Posted to users@tomcat.apache.org by Gary <gz...@gmail.com> on 2006/02/15 18:28:17 UTC

question about JNDIRealm and OpenLDAP with access control

Hi,

I have JNDIRealm set in the context.xml like this

<Context path="/project" docBase="project" debug="99">
    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
           connectionURL="ldap://localhost:389"
           userPattern="uid={0},ou=people,dc=example,dc=com"
           userRoleName="affiliation" />
</Context>

Authentication worked fine until I added this to slapd.conf

access to *
       by anonymous auth
       by users read


This is because I don't want to let anonymous users query LDAP.

Now when I log in, I get HTTP status 403 (access denied).

Without LDAP access control set, request.getUserPrincipal() prints
this: GenericPrincipal[gary(member,)]
but with access control, it prints this: GenericPrincipal[gary()]

Not sure why the role information would be missing.
I am using Tomcat 5.5.15 and OpenLDAP 2.2.29.

Thanks,
Gary

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: question about JNDIRealm and OpenLDAP with access control

Posted by Gary <gz...@gmail.com>.
Gary wrote:

> Hi,
>
> I have JNDIRealm set in the context.xml like this
>
> <Context path="/project" docBase="project" debug="99">            
> <Realm   className="org.apache.catalina.realm.JNDIRealm" debug="99"
>         connectionURL="ldap://localhost:389"
>           userPattern="uid={0},ou=people,dc=example,dc=com"
>          userRoleName="affiliation" />
> </Context>
>
> Authentication works fine until I added this to slapd.conf
>
> access to *
>       by anonymous auth
>       by users read
>
>
> Because I don't want to let anonymous users query ldap.
>
> Now when I login, I get http status 403 (access denied).
>
> Without ldap access control set, request.getUserPrincipal() prints
> this: GenericPrincipal[gary(member,)]
> but with access control, it print this: GenericPrincipal[gary()]
>
> Not sure why the role information would be missing.



Ok, I think I have this figured out... but correct me if I am wrong.

Authentication and authorization are done separately. The realm setting
I have above was only able to succeed for the authentication part and
failed on the authorization part: it wasn't able to get the user role
because my LDAP access control prohibited reads by anonymous users.

After I added connectionName and connectionPassword to the realm tag,
it was able to use that to get the role information out of LDAP.
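A worked configuration that puts the conclusion above into practice, added here as an example and not the file Gary posted: the Realm binds with a dedicated service account for the role lookup, and the matching slapd.conf ACL (in the XML comment) grants that account read while leaving anonymous at auth only. The DN cn=tomcat,ou=services,dc=example,dc=com, its password and the ou=services branch are assumptions for illustration.

```xml
<!-- context.xml for /project (added example, not the original poster's file).
     Compared with the original Realm, the only additions are connectionName and
     connectionPassword. JNDIRealm still binds as the user (userPattern) to verify
     the password, but it reads the userRoleName attribute through its own
     connection, which was anonymous before and is now the service account below. -->
<Context path="/project" docBase="project">
    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldap://localhost:389"
           connectionName="cn=tomcat,ou=services,dc=example,dc=com"
           connectionPassword="change-me"
           userPattern="uid={0},ou=people,dc=example,dc=com"
           userRoleName="affiliation" />
</Context>

<!-- Matching slapd.conf ACL (assumed layout; the service DN above is hypothetical).
     Clauses are evaluated in order and the first matching "access to" wins, so
     userPassword is locked down before the general rule:

     access to attrs=userPassword
            by anonymous auth
            by * none

     access to *
            by dn.exact="cn=tomcat,ou=services,dc=example,dc=com" read
            by users read
            by * none

     Anonymous clients can still only bind (auth), so an anonymous role lookup
     returns nothing; the service account can read the rest of the tree, which
     is all JNDIRealm needs to fetch the affiliation attribute. -->
```

connectionPassword sits in clear text in context.xml, so the file should be readable only by the account Tomcat runs as, and the service account should have no write access anywhere in the directory. With a plain ldap:// URL the bind password also crosses the network unencrypted; that is tolerable on localhost as in the original post, but a remote directory should be reached over ldaps:// instead.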


