
JNDIRealm/Tomcat group/role search as authenticated user


How can I make tomcat/jndi use the authenticating user to bind to ldap for the group search?

The problem:

  • Simple FORM-based Tomcat/jndiRealm/ldap authentication for a servlet
  • Already set up so that the user does authenticate properly (Bind mode)
  • However, the LDAP server does not allow an anonymous bind to see the groups I'm interested in. The currently-authenticating user can see these groups
  • I don't want to use a connectionName and connectionPassword

I would like the Role Search to be done by the user who is currently authenticating, but even in Bind mode, Wireshark shows that an anonymous bind is done after the initial user auth.

Workarounds that work, but are not what I want:

  • using a connectionName and connectionPassword of a user that can see the groups
  • setting a commonRole for the realm

(I have no control over the ldap server)

From my (non-working) server.xml:

<!-- Bind mode: userPattern builds the user's DN and the realm binds with the
     supplied password. No connectionName/connectionPassword is set, so the
     role search that follows falls back to an anonymous bind. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://localhost:389"
       userPattern="cn={0},ou=people,o=myO,dc=myDc,dc=com"
       roleBase="ou=groups,o=myO,dc=myDc,dc=com"
       roleName="cn"
       roleSearch="member={0}" />

Solution

  • If you don't have any control over the LDAP server and Tomcat's JNDIRealm really behaves that way, you don't seem to have any choice but to use a connection name/password. It's easy enough to check the JNDIRealm source code: it's not a large file.
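An added example, not part of the question or the answer above, showing the same realm written two ways. The first is the workaround the answer describes: a dedicated service account in connectionName/connectionPassword performs the role search. The second uses the roleSearchAsUser attribute that later JNDIRealm releases provide, which keeps the authenticating user's own bind for the role search instead of reverting to the connection credentials. The hostname, the service-account DN and the password are placeholders; the people/groups DNs are the ones from the question.

```xml
<!-- Option A: the workaround the answer describes. The role search binds as a
     dedicated, read-only service account that is allowed to see the groups.
     The DN and password below are placeholders. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.example.com:389"
       connectionName="cn=tomcat-svc,ou=services,o=myO,dc=myDc,dc=com"
       connectionPassword="change-me"
       userPattern="cn={0},ou=people,o=myO,dc=myDc,dc=com"
       roleBase="ou=groups,o=myO,dc=myDc,dc=com"
       roleName="cn"
       roleSearch="(member={0})" />

<!-- Option B: no service account. roleSearchAsUser="true" tells JNDIRealm
     (in releases that support the attribute) to run the role search while
     still bound as the user who just authenticated, so the directory's own
     ACLs decide which groups are visible. {0} in roleSearch is replaced by
     the user's DN. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.example.com:389"
       userPattern="cn={0},ou=people,o=myO,dc=myDc,dc=com"
       roleBase="ou=groups,o=myO,dc=myDc,dc=com"
       roleName="cn"
       roleSearch="(member={0})"
       roleSearchAsUser="true" />
```

Check the realm documentation for the Tomcat version actually deployed before relying on Option B: if the attribute is not supported, Tomcat only logs a warning about an unknown property at startup and the role search silently stays anonymous, which Wireshark will show exactly as in the question. With Option A, connectionPassword is a plaintext secret in server.xml, so restrict the file's permissions and give the service account read access to the group entries only. In both cases the user's password is sent in a simple bind, so use ldaps:// (or StartTLS) rather than plain ldap:// wherever the server offers it.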