Allowing only specific users LDAP access
I have set up an https instance of Tomcat and I am trying to allow only specific users access.

In the current configuration, anyone who is in LDAP can get in.

Here is the current configuration in the server.xml

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldap://ldap.domain.com:"
           roleSearch="memberUid={0}"
           allRolesMode="authOnly"
           userPattern="uid={0},ou=People,dc=domain,dc=com" />

So I tried using userSearch=(user{1}) to allow only user1 in but that did not limit access. I tried {1} since the docs mention that is to search for a specific username.

Anyone know how I need to edit this to allow only a list of specific users in? I will define them in this file.

Thanks,
Mark

--
View this message in context: http://old.nabble.com/Allowing-only-specific-users-LDAP-access-tp28819437p28819437.html
Sent from the Tomcat - User mailing list archive at Nabble.com.

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Allowing only specific users LDAP access
> If you can't use Chris' suggestion and you're on a current version of Tomcat, you can combine your
> existing with an additional authenticator, possibly using a file where you specify the subset of
> users you're willing to allow in.
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#CombinedRealm
> - Chuck

I am using Tomcat 6.0.26. Thanks for the link. I'll check it out.

Also, thanks Chris for your suggestion but unfortunately, I cannot add a new group to LDAP.

Mark
Re: Allowing only specific users LDAP access
On Tue, 8 Jun 2010 08:25:04 -0700 (PDT), Mark-E wrote:
> I have set up an https instance of Tomcat and I am trying to allow only
> specific users access.
>
> In the current configuration, anyone who is in LDAP can get in.
>
> Here is the current configuration in the server.xml
>
>     <Realm className="org.apache.catalina.realm.JNDIRealm"
>            connectionName=
>            connectionURL="ldap://ldap.domain.com:"
>            roleSearch="memberUid={0}"
>            allRolesMode="authOnly"
>            userPattern="uid={0},ou=People,dc=domain,dc=com"
>     />
>
> So I tried using userSearch=(user{1}) to allow only user1 in but that did
> not limit access. I tried {1} since the docs mention that is to search for
> a specific username.

You can't use {1} in userSearch. You have to use {0}.

If you have only a very limited set of users and want to risk a management
nightmare, you can hardcode those users into the search pattern like

    userSearch="(&(uid={0})(|(uid=user1)(uid=user2)))"

But I think it would be better to use an attribute or a group for that kind
of thing:

    userSearch="(&(uid={0})(specialAttribute=specialValue))"

Bye
Felix

> Anyone know how I need to edit this to allow only a list of specific users
> in? I will define them in this file.
>
> Thanks,
> Mark

Hi Felix,

Thanks for the information. The easiest thing for me is to specify a list of
users by using your suggestion of:

    userSearch="(&(uid={0})(|(uid=user1)(uid=user2)))"

However, even with the entry set up like this, I still get in if I am NOT
user1 or user2. I find that unless I also use the following entry, I do not
get in at all:

    userPattern="uid={0},ou=People,dc=domain,dc=com"

Do you know if I need to change userPattern as well? I tried substituting

    userPattern="uid={0},ou=People,dc=domain,dc=com"

with:

    userPattern="(&(uid={0})(|(uid=user1)(uid=user2))),ou=People,dc=domain,dc=com"

But that said that uid was invalid.

Thanks,
Mark
Re: Allowing only specific users LDAP access
Felix Schumacher wrote:
> On Tue, 8 Jun 2010 08:25:04 -0700 (PDT), Mark-E wrote:
>> [...]
>
> You can't use {1} in userSearch. You have to use {0}.
>
> If you have only a very limited set of users and want to risk a management
> nightmare, you can hardcode those users into the search pattern like
>
>     userSearch="(&(uid={0})(|(uid=user1)(uid=user2)))"
>
> But I think it would be better to use an attribute or a group for that
> kind of thing:
>
>     userSearch="(&(uid={0})(specialAttribute=specialValue))"
>
> Bye
> Felix
>
> [...]

Just wanted to let everyone know that I figured it out. I did some more
research and discovered that instead of using userPattern, I needed to use
the following:

    userBase="ou=People,dc=domain,dc=com"
    userSubtree="true"

Now, if I am listed as one of the 2, user1 or user2, and I try to log in, I
get in; if not, I do not get in. So the full entry in server.xml looks like
this...

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldap://ldap.domain.com:"
           roleSearch="memberUid={0}"
           allRolesMode="authOnly"
           userSearch="(&(uid={0})(|(uid=user1)(uid=user2)))"
           userBase="ou=People,dc=domain,dc=com"
           userSubtree="true" />

Whew, learned a lot from this task.

Thanks,
Mark
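The thread's two findings are that the restriction lives in the userSearch filter (with {0}, not {1}) and that userPattern does no filtering at all: it only builds a DN from the name and tries to bind as it, so every directory user passes. The script below is an added example, not code from this thread or from Tomcat's JNDIRealm; it models that difference with a small LDAP filter parser and evaluator run over a constructed three-user directory standing in for ou=People,dc=domain,dc=com. It also shows the one check a practitioner would want around a filter like this: the value substituted for {0} must be escaped per RFC 4515 so that a submitted username can only ever match literally, never as a wildcard or as extra filter syntax (whether the JNDIRealm version in use does this itself is worth confirming in its documentation). The directory contents, the case-insensitive uid matching and the single-match rule in find_user are assumptions made for the example.

```python
"""Model of how a Tomcat JNDIRealm userSearch filter decides who may log in.

Added example, not code from the thread or from Tomcat. It parses the allow-list
filter Felix suggested, substitutes {0} with an RFC 4515-escaped username and
evaluates it against a constructed in-memory directory.
"""
import re

# RFC 4515 escaping for values substituted into a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string so it can only ever match literally inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_user_search(user_search: str, username: str) -> str:
    """Substitute {0} with the escaped username (what a safe realm must do)."""
    return user_search.replace("{0}", escape_filter_value(username))


def parse_filter(s: str, pos: int = 0):
    """Parse one parenthesised filter at s[pos]; supports &, |, ! and attr=value."""
    if s[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = s[pos]
    if op in "&|!":
        pos += 1
        children = []
        while s[pos] != ")":
            child, pos = parse_filter(s, pos)
            children.append(child)
        return (op, children), pos + 1
    end = s.index(")", pos)  # a literal ')' inside a value is escaped as \29
    attr, _, value = s[pos:end].partition("=")
    return ("=", attr.lower(), value), end + 1


def _value_regex(value: str) -> re.Pattern:
    """Turn an assertion value (with * wildcards and \\xx escapes) into a regex."""
    parts, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "*":
            parts.append(".*")
            i += 1
        elif ch == "\\" and i + 3 <= len(value):
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        else:
            parts.append(re.escape(ch))
            i += 1
    # Assumption: uid uses caseIgnore matching, as in the standard schema.
    return re.compile("".join(parts), re.IGNORECASE)


def evaluate(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry ({attr: [values]})."""
    kind = node[0]
    if kind == "&":
        return all(evaluate(c, entry) for c in node[1])
    if kind == "|":
        return any(evaluate(c, entry) for c in node[1])
    if kind == "!":
        return not evaluate(node[1][0], entry)
    _, attr, value = node
    pattern = _value_regex(value)
    return any(pattern.fullmatch(v) for v in entry.get(attr, []))


# Constructed sample directory under ou=People,dc=domain,dc=com (not real data).
DIRECTORY = [
    {"dn": "uid=user1,ou=People,dc=domain,dc=com", "uid": ["user1"]},
    {"dn": "uid=user2,ou=People,dc=domain,dc=com", "uid": ["user2"]},
    {"dn": "uid=user3,ou=People,dc=domain,dc=com", "uid": ["user3"]},
]

# The allow-list filter from the thread.
USER_SEARCH = "(&(uid={0})(|(uid=user1)(uid=user2)))"


def find_user(username: str, user_search: str = USER_SEARCH):
    """Return the DN the realm would bind as, or None if no single entry matches."""
    node, _ = parse_filter(render_user_search(user_search, username))
    matches = [e["dn"] for e in DIRECTORY if evaluate(node, e)]
    return matches[0] if len(matches) == 1 else None


def user_pattern_dn(username: str):
    """userPattern builds a DN with no filter, so any existing user gets a bind attempt."""
    dn = f"uid={username},ou=People,dc=domain,dc=com"
    return dn if any(e["dn"] == dn for e in DIRECTORY) else None


if __name__ == "__main__":
    for name in ("user1", "user3", "*"):
        print(f"{name!r}: userSearch -> {find_user(name)}, userPattern -> {user_pattern_dn(name)}")
```

Running it shows user3 getting a DN from userPattern but nothing from userSearch, which is exactly the behaviour difference Mark observed, and a submitted name of "*" matching nobody because it is rendered as \2a and compared literally.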