If you are using Tomcat 4.1.3, there are two modes that you can use for
checking roles. If you set roleSearch, it will search for group objects
that contain a list of users for each group. If you set userRoleName, it
will get the group information out of the user's entry instead, i.e., you
don't need separate group objects.

If you are using Active Directory, I found that you can use a setup similar
to the following.

This goes in server.xml,

<Realm className="org.apache.catalina.realm.JNDIRealm"
 debug="99"
 connectionName="myadminuser@mydomain"
 connectionPassword="myadminpassword"
 connectionURL="ldap://mydomaincontroller"
 userBase="cn=Users, dc=mydomain"
 userRoleName="memberOf"
 userSearch="(userPrincipalName={0}@mydomain)"/>

Group membership is stored in an attribute named memberOf in Active
Directory. myadminuser doesn't really have to be an admin user in AD. It
just has to have read permission to the memberOf attribute which is visible
to normal user accounts by default.

This goes in web.xml,

<security-constraint>
 <web-resource-collection>
  <web-resource-name>Tomcat</web-resource-name>
  <url-pattern>/*</url-pattern>
 </web-resource-collection>
 <auth-constraint>
  <role-name>CN=Tomcat,CN=Users,DC=mydomain</role-name>
 </auth-constraint>
</security-constraint>
<login-config>
 <auth-method>BASIC</auth-method>
 <realm-name>Tomcat</realm-name>
</login-config>

In the above example, I created a group in the Users container named Tomcat.
If you want to see how things are organized in Active Directory, you can use
LDIFDE to dump the directory into an LDIF file. That's how I figured it out.

Jon
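To make the two lookups concrete, here is an offline model of what the realm does with the configuration above. This is an added example, not part of the original post and not Tomcat's code: it parses a constructed LDIFDE-style dump (the kind Jon suggests looking at), substitutes the login name into the userSearch template with RFC 4515 escaping, reads memberOf from the matching user entry, and compares those DNs with the web.xml role-name as exact strings. It also shows the other mode from the first paragraph, roleSearch against group objects. The sample entries, DNs and the helper names (parse_ldif, search, has_role, roles_via_group_search) are all made up for the example, and the one-assertion filter matcher is a deliberately minimal stand-in for a directory server, not a description of how JNDIRealm itself builds or escapes its filters.

```python
"""Offline model of JNDIRealm's userRoleName="memberOf" and roleSearch modes.
Added example; all entries, names and DNs are constructed, not real data."""
import base64
import re

# Constructed sample shaped like "ldifde -f out.ldf" output (not a real dump).
SAMPLE_LDIF = """\
dn: CN=Tomcat,CN=Users,DC=mydomain
objectClass: group
cn: Tomcat
member: CN=Jon,CN=Users,DC=mydomain

dn: CN=Jon,CN=Users,DC=mydomain
objectClass: user
cn: Jon
userPrincipalName: jon@mydomain
memberOf: CN=Tomcat,CN=Users,DC=mydomain
memberOf: CN=Domain Users,CN=Users,DC=mydomain

dn: CN=Eve,CN=Users,DC=mydomain
objectClass: user
cn: Eve
userPrincipalName: eve@mydomain
memberOf: CN=Domain Users,CN=Users,DC=mydomain
"""

# Templates taken from the server.xml in the post ({0} is the login name) and
# the roleSearch alternative ({0} is the user's DN in that mode).
USER_SEARCH = "(userPrincipalName={0}@mydomain)"
USER_ROLE_NAME = "memberof"
ROLE_SEARCH = "(member={0})"
ROLE_NAME = "cn"


def parse_ldif(text):
    """Return one {attr: [values]} dict per LDIF record (attribute names
    lower-cased). Handles folded lines (leading space) and base64 ('::')."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():   # unfold continuations
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a search filter, so a login
    name such as '*)(userPrincipalName=*' cannot rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


# Only a single simple equality assertion is accepted by this toy matcher.
_SIMPLE_EQ = re.compile(r"^\((?P<attr>[A-Za-z][\w-]*)=(?P<val>[^()*]*)\)$")


def search(entries, filter_template, value):
    """Emulate a one-assertion LDAP search over the parsed dump: substitute
    the escaped value, then compare case-insensitively (as AD does here)."""
    m = _SIMPLE_EQ.match(filter_template.replace("{0}", escape_filter_value(value)))
    if not m:
        return []
    attr, wanted = m.group("attr").lower(), _unescape(m.group("val")).lower()
    return [e for e in entries if any(v.lower() == wanted for v in e.get(attr, []))]


def roles_for(entry):
    """userRoleName mode: the roles are the raw memberOf DN strings."""
    return list(entry.get(USER_ROLE_NAME, []))


def has_role(entries, username, role_name):
    """The check behind <auth-constraint><role-name>: the role-name must equal
    one memberOf value exactly as the directory returns it (case included)."""
    found = search(entries, USER_SEARCH, username)
    return bool(found) and role_name in roles_for(found[0])


def roles_via_group_search(entries, user_dn):
    """roleSearch mode: group objects whose member holds the user's DN; the
    role is each group's roleName attribute (cn)."""
    return [v for g in search(entries, ROLE_SEARCH, user_dn) for v in g.get(ROLE_NAME, [])]


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print(has_role(directory, "jon", "CN=Tomcat,CN=Users,DC=mydomain"))   # True
    print(has_role(directory, "eve", "CN=Tomcat,CN=Users,DC=mydomain"))   # False
    print(roles_via_group_search(directory, "CN=Jon,CN=Users,DC=mydomain"))  # ['Tomcat']
```

Two things the model makes visible that the XML alone does not: the login name is spliced into a filter, so anything that builds such a filter from user input needs escaping of `( ) * \` and NUL, and the role comparison is on the DN string, so a role-name written as `cn=tomcat,cn=users,dc=mydomain` will not match the `CN=Tomcat,CN=Users,DC=mydomain` that AD returns. Since connectionName/connectionPassword sit in clear text in server.xml, the account used for the bind should stay the low-privilege reader Jon describes.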

----- Original Message -----
From: "Cristina Perez Sanchez" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, June 10, 2002 9:10 AM
Subject: Roles in JNDIRealms


> Hi,
>
> could anyone tell me what objectclass the group entries that represent
> roles associated with users in JNDIRealms must have? I use
> groupOfUniqueNames as the objectclass, but I would like to know whether
> the objectclass group is more proper, or whether the objectclass isn't
> relevant.
>
>
> Thanks in advance,
>
> Cristina
>
> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
>

