Posted to users@tomcat.apache.org by Felix Schumacher <fe...@internetallee.de> on 2014/10/07 19:16:12 UTC

JNDIRealm and TLS, was: Re: JNDIRealm Authentication and Roles

Am 07.10.2014 um 14:32 schrieb Igor Cicimov:
> Hi Felix,
>
> First thanks for your reply.
>
> On Tue, Oct 7, 2014 at 6:35 PM, Felix Schumacher <
> felix.schumacher@internetallee.de> wrote:
>
>> Hi Igor,
>>
>> Am 07.10.2014 07:07, schrieb Igor Cicimov:
>>
>>> Hi all,
>>>
>>> I've been setting up user authentication based on JNDIRealm and have a
>>> couple of questions regarding the operation. I've been using one of the secured
>>> applications that come with the examples included in Tomcat source for
>>> testing. My setup with obfuscated names and passwords is as follows.
>>>
>> Which tomcat version do you use?
>>
> It's 7.0.52-1ubuntu0.1 from the Ubuntu 14.04 repository, sorry I missed
> mentioning that.
>
>
>>> I have the following Realm in the default host:
>>>
>>>        <Host name="localhost"  appBase="webapps" unpackWARs="true"
>>> autoDeploy="false">
>>>          <Realm className="org.apache.catalina.realm.JNDIRealm"
>>>                 debug="99"
>>>
>> debug is not used anymore, so just delete it.
>>
> Done.
>
>
>>>                 connectionURL="ldap://ldap1.mydomain.com:389"
>>>                 alternateURL="ldap://ldap2.mydomain.com:389"
>>>                 connectionName="cn=connect,ou=Users,dc=mydomain,dc=com"
>>>                 connectionPassword="password"
>>>                 userBase="ou=Users,dc=mydomain,dc=com"
>>>                 userSearch="uid={0}"
>>>                 roleBase="ou=Groups,dc=mydomain,dc=com"
>>>                 roleName="cn"
>>>                 roleSearch="memberUid={1}"
>>>                 contextFactory="org.apache.catalina.ldap.realm.LdapTlsContextFactory"/>
>>>
>> Do you need the LdapTlsContextFactory? If so, what is your ldap server
>> setup?
>>
> Good that you mentioned that; I wanted to ask about this in a separate
> thread. I was searching for STARTTLS support in the JNDIRealm and this was
> the only solution I could find. I got the directions from here:
> http://wiki.apache.org/tomcat/JNDI_startTLs_HowTo, so I compiled and
> installed the context factory since TLS is a must for my use case.
> It's working fine for me, but I still wanted to ask, since the above HowTo is
> from 2010: has this maybe been integrated into Tomcat mainstream now and
> I have missed something in the documentation, or is it still the (only) valid
> solution for TLS support?
If TLS is important to you, I hope you have changed the HostnameVerifier to
something more sensible :)

There is a bug request open:
https://issues.apache.org/bugzilla/show_bug.cgi?id=49785
but only very few people have asked for it in the last four years. You can
try to vote it up.

I have only used ldap servers which were reachable by ssl, so there was no
need for me to investigate further. Any reason why your ldap server
can't be used with ssl?

Felix


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
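Added example (not code from this thread, from Tomcat's JNDIRealm, or from the wiki's LdapTlsContextFactory): a plain-JNDI StartTLS bind that only sends the connection credentials after the TLS upgrade and keeps the JDK's certificate hostname check fatal instead of replacing it with an accept-all HostnameVerifier, which is the risk Felix alludes to above. It assumes a reachable LDAP server; the URL and bind DN mirror the Realm in the thread and the password is a placeholder.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

/** Hypothetical stand-alone StartTLS bind; not Tomcat's realm code. */
public final class StartTlsBind {

    /** Connects over ldap://, upgrades with StartTLS, then binds on the encrypted channel. */
    public static LdapContext bind(String url, String bindDn, String password)
            throws NamingException, IOException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);   // plain ldap:// port 389, as in the Realm
        // Deliberately no SECURITY_PRINCIPAL / SECURITY_CREDENTIALS yet: the initial
        // connection is anonymous so the password never crosses the wire in clear text.
        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());

        // JNDI first matches the server certificate's name against the host in the URL and
        // consults this verifier only when that check fails. An "accept everything"
        // verifier (return true) would silently allow a man-in-the-middle; returning false
        // keeps a name mismatch fatal (negotiate() then throws SSLPeerUnverifiedException).
        tls.setHostnameVerifier((hostname, session) -> {
            System.err.println("StartTLS: certificate does not match host " + hostname);
            return false;
        });
        try {
            tls.negotiate();                  // TLS handshake on the existing connection
        } catch (IOException e) {
            ctx.close();
            throw e;
        }

        // Credentials are added only now; reconnect() re-binds over the TLS layer.
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDn);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
        ctx.reconnect(null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Constructed values mirroring the Realm in the thread; the password is a placeholder.
        LdapContext ctx = bind("ldap://ldap1.mydomain.com:389",
                "cn=connect,ou=Users,dc=mydomain,dc=com", "CHANGE_ME");
        System.out.println("bound over StartTLS as " + ctx.getEnvironment().get(Context.SECURITY_PRINCIPAL));
        ctx.close();
    }
}
```

With an ldaps:// URL the StartTLS step is skipped because JNDI negotiates TLS at connect time, but the same default hostname check applies there.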


Re: JNDIRealm and TLS, was: Re: JNDIRealm Authentication and Roles

Posted by Igor Cicimov <ic...@gmail.com>.
On Wed, Oct 8, 2014 at 4:16 AM, Felix Schumacher <
felix.schumacher@internetallee.de> wrote:

> If TLS is important to you, I hope you have changed the HostnameVerifier to
> something more sensible :)
>
Hmmm, was not aware of that, will have a look for sure.


> There is a bug request open
> https://issues.apache.org/bugzilla/show_bug.cgi?id=49785
> but only very few people asked for it in the last four years. You can try
> to vote it up.

Thanks for the link, I upvoted it.


> I have only used ldap servers, which would be reachable by ssl, so there
> was no need for me to investigate further. Any reason why your ldap server
> can't be used with ssl?

Well, for ldap, ssl is considered deprecated in favour of tls, which I use
everywhere possible like ldap, postfix etc. I don't see a reason for using
ssl and opening another port on the server, but that's maybe just me :-)



> Felix
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>