https://bz.apache.org/bugzilla/show_bug.cgi?id=62214
Bug ID: 62214
Summary: The "userSubtree=true" and "roleSubtree=true" in
JNDIRealm not working
Product: Tomcat 8
Version: 8.5.29
Hardware: PC
Status: NEW
Severity: major
Priority: P2
Component: Catalina
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ----
Created attachment 35809
--> https://bz.apache.org/bugzilla/attachment.cgi?id=35809&action=edit
ssotest users and groups in AD
In JNDIRealm the userSubtree=true does not perform as expected :
userSubtree:
Set to true if you want to search the entire subtree of the element specified
by the userBase property for the user's entry. The default value of false
causes only the top level to be searched. Not used if you are using the
userPattern expression.
Example below: the server.xml working configuration
Users under OU=testUsers,OU=users,OU=nonDefault,DC=pslab,DC=corp
Groups under OU=testGroups,OU=nonDefault,DC=pslab,DC=corp
JNDIRealm below not working for ssotestuser1...ssotestuser4
Results in failed LDAP authentication (and a 401 error returned to browser)
<Realm className="org.apache.catalina.realm.CombinedRealm" >
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global
JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Realm className="org.apache.catalina.realm.JNDIRealm"
debug="10"
connectionURL="ldap:///DC=pslab,DC=corp"
authentication="simple"
referrals="follow"
adCompat="true"
userSearch="(sAMAccountName={0})"
userSubtree="true"
userBase="OU=users,OU=nonDefault"
userRoleName="memberOf"
roleSubtree="true"
roleBase="OU=testGroups,OU=nonDefault"
roleName="cn"
roleSearch="(member={0})"
roleNested="true"
connectionName="CN=LDAP
Bind,OU=serviceAccounts,OU=users,OU=nonDefault,DC=pslab,DC=corp"
connectionPassword="removed"
/>
</Realm>
Exactly same configuration with userBase="OU=testUsers,OU=users,OU=nonDefault"
works fine.
Same apply for the roleBase. If in the working configuration we have
roleBase="OU=nonDefault" despite roleSubtree="true" authentication fails and
401 error is returned to the browser
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]