Bug 57209 - JNDIRealm userSearch does not work against active directory with roles
Summary: JNDIRealm userSearch does not work against active directory with roles
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 7.0.57
Hardware: PC All
: P2 normal (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2014-11-13 22:40 UTC by Jason McIntosh
Modified: 2014-12-14 13:11 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Jason McIntosh 2014-11-13 22:40:58 UTC
JNDIRealm without connectionPassword/connectionName on role lookups - role search as user does not work as intended.  If you want to search the system as the logged in user for roles:

userBase = DC=Company,DC=com
userSearch = (&(objectCategory=person)(sAMAccountName={0}))
userSubTree = true

This works fine and you can bind as a user, but searching fails.  Search fails because there's no user credentials to bind with and binding anonymously is disabled.  If you have isRoleSearchAsUser turned on the expectation

protected User getUser(DirContext context, String username, String credentials, int curUserPattern) 
does not add the binding user credentials for searching.  A VERY simple fix around line 1297 is to do the following so that searches work with the bound user:

  // Use pattern or search for user entry
            if (userPatternFormatArray != null && curUserPattern >= 0) {
                user = getUserByPattern(context, username, credentials, attrIds, curUserPattern);
            else {
                if (isRoleSearchAsUser()) {
                    userCredentialsAdd(context, username, credentials);
                user = getUserBySearch(context, username, attrIds);

There's probably a cleaner way to do this, but this is how I've managed to get things working at this point.  I'd imagine a property "userSearchDNPattern" could be added so that you can specify the pattern for the DN to bind with.  And switch the "userCredentialsAdd" to use that userSearchDNPattern" instead.  With the above fix binding as a user and role lookups now work.  Another option is to change "roleSearchAsUser" to something that says "do all operatins with the authenticated user, assuming he's authorized"
Comment 1 Mark Thomas 2014-12-12 19:39:51 UTC
I think the answer here is to change roleSearchAsUser to searchAsUser and then do as you suggest. There will need to be appropriate deprecation and support for both in parallel.

I'll start work on a patch.
Comment 2 Mark Thomas 2014-12-12 20:04:51 UTC
On reflection a new attribute userSearchAsUser seems more appropriate.
Comment 3 Mark Thomas 2014-12-14 13:11:33 UTC
The new attribute has been added to trunk, 8.0.x (for 8.0.16 onwards) and 7.0.x (for 7.0.58 onwards).