AW: AW: grab hostname from tomcat manager
-Ursprüngliche Nachricht- Von: Christopher Schultz [mailto:ch...@christopherschultz.net] Gesendet: Mittwoch, 2. April 2014 22:33 An: Tomcat Users List Betreff: Re: AW: grab hostname from tomcat manager -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Bjorn, On 4/2/14, 10:54 AM, bjoern.bec...@easycash.de wrote: -Ursprüngliche Nachricht- Von: André Warnier [mailto:a...@ice-sa.com] Gesendet: Mittwoch, 2. April 2014 16:35 An: Tomcat Users List Betreff: Re: grab hostname from tomcat manager bjoern.bec...@easycash.de wrote: Hello, I need to grab the hostname from the tomcat manager somehow. Unfortunately this URL manager/text/serverinfo doesn't contain the hostname. Is there any other smart way to receive the hostname via tomcat manager app? For give me for asking, but how do you access the tomcat manager if you do not know the hostname ? Good question :). But I got a good reason for it. I got two servers with several tomcat instances. In front of them is a loadbalancer with is configured to do a failover. -LB- / \ Server1:8081 Server2:8081 I need to write a shell script to sync a specific directory and for each tomcat instance I need to know on which one the loadbalancer is targeting at the moment. How will you check to see which one the lb is targeting? That's the question. If tomcat 8081 on server 1 is down, the loadbalancer will point to server 2 tomcat 8081. I can find it out through the loadbalancer address only. You should probably set a jvmRoute in your Engine in server.xml. That way, you can detect which back-end server you are getting just by looking at the JSESSIONID cookie. That's the answer. When jvmroute is define I easily can receive the jsession id with wget: wget -q -O - --no-cache --keep-session-cookies --no-check-certificate --save-cookies cookies.txt https://loadbalanceraddress:8081/manager --user=user--password=secure 1/dev/null perfect! Thanks a lot! Björn - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJTPHPuAAoJEBzwKT+lPKRYW+oQAKr/BQOhCwBxlA+0cboIWdoO HLQw8czwuYVqxag9cFiy7XiAUGmnph3pYfZTj6YcYXKDVBEeCuWEVPDFsSuRQG3u +I9UnWFnoFn8OCWJyv2RKKBfkZ3UhjJom3JmLnHxnWb4KbU9yz/ep5xNpJ43WY3x VxiPlkdksIKTiwycc6itM+5/URoHn5LzMSAdzb2ZFVhx/VlaubAfqaAo6fIVylTj TZ0JdZR9QNvL+KO+QPUN5c9j2unVk08oc1feNSyDOdWrs0Fg4e5i6qjORxroA17L 1uEZhnivHL8wvUt89F+oQ+1rqBIff+c242vdvDE7STJK4vUJfSk2JLPIvu/fApfl NhTgCCM8J7XOIUgCT556RHjioUhCumdzL24PUiIs30DSMYB2/5pC+jarF4+3iXI5 8tAeZR+vVaTaszKYoWjA37dV3WIC+06Us5v2hmmVcuyVxN+IE/hqrxpBkSORcbO4 5PpXJThPHQPvHMwJCywwIxaEDfLuxcWMXD4TJl5cogePt/BRA3p+9xafbuGJvEkN gaUDSNLXGMTd9iKUHdjH5g5arEPs0tIy5EJVpIcNk1X2QS0nfzH4P7TjrqNj432c fn3NPUUKn1QdIW6enyc6rgHnF+JHPFCETCtkmbX8lNfqr7rtorpmFXphvrFqcAFa B43OfQbSyuHsrkfVSoEx =RiHw -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
grab hostname from tomcat manager
Hello, I need to grab the hostname from the tomcat manager somehow. Unfortunately this URL manager/text/serverinfo doesn't contain the hostname. Is there any other smart way to receive the hostname via tomcat manager app? Best Regards, Bjoern - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
AW: grab hostname from tomcat manager
-Ursprüngliche Nachricht- Von: André Warnier [mailto:a...@ice-sa.com] Gesendet: Mittwoch, 2. April 2014 16:35 An: Tomcat Users List Betreff: Re: grab hostname from tomcat manager bjoern.bec...@easycash.de wrote: Hello, I need to grab the hostname from the tomcat manager somehow. Unfortunately this URL manager/text/serverinfo doesn't contain the hostname. Is there any other smart way to receive the hostname via tomcat manager app? For give me for asking, but how do you access the tomcat manager if you do not know the hostname ? Good question :). But I got a good reason for it. I got two servers with several tomcat instances. In front of them is a loadbalancer with is configured to do a failover. -LB- / \ Server1:8081Server2:8081 I need to write a shell script to sync a specific directory and for each tomcat instance I need to know on which one the loadbalancer is targeting at the moment. If tomcat 8081 on server 1 is down, the loadbalancer will point to server 2 tomcat 8081. I can find it out through the loadbalancer address only. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Realm ldaps
Hello,
I like to change my ldap jndirealm to ldaps.
