Hi Jon,

thanks for your help. I've tested group and
groupOfUniqueNames objectclass and JNDIRealm works
properly.

Thanks again,

Cristina

--- Jonathan Eric Miller <[EMAIL PROTECTED]>
wrote:
> I think you can use whatever objectClass you want. The only filter that it
> uses for finding roles is the string that you set roleSearch to.
> 
> Jon
> 
> ----- Original Message -----
> From: "Cristina Perez Sanchez" <[EMAIL PROTECTED]>
> To: "Tomcat Users List" <[EMAIL PROTECTED]>
> Sent: Tuesday, June 11, 2002 3:36 AM
> Subject: Re: Re[3]: Roles in JNDIRealms
> 
> 
> > Hi,
> >
> > first, thanks for your answers.
> >
> > I would like to ask another question. I use Tomcat
> > 4.0.3 and so I have to set roleSearch and create group
> > objects that contain the DNs of users associated to.
> > Which objectclass must be these group entries?
> > groupOfUniqueNames objectclass? group class? Are both
> > valid?
> >
> >
> > Thanks,
> >
> > Cristina
> >
> >
> > --- Jonathan Eric Miller <[EMAIL PROTECTED]>
> > wrote:
> > > Jacob,
> > >
> > > I'm happy to say that there is a new "bind as user" mode in Tomcat 4.1.3
> > > which verifies the user password by binding as them to the directory, rather
> > > than querying the directory for the password. You are correct, previously it
> > > wouldn't work with Active Directory (as well as any other directory that
> > > didn't store its passwords in the specific format that Tomcat wanted), but,
> > > now it does. Now, if you don't set the userPassword attribute, it operates
> > > in "bind as user" mode. They haven't updated the main end-user documentation
> > > on JNDIRealm yet, but, if you look at the Catalina developer docs, you'll
> > > see what I'm referring to if you look at the JNDIRealm class.
> > >
> > > Jon
> > >
> > > ----- Original Message -----
> > > From: "Ryan" <[EMAIL PROTECTED]>
> > > To: "Tomcat Users List"
> > > <[EMAIL PROTECTED]>; "Jacob Kjome"
> > > <[EMAIL PROTECTED]>
> > > Sent: Monday, June 10, 2002 4:55 PM
> > > Subject: Re: Re[2]: Roles in JNDIRealms
> > >
> > >
> > > > Jacob,
> > > > I took a quick look at the source, but it looks like
> > > > the passwords are digested here also (i.e. will not
> > > > work with Active Directory). From what I understand,
> > > > with AD the authentication has to be done _on_ the
> > > > server.
> > > > Thanks,
> > > > Ryan
> > > >
> > > > --- Jacob Kjome <[EMAIL PROTECTED]> wrote:
> > > > > Hello Ryan,
> > > > >
> > > > > Check this out:
> > > > >
> > > > > http://www.peacetech.com/java/files/apache/tomcat/
> > > > >
> > > > > I haven't used it (nor have I used JNDIRealm at all so far), but I
> > > > > grab stuff that looks like useful info off the list and put it in my
> > > > > Vault ( http://www.personalmicrocosms.com/ ) from time to time.
> > > > > Hopefully it is useful for you.
> > > > >
> > > > > Jake
> > > > >
> > > > > Monday, June 10, 2002, 3:18:15 PM, you wrote:
> > > > >
> > > > > R> Jonathan,
> > > > > R> This is sort of off subject, but does your Active
> > > > > R> Directory setup work for Authentication?? It seems to
> > > > > R> me that it wouldn't since there is no userPassword
> > > > > R> attribute in AD, but I am hoping I'm wrong.
> > > > > R> Thanks,
> > > > > R> Ryan
> > > > >
> > > > > R> --- Jonathan Eric Miller <[EMAIL PROTECTED]> wrote:
> > > > > > >> If you are using Tomcat 4.1.3, there are two modes that you can use for
> > > > > > >> checking roles. If you set roleSearch, it will search for group
> > > > > > >> objects that contain a list of users for each group. If you set
> > > > > > >> userRoleName, it will get the group information out of the user's entry
> > > > > > >> instead. i.e. you don't need separate group objects.
> > > > > >>
> > > > > > >> If you are using Active Directory, I found that you can use a setup similar
> > > > > > >> to the following.
> > > > > >>
> > > > > >> This goes in server.xml,
> > > > > >>
> > > > > > >> <Realm className="org.apache.catalina.realm.JNDIRealm"
> > > > > > >>  debug="99"
> > > > > > >>  connectionName="myadminuser@mydomain"
> > > > > > >>  connectionPassword="myadminpassword"
> > > > > > >>  connectionURL="ldap://mydomaincontroller"
> > > > > > >>  userBase="cn=Users, dc=mydomain"
> > > > > > >>  userRoleName="memberOf"
> > > > > > >>  userSearch="(userPrincipalName={0}@mydomain)"/>
> > > > > >>
> > > > > > >> Group membership is stored in an attribute named memberOf in Active
> > > > > > >> Directory. myadminuser doesn't really have to be an admin user in AD. It
> > > > > > >> just has to have read permission to the memberOf attribute which is visible
> > > > > > >> to normal user accounts by default.
> > > > > >>
> > > > > >> This goes in web.xml,
> > > > > >>
> > > > > >> <security-constraint>
> > > > > >>  <web-resource-collection>
> > > > > >>
> > > <web-resource-name>Tomcat</web-resource-name>
> > > > > >>   <url-pattern>/*</url-pattern>
> > > > > >>  </web-resource-collection>
> > > > > >>  <auth-constraint>
> > > > > >>
> > > > > >>
> 
=== message truncated ===
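
As an added illustration (not part of the thread, and not taken from Tomcat's documentation) of Jon's point that the roleSearch string is the only filter used to find roles: two alternative JNDIRealm definitions for server.xml, one per group schema discussed above. Host names, DNs and the service account are placeholders, and pinning objectClass inside the filter in alternative B is an assumption about how one might narrow which entries can grant a role.

```xml
<!-- Added example: use ONE of these Realm elements, not both.
     Hosts, DNs and credentials below are placeholders. -->

<!-- Alternative A: groups are groupOfUniqueNames entries, whose members are
     listed in the uniqueMember attribute. {0} is replaced by the user's DN,
     and roleName names the attribute whose value becomes the role.
     userPassword is set as required before the "bind as user" mode described
     in the thread; per the thread, leaving it unset on Tomcat 4.1.3 makes the
     realm bind as the user instead of reading the stored password. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.example.com"
       connectionName="cn=tomcat-reader,dc=example,dc=com"
       connectionPassword="CHANGE_ME"
       userPattern="uid={0},ou=people,dc=example,dc=com"
       userPassword="userPassword"
       roleBase="ou=groups,dc=example,dc=com"
       roleName="cn"
       roleSearch="(uniqueMember={0})"/>

<!-- Alternative B: groups are "group" entries, whose members are listed in
     the member attribute. Because roleSearch is the only filter applied, any
     entry under roleBase whose member attribute holds the user's DN yields a
     role, whatever its objectClass. Adding an objectClass clause limits role
     grants to real group entries. The ampersand of the LDAP AND operator must
     be written as &amp; inside an XML attribute value. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.example.com"
       connectionName="cn=tomcat-reader,dc=example,dc=com"
       connectionPassword="CHANGE_ME"
       userPattern="uid={0},ou=people,dc=example,dc=com"
       userPassword="userPassword"
       roleBase="ou=groups,dc=example,dc=com"
       roleName="cn"
       roleSearch="(&amp;(objectClass=group)(member={0}))"/>
```

Keeping roleBase as narrow as possible and granting the connectionName account read-only access to it limits who can influence role assignment by creating directory entries.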

