RE: JNDIRealm

> While trying to track down an issue with logins taking a very long time, I
> just discovered in the 5.5.26 source code/Javadoc for JNDIRealm (likewise in
> the 6.0 documentation) that there's a big bold TODO to support connection
> pooling in the JNDIRealm.  I think this may be part of the login problem I'm
> seeing.
>
> Looking over the current source code, I can see that it's going to require a
> fairly extensive refactoring of the JNDIRealm code.  I'm willing to take a
> shot at fixing it, but wanted to first check with the list on a couple of
> ::::
> Thanks in advance for any pointers.
>
> Regards,
> Brandon

> Brandon DuRette schrieb:
> As I said in my mail (27 Feb 2008 to bug 42579) JNDIRealm is hardly
> useable with (Windows Server 2003) Active Directory Domains  --
> except for very small / trivial cases.
>
> After a long history of frustrations, I solved all the
> Tomcat+AD-issues by an own ADweRealms. Experiences are, so far,
> 100% good (with Apache Tomcat/6.0.16 on JDK1.6.0_05 and before
> also with 5.5.x od 1.5.0_y). I offered the solution, already, in
> mentioned mail. (got nil reactions)

> Brandon DuRette schrieb:
>  
>> While trying to track down an issue with logins taking a very long time, I
>> just discovered in the 5.5.26 source code/Javadoc for JNDIRealm (likewise in
>> the 6.0 documentation) that there's a big bold TODO to support connection
>> pooling in the JNDIRealm.  I think this may be part of the login problem I'm
>> seeing.
>>
>> Looking over the current source code, I can see that it's going to require a
>> fairly extensive refactoring of the JNDIRealm code.  I'm willing to take a
>> shot at fixing it, but wanted to first check with the list on a couple of
>> ::::
>> Thanks in advance for any pointers.
>>
>> Regards,
>> Brandon
>>    
>
> Dear Brandon,
>
> re-doing JNDIRealm seems to me very necesary, but for an other
> reason as yours, mentioned above.
>
> As I said in my mail (27 Feb 2008 to bug 42579) JNDIRealm is hardly
> useable with (Windows Server 2003) Active Directory Domains  --
> except for very small / trivial cases.
>
> After a long history of frustrations, I solved all the
> Tomcat+AD-issues by an own ADweRealms. Experiences are, so far,
> 100% good (with Apache Tomcat/6.0.16 on JDK1.6.0_05 and before
> also with 5.5.x od 1.5.0_y). I offered the solution, already, in
> mentioned mail. (got nil reactions)
>
> Perhaps, you could make your newly designed JNDIRealm realy fit for
> Active Directory. It would be warmly welcomed by all who tried to
> use / would have liked to use (but, as I know from some, gave up)
> Tomcat with AD.
>
> Good luck
>     Albrecht
>
> --------------
>
> PS.: For your convinience follows part of mentioned mail, in the
>      hope of giving some pointers, you asked for in your mail.
>
> --- Comment #2 from
> Dr. Albrecht Weinert <albrecht@...>
> 2008-02-27 22:48:41 ---
> By the way of JNDI/Tomcat + Active Directory:
>
> JNDIRealm is/was never quite happy with Active
> Directory for a variety of reasons. After a bunch
> of frustrations (of which the lying isUserInGruop()
> was one of the worst), some time ago, I decided to
> write a new Realm class, which I may contribute.
>
> http://www.a-weinert.de/java/docs/aWeinertBib/de/a_weinert/realm/ADweRealm.html
>
> ADweRealm searches only one way (performance!) from the
> (authenticated) user to his groups. It follows
> the quite important group-in-group relations (to
> any depth), and so on.
>
> Experiences in a Windows Server 2003 domain (3000+ user
> accounts, hundreds of groups etc.) are quite encouraging.
> None of the Tomcat + Active Directory problems, which
> Google is full of, arised any more.
>
>  

