Hi,

first, thanks for your answers.

I would like to ask another question. I use Tomcat
4.0.3 and so I have to set roleSearch and create group
objects that contain the DNs of the users associated with them.
Which objectclass must these group entries have?
groupOfUniqueNames objectclass? group class? Are both
valid?


Thanks,

Cristina


--- Jonathan Eric Miller <[EMAIL PROTECTED]> wrote:
> Jacob,
> 
> I'm happy to say that there is a new "bind as user" mode in Tomcat 4.1.3
> which verifies the user password by binding as them to the directory, rather
> than querying the directory for the password. You are correct, previously it
> wouldn't work with Active Directory (as well as any other directory that
> didn't store its passwords in the specific format that Tomcat wanted), but,
> now it does. Now, if you don't set the userPassword attribute, it operates
> in "bind as user" mode. They haven't updated the main end-user documentation
> on JNDIRealm yet, but, if you look at the Catalina developer docs, you'll
> see what I'm referring to if you look at the JNDIRealm class.
> 
> Jon
> 
> ----- Original Message -----
> From: "Ryan" <[EMAIL PROTECTED]>
> To: "Tomcat Users List" <[EMAIL PROTECTED]>; "Jacob Kjome" <[EMAIL PROTECTED]>
> Sent: Monday, June 10, 2002 4:55 PM
> Subject: Re: Re[2]: Roles in JNDIRealms
> 
> 
> > Jacob,
> > I took a quick look at the source, but it looks like the passwords are
> > digested here also (i.e. will not work with Active Directory). From what I
> > understand, with AD the authentication has to be done _on_ the server.
> > Thanks,
> > Ryan
> >
> > --- Jacob Kjome <[EMAIL PROTECTED]> wrote:
> > > Hello Ryan,
> > >
> > > Check this out:
> > >
> > > http://www.peacetech.com/java/files/apache/tomcat/
> > >
> > > I haven't used it (nor have I used JNDIRealm at all so far), but I
> > > grab stuff that looks like useful info off the list and put it in my
> > > Vault ( http://www.personalmicrocosms.com/ ) from time to time.
> > > Hopefully it is useful for you.
> > >
> > > Jake
> > >
> > > Monday, June 10, 2002, 3:18:15 PM, you wrote:
> > >
> > > R> Jonathan,
> > > R> This is sort of off subject, but does your Active Directory setup
> > > R> work for Authentication?? It seems to me that it wouldn't since
> > > R> there is no userPassword attribute in AD, but I am hoping I'm wrong.
> > > R> Thanks,
> > > R> Ryan
> > >
> > > R> --- Jonathan Eric Miller <[EMAIL PROTECTED]> wrote:
> > > >> If you are using Tomcat 4.1.3, there are two modes that you can use
> > > >> for checking roles. If you set roleSearch, it will search for group
> > > >> objects that contain a list of users for each group. If you set
> > > >> userRoleName, it will get the group information out of the user's
> > > >> entry instead. i.e. you don't need separate group objects.
> > > >>
> > > >> If you are using Active Directory, I found that you can use a setup
> > > >> similar to the following.
> > > >>
> > > >> This goes in server.xml,
> > > >>
> > > >> <Realm className="org.apache.catalina.realm.JNDIRealm"
> > > >>  debug="99"
> > > >>  connectionName="myadminuser@mydomain"
> > > >>  connectionPassword="myadminpassword"
> > > >>  connectionURL="ldap://mydomaincontroller"
> > > >>  userBase="cn=Users, dc=mydomain"
> > > >>  userRoleName="memberOf"
> > > >>  userSearch="(userPrincipalName={0}@mydomain)"/>
> > > >>
> > > >> Group membership is stored in an attribute named memberOf in Active
> > > >> Directory. myadminuser doesn't really have to be an admin user in AD.
> > > >> It just has to have read permission to the memberOf attribute which
> > > >> is visible to normal user accounts by default.
> > > >>
> > > >> This goes in web.xml,
> > > >>
> > > >> <security-constraint>
> > > >>  <web-resource-collection>
> > > >>   <web-resource-name>Tomcat</web-resource-name>
> > > >>   <url-pattern>/*</url-pattern>
> > > >>  </web-resource-collection>
> > > >>  <auth-constraint>
> > > >>   <role-name>CN=Tomcat,CN=Users,DC=mydomain</role-name>
> > > >>  </auth-constraint>
> > > >> </security-constraint>
> > > >> <login-config>
> > > >>  <auth-method>BASIC</auth-method>
> > > >>  <realm-name>Tomcat</realm-name>
> > > >> </login-config>
> > > >>
> > > >> In the above example, I created a group in the Users container named
> > > >> Tomcat. If you want to see how things are organized in Active
> > > >> Directory, you can use LDIFDE to dump the directory into an LDIF
> > > >> file. That's how I figured it out.
> > > >>
> > > >> Jon
> > > >>
> > > >> ----- Original Message -----
> > > >> From: "Cristina Perez Sanchez" <[EMAIL PROTECTED]>
> > > >> To: <[EMAIL PROTECTED]>
> > > >> Sent: Monday, June 10, 2002 9:10 AM
> > > >> Subject: Roles in JNDIRealms
> > > >>
> > > >>
> > > >> > Hi,
> > > >> >
> > > >> > could anyone tell me what objectclass group entries that represent
> > > >> > roles associated with users in JNDIRealms must have?? I use
> > > >> > groupOfUniqueNames as objectclass but I would like to know if the
> > > >> > objectclass group is more proper or if the objectclass isn't
> > > >> > relevant.
> > > >> >
> > > >> >
> > > >> > Thanks in advance,
> > > >> >
> > > >> > Cristina
> > > >> >
> > > >> >
> > > >> > __________________________________________________
> > > >> > Do You Yahoo!?
> > > >> > Yahoo! - Official partner of 2002 FIFA World Cup
> > > >> > http://fifaworldcup.yahoo.com
> > > >> >
> 
=== message truncated ===
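The thread leaves two practical questions open: which group objectclass the roleSearch mode needs, and how to read an LDIF dump (Jon suggests LDIFDE) to find out. What matters to JNDIRealm is the roleSearch filter, in which {0} is replaced by the authenticated user's DN: a groupOfUniqueNames entry lists its members in uniqueMember, so the filter is (uniqueMember={0}), while groupOfNames and Active Directory's group class use member, so the filter is (member={0}). The script below is an added example, not code from the thread or from Tomcat; it parses a small constructed LDIF extract (the DNs, names and values are invented), works out which filter each group entry would need, and resolves a user's roles both ways the thread describes: by scanning group objects (roleSearch) and by reading the user's own memberOf values (userRoleName). The DN normaliser is deliberately simple and is an assumption, not an RFC 4514 comparison.

```python
import base64
from collections import defaultdict

# Constructed sample LDIF (not from the thread): one user, a groupOfUniqueNames
# group like Cristina's, an AD-style "group" whose members are listed in
# "member" with the reverse link in the user's "memberOf", and a groupOfNames
# the user does not belong to.
SAMPLE_LDIF = """\
dn: uid=cristina,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
uid: cristina
cn: Cristina Perez Sanchez
memberOf: CN=Tomcat,CN=Users,DC=example,DC=org

dn: cn=tomcat-admins,ou=Groups,dc=example,dc=org
objectClass: groupOfUniqueNames
cn: tomcat-admins
uniqueMember: uid=cristina,ou=People,dc=example,dc=org
uniqueMember: uid=someone-else,ou=People,dc=example,dc=org

dn: CN=Tomcat,CN=Users,DC=example,DC=org
objectClass: group
cn: Tomcat
member: uid=cristina,ou=People,dc=example,dc=org

dn: cn=unrelated,ou=Groups,dc=example,dc=org
objectClass: groupOfNames
cn: unrelated
member: uid=someone-else,ou=People,dc=example,dc=org
"""

# Membership attribute used by each group objectClass, hence the roleSearch
# filter JNDIRealm needs for it ({0} is the user's DN at search time).
MEMBER_ATTR = {
    "groupofuniquenames": "uniqueMember",
    "groupofnames": "member",
    "group": "member",  # Active Directory's group class
}


def parse_ldif(text):
    """Parse LDIF into a list of entries (dict: lowercased attr -> [values]).
    Handles folded lines (continuation lines start with one space), comments,
    and base64 values written as "attr:: ...". URL values ("attr:< ...") are
    kept verbatim."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                entries.append(dict(current))
            current = None
            continue
        if current is None:
            current = defaultdict(list)
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current[name.strip().lower()].append(value)
    return entries


def norm_dn(dn):
    """Crude DN normaliser (assumption): case-fold and drop whitespace around
    RDNs. Enough for comparing values inside one dump."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def role_search_filter(entry):
    """roleSearch filter that would match this entry as a group, or None if
    its objectClass is not one of the recognised group classes."""
    for oc in entry.get("objectclass", []):
        attr = MEMBER_ATTR.get(oc.lower())
        if attr:
            return "(%s={0})" % attr
    return None


def roles_for_user(entries, user_dn):
    """Role names (group cn, or DN if it has no cn) found two ways: groups
    listing the user (roleSearch mode) and the user's memberOf values
    (userRoleName mode)."""
    by_dn = {norm_dn(e["dn"][0]): e for e in entries if "dn" in e}
    target = norm_dn(user_dn)
    roles = set()
    for e in entries:
        flt = role_search_filter(e)
        if flt is None:
            continue
        attr = flt[1:flt.index("=")].lower()  # parser lowercases attr names
        if any(norm_dn(v) == target for v in e.get(attr, [])):
            roles.add(e.get("cn", e["dn"])[0])
    for group_dn in by_dn.get(target, {}).get("memberof", []):
        roles.add(by_dn.get(norm_dn(group_dn), {}).get("cn", [group_dn])[0])
    return roles


if __name__ == "__main__":
    dump = parse_ldif(SAMPLE_LDIF)
    for e in dump:
        print(e["dn"][0], "->", role_search_filter(e))
    print(sorted(roles_for_user(dump, "uid=cristina,ou=People,dc=example,dc=org")))
```

Run it against a real LDIFDE or ldapsearch export instead of SAMPLE_LDIF to see which membership attribute your groups actually carry before choosing roleSearch; a mismatch there (for example `(member={0})` against groupOfUniqueNames entries) silently yields no roles rather than an error. For the mode Jon describes, the account in connectionName only needs read access to the membership attributes, so a dedicated low-privilege read-only account is the appropriate choice for server.xml.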

