Hello.

I try to set up the following features :
- Client authentication using client SSL certificates
- Client authorization using the JNDI realm, against an iPlanet LDAP
directory

I first tested a simpler configuration using the LDAP realm with BASIC
authentication, and it works fine. The realm configuration, set up in the
server.xml application context is :

                <Context        path="/test"
                                        docBase="../_PHILIPPE_/TEST-CONTEXT"
                                        debug="0"
                                        reloadable="true"
                                        crossContext="true"
                        >
                        <Logger className="org.apache.catalina.logger.FileLogger"
                                        prefix="localhost_test-context_log."
                                        suffix=".txt"
                                        timestamp="true"
                        />
                        <Realm  className="org.apache.catalina.realm.JNDIRealm"
                                        debug="99"
                                        
connectionName="uid=Tomcat,ou=People,dc=moon.net"
                                        connectionPassword="tomcat"
                                        connectionURL="ldap://localhost:389";
                                        roleBase="ou=Roles,ou=TomcatRealm,dc=moon.net"
                                        roleName="cn"
                                        roleSearch="(uniqueMember={0})"
                                        roleSubtree="false"
                                        userBase="ou=Users,ou=TomcatRealm,dc=moon.net"
                                        userSearch="(cn={0})"
                        />
                </Context>

According to this configuration, when a user tries to access a secured URL
and provides its BASIC login and password, the realm correctly checks the
credentials against the directory, binding with the DN using the userBase
and userSearch parameters.

On the other hand, i tried another configuration, using SSL client
authentication and the default realm, adding a user entry in the
tomcat-users.xml file with the complete DN as username :
"cn=SomeBody,ou=Users,ou=TomcatRealm,dc=moon.net". As expected, the
certificate is successfully verified in the trust cacerts store, and the
default realm correctly matches the user with the issuer DN extracted from
the client certificate.

In this last case, i assumed the DN provided by the client certificate is
the exact expression used by the realm to match the users identity.

Now, i don't understand how it should be possible to configure both the JNDI
realm and the SSL connector to indicate how the client certificates DN must
be used to check the user identity in the LDAP directory. It seems obvious
that using the full DN from the client certificate as a single user
identifier (cn, uid, etc.) fails, since the search filter doesn't match.
Should it be sensible to use the key alias from the trust keystore as the
directory identifier value ? Perhaps i don't go the right way !...

Thanks for your help.

Philippe Maseres


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to