1

I have a problem with the configuration of a LDAP server on Tomcat 8. I have a LDAP server configured and working on a WAS 8.5 server and I would like to configure the same LDAP on Tomcat. The WAS configuration is (translating from italian):

  • User filter: (&(cn=%v)(objectclass=inetOrgPerson))
  • Group filter: (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))
  • User ID map: *:cn
  • Group ID map: *:cn
  • Map ID member of group: ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember

The Realm tag in server.xml on tomcat is:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="10"
                            connectionURL="ldap://192.168.0.3:389"
                            userBase="o=organization,c=it"
                            userSearch="(cn={0})"
                            userSubtree="true"
                            connectionName="cn=test,cn=Directory Administrators,o=organization,c=it"
                            connectionPassword="testpass"                          
            />

How can I fill the Realm tag with the role attributes? And in the web.xml, what role I have to specify? I just want to grant access to all authenticated users.

EpicPandaForce
  • 79,669
  • 27
  • 256
  • 428
Francesco D'Ambrosio
  • 50
  • 1
  • 7

1 Answers1

1

I think you are already well on your way to authenticate users with the above settings.

Roles

For roles/groups, you can translate the WAS settings as follows: 

<...your config...
 roleBase="o=organization,c=it"
 roleSubtree="true"
 roleSearch="(&(uniqueMember={0})(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))" 
 roleName="cn"/>

The roles that a user is assigned in Tomcat, will then be a list of group names from the directory. As this may vary, you will need to set up a number of groups beforehand which are listed in your web.xml. Assigning those groups to users will then give them the appropriate access.

Authenticated Users

If you just want to allow any authenticated user, you can set the attribute allRolesMode to authOnly like this:

<...your config...
 allRolesMode="authOnly"/>

Your web.xml should then use * for the role specification like this: 

<auth-constraint>
    <role-name>*</role-name>
</auth-constraint>

Maybe you should also set the security-role element as indicated here: Tomcat security constraint for valid user

Personally I have no setup which uses authOnly but I know it can be done and have seen it in action.

mvreijn
  • 2,807
  • 28
  • 40
  • Which did you apply? The groups approach or the allRolesMode? (btw you can mark an answer as 'accepted' when the solution works ;-) ) – mvreijn Sep 19 '18 at 07:48
  • With this roleSearch I get following error: The entity name must immediately follow the '&' in the entity reference. – Artur Linhart Jan 26 '23 at 10:01
  • 1
    I think the rolesearch should be rather (&(uniqueMember={0})(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames))) – Artur Linhart Jan 27 '23 at 08:12
  • @ArturLinhart Yes, good catch, it is an XML file of course. – mvreijn Jan 27 '23 at 12:50