Re: LDAP connection issue

2012-02-23 Thread Felix Schumacher

On 22.02.2012 21:40, vbw wrote:

> Hi all,
>
> I am having trouble using FORM based authentication against an LDAP
> server.
>
> I have configured my web.xml and server.xml and created a Login.jsp
> page and can successfully authenticate against a simple
> tomcat-users.xml file.  Therefore I am confident my basic
> configurations are okay and my login page is good.  Everything behaves
> as expected.  Users are authenticated, authorized, errors are
> forwarded appropriately, etc.
>
> However, when I change my server.xml to use LDAP it appears that the
> user credentials are not being sent to the LDAP server (Microsoft
> Active Directory).
>
> Here is the realm definition from the server.xml, which is defined
> under the Catalina service (and is the only configured realm):
> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"

The debug attribute is not used in tomcat 6 or higher, so you can just
remove it :)

>    connectionName="myn...@mycompany.net"
>    connectionPassword="mypassword"
>    connectionURL="ldap://corp.mycompany.net:389"
>    userPattern="uid={0},ou='standard users',ou=users,ou=mycompany,dc=corp,dc=mycompanycorp,dc=net"

I believe you don't need the single ticks to protect your spaces there.
I don't know if they will harm, you could try to remove them.

>    roleBase="dc=corp,dc=mycompanycorp,dc=net"
>    roleName="cn"
>    roleSearch="memberUid={1}"/>

> I do know that I am successfully binding to the LDAP server when
> Tomcat starts. If I change mypassword to an invalid password then I
> get a ConnectException due to the connection being refused. I also
> see

So, we are editing the right context file, that is nice to know.

You could try to set logging for JNDIRealm to debug and see what it
will tell you. Just add

org.apache.catalina.realm.JNDIRealm.level = FINE

to conf/logging.properties or wherever your tomcat installation has
its logging.properties file.


Regards
 Felix

> this connection using a network monitoring tool - it is initiated at
> startup and then persists until Tomcat is shut down.
>
> After the initial connection is made, I don't see any packets being
> sent to the LDAP server. I've tried using both basic and form
> authentication. Here's the web.xml snippet for form authentication:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>MyApplication</web-resource-name>
>     <url-pattern>/Dashboard/*</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>Role1</role-name>
>     <role-name>Role2</role-name>
>   </auth-constraint>
> </security-constraint>
> <security-role>
>   <role-name>Role1</role-name>
> </security-role>
> <security-role>
>   <role-name>Role2</role-name>
> </security-role>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <form-login-config>
>     <form-login-page>/Login.jsp</form-login-page>
>     <form-error-page>/Login.jsp?authError=login</form-error-page>
>   </form-login-config>
> </login-config>
>
> I have spent hours researching and I can't see where I am going wrong.
> The LDAP connection, user and role information in the server.xml seem
> correct.  However, no matter what I key in on the login page I get
> back a 404 Page error - user is not authenticated.
>
> I can't understand why I can connect to the LDAP server at server
> startup but cannot authenticate users.  Can anyone give me any ideas?
>
> Any help would be much appreciated!
>
> Thanks in advance,
> Vaughne



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
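An added example, not from this thread and not Tomcat code, of the flow that Felix's FINE logging would expose. When no userPassword attribute is configured, Tomcat's JNDIRealm verifies the password by binding to the directory as the user, with the DN built from userPattern ({0} = the login name), and then runs roleSearch under roleBase ({0} = the user's DN, {1} = the login name), reading roleName from each hit. So the connection user needs no right to check other people's passwords; it only has to be able to search for the role entries. The Python below models that against a constructed in-memory directory whose entries carry the uid and memberUid attributes the posted pattern assumes (whether the real AD tree has such entries is exactly what the debug log would show). The users alice and bob, their passwords and the two group entries are invented, and the single quotes around 'standard users' are dropped on the assumption that the OU name is a plain string containing a space, which RFC 4514 does not require to be escaped.

```python
import re

# Constructed in-memory directory standing in for the AD tree in the thread.
# DN -> attributes.  userPassword is only here so the mock can answer a bind.
BASE = "dc=corp,dc=mycompanycorp,dc=net"
PEOPLE = "ou=standard users,ou=users,ou=mycompany," + BASE
DIRECTORY = {
    "uid=alice," + PEOPLE: {"userPassword": "alice-pw"},
    "uid=bob," + PEOPLE: {"userPassword": "bob-pw"},
    "cn=Role1,ou=groups," + BASE: {"cn": "Role1", "memberUid": ["alice", "bob"]},
    "cn=Role2,ou=groups," + BASE: {"cn": "Role2", "memberUid": ["bob"]},
}

# The realm attributes from the thread.  Assumption: the OU is named
# "standard users" with a plain space, so the single quotes are dropped.
USER_PATTERN = "uid={0}," + PEOPLE
ROLE_BASE = BASE
ROLE_NAME = "cn"
ROLE_SEARCH = "memberUid={1}"

_DN_SPECIAL = ',+"\\<>;'


def escape_dn_value(value):
    """RFC 4514 escaping of one attribute value inside a DN.  A space in the
    middle of a value ("standard users") needs nothing; only a leading or
    trailing space, a leading '#', NUL and the characters in _DN_SPECIAL do."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """RFC 4515 escaping of a value placed inside a search filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def bind(dn, password):
    """Simple bind: only an existing entry with that exact password succeeds.
    An empty password is refused so it cannot turn into an anonymous bind."""
    entry = DIRECTORY.get(dn)
    return bool(password) and entry is not None and entry.get("userPassword") == password


def _unhex(piece):
    """Turn "\\XX" filter escapes back into the literal character."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), piece)


def search(base, ldap_filter):
    """Evaluate one equality filter "(attr=value)" below base and return the
    matching entries.  An unescaped '*' is a wildcard, as on a real server."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, value = m.groups()
    rx = re.compile("^" + ".*".join(re.escape(_unhex(p)) for p in value.split("*")) + "$")
    hits = []
    for dn, attrs in DIRECTORY.items():
        vals = attrs.get(attr, [])
        vals = vals if isinstance(vals, list) else [vals]
        if dn.endswith(base) and any(rx.match(v) for v in vals):
            hits.append(attrs)
    return hits


def authenticate(username, password):
    """The JNDIRealm userPattern flow: build the user DN, bind as that user
    with the submitted password, then resolve roles with roleSearch, where
    {0} is the user DN and {1} the login name.  Returns (ok, sorted roles)."""
    user_dn = USER_PATTERN.replace("{0}", escape_dn_value(username))
    if not bind(user_dn, password):
        return False, []
    flt = (ROLE_SEARCH.replace("{0}", escape_filter_value(user_dn))
           .replace("{1}", escape_filter_value(username)))
    if not flt.startswith("("):          # parentheses as the mock parser expects
        flt = "(" + flt + ")"
    roles = sorted(e[ROLE_NAME] for e in search(ROLE_BASE, flt))
    return True, roles


if __name__ == "__main__":
    for user, pw in [("alice", "alice-pw"), ("bob", "bob-pw"), ("alice", "wrong")]:
        print(user, authenticate(user, pw))
```

Run stand-alone it prints a success with one role, a success with two roles and a refused bind. The two escaping helpers are what keeps a login name containing a comma or an asterisk from altering the DN or the filter: search() treats an unescaped * as a wildcard, so "(memberUid=*)" returns every group while the escaped "\2a" form returns none. Against the real server the equivalent check is to bind, outside Tomcat, with the exact DN the pattern produces and the user's own password; if that bind is refused there, the realm cannot succeed either.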



LDAP connection issue

2012-02-22 Thread vbw
Hi all,

I am having trouble using FORM based authentication against an LDAP server.

I have configured my web.xml and server.xml and created a Login.jsp
page and can successfully authenticate against a simple
tomcat-users.xml file.  Therefore I am confident my basic
configurations are okay and my login page is good.  Everything behaves
as expected.  Users are authenticated, authorized, errors are
forwarded appropriately, etc.


However, when I change my server.xml to use LDAP it appears that the
user credentials are not being sent to the LDAP server (Microsoft
Active Directory).

Here is the realm definition from the server.xml, which is defined
under the Catalina service (and is the only configured realm):
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
   connectionName="myn...@mycompany.net"
   connectionPassword="mypassword"
   connectionURL="ldap://corp.mycompany.net:389"
   userPattern="uid={0},ou='standard users',ou=users,ou=mycompany,dc=corp,dc=mycompanycorp,dc=net"
   roleBase="dc=corp,dc=mycompanycorp,dc=net"
   roleName="cn"
   roleSearch="memberUid={1}"/>

I do know that I am successfully binding to the LDAP server when
Tomcat starts. If I change mypassword to an invalid password then I
get a ConnectException due to the connection being refused. I also see
this connection using a network monitoring tool - it is initiated at
startup and then persists until Tomcat is shut down.

After the initial connection is made, I don't see any packets being
sent to the LDAP server. I've tried using both basic and form
authentication. Here's the web.xml snippet for form authentication:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>MyApplication</web-resource-name>
    <url-pattern>/Dashboard/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Role1</role-name>
    <role-name>Role2</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>Role1</role-name>
</security-role>
<security-role>
  <role-name>Role2</role-name>
</security-role>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/Login.jsp</form-login-page>
    <form-error-page>/Login.jsp?authError=login</form-error-page>
  </form-login-config>
</login-config>

I have spent hours researching and I can't see where I am going wrong.
 The LDAP connection, user and role information in the server.xml seem
correct.  However, no matter what I key in on the login page I get
back a 404 Page error - user is not authenticated.

I can't understand why I can connect to the LDAP server at server
startup but cannot authenticate users.  Can anyone give me any ideas?

Any help would be much appreciated!

Thanks in advance,
Vaughne

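A side note on the posted web.xml, added here and not part of the thread (and not the cause of the LDAP failure): listing <http-method> elements inside a <web-resource-collection> narrows the constraint to exactly those methods, so with GET and POST listed a HEAD, PUT or DELETE request to /Dashboard/* is not subject to the auth-constraint at all. Leaving the <http-method> elements out makes the constraint apply to every method (Servlet 3.0 also offers <http-method-omission> for the inverse). The evaluator below models that rule for the posted constraint; it is an added Python example, not Tomcat's authorizer, and the request paths, the "fixed" constraint and the role sets it is run with are made up.

```python
# Evaluator for the servlet security-constraint rule that <http-method>
# elements narrow a constraint to exactly the listed methods.  Added example,
# not Tomcat's authorization code.


def url_matches(pattern, path):
    """Servlet url-pattern matching: exact match, path prefix "/x/*" (which
    also covers "/x" itself) or extension "*.ext"."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


# The constraint as posted: /Dashboard/* for GET and POST only.
POSTED = {
    "patterns": ["/Dashboard/*"],
    "methods": {"GET", "POST"},          # the <http-method> elements
    "roles": {"Role1", "Role2"},         # the <auth-constraint> role-names
}

# Assumed fix: the same constraint with the <http-method> elements removed,
# which makes it apply to every method.
ALL_METHODS = {"patterns": ["/Dashboard/*"], "methods": set(), "roles": {"Role1", "Role2"}}

CANDIDATE_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")


def decide(constraints, method, path, user_roles):
    """Return "allow", "deny" or "unconstrained" for one request.

    A constraint applies when one of its url-patterns matches and its method
    set is either empty (all methods) or contains the request method.  The
    roles of all applicable constraints are combined; the user needs one."""
    required = set()
    applicable = False
    for c in constraints:
        if not any(url_matches(p, path) for p in c["patterns"]):
            continue
        if c["methods"] and method not in c["methods"]:
            continue
        applicable = True
        required |= c["roles"]
    if not applicable:
        return "unconstrained"           # the container never asks for a login
    return "allow" if required & set(user_roles) else "deny"


def uncovered_methods(constraints, path, candidates=CANDIDATE_METHODS):
    """Methods for which no constraint applies to path: the deploy-time check
    to run before trusting an auth-constraint on that path."""
    return [m for m in candidates if decide(constraints, m, path, []) == "unconstrained"]


if __name__ == "__main__":
    print("posted, HEAD without login:", decide([POSTED], "HEAD", "/Dashboard/home", []))
    print("posted, uncovered methods:", uncovered_methods([POSTED], "/Dashboard/home"))
    print("fixed, uncovered methods:", uncovered_methods([ALL_METHODS], "/Dashboard/home"))
```

uncovered_methods() is the check worth keeping: run over every protected path it lists the methods a client can use to reach the resource without ever seeing the login page.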



Re: LDAP connection issue

2012-02-22 Thread John Renne
> I do know that I am successfully binding to the LDAP server when
> Tomcat starts. If I change mypassword to an invalid password then I
> get a ConnectException due to the connection being refused. I also see
> this connection using a network monitoring tool - it is initiated at
> startup and then persists until Tomcat is shut down.

Is the user you bind with to LDAP allowed to check other users' passwords? I
think it's common practice to supply specific bind-users which have this role.

> After the initial connection is made, I don't see any packets being
> sent to the LDAP server.

You actually don't see packets or no new connections?

John



Re: LDAP connection issue

2012-02-22 Thread vbw
Hi,
The user I bind cannot check users' passwords but it can browse the
LDAP tree and see all the available users.  I have used ldap.exe with
the same connection/bind and can traverse the LDAP tree.
As far as after the initial connection is made, no I don't see any
packets or new connections after j_security_check is called.

Thanks,
Vaughne

On Wed, Feb 22, 2012 at 3:47 PM, John Renne j...@gniffelnieuws.net wrote:
> > I do know that I am successfully binding to the LDAP server when
> > Tomcat starts. If I change mypassword to an invalid password then I
> > get a ConnectException due to the connection being refused. I also see
> > this connection using a network monitoring tool - it is initiated at
> > startup and then persists until Tomcat is shut down.
>
> Is the user you bind with to LDAP allowed to check other users' passwords? I
> think it's common practice to supply specific bind-users which have this role.
>
> > After the initial connection is made, I don't see any packets being
> > sent to the LDAP server.
>
> You actually don't see packets or no new connections?
>
> John





Re: LDAP connection issue

2012-02-22 Thread John Renne
> The user I bind cannot check users' passwords but it can browse the
> LDAP tree and see all the available users.  I have used ldap.exe with
> the same connection/bind and can traverse the LDAP tree.
> As far as after the initial connection is made, no I don't see any
> packets or new connections after j_security_check is called.

I'm definitely not an LDAP expert, but would it be possible it's checked
beforehand if the user is allowed to check passwords (perform a bind-as if I
remember well) and therefore the authentication requests won't be sent (as in,
the user ain't allowed to do so anyway)?

John

