Hi Leo,

On Mon, 8 Mar 2010 14:11:50 -0700, Leo Donahue - PLANDEVX
<leodona...@mail.maricopa.gov> wrote:
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
> <http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html> 
> 
> Using Tomcat 6.0.24 on Windows Server 2003 Standard R2 SP2
> 
> 1. We use MS Active Directory, is the "uid" in the following example for
> userPattern the same as the "sAMAccountName" ?
"uid" is just an attribute like "sAMAccounName". So if your userid's are 
represented by "sAMAccountName" you can use it.

> 
> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>       connectionURL="ldap://localhost:389"
>       userPattern="uid={0},ou=people,dc=mycompany,dc=com"
>       roleBase="ou=groups,dc=mycompany,dc=com"
>       roleName="cn"
>       roleSearch="(uniqueMember={0})"
> />
> 
> 2. The quick start section said to create a user account for the Tomcat
> user, if required. That is the account Tomcat uses to browse the LDAP, I
> understand that, but where is it used in the Realm? Is it the
> connectionName and connectionPassword attributes?
Yes, those two attributes are used to tell the realm to bind to the
server. 
This is needed if you don't have anonymous access enabled in your LDAP
server.
> 
> The way Active Directory is setup for us looks something like this:
> 
> dc=mycompany,dc=com
>   ou=mydept
>     ou=division1
>     ou=division2
>     ou=division...n
>     ou=service accounts (this is where we created the tomcat user account,
>     and the role accounts for the webapp)
>   ou=other depts, etc.
> 
> I would like to set up the realm so that any user in any division, under
> "mydept" will be found.  Does this look right?  (aside from changing the
> connection url to ours)  Or do I substitute the sAMAccountName for "uid"?
> 
> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>       connectionURL="ldap://localhost:389"
>       connectionName="tomcat user account name"
>       connectionPassword="tomcat user account pw"
>       userPattern="uid={0},ou=mydept,dc=mycompany,dc=com"
>       roleBase="ou=mydept,dc=mycompany,dc=com"
>       roleName="ou=service accounts,cn=ourwebapprolename,dc=mycompany,dc=com"
>       roleSearch="(uniqueMember={0})"
>       userSubtree="true"
> />
I think you will want to try 
  userSearch="sAMAccountName={0}"
  userBase="ou=mydept,dc=mycompany,dc=com"
  userSubtree="true"
instead of "userPattern=...". Using this JNDIRealm will do a subtree
search with 
"ou=mydept,dc=mycompany,dc=com" as base and "sAMAccountName=USERNAME" as
filter.

Minor note: I think that if you have a relatively new tomcat, then the
debug="99" statement will be ignored.

Bye
 Felix
> 
>  
> Leo Donahue
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
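Added example (not from Felix's reply or from the Tomcat docs): the Realm element that Felix's advice leads to for the Active Directory layout Leo describes. The host name, the service-account DN and the group container are assumptions; AD groups record members in the `member` attribute (holding each member's DN), so roleSearch uses that instead of uniqueMember.

```xml
<!-- Added example, not the thread's own config. Placeholders:
     dc1.mycompany.com, the cn=tomcat service account, CHANGE-ME. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"

       connectionURL="ldaps://dc1.mycompany.com:636"
       connectionName="cn=tomcat,ou=service accounts,ou=mydept,dc=mycompany,dc=com"
       connectionPassword="CHANGE-ME"

       userBase="ou=mydept,dc=mycompany,dc=com"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"

       roleBase="ou=service accounts,ou=mydept,dc=mycompany,dc=com"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true" />

<!-- connectionURL: ldaps:// (port 636) because JNDIRealm does a simple bind
     with the service-account password and again with every user's password;
     over plain ldap://389 both cross the network in clear text.
     connectionName: a full DN for the read-only service account (AD also
     accepts user@domain); it only needs read access to ou=mydept.
     userBase/userSearch/userSubtree: search all divisions under ou=mydept
     for sAMAccountName={0}, where {0} is the login name; this replaces the
     userPattern from Leo's draft, which can only name one fixed ou.
     roleSearch: {0} is the authenticated user's DN, so this matches the AD
     groups that list that DN in their member attribute.
     roleName: the attribute whose value becomes the Tomcat role, so the
     groups' cn values are what the security-role names in web.xml must match.
     debug="99" is dropped; recent Tomcat versions ignore it. -->
```

Note that roleName takes an attribute name (cn), not a DN as in Leo's second draft, so that line is the one to change even if the rest of the second draft is kept.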
