Do you have a patch against the current JNDIRealm ?

2008/4/22, Seth Leger <[EMAIL PROTECTED]>:
> Henri Gomez wrote:
>
> > I did some searching today and debugged TC 6.0.x trunk from my Eclipse.
> > Authentication works great and the only remaining problem is how to
> > set up roles in AD for users.
> >
> > I used :
> >
> > <Realm
> >     className="org.apache.catalina.realm.JNDIRealm"
> >     connectionURL="ldap://ldap.mycorp.com:389"
> >     alternateURL="ldap://ldap.mycorp.com:389"
> >     connectionName="cn=someldapaccounttobind,ou=MyCorp Users,dc=mycorp,dc=com"
> >     connectionPassword="someldapaccounttobindpassword"
> >     userBase="ou=MyCorp Users,dc=mycorp,dc=com"
> >     userSearch="(sAMAccountName={0})"
> >     userSubtree="true"
> >     referrals="follow"
> >     userRoleName="memberOf"
> >     debug="true"
> > />
>
> Yes, this use case will work with the current Tomcat 6.0.X JNDIRealm code
> because your Active Directory administrator has given you search credentials
> for the Active Directory server
> (cn=someldapaccounttobind,ou=MyCorpUsers,dc=mycorp,dc=com/someldapaccounttobindpassword).
> But not all Active Directory administrators are willing to give out a set of
> credentials like this (for instance, a strict, enterprise environment where
> password access is strictly controlled).
>
> My patch removes that requirement from the JNDIRealm. Instead of relying on
> a hard-coded value for authentication, it can fall back to using the
> credentials being supplied to the authenticate() call to perform the JNDI
> search (which will succeed because users have permissions to view their own
> LDAP object instance, as far as I know this is always true). The password is
> never stored; it is only transmitted at login time to the server (and this
> transmission can be protected from interception with LDAP over SSL).
>
> It's a pretty minor change, written similarly to the way that the current
> JNDIRealm code retries during connection timeouts.
>
> Seth Leger
> Sr. Software Engineer
> Raritan, Inc.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
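As an added illustration of the mechanism Seth describes (bind with the credentials the user supplies at login, then use that same bound connection to search for the user's own entry and read its memberOf values), here is a stand-alone Java program. It is example code written for this thread, not Tomcat's JNDIRealm and not Seth's patch. The host name, base DN and domain are placeholder values taken from the configuration quoted above; the use of ldaps:// on port 636 is an assumption that puts into practice the "LDAP over SSL" protection the thread mentions. Two checks are included that the thread does not spell out but that any self-bind realm needs: an empty password is rejected before the bind (an LDAP simple bind with a name and an empty password is treated as unauthenticated and succeeds), and the username is escaped before it is placed in the search filter.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Example (not Tomcat's JNDIRealm, not the patch from the thread):
 * authenticate against Active Directory by binding with the user's own
 * credentials, then search for the user's entry and collect memberOf.
 * No shared "connectionName" search account is needed.
 */
public class SelfBindLdapAuth {

    // Assumed placeholder values modelled on the thread's configuration.
    private static final String URL = "ldaps://ldap.mycorp.com:636";
    private static final String USER_BASE = "ou=MyCorp Users,dc=mycorp,dc=com";
    private static final String DOMAIN = "mycorp.com";

    /** Escape a value for use inside an LDAP search filter (RFC 4515). */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Returns the user's memberOf DNs on success, or null if authentication fails. */
    static List<String> authenticate(String username, String password) throws NamingException {
        // A simple bind with an empty password is an unauthenticated bind and
        // "succeeds" on most servers, so refuse it before talking to the server.
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            return null;
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        // AD accepts a userPrincipalName as the bind identity, so no DN lookup
        // (and therefore no privileged search account) is needed before the bind.
        env.put(Context.SECURITY_PRINCIPAL, username + "@" + DOMAIN);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put(Context.REFERRAL, "follow");

        DirContext ctx;
        try {
            ctx = new InitialDirContext(env); // the bind itself is the authentication step
        } catch (AuthenticationException e) {
            return null; // wrong password, unknown user, or disabled account
        }
        try {
            // The connection is now bound as the user, who can read their own entry.
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"memberOf"});
            String filter = "(sAMAccountName=" + escapeFilterValue(username) + ")";
            NamingEnumeration<SearchResult> results = ctx.search(USER_BASE, filter, sc);
            List<String> roles = new ArrayList<>();
            if (results.hasMore()) {
                Attribute memberOf = results.next().getAttributes().get("memberOf");
                if (memberOf != null) {
                    NamingEnumeration<?> values = memberOf.getAll();
                    while (values.hasMore()) {
                        roles.add(values.next().toString());
                    }
                }
            }
            return roles;
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        if (args.length != 1 || System.console() == null) {
            System.err.println("usage (from a terminal): SelfBindLdapAuth <sAMAccountName>");
            System.exit(2);
        }
        String password = new String(System.console().readPassword("password: "));
        List<String> roles = authenticate(args[0], password);
        if (roles == null) {
            System.out.println("authentication failed");
        } else {
            System.out.println("authenticated; memberOf:");
            for (String r : roles) System.out.println("  " + r);
        }
    }
}
```

Run it from a terminal with `java SelfBindLdapAuth alice` and enter the password at the prompt. Because the search runs under the user's own identity, it only returns what that account is allowed to read; for the memberOf attribute on the user's own entry that is normally sufficient, which is the property Seth's fallback depends on. Group-based roles that are only visible through other objects (nested groups resolved on the group side) would still need a search account with wider read access.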