Re: LDAP connection issue

On 22.02.2012 21:40, vbw wrote:
> Hi all,
>
> I am having trouble using FORM based authentication against an LDAP server. I have configured my web.xml and server.xml and created a Login.jsp page and can successfully authenticate against a simple tomcat-users.xml file. Therefore I am confident my basic configurations are okay and my login page is good. Everything behaves as expected. Users are authenticated, authorized, errors are forwarded appropriately, etc. However, when I change my server.xml to use LDAP it appears that the user credentials are not being sent to the LDAP server (Microsoft Active Directory).
>
> Here is the realm definition from the server.xml, which is defined under the Catalina service (and is the only configured realm):
>
>   <Realm className="org.apache.catalina.realm.JNDIRealm"
>          debug="99"

The debug attribute is not used in tomcat 6 or higher, so you can just remove it :)

>          connectionName="myn...@mycompany.net"
>          connectionPassword="mypassword"
>          connectionURL="ldap://corp.mycompany.net:389;"
>          userPattern="uid={0},ou='standard users',ou=users,ou=mycompany,dc=corp,dc=mycompanycorp,dc=net"

I believe you don't need the single ticks to protect your spaces there. I don't know if they will harm, you could try to remove them.

>          roleBase="dc=corp,dc=mycompanycorp,dc=net"
>          roleName="cn"
>          roleSearch="memberUid={1}"/>
>
> I do know that I am successfully binding to the LDAP server when Tomcat starts. If I change mypassword to an invalid password then I get a ConnectException due to the connection being refused. I also see this connection using a network monitoring tool - it is initiated at startup and then persists until Tomcat is shut down.

So, we are editing the right context file, that is nice to know. You could try to set logging for JNDIRealm to debug and see what it will tell you. Just add

  org.apache.catalina.realm.JNDIRealm.level = FINE

to conf/logging.properties or wherever your tomcat installation has its logging.properties file.

Regards
Felix

> After the initial connection is made, I don't see any packets being sent to the LDAP server. I've tried using both basic and form authentication.
>
> Here's the web.xml snippet for form authentication:
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>MyApplication</web-resource-name>
>       <url-pattern>/Dashboard/*</url-pattern>
>       <http-method>GET</http-method>
>       <http-method>POST</http-method>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>Role1</role-name>
>       <role-name>Role2</role-name>
>     </auth-constraint>
>   </security-constraint>
>
>   <security-role>
>     <role-name>Role1</role-name>
>   </security-role>
>   <security-role>
>     <role-name>Role2</role-name>
>   </security-role>
>
>   <login-config>
>     <auth-method>FORM</auth-method>
>     <form-login-config>
>       <form-login-page>/Login.jsp</form-login-page>
>       <form-error-page>/Login.jsp?authError=login</form-error-page>
>     </form-login-config>
>   </login-config>
>
> I have spent hours researching and I can't see where I am going wrong. The LDAP connection, user and role information in the server.xml seem correct. However, no matter what I key in on the login page I get back a 404 Page error - user is not authenticated. I can't understand why I can connect to the LDAP server at server startup but cannot authenticate users.
>
> Can anyone give me any ideas? Any help would be much appreciated!
>
> Thanks in advance,
> Vaughne

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
LDAP connection issue

Hi all,

I am having trouble using FORM based authentication against an LDAP server. I have configured my web.xml and server.xml and created a Login.jsp page and can successfully authenticate against a simple tomcat-users.xml file. Therefore I am confident my basic configurations are okay and my login page is good. Everything behaves as expected. Users are authenticated, authorized, errors are forwarded appropriately, etc. However, when I change my server.xml to use LDAP it appears that the user credentials are not being sent to the LDAP server (Microsoft Active Directory).

Here is the realm definition from the server.xml, which is defined under the Catalina service (and is the only configured realm):

  <Realm className="org.apache.catalina.realm.JNDIRealm"
         debug="99"
         connectionName="myn...@mycompany.net"
         connectionPassword="mypassword"
         connectionURL="ldap://corp.mycompany.net:389;"
         userPattern="uid={0},ou='standard users',ou=users,ou=mycompany,dc=corp,dc=mycompanycorp,dc=net"
         roleBase="dc=corp,dc=mycompanycorp,dc=net"
         roleName="cn"
         roleSearch="memberUid={1}"/>

I do know that I am successfully binding to the LDAP server when Tomcat starts. If I change mypassword to an invalid password then I get a ConnectException due to the connection being refused. I also see this connection using a network monitoring tool - it is initiated at startup and then persists until Tomcat is shut down. After the initial connection is made, I don't see any packets being sent to the LDAP server. I've tried using both basic and form authentication.

Here's the web.xml snippet for form authentication:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>MyApplication</web-resource-name>
      <url-pattern>/Dashboard/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Role1</role-name>
      <role-name>Role2</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <role-name>Role1</role-name>
  </security-role>
  <security-role>
    <role-name>Role2</role-name>
  </security-role>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/Login.jsp</form-login-page>
      <form-error-page>/Login.jsp?authError=login</form-error-page>
    </form-login-config>
  </login-config>

I have spent hours researching and I can't see where I am going wrong. The LDAP connection, user and role information in the server.xml seem correct. However, no matter what I key in on the login page I get back a 404 Page error - user is not authenticated. I can't understand why I can connect to the LDAP server at server startup but cannot authenticate users.

Can anyone give me any ideas? Any help would be much appreciated!

Thanks in advance,
Vaughne
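As an added illustration (not code from the thread or from Tomcat): JNDIRealm expands userPattern and roleSearch with java.text.MessageFormat, so {0}/{1} are placeholders and a single quote opens a quoted run whose quote characters are dropped from the output. The emulation below uses the exact attribute values posted above and shows the DN the realm will bind as and the filter it will search roleBase with; the RFC 4515 escaping of values spliced into the filter is this example's own, and it does not claim which placeholders a given Tomcat version escapes.

```python
# Added example, not part of the thread or of Tomcat: emulate how JNDIRealm
# turns userPattern / roleSearch into a bind DN and a role search filter.

# Values copied from the realm definition posted in the thread.
USER_PATTERN = ("uid={0},ou='standard users',ou=users,ou=mycompany,"
                "dc=corp,dc=mycompanycorp,dc=net")
ROLE_SEARCH = "memberUid={1}"   # in roleSearch, {0} = user DN, {1} = username


def message_format(pattern: str, *args: str) -> str:
    """java.text.MessageFormat subset: {n} substitution and single-quote quoting."""
    out, i, quoted = [], 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "'":
            if pattern.startswith("''", i):       # doubled quote is a literal '
                out.append("'")
                i += 2
            else:                                 # lone quote toggles literal mode
                quoted = not quoted               # and is itself dropped
                i += 1
        elif ch == "{" and not quoted:            # placeholder {n}
            end = pattern.index("}", i)
            out.append(args[int(pattern[i + 1:end])])
            i = end + 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def user_dn(username: str, pattern: str = USER_PATTERN) -> str:
    """DN the realm will bind as for this username (the {0} substitution)."""
    return message_format(pattern, username)


def role_filter(username: str, pattern: str = ROLE_SEARCH) -> str:
    """Filter the realm searches roleBase with after the user bind succeeds."""
    dn = user_dn(username)
    return message_format(pattern, escape_filter_value(dn),
                          escape_filter_value(username))


if __name__ == "__main__":
    print(user_dn("vbw"))      # the ticks around 'standard users' are gone
    print(role_filter("vbw"))
```

The printed DN is what to verify against the directory with a standalone bind using that user's password; if that bind fails outside Tomcat, the realm cannot succeed either.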
Re: LDAP connection issue

> I do know that I am successfully binding to the LDAP server when Tomcat starts. If I change mypassword to an invalid password then I get a ConnectException due to the connection being refused. I also see this connection using a network monitoring tool - it is initiated at startup and then persists until Tomcat is shut down.

Is the user you bind with to LDAP allowed to check other users' passwords? I think it's common practice to supply specific bind-users which have this role.

> After the initial connection is made, I don't see any packets being sent to the LDAP server.

You actually don't see packets or no new connections?

John
Re: LDAP connection issue

Hi,

The user I bind cannot check users' passwords but it can browse the LDAP tree and see all the available users. I have used ldap.exe with the same connection/bind and can traverse the LDAP tree.

As far as after the initial connection is made, no I don't see any packets or new connections after j_security_check is called.

Thanks,
Vaughne

On Wed, Feb 22, 2012 at 3:47 PM, John Renne j...@gniffelnieuws.net wrote:
> > I do know that I am successfully binding to the LDAP server when Tomcat starts. If I change mypassword to an invalid password then I get a ConnectException due to the connection being refused. I also see this connection using a network monitoring tool - it is initiated at startup and then persists until Tomcat is shut down.
>
> Is the user you bind with to LDAP allowed to check other users' passwords? I think it's common practice to supply specific bind-users which have this role.
>
> > After the initial connection is made, I don't see any packets being sent to the LDAP server.
>
> You actually don't see packets or no new connections?
>
> John
Re: LDAP connection issue

> The user I bind cannot check users' passwords but it can browse the LDAP tree and see all the available users. I have used ldap.exe with the same connection/bind and can traverse the LDAP tree.
>
> As far as after the initial connection is made, no I don't see any packets or new connections after j_security_check is called.

I'm definitely not an LDAP expert, but would it be possible it's checked beforehand if the user is allowed to check passwords (perform a bind-as, if I remember well) and therefore the authentication requests won't be sent (as in, the user ain't allowed to do so anyway)?

John