The Active Directory equivalent of "uid" in LDAP is sAMAccountName (which is what users type to log into a Windows workstation).

------------------------------------------------------------------------
Marc Boorshtein
Sr. Software Engineer, Octet String
[EMAIL PROTECTED]
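Added example (editor's addition, not text from any message in this thread): a JNDIRealm configuration that looks the user up by sAMAccountName and resolves roles from the group objects. Two settings missing from Paulo's second <Realm> are a common reason a userSearch against Active Directory fails while a userPattern works: AD does not answer searches on an anonymous bind, so userSearch/roleSearch need a service account in connectionName/connectionPassword (userPattern needs no search, it simply binds as the user), and JNDIRealm substitutes the authenticated user's DN for {0} in roleSearch, so searching group entries with (member={0}) and roleName="cn" yields short group names that can be used as role-name values in web.xml. The host plcbhdc and base dc=powerlogic come from the thread; the service account DN and its password are placeholders.

```xml
<!-- Added example of Tomcat's JNDIRealm against Active Directory.
     Assumed: a low-privilege, read-only service account
     cn=tomcat-ldap,cn=Users,dc=powerlogic exists (placeholder DN and password).

     connectionName/connectionPassword: AD refuses directory searches on an
       anonymous bind, so the realm must bind as a service account before it
       can run userSearch or roleSearch.
     userSearch: match the logon name (sAMAccountName), not cn, which in AD
       is the display name ("Bill Gates"). JNDIRealm then binds as the DN it
       found, with the password the user submitted, to verify the credential.
     roleSearch: {0} is the DN of the authenticated user; matching group
       entries by their member attribute and returning cn gives roles such
       as "Domain Users".
     connectionURL: ldap://...:389 sends both the service-account password
       and every user password in clear text; use ldaps://plcbhdc:636 with
       a trusted server certificate once the DC has one. -->
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://plcbhdc:389"
       connectionName="cn=tomcat-ldap,cn=Users,dc=powerlogic"
       connectionPassword="CHANGE-ME"
       userBase="cn=Users,dc=powerlogic"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleBase="cn=Users,dc=powerlogic"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true" />
```

With this in place the user logs in as "gates" rather than "Bill Gates", and a <security-constraint> in web.xml can reference <role-name>Domain Users</role-name>. Give the service account only read access to the Users container; it never needs to bind as anyone else.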
On Apr 29, 2004, at 8:25 PM, Chong Yu Meng wrote:


Hi Paulo !

What is the Active Directory equivalent of "uid" in LDAP? I had the same problem as you previously, when I was preparing material for a Novell eDirectory course. The "canonical" method of structuring the directory (at least in my part of the world) was to use the CN (like your ActiveDirectory example). I have a write-up on this at: http://cymulacrum.net/writings/adv_tomcat/c487.html

I suppose if you substitute the Active Directory equivalent for UID, you should be able to get it to work.

Hope this helps!

Regards,
pascal chong



Paulo Alvim wrote:

Hi!

Is there anyone using MS ActiveDirectory with Tomcat 5?

I could authenticate using:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://plcbhdc:389"
       userPattern="cn={0},cn=Users,dc=powerlogic"
       roleBase="cn=Users,dc=powerlogic"
       roleName="memberOf"
       roleSearch="(distinguishedName={0})" />

...but I had to use the full name (ex: Bill Gates) instead of the login (ex: gates).


So I tried to use:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://plcbhdc:389"
       userBase="cn=Users,dc=powerlogic"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleBase="cn=Users,dc=powerlogic"
       roleName="memberOf"
       roleSearch="(distinguishedName={0})" />

... with lots of "userSearch" attributes such as "userPrincipalName",
"givenName", etc., but it didn't work.

I'm using the default ActiveDirectory installation...

Any help?

Thanks in advance!

Paulo Alvim

-----Original Message-----
From: Chong Yu Meng [mailto:[EMAIL PROTECTED]
Sent: Sunday, 18 April 2004 12:59
To: Tomcat Users List
Subject: [spam] Re: Authentification against NT Domain Controller


Hi Frank !


I seem to remember ActiveDirectory being discussed here, on this mailing
list. The good thing about ActiveDirectory is that, if you do not have
an overly complicated schema, you can use the LDAP subset to query the
directory (you need to do a fair bit of tweaking to get ActiveDirectory
to output results in LDAP-compliant format though. I'm not an expert on
ActiveDirectory, so I really cannot advise you on this).


If you're using Windows NT as the PDC, I think you can't get the Tomcat
realm to work with it (Please, somebody, tell me otherwise!).


As for writing your own Realm implementation, unless you are a really
seasoned programmer, this can be a very daunting task. An easier way is
to download and look at SecurityFilter. The example webapp has source
code that you can look at, and not get confused by it. I highly
recommend this over implementing your own realm. However, this still does
not address the problem of extracting user credentials from a PDC.


There is another solution : use Novell's DirXML product to do a periodic
sync of data in Active Directory or NTLM into an LDAP directory, then
use the JNDI realm in Tomcat. This is not a free solution, and it does
require you to read up on another product, but this product is also very
good for syncing data between different directories (OpenLDAP, Netscape
Directory Server, Novell eDirectory, even flat files).


Hope this helps !


Frank Schaare wrote:



Hi,

we're building an Intranet application running on Tomcat 4.1.30
(Client OS is Win2K). It would be very suitable to authenticate the
users against the NT Domain Controller to avoid a second login.

I searched this ML and Google but did not find very much about this
theme.

There is a SourceForge project called NTDCRealm which seems to fit our
needs, but has absolutely no documentation.


Probably, we need to nest a custom NTDCRealm tag in our WebApp
context. To learn how to do this, I searched the Tomcat documentation

(http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html#Standard%20Realm%20Implementations)


and again, there is a gap:

"It is also possible to write your own Realm implementation, and
integrate it with Tomcat 4. However, doing this is beyond the scope of
this document. See (FIXME - reference to developer stuff) for more
information."


Here are my questions:

Does this reference to developer stuff exist anywhere?
Has anyone ever made the NTDCRealm work?
Does anyone know of another (documented) implementation of NT
authentication?

Any hints, links, documents about this theme are warmly welcome.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





--
A complex system that works is invariably found to have evolved from a simple system that works.
+----------------------------------------------------------------+
| Pascal Chong                                                   |
| email: [EMAIL PROTECTED]                                       |
|                                                                |
| Please visit my site at : http://cymulacrum.net                |
| If you're using my documentation, please read the Terms and    |
| and Conditions at http://cymulacrum.net/terms.html             |
+----------------------------------------------------------------+

