https://bz.apache.org/bugzilla/show_bug.cgi?id=62214

            Bug ID: 62214
           Summary: The "userSubtree=true" and "roleSubtree=true" in
                    JNDIRealm not working
           Product: Tomcat 8
           Version: 8.5.29
          Hardware: PC
            Status: NEW
          Severity: major
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: marian.romasc...@nuance.com
  Target Milestone: ----

Created attachment 35809
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35809&action=edit
ssotest users and groups in AD

In JNDIRealm, userSubtree=true does not perform as expected:
userSubtree:
Set to true if you want to search the entire subtree of the element specified
by the userBase property for the user's entry. The default value of false
causes only the top level to be searched. Not used if you are using the
userPattern expression.

Example below: the server.xml working configuration
Users under  OU=testUsers,OU=users,OU=nonDefault,DC=pslab,DC=corp

Groups under OU=testGroups,OU=nonDefault,DC=pslab,DC=corp

The JNDIRealm below does not work for ssotestuser1...ssotestuser4:
it results in failed LDAP authentication (and a 401 error returned to the browser).

        <Realm className="org.apache.catalina.realm.CombinedRealm">
          <!-- Use the LockOutRealm to prevent attempts to guess user passwords
               via a brute-force attack -->
          <Realm className="org.apache.catalina.realm.LockOutRealm">
            <!-- This Realm uses the UserDatabase configured in the global JNDI
                 resources under the key "UserDatabase".  Any edits
                 that are performed against this UserDatabase are immediately
                 available for use by the Realm.  -->
            <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
                   resourceName="UserDatabase"/>
          </Realm>
          <!-- userBase and roleBase below are relative to the base DN given in
               connectionURL. "debug" is not a JNDIRealm property in Tomcat 8.5;
               it is ignored with a "did not find a matching property" warning. -->
          <Realm className="org.apache.catalina.realm.JNDIRealm"
                 debug="10"
                 connectionURL="ldap:///DC=pslab,DC=corp"
                 authentication="simple"
                 referrals="follow"
                 adCompat="true"
                 userSearch="(sAMAccountName={0})"
                 userSubtree="true"
                 userBase="OU=users,OU=nonDefault"
                 userRoleName="memberOf"
                 roleSubtree="true"
                 roleBase="OU=testGroups,OU=nonDefault"
                 roleName="cn"
                 roleSearch="(member={0})"
                 roleNested="true"
                 connectionName="CN=LDAP Bind,OU=serviceAccounts,OU=users,OU=nonDefault,DC=pslab,DC=corp"
                 connectionPassword="removed"
          />
        </Realm>

Exactly same configuration with userBase="OU=testUsers,OU=users,OU=nonDefault"
works fine.

The same applies to roleBase. If, in the working configuration, we set
roleBase="OU=nonDefault", authentication fails despite roleSubtree="true" and a
401 error is returned to the browser.
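The report above hinges on what userSubtree / roleSubtree are documented to do: select the LDAP search scope (one-level when false, whole subtree when true) rooted at userBase / roleBase, which in this configuration are relative to the base DN in connectionURL. The following is an added example, not Tomcat's code and not the reporter's, that models those scope semantics against a constructed directory. The DNs, group names (ssotestgroup, ssoparent, outside) and the service-account sAMAccountName are assumptions modelled on the OUs named in the report; it shows the outcome the documentation leads one to expect from each userBase / roleBase value, not what Tomcat 8.5.29 actually returned.

```python
"""Offline model of the search scopes selected by JNDIRealm's userSubtree and
roleSubtree attributes (JNDI ONELEVEL_SCOPE vs SUBTREE_SCOPE), evaluated
against a constructed directory. Added example for this bug report; it is not
Tomcat code and does not talk to a real LDAP server."""

# Base DN carried in connectionURL="ldap:///DC=pslab,DC=corp".
ROOT_DN = "DC=pslab,DC=corp"

# Constructed directory (assumption): sAMAccountName -> user DN, placed in the
# OUs the report names. "svcldapbind" is an assumed name for the bind account.
USERS = {
    "ssotestuser1": "CN=ssotestuser1,OU=testUsers,OU=users,OU=nonDefault,DC=pslab,DC=corp",
    "ssotestuser2": "CN=ssotestuser2,OU=testUsers,OU=users,OU=nonDefault,DC=pslab,DC=corp",
    "svcldapbind": "CN=LDAP Bind,OU=serviceAccounts,OU=users,OU=nonDefault,DC=pslab,DC=corp",
}

# Constructed groups (assumption): group DN -> member DNs. "ssoparent" contains
# a group rather than users so that roleNested has something to resolve;
# "outside" lives in an OU that roleBase should never cover.
GROUPS = {
    "CN=ssotestgroup,OU=testGroups,OU=nonDefault,DC=pslab,DC=corp": {
        USERS["ssotestuser1"], USERS["ssotestuser2"]},
    "CN=ssoparent,OU=testGroups,OU=nonDefault,DC=pslab,DC=corp": {
        "CN=ssotestgroup,OU=testGroups,OU=nonDefault,DC=pslab,DC=corp"},
    "CN=outside,OU=otherGroups,DC=pslab,DC=corp": {USERS["ssotestuser1"]},
}


def rdns(dn):
    """DN -> list of normalised RDNs, root first. Handles only unescaped
    commas, which is all the DNs in this report need."""
    return [part.strip().lower() for part in dn.split(",")][::-1]


def qualify(base_dn, root_dn=ROOT_DN):
    """userBase / roleBase are relative to the connectionURL's base DN unless
    they already end in it; return the absolute DN the search is rooted at."""
    if rdns(base_dn)[: len(rdns(root_dn))] == rdns(root_dn):
        return base_dn
    return f"{base_dn},{root_dn}"


def in_scope(entry_dn, base_dn, subtree):
    """Would a search rooted at base_dn return entry_dn?
    subtree=False -> ONELEVEL_SCOPE: immediate children of the base only.
    subtree=True  -> SUBTREE_SCOPE: the base itself and every descendant."""
    entry, base = rdns(entry_dn), rdns(base_dn)
    if entry[: len(base)] != base:
        return False
    if subtree:
        return True
    return len(entry) - len(base) == 1


def find_user(sam, user_base, user_subtree, users=USERS):
    """Model userSearch="(sAMAccountName={0})" under userBase / userSubtree.
    Returns the DN the realm would bind as, or None, which is the case that
    surfaces as failed authentication and an HTTP 401."""
    dn = users.get(sam)
    if dn and in_scope(dn, qualify(user_base), user_subtree):
        return dn
    return None


def find_roles(user_dn, role_base, role_subtree, nested, groups=GROUPS):
    """Model roleSearch="(member={0})" with roleName="cn" under roleBase /
    roleSubtree. With nested=True the found groups are themselves searched
    for as members (roleNested), until no new group appears. Returns the
    sorted list of role names (the cn values)."""
    base = qualify(role_base)
    found, frontier = [], [user_dn]
    while frontier:
        member = frontier.pop()
        for group_dn, members in groups.items():
            if (member in members and group_dn not in found
                    and in_scope(group_dn, base, role_subtree)):
                found.append(group_dn)
                if nested:
                    frontier.append(group_dn)
    return sorted(rdns(g)[-1].split("=", 1)[1] for g in found)


if __name__ == "__main__":
    for base, subtree in [("OU=users,OU=nonDefault", True),
                          ("OU=users,OU=nonDefault", False),
                          ("OU=testUsers,OU=users,OU=nonDefault", False)]:
        print(f"userBase={base!r} userSubtree={subtree}: "
              f"{find_user('ssotestuser1', base, subtree)}")
    user = USERS["ssotestuser1"]
    for base, subtree in [("OU=testGroups,OU=nonDefault", True),
                          ("OU=nonDefault", True), ("OU=nonDefault", False)]:
        print(f"roleBase={base!r} roleSubtree={subtree}: "
              f"{find_roles(user, base, subtree, nested=True)}")
```

Under these semantics userBase="OU=users,OU=nonDefault" with userSubtree="true" should locate a user two levels down in OU=testUsers, and roleBase="OU=nonDefault" with roleSubtree="true" should still return the groups under OU=testGroups; only the one-level searches (subtree=false) come back empty. Comparing the model's answers with what the realm actually does, for instance by running the same searches with ldapsearch using -s one and -s sub against the bind account, separates a realm bug from a directory ACL or referral problem on the bind account.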
