The way that the JNDIRealm works is dependent on its implementation. Unless
there is a configuration item for Tomcat 4.1.27 that allows the comparison
to be done on the role name attribute (CN in this case) then you will have
to put the full distinguished name into the configuration. I had a quick
look at the JNDIRealm doco and I didn't see anything in there that would
allow this.

It is strange however that the 4.1.27 implementation takes the roleName
attribute that would be used in such a comparison and doesn't use it in the
way that might be expected. Because otherwise there is no point in
specifying the roleName attribute, as it's not required to determine
membership of a user in a group through an LDAP search. Of course the doco
says it's used as a flag as to whether the userRoleName is used instead.

I would imagine that the rationale of this implementation to use the DN is
that the DN is unambiguous and would cater for a strongly hierarchical LDAP
tree that may have groups of the same name under different branches, from
the starting point of the LDAP search.

Another option of course is to compile your own Tomcat with the required
change to the code or implement your own realm security manager. But that's a
bit more work :)

But without looking at the source, which I don't have time for!, I can only
speculate!

Regards,
Shane.

-----Original Message-----
From: Goerlich, Michael [mailto:[EMAIL PROTECTED]
Sent: Monday, 17 May 2004 3:17 PM
To: [EMAIL PROTECTED]
Subject: Tomcat 4: How to get RoleName from LDAP


Hi,
In my environment I want to authenticate the users against MS Active
Directory by JNDI LDAP. The user authentication is ok and also the roles
found by getRoles() are the right ones. But the returned roles are given
in their complete distinguished name (DN).

In catalina.out:
2004-05-13 11:33:44 JNDIRealm[Standalone]: Found role
CN=ERKUSAAdmin,CN=Users,DC=local,DC=bremereb,DC=de
instead of
2004-05-13 11:59:31 JNDIRealm[Catalina]: Found role ERKUSAAdmin

So I have to configure the full DN in web.xml for a security-constraint
instead of the pure role name, which is highly undesirable. I run this
on tomcat 4.1.27.

The funny thing is that the same configuration on tomcat 5 works.

For completeness, here is my realm config (userBase and roleBase are the
same):

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="... (substituted)"
       connectionName="[EMAIL PROTECTED]"
       connectionPassword="secret"
       userBase="CN=Users,dc=local,dc=bremereb,dc=de"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       userRoleName="memberOf"
       roleBase="CN=Users,dc=local,dc=bremereb,dc=de"
       roleName="cn"
       roleSearch="member={0}"
       roleSubtree="true" />

Can anybody tell me how to get the pure assigned role names for an
authenticated user?
Thanks
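The point both messages circle around is the difference between a role returned as a full DN (CN=ERKUSAAdmin,CN=Users,DC=local,DC=bremereb,DC=de) and the bare value of the role attribute (ERKUSAAdmin) that web.xml wants to match against. The following is an added example, not code from either poster and not part of Tomcat's JNDIRealm: it extracts the role attribute's value from the leading RDN of a DN with RFC 2253 escaping handled (an escaped comma or a hex escape must not split the name), and it shows the caveat behind the DN form being the unambiguous one: two groups with the same CN in different containers collapse onto one bare role name, which a deployment matching bare names has to detect rather than silently merge. The first sample DN is the one logged in the thread; the other two are constructed here for the demonstration.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample: the first DN is the one logged in the thread; the second
# shows an escaped comma inside a value, and the third is a made-up group with
# the same CN as the first, living in a different container.
SAMPLE_ROLE_DNS = [
    "CN=ERKUSAAdmin,CN=Users,DC=local,DC=bremereb,DC=de",
    "CN=Admins\\, Site B,OU=Groups,DC=local,DC=bremereb,DC=de",
    "CN=ERKUSAAdmin,OU=Legacy,DC=local,DC=bremereb,DC=de",
]


def _split(s: str, sep: str) -> List[str]:
    """Split on unescaped, unquoted occurrences of `sep` (RFC 2253 rules).

    A backslash escapes the following character and is kept in the piece so
    that unescape_value() can decode it later; a double-quoted value may
    contain the separator verbatim.
    """
    parts, buf, i, quoted = [], [], 0, False
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c == sep and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def split_dn(dn: str) -> List[str]:
    """RDN strings of a DN, leftmost (most specific) first."""
    return _split(dn, ",")


def unescape_value(value: str) -> str:
    """Decode an RFC 2253 attribute value: strip surrounding quotes, turn
    backslash + hex pair into that byte and backslash + char into the char."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    out, i = [], 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(h in "0123456789abcdefABCDEF" for h in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
            continue
        out.append(c)
        i += 1
    return "".join(out)


def rdn_attribute_value(rdn: str, attr: str) -> Optional[str]:
    """Decoded value of `attr` within one RDN (multi-valued a+b RDNs are
    searched component by component); attribute types compare case-insensitively."""
    for component in _split(rdn, "+"):
        typ, eq, val = component.partition("=")
        if eq and typ.strip().lower() == attr.lower():
            return unescape_value(val.strip())
    return None


def role_name_from_dn(dn: str, attr: str = "cn") -> Optional[str]:
    """The bare role name: `attr`'s value in the leading RDN, e.g. ERKUSAAdmin
    for the DN logged in the thread. None if the leading RDN lacks `attr`."""
    rdns = split_dn(dn)
    return rdn_attribute_value(rdns[0], attr) if rdns else None


def map_roles(role_dns: List[str], attr: str = "cn") -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Map role DNs to bare names and report collisions.

    Returns (names, collisions): names maps each bare name to the first DN seen
    for it; collisions lists every bare name that two distinct DNs produce.
    A collision is exactly the ambiguity the DN form avoids, so a deployment
    that matches bare names in web.xml should refuse to start on one rather
    than grant both groups the same role.
    """
    names: Dict[str, str] = {}
    canonical: Dict[str, str] = {}
    collisions: Dict[str, List[str]] = {}
    for dn in role_dns:
        name = role_name_from_dn(dn, attr)
        if name is None:
            continue
        canon = ",".join(split_dn(dn)).lower()   # ignore case and spacing around commas
        if name not in names:
            names[name], canonical[name] = dn, canon
        elif canon != canonical[name]:
            dns = collisions.setdefault(name, [names[name]])
            if dn not in dns:
                dns.append(dn)
    return names, collisions


if __name__ == "__main__":
    found, clashes = map_roles(SAMPLE_ROLE_DNS)
    for name, dn in found.items():
        print(f"role {name!r} <- {dn}")
    for name, dns in clashes.items():
        print(f"AMBIGUOUS bare role {name!r} maps to {len(dns)} groups: {dns}")
```

Running it prints the two bare roles and flags ERKUSAAdmin as ambiguous, since the constructed OU=Legacy group shares its CN. Whatever ends up stripping the DN (a patched realm, a custom realm, or a mapping step in front of web.xml), that collision check is the part worth keeping: the full DN is what the directory guarantees to be unique, the bare CN is not.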

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]