Hi all, I've been setting up user authentication based on JNDIRealm and have a couple of questions regarding its operation. I've been using one of the secured applications that come with the examples included in the Tomcat source for testing. My setup, with obfuscated names and passwords, is as follows.
I have the following Realm in the default host:

<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         debug="99"
         connectionURL="ldap://ldap1.mydomain.com:389"
         alternateURL="ldap://ldap2.mydomain.com:389"
         connectionName="cn=connect,ou=Users,dc=mydomain,dc=com"
         connectionPassword="password"
         userBase="ou=Users,dc=mydomain,dc=com"
         userSearch="uid={0}"
         roleBase="ou=Groups,dc=mydomain,dc=com"
         roleName="cn"
         roleSearch="memberUid={1}"
         contextFactory="org.apache.catalina.ldap.realm.LdapTlsContextFactory"/>
  ...
</Host>

and have modified the security constraint roles in the web.xml of the examples application to match my LDAP groups:

<auth-constraint>
  <!-- Anyone with one of the listed roles may access this area -->
  <!--<role-name>tomcat</role-name>-->
  <!--<role-name>role1</role-name>-->
  <role-name>MyCompany Users</role-name>
  <!--<role-name>tomcat-users</role-name>-->
</auth-constraint>
...
<security-role>
  <role-name>tomcat-users</role-name>
</security-role>
<security-role>
  <role-name>MyCompany Users</role-name>
</security-role>

Now when I hit the protected application, https://myserver/examples/jsp/security/protected/, I can successfully log in, but only if the role-name is set to "MyCompany Users". When I replace it with tomcat-users (comment it out and uncomment the tomcat-users role name), the authentication fails.
The following are the traces from the Tomcat log and the LDAP log:

Oct 07, 2014 2:35:06 PM org.apache.catalina.realm.RealmBase hasRole
FINE: Username user1 does NOT have role tomcat-users
Oct 07, 2014 2:35:06 PM org.apache.catalina.realm.RealmBase hasResourcePermission
FINE: No role found: tomcat-users

Oct 7 14:35:06 ldap1 slapd[1367]: conn=1123 op=1 BIND dn="cn=connect,ou=Users,dc=mydomain,dc=com" method=128
Oct 7 14:35:06 ldap1 slapd[1367]: conn=1123 op=1 BIND dn="cn=connect,ou=Users,dc=mydomain,dc=com" mech=SIMPLE ssf=0
Oct 7 14:35:06 ldap1 slapd[1367]: conn=1123 op=1 RESULT tag=97 err=0 text=
Oct 7 14:35:06 ldap1 slapd[1367]: conn=1123 op=2 SRCH base="ou=Users,dc=mydomain,dc=com" scope=1 deref=3 filter="(uid=user1)"
Oct 7 14:35:06 ldap1 slapd[1367]: conn=1123 op=2 SRCH attr=1.1
Oct 7 14:35:06 ldap1 slapd[1367]: conn=1123 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 7 14:35:06 ldap1 slapd[1367]: conn=1123 op=3 BIND anonymous mech=implicit ssf=0
Oct 7 14:35:06 ldap1 slapd[1367]: conn=1123 op=3 BIND dn="uid=user1,ou=Users,dc=mydomain,dc=com" method=128
Oct 7 14:35:06 ldap1 slapd[1367]: conn=1123 op=3 BIND dn="uid=user1,ou=Users,dc=mydomain,dc=com" mech=SIMPLE ssf=0
Oct 7 14:35:06 ldap1 slapd[1367]: conn=1123 op=3 RESULT tag=97 err=0 text=
Oct 7 14:35:06 ldap1 slapd[1367]: conn=1123 op=4 SRCH base="" scope=0 deref=3 filter="(objectClass=*)"
Oct 7 14:35:06 ldap1 slapd[1367]: conn=1123 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 7 14:35:06 ldap1 slapd[1367]: conn=1123 op=5 BIND anonymous mech=implicit ssf=0
Oct 7 14:35:06 ldap1 slapd[1367]: conn=1123 op=5 BIND dn="cn=connect,ou=Users,dc=mydomain,dc=com" method=128
Oct 7 14:35:06 ldap1 slapd[1367]: conn=1123 op=5 BIND dn="cn=connect,ou=Users,dc=mydomain,dc=com" mech=SIMPLE ssf=0
Oct 7 14:35:06 ldap1 slapd[1367]: conn=1123 op=5 RESULT tag=97 err=0 text=
Oct 7 14:35:06 ldap1 slapd[1367]: conn=1123 op=6 SRCH base="ou=Groups,dc=mydomain,dc=com" scope=1 deref=3 filter="(memberUid=user1)"
Oct 7 14:35:06 ldap1 slapd[1367]: conn=1123 op=6 SRCH attr=cn
Oct 7 14:35:06 ldap1 slapd[1367]: conn=1123 op=6 SEARCH RESULT tag=101 err=0 nentries=2 text=

So the LDAP server returns 2 entries for the role query (filtering by attr=cn), which can be confirmed by the following LDAP command doing the same:

$ ldapsearch -LLL -Z -H ldap://myldap:389/ -D "cn=connect,ou=Users,dc=mydomain,dc=com" -W -b ou=Groups,dc=mydomain,dc=com "(memberUid=user1)" cn
Enter LDAP Password:
dn: cn=tomcat-users,ou=Groups,dc=mydomain,dc=com
cn: MyCompany Users
cn: tomcat-users

dn: cn=user1,ou=Groups,dc=mydomain,dc=com
cn: MyCompany Users
cn: user1

Not sure if I understand it correctly, but I thought the Realm would loop through the cn's returned and find the right one before it fails, but it looks like it picks up the first cn only? Is there something I can modify in my Realm without changing anything on the LDAP side to fix this?

Thanks,
Igor
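An added illustration, not part of the post above and not Tomcat's JNDIRealm source, of why the role set a realm ends up with depends on how it handles a multi-valued role attribute. Each group entry here carries two cn values, and "MyCompany Users" happens to be the first value in both. The LDIF is a constructed copy of the ldapsearch output from the post; the parser and the three mapping strategies (first attribute value only, every attribute value, or the group's own RDN) are assumptions written for the demo and are not a statement of what any Tomcat version actually does.

```python
# Added illustration (not Tomcat's JNDIRealm code): role mapping from an
# LDAP group search when the configured role attribute is multi-valued.
# SAMPLE_LDIF is a constructed copy of the ldapsearch output in the post.

SAMPLE_LDIF = """\
dn: cn=tomcat-users,ou=Groups,dc=mydomain,dc=com
cn: MyCompany Users
cn: tomcat-users

dn: cn=user1,ou=Groups,dc=mydomain,dc=com
cn: MyCompany Users
cn: user1
"""


def parse_ldif(text):
    """Parse minimal LDIF (no base64 '::' values, no line folding) into a
    list of (dn, {attribute: [values in directory order]}) tuples."""
    entries = []
    current_dn, attrs = None, {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:  # blank line ends the current entry
            if current_dn is not None:
                entries.append((current_dn, attrs))
                current_dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if name == "dn":
            current_dn = value
        else:
            attrs.setdefault(name, []).append(value)
    if current_dn is not None:
        entries.append((current_dn, attrs))
    return entries


def roles_first_value_only(entries, role_attr="cn"):
    """Strategy A: take only the first value of the role attribute per entry.
    With the sample data this silently drops 'tomcat-users' and 'user1'."""
    roles = set()
    for _, attrs in entries:
        values = attrs.get(role_attr, [])
        if values:
            roles.add(values[0])
    return roles


def roles_all_values(entries, role_attr="cn"):
    """Strategy B: take every value of the role attribute per entry."""
    roles = set()
    for _, attrs in entries:
        roles.update(attrs.get(role_attr, []))
    return roles


def roles_from_rdn(entries, role_attr="cn"):
    """Strategy C: derive the role from the group's RDN (the value that
    names the entry), which is unambiguous even when the attribute itself
    holds several values."""
    roles = set()
    for dn, _ in entries:
        rdn = dn.split(",", 1)[0]
        rdn_attr, _, rdn_value = rdn.partition("=")
        if rdn_attr.strip().lower() == role_attr.lower():
            roles.add(rdn_value.strip())
    return roles


def has_role(roles, required):
    """Same check a container makes against a web.xml <role-name>."""
    return required in roles


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for label, strategy in (("first value only", roles_first_value_only),
                            ("all values", roles_all_values),
                            ("rdn", roles_from_rdn)):
        roles = strategy(entries)
        print(f"{label:17s} roles={sorted(roles)} "
              f"tomcat-users={has_role(roles, 'tomcat-users')}")
```

Feeding real `ldapsearch -LLL` output into `parse_ldif` shows, per strategy, which roles a user would be granted; whichever strategy reproduces the "does NOT have role" line from the RealmBase debug output is the one the deployed realm is effectively using, and that tells you whether the fix belongs in the realm's attribute choice or in the directory data.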