https://bz.apache.org/bugzilla/show_bug.cgi?id=62214
--- Comment #3 from marian.romasc...@nuance.com ---

Retested on a different AD domain controller and the recursion works - at least one level up from the OUs immediately above the users / roles.

But there is a catch which might require a fix. This test involved multiple JNDIRealms. The issue is the following: a JNDIRealm entry coming first in the "combined realm" and matching the user but not the role will mask a JNDIRealm entry coming after it that matches both user and role.

For instance, let's assume we have:

  user "user1" under "OU=Users, OU=contains-user1-but-not-user2", member of "group1" but not "group2"
  user "user2" under "OU=Users, OU=contains-user2", member of "group2" but not "group1"

  JNDIRealm #1: userBase="OU=Users" roleBase="OU=contains-group1-but-not-group2"
  JNDIRealm #2: userBase="OU=Users" roleBase="OU=contains-group2"

When user1 tries to authenticate via SSO it succeeds, but when user2 tries to authenticate it fails.

I think that's because the LDAP search logic in the "combined realm" finds user2 under "OU=Users" in JNDIRealm entry #1 and then checks whether any of the roles defined in the "security constraints" for user2 match any of user2's member-of groups, and whether any of these is present under roleBase="OU=contains-group1-but-not-group2", which is not the case. The "combined realm" logic does not try the next JNDIRealm entry, which would succeed for user2.
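As an added illustration (not configuration taken from the bug report or from Tomcat's documentation), here is a server.xml Realm section laid out the way the comment describes, with the user/role bases kept in the comment's abbreviated form. The connection URL, bind account, search filters and the single-realm alternative at the end are assumptions.

```xml
<!-- Added example: CombinedRealm holding the two JNDIRealms from the comment.
     connectionURL, connectionName and the search filters are assumed values;
     userBase/roleBase are the comment's abbreviated OUs (a real deployment
     uses full DNs including the DC components). -->
<Realm className="org.apache.catalina.realm.CombinedRealm">

  <!-- JNDIRealm #1: the user search (userSubtree="true") finds both user1 and
       user2, but roleBase only holds group1. For user2 this realm yields a
       user match with no matching role. -->
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://dc1.example.com:389"
         connectionName="CN=svc-tomcat,OU=Service Accounts,DC=example,DC=com"
         connectionPassword="REPLACE-WITH-BIND-PASSWORD"
         userBase="OU=Users"
         userSubtree="true"
         userSearch="(sAMAccountName={0})"
         roleBase="OU=contains-group1-but-not-group2"
         roleSubtree="true"
         roleName="cn"
         roleSearch="(member={0})" />

  <!-- JNDIRealm #2: same user search, roleBase holds group2. This is the realm
       user2 needs; the comment reports it is never consulted once realm #1
       has already matched the user. -->
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://dc1.example.com:389"
         connectionName="CN=svc-tomcat,OU=Service Accounts,DC=example,DC=com"
         connectionPassword="REPLACE-WITH-BIND-PASSWORD"
         userBase="OU=Users"
         userSubtree="true"
         userSearch="(sAMAccountName={0})"
         roleBase="OU=contains-group2"
         roleSubtree="true"
         roleName="cn"
         roleSearch="(member={0})" />
</Realm>

<!-- Assumed alternative, relying on the recursion the comment says works: if
     both group OUs sit under one common parent, a single JNDIRealm with
     roleBase at that parent and roleSubtree="true" sees group1 and group2
     and avoids the first-realm masking altogether. -->
<!--
<Realm className="org.apache.catalina.realm.JNDIRealm"
       ...
       roleBase="OU=common-parent-of-both-group-OUs"
       roleSubtree="true"
       roleName="cn"
       roleSearch="(member={0})" />
-->
```

Note that the masking the comment describes fails closed: user2 is denied, not granted group1's roles, so the impact is an availability/authorization failure for legitimate users rather than an escalation.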