On 09.04.2015 at 16:36, Philippe Anctil wrote:
Hi,

I have set up Tomcat to authenticate users against OpenLDAP. I want
roles to be retrieved from the user record itself.

<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldap://127.0.0.1:389"
userPattern="uid={0},ou=users,dc=admin,dc=company,dc=com"
userRoleName="ou"
/>

Authentication did not work initially because of an openldap acl I had in place.

access to *
   by self write
   by anonymous auth
   by *

I checked the network trace in Wireshark. The ACL did not prevent the
bind from succeeding. However, it blocked the anonymous search request
Tomcat performs after the bind.

...
257    2015-04-09 09:59:51.614162    127.0.0.1    127.0.0.1    LDAP    80     bindResponse(11) success
258    2015-04-09 09:59:51.614311    127.0.0.1    127.0.0.1    LDAP    134    searchRequest(12) "<ROOT>" baseObject
259    2015-04-09 09:59:51.614416    127.0.0.1    127.0.0.1    LDAP    116    searchResEntry(12) "<ROOT>"
260    2015-04-09 09:59:51.614436    127.0.0.1    127.0.0.1    LDAP    80     searchResDone(12) success  [1 result]

What is the reason for this final search request? Should I change my
ACL? Or is Tomcat wrong to do this last search request?

The searchRequest(12) is done in JNDIRealm#bindAsUser to trigger a request with the credentials of the user. If that searchRequest succeeds, the credentials are marked as valid.

Regards
 Felix

This is with Tomcat 7.0.53.

Thanks.
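To see why the ACL from the question lets the bind through but denies the follow-up search, here is a toy evaluator of slapd's "access to * by ..." directive that replays the two operations JNDIRealm performs. This is an added example, not code from Tomcat, OpenLDAP or the thread; it assumes a missing access level on a `by` clause means `none`, that the same ACL governs the root DSE, and uses a constructed user DN.

```python
# Toy model of slapd ACL evaluation for the two operations JNDIRealm#bindAsUser
# performs: the simple bind (checked as anonymous, needs "auth" on the user entry)
# and the base-scope search on the root DSE ("") done as the freshly bound user.
# Assumptions: "by <who>" without a level means "none"; the root DSE is covered by
# the same directive. Added example, not Tomcat or OpenLDAP code.

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def parse_acl(text):
    """Parse 'access to <what> by <who> [<level>] ...' into (what, [(who, level), ...])."""
    tokens = text.split()
    if tokens[:2] != ["access", "to"]:
        raise ValueError("only 'access to ...' directives are supported")
    what, clauses, i = tokens[2], [], 3
    while i < len(tokens):
        if tokens[i] != "by":
            raise ValueError("expected 'by' at token %d" % i)
        who = tokens[i + 1]
        if i + 2 < len(tokens) and tokens[i + 2] in LEVELS:
            level, i = tokens[i + 2], i + 3
        else:                      # assumption: a bare "by *" grants "none"
            level, i = "none", i + 2
        clauses.append((who, level))
    return what, clauses

def who_matches(who, bound_dn, target_dn):
    """Subset of slapd <who> forms: *, anonymous, users, self."""
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None
    if who == "users":
        return bound_dn is not None
    if who == "self":
        return bound_dn is not None and bound_dn.lower() == target_dn.lower()
    return False

def allowed(acl, bound_dn, target_dn, needed):
    """First matching <who> clause wins; it grants if its level >= the needed one."""
    for who, level in acl[1]:
        if who_matches(who, bound_dn, target_dn):
            return LEVELS.index(level) >= LEVELS.index(needed)
    return False

USER_DN = "uid=panctil,ou=users,dc=admin,dc=company,dc=com"  # constructed sample DN

def replay_jndirealm(acl_text):
    """Return (bind_ok, search_ok) for the bind + root-DSE search JNDIRealm issues."""
    acl = parse_acl(acl_text)
    bind_ok = allowed(acl, None, USER_DN, "auth")          # bindRequest, as anonymous
    search_ok = bind_ok and allowed(acl, USER_DN, "", "search")  # searchRequest "<ROOT>"
    return bind_ok, search_ok
```

With the original directive the result is (bind ok, search denied); adding a `by users read` clause before the catch-all lets the validating search succeed.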



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
