Hi Leo,
In general I would recommend using an LDAP tool like Apache Directory
Studio to develop and verify the JNDI Realm specific parameters:
http://directory.apache.org/studio/
If this works (authentication, authorization searches), add the
parameters to your Tomcat configuration in server.xml.
The userPattern attribute is in almost all cases not appropriate for
Active Directory (AD), because the users are not organized flat in the
tree there (check with a tool). Use a search filter instead as Felix
suggested.
userSearch="(&(objectCategory=user)(sAMAccountName={0}))"
Adding objectCategory to the search filter will lead to better
performance, because it has an index in AD.
Greetings from Hamburg,
StefanZ
Leo Donahue - PLANDEVX wrote:
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
Using Tomcat 6.0.24 on Windows Server 2003 Standard R2 SP2
1. We use MS Active Directory, is the "uid" in the following example for userPattern the
same as the "sAMAccountName"?
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
connectionURL="ldap://localhost:389"
userPattern="uid={0},ou=people,dc=mycompany,dc=com"
roleBase="ou=groups,dc=mycompany,dc=com"
roleName="cn"
roleSearch="(uniqueMember={0})"
/>
2. The quick start section said to create a user account for the Tomcat user,
if required. That is the account Tomcat uses to browse the LDAP, I understand
that, but where is it used in the Realm? Is it the connectionName and
connectionPassword attributes?
The way Active Directory is setup for us looks something like this:
dc=mycompany,dc=com
ou=mydept
ou=division1
ou=division2
ou=division...n
ou=service accounts (this is where we created the tomcat user account, and
the role accounts for the webapp)
ou=other depts, etc.
I would like to set up the realm so that any user in any division, under "mydept" will be
found. Does this look right? (aside from changing the connection url to ours) Or do I substitute
the sAMAccountName for "uid"?
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
connectionURL="ldap://localhost:389"
connectionName="tomcat user account name"
connectionPassword="tomcat user account pw"
userPattern="uid={0},ou=mydept,dc=mycompany,dc=com"
roleBase="ou=mydept,dc=mycompany,dc=com"
roleName="ou=service accounts,cn=ourwebapprolename,dc=mycompany,dc=com"
roleSearch="(uniqueMember={0})"
userSubtree="true"
/>
Leo Donahue
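As an added illustration (not a configuration from either poster), here is a server.xml Realm that applies Stefan's advice to the tree Leo described: userPattern is dropped in favour of a userBase plus userSearch filter, and the "tomcat user" service account from Leo's question 2 is the one supplied via connectionName/connectionPassword. The domain controller host name, the service-account name and password, and the placement of the webapp's role groups directly in ou=service accounts under the domain root are assumptions; the base DNs and OU names come from Leo's message.

```xml
<!-- Added example, not from the thread. Host name, service-account name and
     password are placeholders; the OU holding the role groups is assumed. -->

<!-- connectionName/connectionPassword are the dedicated "tomcat user" service
     account; it only needs read access to the directory.
     {0} in userSearch is the login name the user typed.
     {0} in roleSearch is the DN of the entry that userSearch found.
     AD stores group membership in the group's "member" attribute, so
     (uniqueMember={0}) from the docs example would match nothing here.
     Note the "&" of the AND filter must be written as "&amp;" inside an XML
     attribute. Prefer ldaps:// (port 636) so the bind password and the users'
     credentials are not sent in clear text. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://dc01.mycompany.com:389"
       connectionName="tomcat-svc@mycompany.com"
       connectionPassword="CHANGE-ME"

       userBase="ou=mydept,dc=mycompany,dc=com"
       userSubtree="true"
       userSearch="(&amp;(objectCategory=user)(sAMAccountName={0}))"

       roleBase="ou=service accounts,dc=mycompany,dc=com"
       roleSubtree="true"
       roleName="cn"
       roleSearch="(member={0})"
/>
```

With userSubtree="true", the search under ou=mydept descends into every division OU, so a user in any division is found without enumerating the OUs in userPattern. The same userSearch filter, pasted unescaped, is what you would test first in Apache Directory Studio against the same bind account, as Stefan recommends.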
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org