Realm className=org.apache.catalina.realm.LockOutRealm
Realm className=org.apache.catalina.realm.UserDatabaseRealm
resourceName=UserDatabase/
Realm className=org.apache.catalina.realm.JNDIRealm
connectionName=CN=SVC_TomcatLdapQuery,OU=Service
Accounts,OU=Hamburg,OU=SITES,OU=\#KONFIGURATION,DC=,DC=de
connectionPassword=5o7tLm-2hei5ciJ2z9H-kCWGO2ZRPiLY
connectionURL=ldaps://ads1:636/OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC=de?sAMAccountName?sub?(objectClass=*)
alternateURL=ldaps://ads2:636/OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC=de?sAMAccountName?sub?(objectClass=*)
userSearch=(sAMAccountName={0})
userSubtree=true
userRoleName=memberOf
/
/Realm
Unfortunately, it's not working yet. I guess I need to disabled client cert
verification, but I can't find any option for Realms.
Do you know such an option?
Best Regards,
Bjoern
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
AW: Realm ldaps
-Ursprüngliche Nachricht- Von: Leo Donahue [mailto:donahu...@gmail.com] Gesendet: Donnerstag, 27. März 2014 17:54 An: Tomcat Users List Betreff: Re: Realm ldaps On Thu, Mar 27, 2014 at 8:45 AM, bjoern.bec...@easycash.de wrote: Hello, I like to change my ldap jndirealm to ldaps. Realm className=org.apache.catalina.realm.LockOutRealm Realm className=org.apache.catalina.realm.UserDatabaseRealm resourceName=UserDatabase/ Realm className=org.apache.catalina.realm.JNDIRealm connectionName=CN=SVC_TomcatLdapQuery,OU=Service Accounts,OU=Hamburg,OU=SITES,OU=\#KONFIGURATION,DC=,DC=de How do you get away with an empty domainComponent? DC= ? Sorry for confusing, this seems to be a mistake. In my orginal config I of course got DC=DOM,DC=de. This doesn't say you can't have an empty name, but why would you. Just curious. http://msdn.microsoft.com/en-us/library/aa366101%28v=vs.85%29.aspx - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
AW: JNDIRealm - Active Directory Roles
Hallo Felix,
thanks for explaination! I got it now!
What helps was to enable debugging:
# conf/logging.conf
# This would turn on trace-level for everything
# the possible levels are: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST
or ALL
#org.apache.catalina.level = ALL
#org.apache.catalina.handlers = 2localhost.org.apache.juli.FileHandler
org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true
I got this realm config now:
Realm className=org.apache.catalina.realm.JNDIRealm
connectionName=CN=SVC_TomcatLdapQuery,OU=Service
Accounts,OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC=
connectionPassword=PASS
connectionURL=ldap://server:389/OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC=?sAMAccountName?sub?(objectClass=*)
userSearch=(sAMAccountName={0})
userSubtree=true
roleSubtree=true
roleName=CN
userRoleName=memberOf
/
And I copy the manager-gui constraint in web.xml of the manager application and
put in my new role:
role-nameCN=DG_R_Tomcat Admins UAT,OU=Roles,OU=Spezielle
Gruppen,OU=Hamburg,OU=SITES,OU=\#KONFIGURATION,DC=easycash,DC=de/role-name
Thanks a lot!
