On 30/09/2014 01:11, Jesse Barnum wrote:
> I'm trying to configure Tomcat to authenticate against our Active Directory 
> server.
> 
> I do not want to configure an administrative account to bind with; I want to 
> bind as the user logging in.
> 
> The problem comes when JNDIRealm tries to get the list of roles that the user 
> is a member of. From looking at the source code, it seems to strip out the 
> login user's account credentials from the DirectoryContext. This causes the 
> following exception when it tries to get a list of groups for the user:

<snip/>

> This bug report seems to indicate that it should work the way I'm expecting, 
> as of 7.0.9 and onwards.
> https://issues.apache.org/bugzilla/show_bug.cgi?id=19444
> 
> I am running 7.0.52. Is there some configuration I need to do to tell Tomcat 
> to use the user's credentials when getting a list of roles?

To quote from the last comment in that bug report:
<quote>
I have added a new JNDIRealm option in Tomcat 7.0.x to optionally allow
role searches as the user being authenticated rather than using an
anonymous user or using connectionName/connectionPassword.

The new option will be included in 7.0.9 onwards.
</quote>

Looking at the docs for the JNDI Realm (since I can't remember what name
I used for that option) this looks promising:
<quote>
roleSearchAsUser

When searching for user roles, should the search be performed as the
user currently being authenticated? If false, connectionName and
connectionPassword will be used if specified, else an anonymous. If not
specified, the default value of false is used. Note that when accessing
the directory using delegated credentials, this attribute is always
ignored and the search is performed using the delegated credentials.
</quote>

So, that begs two questions:

1. What configuration are you using for roleSearchAsUser?

2. In the interests of improving the docs, what was it that meant you
were unable to find this information in the JNDI Realm docs?

Mark
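For illustration, here is a server.xml Realm fragment showing the two modes the docs quoted above describe: a shared bind account for the role search versus binding as the authenticating user with roleSearchAsUser="true" (Tomcat 7.0.9 or later). This is an added example, not configuration from the thread; the host name, OU layout and DN patterns are placeholders and assume users are stored as cn=<username> under ou=Users and groups list their members in the member attribute.

```xml
<!-- Mode 1 (what the original poster wants to avoid): a stored service
     account does every role search. The password sits in server.xml and
     the account needs read access to every group it is asked about. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ad.example.com:389"
       connectionName="cn=tomcat-svc,ou=Service Accounts,dc=example,dc=com"
       connectionPassword="PLACEHOLDER-SERVICE-PASSWORD"
       userPattern="cn={0},ou=Users,dc=example,dc=com"
       roleBase="ou=Groups,dc=example,dc=com"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true" />

<!-- Mode 2 (the option Mark points to): no connectionName/connectionPassword.
     Tomcat binds as the user being authenticated and, because
     roleSearchAsUser="true", runs the group lookup with that same bind
     instead of dropping back to an anonymous search (which is what
     produced the exception in the original report). -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://ad.example.com:636"
       userPattern="cn={0},ou=Users,dc=example,dc=com"
       roleBase="ou=Groups,dc=example,dc=com"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true"
       roleSearchAsUser="true" />
```

With mode 2, a login still fails if the directory does not let ordinary users read group membership, so check that the user account itself can run the roleSearch filter against roleBase before blaming the Realm.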
