Re: JNDIRealm - mapping LDAP group to security role
Geronimo maps roles to security principals: http://cwiki.apache.org/GMOxDOC10/jboss-to-geronimo-security-migration.html Maybe this feature could be ported into tomcat. On Thu, Oct 9, 2008 at 3:18 PM, Kevin Jackson <[EMAIL PROTECTED]> wrote: >>> I am trying to configure a JNDIRealm to authenticate against an Active >>> Directory. >>> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm >>> >>> The authentication seems to work but I wonder how to map LDAP groups >>> to security roles. >>> I do not want to add groups in the LDAP server, but to map existing >>> ones to the roles defined in my web application instead. >>> >>> Is it possible ? I did not found any doc / post about this topic. > > You could write a custom JNDIRealm that does the > mapping/authentication. I've seen this done with postgres, but not > with an LDAP server (or AD), but it should be a similar process. Then > you add it to tomca/lib and configure your context and web.xml to use > the custom JNDIRealm instead of the provided realm > > Kev > > - > To start a new topic, e-mail: users@tomcat.apache.org > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: JNDIRealm - mapping LDAP group to security role
2008/10/9 Kevin Jackson <[EMAIL PROTECTED]>: >>> I am trying to configure a JNDIRealm to authenticate against an Active >>> Directory. >>> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm >>> >>> The authentication seems to work but I wonder how to map LDAP groups >>> to security roles. >>> I do not want to add groups in the LDAP server, but to map existing >>> ones to the roles defined in my web application instead. >>> >>> Is it possible ? I did not found any doc / post about this topic. > > You could write a custom JNDIRealm that does the > mapping/authentication. I've seen this done with postgres, but not > with an LDAP server (or AD), but it should be a similar process. Then > you add it to tomca/lib and configure your context and web.xml to use > the custom JNDIRealm instead of the provided realm > > Kev Thanks Kevin, that's exactly what I finally done! ;-) - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: JNDIRealm - mapping LDAP group to security role
>> I am trying to configure a JNDIRealm to authenticate against an Active >> Directory. >> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm >> >> The authentication seems to work but I wonder how to map LDAP groups >> to security roles. >> I do not want to add groups in the LDAP server, but to map existing >> ones to the roles defined in my web application instead. >> >> Is it possible ? I did not found any doc / post about this topic. You could write a custom JNDIRealm that does the mapping/authentication. I've seen this done with postgres, but not with an LDAP server (or AD), but it should be a similar process. Then you add it to tomca/lib and configure your context and web.xml to use the custom JNDIRealm instead of the provided realm Kev - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: JNDIRealm - mapping LDAP group to security role
> From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Jérôme Delattre > Subject: Re: JNDIRealm - mapping LDAP group to security role > > What should I do with it? add the same for each > LDAP group to all my Servlets? sound strange... Yes, you're right; I missed that this was servlet-specific rather than applicable to the webapp as a whole. Methinks an enhancement to JSR 154 is in order. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: JNDIRealm - mapping LDAP group to security role
2008/10/8 Felix Schumacher <[EMAIL PROTECTED]>: > Hi Jerome, > > have you thought about adding an extra attribute to the groups, so that > the mapping is done by a normal ldap query? > > Consider having an objectClass tomcatRoleMapping which has one attribute > tomcatRole. Than with your mapping like below >> securityrole1=group1,group2,group4 >> securityrole2=group3 >> securityrole3=group5,group6 > you would extend all groups with tomcatRoleMapping. The value of the > attribute tomcatRole could then be "securityrole1" for group1, group2 > and group4 like this > > dn: cn=group1,... > objectClass: tomcatRoleMapping > objectClass: ... > tomcatRole: securityrole1 > cn: group1 > ... > > Now just change the roleName attribute in your realm definition to > tomcatRole and you have got a mapping from groups to securityroles. > > Bye > Felix Hi Felix, Thanks for your proposition, but I want to avoid any change on the LDAP server. The idea is: if you want to install my webapp in your environment, just map your existing groups to my webapp's roles before starting Tomcat and you're done. Jerome - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: JNDIRealm - mapping LDAP group to security role
2008/10/8 Caldarale, Charles R <[EMAIL PROTECTED]> > > > From: Felix Schumacher [mailto:[EMAIL PROTECTED] > > Subject: Re: JNDIRealm - mapping LDAP group to security role > > > > have you thought about adding an extra attribute to the > > groups, so that the mapping is done by a normal ldap query? > > Even that's not necessary. The servlet security model already has a built-in > mapping capability () that can be used to convert LDAP or > other database values to the roles declared in the web.xml file. > > - Chuck is a servlet attribute. What should I do with it? add the same for each LDAP group to all my Servlets? sound strange... And what happens if I call request.isUserInRole(myLDAPGroup) anywhere outside a declared Servlet? Jerome - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: JNDIRealm - mapping LDAP group to security role