> When working on this, I would appreciate if bug 44645 could also be
> resolved. It's a fairly trivial patch.
>
>  https://issues.apache.org/bugzilla/show_bug.cgi?id=44645
>
>  I also have additional fixes for JNDIRealm that address problems in
> connecting to Active Directory. The biggest issue is that during the
> authenticate() call, an LDAP search is performed. The current implementation
> uses the bind DN/bind password to perform the search or null credentials (if
> the bind DN/bind password is not provided). However, it should also use the
> credentials being supplied to the authenticate() call; adding code to do
> this resolves a giant hurdle in getting AD authentication to work properly
> with most Active Directory setups.
>
>  There is also a lifecycle bug in the JNDIRealm that causes authentication
> problems if stop() -> start() calls are issued against it.
>
>  I was waiting to open bugs and supply patches for these additional issues
> until bug 44645 was resolved (since that would give me a new base for
> patching). Bug 44645 is a much more severe issue since it affects all LDAP
> servers that use invalid or expired SSL certificates. I'll paste the
> description I gave in the bug in case anyone sees this message via search
> engines:
>
>  "This [bug 44645 patch] is necessary so that you can perform customized SSL
> negotiation on the connection. For instance, it allows you to connect to an
> SSL server with an invalid, expired, self-signed, or otherwise untrusted
> certificate. To do this, you just need to write a
> javax.net.ssl.SSLSocketFactory that does not perform the normal certificate
> validation during the SSL handshake and then specify the classname on the
> new setSocketFactory() call added by this patch."
>
>  Seth Leger
>  Sr. Software Engineer
>  Raritan, Inc.
>
>
>  albrecht@... wrote:
>
> > Brandon DuRette schrieb:
> >
> >
> > > While trying to track down an issue with logins taking a very long time,
> I
> > > just discovered in the 5.5.26 source code/Javadoc for JNDIRealm
> (likewise in
> > > the 6.0 documentation) that there's a big bold TODO to support
> connection
> > > pooling in the JNDIRealm.  I think this may be part of the login problem
> I'm
> > > seeing.
> > >
> > > Looking over the current source code, I can see that it's going to
> require a
> > > fairly extensive refactoring of the JNDIRealm code.  I'm willing to take
> a
> > > shot at fixing it, but wanted to first check with the list on a couple
> of
> > > ::::
> > > Thanks in advance for any pointers.
> > >
> > > Regards,
> > > Brandon
> > >
> > >
> >
> > Dear Brandon,
> >
> > re-doing JNDIRealm seems to me very necesary, but for an other
> > reason as yours, mentioned above.
> >
> > As I said in my mail (27 Feb 2008 to bug 42579) JNDIRealm is hardly
> > useable with (Windows Server 2003) Active Directory Domains  --
> > except for very small / trivial cases.
> >
> > After a long history of frustrations, I solved all the
> > Tomcat+AD-issues by an own ADweRealms. Experiences are, so far,
> > 100% good (with Apache Tomcat/6.0.16 on JDK1.6.0_05 and before
> > also with 5.5.x od 1.5.0_y). I offered the solution, already, in
> > mentioned mail. (got nil reactions)
> >
> > Perhaps, you could make your newly designed JNDIRealm realy fit for
> > Active Directory. It would be warmly welcomed by all who tried to
> > use / would have liked to use (but, as I know from some, gave up)
> > Tomcat with AD.
> >
> > Good luck
> >    Albrecht
> >
> > --------------
> >
> > PS.: For your convinience follows part of mentioned mail, in the
> >     hope of giving some pointers, you asked for in your mail.
> >
> > --- Comment #2 from
> > Dr. Albrecht Weinert <albrecht@...>
> > 2008-02-27 22:48:41 ---
> > By the way of JNDI/Tomcat + Active Directory:
> >
> > JNDIRealm is/was never quite happy with Active
> > Directory for a variety of reasons. After a bunch
> > of frustrations (of which the lying isUserInGruop()
> > was one of the worst), some time ago, I decided to
> > write a new Realm class, which I may contribute.
> >
> >
> http://www.a-weinert.de/java/docs/aWeinertBib/de/a_weinert/realm/ADweRealm.html
> >
> > ADweRealm searches only one way (performance!) from the
> > (authenticated) user to his groups. It follows
> > the quite important group-in-group relations (to
> > any depth), and so on.
> >
> > Experiences in a Windows Server 2003 domain (3000+ user
> > accounts, hundreds of groups etc.) are quite encouraging.
> > None of the Tomcat + Active Directory problems, which
> > Google is full of, arised any more.
> >
> >
> >
>
> ---------------------------------------------------------------------
>  To unsubscribe, e-mail: dev-unsubscribe@...
>  For additional commands, e-mail: dev-help@...
>
>

