Ok so I fixed my Realm :-

<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://win-dc01.kerbtest.local:389"
       userBase="cn=Users,dc=kerbtest,dc=local"
       userSearch="(cn={0})"
       userRoleName="memberOf"
       roleBase="cn=Users,dc=kerbtest,dc=local"
       roleName="cn"
       roleSearch="(uniqueMember={0})"
       debug="9"/>

<!-- This Realm uses the UserDatabase configured in the global JNDI
     resources under the key "UserDatabase". Any edits that are
     performed against this UserDatabase are immediately available
     for use by the Realm. -->
<!--
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase"/>
-->

However, the AD group 'manager-gui' does not automatically become a role. How do I define the group-to-role mapping?

Krb5Context.unwrap: data=[30 84 00 00 00 10 02 01 06 65 84 00 00 00 07 0a 01 00 04 00 04 00 ]
30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.realm.CombinedRealm.authenticate Authenticated user "test@KERBTEST.LOCAL" with realm "org.apache.catalina.realm.JNDIRealm"
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.register Authenticated 'test' with type 'SPNEGO'
30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.register Session ID changed on authentication from [BA1A48564A9ECF1917107AF362AA9C2B] to [9BA70CD7B088BEE077787CFD21FE4BC6]
30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling accessControl()
30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles GenericPrincipal[test(CN=manager-gui,CN=Users,DC=kerbtest,DC=local,)]
30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasRole Username test does NOT have role manager-gui
30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: manager-gui
30-Mar-2015 12:46:44.182 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed accessControl() test

thanks!

David

----------------------------------------
> From: dmars...@outlook.com
> To: users@tomcat.apache.org
> Subject: User Realm based Authorisation with Tomcat 8
> Date: Mon, 30 Mar 2015 12:09:47 +0100
>
> So I have SPNEGO working and I want to use the JNDI realm for authorisation.
>
> I have this configured :-
>
> <Realm className="org.apache.catalina.realm.JNDIRealm"
>        connectionURL="ldap://win-dc01.kerbtest.local:389"
>        userBase="ou=Users,dc=kerbtest,dc=local"
>        userSearch="(uid={0})"
>        userRoleName="memberOf"
>        roleBase="ou=Users,dc=kerbtest,dc=local"
>        roleName="cn"
>        roleSearch="(uniqueMember={0})"/>
>
> I would like to use AD groups to control authorisation in my application.
>
> However, currently it appears the tomcat-users file is being used :-
>
> <user username="test" password="testpass" roles="manager-gui"/>
>
> How do I configure the Tomcat Manager web app to use the realm and ignore the
> users file?
>
> Alternatively, is there other example code I can use with the JNDI realm?
>
> many thanks
>
> David
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> ---------------------------------------------------------------------
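The role resolution visible in the log above, as an added model that is not code from Tomcat or from this thread: it replays the two lookups the posted <Realm> directs JNDIRealm to perform (userSearch plus userRoleName, then roleSearch plus roleName) against a small constructed directory, and shows why the principal ends up holding the group's DN rather than the name "manager-gui". The DIRECTORY entries are constructed, and the point that AD groups list their members in a `member` attribute (rather than `uniqueMember`) is an assumption of this example, not something the thread states.

```python
"""Model of Tomcat JNDIRealm role resolution for the posted config.

Added illustration, not code from Tomcat or from the thread. DIRECTORY is a
constructed stand-in for the AD entries; that AD groups list members in the
``member`` attribute is an assumption, not something the thread states.
"""

DIRECTORY = {
    "CN=test,CN=Users,DC=kerbtest,DC=local": {
        "cn": ["test"],
        "memberOf": ["CN=manager-gui,CN=Users,DC=kerbtest,DC=local"],
    },
    "CN=manager-gui,CN=Users,DC=kerbtest,DC=local": {
        "cn": ["manager-gui"],
        "member": ["CN=test,CN=Users,DC=kerbtest,DC=local"],
    },
}

def ldap_search(base, attr, value):
    """Stand-in for a subtree search under base with an equality filter (attr=value)."""
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base.lower())
            and value.lower() in [v.lower() for v in attrs.get(attr, [])]]

def realm_roles(username, user_role_name, role_search_attr, role_name,
                base="cn=Users,dc=kerbtest,dc=local"):
    """Build the role list the way the posted <Realm> directs JNDIRealm to.

    1. userSearch (cn={0}) finds the user entry; every value of userRoleName
       (memberOf) is added as a role verbatim, i.e. as the group's full DN.
    2. roleSearch (role_search_attr={0}) runs with the user's DN; for each
       group that matches, the value of roleName (cn) is added.
    """
    hits = ldap_search(base, "cn", username)
    if not hits:
        return None  # authentication would fail before any role lookup
    user_dn = hits[0]
    roles = list(DIRECTORY[user_dn].get(user_role_name, []))
    for group_dn in ldap_search(base, role_search_attr, user_dn):
        roles.extend(DIRECTORY[group_dn].get(role_name, []))
    return roles

def has_role(roles, required):
    """RealmBase.hasRole is an exact string match; a group DN never equals 'manager-gui'."""
    return required in roles

if __name__ == "__main__":
    print(realm_roles("test", "memberOf", "uniqueMember", "cn"))  # the posted config
    print(realm_roles("test", "memberOf", "member", "cn"))        # with the AD member attribute
```

With the posted config the group search finds nothing (the constructed group has no uniqueMember), so the only role is the DN and the manager-gui check fails exactly as in the log; with `member` the search matches and roleName="cn" contributes "manager-gui".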