Attached is an implementation of LDAPRealm for tomcat 4.0.  I noticed that
there is a JNDIRealm stub file in CVS w/o an implementation.  This uses
JNDI, but since the implementation is really for LDAP, this is how it was
named.  I have tested it for what I suppose is the "traditional" way
Netscape LDAP servers are set up (with groups that are represented by
objectclass groupOfUniqueNames that have distinguished names in the
uniquemember attribute) as well as by using attributes on the person object
to determine roles.  The latter method probably doesn't work well where you
might want to tell that a person has multiple roles, since the attribute
name will have one value, thus only one role can be represented by that
attribute.

Pasted below is an excerpt from the conf/server.xml file for usage.

If you agree that it is useful, can someone with commit privileges place it
in the org.apache.catalina.realm package? (Naming it as JNDIRealm, if you
feel that that is more appropriate.)

Ellen Lockhart
Senior Software Engineer
eBuilt, Inc.

        <!--LDAPRealm settings -
            ldapDN - the string to match to find a unique person (must
             be in the format specified for dn) - %u will
             be replaced by userid entered at login for context authentication
            ldapGroupContext - context under which groups (for role assignments)
             will be located
            ldapGroupFilter - gives the search parameters under the group
             context for locating groups a user belongs to.
             The group filter allows two substitution variables:
               %u - the username as entered for login
               %dn - the distinguished name, as configured for ldapDN
                     (after variable substitution has occurred.)
            ldapRoleAttribute - the name of the attribute that describes a
             user's role

            NOTE: if an ampersand is needed in the filter, use the XML
            notation "&amp;"

            example: using objectclass on person as role:
            ldapDN="cn=%u,ou=people,o=ebuilt.com"
            ldapGroupContext="ou=people,o=mycompany.com"
            ldapGroupFilter="(&amp;(cn=%u)(objectclass=*))"
            ldapRoleAttribute="objectclass"

            example: using departmentnumber of person as role:
            ldapDN="cn=%u,ou=people,o=mycompany.com"
            ldapGroupContext="ou=people,o=mycompany.com"
            ldapGroupFilter="(&amp;(cn=%u)(objectclass=*))"
            ldapRoleAttribute="departmentnumber"

            example: normal Netscape setup w/groupofuniquenames objectclass
            holding distinguished name of person in uniquemember field:
            ldapDN="cn=%u,ou=people,o=mycompany.com"
            ldapGroupContext="ou=gorgoroles,o=mycompany.com"
            ldapGroupFilter="(&amp;(uniquemember=%dn)(objectclass=groupOfUniqueNames))"
            ldapRoleAttribute="cn"

        -->

        <Realm className="org.apache.catalina.realm.LDAPRealm"
            ldapContextFactory="com.sun.jndi.ldap.LdapCtxFactory"
            ldapServer="ldap.mycompany.com"
            ldapPort="389"
            ldapDN="cn=%u,ou=people,o=mycompany.com"
            ldapGroupContext="ou=groups,o=mycompany.com"
            ldapGroupFilter="(&amp;(uniquemember=%dn)(objectclass=groupOfUniqueNames))"
            ldapRoleAttribute="cn"
            debug="99" />

LDAPRealm.java
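The %u / %dn substitution the configuration comment describes, shown here with RFC 4514 DN escaping and RFC 4515 filter escaping applied to the substituted values, so that whatever a user types at login is matched only as a literal value and cannot change the shape of the DN or the group filter. This is an added example, not code from the attached LDAPRealm.java; the class and method names (LdapTemplate, escapeDnValue, escapeFilterValue, resolve) are my own, and o=example.com is a constructed base DN.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
/** Added example, not part of the posted LDAPRealm.java: resolves the realm's %u / %dn
 *  variables with RFC 4514 (DN) and RFC 4515 (filter) escaping, so a login name is
 *  only ever matched as a literal value and cannot change the DN or filter structure. */
public class LdapTemplate {
    /** Escape one attribute value for use inside a DN (RFC 4514). */
    static String escapeDnValue(String v) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < v.length(); i++) {
            char c = v.charAt(i);
            if (",+\"\\<>;".indexOf(c) >= 0 || (c == '#' && i == 0)
                    || (c == ' ' && (i == 0 || i == v.length() - 1))) {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }
    /** Escape one assertion value for use inside a search filter (RFC 4515). */
    static String escapeFilterValue(String v) {
        StringBuilder sb = new StringBuilder();
        for (char c : v.toCharArray()) {
            switch (c) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    /** %u goes into ldapDN first; the group filter then gets %u and the resolved DN
     *  (%dn) in one pass, so substituted text is never re-scanned for variables. */
    static String[] resolve(String ldapDN, String ldapGroupFilter, String username) {
        String dn = ldapDN.replace("%u", escapeDnValue(username));
        Matcher m = Pattern.compile("%dn|%u").matcher(ldapGroupFilter);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String value = m.group().equals("%u") ? username : dn;
            m.appendReplacement(out, Matcher.quoteReplacement(escapeFilterValue(value)));
        }
        m.appendTail(out);
        return new String[] { dn, out.toString() };
    }
}
```

Calling resolve with the ldapDN and ldapGroupFilter values from the server.xml excerpt and a plain username reproduces the filters shown in the comment; a username containing parentheses or an asterisk comes through hex-escaped, so the literal objectclass=* in the template is the only wildcard the filter carries.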
