On 10.07.2013 00:46, Travis Bowen wrote:
Ok I found where it is being used in the getRoles method however I'm
still wondering why it doesn't work. I don't see any way to define the
member group attribute name; it is uniqueGroup in the dir server I am
connecting to.
roleSearch will be used for every group found.
Given your config, and assuming your groups/persons are as follows:
dn: cn=group1,ou=...
cn: group1
uniqueMember: cn=person1,ou=...
dn: cn=group2,ou=...
cn: group2
uniqueMember: cn=group1,ou=...
dn: cn=person1,ou=...
cn: person1
mail: person1@...
When you log in as person1@..., the first thing the realm does is look up
the dn for that person using mail=person1@...
It will get dn: cn=person1,ou=... as dn and will try roleSearch with {0}
equal to the newly found dn.
So the next lookup is uniqueMember=cn=person1,ou=... which gives us
cn=group1,ou=...
The attribute cn of that group will be stored as a role. Since
nestedRoles is enabled it will now do a new search with roleSearch and
the dn (and cn in your case).
The lookup will be uniqueMember=cn=group1,ou=... which will give us
cn=group2,ou=... and again the cn (group2) will be stored.
So after that your user will have two roles (group1, group2).
It looks to me that the logic for nested roles is the reverse of the one
you expected.
If you want to get debug output, you can put the line
org.apache.catalina.realm.JNDIRealm.level = FINE
at the end of your conf/logging.properties. The attribute debug in your
realm definition is being ignored (and invalid).
Regards
Felix
Thanks,
Travis
From: Travis Bowen/Tucson/IBM@IBMUS
To: users@tomcat.apache.org,
Date: 07/09/2013 02:43 PM
Subject: roleNested seems to not be working in tomcat 6
-------------------------
I am using
Apache Tomcat/6.0.37
pxa6460sr13fp2-20130424_01 (SR13 FP2)
IBM Corporation
Linux
2.6.32-358.2.1.el6.x86_64
amd64
I have the following context defined for my application:
<?xml version="1.0" encoding="UTF-8"?>
<Context>
<Realm className="org.apache.catalina.realm.JNDIRealm"
debug="99"
connectionURL="ldaps://xxxx.xxxx.xxxx.com:636"
userBase="ou=xxxxxxx,o=ibm.com"
userSearch="(mail={0})"
userSubtree="true"
roleBase="ou=xxxxxx,ou=xxxxxxx,o=ibm.com"
roleSubtree="false"
roleNested="true"
roleSearch="(uniqueMember={0})"
roleName="cn" />
</Context>
I have a user defined who is a member of one group which is a member
of another group under the roleBase. After authenticating I only get
the role/group that the user is a direct member of; it doesn't return
the role/group that the group is a member of.
I downloaded the source of org.apache.catalina.realm.JNDIRealm and
the roleNested attribute is never used except in the setters and
getters. Seems like it is being ignored. Is this feature available in
tomcat 6? The docs say it is but it doesn't seem to work.
Thanks,
Travis
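The lookup sequence Felix walks through above (user search by mail, roleSearch with {0} = user dn, then roleSearch again with {0} = each group dn found while roleNested is on) is simulated below as an added example; this is not Tomcat's JNDIRealm code. The LDAP server is replaced by a constructed in-memory dictionary of entries with assumed DNs under o=example.com, only the "(attr={n})" filter shape used in the config is parsed, roleSubtree=false is modelled as LDAP one-level scope, and the "seen" set that stops two groups containing each other from looping forever is the example's own guard, not something the thread says about Tomcat.

```python
"""Simulation of JNDIRealm's user -> role -> nested-role lookups.

Added example for this thread, not Tomcat's own code. The LDAP server is a
constructed in-memory dictionary; only filters of the form (attr={n}) are
supported, which covers the userSearch and roleSearch in the posted config.
"""
import re

# Constructed entries (assumed DNs) laid out the way Felix describes:
# person1 is in group1, group1 is in group2. group3 sits one level below
# roleBase and is only reachable with roleSubtree=true.
DIRECTORY = {
    "cn=person1,ou=people,o=example.com": {
        "cn": ["person1"],
        "mail": ["person1@example.com"],
    },
    "cn=group1,ou=groups,ou=people,o=example.com": {
        "cn": ["group1"],
        "uniqueMember": ["cn=person1,ou=people,o=example.com"],
    },
    "cn=group2,ou=groups,ou=people,o=example.com": {
        "cn": ["group2"],
        "uniqueMember": ["cn=group1,ou=groups,ou=people,o=example.com"],
    },
    "cn=group3,ou=nested,ou=groups,ou=people,o=example.com": {
        "cn": ["group3"],
        "uniqueMember": ["cn=group2,ou=groups,ou=people,o=example.com"],
    },
}

# Assumed Realm attributes; same shape as the thread's config, DNs swapped.
REALM = {
    "userBase": "ou=people,o=example.com",
    "userSearch": "(mail={0})",
    "userSubtree": True,
    "roleBase": "ou=groups,ou=people,o=example.com",
    "roleSearch": "(uniqueMember={0})",
    "roleSubtree": False,
    "roleNested": True,
    "roleName": "cn",
}


def ldap_search(base, search_filter, subtree, *args):
    """Return the DNs under base whose entry matches a filter "(attr={n})".
    subtree=False is one-level scope: only direct children of base."""
    m = re.fullmatch(r"\((\w+)=\{(\d)\}\)", search_filter)
    attr, value = m.group(1), args[int(m.group(2))]
    hits = []
    for dn, entry in DIRECTORY.items():
        if not dn.endswith("," + base):
            continue
        rdns = dn[: -len(base) - 1]
        if not subtree and "," in rdns:  # more than one RDN below base
            continue
        if value in entry.get(attr, []):
            hits.append(dn)
    return hits


def get_roles(mail, realm=REALM):
    """Roles the realm would assign to the user found by this mail address."""
    users = ldap_search(realm["userBase"], realm["userSearch"],
                        realm["userSubtree"], mail)
    if len(users) != 1:
        return None  # no user, or an ambiguous user search: no roles
    roles = []
    pending = [users[0]]  # DNs still to be used as {0} in roleSearch
    seen = set()          # groups already expanded (example's cycle guard)
    while pending:
        member_dn = pending.pop(0)
        for group_dn in ldap_search(realm["roleBase"], realm["roleSearch"],
                                    realm["roleSubtree"], member_dn):
            name = DIRECTORY[group_dn][realm["roleName"]][0]
            if name not in roles:
                roles.append(name)
            # With roleNested the group itself becomes the next {0}.
            if realm["roleNested"] and group_dn not in seen:
                seen.add(group_dn)
                pending.append(group_dn)
    return roles


if __name__ == "__main__":
    print(get_roles("person1@example.com"))                          # nested
    print(get_roles("person1@example.com", dict(REALM, roleNested=False)))
    print(get_roles("person1@example.com", dict(REALM, roleSubtree=True)))
```

Running it with the posted settings yields group1 and group2, the two roles Felix predicts; turning roleNested off stops after group1, and group3 only appears once roleSubtree is true, which is the check to make when a nested group does not show up: the group that contains your group must itself be found by roleSearch under roleBase with the configured scope.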