Thanks for the info. However the issue is that groups are not stored as uniqueMember but uniqueGroup so the roleSearch is not applicable.
Thanks, Travis From: Felix Schumacher <felix.schumac...@internetallee.de> To: Tomcat Users List <users@tomcat.apache.org>, Date: 07/10/2013 12:14 AM Subject: Re: roleNested seems to not be working in tomcat 6 Am 10.07.2013 00:46, schrieb Travis Bowen: > Ok I found where it is being used in the getRoles method however I'm > still wondering why it doesn't work. I don't see any way to define the > member group attribute name, it is uniqueGroup in the dir server I am > connecting to. roleSearch will be used for every group found. Given your config and your groups/persons are as follows dn: cn=group1,ou=... cn: group1 uniqueMember: cn=person1,ou=... dn: cn=group2,ou=... cn: group2 uniqueMember: cn=group1,ou=... dn: cn=person1,ou=... cn: person1 mail: person1@... When you log in as person1@... first thing the realm does is to look up dn for that person using mail=person1@... It will get dn: cn=person1,ou=... as dn and will try roleSearch with {0} equal the newly found dn. So the next lookup is uniqueMember=cn=person,ou=... which gives us cn=group1,ou=... The attribute cn of that group will be stored as a role. Since nestedRoles is enabled it will now do a new search with roleSearch and the dn (and cn in your case). The lookup will be uniqueMember=cn=group1,ou=... which will give us cn=group2,ou=... and again the cn (group2) will be stored. So after that your user will have two roles (group1, group2). It looks to me that the logic for nested roles is reverse to the one you expected. If you want to get debug output, you can put the line org.apache.catalina.realm.JNDIRealm.level = FINE at the end of your conf/logging.properties. The attribute debug in your realm definition is being ignored (and invalid). Regards Felix > > Thanks, > > Travis > > Travis Bowen---07/09/2013 02:43:58 PM---I am using > |-----------------+--------------------------------+------------+-----+------------------ > > From: Travis Bowen/Tucson/IBM@IBMUS > To: users@tomcat.apache.org, > Date: 07/09/2013 02:43 PM > Subject: roleNested seems to not be working in tomcat 6 > > ------------------------- > > I am using > > Apache Tomcat/6.0.37 > pxa6460sr13fp2-20130424_01 (SR13 FP2) > IBM Corporation > Linux > 2.6.32-358.2.1.el6.x86_64 > amd64 > > I have the following context defined for my application: > > <?xml version=_"1.0"_ encoding=_"UTF-8"_?> > <Context> > <Realm className=_"org.apache.catalina.realm.JNDIRealm"_ > debug=_"99"_ > connectionURL=_"ldaps://xxxx.xxxx.xxxx.com:636"_ > userBase=_"ou=xxxxxxx,o=ibm.com"_ > userSearch=_"(mail={0})"_ > userSubtree=_"true"_ > roleBase=_"ou=xxxxxx,ou=xxxxxxx,o=ibm.com"_ > roleSubtree=_"false"_ > roleNested=_"true"_ > roleSearch=_"(uniqueMember={0})"_ > roleName=_"cn"_ /> > </Context> > > I have a user defined who is a member of one group which is a member > of another group under the roleBase. After authenticating I only get > the role/group that the user is a direct member of, it doesn't return > the role/group that the group is a member of. > > I downloaded the source of org.apache.catalina.realm.JNDIRealm and > the roleNested attribute is never used except in the setters and > getters. Seems like it is being ignored. Is this feature available in > tomcat 6? The docs say it is but it doesn't seem to work. > > Thanks, > > Travis --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org