On Tue, 8 Jun 2010 08:25:04 -0700 (PDT), Mark-E <mer...@hbs.edu> wrote:
> I have setup an https instance of Tomcat and I am trying to allow only
> specific users access. 
> 
> In the current configuration, anyone who is in LDAP can get in. 
> 
> Here is the current configuration in the server.xml
> 
>       <Realm className="org.apache.catalina.realm.JNDIRealm"
>              connectionName=<connection name>
>              connectionURL="ldap://ldap.domain.com:<port>"
>              roleSearch="memberUid={0}"
>              allRolesMode="authOnly"
>              userPattern="uid={0},ou=People,dc=domain,dc=com"
>        />
> 
> So I tried using userSearch=(user{1}) to allow only user1 in but that did
> not limit access. I tried {1} since the docs mention that is to search for
> a specific username.
You can't use {1} in userSearch. You have to use {0}.

If you have only a very limited set of users and want to risk a management
nightmare, you can hardcode those users into the search pattern like

userSearch="(&amp;(uid={0})(|(uid=user1)(uid=user2)))"

But I think it would be better to use an attribute or a group for that
kind of thing:

userSearch="(&amp;(uid={0})(specialAttribute=specialValue))"

Bye
 Felix 
> 
> Anyone know how I need to edit this to allow only a list of specific users
> in?  I will define them in this file.
> 
> Thanks,
> Mark


Hi Felix,
   Thanks for the information. The easiest thing for me is to specify a list
of users by using your suggestion of: 

userSearch="(&amp;(uid={0})(|(uid=user1)(uid=user2)))"

However, even with the entry set up like this, I still get in if I am NOT
user1 or user2. I find that unless I also use the following entry, I do not
get in at all:

userPattern="uid={0},ou=People,dc=domain,dc=com"

Do you know if I need to change userPattern as well?  I tried substituting

userPattern="uid={0},ou=People,dc=domain,dc=com"

With:

userPattern="(&amp;(uid={0})(|(uid=user1)(uid=user2))),ou=People,dc=domain,dc=com"

But that said that uid was invalid. 

Thanks,
Mark
-- 
View this message in context: 
http://old.nabble.com/Allowing-only-specific-users-LDAP-access-tp28819437p28822437.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
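An added example, not from either poster, showing a JNDIRealm configuration in which Felix's filter is actually enforced. In JNDIRealm, when userPattern is set the realm binds directly as the DN built from that pattern and never runs userSearch, so the filter is silently ignored; replacing userPattern with userBase plus userSearch makes the filter the only way a user entry can be found. The second realm shows the group-based alternative Felix recommends, with the role then named explicitly in web.xml. Hostname, port, service-account DN, password, the ou=Groups base and the group name webapp-users are placeholders assumed for the example.

```xml
<!-- Added example, not from the thread. Hostnames, DNs, the service
     account and the group name are placeholders; replace them with
     your directory's values. -->

<!-- Variant 1: Felix's hard-coded allow-list, made effective.
     userPattern is removed: with userPattern present, JNDIRealm binds
     directly as the constructed DN and never evaluates userSearch, so
     the filter is ignored. userBase + userSearch makes the filter the
     only path to a user entry, so users outside the list cannot log in.
     allRolesMode="authOnly" remains safe here because the restriction
     is applied at authentication time. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.domain.com:389"
       connectionName="cn=tomcat-svc,ou=Services,dc=domain,dc=com"
       connectionPassword="CHANGE_ME"
       userBase="ou=People,dc=domain,dc=com"
       userSubtree="false"
       userSearch="(&amp;(uid={0})(|(uid=user1)(uid=user2)))"
       allRolesMode="authOnly" />

<!-- Variant 2: group-based, the approach Felix prefers.
     Any directory user can authenticate, but only members of the
     posixGroup cn=webapp-users,ou=Groups,... receive the role
     "webapp-users". In roleSearch, {1} is the bare username and {0}
     the user's full DN; a posixGroup's memberUid holds the uid, so
     {1} is the right placeholder (the original config used {0}). -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.domain.com:389"
       connectionName="cn=tomcat-svc,ou=Services,dc=domain,dc=com"
       connectionPassword="CHANGE_ME"
       userBase="ou=People,dc=domain,dc=com"
       userSearch="(uid={0})"
       roleBase="ou=Groups,dc=domain,dc=com"
       roleName="cn"
       roleSearch="(memberUid={1})" />

<!-- web.xml for variant 2: the constraint names the role explicitly.
     Using role-name "*" together with allRolesMode="authOnly" would
     again admit every authenticated directory user. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>webapp-users</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>webapp-users</role-name>
</security-role>
```

The group variant is the one to prefer operationally: membership changes are made in the directory and are auditable there, whereas the allow-list variant requires editing server.xml and restarting Tomcat for every change. In both variants the service account named in connectionName needs only read access to the user and group subtrees. Note that inside an XML attribute the LDAP `&` operator must be written as `&amp;`, exactly as in Felix's filter.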

