Posted to dev@tomcat.apache.org by "Robert J. Carr" <rj...@gmail.com> on 2012/10/19 17:07:56 UTC

documentation comment about jndi realms

I've been using tomcat for many years (so thanks to the devs!) but
this is the first time I've had to use LDAP for authentication.
Reading over the docs on this page was very useful:

http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JNDIRealm

However, at the bottom of the section where it talks about using 'userRoleName':

This realm configuration would satisfy the new requirements:
<Realm   className="org.apache.catalina.realm.JNDIRealm"
     connectionURL="ldap://localhost:389"
          userBase="ou=people,dc=mycompany,dc=com"
        userSearch="(mail={0})"
      userRoleName="memberOf"
          roleBase="ou=groups,dc=mycompany,dc=com"
          roleName="cn"
        roleSearch="(uniqueMember={0})"
/>

I think the last 3 attributes for role are unnecessary, and if so,
then they're confusing.  In my test, which is similar to the LDIF
right above it:

dn: uid=jjones,ou=people,dc=mycompany,dc=com
objectClass: inetOrgPerson
uid: jjones
sn: jones
cn: janet jones
mail: j.jones@mycompany.com
memberOf: role2
memberOf: role3
userPassword: janet

I didn't need those last 3 role entries and everything worked fine.

Just a note because this section is already confusing enough and I
thought that made it worse.

Sorry if I'm wrong in my assumptions.

Thanks-
Robert

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: documentation comment about jndi realms

Posted by Daniel Mikusa <dm...@vmware.com>.
On Oct 19, 2012, at 11:07 AM, Robert J. Carr wrote:

> I've been using tomcat for many years (so thanks to the devs!) but
> this is the first time I've had to use LDAP for authentication.
> Reading over the docs on this page was very useful:
> 
> http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JNDIRealm
> 
> However, at the bottom of the section where it talks about using 'userRoleName':
> 
> This realm configuration would satisfy the new requirements:
> <Realm   className="org.apache.catalina.realm.JNDIRealm"
>     connectionURL="ldap://localhost:389"
>          userBase="ou=people,dc=mycompany,dc=com"
>        userSearch="(mail={0})"
>      userRoleName="memberOf"
>          roleBase="ou=groups,dc=mycompany,dc=com"
>          roleName="cn"
>        roleSearch="(uniqueMember={0})"
> />
> 
> I think the last 3 attributes for role are unnecessary, and if so,
> then they're confusing.  In my test, which is similar to the LDIF
> right above it:
> 
> dn: uid=jjones,ou=people,dc=mycompany,dc=com
> objectClass: inetOrgPerson
> uid: jjones
> sn: jones
> cn: janet jones
> mail: j.jones@mycompany.com
> memberOf: role2
> memberOf: role3
> userPassword: janet
> 
> I didn't need those last 3 role entries and everything worked fine.

You may not need all of the settings.  It really depends on the way your LDAP server is structured.  In your particular case you didn't need them.  Some people will though.  For an example of when you will need them see the LDIF used by the documentation.

Dan


> Just a note because this section is already confusing enough and I
> thought that made it worse.
> 
> Sorry if I'm wrong in my assumptions.
> 
> Thanks-
> Robert
> 

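The two role sources the thread is arguing about, as an added example that is not part of the original thread and not Tomcat's own code: a toy, in-memory model of how a JNDIRealm-style realm resolves roles, so you can see when userRoleName alone is enough (roles listed on the user entry, as in Robert's LDIF) and when roleBase/roleSearch/roleName are needed as well (roles held on group entries that list the user as a member, as in the realm-howto LDIF Dan points to). Assumptions: the sample LDIF is constructed (Robert's jjones entry plus a second user and two groupOfUniqueNames entries); the filter evaluator supports only a single "(attr=value)" equality filter; {0} in userSearch is the username and {0} in roleSearch is the user's DN, as the realm-howto documents; the function names are this example's, not the realm's.

```python
"""Toy model of JNDIRealm-style role resolution over a constructed LDIF.

Added example, not Tomcat code. Two role sources are modelled:
  - userRoleName: an attribute on the user entry (e.g. memberOf)
  - roleBase/roleSearch/roleName: group entries under roleBase whose
    roleSearch filter matches the user's DN, contributing their roleName
The realm takes the union of both, and either may be left unconfigured.
"""
import re
from typing import Dict, List, Optional, Set

Entry = Dict[str, List[str]]

# Constructed sample directory (not from a real server): Robert's user entry,
# a second user, and two groups shaped like the realm-howto LDIF.
SAMPLE_LDIF = """\
dn: uid=jjones,ou=people,dc=mycompany,dc=com
objectClass: inetOrgPerson
uid: jjones
sn: jones
cn: janet jones
mail: j.jones@mycompany.com
memberOf: role2
memberOf: role3
userPassword: janet

dn: uid=jsmith,ou=people,dc=mycompany,dc=com
objectClass: inetOrgPerson
uid: jsmith
sn: smith
cn: john smith
mail: j.smith@mycompany.com
userPassword: john

dn: cn=role1,ou=groups,dc=mycompany,dc=com
objectClass: groupOfUniqueNames
cn: role1
uniqueMember: uid=jjones,ou=people,dc=mycompany,dc=com
uniqueMember: uid=jsmith,ou=people,dc=mycompany,dc=com

dn: cn=role3,ou=groups,dc=mycompany,dc=com
objectClass: groupOfUniqueNames
cn: role3
uniqueMember: uid=jsmith,ou=people,dc=mycompany,dc=com
"""


def norm_dn(dn: str) -> str:
    """DNs compare case-insensitively; also drop spaces around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal LDIF parser (no continuation lines, no base64): dn -> attrs."""
    entries: Dict[str, Entry] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs: Entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[norm_dn(attrs["dn"][0])] = attrs
    return entries


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter.
    Without this, a username such as '*' becomes a wildcard in the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def search(entries: Dict[str, Entry], base: str, filt: str) -> List[str]:
    """Evaluate one '(attr=value)' filter under `base`; returns matching DNs.
    An unescaped '*' in the value is a wildcard, as on a real LDAP server."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if not m:
        raise ValueError("unsupported filter: %r" % filt)
    attr, raw = m.group(1).lower(), m.group(2)
    # Build a regex from the filter value: '*' -> '.*', '\xx' -> literal char.
    pattern = "".join(
        ".*" if tok == "*"
        else re.escape(chr(int(tok[1:], 16)) if tok.startswith("\\") else tok)
        for tok in re.findall(r"\\[0-9a-fA-F]{2}|\*|[^\\*]+", raw)
    )
    hits = []
    for dn, attrs in entries.items():
        if not dn.endswith(norm_dn(base)):
            continue  # outside the search base
        for v in attrs.get(attr, []):
            value = norm_dn(v) if attr.endswith("member") else v
            if re.fullmatch(pattern, value, re.IGNORECASE):
                hits.append(dn)
                break
    return hits


def find_user(entries: Dict[str, Entry], user_base: str, user_search: str,
              username: str) -> Optional[str]:
    """userBase/userSearch: locate the user; {0} is the escaped username.
    Returns the user's DN, or None unless exactly one entry matches."""
    filt = user_search.replace("{0}", escape_filter_value(username))
    hits = search(entries, user_base, filt)
    return hits[0] if len(hits) == 1 else None


def resolve_roles(entries: Dict[str, Entry], user_dn: str,
                  user_role_name: Optional[str] = None,
                  role_base: Optional[str] = None,
                  role_search: Optional[str] = None,
                  role_name: str = "cn") -> Set[str]:
    """Union of roles from the user entry and from matching group entries."""
    roles: Set[str] = set()
    if user_role_name:  # roles stored on the user entry itself
        roles.update(entries[user_dn].get(user_role_name.lower(), []))
    if role_base and role_search:  # roles stored on group entries; {0} = user DN
        filt = role_search.replace("{0}", escape_filter_value(user_dn))
        for group_dn in search(entries, role_base, filt):
            roles.update(entries[group_dn].get(role_name.lower(), []))
    return roles


DIRECTORY = parse_ldif(SAMPLE_LDIF)
USER_BASE = "ou=people,dc=mycompany,dc=com"
ROLE_BASE = "ou=groups,dc=mycompany,dc=com"

if __name__ == "__main__":
    dn = find_user(DIRECTORY, USER_BASE, "(mail={0})", "j.jones@mycompany.com")
    print("user entry only  :", resolve_roles(DIRECTORY, dn, user_role_name="memberOf"))
    print("group search only:", resolve_roles(DIRECTORY, dn, role_base=ROLE_BASE,
                                              role_search="(uniqueMember={0})"))
    print("both sources     :", resolve_roles(DIRECTORY, dn, "memberOf", ROLE_BASE,
                                              "(uniqueMember={0})"))
    print("wildcard username:", find_user(DIRECTORY, USER_BASE, "(mail={0})", "*"))
```

With only userRoleName configured, jjones gets role2 and role3 (exactly Robert's result); with only the roleBase/roleSearch/roleName triple, she gets role1, which only exists as a group entry; with both, the union of the three. So the extra attributes are harmless when your roles live on the user entry, and required when they live on group entries. Two practitioner caveats the doc sample does not spell out: whatever stands in for {0} is attacker-supplied at login, so it must be filter-escaped (the example's last line shows a "*" username failing to match anyone only because of that escaping), and connectionURL="ldap://localhost:389" sends the bind password and the user's password in the clear, so use ldaps:// for anything beyond a local test.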
