Henri Gomez wrote:
I do some search today and debugged TC 6.0.x trunk from my eclipse.
Authentification works great and the only remaining problem it so
setup roles in AD for users.
I used :
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldap://ldap.mycorp.com:389";
alternateURL="ldap://ldap.mycorp.com:389";
connectionName="cn=someldapaccounttobind,ou=MyCorp
Users,dc=mycorp,dc=com"
connectionPassword="someldapaccounttobindpassword"
userBase="ou=MyCorp Users,dc=mycorp,dc=com"
userSearch="(sAMAccountName={0})"
userSubtree="true"
referrals="follow"
userRoleName="memberOf"
debug="true"
/>
Yes, this use case will work with the current Tomcat 6.0.X JNDIRealm
code because your Active Directory administrator has given you search
credentials for the Active Directory server
(cn=someldapaccounttobind,ou=MyCorpUsers,dc=mycorp,dc=com/someldapaccounttobindpassword).
But not all Active Directory administrators are willing to give out a
set of credentials like this (for instance, a strict, enterprise
environment where password access is strictly controlled).
My patch removes that requirement from the JNDIRealm. Instead of relying
on a hard-coded value for authentication, it can fall back to using the
credentials being supplied to the authenticate() call to perform the
JNDI search (which will succeed because users have permissions to view
their own LDAP object instance, as far as I know this is always true).
The password is never stored; it is only transmitted at login time to
the server (and this transmission can be protected from interception
with LDAP over SSL).
It's a pretty minor change, written similarly to the way that the
current JNDIRealm code retries during connection timeouts.
Seth Leger
Sr. Software Engineer
Raritan, Inc.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
