Re: Fw: Problems with LDAP authentication
Lev A KARATUN wrote:
> Good morning everyone!
>
> Well, I've got no idea what happened (providing nobody is configuring tomcat except me), but I've just opened catalina.out and have seen that the error message changed to
>
>     Exception opening directory server connection: javax.naming.CommunicationException: raiffeisen.ru:389 [Root exception is java.net.SocketTimeoutException: connect timed out]
>
> so Tomcat is at least trying to connect to the proper host now.

Lev, I don't think that you can be sure of that yet.

I cannot comment on your Realm configuration (because I don't know how it works), but to me the kind of problem you are having makes me suspect that something is wrong in your network setup.

The "connect timed out", for example, suggests that Java/Tomcat may be connecting to a host that has port 389 open, and maybe the connect itself is working, but the response to the connect (a packet from that host raiffeisen.ru) never comes back to your Tomcat host.

Perhaps the LDAP host raiffeisen.ru is in a different network segment than your Tomcat host, and Tomcat can send packets to raiffeisen.ru, but raiffeisen.ru cannot send packets back to the Tomcat host? (some firewall or router in-between?)

Can you run a command-line session on the host raiffeisen.ru, and check if from there you can at least ping your Tomcat host?
Or use a traceroute (tracert under Windows) from your Tomcat host to the raiffeisen.ru host (and look at the IPs)?

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Fw: Problems with LDAP authentication
André Warnier a...@ice-sa.com 14.02.2012 16:00
Please respond to Tomcat Users List users@tomcat.apache.org
To Tomcat Users List users@tomcat.apache.org
cc
Subject Re: Fw: Problems with LDAP authentication

> Lev A KARATUN wrote:
>> Good morning everyone!
>>
>> Well, I've got no idea what happened (providing nobody is configuring tomcat except me), but I've just opened catalina.out and have seen that the error message changed to
>>
>>     Exception opening directory server connection: javax.naming.CommunicationException: raiffeisen.ru:389 [Root exception is java.net.SocketTimeoutException: connect timed out]
>>
>> so Tomcat is at least trying to connect to the proper host now.
>
> Lev, I don't think that you can be sure of that yet.
> I cannot comment on your Realm configuration (because I don't know how it works), but to me the kind of problem you are having makes me suspect that something is wrong in your network setup.
> The "connect timed out", for example, suggests that Java/Tomcat may be connecting to a host that has port 389 open, and maybe the connect itself is working, but the response to the connect (a packet from that host raiffeisen.ru) never comes back to your Tomcat host.
> Perhaps the LDAP host raiffeisen.ru is in a different network segment than your Tomcat host,

You're right, it is. Thanks for drawing my attention to it.

> and Tomcat can send packets to raiffeisen.ru, but raiffeisen.ru cannot send packets back to the Tomcat host? (some firewall or router in-between?)
> Can you run a command-line session on the host raiffeisen.ru,

Unfortunately, not. I've got no access there (and doubt that I can get it without joining a different department) )

> and check if from there you can at least ping your Tomcat host?

I tried it vice versa - when trying to ping raiffeisen.ru from my Tomcat host I get no answer.

> Or use a traceroute (tracert under Windows) from your Tomcat host to the raiffeisen.ru host (and look at the IPs)?

Well, I suppose, my first goal is to be able to telnet my AD host by port 389, right?
If you don't mind I'll write you again when I'm done with it )

---
This message and any attachment are confidential and may be privileged or otherwise protected from disclosure. If you are not the intended recipient any use, distribution, copying or disclosure is strictly prohibited. If you have received this message in error, please notify the sender immediately either by telephone or by e-mail and delete this message and any attachment from your system. Correspondence via e-mail is for information purposes only. ZAO Raiffeisenbank neither makes nor accepts legally binding statements by e-mail unless otherwise agreed.
---
Re: Fw: Problems with LDAP authentication
André Warnier a...@ice-sa.com 10.02.2012 18:02
Please respond to Tomcat Users List users@tomcat.apache.org
To Tomcat Users List users@tomcat.apache.org
cc
Subject Re: Fw: Problems with LDAP authentication

> Lev A KARATUN wrote:
>> ...
>> I've been reading the manuals for some time, and configured my Tomcat the following way:
>>
>> $CATALINA_BASE/conf/Catalina/localhost/myapp.xml
>>
>>     <Context antiResourceLocking="false" privileged="true" docBase="$CATALINA_BASE/logs" reloadable="true">
>>     ...
>
> That's why Felix said that he thought that this config wasn't the one being used.
>
>>> What is the name of the Context xml file in tomcat/conf/Catalina/localhost? Is it logs.xml or myapp.xml or something else?
>>
>> It is logs.xml
>
> Huh? Is it just me, or does something not fit? (or was this another edit before posting?)

The name of the file has always been logs.xml. When I was writing the 1st message about my problem, I used myapp.xml just as an example (because it really doesn't matter what the name of the app is, right?). When Pid asked me about the actual name of the app's context file, I answered him - logs.xml
Re: Fw: Problems with LDAP authentication
Good morning everyone!

Well, I've got no idea what happened (providing nobody is configuring tomcat except me), but I've just opened catalina.out and have seen that the error message changed to

    Exception opening directory server connection: javax.naming.CommunicationException: raiffeisen.ru:389 [Root exception is java.net.SocketTimeoutException: connect timed out]

so Tomcat is at least trying to connect to the proper host now. As far as I understand I've entered something wrong in the JNDI Realm properties. Am I right?

Here's my present realm config. Can you take a look please?

    <?xml version="1.0" encoding="UTF-8"?>
    <Context antiResourceLocking="false" privileged="true" docBase="/opt/tomcat/TC02/logs" reloadable="true">
      <Realm className="org.apache.catalina.realm.JNDIRealm"
             connectionURL="ldap://raiffeisen.ru:389"
             alternateURL="ldap://raiffeisen.ru:389"
             connectionName="cn=mylogin,dc=raiffeisen,dc=ru"
             connectionPassword="mypassword"
    (unencrypted (for development purposes) - is it correct?)
             referrals="follow"
             userBase="OU=_Users,DC=raiffeisen,DC=ru"
             userSearch="(sAMAccountName={0})"
             userSubtree="true"
             userPattern="uid={0},ou=_Users,dc=raiffeisen,dc=ru"
             roleBase="OU=_Groups,DC=raiffeisen,DC=ru"
             roleName="cn"
             roleSubtree="true"
             roleSearch="(member={0})"
             adCompat="true"/>
    </Context>

Thanks in advance.

Best Regards,
Karatun Lev,

Felix Schumacher felix.schumac...@internetallee.de wrote on 10.02.2012 21:51:25:

Felix Schumacher felix.schumac...@internetallee.de 10.02.2012 21:52
Please respond to Tomcat Users List users@tomcat.apache.org
To users@tomcat.apache.org
cc
Subject Re: Fw: Problems with LDAP authentication

> On Friday, 10.02.2012, 16:54 +0400, Lev A KARATUN wrote:
>> Felix Schumacher felix.schumac...@internetallee.de wrote on 10.02.2012 15:31:43:
>>
>> Felix Schumacher felix.schumac...@internetallee.de 10.02.2012 15:32
>>
>>>> Hi again. So, my boss told me that it's insecure to give anyone the password to view tomcat's logs and that there should be an authentication based on Active Directory.
>>>>
>>>> I've been reading the manuals for some time, and configured my Tomcat the following way:
>>>>
>>>> $CATALINA_BASE/conf/Catalina/localhost/myapp.xml
>>>>
>>>>     <Context antiResourceLocking="false" privileged="true" docBase="$CATALINA_BASE/logs" reloadable="true">
>>>>       <Realm className="org.apache.catalina.realm.JNDIRealm"
>>>>              connectionURL="ldap://raiffeisen.ru:389"
>>>>              connectionName="myacco...@raiffeisen.ru"
>>>>     (I also tried the format connectionName="cn=myaccount,dc=raiffeisen,dc=ru" - does it matter what format I use?)
>>>
>>> For normal ldap servers it would be the latter one, e.g. a fully qualified dn. ADS might accept the mail address of the user, but I frankly don't know.
>>
>> Anyway, I tried both variants - the server refuses to accept the connection
>
> No wonder, since your error message below tells us that tomcat is talking to localhost instead of raiffeisen.ru :)
>
>>>>              connectionPassword="mypassword"
>>>>              referrals="follow"
>>>>              userBase="OU=_Users,DC=raiffeisen,DC=ru"
>>>>              userSearch="(sAMAccountName={0})"
>>>>              userSubtree="true"
>>>>              roleBase="OU=_Groups,DC=raiffeisen,DC=ru"
>>>>              roleName="cn"
>>>>              roleSubtree="true"
>>>>              roleSearch="(member={0})"
>>>
>>> For ADS you might want to add adCompat="true" (look at http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html for further infos).
>>
>> OK, added, but nothing changed =\
>
> Again, no wonder.
>
>>>>       />
>>>>     </Context>
>>>>
>>>> WEB-INF/web.xml
>>>>
>>>>     <security-constraint>
>>>>       <web-resource-collection>
>>>>         <web-resource-name>Administrative Area</web-resource-name>
>>>>         <url-pattern>/*</url-pattern>
>>>>       </web-resource-collection>
>>>>       <auth-constraint>
>>>>         <role-name>ADGroupName</role-name>
>>>>       </auth-constraint>
>>>>     </security-constraint>
>>>>     <security-role>
>>>>       <description>The role that is required to view logs</description>
>>>>       <role-name>ADGroupName</role-name>
>>>>     </security-role>
>>>>
>>>> I also placed LDAP.jar into $CATALINA_BASE/lib, restarted tomcat
>
> I think that is not needed since java 1.4.x, even if it is mentioned in the howto :( I have never used that ldap.jar and wouldn't even know where to get it. But my jndi-Realms work.
>
>>>> I guess a hundred times, but every time I'm getting a message in catalina.out:
>>>>
>>>>     Throwable occurred: LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: A remote host refused an attempted connect operation.]
>>>
>>> Since localhost is a different server than what you told us you had configured, I think your context file is not being used. Search
Fw: Problems with LDAP authentication
Does anybody have an idea?..

Hi again. So, my boss told me that it's insecure to give anyone the password to view tomcat's logs and that there should be an authentication based on Active Directory.

I've been reading the manuals for some time, and configured my Tomcat the following way:

$CATALINA_BASE/conf/Catalina/localhost/myapp.xml

    <Context antiResourceLocking="false" privileged="true" docBase="$CATALINA_BASE/logs" reloadable="true">
      <Realm className="org.apache.catalina.realm.JNDIRealm"
             connectionURL="ldap://raiffeisen.ru:389"
             connectionName="myacco...@raiffeisen.ru"
    (I also tried the format connectionName="cn=myaccount,dc=raiffeisen,dc=ru" - does it matter what format I use?)
             connectionPassword="mypassword"
             referrals="follow"
             userBase="OU=_Users,DC=raiffeisen,DC=ru"
             userSearch="(sAMAccountName={0})"
             userSubtree="true"
             roleBase="OU=_Groups,DC=raiffeisen,DC=ru"
             roleName="cn"
             roleSubtree="true"
             roleSearch="(member={0})"
      />
    </Context>

WEB-INF/web.xml

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Administrative Area</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>ADGroupName</role-name>
      </auth-constraint>
    </security-constraint>
    <security-role>
      <description>The role that is required to view logs</description>
      <role-name>ADGroupName</role-name>
    </security-role>

I also placed LDAP.jar into $CATALINA_BASE/lib, restarted tomcat I guess a hundred times, but every time I'm getting a message in catalina.out:

    Throwable occurred: LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: A remote host refused an attempted connect operation.]

and

    SEVERE: Error deploying configuration descriptor myapp.xml
    Throwable occurred: java.lang.IllegalStateException: ContainerBase.addChild: start: LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: A remote host refused an attempted connect operation.]

I tried to telnet raiffeisen.ru by port 389 and got connected. I installed JXplorer, entered hostname, port, my credentials and got connected. I start Tomcat and get errors.

Can you please give me an idea about what I am doing wrong?

Thanks in advance.

Best Regards,
Karatun Lev.
Re: Fw: Problems with LDAP authentication
On 10.02.2012 11:43, Lev A KARATUN wrote:
> Does anybody have an idea?..
>
> Hi again. So, my boss told me that it's insecure to give anyone the password to view tomcat's logs and that there should be an authentication based on Active Directory.
>
> I've been reading the manuals for some time, and configured my Tomcat the following way:
>
> $CATALINA_BASE/conf/Catalina/localhost/myapp.xml
>
>     <Context antiResourceLocking="false" privileged="true" docBase="$CATALINA_BASE/logs" reloadable="true">
>       <Realm className="org.apache.catalina.realm.JNDIRealm"
>              connectionURL="ldap://raiffeisen.ru:389"
>              connectionName="myacco...@raiffeisen.ru"
>     (I also tried the format connectionName="cn=myaccount,dc=raiffeisen,dc=ru" - does it matter what format I use?)

For normal ldap servers it would be the latter one, e.g. a fully qualified dn. ADS might accept the mail address of the user, but I frankly don't know.

>              connectionPassword="mypassword"
>              referrals="follow"
>              userBase="OU=_Users,DC=raiffeisen,DC=ru"
>              userSearch="(sAMAccountName={0})"
>              userSubtree="true"
>              roleBase="OU=_Groups,DC=raiffeisen,DC=ru"
>              roleName="cn"
>              roleSubtree="true"
>              roleSearch="(member={0})"

For ADS you might want to add adCompat="true" (look at http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html for further infos).

>       />
>     </Context>
>
> WEB-INF/web.xml
>
>     <security-constraint>
>       <web-resource-collection>
>         <web-resource-name>Administrative Area</web-resource-name>
>         <url-pattern>/*</url-pattern>
>       </web-resource-collection>
>       <auth-constraint>
>         <role-name>ADGroupName</role-name>
>       </auth-constraint>
>     </security-constraint>
>     <security-role>
>       <description>The role that is required to view logs</description>
>       <role-name>ADGroupName</role-name>
>     </security-role>
>
> I also placed LDAP.jar into $CATALINA_BASE/lib, restarted tomcat I guess a hundred times, but every time I'm getting a message in catalina.out:
>
>     Throwable occurred: LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: A remote host refused an attempted connect operation.]

Since localhost is a different server than what you told us you had configured, I think your context file is not being used. Search for other context files, where you either have configured localhost or misspelled connectionURL.

> and
>
>     SEVERE: Error deploying configuration descriptor myapp.xml
>     Throwable occurred: java.lang.IllegalStateException: ContainerBase.addChild: start: LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: A remote host refused an attempted connect operation.]
>
> I tried to telnet raiffeisen.ru by port 389 and got connected. I installed JXplorer, entered hostname, port, my credentials and got connected.

telnet localhost 389 and see if you get any errors :)

Regards
Felix

> I start Tomcat and get errors.
>
> Can you please give me an idea about what I am doing wrong?
>
> Thanks in advance.
>
> Best Regards,
> Karatun Lev.
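Two diagnostic rules run through this thread: Felix's observation that the host named in the CommunicationException (localhost) is not the host in the connectionURL, so the Realm actually loaded cannot be the one being edited, and André's point that "connection refused" (a host answered) and "connect timed out" (no reply at all, typically a firewall or one-way routing between segments) point at different causes. The script below is an added example, not code from the thread or from Tomcat: it applies both rules to constructed catalina.out lines modelled on the ones quoted above, and probes a host:port the way telnet was used here, mapping the outcome onto the same refused/timeout classes. The mapping in ROOT_MEANING is my reading of the Java exception classes, and the function names are mine.

```python
import re
import socket
from urllib.parse import urlparse

# Constructed sample lines, modelled on the two catalina.out messages quoted in this thread.
SAMPLE_LOG = [
    "Throwable occurred: LifecycleException: Exception opening directory server connection: "
    "javax.naming.CommunicationException: localhost:389 [Root exception is "
    "java.net.ConnectException: A remote host refused an attempted connect operation.]",
    "Exception opening directory server connection: javax.naming.CommunicationException: "
    "raiffeisen.ru:389 [Root exception is java.net.SocketTimeoutException: connect timed out]",
    "INFO: Server startup in 1234 ms",  # unrelated line, must be ignored
]

# host:port and the root exception class of a JNDIRealm connection failure
LINE_RE = re.compile(
    r"javax\.naming\.CommunicationException:\s*(?P<host>[^:\s]+):(?P<port>\d+)\s*"
    r"\[Root exception is (?P<root>[\w.]+):"
)

# What each root exception says about the network path (my interpretation, see lead-in)
ROOT_MEANING = {
    "java.net.ConnectException": "refused",        # a host answered and rejected the port
    "java.net.SocketTimeoutException": "timeout",  # SYN sent, nothing ever came back
    "java.net.UnknownHostException": "dns",        # the name did not resolve
}


def parse_jndi_error(line):
    """Extract host, port and cause from one catalina.out line; None if it is not a JNDI failure."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"host": m.group("host"), "port": int(m.group("port")),
            "cause": ROOT_MEANING.get(m.group("root"), "other")}


def diagnose(line, configured_url):
    """Return findings for one log line, given the connectionURL you believe Tomcat is using."""
    info = parse_jndi_error(line)
    if info is None:
        return []
    cfg = urlparse(configured_url)
    cfg_host = (cfg.hostname or "").lower()
    cfg_port = cfg.port or (636 if cfg.scheme == "ldaps" else 389)
    findings = []
    # Felix's check: the host in the exception must match the host in the Realm you edited
    if (info["host"].lower(), info["port"]) != (cfg_host, cfg_port):
        findings.append(
            "config-not-in-use: Tomcat tried %s:%d but connectionURL points at %s:%d, "
            "so the Realm actually loaded is not the one you edited"
            % (info["host"], info["port"], cfg_host, cfg_port))
    # André's distinction: refused means a host answered; timeout means no reply at all
    if info["cause"] == "refused":
        findings.append("refused: the target answered and nothing is listening on that port")
    elif info["cause"] == "timeout":
        findings.append("timeout: no reply to the connect, suspect a firewall or one-way routing between segments")
    elif info["cause"] == "dns":
        findings.append("dns: the hostname in connectionURL did not resolve")
    return findings


def probe_tcp(host, port, timeout=3.0):
    """Classify a TCP connect the same way the Java root exceptions do."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"  # e.g. no route to host, network down


def self_check():
    """Run probe_tcp against a local listener: open while it exists, refused once it is closed."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        while_open = probe_tcp("127.0.0.1", port, timeout=2.0)
    finally:
        srv.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=2.0)
    return while_open, after_close


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for finding in diagnose(line, "ldap://raiffeisen.ru:389"):
            print(finding)
    print("local probe:", self_check())
```

Run against the first sample line with the connectionURL from the thread, diagnose() reports both the host mismatch and the refused connect; the second line yields only the timeout finding, which is the case André describes where the next step is tracing the route rather than re-reading the Realm attributes.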
Re: Fw: Problems with LDAP authentication
On 10/02/2012 10:43, Lev A KARATUN wrote:
> Does anybody have an idea?..
>
> Hi again. So, my boss told me that it's insecure to give anyone the password to view tomcat's logs and that there should be an authentication based on Active Directory.

I think we raised that particular issue too.

> I've been reading the manuals for some time, and configured my Tomcat the following way:
>
> $CATALINA_BASE/conf/Catalina/localhost/myapp.xml
>
>     <Context antiResourceLocking="false" privileged="true" docBase="$CATALINA_BASE/logs" reloadable="true">

That variable should be ${catalina.base}.

p

>       <Realm className="org.apache.catalina.realm.JNDIRealm"
>              connectionURL="ldap://raiffeisen.ru:389"
>              connectionName="myacco...@raiffeisen.ru"
>     (I also tried the format connectionName="cn=myaccount,dc=raiffeisen,dc=ru" - does it matter what format I use?)
>              connectionPassword="mypassword"
>              referrals="follow"
>              userBase="OU=_Users,DC=raiffeisen,DC=ru"
>              userSearch="(sAMAccountName={0})"
>              userSubtree="true"
>              roleBase="OU=_Groups,DC=raiffeisen,DC=ru"
>              roleName="cn"
>              roleSubtree="true"
>              roleSearch="(member={0})"
>       />
>     </Context>
>
> WEB-INF/web.xml
>
>     <security-constraint>
>       <web-resource-collection>
>         <web-resource-name>Administrative Area</web-resource-name>
>         <url-pattern>/*</url-pattern>
>       </web-resource-collection>
>       <auth-constraint>
>         <role-name>ADGroupName</role-name>
>       </auth-constraint>
>     </security-constraint>
>     <security-role>
>       <description>The role that is required to view logs</description>
>       <role-name>ADGroupName</role-name>
>     </security-role>
>
> I also placed LDAP.jar into $CATALINA_BASE/lib, restarted tomcat I guess a hundred times, but every time I'm getting a message in catalina.out:
>
>     Throwable occurred: LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: A remote host refused an attempted connect operation.]
>
> and
>
>     SEVERE: Error deploying configuration descriptor myapp.xml
>     Throwable occurred: java.lang.IllegalStateException: ContainerBase.addChild: start: LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: A remote host refused an attempted connect operation.]
>
> I tried to telnet raiffeisen.ru by port 389 and got connected. I installed JXplorer, entered hostname, port, my credentials and got connected. I start Tomcat and get errors.
>
> Can you please give me an idea about what I am doing wrong?
>
> Thanks in advance.
>
> Best Regards,
> Karatun Lev.

--
[key:62590808]
Re: Fw: Problems with LDAP authentication
Pid, sorry, my english is not very good. What do you mean by "raised that particular issue too"?

> That variable should be ${catalina.base}.

Actually, there is no variable in the config file, and it works pretty fine.. I just did not want to insert the full path from / to the logs folder into my letter and so I wrote just $CATALINA_BASE.

Best Regards,
Karatun Lev,

Pid p...@pidster.com 10.02.2012 15:33
Please respond to Tomcat Users List users@tomcat.apache.org
To Tomcat Users List users@tomcat.apache.org
cc
Subject Re: Fw: Problems with LDAP authentication

> On 10/02/2012 10:43, Lev A KARATUN wrote:
>> Does anybody have an idea?..
>>
>> Hi again. So, my boss told me that it's insecure to give anyone the password to view tomcat's logs and that there should be an authentication based on Active Directory.
>
> I think we raised that particular issue too.
>
>> I've been reading the manuals for some time, and configured my Tomcat the following way:
>>
>> $CATALINA_BASE/conf/Catalina/localhost/myapp.xml
>>
>>     <Context antiResourceLocking="false" privileged="true" docBase="$CATALINA_BASE/logs" reloadable="true">
>
> That variable should be ${catalina.base}.
>
> p
>
>>       <Realm className="org.apache.catalina.realm.JNDIRealm"
>>              connectionURL="ldap://raiffeisen.ru:389"
>>              connectionName="myacco...@raiffeisen.ru"
>>     (I also tried the format connectionName="cn=myaccount,dc=raiffeisen,dc=ru" - does it matter what format I use?)
>>              connectionPassword="mypassword"
>>              referrals="follow"
>>              userBase="OU=_Users,DC=raiffeisen,DC=ru"
>>              userSearch="(sAMAccountName={0})"
>>              userSubtree="true"
>>              roleBase="OU=_Groups,DC=raiffeisen,DC=ru"
>>              roleName="cn"
>>              roleSubtree="true"
>>              roleSearch="(member={0})"
>>       />
>>     </Context>
>>
>> WEB-INF/web.xml
>>
>>     <security-constraint>
>>       <web-resource-collection>
>>         <web-resource-name>Administrative Area</web-resource-name>
>>         <url-pattern>/*</url-pattern>
>>       </web-resource-collection>
>>       <auth-constraint>
>>         <role-name>ADGroupName</role-name>
>>       </auth-constraint>
>>     </security-constraint>
>>     <security-role>
>>       <description>The role that is required to view logs</description>
>>       <role-name>ADGroupName</role-name>
>>     </security-role>
>>
>> I also placed LDAP.jar into $CATALINA_BASE/lib, restarted tomcat I guess a hundred times, but every time I'm getting a message in catalina.out:
>>
>>     Throwable occurred: LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: A remote host refused an attempted connect operation.]
>>
>> and
>>
>>     SEVERE: Error deploying configuration descriptor myapp.xml
>>     Throwable occurred: java.lang.IllegalStateException: ContainerBase.addChild: start: LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: A remote host refused an attempted connect operation.]
>>
>> I tried to telnet raiffeisen.ru by port 389 and got connected. I installed JXplorer, entered hostname, port, my credentials and got connected. I start Tomcat and get errors.
>>
>> Can you please give me an idea about what I am doing wrong?
>>
>> Thanks in advance.
>>
>> Best Regards,
>> Karatun Lev.
>
> --
> [key:62590808]
Re: Fw: Problems with LDAP authentication
Please see my answers below.

Best Regards,
Karatun Lev,

Felix Schumacher felix.schumac...@internetallee.de wrote on 10.02.2012 15:31:43:

Felix Schumacher felix.schumac...@internetallee.de 10.02.2012 15:32
Please respond to Tomcat Users List users@tomcat.apache.org
To Tomcat Users List users@tomcat.apache.org
cc
Subject Re: Fw: Problems with LDAP authentication

> On 10.02.2012 11:43, Lev A KARATUN wrote:
>> Does anybody have an idea?..
>>
>> Hi again. So, my boss told me that it's insecure to give anyone the password to view tomcat's logs and that there should be an authentication based on Active Directory.
>>
>> I've been reading the manuals for some time, and configured my Tomcat the following way:
>>
>> $CATALINA_BASE/conf/Catalina/localhost/myapp.xml
>>
>>     <Context antiResourceLocking="false" privileged="true" docBase="$CATALINA_BASE/logs" reloadable="true">
>>       <Realm className="org.apache.catalina.realm.JNDIRealm"
>>              connectionURL="ldap://raiffeisen.ru:389"
>>              connectionName="myacco...@raiffeisen.ru"
>>     (I also tried the format connectionName="cn=myaccount,dc=raiffeisen,dc=ru" - does it matter what format I use?)
>
> For normal ldap servers it would be the latter one, e.g. a fully qualified dn. ADS might accept the mail address of the user, but I frankly don't know.

Anyway, I tried both variants - the server refuses to accept the connection

>>              connectionPassword="mypassword"
>>              referrals="follow"
>>              userBase="OU=_Users,DC=raiffeisen,DC=ru"
>>              userSearch="(sAMAccountName={0})"
>>              userSubtree="true"
>>              roleBase="OU=_Groups,DC=raiffeisen,DC=ru"
>>              roleName="cn"
>>              roleSubtree="true"
>>              roleSearch="(member={0})"
>
> For ADS you might want to add adCompat="true" (look at http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html for further infos).

OK, added, but nothing changed =\

>>       />
>>     </Context>
>>
>> WEB-INF/web.xml
>>
>>     <security-constraint>
>>       <web-resource-collection>
>>         <web-resource-name>Administrative Area</web-resource-name>
>>         <url-pattern>/*</url-pattern>
>>       </web-resource-collection>
>>       <auth-constraint>
>>         <role-name>ADGroupName</role-name>
>>       </auth-constraint>
>>     </security-constraint>
>>     <security-role>
>>       <description>The role that is required to view logs</description>
>>       <role-name>ADGroupName</role-name>
>>     </security-role>
>>
>> I also placed LDAP.jar into $CATALINA_BASE/lib, restarted tomcat I guess a hundred times, but every time I'm getting a message in catalina.out:
>>
>>     Throwable occurred: LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: A remote host refused an attempted connect operation.]
>
> Since localhost is a different server than what you told us you had configured, I think your context file is not being used. Search for other context files, where you either have configured localhost or misspelled connectionURL.

But the 389th port is only mentioned in myapp's config file and nowhere else. So I assume that Tomcat tries to use myapp.xml, but fails for some reason.. The other apps' context files are default - like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <Context antiResourceLocking="false" privileged="true" />

>> and
>>
>>     SEVERE: Error deploying configuration descriptor myapp.xml
>>     Throwable occurred: java.lang.IllegalStateException: ContainerBase.addChild: start: LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: A remote host refused an attempted connect operation.]
>>
>> I tried to telnet raiffeisen.ru by port 389 and got connected. I installed JXplorer, entered hostname, port, my credentials and got connected.
>
> telnet localhost 389 and see if you get any errors :)

    bash-3.00$ telnet localhost 389
    Trying...
    telnet: connect: A remote host refused an attempted connect operation.

...but WHY is Tomcat trying to connect to localhost? It's clearly written in the realm - connectionURL="ldap://raiffeisen.ru:389" =(

> Regards
> Felix
>
>> I start Tomcat and get errors.
>>
>> Can you please give me an idea about what I am doing wrong?
>>
>> Thanks in advance.
>>
>> Best Regards,
>> Karatun Lev.
Re: Fw: Problems with LDAP authentication
On 10/02/2012 11:53, Lev A KARATUN wrote:
> Pid, sorry, my english is not very good. What do you mean by "raised that particular issue too"?

We mentioned that allowing uncontrolled access to the logs was a bad idea. Your boss appears to agree.

>> That variable should be ${catalina.base}.
>
> Actually, there is no variable in the config file, and it works pretty fine.. I just did not want to insert the full path from / to the logs folder into my letter and so I wrote just $CATALINA_BASE.

OK.

p

> Best Regards,
> Karatun Lev,
>
> Pid p...@pidster.com 10.02.2012 15:33
> Please respond to Tomcat Users List users@tomcat.apache.org
> To Tomcat Users List users@tomcat.apache.org
> cc
> Subject Re: Fw: Problems with LDAP authentication
>
>> On 10/02/2012 10:43, Lev A KARATUN wrote:
>>> Does anybody have an idea?..
>>>
>>> Hi again. So, my boss told me that it's insecure to give anyone the password to view tomcat's logs and that there should be an authentication based on Active Directory.
>>
>> I think we raised that particular issue too.
>>
>>> I've been reading the manuals for some time, and configured my Tomcat the following way:
>>>
>>> $CATALINA_BASE/conf/Catalina/localhost/myapp.xml
>>>
>>>     <Context antiResourceLocking="false" privileged="true" docBase="$CATALINA_BASE/logs" reloadable="true">
>>
>> That variable should be ${catalina.base}.
>>
>> p
>>
>>>       <Realm className="org.apache.catalina.realm.JNDIRealm"
>>>              connectionURL="ldap://raiffeisen.ru:389"
>>>              connectionName="myacco...@raiffeisen.ru"
>>>     (I also tried the format connectionName="cn=myaccount,dc=raiffeisen,dc=ru" - does it matter what format I use?)
>>>              connectionPassword="mypassword"
>>>              referrals="follow"
>>>              userBase="OU=_Users,DC=raiffeisen,DC=ru"
>>>              userSearch="(sAMAccountName={0})"
>>>              userSubtree="true"
>>>              roleBase="OU=_Groups,DC=raiffeisen,DC=ru"
>>>              roleName="cn"
>>>              roleSubtree="true"
>>>              roleSearch="(member={0})"
>>>       />
>>>     </Context>
>>>
>>> WEB-INF/web.xml
>>>
>>>     <security-constraint>
>>>       <web-resource-collection>
>>>         <web-resource-name>Administrative Area</web-resource-name>
>>>         <url-pattern>/*</url-pattern>
>>>       </web-resource-collection>
>>>       <auth-constraint>
>>>         <role-name>ADGroupName</role-name>
>>>       </auth-constraint>
>>>     </security-constraint>
>>>     <security-role>
>>>       <description>The role that is required to view logs</description>
>>>       <role-name>ADGroupName</role-name>
>>>     </security-role>
>>>
>>> I also placed LDAP.jar into $CATALINA_BASE/lib, restarted tomcat I guess a hundred times, but every time I'm getting a message in catalina.out:
>>>
>>>     Throwable occurred: LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: A remote host refused an attempted connect operation.]
>>>
>>> and
>>>
>>>     SEVERE: Error deploying configuration descriptor myapp.xml
>>>     Throwable occurred: java.lang.IllegalStateException: ContainerBase.addChild: start: LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: A remote host refused an attempted connect operation.]
>>>
>>> I tried to telnet raiffeisen.ru by port 389 and got connected. I installed JXplorer, entered hostname, port, my credentials and got connected. I start Tomcat and get errors.
>>>
>>> Can you please give me an idea about what I am doing wrong?
>>>
>>> Thanks in advance.
>>>
>>> Best Regards,
>>> Karatun Lev.
>>
>> --
>> [key:62590808]

--
[key:62590808]
Re: Fw: Problems with LDAP authentication
On 10/02/2012 12:54, Lev A KARATUN wrote:
> Please see my answers below.
>
> Best Regards,
> Karatun Lev
>
> Felix Schumacher felix.schumac...@internetallee.de wrote on 10.02.2012 15:31:43:
>
> Felix Schumacher felix.schumac...@internetallee.de
> 10.02.2012 15:32
> Please respond to Tomcat Users List users@tomcat.apache.org
> To: Tomcat Users List users@tomcat.apache.org
> Subject: Re: Fw: Problems with LDAP authentication
>
>> On 10.02.2012 11:43, Lev A KARATUN wrote:
>>> Does anybody have an idea?..
>>>
>>> Hi again. So, my boss told me that it's insecure to give anyone the password to view Tomcat's logs and that there should be authentication based on Active Directory.
>>>
>>> I've been reading the manuals for some time, and configured my Tomcat the following way:
>>>
>>> $CATALINA_BASE/conf/Catalina/localhost/myapp.xml
>>>
>>>   <Context antiResourceLocking="false" privileged="true"
>>>            docBase="$CATALINA_BASE/logs" reloadable="true">
>>>     <Realm className="org.apache.catalina.realm.JNDIRealm"
>>>            connectionURL="ldap://raiffeisen.ru:389"
>>>            connectionName="myacco...@raiffeisen.ru"
>>>            (I also tried the format connectionName="cn=myaccount,dc=raiffeisen,dc=ru" - does it matter what format I use?)
>>
>> For normal LDAP servers it would be the latter one, e.g. a fully qualified DN. ADS might accept the mail address of the user, but I frankly don't know.
>
> Anyway, I tried both variants - the server refuses to accept the connection.
>
>>>            connectionPassword="mypassword"
>>>            referrals="follow"
>>>            userBase="OU=_Users,DC=raiffeisen,DC=ru"
>>>            userSearch="(sAMAccountName={0})"
>>>            userSubtree="true"
>>>            roleBase="OU=_Groups,DC=raiffeisen,DC=ru"
>>>            roleName="cn"
>>>            roleSubtree="true"
>>>            roleSearch="(member={0})"
>>
>> For ADS you might want to add adCompat="true" (look at http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html for further info).
>
> OK, added, but nothing changed =\
>
>>>            />
>>>   </Context>
>>>
>>> WEB-INF/web.xml
>>>
>>>   <security-constraint>
>>>     <web-resource-collection>
>>>       <web-resource-name>Administrative Area</web-resource-name>
>>>       <url-pattern>/*</url-pattern>
>>>     </web-resource-collection>
>>>     <auth-constraint>
>>>       <role-name>ADGroupName</role-name>
>>>     </auth-constraint>
>>>   </security-constraint>
>>>   <security-role>
>>>     <description>The role that is required to view logs</description>
>>>     <role-name>ADGroupName</role-name>
>>>   </security-role>
>>>
>>> I also placed LDAP.jar into $CATALINA_BASE/lib, restarted Tomcat I guess a hundred times, but every time I'm getting a message in catalina.out:
>>>
>>>   Throwable occurred: LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: A remote host refused an attempted connect operation.]
>>
>> Since localhost is a different server than what you told us you had configured, I think your context file is not being used. Search for other context files, where you either have configured localhost or misspelled connectionURL.
>
> But port 389 is only mentioned in myapp's config file and nowhere else. So I assume that Tomcat tries to use myapp.xml, but fails for some reason. The other apps' context files are default - like this:
>
>   <?xml version="1.0" encoding="UTF-8"?>
>   <Context antiResourceLocking="false" privileged="true" />
>
>>> and
>>>
>>>   SEVERE: Error deploying configuration descriptor myapp.xml
>>>   Throwable occurred: java.lang.IllegalStateException: ContainerBase.addChild: start: LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: A remote host refused an attempted connect operation.]
>>>
>>> I tried to telnet raiffeisen.ru on port 389 and got connected. I installed JXplorer, entered hostname, port, my credentials and got connected.
>>
>> telnet localhost 389 and see if you get any errors :)
>
> bash-3.00$ telnet localhost 389
> Trying...
> telnet: connect: A remote host refused an attempted connect operation.
>
> ...but WHY is Tomcat trying to connect to localhost? It's clearly written in the realm - connectionURL="ldap://raiffeisen.ru:389" =(

That's why Felix said that he thought that this config wasn't the one being used.

What is the name of the Context xml file in tomcat/conf/Catalina/localhost? Is it logs.xml or myapp.xml or something else?

p

--
[key:62590808]
Re: Fw: Problems with LDAP authentication
Pid p...@pidster.com
10.02.2012 17:35
Please respond to Tomcat Users List users@tomcat.apache.org
To: Tomcat Users List users@tomcat.apache.org
Subject: Re: Fw: Problems with LDAP authentication

> On 10/02/2012 12:54, Lev A KARATUN wrote:
>> Please see my answers below.
>>
>>>> I tried to telnet raiffeisen.ru on port 389 and got connected. I installed JXplorer, entered hostname, port, my credentials and got connected.
>>>
>>> telnet localhost 389 and see if you get any errors :)
>>
>> bash-3.00$ telnet localhost 389
>> Trying...
>> telnet: connect: A remote host refused an attempted connect operation.
>>
>> ...but WHY is Tomcat trying to connect to localhost? It's clearly written in the realm - connectionURL="ldap://raiffeisen.ru:389" =(
>
> That's why Felix said that he thought that this config wasn't the one being used.
>
> What is the name of the Context xml file in tomcat/conf/Catalina/localhost? Is it logs.xml or myapp.xml or something else?

It is logs.xml

> p
>
> --
> [key:62590808]
Re: Fw: Problems with LDAP authentication
Lev A KARATUN wrote:
...
> I've been reading the manuals for some time, and configured my Tomcat the following way:
>
> $CATALINA_BASE/conf/Catalina/localhost/myapp.xml
>
>   <Context antiResourceLocking="false" privileged="true"
>            docBase="$CATALINA_BASE/logs" reloadable="true">
...
>> That's why Felix said that he thought that this config wasn't the one being used.
>>
>> What is the name of the Context xml file in tomcat/conf/Catalina/localhost? Is it logs.xml or myapp.xml or something else?
>
> It is logs.xml

Huh? Is it just me, or does something not fit? (Or was this another edit before posting?)

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Fw: Problems with LDAP authentication
On Friday, 10.02.2012, 16:54 +0400, Lev A KARATUN wrote:
> Felix Schumacher felix.schumac...@internetallee.de wrote on 10.02.2012 15:31:43:
>
> Felix Schumacher felix.schumac...@internetallee.de
> 10.02.2012 15:32
>
>>> Hi again. So, my boss told me that it's insecure to give anyone the password to view Tomcat's logs and that there should be authentication based on Active Directory.
>>>
>>> I've been reading the manuals for some time, and configured my Tomcat the following way:
>>>
>>> $CATALINA_BASE/conf/Catalina/localhost/myapp.xml
>>>
>>>   <Context antiResourceLocking="false" privileged="true"
>>>            docBase="$CATALINA_BASE/logs" reloadable="true">
>>>     <Realm className="org.apache.catalina.realm.JNDIRealm"
>>>            connectionURL="ldap://raiffeisen.ru:389"
>>>            connectionName="myacco...@raiffeisen.ru"
>>>            (I also tried the format connectionName="cn=myaccount,dc=raiffeisen,dc=ru" - does it matter what format I use?)
>>
>> For normal LDAP servers it would be the latter one, e.g. a fully qualified DN. ADS might accept the mail address of the user, but I frankly don't know.
>
> Anyway, I tried both variants - the server refuses to accept the connection.

No wonder, since your error message below tells us that Tomcat is talking to localhost instead of raiffeisen.ru :)

>>>            connectionPassword="mypassword"
>>>            referrals="follow"
>>>            userBase="OU=_Users,DC=raiffeisen,DC=ru"
>>>            userSearch="(sAMAccountName={0})"
>>>            userSubtree="true"
>>>            roleBase="OU=_Groups,DC=raiffeisen,DC=ru"
>>>            roleName="cn"
>>>            roleSubtree="true"
>>>            roleSearch="(member={0})"
>>
>> For ADS you might want to add adCompat="true" (look at http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html for further info).
>
> OK, added, but nothing changed =\

Again, no wonder.

>>>            />
>>>   </Context>
>>>
>>> WEB-INF/web.xml
>>>
>>>   <security-constraint>
>>>     <web-resource-collection>
>>>       <web-resource-name>Administrative Area</web-resource-name>
>>>       <url-pattern>/*</url-pattern>
>>>     </web-resource-collection>
>>>     <auth-constraint>
>>>       <role-name>ADGroupName</role-name>
>>>     </auth-constraint>
>>>   </security-constraint>
>>>   <security-role>
>>>     <description>The role that is required to view logs</description>
>>>     <role-name>ADGroupName</role-name>
>>>   </security-role>
>>>
>>> I also placed LDAP.jar into $CATALINA_BASE/lib, restarted Tomcat for

I think that is not needed since Java 1.4.x, even if it is mentioned in the howto :( I have never used that ldap.jar and wouldn't even know where to get it. But my JNDI realms work.

>>> I guess a hundred times, but every time I'm getting a message in catalina.out:
>>>
>>>   Throwable occurred: LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: A remote host refused an attempted connect operation.]
>>
>> Since localhost is a different server than what you told us you had configured, I think your context file is not being used. Search for other context files, where you either have configured localhost or misspelled connectionURL.
>
> But port 389 is only mentioned in myapp's config file and nowhere else. So I assume that Tomcat tries to use myapp.xml, but fails for some reason.

Don't look for 389 explicitly, since that is the default port, as localhost is the default host. Search for another context configuration which could be used.

> The other apps' context files are default - like this:
>
>   <?xml version="1.0" encoding="UTF-8"?>
>   <Context antiResourceLocking="false" privileged="true" />

I somehow doubt that privileged="true" is default and that you need it, but it is certainly irrelevant to your problems.

>>> and
>>>
>>>   SEVERE: Error deploying configuration descriptor myapp.xml
>>>   Throwable occurred: java.lang.IllegalStateException: ContainerBase.addChild: start: LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: A remote host refused an attempted connect operation.]
>>>
>>> I tried to telnet raiffeisen.ru on port 389 and got connected. I installed JXplorer, entered hostname, port, my credentials and got connected.
>>
>> telnet localhost 389 and see if you get any errors :)
>
> bash-3.00$ telnet localhost 389
> Trying...
> telnet: connect: A remote host refused an attempted connect operation.
>
> ...but WHY is Tomcat trying to connect to localhost? It's clearly written in the realm - connectionURL="ldap://raiffeisen.ru:389" =(

Either ldap.jar confuses it, or it uses another context file, or you have a typo in your context file which is not present in the config you have shown us.

Regards
Felix
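Two points in the thread can be checked mechanically rather than by eye: Felix's observation that a JNDIRealm reporting localhost:389 is one whose connectionURL never reached it (the JDK LDAP provider falls back to ldap://localhost:389 when no provider URL is set), and Pid's question about the descriptor's file name, which in conf/Catalina/<host>/ decides the context path (logs.xml deploys /logs, whatever docBase says). The script below is an added example written for this page, not code from the thread or from Tomcat. It parses context descriptors, reports the effective LDAP target of every JNDIRealm, maps file names to context paths, and also flags what a security reviewer would raise about the posted realm: a simple bind with connectionPassword over plain ldap://, which sends the service-account password across the network unencrypted, and the cleartext password in the descriptor itself. The three descriptor texts are constructed to mirror the thread's configuration; the docBase path /opt/tomcat/logs and the admin#logs.xml file are assumptions made for the example.

```python
"""Audit Tomcat context descriptors for JNDIRealm connection settings.
Added example for this thread, not code from the thread or from Tomcat."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

JNDI_REALM = "org.apache.catalina.realm.JNDIRealm"
# The JDK LDAP provider uses this when no provider URL is given, which is
# what a CommunicationException naming localhost:389 points at.
JNDI_DEFAULT_URL = "ldap://localhost:389"

# Constructed: the realm as posted in the thread (docBase is an assumption).
LOGS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Context antiResourceLocking="false" privileged="true"
         docBase="/opt/tomcat/logs" reloadable="true">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://raiffeisen.ru:389"
         connectionName="myaccount@raiffeisen.ru"
         connectionPassword="mypassword"
         referrals="follow"
         userBase="OU=_Users,DC=raiffeisen,DC=ru"
         userSearch="(sAMAccountName={0})"
         userSubtree="true"
         roleBase="OU=_Groups,DC=raiffeisen,DC=ru"
         roleName="cn"
         roleSubtree="true"
         roleSearch="(member={0})" />
</Context>
"""

# Constructed: the default descriptor the other applications use.
DEFAULT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Context antiResourceLocking="false" privileged="true" />
"""

# Constructed, hypothetical file: a JNDIRealm whose connectionURL is absent.
NO_URL_XML = """<Context>
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionName="cn=myaccount,dc=raiffeisen,dc=ru"
         connectionPassword="mypassword" />
</Context>
"""


def context_path(filename):
    """Context path Tomcat derives from a descriptor name in conf/Catalina/<host>/:
    ROOT.xml is the root context and '#' stands for '/'; docBase plays no part."""
    stem = filename[:-4] if filename.endswith(".xml") else filename
    if stem == "ROOT":
        return ""
    return "/" + stem.replace("#", "/")


def audit_context(filename, xml_text):
    """Effective LDAP target of every JNDIRealm in one descriptor, plus findings."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    report = {"file": filename, "path": context_path(filename),
              "realms": [], "findings": []}
    if root.tag != "Context":
        report["findings"].append("root element is <%s>, not <Context>" % root.tag)
        return report
    for realm in root.iter("Realm"):
        if realm.get("className") != JNDI_REALM:
            continue
        url = realm.get("connectionURL")
        effective = url or JNDI_DEFAULT_URL
        parts = urlsplit(effective)
        report["realms"].append({"connectionURL": url, "effective": effective,
                                 "host": parts.hostname, "port": parts.port})
        if not url:
            report["findings"].append(
                "connectionURL missing: the provider will try %s" % JNDI_DEFAULT_URL)
        if realm.get("connectionPassword") is not None:
            report["findings"].append(
                "connectionPassword is stored in cleartext in the descriptor")
            if parts.scheme == "ldap":
                report["findings"].append(
                    "simple bind over plain ldap://: the service-account password "
                    "is sent unencrypted; use ldaps:// on 636")
    if not report["realms"]:
        report["findings"].append(
            "no JNDIRealm here: the Realm of the enclosing Host/Engine in server.xml applies")
    return report


def localhost_realms(reports):
    """Descriptors whose realm really would connect to localhost, i.e. the ones
    that can produce 'CommunicationException: localhost:389'."""
    return [r["file"] for r in reports
            if any(realm["host"] == "localhost" for realm in r["realms"])]


if __name__ == "__main__":
    reports = [audit_context("logs.xml", LOGS_XML),
               audit_context("myapp.xml", DEFAULT_XML),
               audit_context("admin#logs.xml", NO_URL_XML)]
    for r in reports:
        print("%s -> context path %r" % (r["file"], r["path"]))
        for realm in r["realms"]:
            print("  JNDIRealm -> %s" % realm["effective"])
        for f in r["findings"]:
            print("  ! %s" % f)
    print("descriptors that explain localhost:389: %s" % localhost_realms(reports))
```

Run against a real $CATALINA_BASE by feeding each file under conf/Catalina/<host>/ (and the Realm elements of conf/server.xml) to audit_context; a realm that ends up in localhost_realms is the one the error message is about, regardless of what the file you were editing says.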