Here is what we did with the JNDIRealm on NetWare 6.5, just so you
know:
1) For roles, we created groups in an organizational unit called
Tomcat-Roles.  The name of the group corresponds to the role name.  The
important thing to note here is that you must add the [Public] object as
a trustee to this OU or the anonymous bind to do authorization will
fail.  If you use ConsoleOne to add this trustee, just accept the
default rights it grants that object.  I think it is [All Attribute
Rights] of Browse and Compare (inheritable) and [Entry Rights] of Read
(inheritable), though I might have the browse/compare and read exactly
backwards there.
So, we create groups named "admin" and "manager", adding in the
installing admin user as members of those groups by default.
2) We specify the user pattern of userPattern="{0},O=novell", with the
"novell" part being replaced by the Organization container (or
OU=something,O=something) of the installing admin user.

Here is the Realm definition on my server, for instance:
      <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://localhost:636" debug="0"
         userPattern="cn={0},O=novell" protocol="ssl"
         authentication="simple"
         roleBase="ou=Tomcat-Roles,O=novell" roleName="cn"
         roleSearch="member={0}" />

We are looking at changing this to not use userPattern but instead do a
subcontext search in future versions of NetWare, since having only the
one context is quite limiting.  But there are some defects and issues in
JNDIRealm that need to be addressed first for that to be feasible.  We
want to go that way since then we could use Dynamic groups for the
roles, greatly decreasing the need for hands-on administration of the
roles once they are properly set up.

It looks like Tim already fixed the bug you reported as well.  He is
actively (this week and last) working on JNDIRealm issues, so your
questions are timely.  If your investigations elicit any new bugs, they
have a high possibility of being fixed this week.

Jeff Tulley  ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

>>> [EMAIL PROTECTED] 8/8/03 2:39:52 PM >>>
I am having trouble setting up the JNDI Realm in tomcat (I am using
4.1.27).

I can bind to the ldap server, authenticate the user, but when it goes
to checking roles, I am unsure how to organize my directory, and what
the application wants back when it does a filtered search.  My ldap
server is Novell Netware 6 eDirectory.  I want to test the JNDI for the
Admin and Manager functions of tomcat first, then set it up for my own
applications.

I have a context called ou=zpar,o=med in which I have two users defined:
cn=adminx,ou=zpar,o=med
cn=test,ou=zpar,o=med

I also have two groups set up that test is a member of:

cn=admin,ou=zpar,o=med
cn=manager,ou=zpar,o=med

This is my Realm definition in server.xml
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="0"
        connectionURL="ldap://192.168.1.23:389"
        connectionName="cn=adminx,ou=zpar,o=med"
        connectionPassword="zparpwd"
        userPattern="cn={0},ou=zpar,o=med"
        roleBase="ou=zpar,o=med"
        roleName="cn"
        roleSearch="(uniqueMember={0})"
        />

This is a snip of my ldap trace log from the ldap server when tomcat
connects:

DoSearch on connection 0xc9206aa0
Search request:
        base: "ou=zpar,o=med"
        scope:1  derefence:3  sizelimit:0  timelimit:0  attrsonly:0
        filter: "(uniqueMember=cn=test,ou=zpar,o=med)"
        attribute: "cn"
Sending search result entry "cn=manager,ou=zpar,o=med" to connection
0xc9206aa0
Sending search result entry "cn=admin,ou=zpar,o=med" to connection
0xc9206aa0
Sending operation result 0:"":"" to connection 0xc9206aa0

This is a snip from my catalina log (note: there is a bug that I
reported in JNDIRealm.java that crashes when using debug > 2 in the
getRoles() method), so I can't figure out what is setup right so I can
continue.  Any thoughts?

2003-08-07 22:23:16 JNDIRealm[Standalone]: lookupUser(test)
2003-08-07 22:23:16 JNDIRealm[Standalone]:   dn=cn=test,ou=zpar,o=med
2003-08-07 22:23:16 JNDIRealm[Standalone]:   validating credentials by
binding as the user
2003-08-07 22:23:16 JNDIRealm[Standalone]:   binding as
cn=test,ou=zpar,o=med
2003-08-07 22:23:16 JNDIRealm[Standalone]: Username test successfully
authenticated
2003-08-07 22:23:16 JNDIRealm[Standalone]: getRoles(cn=test,ou=zpar,o=med)
2003-08-07 22:23:16 JNDIRealm[Standalone]:   Searching role base
'ou=zpar,o=med' for attribute 'cn'
2003-08-07 22:23:16 JNDIRealm[Standalone]:   With filter expression
'(uniqueMember=cn=test,ou=zpar,o=med)'
2003-08-07 22:23:16 JNDIRealm[Standalone]:   retrieving values for
attribute cn
2003-08-07 22:23:16 JNDIRealm[Standalone]:   retrieving values for
attribute cn
2003-08-07 22:23:16 CoyoteAdapter An exception or error occurred in the
container during the request processing
java.lang.NullPointerException
        at
org.apache.catalina.realm.JNDIRealm.getRoles(JNDIRealm.java:1282)
               ...more modules in the exception....

Scott Blanchard
IT Manager
MED Institute, Inc.
West Lafayette, IN  47906
Ph: (765) 463-7537
FAX: (765) 497-0641
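Added example, not code from either message, Tomcat or Novell: a Python model of the userPattern / roleSearch substitution that both Realm definitions above rely on, run against a constructed in-memory stand-in for the directory (the group entries, the one-attribute filter parser and the escaping helper are assumptions of this example). It also shows the check a practitioner would want before a login name is interpolated into a filter: RFC 4515 escaping of the substituted DN.

```python
import re

# Minimal filter parser for the one-attribute "(attr=value)" shape both
# roleSearch values on this page use (an assumption; real filters are richer).
SIMPLE_FILTER = re.compile(r"^\(?([A-Za-z]+)=(.*?)\)?$")

def ldap_filter_escape(value):
    """RFC 4515 escaping, so a login name such as 'x*)(cn=*' substituted
    into a filter cannot widen the search."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def user_dn(user_pattern, username):
    """userPattern='cn={0},O=novell' -> the DN Tomcat binds as."""
    return user_pattern.replace("{0}", username)

def role_filter(role_search, dn):
    """roleSearch='(uniqueMember={0})' -> the filter sent against roleBase,
    with the DN escaped before substitution."""
    return role_search.replace("{0}", ldap_filter_escape(dn))

def parent_of(dn):
    return dn.split(",", 1)[1] if "," in dn else ""

def find_roles(directory, role_base, role_search, role_name, dn):
    """One-level search under role_base (scope 1 in the trace above):
    return the role_name attribute of every group whose filtered
    attribute holds the user's DN."""
    m = SIMPLE_FILTER.match(role_filter(role_search, dn))
    if not m:
        return []
    attr, wanted = m.group(1), m.group(2)
    roles = []
    for gdn, attrs in directory.items():
        if parent_of(gdn).lower() != role_base.lower():
            continue  # outside the one-level role base
        # compare in escaped form, as the server matches decoded values
        if wanted in (ldap_filter_escape(v) for v in attrs.get(attr, [])):
            roles.extend(attrs.get(role_name, []))
    return sorted(roles)

# Constructed sample directory mirroring both layouts on this page.
DIRECTORY = {
    "cn=admin,ou=Tomcat-Roles,O=novell": {"cn": ["admin"], "member": ["cn=jeff,O=novell"]},
    "cn=manager,ou=Tomcat-Roles,O=novell": {"cn": ["manager"], "member": ["cn=jeff,O=novell"]},
    "cn=test,ou=zpar,o=med": {"cn": ["test"]},
    "cn=admin,ou=zpar,o=med": {"cn": ["admin"], "uniqueMember": ["cn=test,ou=zpar,o=med"]},
    "cn=manager,ou=zpar,o=med": {"cn": ["manager"], "uniqueMember": ["cn=test,ou=zpar,o=med"]},
}

if __name__ == "__main__":
    dn = user_dn("cn={0},ou=zpar,o=med", "test")
    print(role_filter("(uniqueMember={0})", dn))
    print(find_roles(DIRECTORY, "ou=zpar,o=med", "(uniqueMember={0})", "cn", dn))
```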

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED] 
For additional commands, e-mail: [EMAIL PROTECTED] 
