I need to set up LDAP authentication against the Domain Users group in AD; the problem is that LDAP authentication seems to require that users are members of some group other than the default Domain Users. However, when there are 10000+ users it's not a solution to assign all of them to another group just for this Tomcat purpose.

There must be another way? Is it possible to check for primaryGroupID by editing server.xml or web.xml?

Or is it possible to ignore the GROUP check completely?

A: 

According to Realm Configuration HOW-TO,

The directory realm supports two approaches to the representation of roles in the directory:

  • Roles as explicit directory entries
    Roles may be represented by explicit directory entries. A role entry is usually an LDAP group entry with one attribute containing the name of the role and another whose values are the distinguished names or usernames of the users in that role. The following attributes configure a directory search to find the names of roles associated with the authenticated user:
      • roleBase - the base entry for the role search. If not specified, the search base is the top-level directory context.
      • roleSubtree - the search scope. Set to true if you wish to search the entire subtree rooted at the roleBase entry. The default value of false requests a single-level search including the top level only.
      • roleSearch - the LDAP search filter for selecting role entries. It optionally includes pattern replacements "{0}" for the distinguished name and/or "{1}" for the username of the authenticated user.
      • roleName - the attribute in a role entry containing the name of that role
  • Roles as an attribute of the user entry
    Role names may also be held as the values of an attribute in the user's directory entry. Use userRoleName to specify the name of this attribute.

A combination of both approaches to role representation may be used.

So one way is to use an attribute if you have something appropriate. There are tools out there that can do "mass update" or "bulk modify" of AD attributes. If you don't want to contaminate the AD, another option is to wrap it with ADAM. You can create proxy objects in ADAM that point to AD users and add attributes in ADAM. See Understanding ADAM bind redirection for more info.

eed3si9n
A: 

Realm subclasses deriving from org.apache.catalina.realm.RealmBase have a configuration parameter, allRolesMode that controls the behavior when a role attribute (userRoleName) or entry (roleSearch, etc.) is not provided. This is left out of their configuration docs, but does appear in the Javadoc. You probably want allRolesMode="strictAuthOnly".

Brandon DuRette
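Putting the second answer into configuration, as an added example that is not part of either answer: a JNDIRealm in server.xml that authenticates against AD without any role lookup, paired with a web.xml constraint that uses the special "*" role. The host name, service-account DN, base DNs and URL pattern are constructed placeholders.

```xml
<!-- server.xml: place inside <Engine> or <Host>. No roleSearch/roleBase and no
     userRoleName are set, so the realm looks up no roles at all. Note that a
     user's primary group (Domain Users) is never listed in memberOf, so a
     roleSearch on member/memberOf would not find it anyway. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://dc01.example.com:636"
       connectionName="CN=svc-tomcat,OU=Service Accounts,DC=example,DC=com"
       connectionPassword="REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD"
       userBase="OU=Users,DC=example,DC=com"
       userSubtree="true"
       userSearch="(sAMAccountName={0})"
       allRolesMode="strictAuthOnly" />

<!-- web.xml: with allRolesMode="strictAuthOnly", the "*" role grants access to
     any authenticated user only when the application declares no
     <security-role> elements, so none are declared here. Every valid domain
     account can reach this url-pattern; keep it as narrow as the app needs. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Domain users only</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- credentials travel in the Authorization header; require TLS -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>AD</realm-name>
</login-config>
```

With allRolesMode="authOnly" instead, "*" would match any authenticated user even if the application declared other security roles, which is broader than the question asks for.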