Felix Schumacher wrote:
>
> On Tue, 8 Jun 2010 08:25:04 -0700 (PDT), Mark-E <mer...@hbs.edu> wrote:
>> I have set up an HTTPS instance of Tomcat and I am trying to allow only
>> specific users access.
>>
>> In the current configuration, anyone who is in LDAP can get in.
>>
>> Here is the current configuration in the server.xml
>>
>> <Realm className="org.apache.catalina.realm.JNDIRealm"
>> connectionName=<connection name>
>> connectionURL="ldap://ldap.domain.com:<port>"
>> roleSearch="memberUid={0}"
>> allRolesMode="authOnly"
>> userPattern="uid={0},ou=People,dc=domain,dc=com"
>> />
>>
>> So I tried using userSearch=(user{1}) to allow only user1 in but that did
>> not limit access. I tried {1} since the docs mention that is to search for
>> a specific username.
> You can't use {1} in userSearch. You have to use {0}.
>
> If you have only a very limited set of users and want to risk a management
> nightmare, you can hardcode those users into the search pattern like
>
> userSearch="(&(uid={0})(|(uid=user1)(uid=user2)))"
>
> But I think it would be better to use an attribute or a group for that
> kind of thing:
>
> userSearch="(&(uid={0})(specialAttribute=specialValue))"
>
> Bye
> Felix
>>
>> Anyone know how I need to edit this to allow only a list of specific users
>> in? I will define them in this file.
>>
>> Thanks,
>> Mark
>
>
> Hi Felix,
> Thanks for the information. The easiest thing for me is to specify a
> list of users by using your suggestion of:
>
> userSearch="(&(uid={0})(|(uid=user1)(uid=user2)))"
>
> However, even with the entry set up like this, I still get in if I am NOT
> user1 or user2. I find that unless I also use the following entry, I do
> not get in at all:
>
> userPattern="uid={0},ou=People,dc=domain,dc=com"
>
> Do you know if I need to change userPattern as well? I tried substituting
>
> userPattern="uid={0},ou=People,dc=domain,dc=com"
>
> With:
>
> userPattern="(&(uid={0})(|(uid=user1)(uid=user2))),ou=People,dc=domain,dc=com"
>
> But that said that uid was invalid.
>
> Thanks,
> Mark
>
Just wanted to let everyone know that I figured it out. I did some more
research and discovered that instead of using userPattern, I needed to use
the following:
userBase="ou=People,dc=domain,dc=com"
userSubtree="true"
Now, if I am listed as one of the two, user1 or user2, and I try to log in, I
get in; if not, I do not get in.
So the full entry in server.xml looks like this...
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionName="<connection name>"
connectionPassword="<connection password>"
connectionURL="ldap://ldap.domain.com:<port>"
roleSearch="memberUid={0}"
allRolesMode="authOnly"
userSearch="(&(uid={0})(|(uid=user1)(uid=user2)))"
userBase="ou=People,dc=domain,dc=com"
userSubtree="true"
/>
Whew, learned a lot from this task.
Thanks,
Mark
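The reason behind Mark's result is worth making concrete: JNDIRealm looks users up in one of two ways. With userPattern it builds the user's DN from the template and binds as that DN, so the userSearch filter is never consulted and anyone in the directory with a valid password passes. With userBase + userSearch (+ userSubtree) it runs the filter as an LDAP search, so an allow-list embedded in the filter decides who can be found at all. The script below is an added illustration written for this thread, not Tomcat's own code: it models both lookup paths against a small constructed in-memory directory, with a minimal RFC 4515 filter parser and the value escaping you would want for the {0} substitution. The DIRECTORY contents, the helper names, and the assumption that uid is matched case-insensitively (caseIgnoreMatch, as in RFC 4519) are all this example's own; check what your Tomcat version itself does about escaping the substituted username before relying on it.

```python
"""Model of the two JNDIRealm user-lookup paths (added example, not Tomcat code).

Search path  : userBase + userSearch + userSubtree  -> filter decides who is found
Pattern path : userPattern                          -> DN template, no filter at all
"""
import re

# Constructed sample directory: DN -> attributes. user2 lives in a sub-OU so
# that the userSubtree setting has an observable effect.
DIRECTORY = {
    "uid=user1,ou=People,dc=domain,dc=com": {"uid": "user1"},
    "uid=user2,ou=Staff,ou=People,dc=domain,dc=com": {"uid": "user2"},
    "uid=user3,ou=People,dc=domain,dc=com": {"uid": "user3"},
}

# The attribute values from the thread's final server.xml.
USER_BASE = "ou=People,dc=domain,dc=com"
USER_SEARCH = "(&(uid={0})(|(uid=user1)(uid=user2)))"
USER_PATTERN = "uid={0},ou=People,dc=domain,dc=com"

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value for use inside a search filter (RFC 4515 section 3).

    Without this, '(' ')' '*' in a submitted username could change the
    structure of the filter built from userSearch."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse the filter subset used here: (&...), (|...), (!...), (attr=value)."""
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError("expected '(' at %d in %r" % (pos, text))
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            if pos >= len(text) or text[pos] != ")":
                raise ValueError("unbalanced filter: %r" % text)
            pos += 1
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, children)
        end = text.find(")", pos)          # escaped ')' is \29, so this is safe
        if end < 0:
            raise ValueError("unbalanced filter: %r" % text)
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError("unsupported filter item: %r" % text[pos:end])
        pos = end + 1
        return ("=", attr, _unescape(value))

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data in filter: %r" % text[pos:])
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry's attributes."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    actual = entry.get(attr)
    # Assumption: uid uses caseIgnoreMatch (RFC 4519), so compare case-insensitively.
    return actual is not None and actual.lower() == value.lower()


def _in_scope(dn, base, subtree):
    """userSubtree="true" searches the whole subtree; "false" only one level down."""
    dn_l, base_l = dn.lower(), base.lower()
    if not dn_l.endswith("," + base_l):
        return False
    rdn_part = dn_l[: -len(base_l) - 1]
    return subtree or "," not in rdn_part


def user_by_search(username, user_base=USER_BASE, user_search=USER_SEARCH, user_subtree=True):
    """Search path: DN of the single entry matching userSearch, else None.

    The allow-list in the filter is enforced here because the filter itself
    decides which entries can be found; an ambiguous result counts as no user."""
    filt = parse_filter(user_search.replace("{0}", escape_filter_value(username)))
    hits = [dn for dn, entry in DIRECTORY.items()
            if _in_scope(dn, user_base, user_subtree) and matches(filt, entry)]
    return hits[0] if len(hits) == 1 else None


def user_by_pattern(username, user_pattern=USER_PATTERN):
    """Pattern path: the DN is built from the template and bound directly.

    No filter runs, so every directory user with a valid password passes.
    (DN escaping per RFC 4514 is not modelled in this example.)"""
    dn = user_pattern.replace("{0}", username)
    return dn if dn in DIRECTORY else None


if __name__ == "__main__":
    for name in ("user1", "user2", "user3"):
        print(name, "search:", user_by_search(name), "| pattern:", user_by_pattern(name))
```

Running it shows user3 rejected by the search path but accepted by the pattern path, and user2 found only when userSubtree is true because the entry sits one level deeper than userBase. The escaping helper is the defensive detail to keep: a username containing filter metacharacters must reach the directory as a literal value, not as filter syntax.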
--
View this message in context:
http://old.nabble.com/Allowing-only-specific-users-LDAP-access-tp28819437p28823014.html
Sent from the Tomcat - User mailing list archive at Nabble.com.