#1
Registered User (Join Date: Oct 2009, Posts: 2)

    Using Tomcat with LDAP JNDI


    Hello,

    I am setting up my Tomcat JNDI realm as:

    <Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionURL="ldap://Au-dc1:389"
    connectionName="CN=Ken Rubin,OU=Development,OU=Corporate,DC=mycompany,DC=com"
    connectionPassword="mallory1"
    userBase="OU=Development,OU=Corporate,DC=mycompany,DC=com"
    userSearch="(sAMAccountName={0})"
    userSubtree="true"
    userRoleName="cn"
    />

    I am only able to log onto Tomcat Manager if I set
    userRoleName="cn", where that attribute = "Ken Rubin". In web.xml for the Tomcat manager, I had to
    set my name as a role, i.e.

    web.xml
    <security-constraint>
    <!-- web-resource-collection omitted in the original post -->
    <auth-constraint>
    <role-name>Ken Rubin</role-name>
    </auth-constraint>
    </security-constraint>

    <security-role>
    <role-name>Ken Rubin</role-name>
    </security-role>

    My directory in LDAP is at "CN=Ken Rubin,OU=Development,OU=Corporate,DC=mycompany,DC=com".

    I had wished to set userRoleName="memberOf" so that it returns the roles for me; one of these roles would then be in my web.xml
    instead of Ken Rubin. But I have been unable to do this.

    One thing I noticed is that none of our company roles have any attributes listed under them.

    Also I don't know how to get the logger to give me more possible information about why I am failing.

    Any help would be greatly appreciated!

    Thank you,
    Ken
#2
Contributing User (Join Date: Jan 2009, Location: Charlotte, NC, Posts: 111)
    You can set userRoleName="objectCategory" and then set "person" in the web.xml for the role name. Then anyone in the Active Directory can authenticate to your application. The 'memberOf' attribute should work, but it seems your company is not assigning groups to the user accounts, which seems really odd to me.
#3
Registered User (Join Date: Oct 2009, Posts: 2)
    Hi ldapswandog,

    Thank you for the response!

    In reference to what you said, "The 'memberOf' attribute should work, but it seems your company is not assigning groups to the user accounts, which seems really odd to me."

    Are you implying that, since our company roles don't have any attributes listed under them, 1) this might cause the memberOf not to work, or 2) that it's just unusual to be missing these entries? I think you mean the second one, but I just wanted to make sure.

    Thanks,
    Ken
#4
Contributing User (Join Date: Jan 2009, Location: Charlotte, NC, Posts: 111)
    Perhaps you are seeing this because the memberOf attribute is truly empty. The memberOf attribute will be blank for users until they are added to groups other than the Domain Users group. The membership in 'Domain Users' is special in that it is built dynamically on the user's login and is based on their primary group ID. This is to get around the 5000 limit on the member attribute for groups. Other group membership must be manually set up by the AD administrators.
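The following is an added example, not code from this thread or from Tomcat itself. It models, against a small constructed in-memory directory shaped like Active Directory entries, how a JNDIRealm turns directory attributes into Tomcat role names, so the three points raised above can be checked side by side: the original question (userRoleName="cn" yields the role "Ken Rubin"; userRoleName="memberOf" yields nothing for a user with no group memberships), reply #2 (with userRoleName the attribute's values are used verbatim as role names, and in the AD schema objectCategory is a DN-valued attribute while the plain value "person" lives in objectClass, so the role-name in web.xml has to match whichever string the attribute really holds), and reply #4 (Domain Users membership comes from primaryGroupID and never appears in memberOf). The `roles_from_role_search` function mirrors Tomcat's alternative of resolving roles by searching group entries (the JNDIRealm `roleBase`, `roleSearch="(member={0})"` and `roleName="cn"` attributes), which returns the group's cn rather than its DN. The user and group entries, the DNs other than the one quoted in the question, and the RID 1105 are constructed sample data; 513 is the well-known RID of Domain Users.

```python
"""Model of how Tomcat's JNDIRealm derives role names from LDAP attributes.

Added example with a constructed directory; not Tomcat code and not a live
LDAP client. LDAP attribute names are case-insensitive, so lookups here are
case-insensitive as well.
"""

DOMAIN_USERS_RID = "513"  # well-known RID of the AD "Domain Users" group

KEN_DN = "CN=Ken Rubin,OU=Development,OU=Corporate,DC=mycompany,DC=com"
ALICE_DN = "CN=Alice Dev,OU=Development,OU=Corporate,DC=mycompany,DC=com"  # constructed

# Constructed user entries. Ken is only in his primary group (Domain Users),
# which AD exposes via primaryGroupID and never lists in memberOf.
USERS = {
    KEN_DN: {
        "cn": ["Ken Rubin"],
        "sAMAccountName": ["krubin"],
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "objectCategory": ["CN=Person,CN=Schema,CN=Configuration,DC=mycompany,DC=com"],
        "primaryGroupID": [DOMAIN_USERS_RID],
        "memberOf": [],  # no explicit group membership assigned yet
    },
    ALICE_DN: {
        "cn": ["Alice Dev"],
        "sAMAccountName": ["adev"],
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "objectCategory": ["CN=Person,CN=Schema,CN=Configuration,DC=mycompany,DC=com"],
        "primaryGroupID": [DOMAIN_USERS_RID],
        "memberOf": ["CN=Developers,OU=Groups,DC=mycompany,DC=com"],
    },
}

# Constructed group entries. Domain Users keeps an empty member attribute;
# Developers lists Alice explicitly (RID 1105 is made up for the example).
GROUPS = {
    "CN=Domain Users,CN=Users,DC=mycompany,DC=com": {
        "cn": ["Domain Users"], "primaryGroupToken": [DOMAIN_USERS_RID], "member": [],
    },
    "CN=Developers,OU=Groups,DC=mycompany,DC=com": {
        "cn": ["Developers"], "primaryGroupToken": ["1105"], "member": [ALICE_DN],
    },
}


def _attr(entry, name):
    """Case-insensitive attribute lookup, as an LDAP server would resolve it."""
    lowered = {k.lower(): v for k, v in entry.items()}
    return list(lowered.get(name.lower(), []))


def roles_from_user_attribute(user_dn, user_role_name):
    """userRoleName="<attr>": every value of that attribute is a role, verbatim.

    A misspelled attribute name (e.g. "objectcatagory") simply yields no roles.
    """
    return _attr(USERS[user_dn], user_role_name)


def roles_from_role_search(user_dn, role_name="cn"):
    """roleSearch="(member={0})" + roleName="cn": cn of each group listing the user DN."""
    return [_attr(g, role_name)[0] for g in GROUPS.values() if user_dn in _attr(g, "member")]


def effective_groups(user_dn):
    """Group names including the primary group, which memberOf omits (reply #4)."""
    rid = _attr(USERS[user_dn], "primaryGroupID")[0]
    primary = [_attr(g, "cn")[0] for g in GROUPS.values() if _attr(g, "primaryGroupToken")[0] == rid]
    return primary + roles_from_role_search(user_dn)


def authorized(roles, allowed_role_names):
    """The auth-constraint decision: does any role match a <role-name>?"""
    return bool(set(roles) & set(allowed_role_names))


if __name__ == "__main__":
    for dn in (KEN_DN, ALICE_DN):
        print(dn)
        print("  userRoleName=cn        ->", roles_from_user_attribute(dn, "cn"))
        print("  userRoleName=memberOf  ->", roles_from_user_attribute(dn, "memberOf"))
        print("  userRoleName=objectCategory ->", roles_from_user_attribute(dn, "objectCategory"))
        print("  roleSearch=(member={0}) ->", roles_from_role_search(dn))
        print("  effective groups       ->", effective_groups(dn))
        print("  allowed for 'Developers'?", authorized(roles_from_role_search(dn), ["Developers"]))
```

Running the block prints each user's role list under each realm setting. The checks worth taking away: a web.xml `<role-name>` must equal one of the strings the realm actually produces (a group DN for userRoleName="memberOf", the group cn for a roleSearch), and an empty memberOf is not an error but the expected state for a user whose only group is the primary one. For the logging question in the original post, the realm logs through the logger named after its class, `org.apache.catalina.realm.JNDIRealm`, so its level can be raised in Tomcat's conf/logging.properties to see the searches it runs.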
