Posted to users@tomcat.apache.org by Jacob Kjome <ho...@visi.com> on 2002/06/10 22:35:44 UTC

Re[2]: Roles in JNDIRealms

Hello Ryan,

Check this out:
http://www.peacetech.com/java/files/apache/tomcat/

I haven't used it (nor have I used JNDIRealm at all so far), but I
grab stuff that looks like useful info off the list and put it in my
Vault ( http://www.personalmicrocosms.com/ ) from time to time. Hopefully it is useful for you.

Jake

Monday, June 10, 2002, 3:18:15 PM, you wrote:

R> Jonathan,
R> This is sort of off subject, but does your Active
R> Directory setup work for Authentication?? It seems to
R> me that it wouldn't since there is no userPassword
R> attribute in AD, but I am hoping I'm wrong.
R> Thanks,
R> Ryan

R> --- Jonathan Eric Miller <je...@uchicago.edu>
R> wrote:
>> If you are using Tomcat 4.1.3, there are two modes
>> that you can use for
>> checking roles. If you set roleSearch, it will look
>> for search for group
>> objects that contain a list of users for each group.
>> If you set
>> userRoleName, it will get the group information out
>> of the user's entry
>> instead. i.e. you don't need separate group objects.
>> 
>> If you are using Active Directory, I found that you
>> can use a setup similar
>> to the following.
>> 
>> This goes in server.xml,
>> 
>> <Realm
>> className="org.apache.catalina.realm.JNDIRealm"
>>  debug="99"
>>  connectionName="myadminuser@mydomain"
>>  connectionPassword="myadminpassword"
>>  connectionURL="ldap://mydomaincontroller"
>>  userBase="cn=Users, dc=mydomain"
>>  userRoleName="memberOf"
>>  userSearch="(userPrincipalName={0}@mydomain)"/>
>> 
>> Group membership is stored in an attribute named
>> memberOf in Active
>> Directory. myadminuser doesn't really have to be an
>> admin user in AD. It
>> just has to have read permission to the memberOf
>> attribute which is visible
>> to normal user accounts by default.
>> 
>> This goes in web.xml,
>> 
>> <security-constraint>
>>  <web-resource-collection>
>>   <web-resource-name>Tomcat</web-resource-name>
>>   <url-pattern>/*</url-pattern>
>>  </web-resource-collection>
>>  <auth-constraint>
>>   <role-name>CN=Tomcat,CN=Users,DC=mydomain</role-name>
>>  </auth-constraint>
>> </security-constraint>
>> <login-config>
>>  <auth-method>BASIC</auth-method>
>>  <realm-name>Tomcat</realm-name>
>> </login-config>
>> 
>> In the above example, I created a group in the Users
>> container named Tomcat.
>> If you want to see how things are organized in
>> Active Directory, you can use
>> LDIFDE to dump the directory into an LDIF file.
>> That's how I figured it out.
>> 
>> Jon
>> 
>> ----- Original Message -----
>> From: "Cristina Perez Sanchez" <cg...@yahoo.com>
>> To: <to...@jakarta.apache.org>
>> Sent: Monday, June 10, 2002 9:10 AM
>> Subject: Roles in JNDIRealms
>> 
>> 
>> > Hi,
>> >
>> > could anyone tell me what objectclass must be
>> group
>> > entries that represent roles associated to users
>> in
>> > JNDIRealms?? I use groupOfUniqueNames as
>> objectclass
>> > but I would like to know if the objectclass group
>> is
>> > more proper or if the objectclass isn't relevant.
>> >
>> >
>> > Thanks in advance,
>> >
>> > Cristina




-- 
Best regards,
 Jacob                            mailto:hoju@visi.com




Re: Re[3]: Roles in JNDIRealms

Posted by Cristina Perez Sanchez <cg...@yahoo.com>.
Hi Jon,

thanks for your help. I've tested group and
groupOfUniqueNames objectclass and JNDIRealm works
properly.

Thanks again,

Cristina

--- Jonathan Eric Miller <je...@uchicago.edu>
wrote:
> I think you can use whatever objectClass you want.
> The only filter that it
> uses for finding roles is the string that you set
> roleSearch to.
> 
> Jon
> 


Re: Re[3]: Roles in JNDIRealms

Posted by Jonathan Eric Miller <je...@uchicago.edu>.
I think you can use whatever objectClass you want. The only filter that it
uses for finding roles is the string that you set roleSearch to.

Jon

----- Original Message -----
From: "Cristina Perez Sanchez" <cg...@yahoo.com>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Tuesday, June 11, 2002 3:36 AM
Subject: Re: Re[3]: Roles in JNDIRealms


> Hi,
>
> first, thanks for your answers.
>
> I would like to ask another question. I use Tomcat
> 4.0.3 and so I have to set roleSearch and create group
> objects that contain the DNs of users associated to.
> Which objectclass must be these group entries?
> groupOfUniqueNames objectclass? group class? Are both
> valid?
>
>
> Thanks,
>
> Cristina
>
>

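The two role-lookup modes Jon describes in the quoted AD setup (userRoleName reading memberOf from the user's own entry, versus roleSearch looking for group objects that list the user) and his point above that the group's objectClass is irrelevant because only the roleSearch filter decides, as an added example. This is not Tomcat code and not from anyone on the thread: it is a small in-memory stand-in for a directory, with constructed DNs, users and groups, and the roleBase and roleName settings are assumptions. It also escapes the substituted login name, which the thread does not discuss.

```python
"""Toy model of the two JNDIRealm role-lookup modes described in the thread
(userRoleName vs roleSearch). Added example, not Tomcat code: the in-memory
DIRECTORY below is a constructed stand-in for an LDAP server and all DNs,
attribute values and group names are made up."""
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

# Constructed directory: DN -> attributes, each attribute a list of values.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=alice,CN=Users,DC=mydomain": {
        "userPrincipalName": ["alice@mydomain"],
        "memberOf": ["CN=Tomcat,CN=Users,DC=mydomain"],   # AD-style back-link
    },
    "CN=bob,CN=Users,DC=mydomain": {
        "userPrincipalName": ["bob@mydomain"],
        "memberOf": [],
    },
    # Two group objects with different objectClasses and membership attributes.
    "CN=Tomcat,CN=Users,DC=mydomain": {
        "objectClass": ["group"], "cn": ["Tomcat"],
        "member": ["CN=alice,CN=Users,DC=mydomain"],
    },
    "cn=editors,ou=Groups,dc=mydomain": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["editors"],
        "uniqueMember": ["CN=alice,CN=Users,DC=mydomain",
                         "CN=bob,CN=Users,DC=mydomain"],
    },
}

# Realm settings taken from the server.xml quoted in the thread; roleBase and
# roleName are assumed values for the roleSearch mode.
USER_BASE = "cn=Users, dc=mydomain"
USER_SEARCH = "(userPrincipalName={0}@mydomain)"
USER_ROLE_NAME = "memberOf"
ROLE_BASE = "dc=mydomain"          # assumed roleBase
ROLE_NAME_ATTR = "cn"              # assumed roleName attribute


def norm_dn(dn: str) -> str:
    """Case-fold a DN and drop the spaces after commas, so that
    'cn=Users, dc=mydomain' and 'CN=Users,DC=mydomain' compare equal."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def escape_filter_value(value: str) -> str:
    """Escape RFC 4515 filter metacharacters before substituting user input
    into a search filter, so a login name cannot change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def search(base: str, filter_str: str) -> List[str]:
    """Minimal '(attr=value)' search under `base`; a '*' in the value acts as
    a wildcard, as in a real LDAP filter. Returns matching DNs."""
    body = filter_str.strip()
    if not (body.startswith("(") and body.endswith(")") and "=" in body):
        raise ValueError("unsupported filter: " + filter_str)
    attr, value = body[1:-1].split("=", 1)
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not norm_dn(dn).endswith(norm_dn(base)):
            continue
        for stored in attrs.get(attr, []):
            matched = fnmatchcase(stored, value) if "*" in value else stored == value
            if matched:
                hits.append(dn)
                break
    return hits


def find_user_dn(username: str) -> Optional[str]:
    """userSearch step: substitute the (escaped) login name for {0} and
    require exactly one hit; an ambiguous match must not log anyone in."""
    hits = search(USER_BASE, USER_SEARCH.replace("{0}", escape_filter_value(username)))
    return hits[0] if len(hits) == 1 else None


def roles_from_user_entry(user_dn: str) -> List[str]:
    """userRoleName mode (Tomcat 4.1.3 in the thread): roles are the values
    of an attribute of the user's own entry, here memberOf, i.e. group DNs."""
    return list(DIRECTORY[user_dn].get(USER_ROLE_NAME, []))


def roles_from_group_search(user_dn: str, role_search: str) -> List[str]:
    """roleSearch mode (Tomcat 4.0.x in the thread): find group entries whose
    membership attribute names the user's DN. objectClass is never consulted;
    only the filter decides, which is Jon's point about group vs
    groupOfUniqueNames."""
    groups = search(ROLE_BASE, role_search.replace("{0}", escape_filter_value(user_dn)))
    return [DIRECTORY[g][ROLE_NAME_ATTR][0] for g in groups]


def is_authorized(username: str, required_role: str,
                  role_search: Optional[str] = None) -> bool:
    """The web.xml <auth-constraint> check: does the user hold required_role?"""
    user_dn = find_user_dn(username)
    if user_dn is None:
        return False
    roles = (roles_from_group_search(user_dn, role_search) if role_search
             else roles_from_user_entry(user_dn))
    return required_role in roles
```

In userRoleName mode the role names are whatever memberOf holds, which is why the web.xml in the thread uses the full group DN as the role-name; in roleSearch mode the role is the group's cn, so the same group would be named "Tomcat" there. Switching the filter from `(member={0})` to `(uniqueMember={0})` is all it takes to move from AD-style `group` entries to `groupOfUniqueNames` entries.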

Re: Re[3]: Roles in JNDIRealms

Posted by Cristina Perez Sanchez <cg...@yahoo.com>.
Hi,

first, thanks for your answers.

I would like to ask another question. I use Tomcat
4.0.3 and so I have to set roleSearch and create group
objects that contain the DNs of users associated to.
Which objectclass must be these group entries?
groupOfUniqueNames objectclass? group class? Are both
valid?


Thanks,

Cristina


--- Jonathan Eric Miller <je...@uchicago.edu>
wrote:
> Jacob,
> 
> I'm happy to say that there is a new "bind as user"
> mode in Tomcat 4.1.3
> which verifies the user password by binding as them
> to the directory, rather
> than querying the directory for the password. You
> are correct, previously it
> wouldn't work with Active Directory (as well as any
> other directory that
> didn't store its passwords in the specific format
> that Tomcat wanted), but,
> now it does. Now, if you don't set the userPassword
> attribute, it operates
> in "bind as user" mode. They haven't updated the
> main end-user documentation
> on JNDIRealm yet, but, if you look at the Catalina
> developer docs, you'll
> see what I'm referring to if you look at the
> JNDIRealm class.
> 
> Jon
> 


Re: Re[2]: Roles in JNDIRealms

Posted by Ryan <ni...@yahoo.com>.
Jon,
Excellent! Thanks for the info.
Ryan

--- Jonathan Eric Miller <je...@uchicago.edu>
wrote:
> Jacob,
> 
> I'm happy to say that there is a new "bind as user"
> mode in Tomcat 4.1.3
> which verifies the user password by binding as them
> to the directory, rather
> than querying the directory for the password. You
> are correct, previously it
> wouldn't work with Active Directory (as well as any
> other directory that
> didn't store its passwords in the specific format
> that Tomcat wanted), but,
> now it does. Now, if you don't set the userPassword
> attribute, it operates
> in "bind as user" mode. They haven't updated the
> main end-user documentation
> on JNDIRealm yet, but, if you look at the Catalina
> developer docs, you'll
> see what I'm referring to if you look at the
> JNDIRealm class.
> 
> Jon
> 


Re: Re[2]: Roles in JNDIRealms

Posted by Jonathan Eric Miller <je...@uchicago.edu>.
Jacob,

I'm happy to say that there is a new "bind as user" mode in Tomcat 4.1.3
which verifies the user password by binding as them to the directory, rather
than querying the directory for the password. You are correct, previously it
wouldn't work with Active Directory (as well as any other directory that
didn't store its passwords in the specific format that Tomcat wanted), but,
now it does. Now, if you don't set the userPassword attribute, it operates
in "bind as user" mode. They haven't updated the main end-user documentation
on JNDIRealm yet, but, if you look at the Catalina developer docs, you'll
see what I'm referring to if you look at the JNDIRealm class.

Jon

----- Original Message -----
From: "Ryan" <ni...@yahoo.com>
To: "Tomcat Users List" <to...@jakarta.apache.org>; "Jacob Kjome"
<ho...@visi.com>
Sent: Monday, June 10, 2002 4:55 PM
Subject: Re: Re[2]: Roles in JNDIRealms


> Jacob,
> I took a quick look at the source, but it looks like
> the passwords are digested here also (i.e. will not
> work with Active Directory). From what I understand,
> with AD the authentication has to be done _on_ the
> server.
> Thanks,
> Ryan
>
> --- Jacob Kjome <ho...@visi.com> wrote:
> > Hello Ryan,
> >
> > Check this out:
> > http://www.peacetech.com/java/files/apache/tomcat/
> >
> > I haven't used it (nor have I used JNDIRealm at all
> > so far), but I
> > grab stuff that looks like useful info off the list
> > and put it in my
> > Vault ( http://www.personalmicrocosms.com/ ) from
> > time to time. Hopefully it is useful for you.
> >
> > Jake
> >
> > Monday, June 10, 2002, 3:18:15 PM, you wrote:
> >
> > R> Jonathan,
> > R> This is sort of off subject, but does your Active
> > R> Directory setup work for Authentication?? It
> > seems to
> > R> me that it wouldn't since there is no
> > userPassword
> > R> attribute in AD, but I am hoping I'm wrong.
> > R> Thanks,
> > R> Ryan
> >
> > R> --- Jonathan Eric Miller <je...@uchicago.edu>
> > R> wrote:
> > >> If you are using Tomcat 4.1.3, there are two
> > modes
> > >> that you can use for
> > >> checking roles. If you set roleSearch, it will
> > look
> > >> for search for group
> > >> objects that contain a list of users for each
> > group.
> > >> If you set
> > >> userRoleName, it will get the group information
> > out
> > >> of the user's entry
> > >> instead. i.e. you don't need separate group
> > objects.
> > >>
> > >> If you are using Active Directory, I found that
> > you
> > >> can use a setup similar
> > >> to the following.
> > >>
> > >> This goes in server.xml,
> > >>
> > >> <Realm
> > >> className="org.apache.catalina.realm.JNDIRealm"
> > >>  debug="99"
> > >>  connectionName="myadminuser@mydomain"
> > >>  connectionPassword="myadminpassword"
> > >>  connectionURL="ldap://mydomaincontroller"
> > >>  userBase="cn=Users, dc=mydomain"
> > >>  userRoleName="memberOf"
> > >>  userSearch="(userPrincipalName={0}@mydomain)"/>
> > >>
> > >> Group membership is stored in an attribute named
> > >> memberOf in Active Directory. myadminuser doesn't
> > >> really have to be an admin user in AD. It just has
> > >> to have read permission to the memberOf attribute
> > >> which is visible to normal user accounts by default.
> > >>
> > >> This goes in web.xml,
> > >>
> > >> <security-constraint>
> > >>  <web-resource-collection>
> > >>   <web-resource-name>Tomcat</web-resource-name>
> > >>   <url-pattern>/*</url-pattern>
> > >>  </web-resource-collection>
> > >>  <auth-constraint>
> > >>   <role-name>CN=Tomcat,CN=Users,DC=mydomain</role-name>
> > >>  </auth-constraint>
> > >> </security-constraint>
> > >> <login-config>
> > >>  <auth-method>BASIC</auth-method>
> > >>  <realm-name>Tomcat</realm-name>
> > >> </login-config>
> > >>
> > >> In the above example, I created a group in the Users
> > >> container named Tomcat.
> > >> If you want to see how things are organized in
> > >> Active Directory, you can use
> > >> LDIFDE to dump the directory into an LDIF file.
> > >> That's how I figured it out.
> > >>
> > >> Jon
> > >>
> > >> ----- Original Message -----
> > >> From: "Cristina Perez Sanchez" <cg...@yahoo.com>
> > >> To: <to...@jakarta.apache.org>
> > >> Sent: Monday, June 10, 2002 9:10 AM
> > >> Subject: Roles in JNDIRealms
> > >>
> > >>
> > >> > Hi,
> > >> >
> > >> > could anyone tell me what objectclass must be
> > >> > group entries that represent roles associated to
> > >> > users in JNDIRealms?? I use groupOfUniqueNames as
> > >> > objectclass but I would like to know if the
> > >> > objectclass group is more proper or if the
> > >> > objectclass isn't relevant.
> > >> >
> > >> >
> > >> > Thanks for advance,
> > >> >
> > >> > Cristina
> > >> >
> > >> >
> > >> >
> > >> > --
> > >> > To unsubscribe, e-mail: <ma...@jakarta.apache.org>
> > >> > For additional commands, e-mail: <ma...@jakarta.apache.org>
> > >> >
> > >>
> > >>
> >
> >
> >
> >
> > --
> > Best regards,
> >  Jacob
> > mailto:hoju@visi.com
> >
> >
> >
>
>


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: Re[2]: Roles in JNDIRealms

Posted by Ryan <ni...@yahoo.com>.
Jacob,
I took a quick look at the source, but it looks like
the passwords are digested here also (i.e. will not
work with Active Directory). From what I understand,
with AD the authentication has to be done _on_ the
server.
Thanks,
Ryan

--- Jacob Kjome <ho...@visi.com> wrote:
> Hello Ryan,
> 
> Check this out:
> http://www.peacetech.com/java/files/apache/tomcat/
> 
> I haven't used it (nor have I used JNDIRealm at all
> so far), but I
> grab stuff that looks like useful info off the list
> and put it in my
> Vault ( http://www.personalmicrocosms.com/ ) from
> time to time. Hopefully it is useful for you.
> 
> Jake
> 
> Monday, June 10, 2002, 3:18:15 PM, you wrote:
> 
> R> Jonathan,
> R> This is sort of off subject, but does your Active
> R> Directory setup work for Authentication?? It
> seems to
> R> me that it wouldn't since there is no
> userPassword
> R> attribute in AD, but I am hoping I'm wrong.
> R> Thanks,
> R> Ryan
> 
> R> --- Jonathan Eric Miller <je...@uchicago.edu>
> R> wrote:
> >> If you are using Tomcat 4.1.3, there are two modes
> >> that you can use for checking roles. If you set
> >> roleSearch, it will search for group objects that
> >> contain a list of users for each group. If you set
> >> userRoleName, it will get the group information out
> >> of the user's entry instead. i.e. you don't need
> >> separate group objects.
> >> 
> >> If you are using Active Directory, I found that you
> >> can use a setup similar to the following.
> >> 
> >> This goes in server.xml,
> >> 
> >> <Realm
> >> className="org.apache.catalina.realm.JNDIRealm"
> >>  debug="99"
> >>  connectionName="myadminuser@mydomain"
> >>  connectionPassword="myadminpassword"
> >>  connectionURL="ldap://mydomaincontroller"
> >>  userBase="cn=Users, dc=mydomain"
> >>  userRoleName="memberOf"
> >>  userSearch="(userPrincipalName={0}@mydomain)"/>
> >> 
> >> Group membership is stored in an attribute named
> >> memberOf in Active Directory. myadminuser doesn't
> >> really have to be an admin user in AD. It just has
> >> to have read permission to the memberOf attribute
> >> which is visible to normal user accounts by default.
> >> 
> >> This goes in web.xml,
> >> 
> >> <security-constraint>
> >>  <web-resource-collection>
> >>   <web-resource-name>Tomcat</web-resource-name>
> >>   <url-pattern>/*</url-pattern>
> >>  </web-resource-collection>
> >>  <auth-constraint>
> >>   <role-name>CN=Tomcat,CN=Users,DC=mydomain</role-name>
> >>  </auth-constraint>
> >> </security-constraint>
> >> <login-config>
> >>  <auth-method>BASIC</auth-method>
> >>  <realm-name>Tomcat</realm-name>
> >> </login-config>
> >> 
> >> In the above example, I created a group in the Users
> >> container named Tomcat.
> >> If you want to see how things are organized in
> >> Active Directory, you can use
> >> LDIFDE to dump the directory into an LDIF file.
> >> That's how I figured it out.
> >> 
> >> Jon
> >> 
> >> ----- Original Message -----
> >> From: "Cristina Perez Sanchez" <cg...@yahoo.com>
> >> To: <to...@jakarta.apache.org>
> >> Sent: Monday, June 10, 2002 9:10 AM
> >> Subject: Roles in JNDIRealms
> >> 
> >> 
> >> > Hi,
> >> >
> >> > could anyone tell me what objectclass must be
> >> > group entries that represent roles associated to
> >> > users in JNDIRealms?? I use groupOfUniqueNames as
> >> > objectclass but I would like to know if the
> >> > objectclass group is more proper or if the
> >> > objectclass isn't relevant.
> >> >
> >> >
> >> > Thanks for advance,
> >> >
> >> > Cristina
> >> >
> >> >
> 
> 
> 
> 
> -- 
> Best regards,
>  Jacob                           
> mailto:hoju@visi.com
> 
> 
> 


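The two role-lookup modes Jonathan describes in the quoted message (userRoleName reading memberOf from the user's own entry, versus roleSearch finding group entries that list the user) are easy to get wrong at the edges: the login name is spliced into a search filter, and the DNs that come back have to be compared to the <role-name> in web.xml. The following is an added example, not Tomcat's JNDIRealm code; it models both modes against a small constructed in-memory directory (all DNs, names and attribute values are invented) so it runs offline. The filter evaluator supports only the single equality filter shape the thread's templates use. Tomcat's JNDIRealm checks the password separately, either by binding as the located DN or by comparing a userPassword attribute; that step is deliberately not modelled here.

```python
"""Added example (not Tomcat code): JNDIRealm-style user lookup and the two
role modes from the thread, against a constructed in-memory directory."""
import re

# Constructed sample directory: DN -> attributes. All values are invented.
DIRECTORY = {
    "CN=alice,CN=Users,DC=mydomain": {
        "objectClass": ["user"],
        "userPrincipalName": ["alice@mydomain"],
        "memberOf": ["CN=Tomcat,CN=Users,DC=mydomain"],
    },
    "CN=bob,CN=Users,DC=mydomain": {
        "objectClass": ["user"],
        "userPrincipalName": ["bob@mydomain"],
        "memberOf": [],
    },
    "CN=Tomcat,CN=Users,DC=mydomain": {
        "objectClass": ["group"],
        "member": ["CN=alice,CN=Users,DC=mydomain"],
    },
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515), so that
    '*', '(', ')', '\\' and NUL typed by a user are matched literally."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse RFC 4515 hex escapes when evaluating a filter."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_filter(template: str, value: str) -> str:
    """Substitute {0} in a userSearch/roleSearch template with an escaped value."""
    return template.replace("{0}", escape_filter_value(value))


def normalize_dn(dn: str) -> str:
    """Canonical form for DN comparison: strip spaces around RDNs, lowercase."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def matches_equality_filter(entry: dict, flt: str) -> bool:
    """Evaluate a single '(attr=value)' filter against one entry (toy evaluator:
    no wildcards, no boolean operators)."""
    if not (flt.startswith("(") and flt.endswith(")") and "=" in flt):
        raise ValueError("unsupported filter: %r" % flt)
    attr, _, want = flt[1:-1].partition("=")
    want = unescape_filter_value(want).lower()
    return any(v.lower() == want for v in entry.get(attr, []))


def search(base: str, flt: str) -> list:
    """Return DNs at or below base whose entry matches the filter."""
    nb = normalize_dn(base)
    return [dn for dn, entry in DIRECTORY.items()
            if normalize_dn(dn).endswith(nb) and matches_equality_filter(entry, flt)]


def find_user_dn(username: str, user_base: str = "CN=Users,DC=mydomain",
                 user_search: str = "(userPrincipalName={0}@mydomain)"):
    """Locate the user's DN; an absent or ambiguous result yields None."""
    hits = search(user_base, build_filter(user_search, username))
    return hits[0] if len(hits) == 1 else None


def roles_from_user_entry(user_dn: str, user_role_name: str = "memberOf") -> list:
    """userRoleName mode: roles are the values of an attribute on the user."""
    return [normalize_dn(v) for v in DIRECTORY[user_dn].get(user_role_name, [])]


def roles_from_group_search(user_dn: str, role_base: str = "CN=Users,DC=mydomain",
                            role_search: str = "(member={0})") -> list:
    """roleSearch mode: roles are the DNs of group entries listing the user."""
    return [normalize_dn(dn) for dn in search(role_base, build_filter(role_search, user_dn))]


def is_authorized(roles: list, required_role: str = "CN=Tomcat,CN=Users,DC=mydomain") -> bool:
    """Compare against the <role-name> from web.xml after normalizing both sides."""
    return normalize_dn(required_role) in roles


if __name__ == "__main__":
    for name in ("alice", "bob", "*"):
        dn = find_user_dn(name)
        if dn is None:
            print(name, "-> no unique user entry")
            continue
        print(name, "userRoleName:", is_authorized(roles_from_user_entry(dn)),
              "roleSearch:", is_authorized(roles_from_group_search(dn)))
```

The escaping in build_filter is the part worth keeping in mind when reading a userSearch template like "(userPrincipalName={0}@mydomain)": the substituted value must be treated as a literal, which is why a login name of "*" above finds no user instead of matching something.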