"
>        referrals="follow"
>        userBase="DC=mycompany,DC=com"
>        userSearch="(sAMAccountName={0})"
>        userSubtree="true"
>        roleBase="DC=mycompany,DC=com"
>        roleName="cn"
>        roleSearch="(member={0})"
>        roleSubtree="true"/>
>
> Cheers,
> Jerome
RE: JNDIRealm - mapping LDAP group to security role
From: Felix Schumacher [mailto:[EMAIL PROTECTED]]
Subject: Re: JNDIRealm - mapping LDAP group to security role

> have you thought about adding an extra attribute to the groups, so that the mapping is done by a normal ldap query?

Even that's not necessary. The servlet security model already has a built-in mapping capability (security-role-ref) that can be used to convert LDAP or other database values to the roles declared in the web.xml file.

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
RE: JNDIRealm - mapping LDAP group to security role
On Wednesday, 08.10.2008, 12:04 -0500, Caldarale, Charles R wrote:
> From: Felix Schumacher [mailto:[EMAIL PROTECTED]]
> Subject: Re: JNDIRealm - mapping LDAP group to security role
>
>> have you thought about adding an extra attribute to the groups, so that the mapping is done by a normal ldap query?
>
> Even that's not necessary. The servlet security model already has a built-in mapping capability (security-role-ref) that can be used to convert LDAP or other database values to the roles declared in the web.xml file.

Great to know, but you would have to change the files if the group mapping changed. If you have groups or roles reachable by LDAP, you could just use them.

Felix

>  - Chuck
Re: JNDIRealm - mapping LDAP group to security role
2008/10/8 Caldarale, Charles R [EMAIL PROTECTED]
> From: Felix Schumacher [mailto:[EMAIL PROTECTED]]
> Subject: Re: JNDIRealm - mapping LDAP group to security role
>
>> have you thought about adding an extra attribute to the groups, so that the mapping is done by a normal ldap query?
>
> Even that's not necessary. The servlet security model already has a built-in mapping capability (security-role-ref) that can be used to convert LDAP or other database values to the roles declared in the web.xml file.
>
>  - Chuck

security-role-ref is a servlet attribute. What should I do with it? Add the same security-role-ref for each LDAP group to all my servlets? Sounds strange... And what happens if I call request.isUserInRole("myLDAPGroup") anywhere outside a declared servlet?

Jerome
Re: JNDIRealm - mapping LDAP group to security role
2008/10/8 Felix Schumacher [EMAIL PROTECTED]:
> Hi Jerome,
>
> have you thought about adding an extra attribute to the groups, so that the mapping is done by a normal ldap query?
>
> Consider having an objectClass tomcatRoleMapping which has one attribute tomcatRole. Then with your mapping like below
>
> securityrole1=group1,group2,group4
> securityrole2=group3
> securityrole3=group5,group6
>
> you would extend all groups with tomcatRoleMapping. The value of the attribute tomcatRole could then be securityrole1 for group1, group2 and group4, like this:
>
> dn: cn=group1,...
> objectClass: tomcatRoleMapping
> objectClass: ...
> tomcatRole: securityrole1
> cn: group1
> ...
>
> Now just change the roleName attribute in your realm definition to tomcatRole and you have got a mapping from groups to securityroles.
>
> Bye
> Felix

Hi Felix,

Thanks for your proposition, but I want to avoid any change to the LDAP server. The idea is: if you want to install my webapp in your environment, just map your existing groups to my webapp's roles before starting Tomcat and you're done.

Jerome
RE: JNDIRealm - mapping LDAP group to security role
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jérôme Delattre
Subject: Re: JNDIRealm - mapping LDAP group to security role

> What should I do with it? Add the same security-role-ref for each LDAP group to all my servlets? Sounds strange...

Yes, you're right; I missed that this was servlet-specific rather than applicable to the webapp as a whole. Methinks an enhancement to JSR 154 is in order.

 - Chuck
Re: JNDIRealm - mapping LDAP group to security role
No idea? I thought it was a common use case ...

Jerome

2008/9/23 Jérôme Delattre [EMAIL PROTECTED]
> Hello,
>
> Env: Tomcat 6.0.18 / Java 6 / Windows
>
> I am trying to configure a JNDIRealm to authenticate against an Active Directory.
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
> The authentication seems to work but I wonder how to map LDAP groups to security roles.
> I do not want to add groups in the LDAP server, but to map existing ones to the roles defined in my web application instead.
> Is it possible? I did not find any doc / post about this topic.
>
> Thanks,
> Jerome
Re: JNDIRealm - mapping LDAP group to security role
>> I do not want to add groups in the LDAP server, but to map existing ones to the roles defined in my web application instead.
>
> Perhaps you can use the security-role-ref declaration; look in section 12 of the servlet spec.

If I remember well, the security-role-ref just creates an alias on an existing security-role for servlets. It's not related to the mapping between my system groups and the application roles.

Section 12.4 of the servlet spec says:

"A security role is a logical grouping of users defined by the Application Developer or Assembler. When the application is deployed, roles are mapped by a Deployer to principals or groups in the runtime environment."

That's exactly what I am looking for. Something like:

<user username="john" password="doe" roles="role1,role2"/>

in the tomcat-users.xml file, but for my LDAP realm.

Cheers,
Jerome
RE: JNDIRealm - mapping LDAP group to security role
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jérôme Delattre
Subject: Re: JNDIRealm - mapping LDAP group to security role

> If I remember well, the security-role-ref just creates an alias on an existing security-role for servlets. It's not related to the mapping between my system groups and the application roles.

O.k., I'm confused. Isn't an alias just what you need to do the mapping from any role names used internally in your webapp to the roles (groups) obtained from the LDAP server?

 - Chuck
Re: JNDIRealm - mapping LDAP group to security role
>> If I remember well, the security-role-ref just creates an alias on an existing security-role for servlets. It's not related to the mapping between my system groups and the application roles.
>
> O.k., I'm confused. Isn't an alias just what you need to do the mapping from any role names used internally in your webapp to the roles (groups) obtained from the LDAP server?

Yes, an alias is what I need :-) But security-role-ref is not done for that (unless I missed something).

Quoting http://java.sun.com/developer/technicalArticles/Servlets/servletapi2.3/ :

<servlet>
  <servlet-name>secret</servlet-name>
  ...
  <security-role-ref>
    <role-name>mgr</role-name>        <!-- name used by servlet -->
    <role-link>manager</role-link>    <!-- name used in deployment descriptor -->
  </security-role-ref>
</servlet>
...
<security-role>
  <role-name>manager</role-name>
</security-role>

"the servlet secret can call isUserInRole("mgr") or isUserInRole("manager") -- they will give the same behavior. Basically, security-role-ref acts to create an alias, but isn't necessary."

/Quote

What I am looking for is more a security role mapping descriptor or configuration. Like one can do in SunAS:

<security-role-mapping>
  <role-name>myapprole</role-name>
  <group-name>myldapgroup</group-name>
</security-role-mapping>