https://bz.apache.org/bugzilla/show_bug.cgi?id=61977
--- Comment #15 from marian.romasc...@nuance.com ---

Yes it seems to work. Just tested it with JDK 8u162 and without the JNDIRealm patch.

The only hiccup of the fix, whatever that is, is the side effect that might break other applications running on the same Tomcat instance. The same issue reported with the JNDIRealm patch - the standard DN-style userBase and roleBase will no longer work - as if the trailing dot removal makes these relative to the domain DN in the connectionURL.

Namely:

This was working fine in JDK8u144 to 8u152 but with host-based connectionURL in JNDIRealm

  connectionURL="ldap://dc=dchost1,dc=testdomain1,dc=example,dc=org"
  ...
  userBase="OU=ouUserBase1,DC=testdomain1,DC=example,DC=org"
  roleBase="OU=ouRoleBase1,DC=testdomain1,DC=example,DC=org"
  ...

Now with JDK 8u162

  connectionURL="ldap://dc=testdomain1,dc=example,dc=org"

The above userBase/roleBase are broken - looking at the LDAP search the domain part is sent in double:

  "OU=ouUserBase1,DC=testdomain1,DC=example,DC=org,DC=testdomain1,DC=example,DC=org"

Must remove the domain parts to move on and the LDAP search works

  userBase="OU=ouUserBase1"
  roleBase="OU=ouRoleBase1"
  userBase="OU=ouUserBase2"
  roleBase="OU=ouRoleBase2"
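
The doubled search base reported above, reproduced in JNDI terms as an added example that is not part of the original comment or of Tomcat's code: a JNDI directory context resolves search names relative to its own base DN, so a userBase or roleBase that repeats that DN is sent with the domain part twice. The class name, both helper methods and the assumption that the context's base DN is dc=testdomain1,dc=example,dc=org are illustrative.

```java
import javax.naming.InvalidNameException;
import javax.naming.Name;
import javax.naming.ldap.LdapName;

public class RealmBaseCheck {

    // A JNDI context searches names relative to its own base DN, so the DN that
    // reaches the server is "<searchBase>,<contextBase>".
    static LdapName effectiveBase(LdapName contextBase, String searchBase)
            throws InvalidNameException {
        LdapName full = (LdapName) contextBase.clone();
        full.addAll(new LdapName(searchBase)); // added as the leftmost RDNs
        return full;
    }

    // If searchBase already ends with the context base DN, return the part that
    // should remain in the Realm configuration; otherwise return it unchanged.
    static String relativeTo(LdapName contextBase, String searchBase)
            throws InvalidNameException {
        LdapName name = new LdapName(searchBase);
        // LdapName indexes RDNs right to left, so the base DN is a "prefix".
        if (contextBase.isEmpty() || !name.startsWith(contextBase)) {
            return searchBase;
        }
        Name rest = name.getSuffix(contextBase.size());
        return rest.toString();
    }

    public static void main(String[] args) throws InvalidNameException {
        // Assumed: the base DN the context ends up with for the 8u162 connectionURL.
        LdapName contextBase = new LdapName("dc=testdomain1,dc=example,dc=org");
        // Constructed sample values, taken from the configuration quoted above.
        String[] configured = {
            "OU=ouUserBase1,DC=testdomain1,DC=example,DC=org",
            "OU=ouRoleBase1,DC=testdomain1,DC=example,DC=org",
            "OU=ouUserBase1"
        };
        for (String base : configured) {
            System.out.printf("configured: %s%n  sent:    %s%n  use:     %s%n",
                    base, effectiveBase(contextBase, base), relativeTo(contextBase, base));
        }
    }
}
```

Running the same check over every Realm and web application on a shared Tomcat instance before a JDK upgrade shows which userBase and roleBase values would change meaning.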