> Did someone as a example LDAP configuration against AD available
> against standard JNDIRealm  ?
>
> Regards.
>
> 2008/4/14, Seth Leger <seth.leger@...>:
>  
>> When working on this, I would appreciate if bug 44645 could also be
>> resolved. It's a fairly trivial patch.
>>
>>  https://issues.apache.org/bugzilla/show_bug.cgi?id=44645
>>
>>  I also have additional fixes for JNDIRealm that address problems in
>> connecting to Active Directory. The biggest issue is that during the
>> authenticate() call, an LDAP search is performed. The current implementation
>> uses the bind DN/bind password to perform the search or null credentials (if
>> the bind DN/bind password is not provided). However, it should also use the
>> credentials being supplied to the authenticate() call; adding code to do
>> this resolves a giant hurdle in getting AD authentication to work properly
>> with most Active Directory setups.
>>
>>  There is also a lifecycle bug in the JNDIRealm that causes authentication
>> problems if stop() -> start() calls are issued against it.
>>
>>  I was waiting to open bugs and supply patches for these additional issues
>> until bug 44645 was resolved (since that would give me a new base for
>> patching). Bug 44645 is a much more severe issue since it affects all LDAP
>> servers that use invalid or expired SSL certificates. I'll paste the
>> description I gave in the bug in case anyone sees this message via search
>> engines:
>>
>>  "This [bug 44645 patch] is necessary so that you can perform customized SSL
>> negotiation on the connection. For instance, it allows you to connect to an
>> SSL server with an invalid, expired, self-signed, or otherwise untrusted
>> certificate. To do this, you just need to write a
>> javax.net.ssl.SSLSocketFactory that does not perform the normal certificate
>> validation during the SSL handshake and then specify the classname on the
>> new setSocketFactory() call added by this patch."
>>
>>  Seth Leger
>>  Sr. Software Engineer
>>  Raritan, Inc.
>>
>>
>>  albrecht@... wrote:
>>
>>    
>>> Brandon DuRette schrieb:
>>>
>>>
>>>      
>>>> While trying to track down an issue with logins taking a very long time,
>>>>        
>> I
>>    
>>>> just discovered in the 5.5.26 source code/Javadoc for JNDIRealm
>>>>        
>> (likewise in
>>    
>>>> the 6.0 documentation) that there's a big bold TODO to support
>>>>        
>> connection
>>    
>>>> pooling in the JNDIRealm.  I think this may be part of the login problem
>>>>        
>> I'm
>>    
>>>> seeing.
>>>>
>>>> Looking over the current source code, I can see that it's going to
>>>>        
>> require a
>>    
>>>> fairly extensive refactoring of the JNDIRealm code.  I'm willing to take
>>>>        
>> a
>>    
>>>> shot at fixing it, but wanted to first check with the list on a couple
>>>>        
>> of
>>    
>>>> ::::
>>>> Thanks in advance for any pointers.
>>>>
>>>> Regards,
>>>> Brandon
>>>>
>>>>
>>>>        
>>> Dear Brandon,
>>>
>>> re-doing JNDIRealm seems to me very necesary, but for an other
>>> reason as yours, mentioned above.
>>>
>>> As I said in my mail (27 Feb 2008 to bug 42579) JNDIRealm is hardly
>>> useable with (Windows Server 2003) Active Directory Domains  --
>>> except for very small / trivial cases.
>>>
>>> After a long history of frustrations, I solved all the
>>> Tomcat+AD-issues by an own ADweRealms. Experiences are, so far,
>>> 100% good (with Apache Tomcat/6.0.16 on JDK1.6.0_05 and before
>>> also with 5.5.x od 1.5.0_y). I offered the solution, already, in
>>> mentioned mail. (got nil reactions)
>>>
>>> Perhaps, you could make your newly designed JNDIRealm realy fit for
>>> Active Directory. It would be warmly welcomed by all who tried to
>>> use / would have liked to use (but, as I know from some, gave up)
>>> Tomcat with AD.
>>>
>>> Good luck
>>>    Albrecht
>>>
>>> --------------
>>>
>>> PS.: For your convinience follows part of mentioned mail, in the
>>>     hope of giving some pointers, you asked for in your mail.
>>>
>>> --- Comment #2 from
>>> Dr. Albrecht Weinert <albrecht@...>
>>> 2008-02-27 22:48:41 ---
>>> By the way of JNDI/Tomcat + Active Directory:
>>>
>>> JNDIRealm is/was never quite happy with Active
>>> Directory for a variety of reasons. After a bunch
>>> of frustrations (of which the lying isUserInGruop()
>>> was one of the worst), some time ago, I decided to
>>> write a new Realm class, which I may contribute.
>>>
>>>
>>>      
>> http://www.a-weinert.de/java/docs/aWeinertBib/de/a_weinert/realm/ADweRealm.html
>>    
>>> ADweRealm searches only one way (performance!) from the
>>> (authenticated) user to his groups. It follows
>>> the quite important group-in-group relations (to
>>> any depth), and so on.
>>>
>>> Experiences in a Windows Server 2003 domain (3000+ user
>>> accounts, hundreds of groups etc.) are quite encouraging.
>>> None of the Tomcat + Active Directory problems, which
>>> Google is full of, arised any more.
>>>
>>>
>>>
>>>      
>> ---------------------------------------------------------------------
>>  To unsubscribe, e-mail: dev-unsubscribe@...
>>  For additional commands, e-mail: dev-help@...
>>
>>
>>    
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@...
> For additional commands, e-mail: dev-help@...
>
>
>  

