AW: JNDIRealm - Active Directory Roles
Thanks again! It keep the Userdatabase realm now, but I removed the "path=tomcat-users.xml" parameter. It's working now. Regards, Björn -Ursprüngliche Nachricht- Von: Felix Schumacher [mailto:felix.schumac...@internetallee.de] Gesendet: Montag, 17. März 2014 15:15 An: users@tomcat.apache.org Betreff: Re: JNDIRealm - Active Directory Roles Am 17.03.2014 14:31, schrieb bjoern.bec...@easycash.de: > Yes, I found this error: > > Mrz 17, 2014 12:50:59 PM org.apache.catalina.realm.UserDatabaseRealm > startInternal > Schwerwiegend: Exception looking up UserDatabase under key > UserDatabase > javax.naming.NameNotFoundException: Name [UserDatabase] is not bound in this > Context. Unable to find [UserDatabase]. > at org.apache.naming.NamingContext.lookup(NamingContext.java:820) > at org.apache.naming.NamingContext.lookup(NamingContext.java:168) > at > org.apache.catalina.realm.UserDatabaseRealm.startInternal(UserDatabaseRealm.java:255) > at > org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) > at > org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5168) > at > org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) > at > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) > at > org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877) > at > org.apache.catalina.core.StandardHost.addChild(StandardHost.java:618) > at > org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:650) > at > org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1582) > at > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:744) > > While activating the ad realm I commented out the UserDatabase Resource: > > > > > > > and: > > > > May this is my problem? I thought the tomcatuser.xml and the > UserDatabaseRealm is not necessary anymore? UserDatabase is needed for any UserDatabaseRealm you might have. So you will have to look into all of your contexts to see if you can disable UserDatabase. And I believe you have to have one Realm (doesn't matter what type) in your host. I think there were some startup mechanisms relying on one realm to be there. Regards Felix > > Best Regards, > Bjoern > > > -Ursprüngliche Nachricht- > Von: Felix Schumacher [mailto:felix.schumac...@internetallee.de] > Gesendet: Montag, 17. März 2014 14:11 > An: Tomcat Users List; Becker, Björn > Betreff: Re: JNDIRealm - Active Directory Roles > > > > On 17. März 2014 13:53:18 MEZ, bjoern.bec...@easycash.de wrote: >> Well, I still got a problem. >> After activating my active directory realm the applications don't >> anymore. >> >> I got this error: >> >> Mrz 17, 2014 1:49:28 PM org.apache.catalina.startup.HostConfig >> deployDescriptor >> Schwerwiegend: Error deploying configuration descriptor >> /app/tomcat2/tomcat/conf/Catalina/localhost/app.xml >> java.lang.IllegalStateException: ContainerBase.addChild: start: >> org.apache.catalina.LifecycleException: Failed to start component >> [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/ap >> p] >> ] > Have you looked at the localhost log file? Maybe you have a problem with > web.xml? > > Regards > Felix > >> at >> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:904) >> at >> org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877) >> at >> org.apache.catalina.core.StandardHost.addChild(StandardHost.java:618) >> at >> org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:650) >> at >> org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1582) >> at >> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) >> at java.util.concurrent.FutureTask.run(FutureTask.java:262) >> at >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) >> at java.lang.Thread.run(Thread.java:744) >> >> >
AW: JNDIRealm - Active Directory Roles
Yes, I found this error: Mrz 17, 2014 12:50:59 PM org.apache.catalina.realm.UserDatabaseRealm startInternal Schwerwiegend: Exception looking up UserDatabase under key UserDatabase javax.naming.NameNotFoundException: Name [UserDatabase] is not bound in this Context. Unable to find [UserDatabase]. at org.apache.naming.NamingContext.lookup(NamingContext.java:820) at org.apache.naming.NamingContext.lookup(NamingContext.java:168) at org.apache.catalina.realm.UserDatabaseRealm.startInternal(UserDatabaseRealm.java:255) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5168) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:618) at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:650) at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1582) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) at java.util.concurrent.FutureTask.run(FutureTask.java:262) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:744) While activating the ad realm I commented out the UserDatabase Resource: and: May this is my problem? I thought the tomcatuser.xml and the UserDatabaseRealm is not necessary anymore? Best Regards, Bjoern -Ursprüngliche Nachricht- Von: Felix Schumacher [mailto:felix.schumac...@internetallee.de] Gesendet: Montag, 17. März 2014 14:11 An: Tomcat Users List; Becker, Björn Betreff: Re: JNDIRealm - Active Directory Roles On 17. März 2014 13:53:18 MEZ, bjoern.bec...