Okay, I figured out the problem.

 

My password had some '$' characters in it.  Originally, back in 5.0, to
get this to work, I had to escape the '$' with another '$'.  It looks
like this 'problem' has been 'fixed' in 5.5.

 

So in summary, if you had a 5.0 password of "$imple" then you had to use
"$$imple" in your realm definition.  But for 5.5 you just use "$imple"
in your realm definition, as there is no need to escape the dollar sign.

 

Hope this helps others who may encounter this problem.

 

|)ave
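
An added check (my own example code, not Tomcat's and not from the list author) that parses a JNDIRealm <Context> fragment like the one quoted below and applies the '$' rule from this reply; the host, DN and password in the sample are constructed placeholders, and the ldap:// cleartext finding is my addition, not something the thread discusses.

```python
import xml.etree.ElementTree as ET

JNDI_REALM = "org.apache.catalina.realm.JNDIRealm"

# Constructed sample modelled on the realm in the thread; host, DN and
# password are placeholders, not values from any real deployment.
SAMPLE_CONTEXT = """<Context>
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://test.testtrust.com:389"
         connectionName="CN=ADSAdmin,OU=Service Accounts,DC=testtrust,DC=com"
         connectionPassword="$imple"
         authentication="simple"
         userBase="OU=People,DC=testtrust,DC=com"
         userSearch="(samaccountname={0})"/>
</Context>"""


def password_as_written(secret, tomcat_version):
    """Value to put in connectionPassword for the real bind password `secret`.
    Per the thread: Tomcat 5.0 needs every '$' doubled, 5.5 takes it literally."""
    if tomcat_version.startswith("5.0"):
        return secret.replace("$", "$$")
    return secret


def find_jndi_realm(xml_text):
    """Return the first JNDIRealm element in a <Context> fragment, or None."""
    for realm in ET.fromstring(xml_text).iter("Realm"):
        if realm.get("className") == JNDI_REALM:
            return realm
    return None


def check_realm(xml_text, tomcat_version):
    """Return a list of findings (strings) for the JNDIRealm in xml_text."""
    realm = find_jndi_realm(xml_text)
    if realm is None:
        return ["no JNDIRealm element found"]
    findings = []
    pwd = realm.get("connectionPassword", "")
    # Tomcat 5.0 (per the thread): a lone '$' is not taken literally, so the
    # bind is attempted with a different password and AD rejects it (data 52e).
    if tomcat_version.startswith("5.0") and "$" in pwd.replace("$$", ""):
        findings.append("unescaped '$' in connectionPassword: on Tomcat 5.0 write each '$' as '$$'")
    elif not tomcat_version.startswith("5.0") and "$$" in pwd:
        findings.append("'$$' in connectionPassword: on Tomcat 5.5 use the literal password, undoubled")
    # Defender's note: a simple bind over plain ldap:// sends the service account password in cleartext.
    if realm.get("connectionURL", "").startswith("ldap://") and realm.get("authentication") == "simple":
        findings.append("simple bind over ldap:// sends connectionPassword in cleartext; prefer ldaps://")
    return findings
```

AD's "data 52e" in the quoted error is its logon-failure subcode (the bind credentials were rejected), which is exactly what a password altered before the bind produces.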

-----Original Message-----
From: David Owens 
Sent: Monday, March 21, 2005 10:41 AM
To: 'tomcat-user@jakarta.apache.org'
Subject: LDAP/JNDI Realm Tomcat 5.0 vs 5.5

 

I am doing some investigation into upgrading from our Tomcat 5.0.x
servers to Tomcat 5.5.x and I am trying to get everything working.  In
the old Tomcat 5.0.x I was able to create a realm which authenticated
against our ADS server.  However, I cannot get it to work in Tomcat
5.5.7.

 

The only thing I have changed besides the version of Tomcat is the
location of the file containing the realm information. Originally I had
put it in as $CATALINA_HOME/conf/Catalina/localhost/myapp.xml but for
Tomcat 5.5 I have put the realm information in
webapps/myapp/META-INF/context.xml.

My understanding is that the location/name of the context information
should not change how the realm works, but I thought it worth
mentioning.

 

Here is the realm definition I used for both Tomcat 5.0.27 and Tomcat
5.5.7:

 

<Context ...>

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           debug="1"
           connectionURL="ldap://test.testtrust.com:389"
           alternateURL="ldap://192.168.0.10:389"
           connectionName="CN=ADSAdmin,OU=Service Accounts,DC=testtrust,DC=com"
           connectionPassword="secretpassword"
           contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
           authentication="simple"
           referrals="follow"
           userBase="OU=People,DC=testtrust,DC=com"
           userRoleName="memberOf"
           userSubtree="true"
           userSearch="(samaccountname={0})"
           roleBase="OU=Groups,DC=testtrust,DC=com"
           roleName="cn"
           roleSearch="(member={0})"
           roleSubtree="true"
    />
    .
    .
    .
</Context>

 

The error I get when deploying the app is:

SEVERE: Error deploying web application archive myapp.war
java.lang.IllegalStateException: ContainerBase.addChild: start:
LifecycleException:  Exception opening directory server connection:
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308:
LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e,
v893 ]
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:763)
        .
        .
        .

 

My understanding is that it is picking up my realm information and
trying to use it, but this error means it is not properly
authenticating.

 

So my question is, why did this exact realm setup work under Tomcat
5.0.x and not 5.5.x?

 

 

Any help would be greatly appreciated!

 

Thanks in advance,

 

Dave

 
