
Configure Tomcat 8 with LDAP realm


I have a problem with the configuration of an LDAP server on Tomcat 8. I have an LDAP server configured and working on a WAS 8.5 server and I would like to configure the same LDAP on Tomcat. The WAS configuration is (translating from Italian):

  • User filter: (&(cn=%v)(objectclass=inetOrgPerson))
  • Group filter: (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))
  • User ID map: *:cn
  • Group ID map: *:cn
  • Map ID member of group: ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember

The Realm tag in server.xml on tomcat is:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="10"
       connectionURL="ldap://192.168.0.3:389"
       userBase="o=organization,c=it"
       userSearch="(cn={0})"
       userSubtree="true"
       connectionName="cn=test,cn=Directory Administrators,o=organization,c=it"
       connectionPassword="testpass"
/>

How can I fill the Realm tag with the role attributes? And in the web.xml, what role do I have to specify? I just want to grant access to all authenticated users.


Solution

  • I think you are already well on your way to authenticating users with the above settings.

    Roles

    For roles/groups, you can translate the WAS settings as follows:

    <...your config...
     roleBase="o=organization,c=it"
     roleSubtree="true"
     roleSearch="(&amp;(uniqueMember={0})(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))"
     roleName="cn"/>
    

    The roles that a user is assigned in Tomcat will then be a list of group names from the directory. As this may vary, you will need to set up a number of groups beforehand which are listed in your web.xml. Assigning those groups to users will then give them the appropriate access.

    Authenticated Users

    If you just want to allow any authenticated user, you can set the attribute allRolesMode to authOnly like this:

    <...your config...
     allRolesMode="authOnly"/>
    

    Your web.xml should then use * for the role specification like this:

    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    

    Maybe you should also set the security-role element as indicated here: Tomcat security constraint for valid user

    Personally I have no setup which uses authOnly but I know it can be done and have seen it in action.
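As an added example (not part of the question or the answer above), here is the question's Realm combined with the role attributes and allRolesMode from the answer, followed by the matching web.xml constraint. It goes slightly beyond the answer by matching both member and uniqueMember, which mirrors the WAS "Map ID member of group" setting for groupOfNames and groupOfUniqueNames. The host name and password are placeholders.

```xml
<!-- server.xml: JNDIRealm with the user lookup from the question plus the
     role lookup from the answer. Host and password are placeholders. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.example.invalid:389"
       connectionName="cn=test,cn=Directory Administrators,o=organization,c=it"
       connectionPassword="CHANGEME"
       userBase="o=organization,c=it"
       userSubtree="true"
       userSearch="(&amp;(cn={0})(objectclass=inetOrgPerson))"
       roleBase="o=organization,c=it"
       roleSubtree="true"
       roleSearch="(&amp;(|(member={0})(uniqueMember={0}))(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))"
       roleName="cn"
       allRolesMode="authOnly"/>

<!-- web.xml: protect everything and let any authenticated user in.
     With allRolesMode="authOnly", the role-name * matches every
     authenticated user even if no security-role is declared. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>LDAP</realm-name>
</login-config>
```

Note that server.xml is XML, so the `&` that starts an LDAP AND filter must be written as `&amp;` inside the attribute value, and in roleSearch `{0}` is the user's distinguished name while `{1}` would be the bare username.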