Posted to dev@tomcat.apache.org by bu...@apache.org on 2010/01/27 22:35:49 UTC
DO NOT REPLY [Bug 48629] New: JNDIRealm and roleNested doesn't work
with roleSearch="(member={1})"
https://issues.apache.org/bugzilla/show_bug.cgi?id=48629
Summary: JNDIRealm and roleNested doesn't work with
roleSearch="(member={1})"
Product: Tomcat 6
Version: 6.0.24
Platform: All
OS/Version: All
Status: NEW
Severity: minor
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: glandon@piti.pf
Created an attachment (id=24898)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=24898)
patch
roleNested, introduced with Tomcat 6.0.24, works well with
roleSearch="(member={0})", but not with roleSearch="(member={1})".
From the Tomcat doc:
"Use {0} to substitute the distinguished name (DN) of the user, and/or {1} to
substitute the username."
I've attached a patch to change the line:
    filter = roleFormat.format(new String[] { groupDN });
into:
    filter = roleFormat.format(new String[] { groupDN, groupDN });
Like that it handles both {0} and {1}.
Regards,
Gabriel.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
--- Comment #2 from Konstantin Kolinko <kn...@gmail.com> 2010-01-30 15:58:10 UTC ---
I do not think that this patch is good.
See, groupDN is a full distinguished name of a role, while in your case {1} was
just a name. Does it work for your configuration?
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
For reference, previous discussion:
http://markmail.org/message/cv3i6set7yte57yr
In any case,
1) If your configuration works when you do
   roleSearch="(member={1})" when {1} is a DN of a group,
   then I think we had better provide a separate attribute to specify the search
   filter for the nested roles.
   E.g.,
       roleSearch="(member={1})" roleNestedSearch="(member={0})"
   where {0} in the second case is a group DN, as it is now.
   We can default roleNestedSearch to be the same as roleSearch when
   roleNested="true", and to default roleNested="true" when roleNestedSearch is
   explicitly specified.
2) If you need unqualified rolename,
   it can be obtained, but the patch will be more complicated.
   In the code we have
       Set<String> newGroupDNs = new HashSet<String>(groupMap.keySet());
       ..
       for (String groupDN : newGroupDNs) {
       ..
       groupMap.put(dname, name);
   We should replace Set<String> newGroupDNs with
       Map<String,String> newGroups = new HashMap<String,String>(groupMap);
   Perform iteration over entrySet of the map:
       for (Map.Entry<String,String> newGroup : newGroups.entrySet()) {
   Then, newGroup.getKey() will give us the groupDN and newGroup.getValue() will
   give us the group name.
3) It would be nice to update realm-howto.html with documentation on using the
roleNested="true". It is not documented yet. Can you propose a patch for
/webapps/docs/realm-howto.xml, or at least describe your configuration so that
it can be provided as an example there?
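
The placeholder behaviour behind the report and the Map-based iteration proposed in comment #2, as an added example that is not part of the thread or of Tomcat's source. The class name, the escapeFilterValue and nestedFilter helpers and the sample DNs are hypothetical; the RFC 4515 escaping of substituted values is an assumption of this example and is not discussed in the thread.

```java
import java.text.MessageFormat;
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration, not Tomcat source. Class, helpers and sample data are hypothetical.
public class NestedRoleFilterDemo {

    // RFC 4515 escaping for a value placed inside a search filter.
    // Assumption of this example: the thread itself does not discuss escaping.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Build the nested-role filter with both arguments: {0} = group DN, {1} = group name.
    static String nestedFilter(MessageFormat roleFormat, String groupDN, String groupName) {
        return roleFormat.format(new String[] {
            escapeFilterValue(groupDN), escapeFilterValue(groupName) });
    }

    public static void main(String[] args) {
        MessageFormat roleFormat = new MessageFormat("(member={1})");

        // Constructed sample: group DN -> group name, shaped like groupMap in the thread.
        Map<String, String> newGroups = new LinkedHashMap<String, String>();
        newGroups.put("CN=Admins,O=Example", "Admins");
        newGroups.put("CN=Ops (EU),O=Example", "Ops (EU)");

        for (Map.Entry<String, String> newGroup : newGroups.entrySet()) {
            // Call shape from the report: only one argument is supplied, so
            // MessageFormat leaves the out-of-range {1} in the output as literal text.
            String oneArg = roleFormat.format(new String[] { newGroup.getKey() });
            String twoArgs = nestedFilter(roleFormat, newGroup.getKey(), newGroup.getValue());
            System.out.println(oneArg + "  ->  " + twoArgs);
        }
    }
}
```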
--- Comment #1 from Mark Thomas <ma...@apache.org> 2010-01-30 15:10:38 GMT ---
This has been fixed in trunk and proposed for 6.0.x.
Many thanks for the patch.
felix.schumacher@internetallee.de changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #24898|0                           |1
        is obsolete|                            |
  Attachment #24916|0                           |1
        is obsolete|                            |
--- Comment #5 from felix.schumacher@internetallee.de 2010-02-09 06:28:21 UTC ---
Created an attachment (id=24953)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=24953)
bring {1} to work in JNDIRealm with nested roles
Made the corrections proposed by Konstantin Kolinko.
--- Comment #4 from tahitiangabriel <gl...@piti.pf> 2010-02-01 10:30:40 UTC ---
Created an attachment (id=24916)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=24916)
add roleNested entry in doc
Here's a small patch to add the roleNested entry in the doc.
Maybe it would be nice to add an example also.
--- Comment #6 from Mark Thomas <ma...@apache.org> 2010-03-08 18:01:55 UTC ---
Thanks for the patch.
I have applied it to trunk and proposed it for 6.0.x.
--- Comment #3 from tahitiangabriel <gl...@piti.pf> 2010-02-01 10:02:22 UTC ---
I think having roleNestedSearch="(member={0})" is a very good idea. Like that
it should work for all kinds of configurations.
For the moment I've switched to the "member={0}" instead of "member={1}", so I
can use Tomcat 6.0.24 in production.
Here's my conf (for a Domino 8.5):
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionName="CN=XXXXXX,O=XXXXX"
       connectionPassword="XXXXXX"
       connectionURL="ldap://127.0.0.1:389"
       roleName="cn"
       roleNested="true"
       roleSearch="(member={0})"
       roleSubtree="true"
       userSearch="(uid={0})"
       userSubtree="true"/>
I'm not sure my English is good enough to update the doc...