Dear List
We have a user (uid=user1,ou=people,ou=users,dc=ou,dc=beispiel,dc=de)
defined as follows:
cn: user1
gidNumber: 513
homeDirectory: /home/user1
objectClass: top
objectClass: inetOrgPerson
sn: user1
uid: user1
uidNumber: 1021
Here is the group (cn=manager,ou=groups,dc=ou,dc=beispiel,dc=de):
cn: manager
displayName: manager
gidNumber: 1020
memberUid: user1
memberUid: user2
objectClass: posixGroup
What I want to do is to get the role "manager" for the user "user1". I
configured it the following way:
(I replaced some IDs).
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
connectionURL="ldaps://my.host.ip.here:636"
userPattern="uid={0},ou=people,ou=users,dc=ou,dc=beispiel,dc=de"
roleBase="ou=groups,dc=ou,dc=beispiel,dc=de"
roleName="cn"
roleSearch="(memberUid={1})"
/>
The access to LDAP is restricted for anonymous users; anonymous users
are not allowed to retrieve anything.
Password authorization is done in the LDAP system. In the example above
the user "user1" should authenticate against the LDAP with his password.
As I understand the catalina-logfile this works quite well.
2006-04-27 11:40:50 JNDIRealm[Catalina]: lookupUser(user1)
2006-04-27 11:40:50 JNDIRealm[Catalina]:
dn=uid=user1,ou=people,ou=users,dc=ou,dc=beispiel,dc=de
2006-04-27 11:40:50 JNDIRealm[Catalina]: validating credentials by
binding as the user
2006-04-27 11:40:50 JNDIRealm[Catalina]: binding as
uid=user1,ou=people,ou=users,dc=ou,dc=beispiel,dc=de
2006-04-27 11:40:50 JNDIRealm[Catalina]: Username user1 successfully
authenticated
2006-04-27 11:40:50 JNDIRealm[Catalina]:
getRoles(uid=user1,ou=people,ou=users,dc=ou,dc=beispiel,dc=de)
2006-04-27 11:40:50 JNDIRealm[Catalina]: Searching role base
'ou=groups,dc=ou,dc=beispiel,dc=de' for attribute 'cn'
2006-04-27 11:40:50 JNDIRealm[Catalina]: With filter expression
'(memberUid=user1)'
2006-04-27 11:40:50 JNDIRealm[Catalina]: Returning 0 roles
As it seems I have a problem getting the roles.
I got an excerpt from our LDAP-server administrator, which seems quite
interesting:
Apr 27 11:44:30 pdc slapd[14964]: conn=13 op=21 BIND
dn="uid=user1,ou=people,ou=users,dc=ou,dc=beispiel,dc=de" method=128
Apr 27 11:44:30 pdc slapd[14964]: conn=13 op=21 BIND
dn="uid=user1,ou=people,ou=users,dc=ou,dc=beispiel,dc=de" mech=SIMPLE ssf=0
Apr 27 11:44:30 pdc slapd[14964]: conn=13 op=21 RESULT tag=97 err=0 text=
Apr 27 11:44:30 pdc slapd[14964]: conn=13 op=22 SRCH base="" scope=0
deref=3 filter="(objectClass=*)"
Apr 27 11:44:30 pdc slapd[14964]: conn=13 op=22 SEARCH RESULT tag=101
err=0 nentries=1 text=
Apr 27 11:44:30 pdc slapd[14964]: conn=13 op=23 BIND anonymous
mech=implicit ssf=0
Apr 27 11:44:30 pdc slapd[14964]: conn=13 op=23 BIND dn="" method=128
Apr 27 11:44:30 pdc slapd[14964]: conn=13 op=23 RESULT tag=97 err=0 text=
Apr 27 11:44:30 pdc slapd[14964]: conn=13 op=24 SRCH
base="ou=groups,dc=ou,dc=beispiel,dc=de" scope=2 deref=3
filter="(memberUid=user1)"
Apr 27 11:44:30 pdc slapd[14964]: conn=13 op=24 SRCH attr=cn
Apr 27 11:44:30 pdc slapd[14964]: conn=13 op=24 SEARCH RESULT tag=101
err=0 nentries=0 text=
My interpretation of the logfile is the following:
- first we have a successful authentication for user1, as there is a BIND
on the LDAP server for the user 'user1'.
- when it comes to retrieving the roles/group, there is an additional BIND
- this one is anonymous; as an anonymous user is NOT allowed to retrieve
anything from the LDAP (auth only), no roles are returned.
Am I right with my interpretation?
Is this a bug or a feature?
How can I change the behaviour of the JNDIRealm so that the second
request (for the group) is executed by the authenticated "user1"? We are
not able to change the LDAP server's configuration :-(
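The interpretation above can be checked mechanically rather than by eye. The following script is an added example (not code from the original post or from Tomcat): it walks slapd connection-log lines of the format quoted in the post, tracks which DN each connection is bound as (a BIND only takes effect once its RESULT reports err=0), and attaches that identity to every SRCH/SEARCH RESULT pair. A search that ran with no bound identity and came back with err=0 but nentries=0 is exactly the "anonymous role search returns nothing" pattern described. The log lines embedded below are constructed to mirror the post's excerpt.

```python
"""Correlate OpenLDAP (slapd) log lines to see which identity each search ran under.

Added example, not code from the original post.  SAMPLE_LOG is constructed
to match the format the post quotes (conn=/op= prefixes, BIND / RESULT /
SRCH / SEARCH RESULT lines).
"""
import re
from dataclasses import dataclass

# Constructed sample mirroring the post's slapd excerpt (not a real capture).
SAMPLE_LOG = """\
Apr 27 11:44:30 pdc slapd[14964]: conn=13 op=21 BIND dn="uid=user1,ou=people,ou=users,dc=ou,dc=beispiel,dc=de" method=128
Apr 27 11:44:30 pdc slapd[14964]: conn=13 op=21 BIND dn="uid=user1,ou=people,ou=users,dc=ou,dc=beispiel,dc=de" mech=SIMPLE ssf=0
Apr 27 11:44:30 pdc slapd[14964]: conn=13 op=21 RESULT tag=97 err=0 text=
Apr 27 11:44:30 pdc slapd[14964]: conn=13 op=22 SRCH base="" scope=0 deref=3 filter="(objectClass=*)"
Apr 27 11:44:30 pdc slapd[14964]: conn=13 op=22 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 27 11:44:30 pdc slapd[14964]: conn=13 op=23 BIND anonymous mech=implicit ssf=0
Apr 27 11:44:30 pdc slapd[14964]: conn=13 op=23 BIND dn="" method=128
Apr 27 11:44:30 pdc slapd[14964]: conn=13 op=23 RESULT tag=97 err=0 text=
Apr 27 11:44:30 pdc slapd[14964]: conn=13 op=24 SRCH base="ou=groups,dc=ou,dc=beispiel,dc=de" scope=2 deref=3 filter="(memberUid=user1)"
Apr 27 11:44:30 pdc slapd[14964]: conn=13 op=24 SRCH attr=cn
Apr 27 11:44:30 pdc slapd[14964]: conn=13 op=24 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

OP_RE = re.compile(r"conn=(\d+) op=(\d+) (.*)$")
BIND_DN_RE = re.compile(r'^BIND dn="([^"]*)"')
BIND_RESULT_RE = re.compile(r"^RESULT tag=97 err=(\d+)")      # tag 97 = BindResponse
SRCH_RE = re.compile(r'^SRCH base="([^"]*)" scope=(\d+) .*filter="([^"]*)"')
SRCH_RESULT_RE = re.compile(r"^SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)")


@dataclass
class Search:
    conn: int
    op: int
    base: str
    scope: int
    ldap_filter: str
    bound_as: str          # DN the connection was bound as; "" means anonymous
    err: int = -1          # filled in from the matching SEARCH RESULT line
    nentries: int = -1

    @property
    def anonymous(self) -> bool:
        return self.bound_as == ""


def correlate(lines):
    """Return one Search per SRCH operation, annotated with the bound identity."""
    pending_bind = {}   # (conn, op) -> DN requested by a BIND, until its RESULT arrives
    bound_as = {}       # conn -> DN currently bound on that connection ("" = anonymous)
    searches = {}       # (conn, op) -> Search, in log order
    for line in lines:
        m = OP_RE.search(line)
        if not m:
            continue
        conn, op, rest = int(m.group(1)), int(m.group(2)), m.group(3)
        if rest.startswith("BIND anonymous"):
            pending_bind[(conn, op)] = ""
        elif (b := BIND_DN_RE.match(rest)):
            pending_bind[(conn, op)] = b.group(1)
        elif (r := BIND_RESULT_RE.match(rest)):
            # A bind only changes the connection's identity if the server accepted it.
            dn = pending_bind.pop((conn, op), None)
            if dn is not None and int(r.group(1)) == 0:
                bound_as[conn] = dn
        elif (s := SRCH_RE.match(rest)):
            searches[(conn, op)] = Search(conn, op, s.group(1), int(s.group(2)),
                                          s.group(3), bound_as.get(conn, ""))
        elif (sr := SRCH_RESULT_RE.match(rest)):
            if (conn, op) in searches:
                searches[(conn, op)].err = int(sr.group(1))
                searches[(conn, op)].nentries = int(sr.group(2))
    return list(searches.values())


def empty_anonymous_searches(searches):
    """Searches that ran unbound and returned nothing: the post's symptom.

    Note err=0 here: a server that merely hides entries from anonymous
    clients answers success with zero results, not an error."""
    return [s for s in searches if s.anonymous and s.err == 0 and s.nentries == 0]


if __name__ == "__main__":
    for s in correlate(SAMPLE_LOG.splitlines()):
        who = "anonymous" if s.anonymous else s.bound_as
        print(f"conn={s.conn} op={s.op} base={s.base!r} filter={s.ldap_filter} "
              f"as={who} nentries={s.nentries}")
    for s in empty_anonymous_searches(correlate(SAMPLE_LOG.splitlines())):
        print(f"FLAG: role search op={s.op} ran anonymously and returned nothing")
```

On the sample the rootDSE search (op=22) is reported as bound by user1 and returning one entry, while the group search (op=24) is flagged as anonymous with zero entries, which matches the interpretation in the post. On the Tomcat side, JNDIRealm performs its directory lookups under the identity given by the realm's connectionName and connectionPassword attributes and falls back to an anonymous bind when they are absent, which is what the slapd log shows; configuring those two attributes with a low-privilege service account that is permitted to read ou=groups is the usual remedy when the directory cannot be changed, and later Tomcat releases additionally offer a roleSearchAsUser attribute to run the role search as the freshly authenticated user.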