October 2nd, 2009, 06:39 PM
Using Tomcat with LDAP JNDI
I am setting up my Tomcat JNDI realm as:
I am only able to log onto Tomcat Manager if I set
userRoleName="cn", whose value as an attribute is "Ken Rubin". In web.xml for the Tomcat manager, I had to
set my name as a role, i.e.
My directory in LDAP is at "CN=Ken Rubin,OU=Development,OU=Corporate,DC=mycompany,DC=com".
I had wished to set userRoleName="memberOf" and have the roles returned for me; one of these roles would be in my web.xml
instead of Ken Rubin. But I have been unable to do this.
One thing I noticed is that none of our company roles have any attributes listed under them.
Also I don't know how to get the logger to give me more possible information about why I am failing.
Any help would be greatly appreciated!
October 4th, 2009, 09:52 AM
You can set userRoleName="objectCategory" and then set "person" in the web.xml for the role name. Then anyone in the Active Directory can authenticate to your application. The 'memberOf' attribute should work, but it seems your company is not assigning groups to the user accounts, which seems really odd to me.
October 5th, 2009, 10:13 AM
Thank you for the response!
In reference to what you said, "The 'memberOf' attribute should work but it seems your company is not assigning groups to the user accounts, which seems really odd to me."
Are you implying that since our company roles don't have any attributes listed under them that 1) this might cause the memberOf not to work, or 2) that it's just unusual to be missing these entries? I think you mean the second one, but I just wanted to make sure.
October 11th, 2009, 07:00 AM
Perhaps you are seeing this because the memberOf attribute is truly empty.
The memberOf attribute will be blank for users until they are added to
groups other than the Domain Users group.
The membership in 'Domain Users' is special in that it is built
dynamically on the user's login and is based on their primary group ID.
This is to get around the 5000 limit on the members attribute for groups. Other group membership must be manually set up by the AD administrators.
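For anyone arriving at this thread with the same problem, here is an added example configuration (not posted by anyone in the thread, and not from the Tomcat or AD documentation) showing how the JNDIRealm can map AD group membership to a web.xml role without putting a person's name in web.xml. It covers both points raised above: userRoleName="memberOf" returns each group's full DN as the role name, so the role-name in web.xml would have to be that DN; searching the groups' member attribute via roleSearch instead returns the group cn, which is what people usually want. Neither approach will find "Domain Users", since primary-group membership is not stored in member/memberOf. The host name, bind account, OU paths and the group name "tomcat-managers" are placeholders I made up for the example; the realm attribute names themselves are the standard JNDIRealm ones.

```xml
<!-- server.xml (or the manager's context.xml): JNDIRealm against Active Directory.
     Values such as the host, bind DN and OUs are placeholders for this example. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://ad.mycompany.com:636"
       connectionName="CN=tomcat-bind,OU=ServiceAccounts,DC=mycompany,DC=com"
       connectionPassword="REPLACE_WITH_BIND_PASSWORD"
       userBase="OU=Corporate,DC=mycompany,DC=com"
       userSubtree="true"
       userSearch="(sAMAccountName={0})"
       roleBase="OU=Groups,DC=mycompany,DC=com"
       roleSubtree="true"
       roleName="cn"
       roleSearch="(member={0})" />
<!-- roleSearch: {0} is the authenticated user's DN (e.g. CN=Ken Rubin,OU=Development,...),
     so this finds every group whose 'member' attribute lists that DN and reports its cn.
     Alternative: drop roleBase/roleSearch and set userRoleName="memberOf"; the role
     names are then full group DNs such as CN=tomcat-managers,OU=Groups,DC=mycompany,DC=com. -->

<!-- web.xml for the protected application: grant access by AD group, not by person. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- cn of the AD group found by roleSearch above (placeholder group name) -->
    <role-name>tomcat-managers</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>tomcat-managers</role-name>
</security-role>
```

Using a dedicated read-only bind account and ldaps:// are my choices for the example rather than requirements of the thread; the role lookup works the same over plain ldap://. The objectCategory="person" trick from the reply above does log everyone in, but it also makes every directory account an authorized user of the application, which is why a group-based role mapping like this one is the safer default for the Manager app.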