JNDIRealm Authentication and Roles

Igor Cicimov Mon, 06 Oct 2014 22:08:15 -0700

Hi all,

I've been setting up user authentication based on JNDIRealm and have couple
of questions regarding the operation. I've been using one of the secured
applications that come with the examples included in Tomcat source for
testing. My setup with obfuscated names and passwords is as follows.


I have the following Realm in the default host:

      <Host name="localhost"  appBase="webapps" unpackWARs="true"
autoDeploy="false">
        <Realm className="org.apache.catalina.realm.JNDIRealm"
               debug="99"
               connectionURL="ldap://ldap1.mydomain.com:389";
               alternateURL="ldap://ldap2.mydomain.com:389";
               connectionName="cn=connect,ou=Users,dc=mydomain,dc=com"
               connectionPassword="password"
               userBase="ou=Users,dc=mydomain,dc=com"
               userSearch="uid={0}"
               roleBase="ou=Groups,dc=mydomain,dc=com"
               roleName="cn"
               roleSearch="memberUid={1}"

contextFactory="org.apache.catalina.ldap.realm.LdapTlsContextFactory"/>
        ...
      </Host>

 and have modified the security constraint roles in the web.xml of the
examples application to match my LDAP groups:

      <auth-constraint>
         <!-- Anyone with one of the listed roles may access this area -->
         <!--<role-name>tomcat</role-name>-->
         <!--<role-name>role1</role-name>-->
         <role-name>MyCompany Users</role-name>
         <!--<role-name>tomcat-users</role-name>-->
      </auth-constraint>
      ...
      <security-role>
         <role-name>tomcat-users</role-name>
      </security-role>
      <security-role>
         <role-name>MyCompany Users</role-name>
      </security-role>

Now when I hit the protected application,
https://myserver/examples/jsp/security/protected/, I can successfully login
but only if the role-name is set to "MyCompany Users". When I replace it
with the tomcat-users, comment it out and uncomment the tomcat-users role
name, the authentication fails. The following are the traces from the
Tomcat log and LDAP log:

Oct 07, 2014 2:35:06 PM org.apache.catalina.realm.RealmBase hasRole
FINE: Username user1 does NOT have role tomcat-users
Oct 07, 2014 2:35:06 PM org.apache.catalina.realm.RealmBase
hasResourcePermission
FINE: No role found:  tomcat-users

Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=1 BIND
dn="cn=connect,ou=Users,dc=mydomain,dc=com" method=128
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=1 BIND
dn="cn=connect,ou=Users,dc=mydomain,dc=com" mech=SIMPLE ssf=0
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=1 RESULT tag=97 err=0 text=
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=2 SRCH
base="ou=Users,dc=mydomain,dc=com" scope=1 deref=3 filter="(uid=user1)"
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=2 SRCH attr=1.1
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=2 SEARCH RESULT tag=101
err=0 nentries=1 text=
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=3 BIND anonymous
mech=implicit ssf=0
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=3 BIND
dn="uid=user1,ou=Users,dc=mydomain,dc=com" method=128
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=3 BIND
dn="uid=user1,ou=Users,dc=mydomain,dc=com" mech=SIMPLE ssf=0
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=3 RESULT tag=97 err=0 text=
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=4 SRCH base="" scope=0
deref=3 filter="(objectClass=*)"
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=4 SEARCH RESULT tag=101
err=0 nentries=1 text=
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=5 BIND anonymous
mech=implicit ssf=0
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=5 BIND
dn="cn=connect,ou=Users,dc=mydomain,dc=com" method=128
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=5 BIND
dn="cn=connect,ou=Users,dc=mydomain,dc=com" mech=SIMPLE ssf=0
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=5 RESULT tag=97 err=0 text=
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=6 SRCH
base="ou=Groups,dc=mydomain,dc=com" scope=1 deref=3
filter="(memberUid=user1)"
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=6 SRCH attr=cn
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=6 SEARCH RESULT tag=101
err=0 nentries=2 text=

So the LDAP server returns 2 entries for the role query (filtering by
attr=cn) which can be confirmed by the following LDAP command doing the
same:

$ ldapsearch -LLL -Z -H ldap://myldap:389/ -D
"cn=connect,ou=Users,dc=mydomain,dc=com" -W -b ou=Groups,dc=mydomain,dc=com
"(memberUid=user1)" cn
Enter LDAP Password:
dn: cn=tomcat-users,ou=Groups,dc=mydomain,dc=com
cn: MyCompany Users
cn: tomcat-users

dn: cn=user1,ou=Groups,dc=mydomain,dc=com
cn: MyCompany Users
cn: user1


Not sure if understand it correctly, but I thought the Realm would loop
through the cn's returned and find the right one before it fails but looks
like it picks up the first cn only? Is there something I can modify in my
Realm without changing anything on the LDAP side to fix this?

Thanks,
Igor

JNDIRealm Authentication and Roles

Reply via email to