On Sep 30, 2014, at 2:43 AM, Mark Thomas <ma...@apache.org> wrote:

> On 30/09/2014 01:11, Jesse Barnum wrote:
>> I'm trying to configure Tomcat to authenticate against our Active Directory 
>> server.
>> 
>> I do not want to configure an administrative account to bind with; I want to 
>> bind as the user logging in.
>> 
>> The problem comes when JNDIRealm tries to get the list of roles that the 
>> user is a member of. From looking at the source code, it seems to strip out 
>> the login user's account credentials from the DirectoryContext. This causes 
>> the following exception when it tries to get a list of groups for the user:
> 
> <snip/>
> 
>> This bug report seems to indicate that it should work the way I'm expecting, 
>> as of 7.0.9 and onwards.
>> https://issues.apache.org/bugzilla/show_bug.cgi?id=19444
>> 
>> I am running 7.0.52. Is there some configuration I need to do to tell Tomcat 
>> to use the user's credentials when getting a list of roles?
> 
> To quote from the last comment in that bug report:
> <quote>
> I have added a new JNDIRealm option in Tomcat 7.0.x to optionally allow
> role searches as the user being authenticated rather than using an
> anonymous user or using connectionName/connectionPassword.
> 
> The new option will be included in 7.0.9 onwards.
> </quote>
> 
> Looking at the docs for the JNDI Realm (since I can't remember what name
> I used for that option) this looks promising:
> <quote>
> roleSearchAsUser
> 
> When searching for user roles, should the search be performed as the
> user currently being authenticated? If false, connectionName and
> connectionPassword will be used if specified, else an anonymous. If not
> specified, the default value of false is used. Note that when accessing
> the directory using delegated credentials, this attribute is always
> ignored and the search is performed using the delegated credentials.
> </quote>
> 
> So, that begs two questions:
> 
> 1. What configuration are you using for roleSearchAsUser?

Mark, thanks for the fast response.

I did not have that attribute set. I've changed it to true. Here is my Realm 
definition after making the change:

>         <Realm className="org.apache.catalina.realm.JNDIRealm"
>            connectionURL="ldap://activedirectory.360works.com/cn=Users,dc=360works,dc=com"
>            userPattern="cn={0},cn=Users,dc=360works,dc=com"
>            roleBase=""
>            roleName="cn"
>            roleSearch="(member={0})"
>            roleSearchAsUser="true"
>    />

By the way, I've noticed that I get a NPE if I don't define roleBase with an 
empty string (it should be optional, since I've specified the search base in my 
connectionURL). I don't have to define userBase; it seems like the behavior 
should be consistent for these two attributes.

After adding the roleSearchAsUser attribute, I'm getting a new error:

> FINE:   Checking constraint 'SecurityConstraint[Protected Area]' against GET /index.html --> true
> Sep 30, 2014 10:12:22 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
> FINE:  Calling hasUserDataPermission()
> Sep 30, 2014 10:12:22 AM org.apache.catalina.realm.RealmBase hasUserDataPermission
> FINE:   User data constraint has no restrictions
> Sep 30, 2014 10:12:22 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
> FINE:  Calling authenticate()
> Sep 30, 2014 10:12:22 AM org.apache.catalina.realm.CombinedRealm authenticate
> FINE: Attempting to authenticate user "Jesse Barnum" with realm "org.apache.catalina.realm.JNDIRealm/1.0"
> Sep 30, 2014 10:12:22 AM org.apache.catalina.realm.JNDIRealm authenticate
> INFO: Exception performing authentication. Retrying...
> java.lang.NullPointerException
>       at java.util.Hashtable.put(Hashtable.java:394)
>       at javax.naming.InitialContext.addToEnvironment(InitialContext.java:514)
>       at org.apache.catalina.realm.JNDIRealm.userCredentialsAdd(JNDIRealm.java:1635)
>       at org.apache.catalina.realm.JNDIRealm.getRoles(JNDIRealm.java:1734)
>       at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1169)
>       at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1052)
>       at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:146)
>       at org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:180)
>       at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:164)
>       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:573)
>       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
>       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
>       at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>       at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
>       at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
>       at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313)
>       at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
>       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
>       at java.lang.Thread.run(Thread.java:695)
> 

> 
> 2. In the interests of improving the docs, what was it that meant you
> were unable to find this information in the JNDI Realm docs?

There is no mention of 'roleSearchAsUser' on these pages:
http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JNDIRealm
http://tomcat.apache.org/tomcat-7.0-doc/funcspecs/fs-jndi-realm.html

It is mentioned in the method-specific docs on this page, but I didn't see that 
because I was setting all of my attributes based on the class-level JavaDocs 
that outline the various parameters:
https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/realm/JNDIRealm.html

> 
> Mark
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 


--Jesse Barnum, President, 360Works
http://www.360works.com
Product updates and news on http://facebook.com/360Works
(770) 234-9293
== Don't lose your data! http://360works.com/safetynet/ for FileMaker Server ==
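As an added illustration, not code from this thread or from Tomcat's JNDIRealm: a stand-alone JNDI client that does by hand what roleSearchAsUser="true" asks the realm to do. It binds as the user who is logging in and then runs the role search on that same bound context, so the group lookup carries the user's own credentials instead of connectionName/connectionPassword or an anonymous bind. The connectionURL, userPattern, roleBase, roleSearch and roleName values are copied from the Realm definition above; the class name, method names and the filter-escaping helper are assumptions of this example, and the username and password come from the command line. It needs a reachable directory to run.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Example client (not Tomcat code): bind as the authenticating user, then look
 * up that user's groups with the same credentials.
 */
public class RoleSearchAsUserDemo {

    /** JNDI environment for a simple bind as the authenticating user. */
    static Hashtable<String, String> userEnv(String ldapUrl, String userDn, String password) {
        // java.util.Hashtable throws NullPointerException on a null key or value;
        // that is the failure at Hashtable.put in the trace above. Reject nulls
        // here with a message that names the missing piece.
        if (ldapUrl == null || userDn == null || password == null) {
            throw new IllegalArgumentException(
                "ldapUrl, userDn and password must all be non-null before binding");
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return env;
    }

    /** Escape a value before substituting it into a search filter (RFC 4515). */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Run the role search on an already bound context. A roleBase of "" is
     * relative to the base DN carried in the provider URL, which is what the
     * roleBase="" in the Realm above relies on.
     */
    static List<String> findRoles(DirContext ctx, String roleBase, String roleSearch,
                                  String roleName, String userDn) throws NamingException {
        String filter = roleSearch.replace("{0}", escapeFilterValue(userDn));
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] { roleName });
        List<String> roles = new ArrayList<>();
        NamingEnumeration<SearchResult> results = ctx.search(roleBase, filter, controls);
        try {
            while (results.hasMore()) {
                Attribute attr = results.next().getAttributes().get(roleName);
                if (attr != null) {
                    roles.add(attr.get().toString());
                }
            }
        } finally {
            results.close();
        }
        return roles;
    }

    public static void main(String[] args) throws NamingException {
        if (args.length != 2) {
            System.err.println("usage: RoleSearchAsUserDemo <username> <password>");
            System.exit(2);
        }
        // URL and DN pattern copied from the Realm definition in the thread; the
        // password is read from the command line so nothing secret is hard-coded.
        // args[0] is placed into a DN as-is here; validate or escape it (RFC 4514)
        // before doing this with untrusted input.
        String ldapUrl = "ldap://activedirectory.360works.com/cn=Users,dc=360works,dc=com";
        String userDn = "cn=" + args[0] + ",cn=Users,dc=360works,dc=com";

        // One context does both jobs: the bind authenticates the user, and the
        // same context, still carrying the user's credentials, runs the role search.
        DirContext ctx = new InitialDirContext(userEnv(ldapUrl, userDn, args[1]));
        try {
            for (String role : findRoles(ctx, "", "(member={0})", "cn", userDn)) {
                System.out.println("role: " + role);
            }
        } finally {
            ctx.close();
        }
    }
}
```

The null check in userEnv is the point of contact with the trace above: Hashtable.put refuses a null value, so adding a null principal or credential to a context's environment fails exactly at Hashtable.put via addToEnvironment, before any request reaches the directory. Escaping the DN before it goes into the (member={0}) filter is a precaution this example adds on its own; whether the realm you run does the same is something to check against its source rather than assume.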

