Thanks for submitting the feature request. I don't have any access to the directory server as it is managed by another group, so I have to use what's there. I will check with the group that manages it to see if they can do anything with indexing.
Thanks, Travis From: Felix Schumacher <felix.schumac...@internetallee.de> To: users@tomcat.apache.org, Date: 07/11/2013 10:37 AM Subject: Re: roleNested seems to not be working in tomcat 6 Am 11.07.2013 16:42, schrieb Travis Bowen: > > Thank you that does work but it takes a very long time since there are > 10's of thousands of groups and many have thousands of users. Using > that search means that both the uniqueMember and uniqueGroup are > searched initially instead of just searching for users member ship > first then searching for uniqueGroups. What is really needed is a > separate search string for nested groups, something like subRoleSeacrh > in the context configuration which the realm can use if roleNested is > true. > I have opened a feature request for this under https://issues.apache.org/bugzilla/show_bug.cgi?id=55243 since it may be useful. Have you looked wether indexes on your ldap server can speed up things? Regards Felix > > > Thanks, > > Travis > > Inactive hide details for Felix Schumacher ---07/10/2013 11:09:55 > AM---Am 10.07.2013 16:34, schrieb Travis Bowen: >Felix Schumacher > ---07/10/2013 11:09:55 AM---Am 10.07.2013 16:34, schrieb Travis Bowen: > > > From: Felix Schumacher <felix.schumac...@internetallee.de> > To: Tomcat Users List <users@tomcat.apache.org>, > Date: 07/10/2013 11:09 AM > Subject: Re: roleNested seems to not be working in tomcat 6 > > ------------------------------------------------------------------------ > > > > Am 10.07.2013 16:34, schrieb Travis Bowen: > > > > Thanks for the info. However the issue is that groups are not stored > > as uniqueMember but uniqueGroup so the roleSearch is not applicable. > > > You could try a roleSearch="|(uniqueMember={0})(uniqueGroup={0})". The > {i} should be replaced multiple times. > > HTH > Felix > > > > > > Thanks, > > > > Travis > > > > Inactive hide details for Felix Schumacher ---07/10/2013 12:14:30 > > AM---Am 10.07.2013 00:46, schrieb Travis Bowen: > Ok I found Felix > > Schumacher ---07/10/2013 12:14:30 AM---Am 10.07.2013 00:46, schrieb > > Travis Bowen: > Ok I found where it is being used in the getRoles metho > > > > From: Felix Schumacher <felix.schumac...@internetallee.de> > > To: Tomcat Users List <users@tomcat.apache.org>, > > Date: 07/10/2013 12:14 AM > > Subject: Re: roleNested seems to not be working in tomcat 6 > > > > ------------------------------------------------------------------------ > > > > > > > > Am 10.07.2013 00:46, schrieb Travis Bowen: > > > Ok I found where it is being used in the getRoles method however I'm > > > still wondering why it doesn't work. I don't see any way to define the > > > member group attribute name, it is uniqueGroup in the dir server I am > > > connecting to. > > > > roleSearch will be used for every group found. > > > > > > Given your config and your groups/persons are as follows > > > > dn: cn=group1,ou=... > > cn: group1 > > uniqueMember: cn=person1,ou=... > > > > dn: cn=group2,ou=... > > cn: group2 > > uniqueMember: cn=group1,ou=... > > > > dn: cn=person1,ou=... > > cn: person1 > > mail: person1@... > > > > When you log in as person1@... first thing the realm does is to look up > > dn for that person using mail=person1@... > > It will get dn: cn=person1,ou=... as dn and will try roleSearch with {0} > > equal the newly found dn. > > > > So the next lookup is uniqueMember=cn=person,ou=... which gives us > > cn=group1,ou=... > > > > The attribute cn of that group will be stored as a role. Since > > nestedRoles is enabled it will now do a new search with roleSearch and > > the dn (and cn in your case). > > The lookup will be uniqueMember=cn=group1,ou=... which will give us > > cn=group2,ou=... and again the cn (group2) will be stored. > > > > So after that your user will have two roles (group1, group2). > > > > It looks to me that the logic for nested roles is reverse to the one you > > expected. > > > > If you want to get debug output, you can put the line > > > > org.apache.catalina.realm.JNDIRealm.level = FINE > > > > at the end of your conf/logging.properties. The attribute debug in your > > realm definition is being ignored (and invalid). > > > > Regards > > Felix > > > > > > > > Thanks, > > > > > > Travis > > > > > > Travis Bowen---07/09/2013 02:43:58 PM---I am using > > > > > > |-----------------+--------------------------------+------------+-----+------------------ > > > > > > From: Travis Bowen/Tucson/IBM@IBMUS > > > To: users@tomcat.apache.org, > > > Date: 07/09/2013 02:43 PM > > > Subject: roleNested seems to not be working in tomcat 6 > > > > > > ------------------------- > > > > > > I am using > > > > > > Apache Tomcat/6.0.37 > > > pxa6460sr13fp2-20130424_01 (SR13 FP2) > > > IBM Corporation > > > Linux > > > 2.6.32-358.2.1.el6.x86_64 > > > amd64 > > > > > > I have the following context defined for my application: > > > > > > <?xml version=_"1.0"_ encoding=_"UTF-8"_?> > > > <Context> > > > <Realm className=_"org.apache.catalina.realm.JNDIRealm"_ > > > debug=_"99"_ > > > connectionURL=_"ldaps://xxxx.xxxx.xxxx.com:636"_ > > > userBase=_"ou=xxxxxxx,o=ibm.com"_ > > > userSearch=_"(mail={0})"_ > > > userSubtree=_"true"_ > > > roleBase=_"ou=xxxxxx,ou=xxxxxxx,o=ibm.com"_ > > > roleSubtree=_"false"_ > > > roleNested=_"true"_ > > > roleSearch=_"(uniqueMember={0})"_ > > > roleName=_"cn"_ /> > > > </Context> > > > > > > I have a user defined who is a member of one group which is a member > > > of another group under the roleBase. After authenticating I only get > > > the role/group that the user is a direct member of, it doesn't return > > > the role/group that the group is a member of. > > > > > > I downloaded the source of org.apache.catalina.realm.JNDIRealm and > > > the roleNested attribute is never used except in the setters and > > > getters. Seems like it is being ignored. Is this feature available in > > > tomcat 6? The docs say it is but it doesn't seem to work. > > > > > > Thanks, > > > > > > Travis > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > > For additional commands, e-mail: users-h...@tomcat.apache.org > > > > > >
