
I'm looking for a way to refine my role management using Apache DS with Tomcat and an LDAP realm JNDI setup via a context.xml file. I'm not that proficient in these topics so please excuse any glaring terminology mistakes I make.

Context.xml

My current context.xml file is as such

<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionName="uid=admin,ou=system"
       connectionPassword="PASSWORD"
       roleBase="ou=Groups,dc=ff,dc=local"
       roleName="cn"
       roleNested="true"
       roleSearch="(uniqueMember={0})"
       roleSubtree="true"
       userBase="ou=People,dc=ff,dc=local"
       userSearch="(mail={0})"
       connectionURL="${ldapServer}"
/>

The way I understand it is as follows:

  • connectionName, connectionPassword, and connectionURL set up the credentials to log into ApacheDS

  • userBase sets the search path for users

  • userSearch="(mail={0})" means that it is going to search for users in ou=People,dc=ff,dc=local where there is an entry with mail equal to the search key (in our case a login email)

For example, I have an entry called:

cn=A52Q7BBN9PVHHPH
sn=User
givenName=Test
mail=testUser@test.com
userPassword=SSHA-512 hashed password
... (some other non-important fields)

So my understanding is that if we log in to the web server with testUser@test.com, Tomcat is going to do a query for cn where the attribute mail=testUser@test.com.

This works great, but where I'm running into issues is figuring out an easier way to do role management.

Roles

I have an "entry?" called cn=ff-admin in ou=Groups, and as I understand it any "entry" in this group is supposed to indicate a user with admin privileges. The problem is that the entries look like:

uniqueMember=cn=A52Q7BBN9PVHHPH,ou=People,dc=ff,dc=local

as opposed to something more readable like perhaps this:

uniqueMember=mail=testUser@test.com

I'm searching for a way to modify my context.xml to make it easier to do user management via LDAP so that I do not have to attempt to cross-reference a random cn to an actual email address.

I'm assuming I could change the roleSearch=.... entry, but I wanted to reach out to the Stack community before I started hacking away and possibly broke something.

roleBase="ou=Groups,dc=ff,dc=local"
roleName="cn"
roleNested="true"
roleSearch="(uniqueMember={0})"
roleSubtree="true"
Jeef
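As an added illustration (not code from the question, Tomcat, or ApacheDS) of the two-step lookup the question describes: JNDIRealm first resolves the login to a user DN with userSearch, then substitutes that DN for {0} in roleSearch, which is why uniqueMember has to hold the full cn=...,ou=People DN rather than the mail address. The in-memory dictionary stands in for the directory, the search function only understands a single equality filter, and the {0} (user DN) / {1} (login name) placeholders follow Tomcat's documented JNDIRealm roleSearch semantics; the RFC 4515 escaping shows why a login name must never be pasted into a filter unescaped.

```python
import re

# Constructed stand-in for the ApacheDS tree in the question (not a live server).
DIRECTORY = {
    "cn=A52Q7BBN9PVHHPH,ou=People,dc=ff,dc=local": {
        "cn": ["A52Q7BBN9PVHHPH"], "mail": ["testUser@test.com"]},
    "cn=ff-admin,ou=Groups,dc=ff,dc=local": {
        "cn": ["ff-admin"],
        "uniqueMember": ["cn=A52Q7BBN9PVHHPH,ou=People,dc=ff,dc=local"]},
}

def escape_filter_value(value):
    """RFC 4515 escaping: a login such as '*)(mail=*' cannot widen the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def search(base, filter_str):
    """Return DNs under base whose entry satisfies one (attr=value) filter."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        raise ValueError("unsupported filter: " + filter_str)
    attr, wanted = m.group(1), unescape_filter_value(m.group(2))
    return [dn for dn, e in DIRECTORY.items()
            if dn.endswith("," + base) and wanted in e.get(attr, [])]

def resolve_roles(login, user_search="(mail={0})", role_search="(uniqueMember={0})"):
    """Two-step JNDIRealm lookup: user by login, then groups naming that user."""
    users = search("ou=People,dc=ff,dc=local",
                   user_search.replace("{0}", escape_filter_value(login)))
    if len(users) != 1:          # unknown or ambiguous user: no roles at all
        return None
    user_dn = users[0]
    # roleSearch placeholders as documented for JNDIRealm:
    # {0} = the user's DN, {1} = the login name as typed.
    role_filter = (role_search.replace("{0}", escape_filter_value(user_dn))
                              .replace("{1}", escape_filter_value(login)))
    return [DIRECTORY[g]["cn"][0]
            for g in search("ou=Groups,dc=ff,dc=local", role_filter)]
```

With roleSearch="(uniqueMember={1})" the group would have to list the login name itself, so against the directory above that template yields no roles.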