Hello Tomcat-Users,
I've got a problem and I don't know if it's my lack (...but I've already
scanned this list).
In my environment I want to authenticate the users against MS AD by JNDI
LDAP. The user authentication is ok and also the roles found by
getRoles() are the right ones. But the returned roles are given in the
complete distinguished name (DN) of the role (i.e.
CN=ERKUSAAdmin,CN=Users,DC=local,DC=bremereb,DC=de) instead of the
single role name (attribute cn) (i.e. ERKUSAAdmin), so I have to
configure the full DN in web.xml for a security-constraint, which is very
undesirable:
Log in catalina.out (tomcat 4.1.7):
2004-05-13 11:33:44 JNDIRealm[Standalone]: Searching for goerlich
2004-05-13 11:33:44 JNDIRealm[Standalone]: base: CN=Users,dc=local,dc=bremereb,dc=de filter: (sAMAccountName=goerlich)
2004-05-13 11:33:44 JNDIRealm[Standalone]: entry found for goerlich with dn CN=Goerlich\, Michael,CN=Users,dc=local,dc=bremereb,dc=de
2004-05-13 11:33:44 JNDIRealm[Standalone]: retrieving values for attribute memberOf
2004-05-13 11:33:44 JNDIRealm[Standalone]: validating credentials by binding as the user
2004-05-13 11:33:44 JNDIRealm[Standalone]: binding as CN=Goerlich\, Michael,CN=Users,dc=local,dc=bremereb,dc=de
2004-05-13 11:33:44 JNDIRealm[Standalone]: Username goerlich successfully authenticated
2004-05-13 11:33:44 JNDIRealm[Standalone]: getRoles(CN=Goerlich\, Michael,CN=Users,dc=local,dc=bremereb,dc=de)
2004-05-13 11:33:44 JNDIRealm[Standalone]: Searching role base 'CN=Users,dc=local,dc=bremereb,dc=de' for attribute 'cn'
2004-05-13 11:33:44 JNDIRealm[Standalone]: With filter expression 'member=CN=Goerlich\, Michael,CN=Users,dc=local,dc=bremereb,dc=de'
2004-05-13 11:33:44 JNDIRealm[Standalone]: Returning 7 roles
2004-05-13 11:33:44 JNDIRealm[Standalone]: Found role CN=erkusaverwalter,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:44 JNDIRealm[Standalone]: Found role CN=tomcat,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:44 JNDIRealm[Standalone]: Found role CN=manager,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:44 JNDIRealm[Standalone]: Found role CN=ERKUSAAdmin,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:44 JNDIRealm[Standalone]: Found role CN=_Gewerbekunden,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:44 JNDIRealm[Standalone]: Found role CN=_Dokumentation,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:44 JNDIRealm[Standalone]: Found role CN=_Team_SAP,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:44 JNDIRealm[Standalone]: Username goerlich has role CN=ERKUSAAdmin,CN=Users,DC=local,DC=bremereb,DC=de
2004-05-13 11:33:57 JNDIRealm[Standalone]: Username goerlich does NOT have role ERKUSAAdmin
2004-05-13 11:33:57 JNDIRealm[Standalone]: Username goerlich does NOT have role ERKUSAVerwalter
2004-05-13 11:33:57 JNDIRealm[Standalone]: Username goerlich does NOT have role ERKUSAAdmin
My configured JNDI-realm in server.xml:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="..."  <!-- substituted -->
       userBase="CN=Users,dc=local,dc=bremereb,dc=de"
       userSearch="(sAMAccountName={0})"
       userRoleName="memberOf"
       roleBase="CN=Users,dc=local,dc=bremereb,dc=de"
       roleName="cn"
       roleSearch="member={0}"
       connectionName="[EMAIL PROTECTED]"
       connectionPassword="secret"
       roleSubtree="true"
       userSubtree="true" />
I run this on tomcat 4.1.27.
The funny thing is that the same configuration on tomcat 5 returns 14
roles (for the given example), which works for me, but I need that
functionality in tomcat 4:
Log in catalina.out (tomcat 5.0.24):
2004-05-13 11:59:31 JNDIRealm[Catalina]: Searching for goerlich
2004-05-13 11:59:31 JNDIRealm[Catalina]: base: CN=Users,dc=local,dc=bremereb,dc=de filter: (sAMAccountName=goerlich)
2004-05-13 11:59:31 JNDIRealm[Catalina]: entry found for goerlich with dn CN=Goerlich\, Michael,CN=Users,dc=local,dc=bremereb,dc=de
2004-05-13 11:59:31 JNDIRealm[Catalina]: retrieving values for attribute memberOf
2004-05-13 11:59:31 JNDIRealm[Catalina]: validating credentials by binding as the user
2004-05-13 11:59:31 JNDIRealm[Catalina]: binding as CN=Goerlich\, Michael,CN=Users,dc=local,dc=bremereb,dc=de
2004-05-13 11:59:31 JNDIRealm[Catalina]: Username goerlich successfully authenticated
2004-05-13 11:59:31 JNDIRealm[Catalina]: getRoles(CN=Goerlich\, Michael,CN=Users,dc=local,dc=bremereb,dc=de)
2004-05-13 11:59:31 JNDIRealm[Catalina]: Searching role base 'CN=Users,DC=local,DC=bremereb,DC=de' for attribute 'cn'
2004-05-13 11:59:31 JNDIRealm[Catalina]: With filter expression 'member=CN=Goerlich\5c, Michael,CN=Users,dc=local,dc=bremereb,dc=de'
2004-05-13 11:59:31 JNDIRealm[Catalina]: retrieving values for attribute cn
2004-05-13 11:59:31 JNDIRealm[Catalina]: retrieving values for attribute cn
2004-05-13 11:59:31 JNDIRealm[Catalina]: retrieving values for attribute cn
2004-05-13 11:59:31 JNDIRealm[Catalina]: retrieving values for attribute cn
2004-05-13 11:59:31 JNDIRealm[Catalina]: retrieving values for attribute
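An added example, not part of the original message and not Tomcat's own code: it performs the normalisation the poster is after, reducing each role DN returned from a memberOf lookup to the value of its leading cn RDN, with the RFC 2253 escape forms that appear in the logs above (`\,` and the hex form `\5c`) resolved, and then checks the result against a web.xml-style role name by plain string comparison. The sample DNs are constructed after the ones in the log (one with an escaped comma and backslash is added to exercise the edge case); the function names are the example's own.

```python
"""Reduce LDAP role DNs (as returned via memberOf) to plain cn role names."""
import re

# Constructed sample, modelled on the "Found role" lines in the catalina.out
# excerpt; the last entry is added to exercise escaped characters.
SAMPLE_ROLE_DNS = [
    "CN=erkusaverwalter,CN=Users,DC=local,DC=bremereb,DC=de",
    "CN=tomcat,CN=Users,DC=local,DC=bremereb,DC=de",
    "CN=ERKUSAAdmin,CN=Users,DC=local,DC=bremereb,DC=de",
    r"CN=Goerlich\, Michael\5c,CN=Users,DC=local,DC=bremereb,DC=de",
]

_HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")


def split_rdns(dn):
    """Split a DN string into its RDNs at unescaped commas (RFC 2253).

    Escape sequences are kept intact here so that a '\\,' inside a value
    (e.g. 'Goerlich\\, Michael') does not split the RDN.
    """
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # backslash plus the escaped character
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    return rdns


def unescape_value(value):
    """Resolve RFC 2253 escapes in an attribute value: '\\X' -> X, '\\HH' -> chr(HH)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\":
            nxt = value[i + 1:i + 3]
            if len(nxt) == 2 and _HEX_PAIR.match(nxt):
                out.append(chr(int(nxt, 16)))  # hex-escaped byte, e.g. \5c -> '\'
                i += 3
                continue
            if i + 1 < len(value):
                out.append(value[i + 1])  # escaped special character, e.g. \, -> ','
                i += 2
                continue
        out.append(value[i])
        i += 1
    return "".join(out)


def role_from_dn(dn):
    """Return the cn of the leading RDN, or None if the leading attribute is not cn."""
    attr, sep, raw = split_rdns(dn)[0].partition("=")
    if not sep or attr.strip().lower() != "cn":
        return None
    return unescape_value(raw)


def roles_from_dns(dns):
    """Map a list of role DNs to plain role names, dropping entries without a leading cn."""
    return [name for name in (role_from_dn(d) for d in dns) if name is not None]


def has_role(role_names, required):
    """Exact, case-sensitive match, as a <role-name> in web.xml would be compared."""
    return required in role_names


if __name__ == "__main__":
    names = roles_from_dns(SAMPLE_ROLE_DNS)
    print("normalised roles:", names)
    for wanted in ("ERKUSAAdmin", "ERKUSAVerwalter"):
        print(wanted, "->", "granted" if has_role(names, wanted) else "denied")
```

The comparison is deliberately exact: even after normalisation, a directory group named `erkusaverwalter` does not satisfy a constraint spelled `ERKUSAVerwalter`, so the role names in web.xml have to match the cn values in the directory letter for letter.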