No worries, fixed it :-

      <!-- {0} in userSearch is the authenticated username; {0} in roleSearch is the user's DN -->
      <Realm className="org.apache.catalina.realm.JNDIRealm"
          connectionURL="ldap://win-dc01.kerbtest.local:389"
          userBase="cn=Users,dc=kerbtest,dc=local"
          userSearch="(cn={0})"
          userRoleName="memberOf"
          roleBase="cn=Users,dc=kerbtest,dc=local"
          roleName="cn"
          roleSearch="(member={0})"
          debug="9"/>

Seems uniqueMember is no good as I have multiple groups...

----------------------------------------
> From: dmars...@outlook.com
> To: users@tomcat.apache.org
> Subject: RE: User Realm based Authorisation with Tomcat 8
> Date: Mon, 30 Mar 2015 12:50:52 +0100
>
> Ok so I fixed my Realm :-
>
> <Realm className="org.apache.catalina.realm.JNDIRealm"
> connectionURL="ldap://win-dc01.kerbtest.local:389"
> userBase="cn=Users,dc=kerbtest,dc=local"
> userSearch="(cn={0})"
> userRoleName="memberOf"
> roleBase="cn=Users,dc=kerbtest,dc=local"
> roleName="cn"
> roleSearch="(uniqueMember={0})"
> debug="9"/>
>
> 
> 
>
> However, the AD group 'manager-gui' does not automatically become a role. How
> do I define the group-to-role mapping?
>
> Krb5Context.unwrap: data=[30 84 00 00 00 10 02 01 06 65 84 00 00 00 07 0a 01 00 04 00 04 00 ]
> 30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.realm.CombinedRealm.authenticate Authenticated user "test@KERBTEST.LOCAL" with realm "org.apache.catalina.realm.JNDIRealm"
> [Krb5LoginModule]: Entering logout
> [Krb5LoginModule]: logged out Subject
> 30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.register Authenticated 'test' with type 'SPNEGO'
> 30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.register Session ID changed on authentication from [BA1A48564A9ECF1917107AF362AA9C2B] to [9BA70CD7B088BEE077787CFD21FE4BC6]
> 30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling accessControl()
> 30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles GenericPrincipal[test(CN=manager-gui,CN=Users,DC=kerbtest,DC=local,)]
> 30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasRole Username test does NOT have role manager-gui
> 30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: manager-gui
> 30-Mar-2015 12:46:44.182 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed accessControl() test
>
>
> thanks!
>
> David
>
> ----------------------------------------
>> From: dmars...@outlook.com
>> To: users@tomcat.apache.org
>> Subject: User Realm based Authorisation with Tomcat 8
>> Date: Mon, 30 Mar 2015 12:09:47 +0100
>>
>> So I have SPNEGO working and I want to use the JNDI realm for authorisation.
>>
>> I have this configured :-
>>
>> <Realm className="org.apache.catalina.realm.JNDIRealm"
>> connectionURL="ldap://win-dc01.kerbtest.local:389"
>> userBase="ou=Users,dc=kerbtest,dc=local"
>> userSearch="(uid={0})"
>> userRoleName="memberOf"
>> roleBase="ou=Users,dc=kerbtest,dc=local"
>> roleName="cn"
>> roleSearch="(uniqueMember={0})"/>
>>
>> I would like to use AD groups to control authorisation in my application.
>>
>> However, currently it appears the tomcat-users file is being used :-
>>
>> <user username="test" password="testpass" roles="manager-gui"/>
>>
>> How do I configure the Tomcat Manager web app to use the realm and ignore the
>> users file?
>>
>> Alternatively is there other example code I can use with the JNDI realm ?
>>
>> many thanks
>>
>> David
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>
>
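The lookup behind the debug log above, as an added example that is neither Tomcat's code nor part of the original thread: a small Python model of the JNDIRealm's documented order (userSearch with {0} bound to the username, then every value of the userRoleName attribute added verbatim, then roleSearch with {0} bound to the user's DN and {1} to the username), replayed against a constructed in-memory directory using the DNs from the thread. It shows why the memberOf-only result is the group's full DN, which never equals the role name manager-gui that the Manager web app checks, and why (member={0}) fixes it: AD groups list their members in the member attribute, while uniqueMember belongs to the groupOfUniqueNames object class, which AD does not use. The directory contents, the toy filter matcher (equality filters only) and the RFC 4515 escaping helper are assumptions made for the example.

```python
"""Model of how Tomcat's JNDIRealm turns an LDAP/AD user into roles.

Added example, not Tomcat code: replays the realm's documented lookup order
against a constructed in-memory directory so the effect of
roleSearch="(uniqueMember={0})" versus "(member={0})" can be seen offline.
"""
import re

# Constructed sample directory (assumption, not real data): one user and one
# group under CN=Users, modelled on the DNs in the thread's debug log.
DIRECTORY = {
    "CN=test,CN=Users,DC=kerbtest,DC=local": {
        "objectClass": ["user"],
        "cn": ["test"],
        "memberOf": ["CN=manager-gui,CN=Users,DC=kerbtest,DC=local"],
    },
    "CN=manager-gui,CN=Users,DC=kerbtest,DC=local": {
        "objectClass": ["group"],
        "cn": ["manager-gui"],
        # AD groups hold their members in 'member'; 'uniqueMember' is the
        # groupOfUniqueNames attribute, which AD does not populate.
        "member": ["CN=test,CN=Users,DC=kerbtest,DC=local"],
    },
}

# The thread's two configurations, reduced to the attributes that matter here.
BROKEN_REALM = {
    "userBase": "cn=Users,dc=kerbtest,dc=local",
    "userSearch": "(cn={0})",
    "userRoleName": "memberOf",
    "roleBase": "cn=Users,dc=kerbtest,dc=local",
    "roleName": "cn",
    "roleSearch": "(uniqueMember={0})",
}
FIXED_REALM = dict(BROKEN_REALM, roleSearch="(member={0})")

FILTER_RE = re.compile(r"\((\w+)=(.*)\)")


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter, so a
    username such as 'test)(cn=*' cannot rewrite the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def unescape_filter_value(value):
    """Inverse of escape_filter_value, used by the toy matcher below."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def search(base, filt):
    """Subtree search over DIRECTORY; supports only simple (attr=value)
    filters. Attribute names, DNs and values compare case-insensitively,
    as they do in AD for the attributes used here."""
    m = FILTER_RE.fullmatch(filt)
    if not m:
        raise ValueError("unsupported filter: %s" % filt)
    attr = m.group(1).lower()
    wanted = unescape_filter_value(m.group(2)).lower()
    hits = []
    for dn, entry in DIRECTORY.items():
        if not dn.lower().endswith("," + base.lower()):
            continue
        values = next((v for k, v in entry.items() if k.lower() == attr), [])
        if any(v.lower() == wanted for v in values):
            hits.append((dn, entry))
    return hits


def resolve_roles(realm, username):
    """Replay the JNDIRealm lookup order:
    1. userSearch in userBase with {0}=username  -> the user's DN
    2. every value of userRoleName on the user entry becomes a role, verbatim
    3. roleSearch in roleBase with {0}=user DN, {1}=username -> roleName values
    Returns the role list, or None when no single user entry matches."""
    user_filter = realm["userSearch"].replace("{0}", escape_filter_value(username))
    users = search(realm["userBase"], user_filter)
    if len(users) != 1:
        return None
    user_dn, user_entry = users[0]
    roles = list(user_entry.get(realm["userRoleName"], []))  # step 2: raw DNs
    role_filter = (realm["roleSearch"]
                   .replace("{0}", escape_filter_value(user_dn))
                   .replace("{1}", escape_filter_value(username)))
    for _dn, group in search(realm["roleBase"], role_filter):
        roles.extend(group.get(realm["roleName"], []))  # step 3: group cn
    return roles


def has_role(roles, role):
    """Tomcat compares role names exactly: a memberOf DN never equals 'manager-gui'."""
    return roles is not None and role in roles


if __name__ == "__main__":
    for label, realm in (("uniqueMember", BROKEN_REALM), ("member", FIXED_REALM)):
        roles = resolve_roles(realm, "test")
        print("roleSearch on %-12s -> roles %s -> manager-gui: %s"
              % (label, roles, has_role(roles, "manager-gui")))
```

With the uniqueMember filter the only role is the memberOf DN, exactly what the log's GenericPrincipal[test(CN=manager-gui,CN=Users,DC=kerbtest,DC=local,)] shows, and hasRole fails; with member the group's cn is added and the check passes. Two things the model does not settle for a real deployment: whether your Tomcat version's JNDIRealm escapes the substituted values the way escape_filter_value does (check the source for the release you run), and the fact that connectionURL="ldap://...:389" carries the searches, and any connectionName/connectionPassword bind, in cleartext, so ldaps:// is the setting to use outside a lab.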