@easycash.de wrote: >Well, I still got a problem. >After activating my active directory realm the applications don't >anymore. > >I got this error: > >Mrz 17, 2014 1:49:28 PM org.apache.catalina.startup.HostConfig >deployDescriptor >Schwerwiegend: Error deploying configuration descriptor >/app/tomcat2/tomcat/conf/Catalina/localhost/app.xml >java.lang.IllegalStateException: ContainerBase.addChild: start: >org.apache.catalina.LifecycleException: Failed to start component >[StandardEngine[Catalina].StandardHost[localhost].StandardContext[/app] >] Have you looked at the localhost log file? Maybe you have a problem with web.xml? Regards Felix > at >org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:904) > at >org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877) > at >org.apache.catalina.core.StandardHost.addChild(StandardHost.java:618) > at >org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:650) > at >org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1582) > at >java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at >java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at >java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:744) > > >Best Regards, >Bjoern > > >-Ursprüngliche Nachricht- >Von: Becker, Björn >Gesendet: Montag, 17. März 2014 13:06 >An: users@tomcat.apache.org >Betreff: AW: JNDIRealm - Active Directory Roles > >Hallo Felix, > >thanks for explaination! I got it now! > >What helps was to enable debugging: > ># conf/logging.conf ># This would turn on trace-level for everything # the possible levels >are: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL >#org.apache.catalina.level = ALL #org.apache.catalina.handlers = >2localhost.org.apache.juli.FileHandler >org.apache.catalina.realm.level = ALL >org.apache.catalina.realm.useParentHandlers = true >org.apache.catalina.authenticator.level = ALL >org.apache.catalina.authenticator.useParentHandlers = true > >I got this realm config now: > > connectionName="CN=SVC_TomcatLdapQuery,OU=Service >Accounts,OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC= " > connectionPassword="PASS" > > connectionURL="ldap://server:389/OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC=?sAMAccountName?sub?(objectClass=*)" > userSear
AW: JNDIRealm - Active Directory Roles
Well, I still got a problem.
After activating my active directory realm the applications don't anymore.
I got this error:
Mrz 17, 2014 1:49:28 PM org.apache.catalina.startup.HostConfig deployDescriptor
Schwerwiegend: Error deploying configuration descriptor
/app/tomcat2/tomcat/conf/Catalina/localhost/app.xml
java.lang.IllegalStateException: ContainerBase.addChild: start:
org.apache.catalina.LifecycleException: Failed to start component
[StandardEngine[Catalina].StandardHost[localhost].StandardContext[/app]]
at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:904)
at
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:618)
at
org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:650)
at
org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1582)
at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Best Regards,
Bjoern
-Ursprüngliche Nachricht-
Von: Becker, Björn
Gesendet: Montag, 17. März 2014 13:06
An: users@tomcat.apache.org
Betreff: AW: JNDIRealm - Active Directory Roles
Hallo Felix,
thanks for explaination! I got it now!
What helps was to enable debugging:
# conf/logging.conf
# This would turn on trace-level for everything # the possible levels are:
SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL
#org.apache.catalina.level = ALL #org.apache.catalina.handlers =
2localhost.org.apache.juli.FileHandler
org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true
I got this realm config now:
ldap://server:389/OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC=?sAMAccountName?sub?(objectClass=*)"
userSearch="(sAMAccountName={0})"
userSubtree="true"
roleSubtree="true"
roleName="CN"
userRoleName="memberOf"
/>
And I copy the manager-gui constraint in web.xml of the manager application and
put in my new role:
CN=DG_R_Tomcat Admins UAT,OU=Roles,OU=Spezielle
Gruppen,OU=Hamburg,OU=SITES,OU=\#KONFIGURATION,DC=,DC=
Thanks a lot!
Best Regards,
Bjoern
-Ursprüngliche Nachricht-
Von: Felix Schumacher [mailto:felix.schumac...@internetallee.de]
Gesendet: Samstag, 15. März 2014 21:52
An: users@tomcat.apache.org
Betreff: Re: JNDIRealm - Active Directory Roles
Am 13.03.2014 18:15, schrieb bjoern.bec...@easycash.de:
> Hello,
>
> I try to implement the authentification for the tomcat manager application
> against active directory.
>
> Unfortunately I don't understand the role concept. I like to give the users
> permissions to open the manager when they're in this group:
>
>> memberOf: CN=Tomcat Admins,OU=Roles,OU=Spezielle
>> Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de
> server.xml:
>connectionName="CN=SVC,OU=Service
> Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
> connectionPassword="_2VK!WHzybn1SJ8P"
>
> connectionURL="ldap://server:389/OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de?sAMAccountName?sub?(objectClass=*)"
>
> userSearch="(sAMAccountName={0})"
> userSubtree="true"
>
> roleSearch="(memberof={0})"
> roleSubtree="true"
> userRoleName="CN=Tomcat Admins,OU=Roles,OU=Spezielle
> Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de "
> />
>
>
>
> With this configuration I can open the Manager, but got no permissions.
>
> Even if the user role relationship will found, I don't understand how I can
> assign tomcat roles (e.g. manager-gui) to the user.
Looking at the documentation on
http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm
you have three settings which are most probably not correct.
