On Wed, Oct 8, 2014 at 4:16 AM, Felix Schumacher <felix.schumac...@internetallee.de> wrote:
> Am 07.10.2014 um 14:32 schrieb Igor Cicimov:
>
>> Hi Felix,
>>
>> First thanks for your reply.
>>
>> On Tue, Oct 7, 2014 at 6:35 PM, Felix Schumacher <felix.schumac...@internetallee.de> wrote:
>>
>>> Hi Igor,
>>>
>>> Am 07.10.2014 07:07, schrieb Igor Cicimov:
>>>
>>>> Hi all,
>>>>
>>>> I've been setting up user authentication based on JNDIRealm and have a couple of questions regarding the operation. I've been using one of the secured applications that come with the examples included in the Tomcat source for testing. My setup with obfuscated names and passwords is as follows.
>>>
>>> Which tomcat version do you use?
>>
>> It's 7.0.52-1ubuntu0.1 from the Ubuntu 14.04 repository, sorry I missed mentioning that.
>>
>>>> I have the following Realm in the default host:
>>>>
>>>> <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false">
>>>> <Realm className="org.apache.catalina.realm.JNDIRealm"
>>>> debug="99"
>>>
>>> debug is not used anymore, so just delete it.
>>
>> Done.
>>
>>>> connectionURL="ldap://ldap1.mydomain.com:389"
>>>> alternateURL="ldap://ldap2.mydomain.com:389"
>>>> connectionName="cn=connect,ou=Users,dc=mydomain,dc=com"
>>>> connectionPassword="password"
>>>> userBase="ou=Users,dc=mydomain,dc=com"
>>>> userSearch="uid={0}"
>>>> roleBase="ou=Groups,dc=mydomain,dc=com"
>>>> roleName="cn"
>>>> roleSearch="memberUid={1}"
>>>> contextFactory="org.apache.catalina.ldap.realm.LdapTlsContextFactory"/>
>>>
>>> Do you need the LdapTlsContextFactory? If so, what is your ldap server setup?
>>
>> Good that you mentioned that, I wanted to ask about this in a separate thread. I was searching for STARTTLS support in the JNDIRealm and this was the only solution I could find. I got the directions from here: http://wiki.apache.org/tomcat/JNDI_startTLs_HowTo, so I compiled and installed the context factory since TLS is a must for my use case.
>>
>> It's working fine for me but still wanted to ask, since the above HowTo is from 2010: has this maybe been integrated into the Tomcat mainstream now and I have missed something in the documentation, or is it still the (only) valid solution for TLS support?
>
> If TLS is important to you, I hope you have changed the HostnameVerifier to something more sensible :)

Hmmm, was not aware of that, will have a look for sure.

> There is a bug request open https://issues.apache.org/bugzilla/show_bug.cgi?id=49785
> but only very few people asked for it in the last four years. You can try to vote it up.

Thanks for the link, I upvoted.

> I have only used ldap servers which would be reachable by ssl, so there was no
> need for me to investigate further. Any reason why your ldap server can't be used with ssl?

Well, for ldap, ssl is considered deprecated in favour of tls, which I use everywhere possible like ldap, postfix etc. I don't see a reason for using ssl and opening another port on the server, but that's maybe just me :-)

> Felix
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
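What Felix's remark about the HostnameVerifier means in practice, as an added example that is neither the wiki's LdapTlsContextFactory nor Tomcat's own code: a hypothetical helper that negotiates STARTTLS through plain JNDI before any credentials leave the JVM, with the accept-everything verifier shown beside a strict one. It assumes the JDK's built-in LDAP provider and trust store; the class and method names are invented, and the values in main() are taken from the thread's obfuscated Realm configuration.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.HostnameVerifier;

/** Hypothetical helper: open ldap://, upgrade the socket with STARTTLS, then bind. */
public final class StartTlsLdapBind {
    // The weak setting: any name on the server certificate is accepted, so the
    // bind password is protected only against a passive eavesdropper.
    static final HostnameVerifier ACCEPT_ALL = (host, session) -> true;
    // The sensible setting: the JDK's StartTlsResponse already checks the certificate
    // against the host in the URL and consults this verifier only when that check
    // fails, so refusing here makes any name mismatch abort the bind.
    static final HostnameVerifier STRICT = (host, session) -> false;

    public static LdapContext bind(String url, String bindDn, String password,
                                   HostnameVerifier verifier) throws NamingException, IOException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);   // plain ldap:// on 389, as in the Realm above
        // No credentials yet: anything in env now would be sent before TLS is up.
        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        tls.setHostnameVerifier(verifier);    // must be set before negotiate()
        tls.negotiate();                       // default SSLSocketFactory, JVM trust store
        // Only now hand over the bind DN and password, and rebind over the TLS channel.
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDn);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
        ctx.reconnect(null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Values taken from the thread's obfuscated Realm configuration.
        LdapContext ctx = bind("ldap://ldap1.mydomain.com:389",
                "cn=connect,ou=Users,dc=mydomain,dc=com", "password", STRICT);
        try {
            System.out.println("bound over STARTTLS with hostname verification");
        } finally {
            ctx.close();
        }
    }
}
```

Passing ACCEPT_ALL instead of STRICT is the configuration Felix warns about: the handshake still succeeds against a server presenting a certificate for some other name, so a name mismatch is never surfaced.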