Hello,

Please help me. I'm a French student and I need to implement LDAP authentication with Tomcat 4 for my project. The user authentication is correct, but the authorization fails because of the role search: Tomcat is unable to get the corresponding role in my LDAP directory.

Here's my LDAP directory definition (I use OpenLDAP):

    include /usr/local/etc/openldap/schema/core.schema
    pidfile /usr/local/var/slapd.pid
    argsfile /usr/local/var/slapd.args
    database ldbm
    suffix dc="mycompany",dc="com"
    rootdn "cn=Manager,dc=mycompany,dc=com"
    directory /usr/local/var/openldap-ldbm
    rootpw secret
    index objectClass eq

Here's my LDAP directory (LDIF file):

    dn: dc=mycompany,dc=com
    objectclass: dcObject
    objectclass: organization
    o: Example Company

    # Define a user named 'tomcat'
    dn: cn=tomcat,dc=mycompany,dc=com
    cn: tomcat
    userPassword: tomcat
    sn: Tomcat User
    objectClass: person

    # Define a user named 'role1'
    dn: cn=role1,dc=mycompany,dc=com
    cn: role1
    userPassword: tomcat
    sn: Role1 User
    objectClass: person

    # Define a user named 'both'
    dn: cn=both,dc=mycompany,dc=com
    cn: both
    userPassword: tomcat
    sn: Both User
    objectClass: person

    # Define an entry to base role searches on
    dn: dc=roles,dc=mycompany,dc=com
    cn: roles
    objectClass: person
    sn: Roles Entry

    # Define all members of the 'tomcat' role
    dn: cn=tomcat,dc=roles,dc=mycompany,dc=com
    cn: tomcat
    objectClass: groupOfUniqueNames
    uniqueMember: cn=tomcat,dc=mycompany,dc=com
    uniqueMember: cn=both,dc=mycompany,dc=com

    # Define all members of the 'role1' role
    dn: cn=role1,dc=roles,dc=mycompany,dc=com
    cn: role1
    objectClass: groupOfUniqueNames
    uniqueMember: cn=role1,dc=mycompany,dc=com
    uniqueMember: cn=both,dc=mycompany,dc=com

Here's my Tomcat 4 Realm declaration:

    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
           connectionName="cn=Manager,dc=mycompany,dc=com"
           connectionPassword="secret"
           connectionURL="ldap://localhost"
           roleBase="dc=roles"
           roleName="cn"
           roleSearch="(uniqueMember={0})"
           roleSubtree="false"
           userPassword="userPassword"
           userPattern="cn={0},dc=mycompany,dc=com" />

Here's my catalina_log.2002-02-27.txt file:

    2002-02-27 10:15:46 HttpConnector Opening server socket on all host IP addresses
    2002-02-27 10:15:46 JNDIRealm[Standalone]: Connecting to URL ldap://localhost
    2002-02-27 10:15:59 HttpConnector[8080] Starting background thread
    2002-02-27 10:15:59 HttpProcessor[8080][1] Starting background thread
    2002-02-27 10:15:59 HttpProcessor[8080][0] Starting background thread
    2002-02-27 10:15:59 HttpProcessor[8080][2] Starting background thread
    2002-02-27 10:15:59 HttpProcessor[8080][3] Starting background thread
    2002-02-27 10:15:59 HttpProcessor[8080][4] Starting background thread
    2002-02-27 10:16:19 JNDIRealm[Standalone]: getUserDN(tomcat)
    2002-02-27 10:16:19 JNDIRealm[Standalone]: dn=cn=tomcat,dc=mycompany,dc=com
    2002-02-27 10:16:19 JNDIRealm[Standalone]: retrieving attribute userPassword
    2002-02-27 10:16:19 JNDIRealm[Standalone]: retrieving value
    2002-02-27 10:16:19 JNDIRealm[Standalone]: validating credentials
    2002-02-27 10:16:19 JNDIRealm[Standalone]: Username tomcat successfully authenticated
    2002-02-27 10:16:19 JNDIRealm[Standalone]: getRoles(cn=tomcat,dc=mycompany,dc=com)
    2002-02-27 10:16:19 JNDIRealm[Standalone]: Searching role base 'dc=roles' for attribute 'cn'
    2002-02-27 10:16:19 JNDIRealm[Standalone]: With filter expression '(uniqueMember=cn=tomcat,dc=mycompany,dc=com)'
    2002-02-27 10:16:19 JNDIRealm[Standalone]: Exception performing authentication
    javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'dc=roles'
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2761)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2682)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2488)
        at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1660)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1583)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:371)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:331)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:316)
        at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:241)
        at org.apache.catalina.realm.JNDIRealm.getRoles(Unknown Source)
        at org.apache.catalina.realm.JNDIRealm.authenticate(Unknown Source)
        at org.apache.catalina.realm.JNDIRealm.authenticate(Unknown Source)
        at org.apache.catalina.authenticator.FormAuthenticator.authenticate(Unknown Source)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(Unknown Source)
        at org.apache.catalina.core.StandardPipeline.invokeNext(Unknown Source)
        at org.apache.catalina.core.StandardPipeline.invoke(Unknown Source)
        at org.apache.catalina.core.ContainerBase.invoke(Unknown Source)
        at org.apache.catalina.core.StandardContext.invoke(Unknown Source)
        at org.apache.catalina.core.StandardHostValve.invoke(Unknown Source)
        at org.apache.catalina.core.StandardPipeline.invokeNext(Unknown Source)
        at org.apache.catalina.valves.AccessLogValve.invoke(Unknown Source)
        at org.apache.catalina.core.StandardPipeline.invokeNext(Unknown Source)
        at org.apache.catalina.core.StandardPipeline.invoke(Unknown Source)
        at org.apache.catalina.core.ContainerBase.invoke(Unknown Source)
        at org.apache.catalina.core.StandardEngineValve.invoke(Unknown Source)
        at org.apache.catalina.core.StandardPipeline.invokeNext(Unknown Source)
        at org.apache.catalina.core.StandardPipeline.invoke(Unknown Source)
        at org.apache.catalina.core.ContainerBase.invoke(Unknown Source)
        at org.apache.catalina.connector.http.HttpProcessor.process(Unknown Source)
        at org.apache.catalina.connector.http.HttpProcessor.run(Unknown Source)
        at java.lang.Thread.run(Thread.java:484)
    2002-02-27 10:16:19 JNDIRealm[Standalone]: Closing directory context

Thank you for helping me. It's very important because it's an important part of the work that I need to do in my training period.

------------------------------------------------------------------------
Frédéric RINALDI, [EMAIL PROTECTED], INRIA, FRANCE
------------------------------------------------------------------------
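The log line worth reading twice is the NameNotFoundException with "remaining name 'dc=roles'": an LDAP search base is an absolute DN, and the server reports result code 32 (No Such Object) when that DN does not exist, before any filter is evaluated. To make that scoping behaviour visible offline, here is an added example (my own code, not Tomcat's or JNDI's): it loads the LDIF from the post (trimmed to the attributes the role search touches) into an in-memory directory and re-implements the realm's role lookup with the same roleSearch filter and scope. The helpers parse_ldif, search and get_roles are hypothetical names, not JNDIRealm APIs.

```python
"""Toy model of the JNDIRealm role lookup from the post (constructed example,
not Tomcat or JNDI code). The LDIF is the post's directory, trimmed to the
attributes the role search touches, loaded into an in-memory dict."""

LDIF = """\
dn: dc=mycompany,dc=com
objectclass: dcObject

dn: cn=tomcat,dc=mycompany,dc=com
cn: tomcat

dn: cn=role1,dc=mycompany,dc=com
cn: role1

dn: cn=both,dc=mycompany,dc=com
cn: both

dn: dc=roles,dc=mycompany,dc=com
cn: roles

dn: cn=tomcat,dc=roles,dc=mycompany,dc=com
cn: tomcat
objectClass: groupOfUniqueNames
uniqueMember: cn=tomcat,dc=mycompany,dc=com
uniqueMember: cn=both,dc=mycompany,dc=com

dn: cn=role1,dc=roles,dc=mycompany,dc=com
cn: role1
objectClass: groupOfUniqueNames
uniqueMember: cn=role1,dc=mycompany,dc=com
uniqueMember: cn=both,dc=mycompany,dc=com
"""


class NoSuchObject(Exception):
    """Stands in for LDAP result code 32 / javax.naming.NameNotFoundException."""


def norm_dn(dn: str) -> str:
    """Case-fold and strip whitespace per RDN (toy: ignores escaped commas)."""
    return ",".join("=".join(p.strip() for p in rdn.split("=", 1)).lower()
                    for rdn in dn.split(","))


def parse_ldif(text: str) -> dict[str, dict[str, list[str]]]:
    """Minimal LDIF reader: blank-line-separated entries, 'attr: value' lines."""
    directory: dict[str, dict[str, list[str]]] = {}
    for block in text.strip().split("\n\n"):
        dn, entry = "", {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            key, val = key.strip().lower(), val.strip()
            if key == "dn":
                dn = norm_dn(val)
            elif key:
                entry.setdefault(key, []).append(val)
        directory[dn] = entry
    return directory


DIRECTORY = parse_ldif(LDIF)


def search(base: str, attr: str, value: str, subtree: bool) -> list[str]:
    """Return DNs in scope of `base` whose `attr` holds `value`.

    As on a real server, an absent base is an error (code 32), not an empty
    result: the base is an absolute DN, never relative to the suffix."""
    base_n = norm_dn(base)
    if base_n not in DIRECTORY:
        raise NoSuchObject(f"[LDAP: error code 32 - No Such Object]; "
                           f"remaining name '{base}'")
    want = norm_dn(value)
    hits = []
    for dn, attrs in DIRECTORY.items():
        if subtree:   # SUBTREE scope includes the base entry itself
            in_scope = dn == base_n or dn.endswith("," + base_n)
        else:         # ONELEVEL scope (roleSubtree="false"): direct children only
            in_scope = dn.partition(",")[2] == base_n
        if in_scope and want in (norm_dn(v) for v in attrs.get(attr.lower(), [])):
            hits.append(dn)
    return hits


def get_roles(user_dn: str, role_base: str, role_name: str = "cn",
              role_subtree: bool = False) -> set[str]:
    """Mirror of the realm's getRoles: roleSearch="(uniqueMember={0})", {0} = user DN."""
    roles: set[str] = set()
    for dn in search(role_base, "uniqueMember", user_dn, role_subtree):
        roles.update(DIRECTORY[dn].get(role_name.lower(), []))
    return roles


if __name__ == "__main__":
    user = "cn=tomcat,dc=mycompany,dc=com"
    for base in ("dc=roles", "dc=roles,dc=mycompany,dc=com"):
        try:
            print(f"roleBase={base!r}: roles={sorted(get_roles(user, base))}")
        except NoSuchObject as exc:
            print(f"roleBase={base!r}: {exc}")
```

Run as a script, the first iteration reproduces the error from the log (the base 'dc=roles' is not an entry), and the second, using the full DN of the roles entry, returns the 'tomcat' role; with roleSubtree left at "false" the one-level scope still finds the groups because they are direct children of the roles entry. The same two searches can be tried against the live server with ldapsearch -b and the two base DNs before touching the Realm element, which separates a directory problem from a Tomcat one.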