I don't know why it doesn't work, but I think this idea is really bad when it comes to Windows Active Directory, even if you made it work.
* This won't work for trusted domains.
* This won't work for nested domain groups.
* This won't work for local groups.
* You're hard-coding a domain user password.
* You're asking the user to enter his domain credentials, which forces you to run under SSL (instead of doing single sign-on).

If you are on Windows, you might want to try http://waffle.codeplex.com instead; it's a drop-in solution that just works.

dB. @ dblock.org <http://www.dblock.org/>
Moscow|Geneva|Seattle|New York

From: Jill Han [mailto:jill....@alverno.edu]
Sent: Tuesday, June 15, 2010 9:26 AM
To: users@tomcat.apache.org
Subject: Active Directory authentication

Hi,

I tried to configure Tomcat to authenticate against Active Directory. Here is the relevant part in server.xml:

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           debug="99"
           connectionName="ad...@tst.mycollege.edu"
           connectionPassword="adminpassword"
           connectionURL="ldap://tst.mycollege.edu:389"
           userBase="DC=tst,DC=mycollege,DC=edu"
           userSearch="(sAMAccountName={0})"
           userRoleName="memberof"
           roleBase="DC=tst,DC=mycollege,DC=edu"
           roleName="cn"
           roleSearch="(uniqueMember={0})"
           userSubtree="true"
           roleSubtree="false" />

In the web.xml:

    ...
    <security-constraint>
      .....
      <auth-constraint>
        <role-name>OU=EMP,dc=tst,DC=mycollege,DC=edu</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>NEWS</realm-name>
    </login-config>
    <security-role>
      <role-name>OU=EMP,dc=tst,DC=mycollege,DC=edu</role-name>
    </security-role>
    ...
The login window will prompt when you access the site; however, no login/password will be accepted. In the log file:

    Jun 15, 2010 7:14:53 AM org.apache.catalina.realm.JNDIRealm authenticate
    SEVERE: Exception performing authentication
    javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'DC=tst,DC=mycollege,DC=edu'
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2763)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2737)
        at com.sun.jndi.ldap.LdapNamingEnumeration.getNextBatch(LdapNamingEnumeration.java:129)
        at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:198)
        at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:171)
        at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1067)
        at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:958)
        at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:907)
        at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:808)
        at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:180)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
        at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:199)
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:282)
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:754)
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:684)
        at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:876)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
        at java.lang.Thread.run(Thread.java:595)

I don't know what could go wrong: the AD setup on the Active Directory side, or the properties in server.xml.

Thanks for your help as always,
Jill
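The "nested domain groups" point in dB's reply, worked through as an added example that is neither poster's code and not part of Tomcat or Waffle. The realm configuration above (userRoleName="memberof", roleName="cn") takes the user object's memberOf attribute and keeps only the CN of each group DN; a user who belongs to EMP only through a group nested inside EMP is therefore never seen as EMP, and the container compares the <role-name> in web.xml as a plain string against those CN values, so a role-name written as an OU distinguished name can never match. The directory below (users alice and bob, groups EMP, HR-Staff and Staff-All under a hypothetical OU=Groups) is constructed in memory so the script runs without an AD server; Python is used only because the logic is directory-independent. Separately, the PartialResultException in the trace is what JNDI raises when a subtree search at an AD domain root over port 389 returns continuation references and referrals are left at the JNDI default of ignoring them; that is a search-scope problem and is not what this example models.

```python
"""Flat vs. transitive AD group resolution over a constructed in-memory directory.

Mimics what Tomcat's JNDIRealm does with userRoleName="memberof" and roleName="cn"
(read the user's memberOf values, keep the CN of each group DN), then shows the
transitive walk that a flat lookup never performs.
"""
from typing import Callable, Dict, List, Set

# Constructed sample directory (DN -> attributes). Names and OUs are made up;
# group nesting and the EMP/Staff-All cycle are deliberate.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=EMP,OU=Groups,DC=tst,DC=mycollege,DC=edu": {
        "objectClass": ["group"],
        "memberOf": ["CN=Staff-All,OU=Groups,DC=tst,DC=mycollege,DC=edu"],
    },
    "CN=Staff-All,OU=Groups,DC=tst,DC=mycollege,DC=edu": {
        "objectClass": ["group"],
        "memberOf": ["CN=EMP,OU=Groups,DC=tst,DC=mycollege,DC=edu"],  # cycle
    },
    "CN=HR-Staff,OU=Groups,DC=tst,DC=mycollege,DC=edu": {
        "objectClass": ["group"],
        "memberOf": ["CN=EMP,OU=Groups,DC=tst,DC=mycollege,DC=edu"],  # nested in EMP
    },
    "CN=Alice,OU=EMP,DC=tst,DC=mycollege,DC=edu": {
        "objectClass": ["user"],
        "sAMAccountName": ["alice"],
        "memberOf": ["CN=EMP,OU=Groups,DC=tst,DC=mycollege,DC=edu"],  # direct member
    },
    "CN=Bob,OU=EMP,DC=tst,DC=mycollege,DC=edu": {
        "objectClass": ["user"],
        "sAMAccountName": ["bob"],
        "memberOf": ["CN=HR-Staff,OU=Groups,DC=tst,DC=mycollege,DC=edu"],  # only via nesting
    },
}


def rdn_value(dn: str, attr: str = "cn") -> str:
    """Value of the first RDN of `dn`, which must be of type `attr` (case-insensitive).
    This is what roleName="cn" extracts from each memberOf DN."""
    first = dn.split(",", 1)[0]
    typ, _, val = first.partition("=")
    if typ.strip().lower() != attr.lower():
        raise ValueError(f"first RDN of {dn!r} is not {attr}")
    return val.strip()


def find_user(sam: str, directory: Dict = DIRECTORY) -> str:
    """userSearch="(sAMAccountName={0})" over the sample data; returns the user DN."""
    for dn, attrs in directory.items():
        if sam.lower() in (v.lower() for v in attrs.get("sAMAccountName", [])):
            return dn
    raise KeyError(f"no user with sAMAccountName {sam!r}")


def direct_roles(user_dn: str, directory: Dict = DIRECTORY) -> Set[str]:
    """Flat resolution: CN of every group listed directly on the user object."""
    return {rdn_value(g) for g in directory[user_dn].get("memberOf", [])}


def transitive_roles(user_dn: str, directory: Dict = DIRECTORY) -> Set[str]:
    """Follow each group's own memberOf chain so nested groups are included.
    `seen` guards against cycles, which AD permits between groups."""
    seen: Set[str] = set()
    stack = list(directory[user_dn].get("memberOf", []))
    while stack:
        group_dn = stack.pop()
        if group_dn in seen:
            continue
        seen.add(group_dn)
        stack.extend(directory.get(group_dn, {}).get("memberOf", []))
    return {rdn_value(g) for g in seen}


def is_authorized(sam: str, required_role: str,
                  resolver: Callable[[str], Set[str]] = direct_roles) -> bool:
    """Emulates the container's <auth-constraint>: the <role-name> string is
    compared as-is against the role names the realm produced."""
    return required_role in resolver(find_user(sam))


if __name__ == "__main__":
    print("alice in EMP (direct):     ", is_authorized("alice", "EMP"))
    print("bob in EMP (flat lookup):  ", is_authorized("bob", "EMP"))
    print("bob in EMP (transitive):   ", is_authorized("bob", "EMP", transitive_roles))
    print("alice vs OU-style name:    ",
          is_authorized("alice", "OU=EMP,dc=tst,DC=mycollege,DC=edu"))
```

Run as a script it shows the two failure modes side by side: bob is denied by the flat lookup and admitted by the transitive walk, and alice, a direct member, is still denied when the required role is spelled as an OU DN rather than the group CN. Whether a real realm follows nested groups depends on the realm and directory in use; this script only makes the difference between the two lookups visible.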