Best Regards,
Bjoern
-Ursprüngliche Nachricht-
Von: Felix Schumacher [mailto:felix.schumac...@internetallee.de]
Gesendet: Samstag, 15. März 2014 21:52
An: users@tomcat.apache.org
Betreff: Re: JNDIRealm - Active Directory Roles
Am 13.03.2014 18:15, schrieb bjoern.bec...@easycash.de:
Hello,
I try to implement the authentification for the tomcat manager application
against active directory.
Unfortunately I don't understand the role concept. I like to give the users
permissions to open the manager when they're in this group:
memberOf: CN=Tomcat Admins,OU=Roles,OU=Spezielle
Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de
server.xml:
Realm className=org.apache.catalina.realm.JNDIRealm debug=99
connectionName=CN=SVC,OU=Service
Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de
connectionPassword=_2VK!WHzybn1SJ8P
connectionURL=ldap://server:389/OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de?sAMAccountName?sub?(objectClass=*)
userSearch=(sAMAccountName={0})
userSubtree=true
roleSearch=(memberof={0})
roleSubtree=true
userRoleName=CN=Tomcat Admins,OU=Roles,OU=Spezielle
Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de
/
!--roleBase=DC=DOM,DC=de
roleName=cn
--
With this configuration I can open the Manager, but got no permissions.
Even if the user role relationship will found, I don't understand how I can
assign tomcat roles (e.g. manager-gui) to the user.
Looking at the documentation on
http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm
you have three settings which are most probably not correct.
* roleSearch will only be used, if roleName is set (which is commented out in
your configuration)
* roleSearch will be used to search for objects that match the given filter.
In your case you would find user objects instead of group objects.
* userRoleName should be the name of an attribute in the user object (cn=...
is not a name of an attribute, but rather a value)
So given your goal, that cn=tomcat admins,... should be a role, you have two
options.
* You could activate roleName=cn (or another attribute name) and change the
roleSearch to member={0}. Then the realm would (hopefully) find the object
cn=tomcat admins,...
* You could change userRoleName to memberOf
In the first case your user would have a role with the name Tomcat Admins.
The second option would lead to a role name of cn=Tomcat Admins,
In both cases you would have to change the security constraints in the webapp
(those are defined in the WEB-INF/web.xml file).
If your role objects had other attributes with values that match the roles
defined in web.xml you could simply change roleName in the first option above.
Regards
Felix
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
AW: JNDIRealm - Active Directory Roles
Well, I still got a problem.
After activating my active directory realm the applications don't anymore.
I got this error:
Mrz 17, 2014 1:49:28 PM org.apache.catalina.startup.HostConfig deployDescriptor
Schwerwiegend: Error deploying configuration descriptor
/app/tomcat2/tomcat/conf/Catalina/localhost/app.xml
java.lang.IllegalStateException: ContainerBase.addChild: start:
org.apache.catalina.LifecycleException: Failed to start component
[StandardEngine[Catalina].StandardHost[localhost].StandardContext[/app]]
at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:904)
at
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:618)
at
org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:650)
at
org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1582)
at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Best Regards,
Bjoern
-Ursprüngliche Nachricht-
Von: Becker, Björn
Gesendet: Montag, 17. März 2014 13:06
An: users@tomcat.apache.org
Betreff: AW: JNDIRealm - Active Directory Roles
Hallo Felix,
thanks for explaination! I got it now!
