Posted to dev@tomcat.apache.org by bu...@apache.org on 2014/11/13 23:40:58 UTC

[Bug 57209] New: JNDIRealm userSearch does not work against active directory with roles

https://issues.apache.org/bugzilla/show_bug.cgi?id=57209

            Bug ID: 57209
           Summary: JNDIRealm userSearch does not work against active
                    directory with roles
           Product: Tomcat 7
           Version: 7.0.57
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: jasonmcintosh@carfax.com

JNDIRealm without connectionPassword/connectionName on role lookups - role
search as user does not work as intended.  If you want to search the system as
the logged-in user for roles:

userBase = DC=Company,DC=com
userSearch = (&(objectCategory=person)(sAMAccountName={0}))
userSubTree = true

This works fine and you can bind as a user, but searching fails.  Search fails
because there are no user credentials to bind with and binding anonymously is
disabled.  If you have isRoleSearchAsUser turned on, the expectation

protected User getUser(DirContext context, String username, String credentials, int curUserPattern)

does not add the binding user credentials for searching.  A VERY simple fix
around line 1297 is to do the following so that searches work with the bound
user:


    // Use pattern or search for user entry
    if (userPatternFormatArray != null && curUserPattern >= 0) {
        user = getUserByPattern(context, username, credentials, attrIds, curUserPattern);
    } else {
        // Reporter's change: when role searches run as the user, bind the
        // search context with the supplied username/credentials before the
        // user search, so the directory does not reject it as an anonymous
        // search.
        if (isRoleSearchAsUser()) {
            userCredentialsAdd(context, username, credentials);
        }
        user = getUserBySearch(context, username, attrIds);
    }

There's probably a cleaner way to do this, but this is how I've managed to get
things working at this point.  I'd imagine a property "userSearchDNPattern"
could be added so that you can specify the pattern for the DN to bind with,
and switch "userCredentialsAdd" to use that "userSearchDNPattern" instead.
With the above fix, binding as a user and role lookups now work.  Another option
is to change "roleSearchAsUser" to something that says "do all operations with
the authenticated user, assuming he's authorized".

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 57209] JNDIRealm userSearch does not work against active directory with roles


--- Comment #2 from Mark Thomas <ma...@apache.org> ---
On reflection a new attribute userSearchAsUser seems more appropriate.



[Bug 57209] JNDIRealm userSearch does not work against active directory with roles


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Mark Thomas <ma...@apache.org> ---
The new attribute has been added to trunk, 8.0.x (for 8.0.16 onwards) and 7.0.x
(for 7.0.58 onwards).

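Putting the two halves of this thread together, here is the reporter's scenario as a server.xml Realm configuration: first in the form that fails on 7.0.57 (bind as the user succeeds, the following user search has no credentials), then with the userSearchAsUser attribute that this comment says shipped in 7.0.58 and 8.0.16. This is an added example, not configuration from the bug report or from the Tomcat documentation; the host dc.example.com, the base DNs, the OU=Groups container and the ldaps port are assumptions.

```xml
<!-- Added example, not from the bug report or from Tomcat. Host, base DNs,
     group container and port are assumed values. -->

<!-- 1. The configuration described in the report, Tomcat 7.0.57 and earlier.
        No connectionName/connectionPassword is set, anonymous bind is disabled
        on the domain controller, so userSearch runs with no credentials and
        fails before roleSearchAsUser ever gets a chance to apply. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://dc.example.com:636"
       userBase="DC=example,DC=com"
       userSearch="(&amp;(objectCategory=person)(sAMAccountName={0}))"
       userSubtree="true"
       roleBase="OU=Groups,DC=example,DC=com"
       roleSearch="(member={0})"
       roleSubtree="true"
       roleName="cn"
       roleSearchAsUser="true" />

<!-- 2. Tomcat 7.0.58+ / 8.0.16+. userSearchAsUser makes the realm bind with the
        username and password the user supplied before running userSearch, so
        neither a stored service-account password nor anonymous search is
        needed. adCompat="true" tolerates the referral PartialResultException
        that Active Directory returns for a search rooted at the domain. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://dc.example.com:636"
       adCompat="true"
       userBase="DC=example,DC=com"
       userSearch="(&amp;(objectCategory=person)(sAMAccountName={0}))"
       userSubtree="true"
       userSearchAsUser="true"
       roleBase="OU=Groups,DC=example,DC=com"
       roleSearch="(member={0})"
       roleSubtree="true"
       roleName="cn"
       roleSearchAsUser="true" />
```

With both SearchAsUser flags set, server.xml holds no directory password at all and every search is bounded by the directory ACLs of the user who logged in, which is the least-privilege property the reporter was after. The cost is that the user's own password is sent to the domain controller for the bind, so the connectionURL should be ldaps:// rather than ldap://. The bind name and the {0} substituted into userSearch are the same string the user typed, so the search filter has to match that form: with the sAMAccountName filter above, users log in as jsmith, not jsmith@example.com. Without adCompat="true" the referrals Active Directory returns for a search from DC=example,DC=com surface as a PartialResultException and a failed login even though the bind itself succeeded.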


[Bug 57209] JNDIRealm userSearch does not work against active directory with roles


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
I think the answer here is to change roleSearchAsUser to searchAsUser and then
do as you suggest. There will need to be appropriate deprecation and support
for both in parallel.

I'll start work on a patch.
