I don't know why it doesn't work, but I think this idea is really bad when it
comes to Windows Active Directory, even if you made it work.
* This won't work for trusted domains.
* This won't work for nested domain groups.
* This won't work for local groups.
* You're hard-coding a domain user password.
* You're asking the user to enter his domain credentials, which forces
you to run under SSL (instead of doing single-sign-on).
If you are on Windows, you might want to try http://waffle.codeplex.com
instead; it's a drop-in solution that just works.
dB. @ dblock.org<http://www.dblock.org/>
Moscow|Geneva|Seattle|New York
From: Jill Han [mailto:jill@alverno.edu]
Sent: Tuesday, June 15, 2010 9:26 AM
To: users@tomcat.apache.org
Subject: Active Directory authentication
Hi,
I tried to configure Tomcat to authenticate against Active Directory. Here is
the relevant part of server.xml:
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://tst.mycollege.edu:389"
       userBase="DC=tst,DC=mycollege,DC=edu"
       userSearch="(sAMAccountName={0})"
       userRoleName="memberof"
       roleBase="DC=tst,DC=mycollege,DC=edu"
       roleName="cn"
       roleSearch="(uniqueMember={0})"
       userSubtree="true"
       roleSubtree="false"
/>
In the web.xml:
...
  <auth-constraint>
    <role-name>OU=EMP,dc=tst,DC=mycollege,DC=edu</role-name>
  </auth-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>NEWS</realm-name>
  </login-config>
  <security-role>
    <role-name>OU=EMP,dc=tst,DC=mycollege,DC=edu</role-name>
  </security-role>
...
The login window prompts when you access the site; however, no
login/password is accepted. In the log file:
Jun 15, 2010 7:14:53 AM org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'DC=tst,DC=mycollege,DC=edu'
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2763)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2737)
        at com.sun.jndi.ldap.LdapNamingEnumeration.getNextBatch(LdapNamingEnumeration.java:129)
        at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:198)
        at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:171)
        at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1067)
        at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:958)
        at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:907)
        at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:808)
        at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:180)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
        at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:199)
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:282)
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:754)
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:684)
        at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:876)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
        at java.lang.Thread.run(Thread.java:595)
I don't know what could go wrong: the AD setup on the Active Directory side, or
the properties in the server.xml.
Thanks for your help as always,
Jill
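An added example, not part of the thread and not Tomcat's own code, to make two parts of the post above concrete: how a JNDIRealm turns the userSearch and roleSearch attributes from the server.xml excerpt into LDAP filters (the {0}/{1} placeholders are substituted with the login name or user DN after RFC 4515 escaping, so a login name cannot change the shape of the filter), and how to pick "Exception performing authentication" events out of a log in the two-line java.util.logging layout the post shows. The escaping table, the log regexes and the sample log text are this example's own constructions; the sample entries are modelled on the thread's trace but are not copied from a real server.

```python
"""Added example: JNDIRealm filter substitution and realm-failure log triage.

Assumptions (not stated in the thread): placeholder values are escaped per
RFC 4515 before substitution, and the log uses the default java.util.logging
layout, i.e. a header line "<timestamp> <class> <method>" followed by a
"SEVERE: ..." line and the exception's toString().
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# RFC 4515 filter-value escaping: these characters are hex-escaped so that a
# user-supplied name cannot alter the structure of the search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, *args: str) -> str:
    """Substitute {0}, {1}, ... in a userSearch/roleSearch template.

    For userSearch {0} is the login name; for roleSearch {0} is the user's DN
    and {1} the login name. Each value is escaped before substitution.
    """
    out = template
    for i, arg in enumerate(args):
        out = out.replace("{%d}" % i, escape_filter_value(arg))
    return out


@dataclass
class RealmFailure:
    timestamp: str
    exception: str   # fully qualified exception class
    detail: str      # exception message, e.g. the "remaining name" hint


_HEADER = re.compile(
    r"^(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"org\.apache\.catalina\.realm\.JNDIRealm \w+$"
)
_EXC = re.compile(r"^([\w.$]+(?:Exception|Error)): (.*)$")


def parse_realm_failures(log_text: str) -> List[RealmFailure]:
    """Return one RealmFailure per SEVERE authentication exception in the log."""
    failures: List[RealmFailure] = []
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        header = _HEADER.match(line.strip())
        if not header or i + 2 >= len(lines):
            continue
        if not lines[i + 1].strip().startswith("SEVERE: Exception performing authentication"):
            continue
        exc = _EXC.match(lines[i + 2].strip())
        if exc:
            failures.append(RealmFailure(header.group(1), exc.group(1), exc.group(2)))
    return failures


def summarize(failures: List[RealmFailure]) -> Dict[str, int]:
    """Count failures by exception class; a spike in one class points at
    configuration (PartialResultException) rather than at bad passwords."""
    return dict(Counter(f.exception for f in failures))


# Constructed sample log, modelled on the thread's trace (not a real capture).
SAMPLE_LOG = """\
Jun 15, 2010 7:14:53 AM org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'DC=tst,DC=mycollege,DC=edu'
\tat com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2763)
\tat org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:907)
Jun 15, 2010 7:15:10 AM org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.CommunicationException: tst.mycollege.edu:389 [Root exception is java.net.ConnectException: Connection refused]
\tat com.sun.jndi.ldap.Connection.<init>(Connection.java:207)
Jun 15, 2010 7:16:00 AM org.apache.catalina.realm.JNDIRealm authenticate
FINE: Returning null
"""

if __name__ == "__main__":
    print(render_filter("(sAMAccountName={0})", "jill"))
    print(render_filter("(uniqueMember={0})", "CN=Jill Han,OU=EMP,DC=tst,DC=mycollege,DC=edu"))
    for f in parse_realm_failures(SAMPLE_LOG):
        print(f.timestamp, f.exception, f.detail)
    print(summarize(parse_realm_failures(SAMPLE_LOG)))
```

The filter part shows why the realm's own escaping matters: a login name such as `*)(objectClass=*` comes out as `\2a\29\28objectClass=\2a` and stays a single assertion value. The log part separates a configuration failure (every attempt ending in PartialResultException with the search base as the remaining name) from connectivity failures, which is the first distinction to make before touching user or role attributes.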