What helps was to enable debugging:
# conf/logging.conf
# This would turn on trace-level for everything # the possible levels are:
SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL
#org.apache.catalina.level = ALL #org.apache.catalina.handlers =
2localhost.org.apache.juli.FileHandler
org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true
I got this realm config now:
Realm className=org.apache.catalina.realm.JNDIRealm
connectionName=CN=SVC_TomcatLdapQuery,OU=Service
Accounts,OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC=
connectionPassword=PASS
connectionURL=ldap://server:389/OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC=?sAMAccountName?sub?(objectClass=*)
userSearch=(sAMAccountName={0})
userSubtree=true
roleSubtree=true
roleName=CN
userRoleName=memberOf
/
And I copy the manager-gui constraint in web.xml of the manager application and
put in my new role:
role-nameCN=DG_R_Tomcat Admins UAT,OU=Roles,OU=Spezielle
Gruppen,OU=Hamburg,OU=SITES,OU=\#KONFIGURATION,DC=,DC= /role-name
Thanks a lot!
Best Regards,
Bjoern
-Ursprüngliche Nachricht-
Von: Felix Schumacher [mailto:felix.schumac...@internetallee.de]
Gesendet: Samstag, 15. März 2014 21:52
An: users@tomcat.apache.org
Betreff: Re: JNDIRealm - Active Directory Roles
Am 13.03.2014 18:15, schrieb bjoern.bec...@easycash.de:
Hello,
I try to implement the authentification for the tomcat manager application
against active directory.
Unfortunately I don't understand the role concept. I like to give the users
permissions to open the manager when they're in this group:
memberOf: CN=Tomcat Admins,OU=Roles,OU=Spezielle
Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de
server.xml:
Realm className=org.apache.catalina.realm.JNDIRealm debug=99
connectionName=CN=SVC,OU=Service
Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de
connectionPassword=_2VK!WHzybn1SJ8P
connectionURL=ldap://server:389/OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de?sAMAccountName?sub?(objectClass=*)
userSearch=(sAMAccountName={0})
userSubtree=true
roleSearch=(memberof={0})
roleSubtree=true
userRoleName=CN=Tomcat Admins,OU=Roles,OU=Spezielle
Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de
/
!--roleBase=DC=DOM,DC=de
roleName=cn
--
With this configuration I can open the Manager, but got no permissions.
Even if the user role relationship will found, I don't understand how I can
assign tomcat roles (e.g. manager-gui) to the user.
Looking at the documentation on
http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm
you have three settings which are most probably not correct.
* roleSearch will only be used, if roleName is set (which is commented out in
your configuration)
* roleSearch will be used to search for objects that match the given filter.
In your case you would find user
AW: JNDIRealm - Active Directory Roles
Yes, I found this error: Mrz 17, 2014 12:50:59 PM org.apache.catalina.realm.UserDatabaseRealm startInternal Schwerwiegend: Exception looking up UserDatabase under key UserDatabase javax.naming.NameNotFoundException: Name [UserDatabase] is not bound in this Context. Unable to find [UserDatabase]. at org.apache.naming.NamingContext.lookup(NamingContext.java:820) at org.apache.naming.NamingContext.lookup(NamingContext.java:168) at org.apache.catalina.realm.UserDatabaseRealm.startInternal(UserDatabaseRealm.java:255) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5168) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:618) at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:650) at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1582) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) at java.util.concurrent.FutureTask.run(FutureTask.java:262) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:744) While activating the ad realm I commented out the UserDatabase Resource: GlobalNamingResources !-- Editable user database that can also be used by UserDatabaseRealm to authenticate users -- !--Resource name=UserDatabase auth=Container type=org.apache.catalina.UserDatabase description=User database that can be updated and saved factory=org.apache.catalina.users.MemoryUserDatabaseFactory pathname=conf/tomcat-users.xml /-- /GlobalNamingResources and: !