Hello guys,
I need help...
I use Tomcat 5.5.17.

1)server.xml

 <Realm   className="org.apache.catalina.realm.JNDIRealm" debug="99"
           connectionURL="ldap://x.x.x.x:xxx"
           allRolesMode="AuthOnly"
           referrals="follow"
           userBase="ou=Users,dc=mydomain"
           userSubtree="true"
           userSearch="(uid={0})"
           roleBase="ou=Groups,dc=mydomain"
           roleName="cn"
           roleSubtree="true"
           roleSearch="(memberUid={1})"
        />

In LDAP, all groups have the attribute
cn - group name,
and the list attribute memberUid - list of members.



2)./webapps/ucaldav/WEB-INF/web.xml


<security-constraint>
    <web-resource-collection>
      <web-resource-name>Bedework</web-resource-name>
      <description>Bedework user</description>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
      <description>no description</description>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>personal calendar</realm-name>
  </login-config>


  <security-role>
    <description>A calendar system user</description>
    <role-name>*</role-name>
  </security-role>


3) In options.xml (run-time options for the web application)
/webapps/ucaldav/WEB-INF/classes/properties/calendar/options.xml

<user-ldap-group classname="org.bedework.calfacade.configs.LdapConfigProperties">
            <principalRoot>/principals</principalRoot>
            <userPrincipalRoot>/principals/users</userPrincipalRoot>
            <groupPrincipalRoot>/principals/groups</groupPrincipalRoot>
            <resourcePrincipalRoot>/principals/resources</resourcePrincipalRoot>
            <venuePrincipalRoot>/principals/locations</venuePrincipalRoot>
            <ticketPrincipalRoot>/principals/tickets</ticketPrincipalRoot>
            <hostPrincipalRoot>/principals/hosts</hostPrincipalRoot>

            <domains>test</domains>
            <defaultDomain>test</defaultDomain>

            <initialContextFactory>com.sun.jndi.ldap.LdapCtxFactory</initialContextFactory>
            <providerUrl>ldap://x.x.x.x:xxx/</providerUrl>
            <groupContextDn>ou=Groups, dc=tander</groupContextDn>
            <groupMemberAttr>memberUid</groupMemberAttr>
            <userDnPrefix>uid=</userDnPrefix>
            <userDnSuffix>,ou=Users, dc=mydomain</userDnSuffix>
            <groupDnPrefix>cn</groupDnPrefix>
            <groupDnSuffix>,ou=Groups, dc=mydomain</groupDnSuffix>
            <debug>true</debug>
</user-ldap-group>


If I use this configuration, user authentication works well.

But if user "alex" has no access permissions, while he is a member of group 
"agroup" (which has rwx access permissions), authentication does not occur...
I ran catalina.sh in debug:

00:14:28,697 INFO  [CalSvc] Authenticated user alex logged on
***
[AccessUtil] Check access for object BwCalendar ident=/user/alex/Inbox
00:21:33,431 DEBUG [Acl] Check access for 'WONyAI05 /user WU04 alexyA WG06 
agroupyA WANyFySI05 /user ' with authenticated = true isOwner = false...For 
authenticated got: PrivilegeSet[????Y?????YYYY???]...Check access denied 
!allowed) PrivilegeSet[nnnnYnnnnnYYYYnnn]
**
===================================
So, since authentication fails in the web application, I tried testing 
authentication in Tomcat:
1)server.xml
allRolesMode="AuthOnly" change to: allRolesMode="strictAuthOnly"

2)web.xml

<auth-constraint>
      <role-name>*</role-name>
</auth-constraint>

change to:

<auth-constraint>
      <role-name>agroup</role-name>
</auth-constraint>

--
 <security-role>
    <description>A calendar system user</description>
    <role-name>*</role-name>
  </security-role>

change to:

 <security-role>
    <description>A calendar system user</description>
    <role-name>agroup</role-name>
  </security-role>

===
In this case user "alex" can't authenticate at the Tomcat level at all...

Any ideas?
And how can I debug only JNDI?
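Added example (not from the post and not Tomcat's or Bedework's own code): a Python replay of the two LDAP searches JNDIRealm performs with the posted Realm settings, plus the documented allRolesMode handling of "*", run against a constructed in-memory directory so the group-to-role mapping can be checked apart from Bedework's ACLs. The entries in DIRECTORY and the helper names are assumptions; only the userBase/userSearch/roleBase/roleSearch/roleName values come from the post.

```python
import re

# Constructed in-memory directory with the shape the post describes: users under
# ou=Users keyed by uid, groups under ou=Groups with cn and multi-valued memberUid.
DIRECTORY = {
    "uid=alex,ou=Users,dc=mydomain": {"uid": ["alex"]},
    "uid=bob,ou=Users,dc=mydomain": {"uid": ["bob"]},
    "cn=agroup,ou=Groups,dc=mydomain": {"cn": ["agroup"], "memberUid": ["alex", "carol"]},
    "cn=staff,ou=Groups,dc=mydomain": {"cn": ["staff"], "memberUid": ["bob"]},
}

# The <Realm> attributes from the post that drive the two searches.
REALM = {"userBase": "ou=Users,dc=mydomain", "userSearch": "(uid={0})",
         "roleBase": "ou=Groups,dc=mydomain", "roleSearch": "(memberUid={1})",
         "roleName": "cn"}

def search(base, filt):
    """Toy subtree search supporting only the single equality filters used here."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)
    if not m:
        raise ValueError("unsupported filter: " + filt)
    attr, wanted = m.groups()
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith("," + base) and wanted in attrs.get(attr, [])]

def jndi_realm_roles(username):
    """Replay JNDIRealm's lookups: userSearch finds the user's DN, roleSearch the
    groups naming the user. In roleSearch {0} is the user DN and {1} the bare
    username, so (memberUid={1}) only matches if groups store the plain uid."""
    hits = search(REALM["userBase"], REALM["userSearch"].replace("{0}", username))
    if len(hits) != 1:
        return None  # unknown or ambiguous user: Tomcat reports an authentication failure
    role_filter = REALM["roleSearch"].replace("{0}", hits[0]).replace("{1}", username)
    return sorted(DIRECTORY[dn][REALM["roleName"]][0]
                  for dn in search(REALM["roleBase"], role_filter))

def has_access(roles, constraint_roles, declared_roles, all_roles_mode="strict"):
    """Decide an <auth-constraint> as Tomcat's allRolesMode documents it: with '*'
    in the constraint, authOnly admits any authenticated user, strictAuthOnly does
    so only if '*' is also a <security-role>, strict needs a declared role."""
    if roles is None:
        return False
    if "*" in constraint_roles:
        if all_roles_mode == "authOnly":
            return True
        if all_roles_mode == "strictAuthOnly":
            return "*" in declared_roles
        return any(r in declared_roles for r in roles)
    return any(r in constraint_roles for r in roles)
```

If a real directory returns an empty role list for alex here, the Tomcat-side role search (bind permissions on ou=Groups, attribute name, or the {0}/{1} choice) is the thing to inspect before touching Bedework's options.xml.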
