I'm trying to configure Tomcat to authenticate against our Active Directory 
server.

I do not want to configure an administrative account to bind with; I want to 
bind as the user logging in.

The problem comes when JNDIRealm tries to get the list of roles that the user 
is a member of. From looking at the source code, it seems to strip out the 
login user's account credentials from the DirectoryContext. This causes the 
following exception when it tries to get a list of groups for the user:

> javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C09072B, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580]; remaining name 'cn=users,dc=360works,dc=com'
>       at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3107)
>       at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3013)
>       at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2820)
>       at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1829)
>       at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1752)
>       at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
>       at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
>       at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:321)
>       at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248)
>       at com.prosc.JNDIRealm.getRoles(JNDIRealm.java:1750)
>       at com.prosc.JNDIRealm.authenticate(JNDIRealm.java:1136)
>       at com.prosc.JNDIRealm.authenticate(JNDIRealm.java:1019)
>       at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:164)
>       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:573)
>    <snip>

This bug report seems to indicate that it should work the way I'm expecting, as 
of 7.0.9 and onwards.
https://issues.apache.org/bugzilla/show_bug.cgi?id=19444

I am running 7.0.52. Is there some configuration I need to do to tell Tomcat to 
use the user's credentials when getting a list of roles?

--Jesse Barnum, President, 360Works
http://www.360works.com
Product updates and news on http://facebook.com/360Works
(770) 234-9293
== Don't lose your data! http://360works.com/safetynet/ for FileMaker Server ==