Hello,
Please help me.
I'm a french student and I need to implement LDAP authentication with
tomcat 4 for my project. The user authentication is correct but the
authorization failed because of the role search. Tomcat is unable to get
the corresponding role in my ldap directory.
Here's my LDAP directory definition (I use openldap):
include /usr/local/etc/openldap/schema/core.schema
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
database ldbm
suffix dc="mycompany",dc="com"
rootdn "cn=Manager,dc=mycompany,dc=com"
directory /usr/local/var/openldap-ldbm
rootpw secret
index objectClass eq
Here's my LDAP directory (LDIF file):
dn : dc=mycompany,dc=com
objectclass: dcObject
objectclass: organization
o: Example Company
# Define a user named 'tomcat'
dn: cn=tomcat,dc=mycompany,dc=com
cn: tomcat
userPassword: tomcat
sn: Tomcat User
objectClass: person
# Define a user named 'role1'
dn: cn=role1,dc=mycompany,dc=com
cn: role1
userPassword: tomcat
sn: Role1 User
objectClass: person
# Define a user named 'both'
dn: cn=both,dc=mycompany,dc=com
cn: both
userPassword: tomcat
sn: Both User
objectClass: person
# Define an entry to base role searches on
dn: dc=roles,dc=mycompany,dc=com
cn: roles
objectClass: person
sn: Roles Entry
# Define all members of the 'tomcat' role
dn: cn=tomcat,dc=roles,dc=mycompany,dc=com
cn: tomcat
objectClass: groupOfUniqueNames
uniqueMember: cn=tomcat,dc=mycompany,dc=com
uniqueMember: cn=both,dc=mycompany,dc=com
# Define all members of the 'role1' role
dn: cn=role1,dc=roles,dc=mycompany,dc=com
cn: role1
objectClass: groupOfUniqueNames
uniqueMember: cn=role1,dc=mycompany,dc=com
uniqueMember: cn=both,dc=mycompany,dc=com
Here's my Tomcat 4 REALM declaration :
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
connectionName="cn=Manager,dc=mycompany,dc=com"
connectionPassword="secret"
connectionURL="ldap://localhost";
roleBase="dc=roles"
roleName="cn"
roleSearch="(uniqueMember={0})"
roleSubtree="false"
userPassword="userPassword"
userPattern="cn={0},dc=mycompany,dc=com"
/>
Here's my catalina_log.2002-02-27.txt file :
2002-02-27 10:15:46 HttpConnector Opening server socket on all host
IP addresses
2002-02-27 10:15:46 JNDIRealm[Standalone]: Connecting to URL
ldap://localhost
2002-02-27 10:15:59 HttpConnector[8080] Starting background thread
2002-02-27 10:15:59 HttpProcessor[8080][1] Starting background thread
2002-02-27 10:15:59 HttpProcessor[8080][0] Starting background thread
2002-02-27 10:15:59 HttpProcessor[8080][2] Starting background thread
2002-02-27 10:15:59 HttpProcessor[8080][3] Starting background thread
2002-02-27 10:15:59 HttpProcessor[8080][4] Starting background thread
2002-02-27 10:16:19 JNDIRealm[Standalone]: getUserDN(tomcat)
2002-02-27 10:16:19 JNDIRealm[Standalone]:
dn=cn=tomcat,dc=mycompany,dc=com
2002-02-27 10:16:19 JNDIRealm[Standalone]: retrieving attribute
userPassword
2002-02-27 10:16:19 JNDIRealm[Standalone]: retrieving value
2002-02-27 10:16:19 JNDIRealm[Standalone]: validating credentials
2002-02-27 10:16:19 JNDIRealm[Standalone]: Username tomcat
successfully authenticated
2002-02-27 10:16:19 JNDIRealm[Standalone]:
getRoles(cn=tomcat,dc=mycompany,dc=com)
2002-02-27 10:16:19 JNDIRealm[Standalone]: Searching role base
'dc=roles' for attribute 'cn'
2002-02-27 10:16:19 JNDIRealm[Standalone]: With filter expression
'(uniqueMember=cn=tomcat,dc=mycompany,dc=com)'
2002-02-27 10:16:19 JNDIRealm[Standalone]: Exception performing
authentication
javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such
Object]; remaining name 'dc=roles'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2761)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2682)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2488)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1660)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1583)
at
com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:371)
at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:331)
at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:316)
at
javax.naming.directory.InitialDirContext.search(InitialDirContext.java:241)
at org.apache.catalina.realm.JNDIRealm.getRoles(Unknown Source)
at org.apache.catalina.realm.JNDIRealm.authenticate(Unknown Source)
at org.apache.catalina.realm.JNDIRealm.authenticate(Unknown Source)
at
org.apache.catalina.authenticator.FormAuthenticator.authenticate(Unknown
Source)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(Unknown
Source)
at org.apache.catalina.core.StandardPipeline.invokeNext(Unknown
Source)
at org.apache.catalina.core.StandardPipeline.invoke(Unknown Source)
at org.apache.catalina.core.ContainerBase.invoke(Unknown Source)
at org.apache.catalina.core.StandardContext.invoke(Unknown Source)
at org.apache.catalina.core.StandardHostValve.invoke(Unknown Source)
at org.apache.catalina.core.StandardPipeline.invokeNext(Unknown
Source)
at org.apache.catalina.valves.AccessLogValve.invoke(Unknown Source)
at org.apache.catalina.core.StandardPipeline.invokeNext(Unknown
Source)
at org.apache.catalina.core.StandardPipeline.invoke(Unknown Source)
at org.apache.catalina.core.ContainerBase.invoke(Unknown Source)
at org.apache.catalina.core.StandardEngineValve.invoke(Unknown
Source)
at org.apache.catalina.core.StandardPipeline.invokeNext(Unknown
Source)
at org.apache.catalina.core.StandardPipeline.invoke(Unknown Source)
at org.apache.catalina.core.ContainerBase.invoke(Unknown Source)
at
org.apache.catalina.connector.http.HttpProcessor.process(Unknown Source)
at org.apache.catalina.connector.http.HttpProcessor.run(Unknown
Source)
at java.lang.Thread.run(Thread.java:484)
2002-02-27 10:16:19 JNDIRealm[Standalone]: Closing directory context
Thank you for helping me. It's very important because it's an important
part of the work that I need to do in my training period.
------------------------------------------------------------------------
Frédéric RINALDI, [EMAIL PROTECTED], INRIA, FRANCE
------------------------------------------------------------------------