-- Realm className=org.apache.catalina.realm.UserDatabaseRealm resourceName=UserDatabase/-- May this is my problem? I thought the tomcatuser.xml and the UserDatabaseRealm is not necessary anymore? Best Regards, Bjoern -Ursprüngliche Nachricht- Von: Felix Schumacher [mailto:felix.schumac...@internetallee.de] Gesendet: Montag, 17. März 2014 14:11 An: Tomcat Users List; Becker, Björn Betreff: Re: JNDIRealm - Active Directory Roles On 17. März 2014 13:53:18 MEZ, bjoern.bec...@easycash.de wrote: Well, I still got a problem. After activating my active directory realm the applications don't anymore. I got this error: Mrz 17, 2014 1:49:28 PM org.apache.catalina.startup.HostConfig deployDescriptor Schwerwiegend: Error deploying configuration descriptor /app/tomcat2/tomcat/conf/Catalina/localhost/app.xml java.lang.IllegalStateException: ContainerBase.addChild: start: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/app] ] Have you looked at the localhost log file? Maybe you have a problem with web.xml? Regards Felix at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:904) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:618) at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:650) at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1582) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) at java.util.concurrent.FutureTask.run(FutureTask.java:262) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:744) Best Regards, Bjoern -Ursprüngliche Nachricht- Von: Becker, Björn Gesendet: Montag, 17. März 2014 13:06 An: users@tomcat.apache.org Betreff: AW: JNDIRealm - Active Directory Roles Hallo Felix, thanks for explaination! I got it now! What helps was to enable debugging: # conf/logging.conf # This would turn on trace-level for everything # the possible levels are: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL #org.apache.catalina.level = ALL #org.apache.catalina.handlers = 2localhost.org.apache.juli.FileHandler org.apache.catalina.realm.level = ALL org.apache.catalina.realm.useParentHandlers = true org.apache.catalina.authenticator.level = ALL org.apache.catalina.authenticator.useParentHandlers = true I got this realm config now: Realm className=org.apache.catalina.realm.JNDIRealm
AW: JNDIRealm - Active Directory Roles
Thanks again! It keep the Userdatabase realm now, but I removed the path=tomcat-users.xml parameter. It's working now. Regards, Björn -Ursprüngliche Nachricht- Von: Felix Schumacher [mailto:felix.schumac...@internetallee.de] Gesendet: Montag, 17. März 2014 15:15 An: users@tomcat.apache.org Betreff: Re: JNDIRealm - Active Directory Roles Am 17.03.2014 14:31, schrieb bjoern.bec...@easycash.de: Yes, I found this error: Mrz 17, 2014 12:50:59 PM org.apache.catalina.realm.UserDatabaseRealm startInternal Schwerwiegend: Exception looking up UserDatabase under key UserDatabase javax.naming.NameNotFoundException: Name [UserDatabase] is not bound in this Context. Unable to find [UserDatabase]. at org.apache.naming.NamingContext.lookup(NamingContext.java:820) at org.apache.naming.NamingContext.lookup(NamingContext.java:168) at org.apache.catalina.realm.UserDatabaseRealm.startInternal(UserDatabaseRealm.java:255) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5168) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:618) at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:650) at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1582) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) at java.util.concurrent.FutureTask.run(FutureTask.java:262) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:744) While activating the ad realm I commented out the UserDatabase Resource: GlobalNamingResources !-- Editable user database that can also be used by UserDatabaseRealm to authenticate users -- !--Resource name=UserDatabase auth=Container type=org.apache.catalina.UserDatabase description=User database that can be updated and saved factory=org.apache.catalina.users.MemoryUserDatabaseFactory pathname=conf/tomcat-users.xml /-- /GlobalNamingResources and: !