Thanks for submitting the feature request.  I don't have any access to the
directory server as it is managed by another group, so I have to use what's
there.  I will check with the group that manages it to see if they can do
anything with indexing.

Thanks,

Travis



From:   Felix Schumacher <felix.schumac...@internetallee.de>
To:     users@tomcat.apache.org,
Date:   07/11/2013 10:37 AM
Subject:        Re: roleNested seems to not be working in tomcat 6



On 11.07.2013 16:42, Travis Bowen wrote:
>
> Thank you, that does work, but it takes a very long time since there are
> tens of thousands of groups and many have thousands of users.  Using
> that search means that both the uniqueMember and uniqueGroup are
> searched initially instead of just searching for user membership
> first and then searching for uniqueGroups.  What is really needed is a
> separate search string for nested groups, something like subRoleSearch
> in the context configuration which the realm can use if roleNested is
> true.
>
I have opened a feature request for this under
https://issues.apache.org/bugzilla/show_bug.cgi?id=55243 since it may be
useful.

Have you looked whether indexes on your LDAP server can speed things up?

Regards
  Felix
>
>
> Thanks,
>
> Travis
>
>
> From: Felix Schumacher <felix.schumac...@internetallee.de>
> To: Tomcat Users List <users@tomcat.apache.org>,
> Date: 07/10/2013 11:09 AM
> Subject: Re: roleNested seems to not be working in tomcat 6
>
> ------------------------------------------------------------------------
>
>
>
> On 10.07.2013 16:34, Travis Bowen wrote:
> >
> > Thanks for the info.  However the issue is that groups are not stored
> > as uniqueMember but uniqueGroup so the roleSearch is not applicable.
> >
> You could try a roleSearch="(|(uniqueMember={0})(uniqueGroup={0}))". The
> {0} should be replaced multiple times.
>
> HTH
>  Felix
> >
> >
> > Thanks,
> >
> > Travis
> >
> >
> > From: Felix Schumacher <felix.schumac...@internetallee.de>
> > To: Tomcat Users List <users@tomcat.apache.org>,
> > Date: 07/10/2013 12:14 AM
> > Subject: Re: roleNested seems to not be working in tomcat 6
> >
> >
> > ------------------------------------------------------------------------
> >
> >
> >
> > On 10.07.2013 00:46, Travis Bowen wrote:
> > > Ok I found where it is being used in the getRoles method however I'm
> > > still wondering why it doesn't work. I don't see any way to define the
> > > member group attribute name, it is uniqueGroup in the dir server I am
> > > connecting to.
> >
> > roleSearch will be used for every group found.
> >
> >
> > Given your config and your groups/persons are as follows
> >
> > dn: cn=group1,ou=...
> > cn: group1
> > uniqueMember: cn=person1,ou=...
> >
> > dn: cn=group2,ou=...
> > cn: group2
> > uniqueMember: cn=group1,ou=...
> >
> > dn: cn=person1,ou=...
> > cn: person1
> > mail: person1@...
> >
> > When you log in as person1@... first thing the realm does is to look up
> > dn for that person using mail=person1@...
> > It will get dn: cn=person1,ou=... as dn and will try roleSearch with {0}
> > equal to the newly found dn.
> >
> > So the next lookup is uniqueMember=cn=person1,ou=... which gives us
> > cn=group1,ou=...
> >
> > The attribute cn of that group will be stored as a role. Since
> > nestedRoles is enabled it will now do a new search with roleSearch and
> > the dn (and cn in your case).
> > The lookup will be uniqueMember=cn=group1,ou=... which will give us
> > cn=group2,ou=... and again the cn (group2) will be stored.
> >
> > So after that your user will have two roles (group1, group2).
> >
> > It looks to me that the logic for nested roles is the reverse of the one you
> > expected.
> >
> > If you want to get debug output, you can put the line
> >
> > org.apache.catalina.realm.JNDIRealm.level = FINE
> >
> > at the end of your conf/logging.properties. The attribute debug in your
> > realm definition is being ignored (and invalid).
> >
> > Regards
> >  Felix
> >
> > >
> > >  Thanks,
> > >
> > >  Travis
> > >
> > >
> > >  From: Travis Bowen/Tucson/IBM@IBMUS
> > >  To: users@tomcat.apache.org,
> > >  Date: 07/09/2013 02:43 PM
> > >  Subject: roleNested seems to not be working in tomcat 6
> > >
> > > -------------------------
> > >
> > >  I am using
> > >
> > > Apache Tomcat/6.0.37
> > > pxa6460sr13fp2-20130424_01 (SR13 FP2)
> > > IBM Corporation
> > > Linux
> > > 2.6.32-358.2.1.el6.x86_64
> > > amd64
> > >
> > >  I have the following context defined for my application:
> > >
> > >  <?xml version="1.0" encoding="UTF-8"?>
> > >  <Context>
> > >  <Realm className="org.apache.catalina.realm.JNDIRealm"
> > >  debug="99"
> > >  connectionURL="ldaps://xxxx.xxxx.xxxx.com:636"
> > >  userBase="ou=xxxxxxx,o=ibm.com"
> > >  userSearch="(mail={0})"
> > >  userSubtree="true"
> > >  roleBase="ou=xxxxxx,ou=xxxxxxx,o=ibm.com"
> > >  roleSubtree="false"
> > >  roleNested="true"
> > >  roleSearch="(uniqueMember={0})"
> > >  roleName="cn" />
> > >  </Context>
> > >
> > >  I have a user defined who is a member of one group which is a member
> > > of another group under the roleBase. After authenticating I only get
> > > the role/group that the user is a direct member of, it doesn't return
> > > the role/group that the group is a member of.
> > >
> > >  I downloaded the source of org.apache.catalina.realm.JNDIRealm and
> > > the roleNested attribute is never used except in the setters and
> > > getters. Seems like it is being ignored. Is this feature available in
> > > tomcat 6? The docs say it is but it doesn't seem to work.
> > >
> > >  Thanks,
> > >
> > >  Travis
> >
> >
> >
>
>
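As an added illustration (not code from this thread and not Tomcat's own JNDIRealm source), the following Python simulates the nested role lookup Felix describes: resolve the user's DN with userSearch, run roleSearch with {0} set to that DN, then, while roleNested is on, run roleSearch again with each discovered group's DN. The directory entries, the DNs, the realm dictionaries and the function names are constructed assumptions. It shows why the original `(uniqueMember={0})` filter stops at group1 when the parent group uses uniqueGroup, and why the combined `(|(uniqueMember={0})(uniqueGroup={0}))` filter walks the whole chain. The simulation also records every group it has already found and skips it on re-discovery, so a membership cycle (group2 and group3 referencing each other here) terminates instead of looping; treat that as this example's own safeguard rather than a statement about the real realm.

```python
"""Simulation of JNDIRealm-style nested role resolution over a constructed in-memory directory."""

# Constructed sample directory (not from the thread): group1 holds person1 via
# uniqueMember, group2 holds group1 via uniqueGroup, and group2/group3 reference
# each other via uniqueGroup to form a membership cycle.
DIRECTORY = {
    "cn=person1,ou=people,o=example": {
        "cn": ["person1"], "mail": ["person1@example.com"]},
    "cn=group1,ou=groups,o=example": {
        "cn": ["group1"], "uniqueMember": ["cn=person1,ou=people,o=example"]},
    "cn=group2,ou=groups,o=example": {
        "cn": ["group2"],
        "uniqueGroup": ["cn=group1,ou=groups,o=example", "cn=group3,ou=groups,o=example"]},
    "cn=group3,ou=groups,o=example": {
        "cn": ["group3"], "uniqueGroup": ["cn=group2,ou=groups,o=example"]},
}

# Realm settings shaped like the <Realm> attributes in the thread (hypothetical values).
REALM_DIRECT = {
    "userBase": "ou=people,o=example", "userSearch": "(mail={0})", "userSubtree": True,
    "roleBase": "ou=groups,o=example", "roleSubtree": False, "roleNested": True,
    "roleSearch": "(uniqueMember={0})", "roleName": "cn",
}
# Same realm with the combined filter Felix suggests (outer parentheses included).
REALM_COMBINED = dict(REALM_DIRECT, roleSearch="(|(uniqueMember={0})(uniqueGroup={0}))")


def parse_filter(text):
    """Parse a small RFC 4515 subset: (attr=value), (&(...)(...)), (|(...)(...))."""
    def parse(i):
        if text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if text[i] in "&|":
            op, i, items = text[i], i + 1, []
            while text[i] == "(":
                node, i = parse(i)
                items.append(node)
            if text[i] != ")":
                raise ValueError("expected ')' at offset %d" % i)
            return (op, items), i + 1
        end = text.index(")", i)
        attr, _, value = text[i:end].partition("=")   # value may itself contain '=' (a DN)
        return ("=", attr, value), end + 1
    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing data in filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute values are lists)."""
    if node[0] == "=":
        return node[2] in entry.get(node[1], [])
    children = [matches(child, entry) for child in node[1]]
    return all(children) if node[0] == "&" else any(children)


def search(base, subtree, filter_text):
    """Return (dn, entry) pairs under base that match the filter."""
    node = parse_filter(filter_text)
    hits = []
    for dn, entry in DIRECTORY.items():
        if not dn.endswith("," + base):
            continue
        relative = dn[: -len(base) - 1]
        if not subtree and "," in relative:   # one-level scope: direct children only
            continue
        if matches(node, entry):
            hits.append((dn, entry))
    return hits


def resolve_roles(realm, username):
    """Mimic the realm: find the user's DN, then run roleSearch once per discovered group."""
    users = search(realm["userBase"], realm["userSubtree"],
                   realm["userSearch"].replace("{0}", username))
    if len(users) != 1:
        return []                                  # unknown or ambiguous user: no roles
    user_dn = users[0][0]
    roles = {}                                     # group DN -> role name; doubles as visited set
    pending = [user_dn]
    while pending:
        dn = pending.pop()
        filter_text = realm["roleSearch"].replace("{0}", dn).replace("{1}", username)
        for group_dn, entry in search(realm["roleBase"], realm["roleSubtree"], filter_text):
            if group_dn in roles:                  # already recorded: breaks membership cycles
                continue
            roles[group_dn] = entry[realm["roleName"]][0]
            if realm["roleNested"]:
                pending.append(group_dn)           # search again with the group's DN as {0}
    return sorted(roles.values())


if __name__ == "__main__":
    print(resolve_roles(REALM_DIRECT, "person1@example.com"))    # ['group1']
    print(resolve_roles(REALM_COMBINED, "person1@example.com"))  # ['group1', 'group2', 'group3']
```

Each pass of the loop corresponds to one LDAP search against the directory, which is the cost Travis is worried about: with the combined filter every group found triggers a further search that has to scan both uniqueMember and uniqueGroup, so an index on those attributes is what makes the repeated lookups cheap.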
