Posted to users@tomcat.apache.org by Mark-E <me...@hbs.edu> on 2010/06/08 17:25:04 UTC
Allowing only specific users LDAP access
I have set up an https instance of Tomcat and I am trying to allow only
specific users access.
In the current configuration, anyone who is in LDAP can get in.
Here is the current configuration in the server.xml
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionName=<connection name>
connectionURL="ldap://ldap.domain.com:<port>"
roleSearch="memberUid={0}"
allRolesMode="authOnly"
userPattern="uid={0},ou=People,dc=domain,dc=com"
/>
So I tried using userSearch=(user{1}) to allow only user1 in but that did
not limit access. I tried {1} since the docs mention that is to search for a
specific username.
Anyone know how I need to edit this to allow only a list of specific users
in? I will define them in this file.
Thanks,
Mark
--
View this message in context: http://old.nabble.com/Allowing-only-specific-users-LDAP-access-tp28819437p28819437.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Allowing only specific users LDAP access
Posted by Mark-E <me...@hbs.edu>.
Felix Schumacher wrote:
>
> On Tue, 8 Jun 2010 08:25:04 -0700 (PDT), Mark-E <me...@hbs.edu> wrote:
>> I have setup an https instance of Tomcat and I am trying to allow only
>> specific users access.
>>
>> In the current configuration, anyone who is in LDAP can get in.
>>
>> Here is the current configuration in the server.xml
>>
>> <Realm className="org.apache.catalina.realm.JNDIRealm"
>> connectionName=<connection name>
>> connectionURL="ldap://ldap.domain.com:<port>"
>> roleSearch="memberUid={0}"
>> allRolesMode="authOnly"
>> userPattern="uid={0},ou=People,dc=domain,dc=com"
>> />
>>
>> So I tried using userSearch=(user{1}) to allow only user1 in but that did
>> not limit access. I tried {1} since the docs mention that is to search for a
>> specific username.
> You can't use {1} in userSearch. You have to use {0}.
>
> If you have only a very limited set of users and want to risk a management
> nightmare, you can hardcode those users into the search pattern like
>
> userSearch="(&(uid={0})(|(uid=user1)(uid=user2)))"
>
> But I think it would be better to use an attribute or a group for that
> kind of thing:
>
> userSearch="(&(uid={0})(specialAttribute=specialValue))"
>
> Bye
> Felix
>>
>> Anyone know how I need to edit this to allow only a list of specific users
>> in? I will define them in this file.
>>
>> Thanks,
>> Mark
>
>
> Hi Felix,
> Thanks for the information. The easiest thing for me is to specify a
> list of users by using your suggestion of:
>
> userSearch="(&(uid={0})(|(uid=user1)(uid=user2)))"
>
> However, even with the entry setup like this, I still get in if I am NOT
> user1 or user 2. I find that unless I also use the following entry, I do
> not get in at all
>
> userPattern="uid={0},ou=People,dc=domain,dc=com"
>
> Do you know if I need to change userPattern as well? I tried substituting
>
> userPattern="uid={0},ou=People,dc=domain,dc=com"
>
> With:
>
> userPattern="(&(uid={0})(|(uid=user1)(uid=user2))),ou=People,dc=domain,dc=com"
>
> But that said that uid was invalid.
>
> Thanks,
> Mark
>
Just wanted to let everyone know that I figured it out. I did some more
research and discovered that instead of using userPattern, I needed to use
the following:
userBase="ou=People,dc=domain,dc=com"
userSubtree="true"
Now, if I am listed as one of the two, user1 or user2, and I try to log in, I
get in; if not, I do not get in.
So the full entry in server.xml looks like this...
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionName="<connection name>"
connectionPassword="<connection password>"
connectionURL="ldap://ldap.domain.com:<port>"
roleSearch="memberUid={0}"
allRolesMode="authOnly"
userSearch="(&(uid={0})(|(uid=user1)(uid=user2)))"
userBase="ou=People,dc=domain,dc=com"
userSubtree="true"
/>
Whew, learned a lot from this task.
Thanks,
Mark
Re: Allowing only specific users LDAP access
Posted by Mark-E <me...@hbs.edu>.
> On Tue, 8 Jun 2010 08:25:04 -0700 (PDT), Mark-E <me...@hbs.edu> wrote:
>> I have setup an https instance of Tomcat and I am trying to allow only
>> specific users access.
>>
>> In the current configuration, anyone who is in LDAP can get in.
>>
>> Here is the current configuration in the server.xml
>>
>> <Realm className="org.apache.catalina.realm.JNDIRealm"
>> connectionName=<connection name>
>> connectionURL="ldap://ldap.domain.com:<port>"
>> roleSearch="memberUid={0}"
>> allRolesMode="authOnly"
>> userPattern="uid={0},ou=People,dc=domain,dc=com"
>> />
>>
>> So I tried using userSearch=(user{1}) to allow only user1 in but that did
>> not limit access. I tried {1} since the docs mention that is to search for a
>> specific username.
> You can't use {1} in userSearch. You have to use {0}.
>
> If you have only a very limited set of users and want to risk a management
> nightmare, you can hardcode those users into the search pattern like
>
> userSearch="(&(uid={0})(|(uid=user1)(uid=user2)))"
>
> But I think it would be better to use an attribute or a group for that
> kind of thing:
>
> userSearch="(&(uid={0})(specialAttribute=specialValue))"
>
> Bye
> Felix
>>
>> Anyone know how I need to edit this to allow only a list of specific users
>> in? I will define them in this file.
>>
>> Thanks,
>> Mark
Hi Felix,
Thanks for the information. The easiest thing for me is to specify a list
of users by using your suggestion of:
userSearch="(&(uid={0})(|(uid=user1)(uid=user2)))"
However, even with the entry setup like this, I still get in if I am NOT
user1 or user 2. I find that unless I also use the following entry, I do not
get in at all
userPattern="uid={0},ou=People,dc=domain,dc=com"
Do you know if I need to change userPattern as well? I tried substituting
userPattern="uid={0},ou=People,dc=domain,dc=com"
With:
userPattern="(&(uid={0})(|(uid=user1)(uid=user2))),ou=People,dc=domain,dc=com"
But that said that uid was invalid.
Thanks,
Mark
Re: Allowing only specific users LDAP access
Posted by Felix Schumacher <fe...@internetallee.de>.
On Tue, 8 Jun 2010 08:25:04 -0700 (PDT), Mark-E <me...@hbs.edu> wrote:
> I have setup an https instance of Tomcat and I am trying to allow only
> specific users access.
>
> In the current configuration, anyone who is in LDAP can get in.
>
> Here is the current configuration in the server.xml
>
> <Realm className="org.apache.catalina.realm.JNDIRealm"
> connectionName=<connection name>
> connectionURL="ldap://ldap.domain.com:<port>"
> roleSearch="memberUid={0}"
> allRolesMode="authOnly"
> userPattern="uid={0},ou=People,dc=domain,dc=com"
> />
>
> So I tried using userSearch=(user{1}) to allow only user1 in but that did
> not limit access. I tried {1} since the docs mention that is to search for a
> specific username.
You can't use {1} in userSearch. You have to use {0}.
If you have only a very limited set of users and want to risk a management
nightmare, you can hardcode those users into the search pattern like
userSearch="(&(uid={0})(|(uid=user1)(uid=user2)))"
But I think it would be better to use an attribute or a group for that
kind of thing:
userSearch="(&(uid={0})(specialAttribute=specialValue))"
Bye
Felix
>
> Anyone know how I need to edit this to allow only a list of specific users
> in? I will define them in this file.
>
> Thanks,
> Mark
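As an added illustration (not code from the thread or from Tomcat), the following Python models how JNDIRealm resolves a user with userBase/userSearch: it substitutes the login name for {0}, evaluates the filter over a constructed ou=People subtree, and returns the matching entries, so both of Felix's filters and the behaviour Mark reports with his final configuration can be checked side by side. The directory entries, the mini filter parser and the escape helper are assumptions of the example; the RFC 4515 escaping is included because a filter built from a login name is otherwise an LDAP injection point.

```python
import re

# Constructed sample of the ou=People subtree from the thread, plus one user who is in LDAP but not allowed.
PEOPLE = {
    "uid=user1,ou=People,dc=domain,dc=com": {"uid": "user1", "specialAttribute": "specialValue"},
    "uid=user2,ou=People,dc=domain,dc=com": {"uid": "user2", "specialAttribute": "specialValue"},
    "uid=user3,ou=People,dc=domain,dc=com": {"uid": "user3"},
}

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter (assumed helper, not JNDIRealm's)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def unescape_filter_value(value):
    """Reverse of the above, so the evaluator compares the literal attribute value."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text):
    """Parse the RFC 4515 subset used in the thread: (attr=value), (&...), (|...)."""
    def node(i):
        if text[i] != "(":
            raise ValueError("expected '(' at %d" % i)
        if text[i + 1] in "&|":
            op, children, i = text[i + 1], [], i + 2
            while text[i] != ")":
                child, i = node(i)
                children.append(child)
            return (op, children), i + 1
        end = text.index(")", i)           # an escaped ')' never appears literally
        attr, _, val = text[i + 1:end].partition("=")
        return ("=", attr, unescape_filter_value(val)), end + 1
    tree, end = node(0)
    if end != len(text):
        raise ValueError("trailing characters in filter")
    return tree

def matches(tree, entry):
    """Evaluate a parsed filter against one entry's attributes."""
    if tree[0] == "&":
        return all(matches(c, entry) for c in tree[1])
    if tree[0] == "|":
        return any(matches(c, entry) for c in tree[1])
    return entry.get(tree[1]) == tree[2]

def search_user(user_search, username):
    """Model the userBase/userSearch lookup: substitute {0}, then search the subtree.
    With userPattern set, JNDIRealm binds as that DN instead and does not use userSearch."""
    tree = parse_filter(user_search.replace("{0}", escape_filter_value(username)))
    return [dn for dn, attrs in PEOPLE.items() if matches(tree, attrs)]
```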
RE: Allowing only specific users LDAP access
Posted by Mark-E <me...@hbs.edu>.
> If you can't use Chris' suggestion and you're on a current version of
> Tomcat, you can combine your existing <Realm> with an additional
> authenticator, possibly using a file where you specify the subset of
> users you're willing to allow in.
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#CombinedRealm
> - Chuck
I am using Tomcat 6.0.26. Thanks for the link. I'll check it out. Also,
thanks Chris for your suggestion but unfortunately, I cannot add a new group
to LDAP.
Mark
RE: Allowing only specific users LDAP access
Posted by Felix Schumacher <fe...@internetallee.de>.
On Tue, 8 Jun 2010 10:16:01 -0700, Leo Donahue - PLANDEVX <Le...@mail.maricopa.gov> wrote:
>> -----Original Message-----
>> From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com]
>> Sent: Tuesday, June 08, 2010 9:12 AM
>> To: Tomcat Users List
>> Subject: RE: Allowing only specific users LDAP access
>>
>>> I am trying to allow only specific users access.
>
>> If you can't use Chris' suggestion and you're on a current version of
>> Tomcat, you can combine your existing <Realm> with an additional
>> authenticator, possibly using a file where you specify the subset of
>> users you're willing to allow in.
>
>> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#CombinedRealm
>
>> - Chuck
>
>
> Does Tomcat allow you to specify separate userBase's? Or can you only
> have one per Realm?
You can only have one userBase, userSearch, ... per realm.
But you could use the CombinedRealm as hinted by Chuck to use multiple
userBases.
Bye
Felix
>
> userBase="CN=User1,OU=somegroup,DC=yourdomain,DC=com"
> userSearch="(&(objectCategory=person)(sAMAccountName={0}))"
> userSubtree="true"
> userRoleName="memberOf"
>
> userBase="CN=User2,OU=somegroup,DC=yourdomain,DC=com"
> userSearch="(&(objectCategory=person)(sAMAccountName={0}))"
> userSubtree="true"
> userRoleName="memberOf"
>
RE: Allowing only specific users LDAP access
Posted by Leo Donahue - PLANDEVX <Le...@mail.maricopa.gov>.
> -----Original Message-----
> From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com]
> Sent: Tuesday, June 08, 2010 9:12 AM
> To: Tomcat Users List
> Subject: RE: Allowing only specific users LDAP access
>
>> I am trying to allow only specific users access.
> If you can't use Chris' suggestion and you're on a current version of Tomcat, you can combine your existing <Realm> with an additional authenticator, possibly using a file where you specify the subset of users you're willing to allow in.
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#CombinedRealm
> - Chuck
Does Tomcat allow you to specify separate userBase's? Or can you only have one per Realm?
userBase="CN=User1,OU=somegroup,DC=yourdomain,DC=com"
userSearch="(&(objectCategory=person)(sAMAccountName={0}))"
userSubtree="true"
userRoleName="memberOf"
userBase="CN=User2,OU=somegroup,DC=yourdomain,DC=com"
userSearch="(&(objectCategory=person)(sAMAccountName={0}))"
userSubtree="true"
userRoleName="memberOf"
RE: Allowing only specific users LDAP access
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Mark-E [mailto:meramo@hbs.edu]
> Subject: Allowing only specific users LDAP access
>
> I have setup an https instance of Tomcat
Any particular version? (Be precise.)
> I am trying to allow only specific users access.
If you can't use Chris' suggestion and you're on a current version of Tomcat, you can combine your existing <Realm> with an additional authenticator, possibly using a file where you specify the subset of users you're willing to allow in.
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#CombinedRealm
- Chuck
Re: Allowing only specific users LDAP access
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,
On 6/8/2010 11:25 AM, Mark-E wrote:
> In the current configuration, anyone who is in LDAP can get in.
>
> Here is the current configuration in the server.xml
>
> <Realm className="org.apache.catalina.realm.JNDIRealm"
> connectionName=<connection name>
> connectionURL="ldap://ldap.domain.com:<port>"
> roleSearch="memberUid={0}"
> allRolesMode="authOnly"
> userPattern="uid={0},ou=People,dc=domain,dc=com"
> />
>
> So I tried using userSearch=(user{1}) to allow only user1 in but that did
> not limit access. I tried {1} since the docs mention that is to search for a
> specific username.
>
> Anyone know how I need to edit this to allow only a list of specific users
> in? I will define them in this file.
How about creating a new group in your directory and using that instead
of just "ou=People"? Maybe "ou=TomcatPeople"?
- -chris