-- Realm className=org.apache.catalina.realm.UserDatabaseRealm resourceName=UserDatabase/-- May this is my problem? I thought the tomcatuser.xml and the UserDatabaseRealm is not necessary anymore? UserDatabase is needed for any UserDatabaseRealm you might have. So you will have to look into all of your contexts to see if you can disable UserDatabase. And I believe you have to have one Realm (doesn't matter what type) in your host. I think there were some startup mechanisms relying on one realm to be there. Regards Felix Best Regards, Bjoern -Ursprüngliche Nachricht- Von: Felix Schumacher [mailto:felix.schumac...@internetallee.de] Gesendet: Montag, 17. März 2014 14:11 An: Tomcat Users List; Becker, Björn Betreff: Re: JNDIRealm - Active Directory Roles On 17. März 2014 13:53:18 MEZ, bjoern.bec...@easycash.de wrote: Well, I still got a problem. After activating my active directory realm the applications don't anymore. I got this error: Mrz 17, 2014 1:49:28 PM org.apache.catalina.startup.HostConfig deployDescriptor Schwerwiegend: Error deploying configuration descriptor /app/tomcat2/tomcat/conf/Catalina/localhost/app.xml java.lang.IllegalStateException: ContainerBase.addChild: start: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/ap p] ] Have you looked at the localhost log file? Maybe you have a problem with web.xml? Regards Felix at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:904) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:618) at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:650) at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1582) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) at java.util.concurrent.FutureTask.run(FutureTask.java:262) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:744) Best Regards, Bjoern
AW: JNDIRealm - Active Directory Roles
Hello,
thanks for your reply. It doesn't make any difference.
I don't understand how the authenticated user receive permissions for one of
these roles:
role rolename=manager/
role rolename=tomcat/
role rolename=admin/
role rolename=manager-gui/
role rolename=manager-jmx/
Best Regards,
Bjoern
-Ursprüngliche Nachricht-
Von: Leo Donahue [mailto:donahu...@gmail.com]
Gesendet: Donnerstag, 13. März 2014 19:31
An: Tomcat Users List
Betreff: Re: JNDIRealm - Active Directory Roles
On Thu, Mar 13, 2014 at 10:15 AM, bjoern.bec...@easycash.de wrote:
Hello,
server.xml:
Realm className=org.apache.catalina.realm.JNDIRealm debug=99
connectionName=CN=SVC,OU=Service
Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de
connectionPassword=_2VK!WHzybn1SJ8P
connectionURL=ldap://server:389/OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de?sAMAccountName?sub?(objectClass=*)
userSearch=(sAMAccountName={0})
userSubtree=true
roleSearch=(memberof={0})
roleSubtree=true
userRoleName=CN=Tomcat Admins,OU=Roles,OU=Spezielle
Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de
/
!--roleBase=DC=DOM,DC=de
roleName=cn
--
Lines that are different in my context:
connectionURL=ldap://fully.qualified.server.name:389;
userSearch=(amp;(objectCategory=person)(sAMAccountName={0}))
roleSearch=(member={0})
userRoleName=memberOf
I don't know if it makes a difference for you or not.
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
JNDIRealm - Active Directory Roles
Hello,
I try to implement the authentification for the tomcat manager application
against active directory.
Unfortunately I don't understand the role concept. I like to give the users
permissions to open the manager when they're in this group:
memberOf: CN=Tomcat Admins,OU=Roles,OU=Spezielle
Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de
server.xml:
Realm className=org.apache.catalina.realm.JNDIRealm debug=99
connectionName=CN=SVC,OU=Service
Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de
connectionPassword=_2VK!WHzybn1SJ8P
connectionURL=ldap://server:389/OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de?sAMAccountName?sub?(objectClass=*)
userSearch=(sAMAccountName={0})
userSubtree=true
roleSearch=(memberof={0})
roleSubtree=true
userRoleName=CN=Tomcat Admins,OU=Roles,OU=Spezielle
Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de
/
!--roleBase=DC=DOM,DC=de
roleName=cn
--
With this configuration I can open the Manager, but got no permissions.
Even if the user role relationship will found, I don't understand how I can
assign tomcat roles (e.g. manager-gui) to the user.
Thanks!
Best Regards,
Bjoern
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