Am Mittwoch, den 08.10.2008, 12:04 -0500 schrieb Caldarale, Charles R: > > From: Felix Schumacher [mailto:[EMAIL PROTECTED] > > Subject: Re: JNDIRealm - mapping LDAP group to security role > > > > have you thought about adding an extra attribute to the > > groups, so that the mapping is done by a normal ldap query? > > Even that's not necessary. The servlet security model already has a built-in > mapping capability () that can be used to convert LDAP or > other database values to the roles declared in the web.xml file. Great to know, but you would have to change the files, if group mapping changed. If you have groups or roles reachable by LDAP, you could just use them. Felix > > - Chuck > > > THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY > MATERIAL and is thus for use only by the intended recipient. If you received > this in error, please contact the sender and delete the e-mail and its > attachments from all computers. > > - > To start a new topic, e-mail: users@tomcat.apache.org > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: JNDIRealm - mapping LDAP group to security role
> From: Felix Schumacher [mailto:[EMAIL PROTECTED] > Subject: Re: JNDIRealm - mapping LDAP group to security role > > have you thought about adding an extra attribute to the > groups, so that the mapping is done by a normal ldap query? Even that's not necessary. The servlet security model already has a built-in mapping capability () that can be used to convert LDAP or other database values to the roles declared in the web.xml file. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: JNDIRealm - mapping LDAP group to security role
Hi Jerome, have you thought about adding an extra attribute to the groups, so that the mapping is done by a normal ldap query? Consider having an objectClass tomcatRoleMapping which has one attribute tomcatRole. Than with your mapping like below > securityrole1=group1,group2,group4 > securityrole2=group3 > securityrole3=group5,group6 you would extend all groups with tomcatRoleMapping. The value of the attribute tomcatRole could then be "securityrole1" for group1, group2 and group4 like this dn: cn=group1,... objectClass: tomcatRoleMapping objectClass: ... tomcatRole: securityrole1 cn: group1 ... Now just change the roleName attribute in your realm definition to tomcatRole and you have got a mapping from groups to securityroles. Bye Felix Am Mittwoch, den 08.10.2008, 11:32 +0200 schrieb Jérôme Delattre: > 2008/9/23 Jérôme Delattre <[EMAIL PROTECTED]> > > > Hello, > > > > Env: Tomcat 6.0.18 / Java 6 / Windows > > > > I am trying to configure a JNDIRealm to authenticate against an Active > > Directory. > > http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm > > > > The authentication seems to work but I wonder how to map LDAP groups > > to security roles. > > I do not want to add groups in the LDAP server, but to map existing > > ones to the roles defined in my web application instead. > > > > Is it possible ? I did not found any doc / post about this topic. > > > > Thanks, > > Jerome > > > > > So for the log and if it can help someone, here is how I resolved my issue: > > I've extended the JNDIRealm class to override the getRoles(...) method. > > package org.apache.catalina.realm; > ... > public class CustomJNDIRealm extends JNDIRealm { > ... > @Override > protected List getRoles(DirContext context, User user) throws > NamingException { > List ldapRoles = super.getRoles(context, user); > // customized part > return ldapRoles; > } > ... > } > > The package needs to be the same as JNDIRealm class otherwise the class User > is not visible. > In the "custom part" of the method I read a properties file that describe > the mapping between ldap roles and security roles. > And I simply add security roles to the ldapRoles list before returning it. > > The properties file is in Tomcat's lib directory and looks like: > > securityrole1=group1,group2,group4 > securityrole2=group3 > securityrole3=group5,group6 > ... > > And to be exhaustive, here is the realm configuration for Active Directory > that works in my env: > > className="org.apache.catalina.realm.CustomJNDIRealm" > debug="99" > connectionURL="ldap://myADserver:389"; > connectionName="myADreadonlyUser" > connectionPassword="password" > referrals="follow" > userBase="DC=mycompany,DC=com" > userSearch="(sAMAccountName={0})" > userSubtree="true" > roleBase="DC=mycompany,DC=com" > roleName="cn" > roleSearch="(member={0})" > roleSubtree="true"/> > > Cheers, > Jerome - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: JNDIRealm - mapping LDAP group to security role
