Jonathan,

This is sort of off subject, but does your Active Directory setup work for Authentication? It seems to me that it wouldn't since there is no userPassword attribute in AD, but I am hoping I'm wrong.

Thanks,
Ryan

--- Jonathan Eric Miller <[EMAIL PROTECTED]> wrote:
> If you are using Tomcat 4.1.3, there are two modes that you can use for
> checking roles. If you set roleSearch, it will search for group
> objects that contain a list of users for each group. If you set
> userRoleName, it will get the group information out of the user's entry
> instead, i.e. you don't need separate group objects.
>
> If you are using Active Directory, I found that you can use a setup similar
> to the following.
>
> This goes in server.xml,
>
> <Realm className="org.apache.catalina.realm.JNDIRealm"
>        debug="99"
>        connectionName="myadminuser@mydomain"
>        connectionPassword="myadminpassword"
>        connectionURL="ldap://mydomaincontroller"
>        userBase="cn=Users, dc=mydomain"
>        userRoleName="memberOf"
>        userSearch="(userPrincipalName={0}@mydomain)"/>
>
> Group membership is stored in an attribute named memberOf in Active
> Directory. myadminuser doesn't really have to be an admin user in AD. It
> just has to have read permission to the memberOf attribute which is visible
> to normal user accounts by default.
>
> This goes in web.xml,
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Tomcat</web-resource-name>
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>CN=Tomcat,CN=Users,DC=mydomain</role-name>
>   </auth-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>BASIC</auth-method>
>   <realm-name>Tomcat</realm-name>
> </login-config>
>
> In the above example, I created a group in the Users container named Tomcat.
> If you want to see how things are organized in Active Directory, you can use
> LDIFDE to dump the directory into an LDIF file. That's how I figured it out.
>
> Jon
>
> ----- Original Message -----
> From: "Cristina Perez Sanchez" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, June 10, 2002 9:10 AM
> Subject: Roles in JNDIRealms
>
> > Hi,
> >
> > could anyone tell me what objectclass must be group
> > entries that represent roles associated to users in
> > JNDIRealms? I use groupOfUniqueNames as objectclass
> > but I would like to know if the objectclass group is
> > more proper or if the objectclass isn't relevant.
> >
> > Thanks in advance,
> >
> > Cristina
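
Added example, not part of the original thread and not Tomcat's code: in userRoleName mode the user's roles are the raw memberOf values, so the role-name in web.xml has to be the group's DN exactly as the directory returns it. The sketch below reads a constructed LDIFDE-style user entry and the web.xml constraint and reports each required role as granted, a near miss (same DN, different string) or denied. It assumes role names are compared as exact strings; the sample entry and all function names are hypothetical.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample shaped like an LDIFDE dump of one user (not from the post).
SAMPLE_LDIF = (
    "dn: CN=Jane Doe,CN=Users,DC=mydomain\n"
    "userPrincipalName: jdoe@mydomain\n"
    "memberOf: CN=Tomcat,CN=Users,DC=mydomain\n"
    "memberOf: CN=Domain Users,CN=Us\n"
    " ers,DC=mydomain\n"  # folded line: a leading space continues the value
)

# The auth-constraint from the post, wrapped in a root element so it parses.
WEB_XML = """<web-app><security-constraint><auth-constraint>
  <role-name>{role}</role-name>
</auth-constraint></security-constraint></web-app>"""

def parse_ldif_entry(text):
    """Return {attribute_lowercased: [values]} for a single LDIF entry."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # undo folding
    entry = {}
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" form for non-ASCII values
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(name.lower(), []).append(value.strip())
    return entry

def normalize_dn(dn):
    """Loose DN normalisation (ignores escaped commas); only for near-miss hints."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def check_constraint(entry, web_xml, user_role_name="memberOf"):
    """Classify each required role as 'granted', 'near-miss' or 'denied'."""
    user_roles = entry.get(user_role_name.lower(), [])
    loose = {normalize_dn(r) for r in user_roles}
    result = {}
    for node in ET.fromstring(web_xml).iter("role-name"):
        role = (node.text or "").strip()
        if role in user_roles:  # assumption: exact string comparison
            result[role] = "granted"
        else:  # same DN to LDAP but a different string is still a denial
            result[role] = "near-miss" if normalize_dn(role) in loose else "denied"
    return result
```

A near miss still results in a denied request, so the report is most useful when a user who is in the group gets a 403 anyway.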
