Here is what we did with the JNDIRealm on NetWare 6.5, just so you know:

1) For roles, we created groups in an organizational unit called Tomcat-Roles. The name of the group corresponds to the role name. The important thing to note here is that you must add the [Public] object as a trustee to this OU or the anonymous bind to do authorization will fail. If you use ConsoleOne to add this trustee, just accept the default rights it grants that object. I think it is [All Attribute Rights] of Browse and Compare (inheritable) and [Entry Rights] of Read (inheritable), though I might have the browse/compare and read exactly backwards there. So, we create groups named "admin" and "manager", adding in the installing admin user as members of those groups by default.

2) We specify the user pattern of userPattern="{0},O=novell", with the "novell" part being replaced by the Organization container (or OU=something,O=something) of the installing admin user.
Here is the Realm definition on my server, for instance:

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldap://localhost:636"
           debug="0"
           userPattern="cn={0},O=novell"
           protocol="ssl"
           authentication="simple"
           roleBase="ou=Tomcat-Roles,O=novell"
           roleName="cn"
           roleSearch="member={0}" />

We are looking at changing this to not use userPattern but instead do a subcontext search in future versions of NetWare, since having only the one context is quite limiting. But there are some defects and issues in JNDIRealm that need to be addressed first for that to be feasible. We want to go that way since then we could use Dynamic groups for the roles, greatly decreasing the need of hands-on administration of the roles once they are properly set up.

It looks like Tim already fixed the bug you reported as well. He is actively (this week and last) working on JNDIRealm issues, so your questions are timely. If your investigations elicit any new bugs, they have a high possibility of being fixed this week.

Jeff Tulley ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

>>> [EMAIL PROTECTED] 8/8/03 2:39:52 PM >>>

I am having trouble setting up the JNDI Realm in tomcat (I am using 4.1.27). I can bind to the ldap server, authenticate the user, but when it goes to checking roles, I am unsure how to organize my directory, and what the application wants back when it does a filtered search. My ldap server is Novell Netware 6 eDirectory. I want to test the JNDI for the Admin and Manager functions of tomcat first, then set it up for my own applications.
I have a context called ou=zpar,o=med in which I have two users defined:

    cn=adminx,ou=zpar,o=med
    cn=test,ou=zpar,o=med

I also have two groups set up that test is a member of:

    cn=admin,ou=zpar,o=med
    cn=manager,ou=zpar,o=med

This is my Realm definition in server.xml:

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           debug="0"
           connectionURL="ldap://192.168.1.23:389"
           connectionName="cn=adminx,ou=zpar,o=med"
           connectionPassword="zparpwd"
           userPattern="cn={0},ou=zpar,o=med"
           roleBase="ou=zpar,o=med"
           roleName="cn"
           roleSearch="(uniqueMember={0})" />

This is a snip of my ldap trace log from the ldap server when tomcat connects:

    DoSearch on connection 0xc9206aa0
    Search request:
      base: "ou=zpar,o=med"
      scope:1 derefence:3 sizelimit:0 timelimit:0 attrsonly:0
      filter: "(uniqueMember=cn=test,ou=zpar,o=med)"
      attribute: "cn"
    Sending search result entry "cn=manager,ou=zpar,o=med" to connection 0xc9206aa0
    Sending search result entry "cn=admin,ou=zpar,o=med" to connection 0xc9206aa0
    Sending operation result 0:"":"" to connection 0xc9206aa0

This is a snip from my catalina log (note: there is a bug that I reported in JNDIRealm.java that crashes when using debug > 2 in the getRoles() method), so I can't figure out what is set up right so I can continue. Any thoughts?
    2003-08-07 22:23:16 JNDIRealm[Standalone]: lookupUser(test)
    2003-08-07 22:23:16 JNDIRealm[Standalone]: dn=cn=test,ou=zpar,o=med
    2003-08-07 22:23:16 JNDIRealm[Standalone]: validating credentials by binding as the user
    2003-08-07 22:23:16 JNDIRealm[Standalone]: binding as cn=test,ou=zpar,o=med
    2003-08-07 22:23:16 JNDIRealm[Standalone]: Username test successfully authenticated
    2003-08-07 22:23:16 JNDIRealm[Standalone]: getRoles(cn=test,ou=zpar,o=med)
    2003-08-07 22:23:16 JNDIRealm[Standalone]: Searching role base 'ou=zpar,o=med' for attribute 'cn'
    2003-08-07 22:23:16 JNDIRealm[Standalone]: With filter expression '(uniqueMember=cn=test,ou=zpar,o=med)'
    2003-08-07 22:23:16 JNDIRealm[Standalone]: retrieving values for attribute cn
    2003-08-07 22:23:16 JNDIRealm[Standalone]: retrieving values for attribute cn
    2003-08-07 22:23:16 CoyoteAdapter An exception or error occurred in the container during the request processing
    java.lang.NullPointerException
            at org.apache.catalina.realm.JNDIRealm.getRoles(JNDIRealm.java:1282)
    ...more modules in the exception....

Scott Blanchard
IT Manager
MED Institute, Inc.
West Lafayette, IN 47906
Ph: (765) 463-7537
FAX: (765) 497-0641

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
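Both messages in this thread hinge on the same two substitutions: the login name goes into userPattern to form the bind DN, and that DN then goes into roleSearch to form the filter that the trace log shows being sent to the server. The script below is an added illustration written for this page, not Tomcat's JNDIRealm code: it assembles those two strings from the attributes quoted above (Jeff's bare `member={0}` and Scott's parenthesised `(uniqueMember={0})` forms are both handled), then evaluates the filter as a scope-1 equality search over a small in-memory directory constructed from the entries Scott lists. The RFC 4514 DN escaping and RFC 4515 filter escaping are this example's own, added so that a login name containing a comma or a parenthesis cannot alter the DN or filter structure; the thread does not say what escaping Tomcat 4.1.27 itself applies, so treat that as an assumption to verify against your own realm version.

```python
"""Simulate a JNDIRealm-style user DN + role filter lookup (example code, not Tomcat's)."""
import re

# RFC 4514: characters that must be escaped inside a DN attribute value
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value):
    """Escape a login name before splicing it into the userPattern DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        leading = i == 0 and ch in ' #'
        trailing = i == last and ch == ' '
        out.append('\\' + ch if ch in _DN_SPECIAL or leading or trailing else ch)
    return ''.join(out)


# RFC 4515: characters that must be hex-escaped inside a filter assertion value
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def escape_filter_value(value):
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_dn(user_pattern, username):
    """userPattern="cn={0},ou=zpar,o=med" with {0} replaced by the escaped login name."""
    return user_pattern.replace('{0}', escape_dn_value(username))


def role_filter(role_search, dn):
    """roleSearch with {0} replaced by the escaped user DN, normalised to a parenthesised filter."""
    filt = role_search.replace('{0}', escape_filter_value(dn))
    return filt if filt.startswith('(') else '(' + filt + ')'


# Constructed in-memory directory modelled on the entries in Scott's post (example data only).
DIRECTORY = {
    'cn=adminx,ou=zpar,o=med':  {'cn': ['adminx']},
    'cn=test,ou=zpar,o=med':    {'cn': ['test']},
    'cn=admin,ou=zpar,o=med':   {'cn': ['admin'],   'uniqueMember': ['cn=test,ou=zpar,o=med']},
    'cn=manager,ou=zpar,o=med': {'cn': ['manager'], 'uniqueMember': ['cn=test,ou=zpar,o=med']},
}


def _unescape_filter_value(value):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)


def one_level_search(base, filt, want_attr):
    """scope:1 equality search as in the trace log: entries directly under `base` whose
    attribute equals the filter value; returns the requested attribute's values, sorted."""
    m = re.fullmatch(r'\((\w+)=(.*)\)', filt)
    if not m:
        raise ValueError('this example only evaluates simple equality filters')
    attr, wanted = m.group(1), _unescape_filter_value(m.group(2)).lower()
    found = []
    for dn, attrs in DIRECTORY.items():
        parent = dn.split(',', 1)[1]          # example DNs contain no escaped commas
        if parent.lower() != base.lower():
            continue
        if any(v.lower() == wanted for v in attrs.get(attr, [])):
            found.extend(attrs.get(want_attr, []))
    return sorted(found)


def get_roles(username, user_pattern, role_base, role_search, role_name):
    """The two-step lookup the catalina log shows: build the user DN, then search roleBase."""
    dn = user_dn(user_pattern, username)
    return one_level_search(role_base, role_filter(role_search, dn), role_name)


if __name__ == '__main__':
    cfg = dict(user_pattern='cn={0},ou=zpar,o=med', role_base='ou=zpar,o=med', role_name='cn')
    # Scott's roleSearch against groups that actually carry uniqueMember
    print(get_roles('test', role_search='(uniqueMember={0})', **cfg))
    # Jeff's roleSearch against the same directory: no roles, because the attribute name differs
    print(get_roles('test', role_search='member={0}', **cfg))
    # A login name with a comma stays a single RDN value in the DN and in the filter
    print(role_filter('(uniqueMember={0})', user_dn('cn={0},ou=zpar,o=med', 'Smith, John')))
```

The second call is the check worth keeping in mind when copying a realm definition from someone else's server: the attribute named in roleSearch must be the one the directory's group objects actually populate (`member` versus `uniqueMember` here), otherwise authentication succeeds and the role search silently returns nothing.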