Hi Jerome, have you thought about adding an extra attribute to the groups, so that the mapping is done by a normal ldap query?
Consider having an objectClass tomcatRoleMapping which has one attribute tomcatRole. Then with your mapping like below

> securityrole1=group1,group2,group4
> securityrole2=group3
> securityrole3=group5,group6

you would extend all groups with tomcatRoleMapping. The value of the attribute tomcatRole could then be "securityrole1" for group1, group2 and group4 like this

dn: cn=group1,...
objectClass: tomcatRoleMapping
objectClass: ...
tomcatRole: securityrole1
cn: group1
...

Now just change the roleName attribute in your realm definition to tomcatRole and you have got a mapping from groups to security roles.

Bye
Felix

On Wednesday, 08.10.2008, 11:32 +0200, Jérôme Delattre wrote:
> 2008/9/23 Jérôme Delattre <[EMAIL PROTECTED]>
>
> > Hello,
> >
> > Env: Tomcat 6.0.18 / Java 6 / Windows
> >
> > I am trying to configure a JNDIRealm to authenticate against an Active
> > Directory.
> > http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
> >
> > The authentication seems to work but I wonder how to map LDAP groups
> > to security roles.
> > I do not want to add groups in the LDAP server, but to map existing
> > ones to the roles defined in my web application instead.
> >
> > Is it possible? I did not find any doc / post about this topic.
> >
> > Thanks,
> > Jerome
> >
>
> So for the log and if it can help someone, here is how I resolved my issue:
>
> I've extended the JNDIRealm class to override the getRoles(...) method.
>
> package org.apache.catalina.realm;
> ...
> public class CustomJNDIRealm extends JNDIRealm {
>     ...
>     @Override
>     protected List<String> getRoles(DirContext context, User user) throws
>             NamingException {
>         List<String> ldapRoles = super.getRoles(context, user);
>         // customized part
>         return ldapRoles;
>     }
>     ...
> }
>
> The package needs to be the same as JNDIRealm class otherwise the class User
> is not visible.
> In the "custom part" of the method I read a properties file that describes
> the mapping between LDAP roles and security roles.
> And I simply add security roles to the ldapRoles list before returning it.
>
> The properties file is in Tomcat's lib directory and looks like:
>
> securityrole1=group1,group2,group4
> securityrole2=group3
> securityrole3=group5,group6
> ...
>
> And to be exhaustive, here is the realm configuration for Active Directory
> that works in my env:
>
> <Realm
>     className="org.apache.catalina.realm.CustomJNDIRealm"
>     debug="99"
>     connectionURL="ldap://myADserver:389"
>     connectionName="myADreadonlyUser"
>     connectionPassword="password"
>     referrals="follow"
>     userBase="DC=mycompany,DC=com"
>     userSearch="(sAMAccountName={0})"
>     userSubtree="true"
>     roleBase="DC=mycompany,DC=com"
>     roleName="cn"
>     roleSearch="(member={0})"
>     roleSubtree="true"/>
>
> Cheers,
> Jerome

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
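The "customized part" Jerome describes, as an added example that is not code from the thread or from Tomcat: a hypothetical RoleMapper that inverts the properties file (securityrole=group1,group2,...) into a group-to-role lookup and appends the mapped security roles to the list that super.getRoles() returned. It assumes the properties format shown above, that the LDAP list holds group cn values (compared case-insensitively, as Active Directory treats cn), and that super.getRoles() may return null, which is treated as no groups; it has no Tomcat dependency so it can be run and unit-tested on its own.

```java
import java.io.StringReader;
import java.util.*;

/** Hypothetical helper for the overridden getRoles(): group cn -> security roles. */
public class RoleMapper {
    // Keyed by lower-cased group cn, since AD matches cn case-insensitively.
    private final Map<String, Set<String>> groupToRoles = new HashMap<>();

    /** Invert "securityrole=group1,group2,..." lines into group -> {roles}. */
    public RoleMapper(Properties mapping) {
        for (String role : mapping.stringPropertyNames()) {
            for (String group : mapping.getProperty(role).split(",")) {
                String key = group.trim().toLowerCase(Locale.ROOT);
                if (!key.isEmpty()) {
                    groupToRoles.computeIfAbsent(key, k -> new LinkedHashSet<>())
                                .add(role.trim());
                }
            }
        }
    }

    /** Keep the raw LDAP group names (as Jerome did) and append every security
     *  role mapped to any of them. A group absent from the file maps to nothing,
     *  so an unexpected AD group never grants a web-app role by accident. */
    public List<String> mapRoles(List<String> ldapRoles) {
        if (ldapRoles == null) {           // JNDIRealm.getRoles() can return null
            return new ArrayList<>();
        }
        Set<String> result = new LinkedHashSet<>(ldapRoles);
        for (String group : ldapRoles) {
            Set<String> mapped = groupToRoles.get(group.trim().toLowerCase(Locale.ROOT));
            if (mapped != null) {
                result.addAll(mapped);
            }
        }
        return new ArrayList<>(result);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample in the same format as the properties file in the thread.
        String file = "securityrole1=group1,group2,group4\n"
                    + "securityrole2=group3\n"
                    + "securityrole3=group5,group6\n";
        Properties props = new Properties();
        props.load(new StringReader(file));
        RoleMapper mapper = new RoleMapper(props);
        // Constructed stand-in for what super.getRoles(context, user) returned.
        List<String> fromLdap = Arrays.asList("Group2", "group3", "Domain Users");
        System.out.println(mapper.mapRoles(fromLdap));
    }
}
```

Inside CustomJNDIRealm the same call would be `return mapper.mapRoles(super.getRoles(context, user));`, with the RoleMapper built once from the file in Tomcat's lib directory rather than on every login.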