I think you can use whatever objectClass you want. The only filter that it uses for finding roles is the string that you set roleSearch to.
Jon

----- Original Message -----
From: "Cristina Perez Sanchez" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Tuesday, June 11, 2002 3:36 AM
Subject: Re: Re[3]: Roles in JNDIRealms

> Hi,
>
> first, thanks for your answers.
>
> I would like to ask another question. I use Tomcat 4.0.3 and so I have
> to set roleSearch and create group objects that contain the DNs of users
> associated to. Which objectclass must these group entries be?
> groupOfUniqueNames objectclass? group class? Are both valid?
>
> Thanks,
>
> Cristina
>
> --- Jonathan Eric Miller <[EMAIL PROTECTED]> wrote:
> > Jacob,
> >
> > I'm happy to say that there is a new "bind as user" mode in Tomcat 4.1.3
> > which verifies the user password by binding as them to the directory,
> > rather than querying the directory for the password. You are correct,
> > previously it wouldn't work with Active Directory (as well as any other
> > directory that didn't store its passwords in the specific format that
> > Tomcat wanted), but now it does. Now, if you don't set the userPassword
> > attribute, it operates in "bind as user" mode. They haven't updated the
> > main end-user documentation on JNDIRealm yet, but if you look at the
> > Catalina developer docs, you'll see what I'm referring to if you look at
> > the JNDIRealm class.
> >
> > Jon
> >
> > ----- Original Message -----
> > From: "Ryan" <[EMAIL PROTECTED]>
> > To: "Tomcat Users List" <[EMAIL PROTECTED]>; "Jacob Kjome" <[EMAIL PROTECTED]>
> > Sent: Monday, June 10, 2002 4:55 PM
> > Subject: Re: Re[2]: Roles in JNDIRealms
> >
> > > Jacob,
> > > I took a quick look at the source, but it looks like the passwords
> > > are digested here also (i.e. will not work with Active Directory).
> > > From what I understand, with AD the authentication has to be done
> > > _on_ the server.
> > > Thanks,
> > > Ryan
> > >
> > > --- Jacob Kjome <[EMAIL PROTECTED]> wrote:
> > > > Hello Ryan,
> > > >
> > > > Check this out:
> > > > http://www.peacetech.com/java/files/apache/tomcat/
> > > >
> > > > I haven't used it (nor have I used JNDIRealm at all so far), but I
> > > > grab stuff that looks like useful info off the list and put it in my
> > > > Vault ( http://www.personalmicrocosms.com/ ) from time to time.
> > > > Hopefully it is useful for you.
> > > >
> > > > Jake
> > > >
> > > > Monday, June 10, 2002, 3:18:15 PM, you wrote:
> > > >
> > > > R> Jonathan,
> > > > R> This is sort of off subject, but does your Active Directory setup
> > > > R> work for Authentication?? It seems to me that it wouldn't since
> > > > R> there is no userPassword attribute in AD, but I am hoping I'm wrong.
> > > > R> Thanks,
> > > > R> Ryan
> > > >
> > > > R> --- Jonathan Eric Miller <[EMAIL PROTECTED]> wrote:
> > > > >> If you are using Tomcat 4.1.3, there are two modes that you can use
> > > > >> for checking roles. If you set roleSearch, it will search for group
> > > > >> objects that contain a list of users for each group. If you set
> > > > >> userRoleName, it will get the group information out of the user's
> > > > >> entry instead, i.e. you don't need separate group objects.
> > > > >>
> > > > >> If you are using Active Directory, I found that you can use a setup
> > > > >> similar to the following.
> > > > >>
> > > > >> This goes in server.xml,
> > > > >>
> > > > >> <Realm
> > > > >>   className="org.apache.catalina.realm.JNDIRealm"
> > > > >>   debug="99"
> > > > >>   connectionName="myadminuser@mydomain"
> > > > >>   connectionPassword="myadminpassword"
> > > > >>   connectionURL="ldap://mydomaincontroller"
> > > > >>   userBase="cn=Users, dc=mydomain"
> > > > >>   userRoleName="memberOf"
> > > > >>   userSearch="(userPrincipalName={0}@mydomain)"/>
> > > > >>
> > > > >> Group membership is stored in an attribute named memberOf in Active
> > > > >> Directory. myadminuser doesn't really have to be an admin user in AD.
> > > > >> It just has to have read permission to the memberOf attribute which
> > > > >> is visible to normal user accounts by default.
> > > > >>
> > > > >> This goes in web.xml,
> > > > >>
> > > > >> <security-constraint>
> > > > >>   <web-resource-collection>
> > > > >>     <web-resource-name>Tomcat</web-resource-name>
> > > > >>     <url-pattern>/*</url-pattern>
> > > > >>   </web-resource-collection>
> > > > >>   <auth-constraint>
> > > > >>     <role-name>CN=Tomcat,CN=Users,DC=mydomain</role-name>
> > > > >>   </auth-constraint>
> > > > >> </security-constraint>
> > > > >> <login-config>
> > > > >>   <auth-method>BASIC</auth-method>
> > > > >>   <realm-name>Tomcat</realm-name>
> > > > >> </login-config>
> > > > >>
> > > > >> In the above example, I created a group in the Users container named
> > > > >> Tomcat. If you want to see how things are organized in Active
> > > > >> Directory, you can use LDIFDE to dump the directory into an LDIF
> > > > >> file. That's how I figured it out.
> > > > >>
> > > > >> Jon
> > > > >>
> > > > >> ----- Original Message -----
> > > > >> From: "Cristina Perez Sanchez" <[EMAIL PROTECTED]>
> > > > >> To: <[EMAIL PROTECTED]>
> > > > >> Sent: Monday, June 10, 2002 9:10 AM
> > > > >> Subject: Roles in JNDIRealms
> > > > >>
> > > > >> > Hi,
> > > > >> >
> > > > >> > could anyone tell me what objectclass group entries that represent
> > > > >> > roles associated to users in JNDIRealms must be?? I use
> > > > >> > groupOfUniqueNames as objectclass but I would like to know if the
> > > > >> > objectclass group is more proper or if the objectclass isn't
> > > > >> > relevant.
> > > > >> >
> > > > >> > Thanks in advance,
> > > > >> >
> > > > >> > Cristina
> > > > >>
> > > > === message truncated ===
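As an added example, not Tomcat's own code and not part of this thread: a small Python model of the two JNDIRealm role-lookup modes Jon describes (userRoleName reading roles off the user's entry, as with Active Directory's memberOf, versus roleSearch matching separate group entries with a filter), run against a constructed LDIF dump of the kind LDIFDE produces. The `SAMPLE_LDIF` entries, the two realm dictionaries, the DN values and every helper name are constructed for the illustration, and only simple `(attr=value)` filters are handled; Tomcat itself evaluates the filter on the directory server.

```python
"""Model of the two JNDIRealm role-lookup modes from the thread (added example,
not Tomcat's own code): userRoleName (roles in the user's entry, e.g. AD memberOf)
and roleSearch (separate group entries matched by a filter). All data and names
below are constructed for the illustration."""
import re
from collections import defaultdict

# Constructed LDIF in the shape LDIFDE would dump. Two group styles are present:
# a groupOfUniqueNames (uniqueMember) and an AD-style group (member).
SAMPLE_LDIF = """\
dn: cn=alice,cn=Users,dc=mydomain
objectClass: person
cn: alice
userPrincipalName: alice@mydomain
memberOf: CN=Tomcat,CN=Users,DC=mydomain
memberOf: CN=Staff,CN=Users,DC=mydomain

dn: cn=bob,cn=Users,dc=mydomain
objectClass: person
cn: bob
userPrincipalName: bob@mydomain

dn: cn=Tomcat,cn=Users,dc=mydomain
objectClass: groupOfUniqueNames
cn: Tomcat
uniqueMember: cn=alice,cn=Users,dc=mydomain

dn: cn=Admins,cn=Users,dc=mydomain
objectClass: group
cn: Admins
member: cn=alice,cn=Users,dc=mydomain
member: cn=bob,cn=Users,dc=mydomain
"""

# Realm settings mirroring the two server.xml styles discussed in the thread.
AD_REALM = {"userBase": "cn=Users, dc=mydomain",
            "userSearch": "(userPrincipalName={0}@mydomain)",
            "userRoleName": "memberOf"}
GROUP_REALM = {"userBase": "cn=Users,dc=mydomain",
               "userSearch": "(cn={0})",
               "roleBase": "cn=Users,dc=mydomain",
               "roleSearch": "(uniqueMember={0})",  # {0} = user DN, {1} = username
               "roleName": "cn"}


def norm_dn(dn):
    """Case-insensitive DN comparison key; also drops spaces after commas."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def parse_ldif(text):
    """Parse a minimal LDIF dump into {dn: {attr_lower: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if name.strip().lower() == "dn":
                dn = value.strip()
            else:
                attrs[name.strip().lower()].append(value.strip())
        if dn is None:
            raise ValueError("LDIF entry without dn")
        entries[dn] = dict(attrs)
    return entries


def _equality_filter(ldap_filter):
    """Split a simple '(attr=value)' filter; compound filters are out of scope."""
    m = re.fullmatch(r"\((\w+)=(.+)\)", ldap_filter)
    if not m:
        raise ValueError("only simple equality filters are modelled")
    return m.group(1).lower(), m.group(2)


def find_user(entries, realm, username):
    """userSearch under userBase with {0} = username; returns the user's DN."""
    attr, pattern = _equality_filter(realm["userSearch"])
    wanted = pattern.replace("{0}", username)
    for dn, attrs in entries.items():
        if norm_dn(dn).endswith(norm_dn(realm["userBase"])) and wanted in attrs.get(attr, []):
            return dn
    return None


def resolve_roles(entries, realm, username):
    """Roles for username, or None if userSearch finds no entry."""
    user_dn = find_user(entries, realm, username)
    if user_dn is None:
        return None
    roles = []
    if "userRoleName" in realm:  # roles stored on the user entry itself
        roles += entries[user_dn].get(realm["userRoleName"].lower(), [])
    if "roleSearch" in realm:    # roles are group entries matched by the filter
        attr, pattern = _equality_filter(realm["roleSearch"])
        wanted = norm_dn(pattern.replace("{0}", user_dn).replace("{1}", username))
        for dn, attrs in entries.items():
            if not norm_dn(dn).endswith(norm_dn(realm["roleBase"])):
                continue
            if wanted in (norm_dn(v) for v in attrs.get(attr, [])):
                roles += attrs.get(realm["roleName"].lower(), [])
    return roles


def is_authorized(roles, required):
    """web.xml <role-name> check: an exact string match against the role list."""
    return required in roles
```

Against the constructed dump, `resolve_roles(parse_ldif(SAMPLE_LDIF), AD_REALM, "alice")` returns the memberOf DNs verbatim, which is why the web.xml in the thread names the role as the full `CN=Tomcat,CN=Users,DC=mydomain` string and why `is_authorized` compares exactly. Switching `GROUP_REALM["roleSearch"]` from `(uniqueMember={0})` to `(member={0})` changes which group class is found, which is Jon's point: the filter, not the objectClass, decides.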