Posted to users@tomcat.apache.org by Gary <gz...@gmail.com> on 2006/02/15 18:28:17 UTC
question about JNDIRealm and OpenLDAP with access control
Hi,
I have JNDIRealm set in the context.xml like this
<Context path="/project" docBase="project" debug="99">
  <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
         connectionURL="ldap://localhost:389"
         userPattern="uid={0},ou=people,dc=example,dc=com"
         userRoleName="affiliation" />
</Context>
Authentication works fine until I added this to slapd.conf
access to *
by anonymous auth
by users read
Because I don't want to let anonymous users query ldap.
Now when I login, I get http status 403 (access denied).
Without ldap access control set, request.getUserPrincipal() prints
this: GenericPrincipal[gary(member,)]
but with access control, it prints this: GenericPrincipal[gary()]
Not sure why the role information would be missing.
I am using tomcat 5.5.15, openldap 2.2.29
Thanks,
Gary
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: question about JNDIRealm and OpenLDAP with access control
Posted by Gary <gz...@gmail.com>.
Gary wrote:
> Hi,
>
> I have JNDIRealm set in the context.xml like this
>
> <Context path="/project" docBase="project" debug="99">
> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
> connectionURL="ldap://localhost:389"
> userPattern="uid={0},ou=people,dc=example,dc=com"
> userRoleName="affiliation" />
> </Context>
>
> Authentication works fine until I added this to slapd.conf
>
> access to *
> by anonymous auth
> by users read
>
>
> Because I don't want to let anonymous users query ldap.
>
> Now when I login, I get http status 403 (access denied).
>
> Without ldap access control set, request.getUserPrincipal() prints
> this: GenericPrincipal[gary(member,)]
> but with access control, it prints this: GenericPrincipal[gary()]
>
> Not sure why the role information would be missing.
Ok, I think I have this figured out... but correct me if I am wrong.
Authentication and authorization are done separately. The realm setting I have above was only able to succeed for the authentication part, and failed on the authorization part: it wasn't able to get the user role because my ldap access control prohibited read from anonymous users.
After I added connectionName and connectionPassword to the realm tag, it was able to use that to get the role information out of ldap.
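The thread concludes that JNDIRealm authenticates by binding as the user's own DN but reads the role attribute with the realm's connection credentials, which were anonymous here and so hit the "by anonymous auth" rule. The configuration below is an added example, not Gary's config or anything from the Tomcat project: it gives the realm a dedicated read-only service account for that lookup. The service DN cn=tomcat-reader,ou=services,dc=example,dc=com and the password value are assumptions; the debug attributes from the original are omitted.

```xml
<!-- Added example, not from the thread. Assumed: a read-only service
     account cn=tomcat-reader,ou=services,dc=example,dc=com exists in the
     directory; the password below is a placeholder to replace. -->
<Context path="/project" docBase="project">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://localhost:389"
         connectionName="cn=tomcat-reader,ou=services,dc=example,dc=com"
         connectionPassword="CHANGE-ME-service-account-password"
         userPattern="uid={0},ou=people,dc=example,dc=com"
         userRoleName="affiliation" />
</Context>
```

Two things a practitioner should check when pairing this with the slapd.conf rules in the thread. First, `access to * ... by users read` also covers the `userPassword` attribute, so every authenticated user (the service account included) can read password hashes; put an `access to attrs=userPassword by anonymous auth by self write by * none` clause ahead of the catch-all rule so binds still work but hashes stay unreadable. Second, `connectionPassword` is stored in cleartext in context.xml, so restrict the file's permissions to the account Tomcat runs as, and grant the service account read access only to the subtree and attributes the realm needs (here `ou=people` and `affiliation`).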