Chris,

Thanks for the response.  I think you are correct on the role definition
(could not find a way of escaping or wildcarding the role which Struts
1.1 suggests is possible) - so have worked a little more on the AD realm
settings in Tomcat.  By trial and error I have found the below to work:

<!-- userRoleName="memberOf" copies the group DNs held on the user entry;
     roleSearch/roleName="cn" looks the groups up and returns their cn. -->
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://connection_ip:389"
       connectionName="connection_username"
       connectionPassword="password"
       userRoleName="memberOf"
       userBase="cn=Users,dc=xxxxxx,dc=yyyyyy"
       userSearch="(sAMAccountName={0})"
       roleBase="cn=Users,dc=xxxxxx,dc=yyyyyy"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true"
       userSubtree="true"
/>

This seems to return both the cn and the DN, i.e. really twice as much role
data as I need - but at least it works.

Thanks again

Rupert.


-----Original Message-----
From: Christopher Schultz [mailto:[EMAIL PROTECTED] 
Sent: 08 April 2008 15:36
To: Tomcat Users List
Subject: Re: Apache Tomcat role authorisation against AD2003

This message should be regarded as confidential. If you have received this 
email in error please notify the sender and destroy it immediately.
Statements of intent shall only become binding when confirmed in hard copy by 
an authorised signatory.  The contents of this email may relate to dealings 
with other companies within the Detica Group plc group of companies.

Detica Limited is registered in England under No: 1337451.

Registered offices: Surrey Research Park, Guildford, Surrey, GU2 7YP, England.



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rupert,

Rupert Whitefield wrote:
|> Roles (users windows domain groups) are being returned, however the 
|> issue is that AD is returning the DN, and not the 'cn'.  Have tried 
|> various values in the roleName field - but these have no effect.

Are CNs unique? I would be concerned that cn=admin,dc=admins would be
confused with cn=admin,dc=h4x0r5, if someone got ahold of your AD
server.

|> I can change the <role-name> definitions in the web.xml files to
|> match what is being returned - but this isn't ideal, and I still have
|> issues with the ',' in the role when using struts.....

Hmm... role-name elements in web.xml must be NMTOKENs, which means:

NameChar ::= Letter | Digit | '.' | '-' | '_' | CombiningChar | Extender
Nmtoken  ::= (NameChar)+

(Where 'Letter' and 'Digit' are obvious)

'Extender' includes the '.' character and a bunch of higher-order
UNICODE characters. 'CombiningChar' also includes higher-order UNICODE
characters. I didn't bother looking any of them up, but you can use this
page for reference: http://www.w3.org/TR/1998/REC-xml-19980210

Perhaps commas are not legal in the role-name in the first place. That
could be a problem :(

- -chris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkf7grUACgkQ9CaO5/Lv0PDcLgCeKw9vFRml1kVxTe0M79uGX+4L
DMkAoI5TRYT8xlZKYjqSqcCJUuGVzG2a
=13Yo
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
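The two problems raised in this thread, the comma-bearing DNs that AD hands back in memberOf and the question of whether a bare cn is unique enough to authorise on, can be checked offline before touching web.xml. The following is an added example in Python; it is not code from the thread or from Tomcat. It takes a constructed list of memberOf values of the kind a JNDIRealm with userRoleName="memberOf" would see, extracts the cn the way roleName="cn" does (a minimal RFC 4514 parser that understands the \, and \2C escape forms; multi-valued RDNs joined with '+' are not split, which is an assumption), tests each candidate against the ASCII subset of the XML 1.0 NMTOKEN production (the Unicode Letter, CombiningChar and Extender classes are not implemented, another assumption, so the check is conservative), and flags groups whose cn collides across containers.

```python
import re
from collections import defaultdict

# ASCII subset of the XML 1.0 NMTOKEN production (NameChar)+.  The Unicode
# Letter, CombiningChar and Extender classes are deliberately left out
# (assumption: role names are ASCII), so this check rejects, never over-accepts.
_NMTOKEN_ASCII = re.compile(r"[A-Za-z0-9._:-]+")
_HEX = b"0123456789abcdefABCDEF"


def is_nmtoken(name: str) -> bool:
    """True if `name` is a legal <role-name> under the ASCII NMTOKEN rules."""
    return _NMTOKEN_ASCII.fullmatch(name) is not None


def parse_dn(dn: str):
    """Split an RFC 4514 string DN into [(attr, value), ...].

    Backslash escapes (the \\, and \\2C forms) are resolved by working on the
    UTF-8 bytes; '+'-joined multi-valued RDNs are not split (assumption).
    """
    raw = dn.encode("utf-8")
    rdns, buf, attr, i = [], bytearray(), None, 0
    while i < len(raw):
        b = raw[i]
        if b == 0x5C and i + 1 < len(raw):  # backslash: escaped char or hex pair
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in _HEX and pair[1] in _HEX:
                buf.append(int(pair, 16))
                i += 3
            else:
                buf.append(raw[i + 1])
                i += 2
            continue
        if b == 0x3D and attr is None:      # first unescaped '=' ends the attribute type
            attr = buf.decode("utf-8").strip()
            buf = bytearray()
        elif b == 0x2C:                     # unescaped ',' ends the RDN
            rdns.append((attr, buf.decode("utf-8").strip()))
            attr, buf = None, bytearray()
        else:
            buf.append(b)
        i += 1
    if attr is not None or buf:
        rdns.append((attr, buf.decode("utf-8").strip()))
    return rdns


def cn_of(dn: str) -> str:
    """The value Tomcat's roleName="cn" would yield for a group DN: its leading RDN."""
    attr, value = parse_dn(dn)[0]
    if attr is None or attr.lower() != "cn":
        raise ValueError(f"leading RDN of {dn!r} is not a cn")
    return value


def audit_roles(member_of):
    """Return (role_names, invalid, collisions) for a list of memberOf DNs.

    role_names - the cn values, i.e. what would go into <role-name>
    invalid    - cn values that still violate NMTOKEN (spaces, commas, ...)
    collisions - cn values shared by more than one group DN
    """
    by_cn = defaultdict(list)
    for dn in member_of:
        by_cn[cn_of(dn)].append(dn)
    role_names = sorted(by_cn)
    invalid = [cn for cn in role_names if not is_nmtoken(cn)]
    collisions = {cn: dns for cn, dns in by_cn.items() if len(dns) > 1}
    return role_names, invalid, collisions


# Constructed sample: what memberOf might hold for one AD user (not real data).
SAMPLE_MEMBER_OF = [
    "CN=tomcat-admins,CN=Users,DC=example,DC=test",
    "CN=Web\\, Ops,OU=Groups,DC=example,DC=test",    # escaped comma inside the cn
    "CN=admin,OU=Corp,DC=example,DC=test",
    "CN=admin,OU=Contractors,DC=example,DC=test",    # same cn, different container
]

if __name__ == "__main__":
    names, bad, dup = audit_roles(SAMPLE_MEMBER_OF)
    for dn in SAMPLE_MEMBER_OF:
        print(f"usable as role-name? {is_nmtoken(dn)!s:5}  {dn}")
    print("cn-based role names:", names)
    print("still not NMTOKENs :", bad)
    print("cn collisions      :", dup)
```

Run against the sample, none of the raw DNs passes the NMTOKEN check (the '=' and ',' alone rule them out), which is why mapping the DN straight into <role-name> cannot work; the cn values do pass, except for any cn that itself contains a space or comma, which needs renaming in AD rather than escaping in web.xml. The collision report is the practical answer to the CN-uniqueness question: two groups named "admin" in different OUs become one Tomcat role, so either keep roleBase narrow enough that this cannot happen or check for it before going live.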