>  b) Anonymous searches (with null credentials) are successful against the
> server
>
>  (b) is highly unlikely because by default, Active Directory does not allow
> searches of the user tree for anonymous users. It is not desirable to enable
> this behavior in many cases because it allows any network client to discover
> the Active Directory user list without credentials.
>
>  For (a) to work, the Active Directory administrator must give bind DN and
> password of a user with search permissions to the Tomcat administrator. This
> could either be the Administrator password or the password of a dummy user
> that is set up for this purpose. However, this is also undesirable in many
> cases because it means that the LDAP administrator is giving out an
> Administrator-level password that is likely being stored in plain text
> inside the Tomcat configuration. This is more secure than anonymous access
> but still isn't acceptable for many users.
>
>  My patch changes the behavior so that the credentials provided during
> authentication are used during a login to perform the LDAP search.

> I do some search today and debugged TC 6.0.x trunk from my eclipse.
> Authentification works great and the only remaining problem it so
> setup roles in AD for users.
>
> I used :
>
>     <Realm   className="org.apache.catalina.realm.JNDIRealm"
>          connectionURL="ldap://ldap.mycorp.com:389"
>          alternateURL="ldap://ldap.mycorp.com:389"
>          connectionName="cn=someldapaccounttobind,ou=MyCorp
> Users,dc=mycorp,dc=com"
>          connectionPassword="someldapaccounttobindpassword"
>            userBase="ou=MyCorp Users,dc=mycorp,dc=com"
>            userSearch="(sAMAccountName={0})"
>            userSubtree="true"
>            referrals="follow"
>            userRoleName="memberOf"
>            debug="true"
>            />
>  

> Henri Gomez wrote:
>
> > I do some search today and debugged TC 6.0.x trunk from my eclipse.
> > Authentification works great and the only remaining problem it so
> > setup roles in AD for users.
> >
> > I used :
> >
> >    <Realm
> className="org.apache.catalina.realm.JNDIRealm"
> >         connectionURL="ldap://ldap.mycorp.com:389"
> >         alternateURL="ldap://ldap.mycorp.com:389"
> >
> connectionName="cn=someldapaccounttobind,ou=MyCorp
> > Users,dc=mycorp,dc=com"
> >
> connectionPassword="someldapaccounttobindpassword"
> >           userBase="ou=MyCorp Users,dc=mycorp,dc=com"
> >           userSearch="(sAMAccountName={0})"
> >           userSubtree="true"
> >           referrals="follow"
> >           userRoleName="memberOf"
> >           debug="true"
> >           />
> >
> >
>  Yes, this use case will work with the current Tomcat 6.0.X JNDIRealm code
> because your Active Directory administrator has given you search credentials
> for the Active Directory server
> (cn=someldapaccounttobind,ou=MyCorpUsers,dc=mycorp,dc=com/someldapaccounttobindpassword).
> But not all Active Directory administrators are willing to give out a set of
> credentials like this (for instance, a strict, enterprise environment where
> password access is strictly controlled).
>
>  My patch removes that requirement from the JNDIRealm. Instead of relying on
> a hard-coded value for authentication, it can fall back to using the
> credentials being supplied to the authenticate() call to perform the JNDI
> search (which will succeed because users have permissions to view their own
> LDAP object instance, as far as I know this is always true). The password is
> never stored; it is only transmitted at login time to the server (and this
> transmission can be protected from interception with LDAP over SSL).
>
>  It's a pretty minor change, written similarly to the way that the current
> JNDIRealm code retries during connection timeouts.
>
>  Seth Leger
>  Sr. Software Engineer
>  Raritan, Inc.
>
> ---------------------------------------------------------------------
>  To unsubscribe, e-mail: dev-unsubscribe@...
>  For additional commands, e-mail: dev-help@...
>
>