views:

92

answers:

1

We have Tomcat 6 connecting to a Win2k3 Server running AD.

The realm is configured as such

    <!-- {0} in userSearch is the login name; in roleSearch it is the DN of the user entry found by userSearch -->
    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99" referrals="follow"
           connectionURL="<url>"
           connectionName="CN=Query Account,OU=Service Accounts,DC=company,DC=com"
           connectionPassword="<pwd>"
           userBase="OU=Users,DC=company,DC=com" userSubtree="true"
           userSearch="(sAMAccountName={0})" userRoleName="member"
           roleBase="OU=Security Groups,DC=company,DC=com" roleName="cn"
           roleSearch="(member={0})" roleSubtree="true"/>

Our groups in AD are such

  Security Groups (OU)
   IT (OU)
     IT Support (OU)
       Support Staff (CN)

The LDAP security works if, in the web.xml, I specify Support Staff, i.e. it works for common names.

We want ANY user under the Security Groups OU to have access to the application and not just the CN. Tomcat does not search OUs; it just searches CNs in our case. How do we configure our settings so we can do OU-level authorization and not just CN-level?

thanks Mat

A: 

Wouldn't the "security groups" group also have a CN? I think you would need to assign your users to the Security Groups group then query that way. I don't think the Realm stuff can query in the way you are wishing it to.

Some things that might help you

referrals="follow": use this or it won't attempt to traverse directories to find your groups.

That may be what's tripping you up.

Good Luck

mugafuga
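An added example, not part of the question or the answer above: an offline Python model of how the question's JNDIRealm settings resolve roles (user lookup by sAMAccountName, then roleSearch="(member={0})" under roleBase with subtree scope), and what changes once users are put in a real group with a CN, as the answer suggests. The directory contents, the account "mat" and the helper names are constructed for the example; the bind-as-user authentication step is not modelled.

```python
# Realm settings taken from the question's <Realm> element.
USER_BASE = "OU=Users,DC=company,DC=com"
ROLE_BASE = "OU=Security Groups,DC=company,DC=com"

# Constructed entries mirroring the OU tree in the question: DN -> attributes.
# OUs are containers and carry no "member" attribute; only the group does.
DIRECTORY = {
    "CN=mat,OU=Users,DC=company,DC=com": {"objectClass": ["user"], "sAMAccountName": ["mat"]},
    "OU=Security Groups,DC=company,DC=com": {"objectClass": ["organizationalUnit"]},
    "OU=IT,OU=Security Groups,DC=company,DC=com": {"objectClass": ["organizationalUnit"]},
    "OU=IT Support,OU=IT,OU=Security Groups,DC=company,DC=com": {"objectClass": ["organizationalUnit"]},
    "CN=Support Staff,OU=IT Support,OU=IT,OU=Security Groups,DC=company,DC=com": {
        "objectClass": ["group"], "cn": ["Support Staff"],
        "member": ["CN=mat,OU=Users,DC=company,DC=com"]},
}

def in_subtree(dn, base):
    """Subtree scope (userSubtree/roleSubtree="true"): the base itself or anything beneath it."""
    return dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())

def search(directory, base, attr, value):
    """Equality filter (attr=value) under base, i.e. userSearch/roleSearch with {0} filled in."""
    return [dn for dn, attrs in directory.items()
            if in_subtree(dn, base)
            and value.lower() in (v.lower() for v in attrs.get(attr, []))]

def realm_roles(directory, username):
    """Mirror the realm: find the user DN via userSearch, then groups whose member lists that DN."""
    users = search(directory, USER_BASE, "sAMAccountName", username)
    if len(users) != 1:
        return None                      # unknown or ambiguous account: no roles at all
    user_dn = users[0]
    groups = search(directory, ROLE_BASE, "member", user_dn)
    return sorted(directory[dn]["cn"][0] for dn in groups)   # roleName="cn"

def with_umbrella_group(directory, cn, members):
    """The answer's suggestion: a real group (with a CN) directly under the Security Groups OU."""
    updated = dict(directory)
    updated["CN=%s,%s" % (cn, ROLE_BASE)] = {"objectClass": ["group"], "cn": [cn], "member": list(members)}
    return updated

if __name__ == "__main__":
    # The nested group is found through roleSubtree; the OUs above it never become roles.
    print(realm_roles(DIRECTORY, "mat"))
    # After adding the umbrella group, web.xml can name "Security Groups" as the role.
    print(realm_roles(with_umbrella_group(DIRECTORY, "Security Groups",
                                          ["CN=mat,OU=Users,DC=company,DC=com"]), "mat"))
```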