On Wednesday, 01.03.2006, 08:40 +0100, Leucht, Axel wrote:
> Hi,
> 
> I'm currently trying to protect a tomcat web-app via LDAP. This application 
> handled the protection against an LDAP server with a customized login 
> procedure before. As there is now some more sensible content in the web-app, 
> I wanted to protect the entire web-app by tomcat. Therefore I inserted a 
> JNDIRealm into the context:
>       <Realm   className="org.apache.catalina.realm.JNDIRealm" debug="99"
>               connectionURL="ldap://gssun001:389"
>               userBase="ou=LDAPusers,dc=prodv"
>               userSearch="(cn={0})"
>               roleBase="ou=LDAPusers,dc=prodv"
>               roleName="(cn={0})"
>               roleSearch="(userPassword={0})"
>       /> 
I think you will want to change roleSearch into something like 
roleSearch="(member={0})" and roleBase to ou=LDAPgroups,dc=prodv. A role
can then be represented as an LDAP group which is placed in
ou=LDAPgroups,dc=prodv. If you create an LDAP group with
cn=manager,ou=LDAPgroups,dc=prodv which has
member=cn=gast,ou=LDAPusers,dc=prodv, your user gast should get the Tomcat
role manager.

Please read
http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html#JNDIRealm

> So, when I try to access the web-app the login.html is displayed as accepted. 
> When I give credentials that are stored in the LDAP server, the following 
> appears in the log:
> 
>       Searching for gast
>       base: ou=LDAPusers,dc=prodv  filter: (cn=gast)
>       entry found for gast with dn cn=gast,ou=LDAPusers,dc=prodv
>       validating credentials by binding as the user
>       binding as cn=gast,ou=LDAPusers,dc=prodv
>       Username gast successfully authenticated
>       getRoles(cn=gast,ou=LDAPusers,dc=prodv)
>       Searching role base 'ou=LDAPusers,dc=prodv' for attribute '(cn={0})'
>       With filter expression '(userPassword=cn=gast,ou=LDAPusers,dc=prodv)'
Tomcat tells you that it is searching for LDAP objects which pass the
filter '(userPassword=cn=gast,ou=LDAPusers,dc=prodv)'. This is most
probably not what you want.

Bye
 Felix
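The posted Realm next to a corrected one that follows the advice above, as an added example that is not part of the original mail. It assumes the groups under ou=LDAPgroups,dc=prodv are groupOfNames entries whose member attribute holds the full user DN, and it also sets roleName to the attribute name cn, because JNDIRealm expects an attribute name there, not a filter.

```xml
<!-- Before (as posted): the role search compares userPassword with the
     user's DN, so it will not match any group entry and the user gets
     no roles. roleName is also given a filter instead of an attribute. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://gssun001:389"
       userBase="ou=LDAPusers,dc=prodv"
       userSearch="(cn={0})"
       roleBase="ou=LDAPusers,dc=prodv"
       roleName="(cn={0})"
       roleSearch="(userPassword={0})" />

<!-- After: roles are groups under ou=LDAPgroups. Tomcat replaces {0} in
     roleSearch with the authenticated user's DN and takes the value of the
     roleName attribute (cn) of every matching group as a Tomcat role.
     Assumed group entry (constructed, in LDIF form):
       dn: cn=manager,ou=LDAPgroups,dc=prodv
       objectClass: groupOfNames
       cn: manager
       member: cn=gast,ou=LDAPusers,dc=prodv -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://gssun001:389"
       userBase="ou=LDAPusers,dc=prodv"
       userSearch="(cn={0})"
       roleBase="ou=LDAPgroups,dc=prodv"
       roleSubtree="false"
       roleName="cn"
       roleSearch="(member={0})" />
```

With the second Realm, the debug log for gast should show the role base ou=LDAPgroups,dc=prodv searched with filter (member=cn=gast,ou=LDAPusers,dc=prodv) and the role manager returned.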
