When using the JNDIRealm, no role checking succeeds. Looking at the debug output, this is due to an incorrect search filter being created, prepending and appending invalid characters (\28 and \29) to the filter. The server.xml works fine on previous versions. This occurs on both Windows and Linux.

Log output:

2004-01-27 14:48:02 JNDIRealm[Catalina]: Username tomcat successfully authenticated
2004-01-27 14:48:02 JNDIRealm[Catalina]: getRoles(uid=tomcat,dc=test,dc=com)
2004-01-27 14:48:02 JNDIRealm[Catalina]: Searching role base 'dc=test,dc=com' for attribute 'cn'
2004-01-27 14:48:02 JNDIRealm[Catalina]: With filter expression '\28uniqueMember=uid=tomcat,dc=test,dc=com\29'
I'll look at this and see if it has to do with my recent patch for an encoding issue. Could you please post your realm tag from server.xml, exactly as it appears?
Here's my server.xml:

<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" />
    <!-- This is here for compatibility only, not required -->
    <Connector port="8009" protocol="AJP/1.3" />
    <Engine name="Catalina" defaultHost="localhost">
      <Logger className="org.apache.catalina.logger.FileLogger" />
      <Realm className="org.apache.catalina.realm.JNDIRealm"
             connectionURL="ldap://lldapv.ldn.bzwint.com:389"
             debug="99"
             roleBase="ou=intranet,dc=barcapint,dc=com"
             roleName="cn"
             roleSearch="(uniqueMember={0})"
             roleSubtree="true"
             userBase="ou=intranet,dc=barcapint,dc=com"
             userSearch="uid={0}"
             userSubtree="true" />
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
Ahh, I see the problem. I did the RFC 2254 encoding on the whole search string we were using, whereas it should only be done on the DN that the user enters, so you would go from a DN of "some(Strange)Username" to a role search string of (uniqueMember=some\28Strange\29Username), not \28uniqueMember=some\28Strange\29Username\29. I'll post the simple patch to make the encoding more focused.
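To make the scoping point above concrete, here is an added illustration (not Jeff's patch and not Tomcat's JNDIRealm code) of the two orders of operations. It models the {0} substitution with a plain string replace rather than java.text.MessageFormat, and the well-formedness check is a deliberately minimal paren-balance test, not an LDAP filter parser; both are simplifications assumed for the example. The constructed inputs are the DN from the log above, the "some(Strange)Username" DN from the comment, and one hostile value to show why escaping the value is what stops filter injection.

```python
# RFC 2254 section 4: inside a filter *value* the characters '*', '(', ')',
# '\' and NUL must be written as a backslash followed by two hex digits.
# '=' and ',' are not special in a value, so a full DN such as
# "uid=tomcat,dc=test,dc=com" passes through untouched.
_SPECIAL = {'*': r'\2a', '(': r'\28', ')': r'\29', '\\': r'\5c', '\x00': r'\00'}


def escape_filter_value(value: str) -> str:
    """Escape one value that is about to be substituted into a search filter."""
    return ''.join(_SPECIAL.get(ch, ch) for ch in value)


def build_filter_buggy(template: str, value: str) -> str:
    """The behaviour reported in this bug: substitute first, then escape the
    whole filter, which also encodes the template's own parentheses."""
    return escape_filter_value(template.replace('{0}', value))


def build_filter_fixed(template: str, value: str) -> str:
    """Escape only the caller-supplied value, then substitute it into the
    template, so the template's structural characters survive."""
    return template.replace('{0}', escape_filter_value(value))


def is_well_formed(filt: str) -> bool:
    """Minimal structural check (assumed for this example, not a full parser):
    a filter is exactly one parenthesised expression whose *unescaped*
    parentheses balance. Escaped sequences such as \28 and \29 are data and
    are skipped over."""
    if not (filt.startswith('(') and filt.endswith(')')):
        return False
    depth = 0
    i = 0
    while i < len(filt):
        ch = filt[i]
        if ch == '\\':
            i += 3          # skip the backslash and its two hex digits
            continue
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth < 0:
                return False
            if depth == 0 and i != len(filt) - 1:
                return False  # outermost group closed before the end: two top-level expressions
        i += 1
    return depth == 0


if __name__ == '__main__':
    role_search = '(uniqueMember={0})'
    # Constructed input: the DN from the log above.
    print(build_filter_buggy(role_search, 'uid=tomcat,dc=test,dc=com'))   # the log's broken filter
    print(build_filter_fixed(role_search, 'uid=tomcat,dc=test,dc=com'))
    # Constructed input: the DN from the comment above.
    print(build_filter_fixed(role_search, 'some(Strange)Username'))
    # Constructed hostile value: with no escaping it would smuggle a second expression in.
    print(build_filter_fixed('(uid={0})', '*)(uid=*'))
```

The buggy builder reproduces the '\28uniqueMember=...\29' string in the log exactly, which the check rejects because the filter no longer begins with an unescaped '('. The fixed builder yields the '(uniqueMember=some\28Strange\29Username)' form from the comment, and for the hostile value it produces '(uid=\2a\29\28uid=\2a)' rather than '(uid=*)(uid=*)', which is the difference between a literal lookup and an injected second search term.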
Created attachment 10244 [details] Simple fix in JNDIRealm for this problem against 5.x source
If somebody could commit this to Tomcat 5, and back port it (very very simple in this case since the JNDIRealm code is nearly identical in the two branches) to Tomcat 4, I would be much obliged. Thanks.
Patch applied to tomcat 4.1 and tomcat 5. Thanks Jeff!
*** Bug 26834 has been marked as a duplicate of this bug. ***
*** Bug 26888 has been marked as a duplicate of this bug. ***