* roleSearch will only be used, if roleName is set (which is commented out in
your configuration)
* roleSearch will be used to search for objects that match the given filter.
In your case you would find user objects instead of group objects.
* userRoleName should be the name of an attribute in the
AW: JNDIRealm - Active Directory Roles
Hallo Felix,
thanks for explaination! I got it now!
What helps was to enable debugging:
# conf/logging.conf
# This would turn on trace-level for everything
# the possible levels are: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST
or ALL
#org.apache.catalina.level = ALL
#org.apache.catalina.handlers = 2localhost.org.apache.juli.FileHandler
org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true
I got this realm config now:
ldap://server:389/OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC=?sAMAccountName?sub?(objectClass=*)"
userSearch="(sAMAccountName={0})"
userSubtree="true"
roleSubtree="true"
roleName="CN"
userRoleName="memberOf"
/>
And I copy the manager-gui constraint in web.xml of the manager application and
put in my new role:
CN=DG_R_Tomcat Admins UAT,OU=Roles,OU=Spezielle
Gruppen,OU=Hamburg,OU=SITES,OU=\#KONFIGURATION,DC=easycash,DC=de
Thanks a lot!
Best Regards,
Bjoern
-Ursprüngliche Nachricht-
Von: Felix Schumacher [mailto:felix.schumac...@internetallee.de]
Gesendet: Samstag, 15. März 2014 21:52
An: users@tomcat.apache.org
Betreff: Re: JNDIRealm - Active Directory Roles
Am 13.03.2014 18:15, schrieb bjoern.bec...@easycash.de:
> Hello,
>
> I try to implement the authentification for the tomcat manager application
> against active directory.
>
> Unfortunately I don't understand the role concept. I like to give the users
> permissions to open the manager when they're in this group:
>
>> memberOf: CN=Tomcat Admins,OU=Roles,OU=Spezielle
>> Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de
> server.xml:
>connectionName="CN=SVC,OU=Service
> Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
> connectionPassword="_2VK!WHzybn1SJ8P"
>
> connectionURL="ldap://server:389/OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de?sAMAccountName?sub?(objectClass=*)"
>
> userSearch="(sAMAccountName={0})"
> userSubtree="true"
>
> roleSearch="(memberof={0})"
> roleSubtree="true"
> userRoleName="CN=Tomcat Admins,OU=Roles,OU=Spezielle
> Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de "
> />
>
>
>
> With this configuration I can open the Manager, but got no permissions.
>
> Even if the user role relationship will found, I don't understand how I can
> assign tomcat roles (e.g. manager-gui) to the user.
Looking at the documentation on
http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm
you have three settings which are most probably not correct.
* roleSearch will only be used, if roleName is set (which is commented out in
your configuration)
* roleSearch will be used to search for objects that match the given filter.
In your case you would find user objects instead of group objects.
* userRoleName should be the name of an attribute in the user object (cn=...
is not a name of an attribute, but rather a value)
So given your goal, that cn=tomcat admins,... should be a role, you have two
options.
* You could activate roleName=cn (or another attribute name) and change the
roleSearch to member={0}. Then the realm would (hopefully) find the object
cn=tomcat admins,...
* You could change userRoleName to memberOf
In the first case your user would have a role with the name "Tomcat Admins".
The second option would lead to a role name of "cn=Tomcat Admins,...".
In both cases you would have to change the security constraints in the webapp
(those are defined in the WEB-INF/web.xml file).
If your role objects had other attributes with values that match the roles
defined in web.xml you could simply change roleName in the first option above.
Regards
Felix
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
AW: JNDIRealm - Active Directory Roles
Hello,
thanks for your reply. It doesn't make any difference.
I don't understand how the authenticated user receive permissions for one of
these roles:
Best Regards,
Bjoern
-Ursprüngliche Nachricht-
Von: Leo Donahue [mailto:donahu...@gmail.com]
Gesendet: Donnerstag, 13. März 2014 19:31
An: Tomcat Users List
Betreff: Re: JNDIRealm - Active Directory Roles
On Thu, Mar 13, 2014 at 10:15 AM, wrote:
> Hello,
>
> server.xml:
> connectionName="CN=SVC,OU=Service
> Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
>
connectionPassword="_2VK!WHzybn1SJ8P"
>
> connectionURL="ldap://server:389/OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de?sAMAccountName?sub?(objectClass=*)"
>
> userSearch="(sAMAccountName={0})"
> userSubtree="true"
>
> roleSearch="(memberof={0})"
> roleSubtree="true"
> userRoleName="CN=Tomcat Admins,OU=Roles,OU=Spezielle
> Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de "
> />
>
>
>
Lines that are different in my context:
connectionURL="ldap://fully.qualified.server.name:389";
userSearch="(&(objectCategory=person)(sAMAccountName={0}))"
roleSearch="(member={0})"
userRoleName="memberOf"
I don't know if it makes a difference for you or not.
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
