Brandon DuRette wrote:
> While trying to track down an issue with logins taking a very long time, I
> just discovered in the 5.5.26 source code/Javadoc for JNDIRealm (likewise in
> the 6.0 documentation) that there's a big bold TODO to support connection
> pooling in the JNDIRealm. I think this may be part of the login problem I'm
> seeing.
>
> Looking over the current source code, I can see that it's going to require a
> fairly extensive refactoring of the JNDIRealm code. I'm willing to take a
> shot at fixing it, but wanted to first check with the list on a couple of
> ::::
> Thanks in advance for any pointers.
>
> Regards,
> Brandon
Dear Brandon,

re-doing JNDIRealm seems to me very necessary, but for another reason than yours, mentioned above.

As I said in my mail (27 Feb 2008 to bug 42579), JNDIRealm is hardly usable with (Windows Server 2003) Active Directory Domains -- except for very small / trivial cases. After a long history of frustrations, I solved all the Tomcat+AD issues by my own ADweRealm. Experiences are, so far, 100% good (with Apache Tomcat/6.0.16 on JDK 1.6.0_05 and before also with 5.5.x on 1.5.0_y). I offered the solution, already, in the mentioned mail. (Got nil reactions.)

Perhaps you could make your newly designed JNDIRealm really fit for Active Directory. It would be warmly welcomed by all who tried to use / would have liked to use (but, as I know from some, gave up) Tomcat with AD.

Good luck
Albrecht

--------------
PS.: For your convenience follows part of the mentioned mail, in the hope of giving some of the pointers you asked for in your mail.

--- Comment #2 from Dr. Albrecht Weinert <[EMAIL PROTECTED]> 2008-02-27 22:48:41 ---

By the way of JNDI/Tomcat + Active Directory: JNDIRealm is/was never quite happy with Active Directory for a variety of reasons. After a bunch of frustrations (of which the lying isUserInGruop() was one of the worst), some time ago, I decided to write a new Realm class, which I may contribute.

http://www.a-weinert.de/java/docs/aWeinertBib/de/a_weinert/realm/ADweRealm.html

ADweRealm searches only one way (performance!) from the (authenticated) user to his groups. It follows the quite important group-in-group relations (to any depth), and so on. Experiences in a Windows Server 2003 domain (3000+ user accounts, hundreds of groups etc.) are quite encouraging. None of the Tomcat + Active Directory problems, which Google is full of, arose any more.
-- working config example, part of C:\Programme\Apache\Tomcat\conf\server.xml:

<!-- ADweRealm added 17.02.2008, a Realm for Active Directory
     Special development logging can be switched on by
       devLog="C:\Programme\Apache\Tomcat\logs\awRe.log"
     or devLog=" " which gives the above as default.
     Omit for no extra logging by de.a_weinert.realm.ADweRealm.DevLog
     Default attributes (can be omitted if the value fits) are:
       userRoleName="memberOf"
       userSubtree="true"
       userSearch="(sAMAccountName={0})"
       shortRoles="true" (or "both")
       followRoles="true"
-->
<Realm name="ADsso" className="de.a_weinert.realm.ADweRealm"
       devLog="C:\Programme\Apache\Tomcat\logs\awRe.log"
       allRolesMode="authOnly"
       connectionURL="ldap://193.175.115.2:389"
       alternateURL="ldap://193.175.115.4:389"
       connectionName="CN=l****,CN=Users,DC=FB3-MEVA,DC=fh-bochum,DC=de"
       connectionPassword="ld****"
       userBase="DC=FB3-MEVA,DC=fh-bochum,DC=de"
       defaultRole="fb3-meva_user"
       shortRoles="short" />

----------------------------------------+------------------------------
Prof. Dr.-Ing. Albrecht Weinert         | Phone +49 (0)234 / 32 - 10328
Department 3                            |
Electrical Engineering and Computer Sc. | Hochschule Bochum
Laboratory for Media and                | Lennershofstraße 140
Distributed Applications                | 44801 Bochum
                                        |
Homepage: http://www.a-weinert.de       | E-Mail: [EMAIL PROTECTED]
                                        |         [EMAIL PROTECTED]
----------------------------------------+------------------------------
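The one-way, user-to-groups role resolution with group-in-group nesting that the mail above describes, as an added stand-alone example (not ADweRealm's or Tomcat's code) run over a constructed in-memory stand-in for the memberOf attribute. The DNs, the group cycle, and the shortRoles/defaultRole semantics are assumptions made for illustration.

```python
from typing import Dict, List, Optional, Set

# Constructed sample directory: entry DN -> values of its memberOf attribute.
# It has a nested group (Staff -> AllUsers) and a deliberate cycle (CycleA <-> CycleB).
BASE = "DC=example,DC=test"
DIRECTORY: Dict[str, List[str]] = {
    f"CN=jdoe,CN=Users,{BASE}": [f"CN=WebAdmins,OU=Groups,{BASE}", f"CN=Staff,OU=Groups,{BASE}"],
    f"CN=WebAdmins,OU=Groups,{BASE}": [f"CN=CycleA,OU=Groups,{BASE}"],
    f"CN=Staff,OU=Groups,{BASE}": [f"CN=AllUsers,OU=Groups,{BASE}"],
    f"CN=AllUsers,OU=Groups,{BASE}": [],
    f"CN=CycleA,OU=Groups,{BASE}": [f"CN=CycleB,OU=Groups,{BASE}"],
    f"CN=CycleB,OU=Groups,{BASE}": [f"CN=CycleA,OU=Groups,{BASE}"],
}

def member_of(dn: str) -> List[str]:
    """Stand-in for one LDAP read of an entry's memberOf attribute (userRoleName)."""
    return DIRECTORY.get(dn, [])

def short_name(dn: str) -> str:
    """Leading RDN value, e.g. 'WebAdmins' from 'CN=WebAdmins,OU=Groups,...'."""
    rdn = dn.split(",", 1)[0]
    return rdn.split("=", 1)[1] if "=" in rdn else rdn

def resolve_groups(user_dn: str) -> Set[str]:
    """All groups reachable from the user, directly or through nested groups.
    Only the user -> group direction is read; a visited set stops cycles."""
    seen: Set[str] = set()
    pending = list(member_of(user_dn))
    while pending:
        group = pending.pop()
        if group in seen:
            continue
        seen.add(group)
        pending.extend(member_of(group))
    return seen

def roles_for(user_dn: str, short_roles: str = "short",
              default_role: Optional[str] = None) -> Set[str]:
    """Map resolved groups to role names: "short"/"true" gives RDN values, "both"
    adds full DNs, anything else keeps DNs only; defaultRole goes to every user."""
    groups = resolve_groups(user_dn)
    roles: Set[str] = set()
    if short_roles in ("short", "true", "both"):
        roles.update(short_name(g) for g in groups)
    if short_roles not in ("short", "true"):
        roles.update(groups)
    if default_role:
        roles.add(default_role)
    return roles
```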