2008/9/23 Jérôme Delattre <[EMAIL PROTECTED]> > Hello, > > Env: Tomcat 6.0.18 / Java 6 / Windows > > I am trying to configure a JNDIRealm to authenticate against an Active > Directory. > http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm > > The authentication seems to work but I wonder how to map LDAP groups > to security roles. > I do not want to add groups in the LDAP server, but to map existing > ones to the roles defined in my web application instead. > > Is it possible ? I did not found any doc / post about this topic. > > Thanks, > Jerome > So for the log and if it can help someone, here is how I resolved my issue: I've extended the JNDIRealm class to override the getRoles(...) method. package org.apache.catalina.realm; ... public class CustomJNDIRealm extends JNDIRealm { ... @Override protected List getRoles(DirContext context, User user) throws NamingException { List ldapRoles = super.getRoles(context, user); // customized part return ldapRoles; } ... } The package needs to be the same as JNDIRealm class otherwise the class User is not visible. In the "custom part" of the method I read a properties file that describe the mapping between ldap roles and security roles. And I simply add security roles to the ldapRoles list before returning it. The properties file is in Tomcat's lib directory and looks like: securityrole1=group1,group2,group4 securityrole2=group3 securityrole3=group5,group6 ... And to be exhaustive, here is the realm configuration for Active Directory that works in my env: ldap://myADserver:389"; connectionName="myADreadonlyUser" connectionPassword="password" referrals="follow" userBase="DC=mycompany,DC=com" userSearch="(sAMAccountName={0})" userSubtree="true" roleBase="DC=mycompany,DC=com" roleName="cn" roleSearch="(member={0})" roleSubtree="true"/> Cheers, Jerome
Re: JNDIRealm - mapping LDAP group to security role
No idea? I thought it was a common use case ... Jerome 2008/9/23 Jérôme Delattre <[EMAIL PROTECTED]> > Hello, > > Env: Tomcat 6.0.18 / Java 6 / Windows > > I am trying to configure a JNDIRealm to authenticate against an Active > Directory. > http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm > > The authentication seems to work but I wonder how to map LDAP groups > to security roles. > I do not want to add groups in the LDAP server, but to map existing > ones to the roles defined in my web application instead. > > Is it possible ? I did not found any doc / post about this topic. > > Thanks, > Jerome >
Re: JNDIRealm - mapping LDAP group to security role
>> If I remember well the just creates an alias on an >> existing for servlets. >> It's not related to the mapping between my "system" groups and the >> application roles. > > O.k., I'm confused. Isn't an alias just what you need to do the mapping from > any role names used internally in your webapp to the roles (groups) obtained > from the LDAP server? > Yes an alias is what I need :-) But is not done for that (unless I missed something). Quoting: http://java.sun.com/developer/technicalArticles/Servlets/servletapi2.3/ secret ... mgr manager ... manager the servlet secret can call isUserInRole("mgr") or isUserInRole("manager") -- they will give the same behavior. Basically, security-role-ref acts to create an alias, but isn't necessary. /Quote What I am looking for is more a security role mapping descriptor or configuration. Like one can do in SunAS: myapprole myldapgroup - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: JNDIRealm - mapping LDAP group to security role
> From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Jérôme Delattre > Subject: Re: JNDIRealm - mapping LDAP group to security role > > If I remember well the just creates an alias on an > existing for servlets. > It's not related to the mapping between my "system" groups and the > application roles. O.k., I'm confused. Isn't an alias just what you need to do the mapping from any role names used internally in your webapp to the roles (groups) obtained from the LDAP server? - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: JNDIRealm - mapping LDAP group to security role
>> I do not want to add groups in the LDAP server, but to map existing >> ones to the roles defined in my web application instead. > > Perhaps you can use the declaration; look in section 12 > of the servlet spec. > If I remember well the just creates an alias on an existing for servlets. It's not related to the mapping between my "system" groups and the application roles. The section 12.4 of the servlet spec says : "A security role is a logical grouping of users defined by the Application Developer or Assembler.When the application is deployed, roles are mapped by a Deployer to principals or groups in the runtime environment." That's exactly what I am looking for. Something like: In the tomcat-users.xml file but for my LDAP realm. Cheers, Jerome - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: JNDIRealm - mapping LDAP group to security role
> From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Jérôme Delattre > Subject: JNDIRealm - mapping LDAP group to security role > > http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm > > The authentication seems to work but I wonder how to map LDAP groups > to security roles. The reference above includes an example of using LDAP groups as role names. > I do not want to add groups in the LDAP server, but to map existing > ones to the roles defined in my web application instead. Perhaps you can use the declaration; look in section 12 of the servlet spec. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
JNDIRealm - mapping LDAP group to security role
Hello, Env: Tomcat 6.0.18 / Java 6 / Windows I am trying to configure a JNDIRealm to authenticate against an Active Directory. http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm The authentication seems to work but I wonder how to map LDAP groups to security roles. I do not want to add groups in the LDAP server, but to map existing ones to the roles defined in my web application instead. Is it possible ? I did not found any doc / post about this topic. Thanks, Jerome - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]