Hello!

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831

I think a common solution should be found for this, so I try again to push a discussion:

Questions:

*) Are there some standards for how to map a certificate to a user within an LDAP server?
*) If not, could/should we implement some of my code directly in a class (say) JNDIRealmCert, and one could simply override an abstract "certToUser" method?

I have tried to use CLIENT-CERT to authenticate the user for our application. JNDIRealm does not support such authentication, so I have tried to implement it. For our infrastructure my solution works well, but I think (know) it is strongly bound to it.

The way it works is to get a certificate for a user and import this certificate into the Active Directory server. During authentication, a user with the matching certificate is searched for, and the "cn" of this user is used from then on (getRoles() ...).

First, I created a new class JNDIRealmCertAD (JNDIRealm Certificate ActiveDirectory) and introduced a new property "certSearch". (I also copied the *Pattern getters/setters for use with certificates, but haven't tested them yet.) Much of the code from JNDIRealm had to be copied, due to the private User class; however, this class is a prototype.

The advantage (I think) of my solution is that it does not use Cert.getSubjectDN() for the username; instead it uses the "cn" (or any other attribute) of the LDAP entry returned when searching for the user corresponding to the certificate. With my class it is possible to use BASIC and CLIENT-CERT and always have the same username for the application. I think the application should not be bothered with the type of authentication. However, currently this solution is bound to our Win2000 domain.

Comments are welcome!!

Ciao, Mario
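The lookup Mario describes (search the directory for the entry holding the presented certificate, then use one of that entry's attributes as the username) can be written as a small JNDI helper that a Realm subclass could call from a "certToUser" hook. The class below is an added illustration, not Tomcat's JNDIRealm code and not Mario's JNDIRealmCertAD; the class name, the search base "CN=Users,DC=example,DC=com", the attribute names and the server URL are assumptions. It passes the certificate's DER bytes to JNDI as a filter argument ({0}) rather than building the filter string by hand, so the bytes are escaped by JNDI and no attacker-controlled text ends up in the filter.

```java
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Hypothetical helper (not part of Tomcat or of the JNDIRealmCertAD prototype).
 * Maps a client certificate, already validated by the container's TLS
 * handshake (CLIENT-CERT), to a directory user: it searches for the entry
 * whose userCertificate attribute holds exactly that certificate and returns
 * a configurable attribute of that entry (e.g. "cn"), so BASIC and CLIENT-CERT
 * logins yield the same application username.
 */
public class CertToUserMapper {

    private final String userBase;      // assumed: "CN=Users,DC=example,DC=com"
    private final String userNameAttr;  // assumed: "cn" ("sAMAccountName" also works on AD)

    public CertToUserMapper(String userBase, String userNameAttr) {
        this.userBase = userBase;
        this.userNameAttr = userNameAttr;
    }

    /**
     * Returns the username attribute of the single entry holding {@code cert},
     * or null if no entry matches. More than one match is treated as an error,
     * because the mapping would then be ambiguous.
     */
    public String certToUser(DirContext ctx, X509Certificate cert)
            throws NamingException, CertificateEncodingException {
        SearchControls ctrls = new SearchControls();
        ctrls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        ctrls.setReturningAttributes(new String[] { userNameAttr });

        // The DER encoding is passed as a filter argument; JNDI encodes a
        // byte[] argument with the RFC 2254 escaping rules, so the filter is
        // safe regardless of what the certificate contains.
        byte[] der = cert.getEncoded();
        NamingEnumeration<SearchResult> results = ctx.search(
                userBase, "(userCertificate;binary={0})", new Object[] { der }, ctrls);

        String user = null;
        try {
            while (results.hasMore()) {
                SearchResult r = results.next();
                if (user != null) {
                    throw new NamingException("certificate matches more than one directory entry");
                }
                Attribute a = r.getAttributes().get(userNameAttr);
                if (a != null) {
                    user = (String) a.get();
                }
            }
        } finally {
            results.close();
        }
        return user;
    }

    /** Opens a directory context; URL and bind credentials are placeholders (assumed). */
    public static DirContext connect(String url, String bindDn, String bindPassword)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);                 // e.g. "ldaps://dc.example.com:636"
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);        // a read-only service account
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        return new InitialDirContext(env);
    }
}
```

Two points worth keeping in mind with this approach: the match is on the complete DER encoding, so a renewed or reissued certificate will not map to anything until the userCertificate attribute in the directory is updated; and Active Directory treats userCertificate as an octet string, so equality matching works there, while directories that enforce certificate syntax may need certificateExactMatch support instead.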