Re: Fw: Problems with LDAP authentication

2012-02-14 Thread André Warnier

Lev A KARATUN wrote:

> Good morning everyone!
>
> Well, I've got no idea what happened (providing nobody is configuring
> tomcat except me), but I've just opened catalina.out and have seen that
> the error message changed to
> Exception opening directory server connection:
> javax.naming.CommunicationException: raiffeisen.ru:389 [Root exception is
> java.net.SocketTimeoutException: connect timed out]
>
> so Tomcat is at least trying to connect to the proper host now.


Lev, I don't think that you can be sure of that yet.
I cannot comment on your Realm configuration (because I don't know how it works), but to 
me the kind of problem you are having makes me suspect that something is wrong in your 
network setup.
The "connect timed out", for example, suggests that Java/Tomcat may be connecting to a host
that has port 389 open, and maybe the connect itself is working, but the response to the 
connect (a packet from that host raiffeisen.ru) never comes back to your Tomcat host.


Perhaps the LDAP host raiffeisen.ru is in a different network segment than your Tomcat 
host, and Tomcat can send packets to raiffeisen.ru, but raiffeisen.ru cannot send 
packets back to the Tomcat host ? (some firewall or router in-between ?)


Can you run a command-line session on the host raiffeisen.ru, and check if from there 
you can at least ping your Tomcat host ?
Or use a traceroute (tracert under Windows) from your Tomcat host to the raiffeisen.ru 
host (and look at the IP's) ?



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
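
Added example, not from the thread and not Tomcat's own code: a small JNDI probe that performs a simple bind through the same API the exceptions in this thread come from, so the "refused", "timed out" and bind-rejected cases can be told apart from the Tomcat host itself. The class name LdapProbe, the LDAP_PROBE_PASSWORD variable and the 5-second timeout are assumptions of this example.

```java
import java.io.Console;
import java.net.ConnectException;
import java.net.SocketTimeoutException;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Added example (hypothetical helper, not part of Tomcat).
 * Run it on the Tomcat host, as the Tomcat user, with the JVM Tomcat uses:
 *   java LdapProbe ldap://raiffeisen.ru:389 cn=mylogin,dc=raiffeisen,dc=ru
 * Note: a simple bind over ldap:// sends the password in clear text;
 * use an ldaps:// URL where the directory offers one.
 */
public class LdapProbe {

    /** Maps the exception JNDI throws to the layer that failed. */
    static String classify(NamingException e) {
        if (e instanceof AuthenticationException) {
            return "BIND REJECTED: network path and LDAP server are fine; "
                 + "check connectionName / connectionPassword";
        }
        // JNDI wraps socket errors; catalina.out shows them as "[Root exception is ...]".
        Throwable root = e.getRootCause();
        if (root instanceof SocketTimeoutException) {
            return "TIMED OUT: no answer within the timeout; packets are being "
                 + "dropped somewhere (firewall, routing, other network segment)";
        }
        if (root instanceof ConnectException) {
            // Some platforms also report an OS-level connect timeout as ConnectException.
            return "REFUSED: the host answered but nothing accepts connections on "
                 + "that port; compare the host in the message with connectionURL";
        }
        if (root instanceof UnknownHostException) {
            return "UNKNOWN HOST: the name in the URL does not resolve on this machine";
        }
        return "OTHER: see the raw exception";
    }

    /** Opens one bound connection and returns a one-line diagnosis. */
    static String probe(String url, String bindName, char[] password, int timeoutMs) {
        if (password == null || password.length == 0) {
            // With an empty password a simple bind is treated as anonymous and
            // may "succeed" without proving that the credentials work.
            return "NOT TESTED: empty password";
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindName);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // Fail fast instead of waiting for the operating system's TCP timeout.
        env.put("com.sun.jndi.ldap.connect.timeout", Integer.toString(timeoutMs));
        env.put("com.sun.jndi.ldap.read.timeout", Integer.toString(timeoutMs));
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            return "OK: connected and bound to " + url + " as " + bindName;
        } catch (NamingException e) {
            return classify(e) + "\n  raw: " + e;
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        if (args.length != 2) {
            System.err.println("usage: java LdapProbe <ldap-url> <bind-name>");
            System.exit(2);
        }
        Console console = System.console();
        char[] password;
        if (console != null) {
            password = console.readPassword("Bind password: ");
        } else {
            // Assumed fallback for non-interactive runs (variable name is hypothetical).
            String fromEnv = System.getenv("LDAP_PROBE_PASSWORD");
            password = fromEnv == null ? null : fromEnv.toCharArray();
        }
        try {
            System.out.println(probe(args[0], args[1], password, 5000));
        } finally {
            if (password != null) Arrays.fill(password, '\0');
        }
    }
}
```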



Re: Fw: Problems with LDAP authentication

2012-02-14 Thread Lev A KARATUN
 André Warnier a...@ice-sa.com 
 14.02.2012 16:00
 
> Lev A KARATUN wrote:
> > Good morning everyone!
> >
> > Well, I've got no idea what happened (providing nobody is configuring
> > tomcat except me), but I've just opened catalina.out and have seen that
> > the error message changed to
> > Exception opening directory server connection:
> > javax.naming.CommunicationException: raiffeisen.ru:389 [Root exception is
> > java.net.SocketTimeoutException: connect timed out]
> >
> > so Tomcat is at least trying to connect to the proper host now.
>
> Lev, I don't think that you can be sure of that yet.
> I cannot comment on your Realm configuration (because I don't know how it
> works), but to me the kind of problem you are having makes me suspect that
> something is wrong in your network setup.
> The "connect timed out", for example, suggests that Java/Tomcat may be
> connecting to a host that has port 389 open, and maybe the connect itself
> is working, but the response to the connect (a packet from that host
> raiffeisen.ru) never comes back to your Tomcat host.
>
> Perhaps the LDAP host raiffeisen.ru is in a different network segment than
> your Tomcat host,

You're right, it is. Thanks for drawing my attention to it.

> and Tomcat can send packets to raiffeisen.ru, but raiffeisen.ru cannot send
> packets back to the Tomcat host ? (some firewall or router in-between ?)
>
> Can you run a command-line session on the host raiffeisen.ru,

Unfortunately, not. I've got no access there (and I doubt that I can get it
without joining a different department) )

> and check if from there you can at least ping your Tomcat host ?

I tried it vice versa - when trying to ping raiffeisen.ru from my Tomcat
host I get no answer.

> Or use a traceroute (tracert under Windows) from your Tomcat host to the
> raiffeisen.ru host (and look at the IP's) ?

Well, I suppose, my first goal is to be able to telnet to my AD host on port
389, right? If you don't mind I'll write you again when I'm done with it )


---
This message and any attachment are confidential and may be privileged or 
otherwise protected from disclosure. If you are not the intended recipient any 
use, distribution, copying or disclosure is strictly prohibited. If you have 
received this message in error, please notify the sender immediately either by 
telephone or by e-mail and delete this message and any attachment from your 
system. Correspondence via e-mail is for information purposes only. ZAO 
Raiffeisenbank neither makes nor accepts legally binding statements by e-mail 
unless otherwise agreed. 
---

Re: Fw: Problems with LDAP authentication

2012-02-13 Thread Lev A KARATUN
 André Warnier a...@ice-sa.com 
 10.02.2012 18:02
 
 
 Lev A KARATUN wrote:
 ...
 
 
  I've been reading the manuals for some time, and configured my 
  Tomcat 
  the
  following way:
 
  $CATALINA_BASE/conf/Catalina/localhost/myapp.xml
 
  Context antiResourceLocking=false privileged=true
  docBase=$CATALINA_BASE/logs reloadable=true
 
 ...
 
  That's why Felix said that he thought that this config wasn't the one
  being used.
 
  What is the name of the Context xml file in 
  tomcat/conf/Catalina/localhost?
  Is it logs.xml or myapp.xml or something else?
 
  
  It is logs.xml
  
  
 Huh ?  Is it just me, or does something not fit ?
 (or was this another edit before posting ?)

The name of the file has always been logs.xml. When I was writing the 
1st message about my problem, I used myapp.xml just as an example 
(because it really doesn't matter what the name of the app is, right?). 
When Pid asked me about the actual name of the app's context file, I 
answered him - logs.xml


 
 
 




Re: Fw: Problems with LDAP authentication

2012-02-13 Thread Lev A KARATUN
Good morning everyone!

Well, I've got no idea what happened (providing nobody is configuring 
tomcat except me), but I've just opened catalina.out and have seen that 
the error message changed to 
Exception opening directory server connection:
javax.naming.CommunicationException: raiffeisen.ru:389 [Root exception is
java.net.SocketTimeoutException: connect timed out]

so Tomcat is at least trying to connect to the proper host now.

As far as I understand I've entered something wrong in the JNDI Realm 
properties. Am I right?
Here's my present realm config. Can you take a look please?

<?xml version="1.0" encoding="UTF-8"?>
<Context antiResourceLocking="false" privileged="true"
         docBase="/opt/tomcat/TC02/logs" reloadable="true">
    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldap://raiffeisen.ru:389"
           alternateURL="ldap://raiffeisen.ru:389"
           connectionName="cn=mylogin,dc=raiffeisen,dc=ru"
           connectionPassword="mypassword"  (unencrypted (for development purposes) - is it correct?)
           referrals="follow"
           userBase="OU=_Users,DC=raiffeisen,DC=ru"
           userSearch="(sAMAccountName={0})"
           userSubtree="true"
           userPattern="uid={0},ou=_Users,dc=raiffeisen,dc=ru"
           roleBase="OU=_Groups,DC=raiffeisen,DC=ru"
           roleName="cn"
           roleSubtree="true"
           roleSearch="(member={0})"
           adCompat="true"/>
</Context>



Thanks in advance.



Best Regards, 
Karatun Lev,

Felix Schumacher felix.schumac...@internetallee.de wrote on 10.02.2012 
21:51:25:

 Felix Schumacher felix.schumac...@internetallee.de 
 10.02.2012 21:52
 
> On Friday, 10.02.2012, at 16:54 +0400, Lev A KARATUN wrote:
> > Felix Schumacher felix.schumac...@internetallee.de wrote on 10.02.2012
> > 15:31:43:
> >
> > > Felix Schumacher felix.schumac...@internetallee.de
> > > 10.02.2012 15:32
> > >
> > > > Hi again.
> > > >
> > > > So, my boss told me that it's insecure to give anyone the password
> > > > to view tomcat's logs and that should be an authentication based on
> > > > Active Directory.
> > > >
> > > > I've been reading the manuals for some time, and configured my
> > > > Tomcat the following way:
> > > >
> > > > $CATALINA_BASE/conf/Catalina/localhost/myapp.xml
> > > >
> > > > <Context antiResourceLocking="false" privileged="true"
> > > > docBase="$CATALINA_BASE/logs" reloadable="true">
> > > >
> > > > <Realm className="org.apache.catalina.realm.JNDIRealm"
> > > > connectionURL="ldap://raiffeisen.ru:389"
> > > > connectionName="myacco...@raiffeisen.ru"  (I also tried the
> > > > format connectionName="cn=myaccount,dc=raiffeisen,dc=ru" - does it
> > > > matter what format do I use?)
> > >
> > > For normal ldap servers it would be the latter one, e.g. a fully
> > > qualified dn. ADS might accept the mail address of the user, but I
> > > frankly don't know.
> >
> > Anyway, I tried both variants - the server refuses to accept the
> > connection
>
> No wonder, since your error message below tells us, that tomcat is
> talking to localhost instead of raiffeisen.ru :)
>
> > > > connectionPassword="mypassword"
> > > > referrals="follow"
> > > > userBase="OU=_Users,DC=raiffeisen,DC=ru"
> > > > userSearch="(sAMAccountName={0})"
> > > > userSubtree="true"
> > > > roleBase="OU=_Groups,DC=raiffeisen,DC=ru"
> > > > roleName="cn"
> > > > roleSubtree="true"
> > > > roleSearch="(member={0})"
> > >
> > > For ADS you might want to add adCompat="true" (look at
> > > http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html for further
> > > infos).
> >
> > OK, added, but nothing changed =\
>
> Again, no wonder.
>
> > > > />
> > > > </Context>
> > > >
> > > > WEB-INF/web.xml
> > > >
> > > > <security-constraint>
> > > >   <web-resource-collection>
> > > >     <web-resource-name>Administrative Area</web-resource-name>
> > > >     <url-pattern>/*</url-pattern>
> > > >   </web-resource-collection>
> > > >   <auth-constraint>
> > > >     <role-name>ADGroupName</role-name>
> > > >   </auth-constraint>
> > > > </security-constraint>
> > > >
> > > > <security-role>
> > > >   <description>
> > > >     The role that is required to view logs
> > > >   </description>
> > > >   <role-name>ADGroupName</role-name>
> > > > </security-role>
> > > >
> > > > I also placed LDAP.jar into $CATALINA_BASE/lib, restarted tomcat for
>
> I think, that is not needed since java 1.4.x, even if it is mentioned in
> the howto :( I have never used that ldap.jar and wouldn't even know
> where to get it. But my jndi-Realms work.
>
> > > > I guess a hundred times, but every time I'm getting a message in
> > > > catalina.out:
> > > >
> > > > Throwable occurred: LifecycleException:  Exception opening directory
> > > > server connection:  javax.naming.CommunicationException: localhost:389
> > > > [Root exception is java.net.ConnectException: A remote host refused an
> > > > attempted connect operation.]
> > >
> > > Since localhost is another server, than what you told us you had
> > > configured, I think your context file is not being used. Search

Fw: Problems with LDAP authentication

2012-02-10 Thread Lev A KARATUN
Does anybody have an idea?..



Hi again.

So, my boss told me that it's insecure to give anyone the password to view 
tomcat's logs and that should be an authentication based on Active 
Directory.

I've been reading the manuals for some time, and configured my Tomcat the 
following way:

$CATALINA_BASE/conf/Catalina/localhost/myapp.xml

<Context antiResourceLocking="false" privileged="true"
         docBase="$CATALINA_BASE/logs" reloadable="true">

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldap://raiffeisen.ru:389"
           connectionName="myacco...@raiffeisen.ru"  (I also tried the format
           connectionName="cn=myaccount,dc=raiffeisen,dc=ru" - does it matter
           what format do I use?)
           connectionPassword="mypassword"
           referrals="follow"
           userBase="OU=_Users,DC=raiffeisen,DC=ru"
           userSearch="(sAMAccountName={0})"
           userSubtree="true"
           roleBase="OU=_Groups,DC=raiffeisen,DC=ru"
           roleName="cn"
           roleSubtree="true"
           roleSearch="(member={0})"
    />
</Context>


WEB-INF/web.xml

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Administrative Area</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ADGroupName</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <description>
        The role that is required to view logs
    </description>
    <role-name>ADGroupName</role-name>
</security-role>


I also placed LDAP.jar into $CATALINA_BASE/lib, restarted tomcat for I 
guess a hundred times, but every time I'm getting a message in 
catalina.out:

Throwable occurred: LifecycleException:  Exception opening directory 
server connection:  javax.naming.CommunicationException: localhost:389 
[Root exception is java.net.ConnectException: A remote host refused an 
attempted connect operation.]

and 

SEVERE: Error deploying configuration descriptor myapp.xml
Throwable occurred: java.lang.IllegalStateException: 
ContainerBase.addChild: start: LifecycleException:  Exception opening 
directory server connection:  javax.naming.CommunicationException: 
localhost:389 [Root exception is java.net.ConnectException: A remote host 
refused an attempted connect operation.]


I tried to telnet raiffeisen.ru by port 389 and got connected.
I installed JXplorer, entered hostname, port, my credentials and got 
connected.
I start Tomcat and get errors. 

Can you please give me an idea about what am I doing wrong?

Thanks in advance.

Best Regards, 
Karatun Lev.



Re: Fw: Problems with LDAP authentication

2012-02-10 Thread Felix Schumacher

On 10.02.2012 11:43, Lev A KARATUN wrote:

> Does anybody have an idea?..
>
> Hi again.
>
> So, my boss told me that it's insecure to give anyone the password to view
> tomcat's logs and that should be an authentication based on Active
> Directory.
>
> I've been reading the manuals for some time, and configured my Tomcat the
> following way:
>
> $CATALINA_BASE/conf/Catalina/localhost/myapp.xml
>
> <Context antiResourceLocking="false" privileged="true"
> docBase="$CATALINA_BASE/logs" reloadable="true">
>
> <Realm className="org.apache.catalina.realm.JNDIRealm"
> connectionURL="ldap://raiffeisen.ru:389"
> connectionName="myacco...@raiffeisen.ru"  (I also tried the
> format connectionName="cn=myaccount,dc=raiffeisen,dc=ru" - does it matter
> what format do I use?)

For normal ldap servers it would be the latter one, e.g. a fully
qualified dn. ADS might accept the mail address of the user, but I
frankly don't know.

> connectionPassword="mypassword"
> referrals="follow"
> userBase="OU=_Users,DC=raiffeisen,DC=ru"
> userSearch="(sAMAccountName={0})"
> userSubtree="true"
> roleBase="OU=_Groups,DC=raiffeisen,DC=ru"
> roleName="cn"
> roleSubtree="true"
> roleSearch="(member={0})"

For ADS you might want to add adCompat="true" (look at
http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html for further
infos).

> />
> </Context>
>
> WEB-INF/web.xml
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Administrative Area</web-resource-name>
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>ADGroupName</role-name>
>   </auth-constraint>
> </security-constraint>
>
> <security-role>
>   <description>
>     The role that is required to view logs
>   </description>
>   <role-name>ADGroupName</role-name>
> </security-role>
>
> I also placed LDAP.jar into $CATALINA_BASE/lib, restarted tomcat for I
> guess a hundred times, but every time I'm getting a message in
> catalina.out:
>
> Throwable occurred: LifecycleException:  Exception opening directory
> server connection:  javax.naming.CommunicationException: localhost:389
> [Root exception is java.net.ConnectException: A remote host refused an
> attempted connect operation.]

Since localhost is another server, than what you told us you had
configured, I think your context file is not being used. Search for
other context files, where you either have configured localhost or
misspelled connectionURL.

> and
>
> SEVERE: Error deploying configuration descriptor myapp.xml
> Throwable occurred: java.lang.IllegalStateException:
> ContainerBase.addChild: start: LifecycleException:  Exception opening
> directory server connection:  javax.naming.CommunicationException:
> localhost:389 [Root exception is java.net.ConnectException: A remote host
> refused an attempted connect operation.]
>
> I tried to telnet raiffeisen.ru by port 389 and got connected.
> I installed JXplorer, entered hostname, port, my credentials and got
> connected.

telnet localhost 389 and see if you get any errors :)

Regards
 Felix

> I start Tomcat and get errors.
>
> Can you please give me an idea about what am I doing wrong?
>
> Thanks in advance.
>
> Best Regards,
> Karatun Lev.








Re: Fw: Problems with LDAP authentication

2012-02-10 Thread Pid
On 10/02/2012 10:43, Lev A KARATUN wrote:
> Does anybody have an idea?..
>
> Hi again.
>
> So, my boss told me that it's insecure to give anyone the password to view
> tomcat's logs and that should be an authentication based on Active
> Directory.

I think we raised that particular issue too.

> I've been reading the manuals for some time, and configured my Tomcat the
> following way:
>
> $CATALINA_BASE/conf/Catalina/localhost/myapp.xml
>
> <Context antiResourceLocking="false" privileged="true"
> docBase="$CATALINA_BASE/logs" reloadable="true">

That variable should be ${catalina.base}.


p



Re: Fw: Problems with LDAP authentication

2012-02-10 Thread Lev A KARATUN
Pid,

sorry, my English is not very good. What do you mean by "raised that
particular issue too"?

> That variable should be ${catalina.base}.

Actually, there is no variable in the config file, and it works pretty
fine.. I just did not want to insert the full path from / to the logs
folder into my letter and so I wrote just $CATALINA_BASE.


Best Regards, 
Karatun Lev,





Re: Fw: Problems with LDAP authentication

2012-02-10 Thread Lev A KARATUN
Please see my answers below.

Best Regards, 
Karatun Lev,


Felix Schumacher felix.schumac...@internetallee.de wrote on 10.02.2012 
15:31:43:

 Felix Schumacher felix.schumac...@internetallee.de 
 10.02.2012 15:32
 
 
> On 10.02.2012 11:43, Lev A KARATUN wrote:
> > Does anybody have an idea?..
> >
> > Hi again.
> >
> > So, my boss told me that it's insecure to give anyone the password to
> > view tomcat's logs and that should be an authentication based on Active
> > Directory.
> >
> > I've been reading the manuals for some time, and configured my Tomcat
> > the following way:
> >
> > $CATALINA_BASE/conf/Catalina/localhost/myapp.xml
> >
> > <Context antiResourceLocking="false" privileged="true"
> > docBase="$CATALINA_BASE/logs" reloadable="true">
> >
> > <Realm className="org.apache.catalina.realm.JNDIRealm"
> > connectionURL="ldap://raiffeisen.ru:389"
> > connectionName="myacco...@raiffeisen.ru"  (I also tried the
> > format connectionName="cn=myaccount,dc=raiffeisen,dc=ru" - does it
> > matter what format do I use?)
>
> For normal ldap servers it would be the latter one, e.g. a fully
> qualified dn. ADS might accept the mail address of the user, but I
> frankly don't know.

Anyway, I tried both variants - the server refuses to accept the
connection

> > connectionPassword="mypassword"
> > referrals="follow"
> > userBase="OU=_Users,DC=raiffeisen,DC=ru"
> > userSearch="(sAMAccountName={0})"
> > userSubtree="true"
> > roleBase="OU=_Groups,DC=raiffeisen,DC=ru"
> > roleName="cn"
> > roleSubtree="true"
> > roleSearch="(member={0})"
>
> For ADS you might want to add adCompat="true" (look at
> http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html for further
> infos).

OK, added, but nothing changed =\

> > />
> > </Context>
> >
> > WEB-INF/web.xml
> >
> > <security-constraint>
> >   <web-resource-collection>
> >     <web-resource-name>Administrative Area</web-resource-name>
> >     <url-pattern>/*</url-pattern>
> >   </web-resource-collection>
> >   <auth-constraint>
> >     <role-name>ADGroupName</role-name>
> >   </auth-constraint>
> > </security-constraint>
> >
> > <security-role>
> >   <description>
> >     The role that is required to view logs
> >   </description>
> >   <role-name>ADGroupName</role-name>
> > </security-role>
> >
> > I also placed LDAP.jar into $CATALINA_BASE/lib, restarted tomcat for I
> > guess a hundred times, but every time I'm getting a message in
> > catalina.out:
> >
> > Throwable occurred: LifecycleException:  Exception opening directory
> > server connection:  javax.naming.CommunicationException: localhost:389
> > [Root exception is java.net.ConnectException: A remote host refused an
> > attempted connect operation.]
>
> Since localhost is another server, than what you told us you had
> configured, I think your context file is not being used. Search for
> other context files, where you either have configured localhost or
> misspelled connectionURL.

But the 389th port is only mentioned in myapp's config file and nowhere
else. So I assume that Tomcat tries to use myapp.xml, but fails for some
reason..

The other apps' context files are default - like this:
<?xml version="1.0" encoding="UTF-8"?>
<Context antiResourceLocking="false" privileged="true" />

> > and
> >
> > SEVERE: Error deploying configuration descriptor myapp.xml
> > Throwable occurred: java.lang.IllegalStateException:
> > ContainerBase.addChild: start: LifecycleException:  Exception opening
> > directory server connection:  javax.naming.CommunicationException:
> > localhost:389 [Root exception is java.net.ConnectException: A remote
> > host refused an attempted connect operation.]
> >
> > I tried to telnet raiffeisen.ru by port 389 and got connected.
> > I installed JXplorer, entered hostname, port, my credentials and got
> > connected.
>
> telnet localhost 389 and see if you get any errors :)

bash-3.00$ telnet localhost 389
Trying...
telnet: connect: A remote host refused an attempted connect operation.


...but WHY is Tomcat trying to connect to localhost? It's clearly written
in the realm - connectionURL="ldap://raiffeisen.ru:389"
=(

> Regards
>   Felix
>
> > I start Tomcat and get errors.
> >
> > Can you please give me an idea about what am I doing wrong?
> >
> > Thanks in advance.
> >
> > Best Regards,
> > Karatun Lev.

Re: Fw: Problems with LDAP authentication

2012-02-10 Thread Pid
On 10/02/2012 11:53, Lev A KARATUN wrote:
> Pid,
>
> sorry, my English is not very good. What do you mean by "raised that
> particular issue too"?

We mentioned that allowing uncontrolled access to the logs was a bad
idea.  Your boss appears to agree.

> > That variable should be ${catalina.base}.
> Actually, there is no variable in the config file, and it works pretty
> fine.. I just did not want to insert the full path from / to the logs
> folder into my letter and so I wrote just $CATALINA_BASE.

OK.


p

 Best Regards, 
 Karatun Lev,
 
 
 
 
 Pid p...@pidster.com 
 10.02.2012 15:33
 Please respond to
 Tomcat Users List users@tomcat.apache.org
 
 
 To
 Tomcat Users List users@tomcat.apache.org
 cc
 
 Subject
 Re: Fw: Problems with LDAP authentication
 
 
 
 
 
 
 On 10/02/2012 10:43, Lev A KARATUN wrote:
 Does anybody have an idea?..


 

 Hi again.

 So, my boss told me that it's insecure to give anyone the password to 
 view 
 tomcat's logs and that should be an authentication based on Active 
 Directory.
 
 I think we raised that particular issue too.
 
 
 I've been reading the manuals for some time, and configured my Tomcat 
 the 
 following way:

 $CATALINA_BASE/conf/Catalina/localhost/myapp.xml

 Context antiResourceLocking=false privileged=true 
 docBase=$CATALINA_BASE/logs reloadable=true
 
 That variable should be ${catalina.base}.
 
 
 p
 
 Realm className=org.apache.catalina.realm.JNDIRealm 
 connectionURL=ldap://raiffeisen.ru:389;
  connectionName=myacco...@raiffeisen.ru  (I also tried the 
 format connectionName=cn=myaccount,dc=raiffeisen,dc=ru - does it 
 matter 
 what format do I use?)
 connectionPassword=mypassword
 referrals=follow
 userBase=OU=_Users,DC=raiffeisen,DC=ru
 userSearch=(sAMAccountName={0})
 userSubtree=true
 roleBase=OU=_Groups,DC=raiffeisen,DC=ru
 roleName=cn
 roleSubtree=true
 roleSearch=(member={0})
   /
 /Context


 WEB-INF/web.xml

 <security-constraint>
   <web-resource-collection>
     <web-resource-name>Administrative Area</web-resource-name>
     <url-pattern>/*</url-pattern>
   </web-resource-collection>
   <auth-constraint>
     <role-name>ADGroupName</role-name>
   </auth-constraint>
 </security-constraint>

 <security-role>
   <description>
     The role that is required to view logs
   </description>
   <role-name>ADGroupName</role-name>
 </security-role>


 I also placed LDAP.jar into $CATALINA_BASE/lib, restarted tomcat for I 
 guess a hundred times, but every time I'm getting a message in 
 catalina.out:

 Throwable occurred: LifecycleException:  Exception opening directory 
 server connection:  javax.naming.CommunicationException: localhost:389 
 [Root exception is java.net.ConnectException: A remote host refused an 
 attempted connect operation.]

 and 

 SEVERE: Error deploying configuration descriptor myapp.xml
 Throwable occurred: java.lang.IllegalStateException: 
 ContainerBase.addChild: start: LifecycleException:  Exception opening 
 directory server connection:  javax.naming.CommunicationException: 
 localhost:389 [Root exception is java.net.ConnectException: A remote 
 host 
 refused an attempted connect operation.]


 I tried to telnet raiffeisen.ru by port 389 and got connected.
 I installed JXplorer, entered hostname, port, my credentials and got 
 connected.
 I start Tomcat and get errors. 

 Can you please give me an idea about what am I doing wrong?

 Thanks in advance.

 Best Regards, 
 Karatun Lev.


 
 




Re: Fw: Problems with LDAP authentication

2012-02-10 Thread Pid
On 10/02/2012 12:54, Lev A KARATUN wrote:
 Please see my answers below.
 
 Best Regards, 
 Karatun Lev,
 
 
 Felix Schumacher felix.schumac...@internetallee.de wrote on 10.02.2012 
 15:31:43:
 

 On 10.02.2012 11:43, Lev A KARATUN wrote:
 Does anybody have an idea?..




 

 Hi again.

 So, my boss told me that it's insecure to give anyone the password to 
 view
 tomcat's logs and that should be an authentication based on Active
 Directory.

 I've been reading the manuals for some time, and configured my Tomcat 
 the
 following way:

 $CATALINA_BASE/conf/Catalina/localhost/myapp.xml

 Context antiResourceLocking=false privileged=true
 docBase=$CATALINA_BASE/logs reloadable=true

 Realm className=org.apache.catalina.realm.JNDIRealm
 connectionURL=ldap://raiffeisen.ru:389;
  connectionName=myacco...@raiffeisen.ru  (I also tried the
 format connectionName=cn=myaccount,dc=raiffeisen,dc=ru - does it 
 matter
 what format do I use?)
 For normal ldap servers it would be the latter one, e.g. a fully 
 qualified dn. ADS might accept the mail address of the user, but I 
 frankly don't know.
 
 Anyway, I tried both variants - the server refuses to accept the 
 connection
 

 connectionPassword=mypassword
 referrals=follow
 userBase=OU=_Users,DC=raiffeisen,DC=ru
 userSearch=(sAMAccountName={0})
 userSubtree=true
 roleBase=OU=_Groups,DC=raiffeisen,DC=ru
 roleName=cn
 roleSubtree=true
 roleSearch=(member={0})
 For ADS you might want to add adCompat=true (look at 
 http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html for further 
 infos).

 
 OK, added, but nothing changed =\
 

   /
 /Context


 WEB-INF/web.xml

 <security-constraint>
   <web-resource-collection>
     <web-resource-name>Administrative Area</web-resource-name>
     <url-pattern>/*</url-pattern>
   </web-resource-collection>
   <auth-constraint>
     <role-name>ADGroupName</role-name>
   </auth-constraint>
 </security-constraint>

 <security-role>
   <description>
     The role that is required to view logs
   </description>
   <role-name>ADGroupName</role-name>
 </security-role>


 I also placed LDAP.jar into $CATALINA_BASE/lib, restarted tomcat for 
 I
 guess a hundred times, but every time I'm getting a message in
 catalina.out:

 Throwable occurred: LifecycleException:  Exception opening directory
 server connection:  javax.naming.CommunicationException: 
 localhost:389
 [Root exception is java.net.ConnectException: A remote host refused 
 an
 attempted connect operation.]
 Since localhost is another server, than what you told us you had 
 configured, I think your context file is not being used. Search for 
 other context files, where you either have configured localhost or 
 misspelled connectionURL.
 
 But the 389th port is only mentioned in myapp's config file and nowhere 
 else. So I assume that Tomcat tries to use myapp.xml, but fails for some 
 reason..
 
 The other apps' context files are default - like this:
 <?xml version="1.0" encoding="UTF-8"?>
 <Context antiResourceLocking="false" privileged="true" />
 
 


 and

 SEVERE: Error deploying configuration descriptor myapp.xml
 Throwable occurred: java.lang.IllegalStateException:
 ContainerBase.addChild: start: LifecycleException:  Exception opening
 directory server connection:  javax.naming.CommunicationException:
 localhost:389 [Root exception is java.net.ConnectException: A remote 
 host
 refused an attempted connect operation.]


 I tried to telnet raiffeisen.ru by port 389 and got connected.
 I installed JXplorer, entered hostname, port, my credentials and got
 connected.
 telnet localhost 389 and see if you get any errors :)
 
 bash-3.00$ telnet localhost 389
 Trying...
 telnet: connect: A remote host refused an attempted connect operation.
 
 
 ...but WHY is Tomcat trying to connect to localhost? It's clearly written 
 in the realm - connectionURL=ldap://raiffeisen.ru:389;
 =(

That's why Felix said that he thought that this config wasn't the one
being used.

What is the name of the Context xml file in tomcat/conf/Catalina/localhost?

Is it logs.xml or myapp.xml or something else?


p






Re: Fw: Problems with LDAP authentication

2012-02-10 Thread Lev A KARATUN
 Pid p...@pidster.com 
 10.02.2012 17:35
 
 
 On 10/02/2012 12:54, Lev A KARATUN wrote:
  Please see my answers below.
  
  Best Regards, 
  Karatun Lev,
  
  
  Felix Schumacher felix.schumac...@internetallee.de wrote on 
10.02.2012 
  15:31:43:
  
 
  On 10.02.2012 11:43, Lev A KARATUN wrote:
  Does anybody have an idea?..
 
 
 
 
  
 

 
  Hi again.
 
  So, my boss told me that it's insecure to give anyone the password 
to 
  view
  tomcat's logs and that should be an authentication based on Active
  Directory.
 
  I've been reading the manuals for some time, and configured my 
Tomcat 
  the
  following way:
 
  $CATALINA_BASE/conf/Catalina/localhost/myapp.xml
 
  Context antiResourceLocking=false privileged=true
  docBase=$CATALINA_BASE/logs reloadable=true
 
  Realm className=org.apache.catalina.realm.JNDIRealm
  connectionURL=ldap://raiffeisen.ru:389;
   connectionName=myacco...@raiffeisen.ru  (I also tried the
  format connectionName=cn=myaccount,dc=raiffeisen,dc=ru - does it 
  matter
  what format do I use?)
  For normal ldap servers it would be the latter one, e.g. a fully 
  qualified dn. ADS might accept the mail address of the user, but I 
  frankly don't know.
  
  Anyway, I tried both variants - the server refuses to accept the 
  connection
  
 
  connectionPassword=mypassword
  referrals=follow
  userBase=OU=_Users,DC=raiffeisen,DC=ru
  userSearch=(sAMAccountName={0})
  userSubtree=true
  roleBase=OU=_Groups,DC=raiffeisen,DC=ru
  roleName=cn
  roleSubtree=true
  roleSearch=(member={0})
  For ADS you might want to add adCompat=true (look at 
  http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html for further 

  infos).
 
  
  OK, added, but nothing changed =\
  
 
/
  /Context
 
 
  WEB-INF/web.xml
 
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administrative Area</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ADGroupName</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <description>
      The role that is required to view logs
    </description>
    <role-name>ADGroupName</role-name>
  </security-role>
 
 
  I also placed LDAP.jar into $CATALINA_BASE/lib, restarted tomcat for 

  I
  guess a hundred times, but every time I'm getting a message in
  catalina.out:
 
  Throwable occurred: LifecycleException:  Exception opening directory
  server connection:  javax.naming.CommunicationException: 
  localhost:389
  [Root exception is java.net.ConnectException: A remote host refused 
  an
  attempted connect operation.]
  Since localhost is another server, than what you told us you had 
  configured, I think your context file is not being used. Search for 
  other context files, where you either have configured localhost or 
  misspelled connectionURL.
  
  But the 389th port is only mentioned in myapp's config file and 
nowhere 
  else. So I assume that Tomcat tries to use myapp.xml, but fails for 
some 
  reason..
  
  The other apps' context files are default - like this:
  <?xml version="1.0" encoding="UTF-8"?>
  <Context antiResourceLocking="false" privileged="true" />
  
  
 
 
  and
 
  SEVERE: Error deploying configuration descriptor myapp.xml
  Throwable occurred: java.lang.IllegalStateException:
  ContainerBase.addChild: start: LifecycleException:  Exception 
opening
  directory server connection:  javax.naming.CommunicationException:
  localhost:389 [Root exception is java.net.ConnectException: A remote 

  host
  refused an attempted connect operation.]
 
 
  I tried to telnet raiffeisen.ru by port 389 and got connected.
  I installed JXplorer, entered hostname, port, my credentials and got
  connected.
  telnet localhost 389 and see if you get any errors :)
  
  bash-3.00$ telnet localhost 389
  Trying...
  telnet: connect: A remote host refused an attempted connect operation.
  
  
  ...but WHY is Tomcat trying to connect to localhost? It's clearly 
written 
  in the realm - connectionURL=ldap://raiffeisen.ru:389;
  =(
 
 That's why Felix said that he thought that this config wasn't the one
 being used.
 
 What is the name of the Context xml file in 
tomcat/conf/Catalina/localhost?
 
 Is it logs.xml or myapp.xml or something else?
 

It is logs.xml



 
 p
 
 
 
 

Re: Fw: Problems with LDAP authentication

2012-02-10 Thread André Warnier

Lev A KARATUN wrote:
...



I've been reading the manuals for some time, and configured my 
Tomcat 

the
following way:

$CATALINA_BASE/conf/Catalina/localhost/myapp.xml

Context antiResourceLocking=false privileged=true
docBase=$CATALINA_BASE/logs reloadable=true


...


That's why Felix said that he thought that this config wasn't the one
being used.

What is the name of the Context xml file in 

tomcat/conf/Catalina/localhost?

Is it logs.xml or myapp.xml or something else?



It is logs.xml



Huh ?  Is it just me, or does something not fit ?
(or was this another edit before posting ?)
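
The checks the replies ask for (which descriptors exist under conf/Catalina/localhost, which context path each file name maps to, and whether its JNDIRealm really sets connectionURL) can be scripted. This is an added example, not code from the thread or from Tomcat; the descriptors, the host ldap.example.test and the misspelled attribute are constructed, and the attribute list covers only the names used in this thread.

```python
import difflib
import xml.etree.ElementTree as ET

# JNDIRealm attribute names used in this thread (assumption: extend for your realms).
KNOWN = sorted({"className", "connectionURL", "connectionName", "connectionPassword",
                "referrals", "userBase", "userSearch", "userSubtree", "roleBase",
                "roleName", "roleSubtree", "roleSearch", "adCompat"})

# Constructed descriptors standing in for files under conf/Catalina/localhost.
DESCRIPTORS = {
    "logs.xml": """<Context docBase="${catalina.base}/logs" privileged="true">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionUrl="ldap://ldap.example.test:389"
         userBase="OU=_Users,DC=example,DC=test"
         userSearch="(sAMAccountName={0})"/>
</Context>""",
    "myapp.xml": """<Context docBase="${catalina.base}/logs" privileged="true">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://ldap.example.test:389"
         userBase="OU=_Users,DC=example,DC=test"
         userSearch="(sAMAccountName={0})" adCompat="true"/>
</Context>""",
    "manager.xml": '<Context antiResourceLocking="false" privileged="true"/>',
}


def context_path(filename):
    """Context path Tomcat derives from a descriptor name (ROOT -> "", '#' -> '/')."""
    base = filename[:-4] if filename.endswith(".xml") else filename
    return "" if base == "ROOT" else "/" + base.replace("#", "/")


def audit(descriptors):
    """Return one finding per JNDIRealm declared in the given descriptors."""
    findings = []
    for name, text in sorted(descriptors.items()):
        for realm in ET.fromstring(text).iter("Realm"):
            if not realm.get("className", "").endswith("JNDIRealm"):
                continue
            # Near-misses of a known name are not applied as the intended property.
            suspects = {}
            for attr in realm.attrib:
                near = difflib.get_close_matches(attr, KNOWN, n=1, cutoff=0.8)
                if attr not in KNOWN and near:
                    suspects[attr] = near[0]
            findings.append({"file": name, "path": context_path(name),
                             "connectionURL": realm.get("connectionURL"),
                             "suspects": suspects})
    return findings


if __name__ == "__main__":
    for f in audit(DESCRIPTORS):
        url = f["connectionURL"] or "NOT SET, default host and port apply"
        print(f'{f["file"]} -> {f["path"] or "/"}: connectionURL={url}')
        for bad, meant in f["suspects"].items():
            print(f"  unrecognised attribute {bad!r}, did you mean {meant!r}?")
```

A realm reported with connectionURL not set is the case the replies describe, where the connection attempt goes to the default host and port instead of the configured directory server.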





Re: Fw: Problems with LDAP authentication

2012-02-10 Thread Felix Schumacher
On Friday, 10.02.2012, 16:54 +0400, Lev A KARATUN wrote:
 Felix Schumacher felix.schumac...@internetallee.de wrote on 10.02.2012 
 15:31:43:
 
  
 
  
   Hi again.
  
   So, my boss told me that it's insecure to give anyone the password to 
   view
   tomcat's logs and that should be an authentication based on Active
   Directory.
  
   I've been reading the manuals for some time, and configured my Tomcat 
   the
   following way:
  
   $CATALINA_BASE/conf/Catalina/localhost/myapp.xml
  
   Context antiResourceLocking=false privileged=true
   docBase=$CATALINA_BASE/logs reloadable=true
  
   Realm className=org.apache.catalina.realm.JNDIRealm
   connectionURL=ldap://raiffeisen.ru:389;
connectionName=myacco...@raiffeisen.ru  (I also tried the
   format connectionName=cn=myaccount,dc=raiffeisen,dc=ru - does it 
   matter
   what format do I use?)
  For normal ldap servers it would be the latter one, e.g. a fully 
  qualified dn. ADS might accept the mail address of the user, but I 
  frankly don't know.
 
 Anyway, I tried both variants - the server refuses to accept the 
 connection
No wonder, since your error message below tells us, that tomcat is
talking to localhost instead of raiffeisen.ru :)

 
  
   connectionPassword=mypassword
   referrals=follow
   userBase=OU=_Users,DC=raiffeisen,DC=ru
   userSearch=(sAMAccountName={0})
   userSubtree=true
   roleBase=OU=_Groups,DC=raiffeisen,DC=ru
   roleName=cn
   roleSubtree=true
   roleSearch=(member={0})
  For ADS you might want to add adCompat=true (look at 
  http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html for further 
  infos).
  
 
 OK, added, but nothing changed =\
Again, no wonder.

 
  
 /
   /Context
  
  
   WEB-INF/web.xml
  
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Administrative Area</web-resource-name>
       <url-pattern>/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
       <role-name>ADGroupName</role-name>
     </auth-constraint>
   </security-constraint>

   <security-role>
     <description>
       The role that is required to view logs
     </description>
     <role-name>ADGroupName</role-name>
   </security-role>
  
  
   I also placed LDAP.jar into $CATALINA_BASE/lib, restarted tomcat for 
I think, that is not needed since java 1.4.x, even if it is mentioned in
the howto :( I have never used that ldap.jar and wouldn't even know
where to get it. But my jndi-Realms work.

   I
   guess a hundred times, but every time I'm getting a message in
   catalina.out:
  
   Throwable occurred: LifecycleException:  Exception opening directory
   server connection:  javax.naming.CommunicationException: 
   localhost:389
   [Root exception is java.net.ConnectException: A remote host refused 
   an
   attempted connect operation.]
  Since localhost is another server, than what you told us you had 
  configured, I think your context file is not being used. Search for 
  other context files, where you either have configured localhost or 
  misspelled connectionURL.
 
 But the 389th port is only mentioned in myapp's config file and nowhere 
 else. So I assume that Tomcat tries to use myapp.xml, but fails for some 
 reason..
Don't look for 389 explicitly, since that is the default port as is
localhost the default host. Search for another context configuration,
which could be used.

 
 The other apps' context files are default - like this:
 <?xml version="1.0" encoding="UTF-8"?>
 <Context antiResourceLocking="false" privileged="true" />
I somehow doubt that privileged=true is default and that you need it,
but it is certainly irrelevant to your problems.

 
 
  
  
   and
  
   SEVERE: Error deploying configuration descriptor myapp.xml
   Throwable occurred: java.lang.IllegalStateException:
   ContainerBase.addChild: start: LifecycleException:  Exception opening
   directory server connection:  javax.naming.CommunicationException:
   localhost:389 [Root exception is java.net.ConnectException: A remote 
   host
   refused an attempted connect operation.]
  
  
   I tried to telnet raiffeisen.ru by port 389 and got connected.
   I installed JXplorer, entered hostname, port, my credentials and got
   connected.
  telnet localhost 389 and see if you get any errors :)
 
 bash-3.00$ telnet localhost 389
 Trying...
 telnet: connect: A remote host refused an attempted connect operation.
 
 
 ...but WHY is Tomcat trying to connect to localhost? It's clearly written 
 in the realm - connectionURL=ldap://raiffeisen.ru:389;
 =(
Either ldap.jar confuses it, or it uses another context file, or you
have a typo in your context file, which is not present in the config you
have shown us.

Regards
 Felix

 
 
  Regards
Felix
  
   I