JNDIRealm authentication

2005-08-19 Thread Rogerio Baldini das Neves
Hi Folks,

Is it possible to authenticate in multiple userBases using JNDIRealm?

I have a configuration as above:
   
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://localhost:389"
       userBase="ou=people,dc=mycompany,dc=com"
       userSearch="(mail={0})"
       userRoleName="memberOf"
       roleBase="ou=groups,dc=mycompany,dc=com"
       roleName="cn"
       roleSearch="(uniqueMember={0})"
/>

and I need to provide 2 userBases:
  userBase=ou=people,dc=mycompany,dc=com
and
  userBase=ou=people2,dc=mycompany,dc=com

Is it possible?

I don't want to search in my upper level, because it's really big.

Thanks in advance,

Rogerio.




Re: JNDIRealm authentication

2005-08-19 Thread David Delbecq
No, but code of JNDIRealm can be easily reused to create your own realm.
On Friday 19 August 2005 15:26, Rogerio Baldini das Neves wrote:
 Hi Folks,
 
 Is it possible to authenticate in multiple userBases using JNDIRealm?
 
 I have a configuration as above:

 <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
        connectionURL="ldap://localhost:389"
        userBase="ou=people,dc=mycompany,dc=com"
        userSearch="(mail={0})"
        userRoleName="memberOf"
        roleBase="ou=groups,dc=mycompany,dc=com"
        roleName="cn"
        roleSearch="(uniqueMember={0})"
 />
 
 and I need to provide 2 userBases:
   userBase=ou=people,dc=mycompany,dc=com
 and
   userBase=ou=people2,dc=mycompany,dc=com
 
 Is it possible?
 
 I don't want to search in my upper level, because it's really big.
 
 Thanks in advance,
 
 Rogerio.
 
 
 

-- 
David Delbecq
Royal Meteorological Institute of Belgium

-
Is there life after /sbin/halt -p?

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
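The following is an added example, not code from the thread and not Tomcat's own JNDIRealm source. It shows what a multi-userBase lookup looks like when written directly against JNDI, the API JNDIRealm is built on: each configured base is searched in turn with the thread's userSearch filter, and the first matching DN is then verified by binding as that user, which is the same "bind mode" check the Realm performs. The URL, the two bases and the filter are placeholders mirroring Rogerio's configuration; the class, method and constant names are mine.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Multi-userBase lookup plus bind-as-user check, done with plain JNDI (added example). */
public class MultiBaseLdapAuth {

    // Placeholders mirroring the thread's Realm: host and DNs are assumed, not real.
    static final String URL = "ldap://localhost:389";
    static final String[] USER_BASES = {
        "ou=people,dc=mycompany,dc=com",
        "ou=people2,dc=mycompany,dc=com"
    };
    static final String USER_SEARCH = "(mail={0})";

    /** Escape a value for use inside an LDAP filter (RFC 4515 section 3). */
    static String escapeFilterValue(String v) {
        StringBuilder sb = new StringBuilder(v.length());
        for (char c : v.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Search one base (one level, i.e. userSubtree="false") and return the entry's DN, or null. */
    static String findUserDn(DirContext ctx, String base, String username) throws NamingException {
        String filter = USER_SEARCH.replace("{0}", escapeFilterValue(username));
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.ONELEVEL_SCOPE);
        sc.setReturningAttributes(new String[0]);   // only the DN is needed
        NamingEnumeration<SearchResult> results = ctx.search(base, filter, sc);
        try {
            if (!results.hasMore()) return null;
            String dn = results.next().getNameInNamespace();
            if (results.hasMore()) {
                throw new NamingException("more than one entry matches " + username + " under " + base);
            }
            return dn;
        } finally {
            results.close();
        }
    }

    /** Open a connection; principal == null means an anonymous bind. */
    static DirContext connect(String principal, String credentials) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        if (principal != null) {
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, principal);
            env.put(Context.SECURITY_CREDENTIALS, credentials);
        }
        return new InitialDirContext(env);
    }

    /** Returns the user's DN if found under any base and the bind succeeds, otherwise null. */
    static String authenticate(String username, String password) throws NamingException {
        // An empty password turns a simple bind into an anonymous one that "succeeds": refuse it up front.
        if (username == null || password == null || password.isEmpty()) return null;
        String dn = null;
        DirContext lookup = connect(null, null);   // the Realm would use connectionName/connectionPassword here
        try {
            for (String base : USER_BASES) {
                dn = findUserDn(lookup, base, username);
                if (dn != null) break;
            }
        } finally {
            lookup.close();
        }
        if (dn == null) return null;
        try {
            connect(dn, password).close();   // binding as the user is the credential check
            return dn;
        } catch (AuthenticationException e) {
            return null;
        }
    }

    public static void main(String[] args) throws NamingException {
        String dn = authenticate(args[0], args[1]);
        System.out.println(dn == null ? "denied" : "authenticated as " + dn);
    }
}
```

A custom Realm of the kind David suggests would wrap the same loop inside the Realm's user lookup. Two details matter for a deployment: the username is escaped before it is substituted into the filter so that filter metacharacters in the login name cannot change the query, and an empty password is rejected before the bind, because an LDAP simple bind with an empty password is an anonymous bind that many servers accept. Later Tomcat releases also ship a CombinedRealm that nests several JNDIRealm elements, which covers this case without custom code.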



Re: JNDIrealm Mbean

2005-03-16 Thread jean charles jabouille
I modified my function and verified that the MBean exists. But how can I get
the value of my MBean attributes?

here is my code:

import java.util.List;
import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;

try {
  ObjectName timer = new ObjectName("Catalina:type=Realm,path=/DJLRWebapp,host=localhost");
  List list = MBeanServerFactory.findMBeanServer(null);
  MBeanServer server = (MBeanServer) list.iterator().next();
  //String type = nodeName + ":" + projectName + ":" + date;
  System.out.println(server.isRegistered(timer));
  int i = 0;
  while (i < 5) {   // list the names of the first 5 attributes
    System.out.println(server.getMBeanInfo(timer).getAttributes()[i].getName());
    i++;
  }
}
catch (Exception e) {
  e.printStackTrace();
}


Thanks for answers

Jabouille Jean Charles



- Original Message - 
From: jean charles jabouille [EMAIL PROTECTED]
To: tomcat-user@jakarta.apache.org
Sent: Friday, March 11, 2005 10:48 AM
Subject: JNDIrealm Mbean


Hi,


I use Tomcat 5.5 and I created a JNDIRealm in the server.xml file. I'd like
to access the JNDIMean mbean but I can't find information about source
code examples. I saw this page that contains all Tomcat MBeans
http://jakarta.apache.org/tomcat/tomcat-5.5-doc/catalina/funcspecs/mbean-names.html

Is there a mbean-descriptor.xml to add to my application? I do think,
because I think that Tomcat MBeans are loaded automatically.

Here is an example of my attempt to access the Tomcat JNDIRealm MBean
and the connectionUrl of my realm. This code is not working :-(

try {
  ObjectName timer = new ObjectName("Catalina:type=org.apache.catalina.realm.JNDIRealm,name=JNDIRealm");
  List list = MBeanServerFactory.findMBeanServer(null);
  MBeanServer server = (MBeanServer) list.iterator().next();

  String connectionUrl;
  // invoke() targets an MBean operation; connectionURL is an attribute (read with getAttribute())
  connectionUrl = (String) server.invoke(timer, "connectionURL", new Object[] {},
      new String[] { "".getClass().getName() });
}
catch (Exception e) {
  e.printStackTrace();
}


Do you have a code example or a solution?

Thanks for your answers,

Jabouille Jean Charles





Re: JNDIrealm Mbean

2005-03-16 Thread jean charles jabouille
I answer my own question...

import java.util.List;
import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;

try {
  ObjectName realm = new ObjectName("Catalina:type=Realm,path=/DJLRWebapp,host=localhost");
  List list = MBeanServerFactory.findMBeanServer(null);
  MBeanServer server = (MBeanServer) list.iterator().next();
  // Realm settings are MBean attributes: read them with getAttribute(), not invoke()
  System.out.println(server.getAttribute(realm, "connectionName"));
  System.out.println(server.getAttribute(realm, "connectionURL"));
  // the bind password is readable over JMX too, so access to the MBean server must be restricted
  System.out.println(server.getAttribute(realm, "connectionPassword"));
  System.out.println(server.getAttribute(realm, "contextFactory"));
  System.out.println(server.getAttribute(realm, "digest"));
  System.out.println(server.getAttribute(realm, "userBase"));
}
catch (Exception e) {
  System.out.println(e);
}


- Original Message - 
From: jean charles jabouille [EMAIL PROTECTED]
To: Tomcat Users List tomcat-user@jakarta.apache.org
Sent: Wednesday, March 16, 2005 10:03 AM
Subject: Re: JNDIrealm Mbean


 I modified my function and verified that the MBean exists. But how can I
 get the value of my MBean attributes?

 here is my code:

 try {
   ObjectName timer = new ObjectName("Catalina:type=Realm,path=/DJLRWebapp,host=localhost");
   List list = MBeanServerFactory.findMBeanServer(null);
   MBeanServer server = (MBeanServer) list.iterator().next();
   //String type = nodeName + ":" + projectName + ":" + date;
   System.out.println(server.isRegistered(timer));
   int i = 0;
   while (i < 5) {   // list the names of the first 5 attributes
     System.out.println(server.getMBeanInfo(timer).getAttributes()[i].getName());
     i++;
   }
 }
 catch (Exception e) {
   e.printStackTrace();
 }


 Thanks for answers

 Jabouille Jean Charles



 - Original Message - 
 From: jean charles jabouille [EMAIL PROTECTED]
 To: tomcat-user@jakarta.apache.org
 Sent: Friday, March 11, 2005 10:48 AM
 Subject: JNDIrealm Mbean


 Hi,


 I use Tomcat 5.5 and I created a JNDIRealm in the server.xml file. I'd like
 to access the JNDIMean mbean but I can't find information about source
 code examples. I saw this page that contains all Tomcat MBeans

http://jakarta.apache.org/tomcat/tomcat-5.5-doc/catalina/funcspecs/mbean-names.html

 Is there a mbean-descriptor.xml to add to my application? I do think,
 because I think that Tomcat MBeans are loaded automatically.

 Here is an example of my attempt to access the Tomcat JNDIRealm MBean
 and the connectionUrl of my realm. This code is not working :-(

 try {
   ObjectName timer = new ObjectName("Catalina:type=org.apache.catalina.realm.JNDIRealm,name=JNDIRealm");
   List list = MBeanServerFactory.findMBeanServer(null);
   MBeanServer server = (MBeanServer) list.iterator().next();

   String connectionUrl;
   // invoke() targets an MBean operation; connectionURL is an attribute (read with getAttribute())
   connectionUrl = (String) server.invoke(timer, "connectionURL", new Object[] {},
       new String[] { "".getClass().getName() });
 }
 catch (Exception e) {
   e.printStackTrace();
 }


 Do you have a code example or a solution?

 Thanks for your answers,

 Jabouille Jean Charles








JNDIrealm Mbean

2005-03-11 Thread jean charles jabouille
Hi,


I use Tomcat 5.5 and I created a JNDIRealm in the server.xml file. I'd like to
access the JNDIMean mbean but I can't find information about source code
examples. I saw this page that contains all Tomcat MBeans
http://jakarta.apache.org/tomcat/tomcat-5.5-doc/catalina/funcspecs/mbean-names.html

Is there a mbean-descriptor.xml to add to my application? I do think, because I
think that Tomcat MBeans are loaded automatically.

Here is an example of my attempt to access the Tomcat JNDIRealm MBean and
the connectionUrl of my realm. This code is not working :-(

import java.util.List;
import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;

try {
  ObjectName timer = new ObjectName("Catalina:type=org.apache.catalina.realm.JNDIRealm,name=JNDIRealm");
  List list = MBeanServerFactory.findMBeanServer(null);
  MBeanServer server = (MBeanServer) list.iterator().next();

  String connectionUrl;
  // invoke() targets an MBean operation; connectionURL is an attribute (read with getAttribute())
  connectionUrl = (String) server.invoke(timer, "connectionURL", new Object[] {},
      new String[] { "".getClass().getName() });
}
catch (Exception e) {
  e.printStackTrace();
}


Do you have a code example or a solution?

Thanks for your answers,

Jabouille Jean Charles


Authenticate JNDIrealm through Client

2005-02-21 Thread bohldan bohldan
I wonder... I've started a JNDIRealm and it works just fine against LDAP. I have
no problem logging in from a web browser (BASIC mode). But I want to log in from
a Java client; how do I do that?




SV: Authenticate JNDIrealm through Client

2005-02-21 Thread Roland Carlsson
Hi!

Without being too sure about this, I guess that if you are going to
authenticate a user via any kind of client against a Tomcat server you have
to talk the language Tomcat talks, and that language is HTTP. So, you have
to make your client able to talk HTTP, then send the login request as an
HTTP request and look at the HTTP response.

Regards
Roland Carlsson


On 05-02-21 12.20, bohldan bohldan [EMAIL PROTECTED] wrote:

 I wonder... I've started a JNDIRealm and it works just fine against LDAP. I have
 no problem logging in from a web browser (BASIC mode). But I want to log in from
 a Java client; how do I do that?
 
 
 
 


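An added example of what Roland describes (not code from the thread): a Java client that sends the login as an HTTP request with a BASIC Authorization header and classifies the response. The URL is a placeholder for a resource protected by the application's security constraint; the class and method names are mine.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Logs in to a BASIC-protected Tomcat resource from a Java client (added example). */
public class BasicAuthClient {

    /** What the HTTP status tells the client about the login attempt. */
    enum Outcome { AUTHENTICATED, BAD_CREDENTIALS, NOT_AUTHORIZED, OTHER }

    /** Builds the Authorization header value: "Basic " + base64(user:password). */
    static String basicHeader(String user, String password) {
        String raw = user + ":" + password;
        return "Basic " + Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    /** 2xx: realm accepted the credentials and the role constraint passed;
     *  401: the realm rejected them (or no header was sent);
     *  403: authenticated, but not in a role listed in the auth-constraint. */
    static Outcome classify(int status) {
        if (status >= 200 && status < 300) return Outcome.AUTHENTICATED;
        if (status == 401) return Outcome.BAD_CREDENTIALS;
        if (status == 403) return Outcome.NOT_AUTHORIZED;
        return Outcome.OTHER;
    }

    static Outcome login(String protectedUrl, String user, String password) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(protectedUrl).openConnection();
        try {
            conn.setRequestMethod("GET");
            conn.setInstanceFollowRedirects(false);   // a redirect would hide a 401/403
            conn.setRequestProperty("Authorization", basicHeader(user, password));
            return classify(conn.getResponseCode());
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws IOException {
        // Placeholder URL: a resource covered by the web.xml security-constraint of the app using the JNDIRealm.
        System.out.println(login("https://localhost:8443/myapp/secure/", args[0], args[1]));
    }
}
```

BASIC only base64-encodes the password, so the client should talk to an HTTPS connector; over plain HTTP the LDAP password crosses the network readable. Distinguishing 401 from 403 is what lets a client tell "wrong password" from "authenticated but not in the required role".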



JNDIRealm and multiple groups in LDAP.

2004-12-28 Thread Andrey Polozov
Hi,

I'm trying to apply JNDIRealm to an LDAP structure where each user
belongs to some group (organizationalUnit):

dn: ou=Group1, o=myorg
  objectclass: organizationalUnit
  ou: Group1
dn: uid=user1, ou=Group1, o=myorg
  objectclass: person
  uid: user1
dn: ou=Group2, o=myorg
  objectclass: organizationalUnit
  ou: Group2
dn: uid=user2, ou=Group2, o=myorg
  objectclass: person
  uid: user2

Also there are roles, and each of them can be assigned to some groups:

dn: cn=readIt, o=myorg
  objectclass: organizationalRole
  cn: readIt
  roleOccupant: ou=Group1, o=myorg
  roleOccupant: ou=Group2, o=myorg
dn: cn=changeIt, o=myorg
  objectclass: organizationalRole
  cn: changeIt
  roleOccupant: ou=Group2, o=myorg

So technically, to find roles for a user, we need three steps:
- Search for (uid=username);
- Get the group DN by stripping the last component
   groupDN = userDN.getPrefix(userDN.size() - 1);
- search for roles (roleOccupant={groupDN});

The current implementation of JNDI assumes that roles should be assigned
to users, not to groups. So I can't use it directly.

Of course I could (and probably will) find a way to hack it (extend it,
put some adapter in, etc.), but I suspect that it's a pretty common case,
and it could be resolved in a more general and graceful way.
For instance, the inner User class could have an additional attribute,
e.g. getGroup(), and that value could be used as the third parameter in
the roleSearch attribute.

What do you think? Is it worth trying to generalize usage of groups in
JNDIRealm?

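The three-step procedure from the post, written out against plain JNDI as an added example (not Tomcat code and not Andrey's own implementation). Step 1 is an ordinary user search; the part JNDIRealm does not do is steps 2 and 3, so the example concentrates on those: derive the group DN by dropping the user's own RDN, then search the role base for entries whose roleOccupant is that group DN. The URL is a placeholder; the base, filter and attribute names follow the LDIF in the post; class and method names are mine.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;

/** Steps 2 and 3 of the group-based role lookup with plain JNDI (added example). */
public class GroupRoleResolver {

    // Assumed values matching the LDIF in the post; the URL is a placeholder.
    static final String URL = "ldap://localhost:389";
    static final String ROLE_BASE = "o=myorg";
    static final String ROLE_SEARCH = "(roleOccupant={0})";
    static final String ROLE_NAME = "cn";

    /** Step 2: the group DN is the user DN minus its last (leftmost) RDN. */
    static String groupDnOf(String userDn) throws NamingException {
        LdapName name = new LdapName(userDn);       // parses and validates the DN syntax
        if (name.size() < 2) {
            throw new NamingException("user DN has no parent entry: " + userDn);
        }
        return name.getPrefix(name.size() - 1).toString();
    }

    /** Step 3: roles are the entries under ROLE_BASE whose roleOccupant equals the group DN. */
    static List<String> rolesOf(DirContext ctx, String userDn) throws NamingException {
        String groupDn = groupDnOf(userDn);
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.ONELEVEL_SCOPE);   // the equivalent of roleSubtree="false"
        sc.setReturningAttributes(new String[] { ROLE_NAME });
        List<String> roles = new ArrayList<>();
        // {0} is substituted by the provider, which escapes filter metacharacters in the
        // argument, so the DN is never spliced into the filter string by hand.
        NamingEnumeration<SearchResult> results =
            ctx.search(ROLE_BASE, ROLE_SEARCH, new Object[] { groupDn }, sc);
        try {
            while (results.hasMore()) {
                Attribute cn = results.next().getAttributes().get(ROLE_NAME);
                if (cn != null) roles.add(cn.get().toString());
            }
        } finally {
            results.close();
        }
        return roles;
    }

    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        DirContext ctx = new InitialDirContext(env);   // anonymous bind; a service account is the usual choice
        try {
            // With the LDIF in the post: user2 -> ou=Group2,o=myorg -> readIt and changeIt
            System.out.println(rolesOf(ctx, "uid=user2,ou=Group2,o=myorg"));
        } finally {
            ctx.close();
        }
    }
}
```

LdapName re-serialises the remaining RDNs without the spaces the LDIF uses after commas; since roleOccupant is a DN-syntax attribute the server compares it with DN matching, so that difference does not affect the search. Parsing the DN with LdapName rather than cutting the string at the last comma also handles escaped commas inside an RDN value.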



REPOST: Recursive groups in JNDIRealm

2004-11-18 Thread Roland Carlsson
Hi! 
I am sorry for reposting this, but I urgently need confirmation about
Tomcat supporting or not supporting recursive searching in LDAP for roles
including other roles.

I post the relevant part of server.xml:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://192.168.10.10:389"
       connectionName="CN=Administrator,CN=Users,DC=alfa-moving,DC=se"
       connectionPassword="x"
       userBase="CN=Users,DC=alfa-moving,DC=se"
       userSearch="(sAMAccountName={0})"
       userRoleName="memberOf"
       roleBase="CN=Users,DC=alfa-moving,DC=se"
       roleName="CN"
       roleSearch="(member={0})"
       roleSubtree="true" />


Thank you very much in advance
Roland Carlsson


From: Roland Carlsson [EMAIL PROTECTED]
Reply to: Tomcat Users List [EMAIL PROTECTED]
Date: Wed, 17 Nov 2004 16:52:34 +0100
To: TomcatUsers [EMAIL PROTECTED]
Subject: Recursive groups in JNDIRealm

Hi!

After an hour of searching I can't figure out if Tomcat is able to find
groups in groups in an LDAP server.

I found this in the archives but since it is from 4.1.18
http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg89601.html


Thanks in advance
Roland Carlsson





-- End of forwarded message





Recursive groups in JNDIRealm

2004-11-17 Thread Roland Carlsson
Hi!

After an hour of searching I can't figure out if Tomcat is able to find
groups in groups in an LDAP server.

I found this in the archives but since it is from 4.1.18
http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg89601.html


Thanks in advance
Roland Carlsson






Roles-problem with JNDIRealm and AD

2004-10-06 Thread Eivind Trondsen
Hi List

I'm trying to connect Tomcat/5.0.28 to AD on Windows 2003. My problem is that
JNDIRealm fails to get role information, after successfully binding with the
user's DN.

My temporary conclusion is that JNDIRealm fails to use the bound connection with
AD when performing the search for the role object. I have verified that the user
object in question can access the group object by using another LDAP client and
binding as that user.

Is my conclusion somewhere close to the mark? If it is, how can I make JNDIRealm
behave; if not, any other ideas?

Here is the relevant section from server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://dtoslhk001"
       debug="99"
       userBase="cn=Users,dc=netlinetest,dc=kol,dc=net"
       userPattern="cn={0},cn=Users,dc=netlinetest,dc=kol,dc=net"
       roleBase="cn=Users,dc=netlinetest,dc=kol,dc=net"
       roleSearch="(member={0})"
       roleName="cn" />

And here is the log output I get when I try to authenticate:

JNDIRealm[Catalina]: lookupUser(Per I. Lot)
JNDIRealm[Catalina]:   dn=cn=Per I. Lot,cn=Users,dc=netlinetest,dc=kol,dc=net
JNDIRealm[Catalina]:   validating credentials by binding as the user
JNDIRealm[Catalina]:   binding as cn=Per I.
Lot,cn=Users,dc=netlinetest,dc=kol,dc=net
JNDIRealm[Catalina]: Username Per I. Lot successfully authenticated
JNDIRealm[Catalina]:   getRoles(cn=Per I. Lot,cn=Users,dc=netlinetest,dc=kol,dc=net)
JNDIRealm[Catalina]:   Searching role base
'cn=Users,dc=netlinetest,dc=kol,dc=net' for attribute 'cn'
JNDIRealm[Catalina]:   With filter expression '(member=cn=Per I.
Lot,cn=Users,dc=netlinetest,dc=kol,dc=net)'
JNDIRealm[Catalina]: Exception performing authentication
javax.naming.NamingException: [LDAP: error code 1 - : LdapErr:
DSID-0C0905FF, comment: In order to perform this operation a successful bind
must be completed on the connection., data 0, vece]; remaining name
'cn=Users,dc=netlinetest,dc=kol,dc=net'

Hope someone can help. Best regards!

-- 
Eivind Trondsen| http://www.linuxlabs.no 
LinuxLabs AS   | eivind.trondsen at linuxlabs.no  




JNDIRealm Problem

2004-09-15 Thread SARMIENTO Claudia COGA
Hello:
I have a problem with my JNDIRealm configuration in Tomcat 5.
I'm using bind mode for authentication.
My company has Microsoft Active Directory with two OUs within ou=People.
I configured server.xml to connect to my LDAP successfully, but only to
one OU; I tried to put only ou=People in userBase to search in both sub-OUs
but I can't connect.
This is how I have server.xml:
In this case I can connect if the user is in ou=TGP; if the user is in
ou=COGA I can't.

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://10.158.1.4:389"
       userPattern="cn={0},ou=TGP,ou=People,ou=Public,dc=reltsa,dc=coga,dc=com"
       userSubtree="true"
       digest="MD5"
       roleBase="ou=People,ou=Public,dc=reltsa,dc=coga,dc=com"
       roleName="cn"
       roleSubtree="true"
       roleSearch="(uniqueMember={0})"/>


So I tried this:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://10.158.1.4:389"
       userBase="ou=People,ou=Public,dc=reltsa,dc=coga,dc=com"
       userSearch="(uid={0})"
       userSubtree="true"
       digest="MD5"
       roleBase="ou=People,ou=Public,dc=reltsa,dc=coga,dc=com"
       roleName="cn"
       roleSubtree="true"
       roleSearch="(uniqueMember={0})"/>
but it doesn't work.
Any ideas?

Thanks a lot
Claudia




RV: JNDIRealm and Windows 2000 Active Directory

2004-08-24 Thread Francisco José Arnau Vives
I'm trying to configure a JNDIRealm asking a Windows 2000 Active
Directory. In the examples on the Jakarta web site I have seen examples over
OpenLDAP. Can you help me with the configuration over Windows 2000 AD? Does
somebody have a production system or web application using JNDIRealm vs Active
Directory? Can you help me in order to configure it? Thanks for all.


Re: Tomcat 5 and JNDIRealm

2004-08-11 Thread Deepa Ramamurthy
Unfortunately, the LDAP server is on Domino and the only guy who worked on 
it quit.
And I don't know enough about Domino to access its logs or figure out the 
answers to the questions below.

Here's what is appearing in the Tomcat logs:
2004-08-11 10:43:23 JNDIRealm[deepa.myinfogenic.net]: 
lookupUser(dramamurthy)
2004-08-11 10:43:23 JNDIRealm[deepa.myinfogenic.net]:   dn=O=Infogenic
2004-08-11 10:43:23 JNDIRealm[deepa.myinfogenic.net]:   validating 
credentials by binding as the user
2004-08-11 10:43:23 JNDIRealm[deepa.myinfogenic.net]:   binding as 
O=Infogenic
2004-08-11 10:43:23 JNDIRealm[deepa.myinfogenic.net]:   bind attempt 
failed
2004-08-11 10:43:23 JNDIRealm[deepa.myinfogenic.net]: Username dramamurthy 
NOT successfully authenticated

I ran the sample GetattrsAll program on java.sun.com.
Here's what it returned:
[EMAIL PROTECTED] dramamurthy]$ java GetattrsAll
attribute: mail
value: [EMAIL PROTECTED]
attribute: uid
value: DRamamurthy
attribute: givenname
value: Deepa
attribute: objectclass
value: dominoPerson
value: inetOrgPerson
value: organizationalPerson
value: person
value: top
attribute: maildomain
value: Infogenic
attribute: mailserver
value: CN=Lexy,O=Infogenic
attribute: cn
value: Deepa Ramamurthy

Thanks.
Deepa






QM [EMAIL PROTECTED]
08/10/2004 07:44 PM
Please respond to Tomcat Users List

 
To: Tomcat Users List [EMAIL PROTECTED]
cc: 
Subject: Re: Tomcat 5 and JNDIRealm


On Tue, Aug 10, 2004 at 03:52:16PM -0500, Deepa Ramamurthy wrote:
: My webapp is running on Tomcat 5.0.
: I've been trying to set it up to use the LDAP server for authentication 
: without any luck.

Details, details:

- what do you experience when you try to login? What's in the logs,
  both for Tomcat and the LDAP server?  (Increase log verbosity on
  both for the purposes of your test. You'd be surprised what gremlins
  are lurking ;)

- does your LDAP directory have the proper attributes for user roles and
  such?

- does the directory use a password hashing scheme expected by JNDIRealm?

- have you tried running LDAP queries using the roleSearch criteria
  specified in the <Realm/> element?

Providing the server.xml and web.xml was a good start, but we'll need
more info.

-QM

-- 

software  -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com







Tomcat 5 and JNDIRealm

2004-08-10 Thread Deepa Ramamurthy
Hello!

My webapp is running on Tomcat 5.0.
I've been trying to set it up to use the LDAP server for authentication 
without any luck.

Here are my entries in server.xml and web.xml respectively:
server.xml:
<Host name="beepy.myinfogenic.net" debug="0" appBase="webapps"
      unpackWARs="true" autoDeploy="true"
      xmlValidation="false" xmlNamespaceAware="false">

  <Realm className="org.apache.catalina.realm.JNDIRealm"
         debug="99"
         connectionURL="ldap://10.0.0.29:389"
         roleBase="O=Infogenic"
         userPattern="O=Infogenic"
         roleSearch="(uniqueMember={0})"
  />

  <Valve className="org.apache.catalina.authenticator.SingleSignOn" debug="1"/>
  <Logger className="org.apache.catalina.logger.FileLogger"
          directory="logs" prefix="deepa.myinfogenic_log." suffix=".txt"
          timestamp="true"/>
  <Valve className="org.apache.catalina.valves.AccessLogValve"
         directory="logs" prefix="deepa_access_log." suffix=".txt"
         pattern="common" resolveHosts="false"/>

  <Context path="/test" docBase="test" debug="0" reloadable="true"/>

</Host>


web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Portal</web-resource-name>
    <description>accessible by authenticated users of the tomcat role</description>
    <url-pattern>/servlet/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description>These roles are allowed access</description>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>YourWebApp Protected Area</realm-name>
</login-config>

Thanks.
Deepa


Re: Tomcat 5 and JNDIRealm

2004-08-10 Thread QM
On Tue, Aug 10, 2004 at 03:52:16PM -0500, Deepa Ramamurthy wrote:
: My webapp is running on Tomcat 5.0.
: I've been trying to set it up to use the LDAP server for authentication 
: without any luck.

Details, details:

- what do you experience when you try to login? What's in the logs,
  both for Tomcat and the LDAP server?  (Increase log verbosity on
  both for the purposes of your test. You'd be surprised what gremlins
  are lurking ;)

- does your LDAP directory have the proper attributes for user roles and
  such?

- does the directory use a password hashing scheme expected by JNDIRealm?

- have you tried running LDAP queries using the roleSearch criteria
  specified in the <Realm/> element?

Providing the server.xml and web.xml was a good start, but we'll need
more info.

-QM

-- 

software  -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com





How to get Roles in a Principal with JNDIRealm

2004-06-30 Thread Renato Primavera
  Hello All,
I'm using JNDIRealm to authenticate users and it's working well.
In my Java code, I need to retrieve the roles associated with the
authenticated user.
Here is a sample of this code:

Subject s = Subject.getSubject(
    (AccessControlContext) System.getSecurityManager().getSecurityContext());
Principal p = (Principal) s.getPrincipals().toArray()[0];

The API only allows me to retrieve, on the Principal, the name (with the
getName accessor) of the user, not the associated roles.
Nevertheless, when running the code in a debugger, the state of the
Principal object seems to contain all the needed information (name,
password, realm, roles).
Is there a (standard) way to retrieve this additional information?
Or should I develop my own LDAP Realm (JAAS module) and extend the
Principal interface to add role notions?
Any help would be appreciated...
RP



RE: How to get Roles in a Principal with JNDIRealm

2004-06-30 Thread Robert Harper
It  may be easier to use JMX and retrieve the role out of the user information
from the user bean.

Robert S. Harper
801.265.8800 ex. 255
 -Original Message-
 From: Renato Primavera [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, June 30, 2004 7:47 AM
 To: [EMAIL PROTECTED]
 Subject: How to get Roles in a Principal with JNDIRealm
 
Hello All,
 
 
 I'm using JNDIRealm to authenticate users and it's working well.
 In my Java code, I need to retrieve the roles associated with the
 authenticated user.
 Here is a sample of this code:
 
 Subject s = Subject.getSubject(
     (AccessControlContext) System.getSecurityManager().getSecurityContext());
 Principal p = (Principal) s.getPrincipals().toArray()[0];
 
 The API only allows me to retrieve, on the Principal, the name (with the
 getName accessor) of the user, not the associated roles.
 Nevertheless, when running the code in a debugger, the state of the
 Principal object seems to contain all the needed information (name,
 password, realm, roles).
 
 Is there a (standard) way to retrieve this additional information?
 Or should I develop my own LDAP Realm (JAAS module) and extend the
 Principal interface to add role notions?
 
 Any help would be appreciated...
 
 RP
 
 
 
 




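An added example (not from the thread, and not Tomcat's or Renato's code) of the two ways a servlet can get at the roles behind the Principal. The portable path asks the container through isUserInRole() for each role the application knows about; the Tomcat-specific path, labelled as such, casts the Principal to Tomcat's GenericPrincipal, the class JNDIRealm returns, which carries the roles Renato saw in the debugger. The role list, class and method names are assumptions of mine.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.realm.GenericPrincipal;

/** Shows the authenticated user's roles two ways (added example). */
public class WhoAmIServlet extends HttpServlet {

    /** Roles the application declares in web.xml; assumed list for the portable path. */
    static final String[] KNOWN_ROLES = { "user", "admin" };

    /** Portable: ask the container role by role. Works with any Realm and any container. */
    static List<String> rolesViaIsUserInRole(HttpServletRequest request) {
        List<String> roles = new ArrayList<>();
        for (String r : KNOWN_ROLES) {
            if (request.isUserInRole(r)) roles.add(r);
        }
        return roles;
    }

    /** Tomcat-specific: JNDIRealm hands back a GenericPrincipal that carries the role names. */
    static List<String> rolesViaGenericPrincipal(Principal p) {
        if (p instanceof GenericPrincipal) {
            return Arrays.asList(((GenericPrincipal) p).getRoles());
        }
        return Collections.emptyList();   // some other Principal class: rely on isUserInRole() instead
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Principal p = req.getUserPrincipal();
        if (p == null) {
            // Only reachable if the URL is not covered by a security-constraint
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("user=" + p.getName());
        resp.getWriter().println("roles(isUserInRole)=" + rolesViaIsUserInRole(req));
        resp.getWriter().println("roles(GenericPrincipal)=" + rolesViaGenericPrincipal(p));
    }
}
```

The portable path is the one to build authorization decisions on: it needs no container classes and keeps working if the Realm is swapped. The GenericPrincipal path depends on the org.apache.catalina classes being visible to the web application, which in Tomcat 5.x means a privileged context or moving jars around, and on Tomcat continuing to return that class; treat it as diagnostics, not as the access-control check.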



4.0.29: does JNDIRealm (LDAP) perform authorization right after authentication??

2004-06-09 Thread Sauer, Christian {PGSQ~Basel}
Hello,

I have LDAP users that are members of one or more groups and I also have
users that aren't members in any group at all. Only users that have
successfully authenticated themselves may use my web application. Some
other users (e.g. those being member of the admin group) may use
additional functionality of the application automatically depending on
their group membership (which is checked using method isUserInRole at
runtime).

It seems that the LDAP JNDIRealm of Tomcat automatically performs an
authorisation for given groups after a successful user authentication
... Is this generally the case, or do I have to change the config of my
JNDIRealm in some way?

This is the configuration as it appears in my server.xml

<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="99"
       connectionURL="ldap://ldap.mycompany.com:389"
       userBase="ou=People,dc=MyCompany,dc=COM"
       roleBase="ou=Groups,dc=MyCompany,dc=COM"
       roleSubtree="true"
       roleName="cn"
       userSearch="(uid={0})"
       roleSearch="(uniqueMember={0})"
/>

Thanks in advance for a hint.

Cheers,
chris




RE: JNDIRealm strangeness

2004-05-10 Thread Shane Linley
Well you have prompted me to respond once more!

Tomcat should not have to do anything to establish an encrypted SSL
connection to your LDAP server except pass on the correct parameters to the
chosen LDAP driver, and instantiate it. It is the LDAP driver's job to handle
all the nasty details of doing the SSL connection and talking LDAP. That
said, some LDAP driver factories do offer extra parameters for configuring
SSL parameters beyond the SECURITY_PROTOCOL parameter. (Of course, Tomcat
will be issuing the appropriate LDAP queries to do the Realm authentication,
etc.)

I took a quick look at the Tomcat JNDI Realm configuration document, and it
does specify that you can put in your own contextFactory, so if you have
another LDAP driver other than Sun's reference driver then you could try
that out to see if it fixes your problem. I don't know if OpenLDAP provides
their own Java LDAP driver but it's worth a look! Have a hunt around and see
what you can find. Technically speaking any driver that implements the LDAP
RFCs should be able to talk to any LDAP server that implements the RFCs, but
cruel reality often imposes itself :)

But yes, someone should get around to putting in a bug report about that
ldaps matter :) If it has not already been done, that is.

Regards,
Shane.

-Original Message-
From: Chong Yu Meng [mailto:[EMAIL PROTECTED]
Sent: Monday, 10 May 2004 11:53 AM
To: Tomcat Users List
Subject: Re: JNDIRealm strangeness


Hi Shane !

Thanks for your help! After experimenting over the weekend, I think that
this is probably a bug in the Tomcat code. I checked and corrected some
problems in my OpenLDAP setup, and verified that SSL/TLS connections can
be made successfully to it using ldapsearch. When I tried starting up
Tomcat again, it gave me the same error. I think Tomcat may not be able
to establish an encrypted connection to OpenLDAP. Unencrypted
connections on port 389 seem to be ok.

Incidentally, I'm also anal retentive (that, I am told, is a national
characteristic of my country), and I tried ldaps://, but Tomcat will
throw a parse error and will not accept the JNDI Realm parameters.

They may have fixed it in the just-released 5.0.24, though. Thanks for
your help, again ! I'm not on any specific timetable, so I don't need to
fix this soon. I'll direct my question to the Tomcat developers and see
if they are aware of the issue.

Regards,
pascal chong



Shane Linley wrote:

Hi,

What happens on failed connections IS driver specific, but it should NOT BY
DEFAULT switch to using a non-SSL connection, for the sake of security if
nothing else. The connection should be tried; if it fails
then it should send back the appropriate naming exception. That said, drivers
do accept configuration properties to modify their behaviour, so technically
anything is possible, based on your driver's documentation.

I have never used OpenLDAP so its error logs don't really mean all that much
to me, but having done similar things in the past you should look up your
error codes in the OpenLDAP documentation (but it's probably the OpenSSL
doco) as to what the error codes really mean to work out what the problem
is. I'm referring specifically to this line (as it does match up to the
"Request: 1 cancelled" message that the LDAP client driver reports).

  May  7 20:03:56 localhost slapd[6346]: connection_read(11): TLS accept
error error=-1 id=0, closing

That's all I have! Good luck.

Regards,
Shane.

P.S. The anal retentive part of me still wants you to specify the LDAP
connection as ldaps://server:636 but that is completely beside the point!
:)







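An added example, not code from the thread or from Tomcat, of the check the exchange above calls for: open a JNDI LDAP context with the same SECURITY_PROTOCOL setting the Realm passes to the driver, and report per URL/protocol pair whether a session could be established. The probe deliberately has no fallback of its own, so a TLS failure on 636 shows up as a failure rather than being masked by a later plain connection on 389, which is exactly the ambiguity the slapd log left open. The host and ports are placeholders; the class and method names are mine.

```java
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Probes one LDAP URL with or without SSL, with no fallback (added example). */
public class LdapTlsProbe {

    /** Outcome of a single connection attempt. */
    enum Result { CONNECTED, CONNECT_FAILED, LDAP_ERROR }

    static Hashtable<String, String> env(String url, boolean ssl, String bindDn, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        if (ssl) {
            env.put(Context.SECURITY_PROTOCOL, "ssl");   // the parameter Shane mentions
        }
        if (bindDn != null) {
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, bindDn);
            env.put(Context.SECURITY_CREDENTIALS, password);
        }
        return env;
    }

    static Result probe(String url, boolean ssl, String bindDn, String password) {
        try {
            DirContext ctx = new InitialDirContext(env(url, ssl, bindDn, password));
            ctx.close();
            return Result.CONNECTED;
        } catch (CommunicationException e) {
            // Transport-level failure: refused port, or a TLS handshake/certificate problem
            // (look at e.getRootCause() for the SSLException). Nothing is retried in the clear.
            return Result.CONNECT_FAILED;
        } catch (NamingException e) {
            return Result.LDAP_ERROR;   // reached the server but the bind or protocol failed
        }
    }

    public static void main(String[] args) {
        // Constructed matrix for a server with a TLS listener on 636 and a plain one on 389:
        //   636 with ssl=true must be CONNECTED, 636 with ssl=false must be CONNECT_FAILED.
        System.out.println("636/ssl  : " + probe("ldap://localhost:636", true, null, null));
        System.out.println("636/plain: " + probe("ldap://localhost:636", false, null, null));
        System.out.println("389/plain: " + probe("ldap://localhost:389", false, null, null));
    }
}
```

If the 636/ssl case fails while ldapsearch succeeds, the usual cause is the JVM trust store: the LDAP server's CA must be present in the store named by javax.net.ssl.trustStore (or the default cacerts) for the handshake to complete. Running this probe from the same JVM settings Tomcat starts with is what confirms whether the Realm is actually getting an encrypted session rather than a working plaintext one.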



RE: JNDIRealm strangeness

2004-05-09 Thread Shane Linley
Hi,

What happens on failed connections IS driver specific, but it should NOT BY
DEFAULT switch to using a non-SSL connection, for the sake of security if
nothing else. The connection should be tried; if it fails
then it should send back the appropriate naming exception. That said, drivers
do accept configuration properties to modify their behaviour, so technically
anything is possible, based on your driver's documentation.

I have never used OpenLDAP so its error logs don't really mean all that much
to me, but having done similar things in the past you should look up your
error codes in the OpenLDAP documentation (but it's probably the OpenSSL
doco) as to what the error codes really mean to work out what the problem
is. I'm referring specifically to this line (as it does match up to the
"Request: 1 cancelled" message that the LDAP client driver reports).

  May  7 20:03:56 localhost slapd[6346]: connection_read(11): TLS accept
error error=-1 id=0, closing

That's all I have! Good luck.

Regards,
Shane.

P.S. The anal retentive part of me still wants you to specify the LDAP
connection as ldaps://server:636 but that is completely beside the point!
:)

-Original Message-
From: Chong Yu Meng [mailto:[EMAIL PROTECTED]
Sent: Friday, 7 May 2004 8:17 PM
To: Tomcat Users List
Subject: Re: JNDIRealm strangeness


Hi Shane !

Thanks for the description and advice! I managed to finally turn on
OpenLDAP logging (a pain in Fedora Core 1), and set the loglevel to 256.
Here's what I get. When the Tomcat server starts up, the connection
errors seem to be related to port 636 :

May  7 19:51:50 localhost slapd[6049]: conn=4 fd=11 ACCEPT from IP=127.0.0.1:32892 (IP=0.0.0.0:636)
May  7 19:51:50 localhost slapd[6049]: conn=4 fd=11 closed
May  7 19:51:50 localhost slapd[6049]: conn=5 fd=11 ACCEPT from IP=127.0.0.1:32894 (IP=0.0.0.0:389)
May  7 19:51:50 localhost slapd[6049]: conn=5 op=0 BIND dn= method=128
May  7 19:51:50 localhost slapd[6049]: conn=5 op=0 RESULT tag=97 err=0 text=
May  7 19:52:02 localhost slapd[6049]: conn=6 fd=12 ACCEPT from IP=127.0.0.1:32895 (IP=0.0.0.0:636)
May  7 19:52:02 localhost slapd[6049]: conn=6 fd=12 closed
May  7 19:52:02 localhost slapd[6049]: conn=7 fd=12 ACCEPT from IP=127.0.0.1:32897 (IP=0.0.0.0:389)
May  7 19:52:02 localhost slapd[6049]: conn=7 op=0 BIND dn= method=128
May  7 19:52:02 localhost slapd[6049]: conn=7 op=0 RESULT tag=97 err=0 text=

Bumping up loglevel to 4095, I get these details for the errors on port 636:

May  7 20:03:56 localhost slapd[6346]: connection_read(11): TLS accept error error=-1 id=0, closing
May  7 20:03:56 localhost slapd[6346]: connection_closing: readying conn=0 sd=11 for close
May  7 20:03:56 localhost slapd[6346]: connection_close: conn=0 sd=11


Seems to indicate that there is something wrong with my SSL/TLS
connection. But my JNDIRealm still works ! Users can still authenticate
successfully. Does the connection fallback to port 389 if a connection
on 636 is not possible?

Thanks for the help, Shane ! If you have any further suggestions, I
would really appreciate it !

Regards,
pascal chong



Shane Linley wrote:

Hi,

Knowledge on configuring JNDIRealms security: zip!
Knowledge on the JNDI LDAP interface: guru!

The root cause, javax.naming.CommunicationException, refers to there being
an underlying network problem communicating between the LDAP client and
the LDAP server. The message received from the LDAP driver, "Request: 1
cancelled", is the reason given as to why this error occurred. As can be
seen, it's not very helpful. (I've been spoilt by receiving error codes from
servers and detailed messages and such.)

You appear to be using the Sun JNDI LDAP reference implementation, which I
found to not always offer the best error messages. I can't remember if it
has any extra logging capabilities (from memory it doesn't) to try and wring
more information out of the driver; however, the key to solving the problem
may lie elsewhere.

I would recommend turning on the detailed debugging in your LDAP server to
determine what error it is trying to communicate back to the LDAP driver
(and if the server is successfully contacted in this first instance), by of
course inspecting its logs. This approach I have had to use a number of
times on less than helpful LDAP drivers that don't seem to think good error
messages are needed. You are trying to use a secure SSL connection to the
LDAP server, but it does not appear to be SSL related, as you normally get a
specific SSL error back when it is SSL related, usually ugly and unhelpful.

Regards,
Shane.






-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





Re: JNDIRealm strangeness

2004-05-09 Thread Chong Yu Meng
Hi Shane !

Thanks for your help! After experimenting over the weekend, I think that 
this is probably a bug in the Tomcat code. I checked and corrected some 
problems in my OpenLDAP setup, and verified that SSL/TLS connections can 
be made successfully to it using ldapsearch. When I tried starting up 
Tomcat again, it gave me the same error. I think Tomcat may not be able 
to establish an encrypted connection to OpenLDAP. Unencrypted 
connections on port 389 seem to be ok.

Incidentally, I'm also anal retentive (that, I am told, is a national 
characteristic of my country), and I tried ldaps://, but Tomcat will 
throw a parse error and will not accept the JNDI Realm parameters.

They may have fixed it in the just-released 5.0.24, though. Thanks for 
your help, again ! I'm not on any specific timetable, so I don't need to 
fix this soon. I'll direct my question to the Tomcat developers and see 
if they are aware of the issue.

Regards,
pascal chong


Shane Linley wrote:

Hi,

What happens on failed connections IS driver specific, but it should NOT BY
DEFAULT switch to using a non-SSL connection, for the sake of security if
nothing else. An attempt should be made to establish the connection; if it
fails, then it should send back the appropriate naming exception. That said,
drivers do accept configuration properties to modify their behaviour, so
technically anything is possible, depending on your driver's documentation.

I have never used OpenLDAP, so its error logs don't really mean all that much
to me, but having done similar things in the past, you should look up your
error codes in the OpenLDAP documentation (but it's probably the OpenSSL
doco) as to what the error codes really mean, to work out what the problem
is. I'm referring specifically to this line (as it does match up to the
"Request: 1 cancelled" message that the LDAP client driver reports):

  May  7 20:03:56 localhost slapd[6346]: connection_read(11): TLS accept error error=-1 id=0, closing

That's all I have! Good luck.

Regards,
Shane.
P.S. The anal retentive part of me still wants you to specify the LDAP
connection as ldaps://server:636, but that is completely beside the point!
:)
 





JNDIRealm strangeness

2004-05-07 Thread Chong Yu Meng
Hi All !

I wonder if anyone has seen this anomaly, when following my instructions 
on setting up a JNDIRealm, on my website 
(http://cymulacrum.net/writings/adv_tomcat/c487.html). I wrote these 
instructions after version 5.0.19 of Tomcat came out and fixed the 
character encoding issue in the JNDIRealm.

In my document I described how to:
1. Set up OpenLDAP so it runs with SSL/TLS enabled
2. Set up Tomcat's JNDIRealm so that it communicates with
ldap://localhost:636, the secure port instead of 389.

I never noticed anything strange, because my JNDIRealm setup seemed to 
work fine, but when I tried to put SecurityFilter on, I found an error. 
Thinking that it was probably SecurityFilter, I looked at the logfiles, 
and I was surprised to find that, even before I had installed 
SecurityFilter, there was that same error being logged inside 
catalina.out. I just never bothered to look before because everything 
seemed to be running fine.

Here's what the error looks like. It only occurs on startup; all LDAP
operations work fine with no errors:

JNDIRealm[Catalina]: Connecting to URL ldap://localhost:636
JNDIRealm[Catalina]: Exception performing authentication
javax.naming.CommunicationException: Request: 1 cancelled
    at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:76)
    at com.sun.jndi.ldap.Connection.readReply(Connection.java:433)
    at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:356)
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:187)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2615)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:190)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:208)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:674)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:256)
    at javax.naming.InitialContext.init(InitialContext.java:232)
    at javax.naming.InitialContext.<init>(InitialContext.java:208)
    rest of errors snipped

I'm not really sure where to begin, or even if it is significant (since 
LDAP authentication still works). If you want to repeat this error for 
yourself, you can follow the instructions on my web page. Any help would 
be greatly appreciated !

Regards,
pascal chong




RE: JNDIRealm strangeness

2004-05-07 Thread Shane Linley
Hi,

Knowledge on configuring JNDIRealms security: zip!
Knowledge on the JNDI LDAP interface: guru!

The root cause, javax.naming.CommunicationException, refers to there being
an underlying network problem communicating between the LDAP client and
the LDAP server. The message received from the LDAP driver, "Request: 1
cancelled", is the reason given as to why this error occurred. As can be
seen, it's not very helpful. (I've been spoilt by receiving error codes from
servers and detailed messages and such.)

You appear to be using the Sun JNDI LDAP reference implementation, which I
found to not always offer the best error messages. I can't remember if it
has any extra logging capabilities (from memory it doesn't) to try and wring
more information out of the driver; however, the key to solving the problem
may lie elsewhere.

I would recommend turning on the detailed debugging in your LDAP server to
determine what error it is trying to communicate back to the LDAP driver
(and if the server is successfully contacted in this first instance), by of
course inspecting its logs. This approach I have had to use a number of
times on less than helpful LDAP drivers that don't seem to think good error
messages are needed. You are trying to use a secure SSL connection to the
LDAP server, but it does not appear to be SSL related, as you normally get a
specific SSL error back when it is SSL related, usually ugly and unhelpful.

Regards,
Shane.

-Original Message-
From: Chong Yu Meng [mailto:[EMAIL PROTECTED]
Sent: Friday, 7 May 2004 4:32 PM
To: Tomcat Users List
Subject: JNDIRealm strangeness


Hi All !

I wonder if anyone has seen this anomaly, when following my instructions
on setting up a JNDIRealm, on my website
(http://cymulacrum.net/writings/adv_tomcat/c487.html). I wrote these
instructions after version 5.0.19 of Tomcat came out and fixed the
character encoding issue in the JNDIRealm.

In my document I described how to:
1. Set up OpenLDAP so it runs with SSL/TLS enabled
2. Set up Tomcat's JNDIRealm so that it communicates with
ldap://localhost:636, the secure port instead of 389.

I never noticed anything strange, because my JNDIRealm setup seemed to
work fine, but when I tried to put SecurityFilter on, I found an error.
Thinking that it was probably SecurityFilter, I looked at the logfiles,
and I was surprised to find that, even before I had installed
SecurityFilter, there was that same error being logged inside
catalina.out. I just never bothered to look before because everything
seemed to be running fine.

Here's what the error looks like. It only occurs on startup; all LDAP
operations work fine with no errors:

JNDIRealm[Catalina]: Connecting to URL ldap://localhost:636
JNDIRealm[Catalina]: Exception performing authentication
javax.naming.CommunicationException: Request: 1 cancelled
    at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:76)
    at com.sun.jndi.ldap.Connection.readReply(Connection.java:433)
    at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:356)
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:187)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2615)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:190)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:208)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:674)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:256)
    at javax.naming.InitialContext.init(InitialContext.java:232)
    at javax.naming.InitialContext.<init>(InitialContext.java:208)
    rest of errors snipped

I'm not really sure where to begin, or even if it is significant (since
LDAP authentication still works). If you want to repeat this error for
yourself, you can follow the instructions on my web page. Any help would
be greatly appreciated !

Regards,
pascal chong









Re: JNDIRealm strangeness

2004-05-07 Thread Chong Yu Meng
Hi Shane !

Thanks for the description and advice! I managed to finally turn on 
OpenLDAP logging (a pain in Fedora Core 1), and set the loglevel to 256. 
Here's what I get. When the Tomcat server starts up, the connection
errors seem to be related to port 636:

May  7 19:51:50 localhost slapd[6049]: conn=4 fd=11 ACCEPT from IP=127.0.0.1:32892 (IP=0.0.0.0:636)
May  7 19:51:50 localhost slapd[6049]: conn=4 fd=11 closed
May  7 19:51:50 localhost slapd[6049]: conn=5 fd=11 ACCEPT from IP=127.0.0.1:32894 (IP=0.0.0.0:389)
May  7 19:51:50 localhost slapd[6049]: conn=5 op=0 BIND dn= method=128
May  7 19:51:50 localhost slapd[6049]: conn=5 op=0 RESULT tag=97 err=0 text=
May  7 19:52:02 localhost slapd[6049]: conn=6 fd=12 ACCEPT from IP=127.0.0.1:32895 (IP=0.0.0.0:636)
May  7 19:52:02 localhost slapd[6049]: conn=6 fd=12 closed
May  7 19:52:02 localhost slapd[6049]: conn=7 fd=12 ACCEPT from IP=127.0.0.1:32897 (IP=0.0.0.0:389)
May  7 19:52:02 localhost slapd[6049]: conn=7 op=0 BIND dn= method=128
May  7 19:52:02 localhost slapd[6049]: conn=7 op=0 RESULT tag=97 err=0 text=

Bumping up loglevel to 4095, I get these details for the errors on port 636:

May  7 20:03:56 localhost slapd[6346]: connection_read(11): TLS accept error error=-1 id=0, closing
May  7 20:03:56 localhost slapd[6346]: connection_closing: readying conn=0 sd=11 for close
May  7 20:03:56 localhost slapd[6346]: connection_close: conn=0 sd=11

Seems to indicate that there is something wrong with my SSL/TLS 
connection. But my JNDIRealm still works ! Users can still authenticate 
successfully. Does the connection fallback to port 389 if a connection 
on 636 is not possible?

Thanks for the help, Shane ! If you have any further suggestions, I 
would really appreciate it !

Regards,
pascal chong


Shane Linley wrote:

Hi,

Knowledge on configuring JNDIRealms security: zip!
Knowledge on the JNDI LDAP interface: guru!
The root cause, javax.naming.CommunicationException, refers to there being
an underlying network problem communicating between the LDAP client and
the LDAP server. The message received from the LDAP driver, "Request: 1
cancelled", is the reason given as to why this error occurred. As can be
seen, it's not very helpful. (I've been spoilt by receiving error codes from
servers and detailed messages and such.)

You appear to be using the Sun JNDI LDAP reference implementation, which I
found to not always offer the best error messages. I can't remember if it
has any extra logging capabilities (from memory it doesn't) to try and wring
more information out of the driver; however, the key to solving the problem
may lie elsewhere.

I would recommend turning on the detailed debugging in your LDAP server to
determine what error it is trying to communicate back to the LDAP driver
(and if the server is successfully contacted in this first instance), by of
course inspecting its logs. This approach I have had to use a number of
times on less than helpful LDAP drivers that don't seem to think good error
messages are needed. You are trying to use a secure SSL connection to the
LDAP server, but it does not appear to be SSL related, as you normally get a
specific SSL error back when it is SSL related, usually ugly and unhelpful.
Regards,
Shane.
 




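An added example, not code from the thread or from Tomcat, for two questions raised in the exchange above: what ldap://localhost:636 means to the client, and whether the realm falls back to port 389. The Java LDAP provider only starts TLS when the URL scheme is ldaps:// or when java.naming.security.protocol is "ssl" (the JNDIRealm attribute protocol="ssl"); a port number of 636 inside an ldap:// URL does not, so such a client sends cleartext LDAP to a TLS listener, which is consistent with slapd logging a TLS accept error and closing the socket. If an alternateURL is configured, the realm retries there once the connectionURL cannot be reached (documented JNDIRealm behaviour), which is how a TLS failure can silently turn into a working cleartext bind. The script below parses a server.xml fragment and flags these settings. Both sample fragments are constructed for this example; the alternateURL in the weak one is my assumption to model the observed fall-back, since the poster's actual server.xml is not shown.

```python
"""Added example, not code from the thread or from Tomcat: audit the TLS
posture of JNDIRealm connection settings found in a server.xml fragment.

The Java LDAP provider only starts TLS when the URL scheme is ldaps:// or
when java.naming.security.protocol is "ssl" (the realm's protocol="ssl"
attribute); the port number alone never turns TLS on, so ldap://host:636
is cleartext LDAP aimed at a TLS listener.  A cleartext alternateURL makes
a failed TLS connection degrade silently, because the realm retries on the
alternate URL after the first connection attempt fails.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Constructed sample: the ldap://localhost:636 setting from the thread plus
# a hypothetical alternateURL (my assumption, to model the observed fall-back
# to port 389; the thread never shows the author's server.xml).
WEAK_SERVER_XML = """<Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://localhost:636"
         alternateURL="ldap://localhost:389"
         userBase="ou=people,o=Cymulacrum" userSearch="(uid={0})"
         roleBase="ou=groups,o=Cymulacrum" roleName="cn"
         roleSearch="(uniqueMember={0})"/>
</Engine>"""

# Constructed sample: same realm with TLS actually enabled and no cleartext
# fall-back.  connectionURL="ldaps://localhost:636" is the other spelling.
HARDENED_SERVER_XML = """<Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://localhost:636" protocol="ssl"
         userBase="ou=people,o=Cymulacrum" userSearch="(uid={0})"
         roleBase="ou=groups,o=Cymulacrum" roleName="cn"
         roleSearch="(uniqueMember={0})"/>
</Engine>"""


def uses_tls(url, protocol=None):
    """True when the provider would wrap this URL's connection in TLS."""
    scheme = urlsplit(url).scheme.lower()
    return scheme == "ldaps" or (protocol or "").lower() == "ssl"


def audit_realm(realm):
    """Return (code, message) findings for one <Realm> element."""
    findings = []
    url = realm.get("connectionURL")
    if not url:
        return findings
    protocol = realm.get("protocol")  # one env setting, so it covers alternateURL too
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme.lower())
    if not uses_tls(url, protocol):
        findings.append(("CLEARTEXT", f"{url}: user passwords and searches travel over plaintext LDAP"))
        if port == 636:
            findings.append(("TLS_PORT_PLAINTEXT",
                             f"{url}: cleartext LDAP sent to the ldaps port; the server rejects the "
                             "handshake ('TLS accept error') and closes the socket"))
        if realm.get("connectionPassword"):
            findings.append(("SERVICE_CREDS_CLEARTEXT", "connectionName/connectionPassword are sent in the clear"))
    alt = realm.get("alternateURL")
    if alt and not uses_tls(alt, protocol):
        findings.append(("ALT_CLEARTEXT",
                         f"alternateURL {alt} is plaintext: after a failed connect on the primary URL "
                         "the realm retries here and authentication silently continues unencrypted"))
    return findings


def audit_server_xml(xml_text):
    """Map each JNDIRealm connectionURL in the fragment to its findings."""
    root = ET.fromstring(xml_text)
    return {
        realm.get("connectionURL"): audit_realm(realm)
        for realm in root.iter("Realm")
        if realm.get("className", "").endswith("JNDIRealm")
    }


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for url, findings in audit_server_xml(xml_text).items():
            print(f"[{label}] {url}: {len(findings)} finding(s)")
            for code, msg in findings:
                print(f"    {code}: {msg}")
```

Run it against your own server.xml by passing the file contents to audit_server_xml; an empty finding list for a realm means the primary URL is TLS and no cleartext fall-back is configured.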

JNDIRealm in Tomcat 5

2004-01-27 Thread Vincent
Hello All,
I searched the archive but have not seen a situation like mine.
I am in the process of upgrading to tomcat 5.0.16 from 4.1.29.
I'm happy to say that my webapp seems to be running fine under tomcat 5
with one important exception. My configured JNDIRealm seems to be 
failing. The main problem is that I cannot seem to get the logger
to report the realm's errors to me. I have the realm within engine
and both engine and realm are set to debug=99. Is there something 
else I need to do?
Thanks.
Vincent




Tomcat 5.0.18, JNDIRealm and disabling RFC2254 encoding

2004-01-22 Thread frank delin
Is there a flag you can use in the Realm declaration portion of server.xml
that turns off the RFC2254 encoding in the JNDI Realm? Upgrading my LDAP
server is low on my list of things I'd like to do soon.

I use this currently


<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="99"
       connectionURL="ldap://ldap0.our.domain.name"
       roleName="cn"
       roleBase="ou=Group,dc=our,dc=domain,dc=name"
       roleSearch="(uniqueMember={0})"
       userBase="dc=our,dc=domain,dc=name"
       userSubtree="true"
       userSearch="uid={0}"/>

I didn't see anything in the source to suggest RFC2254=false, but here's
hoping.

Thanks,

Frank




JNDIRealm question

2003-12-01 Thread Chong Yu Meng
Hi All,

I have a configuration that is not covered in the JNDIRealm HOWTO, and 
was wondering if someone else has tried this before :

I am using OpenLDAP 2.1.22 on Red Hat 9. For the DN, I am using the CN 
instead of the UID (i.e., dn: cn=Zhu De,ou=People,o=Cymulacrum instead 
of uid=zhude,ou=People,o=Cymulacrum), and the roles recognized by Tomcat 
are in the Groups OU.

My question: how do I set up a Tomcat JNDI Realm such that it looks up 
roles based on the UID instead of the DN? In the JNDIRealm HOWTO, the 
instructions assume that the DN is using the UID instead of the CN. For 
the userSearch, I would substitute with (uid={0}), since I need to do a 
search and comparison with an attribute. But to retrieve the role ... 
I'm not so sure about how to do this. I'm thinking that the stanza below 
would not work (no, I haven't tried it yet). Does anyone know how it 
should look?

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://localhost:389"
       userBase="ou=people,o=Cymulacrum"
       userSearch="(uid={0})"
       userRoleName="memberOf"
       roleBase="ou=groups,o=Cymulacrum"
       roleName="cn"
       roleSearch="(uniqueMember={0})"
/>
Using the CN instead of the UID for the DN is actually (in my experience 
anyway) quite common -- Lotus Domino/Notes uses the CN for logging in, 
and Novell eDirectory too (though I suppose both can be configured to 
use the UID instead).

Thanks in advance,

pascal chong







Problem with JNDIRealm

2003-11-26 Thread Jörn Heid

I have successfully installed mod_auth_ldap with Apache.
Here's the configuration:

LDAP_Protocol_Version 2
LDAP_Server server
LDAP_Port port
Base_DN ou=People,o=company,c=DE
UID_Attr_Alt uid
require valid-user
Bind_DN cn=appadmin,o=company,c=DE
Bind_Pass password



I want to use this in Tomcat. I tested a lot of configurations. Here's one
of them:


<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://server:port"
       userPattern="uid={0},ou=People,o=company,c=DE"
       roleBase="ou=People,o=company,c=DE"
       roleName="uid"
       roleSearch="(uid={0})"
       roleSubtree="true"
       connectionName="cn=appadmin,o=company,c=DE"
       connectionPassword="password"
/>

When testing it with a working user/pass combination I get:

2003-11-26 21:17:29 JNDIRealm[Standalone]: lookupUser(jheid)
2003-11-26 21:17:29 JNDIRealm[Standalone]:   dn=uid=jheid,ou=People,o=Company,c=DE
2003-11-26 21:17:29 JNDIRealm[Standalone]:   validating credentials by binding as the user
2003-11-26 21:17:29 JNDIRealm[Standalone]:   binding as uid=jheid,ou=People,o=Company,c=DE
2003-11-26 21:17:29 JNDIRealm[Standalone]: Exception performing authentication
javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name ''
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3013)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
    at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1294)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:213)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:121)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:109)
    at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:121)
    at org.apache.catalina.realm.JNDIRealm.bindAsUser(JNDIRealm.java:127




But when I'm using a wrong user/pass combination, I get:

2003-11-26 21:27:59 JNDIRealm[Standalone]:   bind attempt failed
2003-11-26 21:27:59 JNDIRealm[Standalone]: Username jheid NOT successfully
authenticated



Can anybody help me please?

JOERN




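An added example, not code from Tomcat or from any poster, for three points raised above: the RFC 2254 encoding Frank asks to switch off, the question of looking up roles by UID instead of by DN, and the roleSearch of (uid={0}) in the configuration just above. In a JNDIRealm roleSearch, {0} is replaced by the authenticated user's DN and {1} by the login name (per the JNDIRealm documentation), so (uid={0}) compares the uid attribute against the whole DN and can never match a plain uid, whereas a group search keyed on the uid uses {1}, for example (memberUid={1}). The escaping applied to both values is what keeps a typed login name from becoming filter syntax, which is the trade-off behind turning it off. The function names, the sample DN and the attack string are mine.

```python
"""Added example, not code from Tomcat or from anyone on the thread: how a
JNDIRealm-style search filter is built from its template, what the RFC 2254
escaping the thread wants to switch off actually does, and why it matters.

Substitution semantics as documented for JNDIRealm's roleSearch: {0} is the
user's distinguished name, {1} is the name the user typed at login.  The
escape table is RFC 2254 section 4; function names and sample inputs are mine.
"""

# RFC 2254 section 4: characters with special meaning inside a filter value.
RFC2254_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def rfc2254_encode(value):
    """Escape one assertion value so it can only ever be matched literally."""
    return "".join(RFC2254_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, user_dn, username, encode=True):
    """Fill a userSearch/roleSearch template.

    encode=False reproduces the 'RFC2254=false' behaviour the thread asks
    for: the raw strings land inside the filter, operators included.
    """
    dn = rfc2254_encode(user_dn) if encode else user_dn
    name = rfc2254_encode(username) if encode else username
    return template.replace("{0}", dn).replace("{1}", name)


def structure_changed(template, filled):
    """Cheap injection detector: substituting values may never add or remove
    filter parentheses, so a different count means a value became syntax."""
    return (filled.count("("), filled.count(")")) != (template.count("("), template.count(")"))


# Constructed sample directory data (not from any poster's directory).
USER_DN = "uid=jheid,ou=People,o=company,c=DE"
USERNAME = "jheid"
ATTACK = "*)(objectClass=*"  # turns (uid=...) into a match-all clause


def demo():
    """Return the filters discussed in the lead-in, keyed by case."""
    return {
        # roleSearch="(uid={0})" compares uid against the whole DN: never matches
        "role_by_dn": build_filter("(uid={0})", USER_DN, USERNAME),
        # roleSearch="(memberUid={1})" is the 'roles by uid' form
        "role_by_uid": build_filter("(memberUid={1})", USER_DN, USERNAME),
        # the usual group membership search keyed on the member's DN
        "group_by_member_dn": build_filter("(uniqueMember={0})", USER_DN, USERNAME),
        # the same login filter with escaping off and on
        "injection_unescaped": build_filter("(&(uid={1})(objectClass=person))", USER_DN, ATTACK, encode=False),
        "injection_escaped": build_filter("(&(uid={1})(objectClass=person))", USER_DN, ATTACK),
    }


if __name__ == "__main__":
    for case, flt in demo().items():
        print(f"{case:22s} {flt}")
```

The escaped login filter still contains the attacker's characters, but as the hex escapes \2a, \29 and \28, so the server compares them literally instead of parsing them; the unescaped form gains an extra (objectClass=*) clause and matches every person entry.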

Re: Problem with JNDIRealm

2003-11-26 Thread Chong Yu Meng
It looks like one of your attributes is missing (i.e. null). Do you have 
a role associated with the username? I'm also having problems with 
JNDIRealm -- I can't get it working! Going to check if it is because 
I'm missing some libraries.

Regards,
pascal chong
Jörn Heid wrote:

I have successfully installed mod_auth_ldap with Apache.
Here's the configuration:
LDAP_Protocol_Version 2
LDAP_Server server
LDAP_Port port
Base_DN ou=People,o=company,c=DE
UID_Attr_Alt uid
require valid-user
Bind_DN cn=appadmin,o=company,c=DE
Bind_Pass password


I want to use this in Tomcat. I tested a lot of configurations. Here's one
of them:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://server:port"
       userPattern="uid={0},ou=People,o=company,c=DE"
       roleBase="ou=People,o=company,c=DE"
       roleName="uid"
       roleSearch="(uid={0})"
       roleSubtree="true"
       connectionName="cn=appadmin,o=company,c=DE"
       connectionPassword="password"
/>
When testing it with a working user/pass combination I get:

2003-11-26 21:17:29 JNDIRealm[Standalone]: lookupUser(jheid)
2003-11-26 21:17:29 JNDIRealm[Standalone]:   dn=uid=jheid,ou=People,o=Company,c=DE
2003-11-26 21:17:29 JNDIRealm[Standalone]:   validating credentials by binding as the user
2003-11-26 21:17:29 JNDIRealm[Standalone]:   binding as uid=jheid,ou=People,o=Company,c=DE
2003-11-26 21:17:29 JNDIRealm[Standalone]: Exception performing authentication
javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name ''
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3013)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
    at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1294)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:213)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:121)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:109)
    at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:121)
    at org.apache.catalina.realm.JNDIRealm.bindAsUser(JNDIRealm.java:127


But when I'm using a wrong user/pass combination, I get:

2003-11-26 21:27:59 JNDIRealm[Standalone]:   bind attempt failed
2003-11-26 21:27:59 JNDIRealm[Standalone]: Username jheid NOT successfully
authenticated


Can anybody help me please?

JOERN



 





RE: Extending JNDIRealm

2003-11-25 Thread Hart, Justin
Ok, why?

What am I doing that should cause a stack overflow?

Justin

-Original Message-
From: Tim Funk [mailto:[EMAIL PROTECTED]
Sent: Monday, November 24, 2003 7:26 PM
To: Tomcat Users List
Subject: Re: Extending JNDIRealm


Odd, based on what I see so far, I would expect it to crash with a 
StackOverflow exception.

-Tim

Hart, Justin wrote:
 Whoops, the code is actually as follows...
 
 Not sure what's going on with this code... I'm attempting to extend JNDIRealm so I 
 can add a few features I need for my site; I have an interesting issue, however.
 
 If, I try this :
 
 public Principal authenticate(DirContext context, String username, String credentials)
         throws NamingException {
     Principal authPrincipal = null;
     System.out.println(username);
     authPrincipal = super.authenticate(username, credentials);
     return authPrincipal;
 }
 
 username gets printed, and the system works properly
 
 However, if I try something akin to this
 
 public Principal authenticate(DirContext context, String username, String credentials)
         throws NamingException {
     Principal authPrincipal = null;
     System.out.println(username.length());
     authPrincipal = super.authenticate(username, credentials);
     return authPrincipal;
 }
 
 It crashes with a null pointer exception.








Re: Extending JNDIRealm

2003-11-25 Thread Tim Funk
Based on what I saw so far ...
In JNDIRealm, authenticate(String, String) gets a DirContext and calls
authenticate(DirContext, String, String).
Your code snippet, which I assume overrides authenticate(DirContext, String, 
String), calls super.authenticate(String, String).

Then ... super.authenticate(String, String) calls authenticate(DirContext, 
String, String), which you have overridden, which is indirect recursion.

-Tim

Hart, Justin wrote:
Ok, why?

What am I doing that should cause a stack overflow?

Justin

-Original Message-
From: Tim Funk [mailto:[EMAIL PROTECTED]
Sent: Monday, November 24, 2003 7:26 PM
To: Tomcat Users List
Subject: Re: Extending JNDIRealm
Odd, based on what I see so far, I would expect it to crash with a 
StackOverflow exception.

-Tim

Hart, Justin wrote:

Whoops, the code is actually as follows...

Not sure what's going on with this code... I'm attempting to extend JNDIRealm so I can add a few features I need for my site; I have an interesting issue, however.

If, I try this :

public Principal authenticate(DirContext context, String username, String credentials)
        throws NamingException {
    Principal authPrincipal = null;
    System.out.println(username);
    authPrincipal = super.authenticate(username, credentials);
    return authPrincipal;
}
username gets printed, and the system works properly

However, if I try something akin to this

public Principal authenticate(DirContext context, String username, String credentials)
        throws NamingException {
    Principal authPrincipal = null;
    System.out.println(username.length());
    authPrincipal = super.authenticate(username, credentials);
    return authPrincipal;
}
It crashes with a null pointer exception.










RE: Extending JNDIRealm

2003-11-25 Thread Hart, Justin
I *cough* didn't download the JNDIRealm code.  I'll go look into that.

Justin

-Original Message-
From: Tim Funk [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 25, 2003 9:28 AM
To: Tomcat Users List
Subject: Re: Extending JNDIRealm


Based on what I saw so far ...
In JNDIRealm, authenticate(String, String) gets a DirContext and calls
authenticate(DirContext, String, String).

Your code snippet, which I assume overrides authenticate(DirContext, String, 
String), calls super.authenticate(String, String).

Then ... super.authenticate(String, String) calls authenticate(DirContext, 
String, String), which you have overridden, which is indirect recursion.

-Tim


Hart, Justin wrote:
 Ok, why?
 
 What am I doing that should cause a stack overflow?
 
 Justin
 
 -Original Message-
 From: Tim Funk [mailto:[EMAIL PROTECTED]
 Sent: Monday, November 24, 2003 7:26 PM
 To: Tomcat Users List
 Subject: Re: Extending JNDIRealm
 
 
 Odd, based on what I see so far, I would expect it to crash with a 
 StackOverflow exception.
 
 -Tim
 
 Hart, Justin wrote:
 
Whoops, the code is actually as follows...

Not sure what's going on with this code... I'm attempting to extend JNDIRealm so I 
can add a few features I need for my site; I have an interesting issue, however.

If, I try this :

public Principal authenticate(DirContext context, String username, String credentials)
        throws NamingException {
    Principal authPrincipal = null;
    System.out.println(username);
    authPrincipal = super.authenticate(username, credentials);
    return authPrincipal;
}

username gets printed, and the system works properly

However, if I try something akin to this

public Principal authenticate(DirContext context, String username, String credentials)
        throws NamingException {
    Principal authPrincipal = null;
    System.out.println(username.length());
    authPrincipal = super.authenticate(username, credentials);
    return authPrincipal;
}

It crashes with a null pointer exception.
 
 
 
 
 
 
 
 
 







RE: Extending JNDIRealm

2003-11-25 Thread Hart, Justin
Wait, reading the stack trace doesn't show anything like that.

No, that can't be the issue.

Justin

-Original Message-
From: Hart, Justin 
Sent: Tuesday, November 25, 2003 9:30 AM
To: Tomcat Users List
Subject: RE: Extending JNDIRealm


I *cough* didn't download the JNDIRealm code.  I'll go look into that.

Justin

-Original Message-
From: Tim Funk [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 25, 2003 9:28 AM
To: Tomcat Users List
Subject: Re: Extending JNDIRealm


Based on what I saw so far ...
In JNDIRealm, authenticate(String, String) gets a DirContext and calls
authenticate(DirContext, String, String).

Your code snippet, which I assume overrides authenticate(DirContext, String, 
String), calls super.authenticate(String, String).

Then ... super.authenticate(String, String) calls authenticate(DirContext, 
String, String), which you have overridden, which is indirect recursion.

-Tim


Hart, Justin wrote:
 Ok, why?
 
 What am I doing that should cause a stack overflow?
 
 Justin
 
 -Original Message-
 From: Tim Funk [mailto:[EMAIL PROTECTED]
 Sent: Monday, November 24, 2003 7:26 PM
 To: Tomcat Users List
 Subject: Re: Extending JNDIRealm
 
 
 Odd, based on what I see so far, I would expect it to crash with a 
 StackOverflow exception.
 
 -Tim
 
 Hart, Justin wrote:
 
Whoops, the code is actually as follows...

Not sure what's going on with this code... I'm attempting to extend JNDIRealm so I 
can add a few features I need for my site; I have an interesting issue, however.

If, I try this :

public Principal authenticate(DirContext context, String username, String credentials)
        throws NamingException {
    Principal authPrincipal = null;
    System.out.println(username);
    authPrincipal = super.authenticate(username, credentials);
    return authPrincipal;
}

username gets printed, and the system works properly

However, if I try something akin to this

public Principal authenticate(DirContext context, String username, String credentials)
        throws NamingException {
    Principal authPrincipal = null;
    System.out.println(username.length());
    authPrincipal = super.authenticate(username, credentials);
    return authPrincipal;
}

It crashes with a null pointer exception.
 
 
 
 
 
 
 
 
 




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: Extending JNDIRealm

2003-11-25 Thread Hart, Justin
Read through the code, ran some example stuff.  What I'm doing in my implementation is 
fine.

Justin

-Original Message-
From: Hart, Justin 
Sent: Tuesday, November 25, 2003 9:31 AM
To: Tomcat Users List
Subject: RE: Extending JNDIRealm


Wait, reading the stack trace doesn't show anything like that.

No, that can't be the issue.

Justin

-Original Message-
From: Hart, Justin 
Sent: Tuesday, November 25, 2003 9:30 AM
To: Tomcat Users List
Subject: RE: Extending JNDIRealm


I *cough* didn't download the JNDIRealm code.  I'll go look into that.

Justin



RE: Extending JNDIRealm

2003-11-25 Thread Hart, Justin
Ok, for those interested, here's the real issue.

At some point in time (I don't know enough about Tomcat to know when or why), before 
Tomcat has your username (at least with my config files, but it looks common since 
JNDIRealm is checking for it too), authenticate is called with a null username.  Since 
the username is null, taking its length causes a null pointer exception.  I added a 
check, and now it works fine.

Justin



Extending JNDIRealm

2003-11-24 Thread Hart, Justin
Not sure what's going on with this code...  I'm attempting to extend JNDIRealm so I can 
add a few features I need for my site. I have an interesting issue, however.

If I try this:

public Principal authenticate(DirContext context, String username, String 
credentials) throws NamingException {
Principal authPrincipal = null;
System.out.println(username);
super.authenticate(username, credentials);
}

username gets printed, and the system works properly

However, if I try something akin to this

public Principal authenticate(DirContext context, String username, String 
credentials) throws NamingException {
Principal authPrincipal = null;
System.out.println(username.length());
super.authenticate(username, credentials);
}

It crashes with a null pointer exception.

Eh?


Justin




RE: Extending JNDIRealm

2003-11-24 Thread Hart, Justin
Whoops, the code is actually as follows...

Not sure what's going on with this code...  I'm attempting to extend JNDIRealm so I can 
add a few features I need for my site. I have an interesting issue, however.

If I try this:

public Principal authenticate(DirContext context, String username, String 
credentials) throws NamingException {
Principal authPrincipal = null;
System.out.println(username);
authPrincipal = super.authenticate(username, credentials);
return authPrincipal;
}

username gets printed, and the system works properly

However, if I try something akin to this

public Principal authenticate(DirContext context, String username, String 
credentials) throws NamingException {
Principal authPrincipal = null;
System.out.println(username.length());
authPrincipal = super.authenticate(username, credentials);
return authPrincipal;
}

It crashes with a null pointer exception.

Eh?


Justin




Re: Extending JNDIRealm

2003-11-24 Thread Tim Funk
Odd, based on what I see so far, I would expect it to crash with a 
StackOverFlow exception.

-Tim

Hart, Justin wrote:
Whoops, the code is actually as follows...

Not sure what's going on with this code...  I'm attempting to extend JNDIRealm so I can add a few features I need for my site. I have an interesting issue, however.

If I try this:

public Principal authenticate(DirContext context, String username, String 
credentials) throws NamingException {
Principal authPrincipal = null;
System.out.println(username);
authPrincipal = super.authenticate(username, credentials);
return authPrincipal;
}
username gets printed, and the system works properly

However, if I try something akin to this

public Principal authenticate(DirContext context, String username, String 
credentials) throws NamingException {
Principal authPrincipal = null;
System.out.println(username.length());
authPrincipal = super.authenticate(username, credentials);
return authPrincipal;
}
It crashes with a null pointer exception.




RE: JNDIRealm...more

2003-11-06 Thread Dean Searle
getRemoteUser(), if you're familiar with JSPs then you'll know how to use
it. Unfortunately I don't, but I guess that is why we have web
application developers on staff. :-)

Dean Searle
Computing Oasis
989.245.7369 (p)
989.921.3904 (f)

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 05, 2003 5:00 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Thanks for the pointer, I'll see about pointing to one of our 2 mail
servers.  I wonder if they talk back and forth.
Also,
Do you know how I can extract the signed-on user's user-id once they've
authenticated?
robyne

-Original Message-
From: Dean Searle [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 05, 2003 2:06 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Great to hear that information worked for you. I included the
alternateURL in the event our primary AD went down for one reason or
another and our users could still access the password protected sites.
Without an alternate AD active or specified you will not have access to
your web applications.


-Original Message-
From:   Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent:   Wed 11/5/2003 13:46
To: Tomcat Users List
Cc: 
Subject:RE: JNDIRealm...more
Dean!
Mine works!
A thousand thanks!
I hope I can return the favor some time.
Your nice explanation helped. 
 
I did not need the alternateURL in mine.  I found out that we have 2 mail
servers, well the server.xml only allows for 1 alternate.  I decided to
try it without any and it worked.

Much appreciation,
Robyne Vaughn
  

-Original Message-
From: Dean Searle [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 9:48 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Hello,

I hope that I am not too late to post here. I have just returned to the
land of the living and have started to catch up on my reading. I noticed
that Robyne you were trying to find the collective all for your users.
I have just recently figured this out after working on it for two days.
Here is my working server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://your.AD.com"
       alternateURL="ldap://other.AD.com"
       connectionName="cn=USER DISPLAY NAME,ou=FIRST SUB-GROUP,dc=AD,dc=com"
       connectionPassword="XX"
       referrals="follow"
       userBase="dc=AD,dc=com"
       userSearch="(&amp;(sAMAccountName={0})(objectClass=user))"
       userSubtree="true"
       roleBase="dc=AD,dc=com"
       roleSearch="(uniqueMember={0})"
       roleName="cn"
       />

KEY:

cn = common name
ou = organizational unit
dc = domain controller

your.AD.com          www.yahoo.com
other.AD.com         mail.yahoo.com
USER DISPLAY NAME    This is the full name that shows up in your AD, i.e. the
                     user might be johnd but the full name is John Doe.
                     For the connection name and password, it must be a user
                     that has authority to access AD. This part is necessary
                     to connect.
FIRST SUB-GROUP      This depends on how your organization is built in AD.
                     You might have departments like: Accounting, Human
                     Resources, Information Technologies.

In an AD structure it might look something like this:

COM
|
|_Yahoo
  |
  |_Accounting
  |   |_John Doe
  |
  |_Information Technologies
  |   |_Jack Daniels
  |
  |_Human Resources
      |_Mary Jane

sAMAccountName       is the account name you most commonly log into your
                     computers with
objectClass=user     this should be user, as defined in AD, unless your sys
                     admin or someone has tampered with the AD.
referrals=follow     this is necessary to traverse the full AD without
                     knowing the user's base location.

I hope that this clears up some issues for you. Please let me know if I
can help you more.


Dean E. Searle
Computing Oasis
989.245.7369 (P)
989.921.3904 (F)
 


-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 1:25 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Thanks.

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 12:10 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Good luck.

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 1:07 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Thanks, Justin,
You've given me some good pointers.  I guess I'll do some more hammering
and snooping. Our AD is on a server and the administrators gave me an
administrator type password to try hitting it with, but they don't want
me snooping around too much.  I don't actually have direct access to it.
Like I said, I have hit it with some JNDI, but that is new to me also,
and I still couldn't discover the tree structure adequately. 
Anyway, I guess I'll try

RE: JNDIRealm...more

2003-11-06 Thread Hart, Justin
getRemoteUser() will give you the username of the user logged in.  This is going to be 
the name that they typed in when they got authenticated, not their DN.

Justin


RE: JNDIRealm...more

2003-11-06 Thread Robyne Vaughn
I can use that.  Thanks.
Robyne


JNDIRealm with UserMapping (was: Trust Store and Credentials)

2003-11-05 Thread Mario Ivankovits
Bill Barker wrote:

Speaking only for myself, it is because of the dependencies on sun.**
classes (so it won't work with e.g. IBM's JVM).  Otherwise the patch looks
Ok.  I just haven't had enough spare cycles to work out how to remove the
Sun dependencies.
 

Ah, yes, I see, but this is true for the JNDIRealmCertAD (which is for 
Windows-ActiveDirectory) only.
I think we could leave this out, since there might be better solutions 
(JAAS) for this environment.

JNDIRealmCertOpenExchange does not rely on sun.* and therefore could be a 
candidate for adding.

Ciao,
Mario




RE: JNDIRealm...more

2003-11-05 Thread Robyne Vaughn
Dean,
WOW, this is enlightening.  
Thanks,  I'll let you know how it goes.  I believe I have the connection
name part working.  I have not been able to find the user.  This helps a
lot.  
Much appreciation,
I'll let you know how it goes.
Rob


-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 1:07 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Thanks, Justin,
You've given me some good pointers.  I guess I'll do some more hammering
and snooping. Our AD is on a server and the administrators gave me an
administrator type password to try hitting it with, but they don't want
me snooping around too much.  I don't actually have direct access to it.
Like I said, I have hit it with some JNDI, but that is new to me also,
and I still couldn't discover the tree structure adequately. 
Anyway, I guess I'll try to pull things out of the loading script and my
LDAP books.  It's so frustrating.  I can't find and the administrators
don't know where the collective all of our users are located.  They
found an example script, used it, and don't really know what they have
yet.

I really appreciate your time.
Thanks, 
Rob
Ps I expect I'll have more questions later.  Right now, I'm still stuck
just figuring out where all users are.

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 11:40 AM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Oh, for the AD LDAP, I've been using the programs that came with Active
Directory.  There is also an ldp.exe, I dunno where that came from, but
that's pretty useful.

-Original Message-
From: Hart, Justin 
Sent: Tuesday, November 04, 2003 12:39 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


I used * as my role-name.

Justin

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 12:38 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Justin, 
I REALLY appreciate your help.  I've been stuck for a while.
I believe that Users  is a CN .  (scanning thru the script, I don't see
Users ever set as an OU, but I do see it as a CN.)

How are you browsing around in AD's LDAP?  I have a jndi

RE: JNDIRealm...more

2003-11-05 Thread Hart, Justin
Ok, cool, so, now I have a question about the parts:

roleBase=OU=Users,OU=[my OU],DC=[Domain],DC=com
roleName=memberOf 
roleSearch=(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC=com)

This is going to specify what roles apply to the user under the role-name portion 
of the web.xml, correct?  As well as for use with isUserInRole(), right?

If I want the roles that apply to my user to be their NT Groups, would I make it 
something akin to:

roleBase=CN=Users,DC=[Domain],DC=com
roleName=memberOf

Will it take all of their roles, even with roleSearch specified?

Am I on the Right Track(tm) with all of this?

Justin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, November 03, 2003 4:16 PM
To: [EMAIL PROTECTED]
Subject: RE: JNDIRealm...more


Here's what I have... this works for me... hope this helps

<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="99"
       connectionURL="ldap://[domain controller]:389"
       userBase="OU=Users,OU=[My OU],DC=[Domain],DC=com"
       userSearch="(sAMAccountName={0})"
       userRoleName="member"
       roleBase="OU=Users,OU=[my OU],DC=[Domain],DC=com"
       roleName="memberOf"
       roleSearch="(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC=com)"
       connectionName="CN=Administrator,CN=Users,DC=[Domain],DC=com"
       connectionPassword="[password]"
       roleSubtree="true"
       userSubtree="true"/>





RE: JNDIRealm...more

2003-11-05 Thread Hart, Justin
Ok, figured it out.  For those who are curious (i.e. the handful of other people who've 
been taking part in JNDIRealm threads on this list):

roleBase=OU=Users,OU=[Your OU from the userBase],DC=[Domain],DC=com
roleName=memberOf
roleSearch=(Whatever group all members allowed to log in should be a part of)

Now, when you refer to their role in the rest of your application, you use the DN of 
the NT Group that they are supposed to be a part of.  That way, you can use NT 
permissions to control your web app.

Justin




server.xml JNDIRealm

2003-11-05 Thread Hart, Justin
Ok, more nifty questions from myself.

The format that the rest of the company uses for NT Authentication is 
[domain].com\[username] in the username field, and then [pass] in the password field.

The NT Admins would really like if my application would do the same (so as not to 
throw off users).

Is it possible to split characters off of the username field before providing them to 
the userSearch query... i.e. 

userSearch="(sAMAccountName={0})" with the [domain].com\ part gone?


Justin

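As an added example (it is not Tomcat's JNDIRealm code and not from anyone in this thread), the following Python models the flow Justin's two posts above describe: the "[domain].com\" prefix is stripped from the typed login before it is substituted for {0} in userSearch, the value is escaped as an LDAP filter literal, the user is looked up in a constructed in-memory directory, login is gated on the group that roleSearch names, and the user's NT groups come back as roles named by their DNs. Directory entries, DNs, passwords and domain names are all made up for the example.

```python
"""Model of the JNDIRealm login flow discussed in the thread (added example,
not Tomcat code). It follows the intent Justin states: userSearch finds the
user, the bind as that DN checks the password, every login must belong to
the gate group, and roleName="memberOf" makes the group DNs the roles."""
import hmac
import re

# Constructed sample directory (made up for this example): DN -> attributes.
DIRECTORY = {
    "CN=John Doe,OU=Users,OU=Sales,DC=example,DC=com": {
        "sAMAccountName": "johnd",
        "memberOf": [
            "CN=tomcat,CN=Users,DC=example,DC=com",
            "CN=Sales,CN=Users,DC=example,DC=com",
        ],
    },
    "CN=Mary Jane,OU=Users,OU=HR,DC=example,DC=com": {
        "sAMAccountName": "maryj",
        "memberOf": ["CN=HR,CN=Users,DC=example,DC=com"],
    },
}
# Constructed stand-in for the LDAP bind the realm performs with the user's DN.
PASSWORDS = {
    "CN=John Doe,OU=Users,OU=Sales,DC=example,DC=com": "john-pass",
    "CN=Mary Jane,OU=Users,OU=HR,DC=example,DC=com": "mary-pass",
}

USER_SEARCH = "(sAMAccountName={0})"                # as in the thread's server.xml
GATE_GROUP = "CN=tomcat,CN=Users,DC=example,DC=com"  # the group roleSearch names

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515) so that what the
    user typed is matched literally instead of being parsed as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def normalize_login(raw_login):
    """Drop a leading "[domain].com\\" and surrounding whitespace."""
    return raw_login.strip().split("\\", 1)[-1].strip()


def build_user_filter(raw_login):
    """Substitute the escaped login for {0} in the userSearch template."""
    return USER_SEARCH.replace("{0}", escape_filter_value(normalize_login(raw_login)))


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search(ldap_filter):
    """Evaluate one equality filter against the sample directory; attribute
    names and values are compared case-insensitively, as AD does."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("only simple (attr=value) filters are modelled")
    attr, wanted = m.group(1).lower(), _unescape(m.group(2)).lower()
    hits = []
    for dn, attrs in DIRECTORY.items():
        for name, values in attrs.items():
            if name.lower() != attr:
                continue
            values = values if isinstance(values, list) else [values]
            if any(v.lower() == wanted for v in values):
                hits.append(dn)
    return hits


def is_user_in_role(roles, role_dn):
    """What a webapp's isUserInRole() compares against: the group's DN."""
    return role_dn.lower() in (r.lower() for r in roles)


def authenticate(raw_login, password):
    """Return (user_dn, roles) on success, None otherwise."""
    if not normalize_login(raw_login):
        return None
    hits = search(build_user_filter(raw_login))
    if len(hits) != 1:                       # unknown or ambiguous user: refuse
        return None
    dn = hits[0]
    if not hmac.compare_digest(PASSWORDS.get(dn, "").encode(), password.encode()):
        return None                          # the bind as the user's DN failed
    roles = list(DIRECTORY[dn]["memberOf"])  # roleName="memberOf": roles are group DNs
    if not is_user_in_role(roles, GATE_GROUP):
        return None                          # not in the group every login must hold
    return dn, roles
```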



RE: JNDIRealm...more

2003-11-05 Thread Robyne Vaughn
Dean!
Mine works!
A thousand thanks!
I hope I can return the favor some time.
Your nice explanation helped. 
 
I did not need the alternateURL in mine.  I found out that we have 2 mail
servers, well the server.xml only allows for 1 alternate.  I decided to
try it without any and it worked.

Much appreciation,
Robyne Vaughn
  

-Original Message-
From: Dean Searle [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 9:48 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Hello,

I hope that I am not too late to post here. I have just returned to the
land of the living and have started to catch up on my reading. I noticed
that Robyne, you were trying to find the collective all for your users.
I have just recently figured this out after working on it for two days.
Here is my working server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://your.AD.com"
       alternateURL="ldap://other.AD.com"
       connectionName="cn=USER DISPLAY NAME,ou=FIRST SUB-GROUP,dc=AD,dc=com"
       connectionPassword="XX"
       referrals="follow"
       userBase="dc=AD,dc=com"
       userSearch="(&amp;(sAMAccountName={0})(objectClass=user))"
       userSubtree="true"
       roleBase="dc=AD,dc=com"
       roleSearch="(uniqueMember={0})"
       roleName="cn"
       />

KEY:

cn = common name
ou = organizational unit
dc = domain controller

your.AD.com         www.yahoo.com
other.AD.com        mail.yahoo.com
USER DISPLAY NAME   This is the full name that shows up in your AD, i.e. the
                    user might be johnd but the full name is John Doe.
                    For the connection name and password, it must be a user
                    that has authority to access AD. This part is necessary
                    to connect.

FIRST SUB-GROUP     This depends on how your organization is built in AD.
                    You might have departments like: Accounting, Human
                    Resources, Information Technologies.

In an AD structure it might look something like this:

COM
|
|_Yahoo
  |
  |_Accounting
  |   |_John Doe
  |
  |_Information Technologies
  |   |_Jack Daniels
  |
  |_Human Resources
      |_Mary Jane

sAMAccountName      is the account name you most commonly log into your
                    computers with.
objectClass=user    this should be user, as defined in AD, unless your sys
                    admin or someone has tampered with the AD.
referrals=follow    this is necessary to traverse the full AD without
                    knowing the user's base location.

I hope that this clears up some issues for you. Please let me know if I
can help you more.


Dean E. Searle
Computing Oasis
989.245.7369 (P)
989.921.3904 (F)
 


-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 1:25 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Thanks.

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 12:10 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Good luck.

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 1:07 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Thanks, Justin,
You've given me some good pointers.  I guess I'll do some more hammering
and snooping. Our AD is on a server and the administrators gave me an
administrator type password to try hitting it with, but they don't want
me snooping around too much.  I don't actually have direct access to it.
Like I said, I have hit it with some JNDI, but that is new to me also,
and I still couldn't discover the tree structure adequately. 
Anyway, I guess I'll try to pull things out of the loading script and my
LDAP books.  It's so frustrating.  I can't find and the administrators
don't know where the collective all of our users are located.  They
found an example script, used it, and don't really know what they have
yet.

I really appreciate your time.
Thanks, 
Rob
Ps I expect I'll have more questions later.  Right now, I'm still stuck
just figuring out where all users are.


RE: JNDIRealm...more

2003-11-05 Thread Dean Searle
Great to hear that information worked for you. I included the alternateURL in the 
event our primary AD went down for one reason or another and our users could still 
access the password protected sites. Without an alternate AD active or specified you 
will not have access to your web applications.



RE: JNDIRealm...more

2003-11-05 Thread Robyne Vaughn
Thanks for the pointer, I'll see about pointing to one of our 2 mail
servers.  I wonder if they talk back and forth.
Also,
Do you know how I can extract the signed-on user's user-id once they've
authenticated?
robyne


RE: JNDIRealm...more

2003-11-04 Thread Hart, Justin
I just got it working...

A million thank yous!  I didn't really understand LDAP until learning (some) about it 
yesterday, and once I started learning it, your example made perfect sense, and now I 
can authenticate my users!

This rules very much!

Justin


-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 03, 2003 12:57 PM
To: Tomcat Users List
Subject: JNDIRealm...more

My server.xml now looks like this:


<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="A good active directory server"
       userBase="dc=MY DOMAIN NAME,dc=com"
       userRoleName="member"
       roleName="cn"
       roleSearch="(userPrincipalName={0})"
       roleSubtree="false"
       userSubtree="false"
       referrals="follow"
       />

Reading through the log shows no errors, just that the realm is opening and
closing connections with my LDAP server; after 3 tries, it tells me that I
need to use http authentication.

What's going wrong here?

Justin




RE: JNDIRealm...more

2003-11-04 Thread Robyne Vaughn
Hi,
I've been watching your emails and I'm still trying to understand.  I
have a couple of ldap books and I'm trying to figure some things out.  I
can authenticate to AD with known OU's and known common names, but I
can't use basic or form authentication and get them authenticated with
just a user-id and password. 

What is:
roleSearch="(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC=com)"
1. Specifically, what is CN=tomcat? Is that a role which has been
set up in AD?

What is: userBase="OU=Users,OU=[My OU],DC=[Domain],DC=com"
2. Specifically, what is OU=[My OU]?

3. What did you put in your web-app web.xml?

My AD administrators have not been able to explain our tree structure to
me.  Either I'm asking the wrong questions, or they don't understand it
either.  They have given me a copy of the script they used to load it.
I'm trying to look thru the script to discover the tree structure.

Also, they printed a screen print from their AD administrative tool.  It
has this sort of structure:
Active Directory Users and Computers
  lubbock.isd
    Builtin
    CO
    Computers
    Disabled Accounts
    Elem
    ForeignSecurityPrincipals
    HS
    JH
    LostAndFound
    Microsoft Exchange System Object
    OG
    System
    Users


Should that tell me what to plug into the OU?  I know if I hit the AD
with an Administrative name, password and its OU, then I authenticate.
For instance CN=Administratorname,OU=CO,dc=lubbock,dc=isd.   CO
stands for central office (in this case.)  I know that this
administrative name is in the OU=CO.  What do I do if my user is not in
OU=CO?
 
How do I authenticate when I'm not given the person's specific OU?   

I don't understand why you're specifying 2 different values for OU?

Any help would be appreciated.

Thanks,
rob




RE: JNDIRealm...more

2003-11-04 Thread Robyne Vaughn
Justin, 
I REALLY appreciate your help.  I've been stuck for a while.
I believe that Users is a CN.  (Scanning thru the script, I don't see
Users ever set as an OU, but I do see it as a CN.)

How are you browsing around in AD's LDAP?  I have a jndi jsp that I've
tried finding things with. 

One bit of info:  The AD I am trying to authenticate to is on a
different box than the one I work on.  I do know to hit AD with a
connection name and password, then I've tried to use the sAMAccountname
but have been unsuccessful.  I can't quite get my path worked out.

I will look thru the DN, to see if I can find where all the users are a
member.  

In my web.xml, I have tried form based and basic authentication.  Which
are you using and don't you have to specify  this stuff?:
<security-constraint>
   <web-resource-collection>
      <web-resource-name></web-resource-name>
      <url-pattern></url-pattern>
   </web-resource-collection>
   <auth-constraint>
      <role-name></role-name>
   </auth-constraint>
</security-constraint>

<login-config>
   <auth-method></auth-method>
   <!-- <realm-name></realm-name> -->
</login-config>

<security-role>
   <role-name></role-name>
</security-role>

Would the role-name be the entry in the tomcat users or would it be an
entry in the AD?
This is a new web-app I'm trying to get up and it will be the first one
in our group to authenticate against the AD.
Our previous authentication is being eliminated.

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 11:14 AM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


1)  In terms of active directory, the roleSearch, in this case, would be
a group that the person logging in needs to be a member of.  In terms of
mine, it would be the ALL mailing list for my company.  What you need
to do, is browse around in active directory's LDAP (I assume that you're
doing this against active directory) and find the entry that describes
the NT group that you want all of your members to be a member of.
CN=tomcat is just part of the DN that identifies that group for the
other guy in this thread.
2)  K, you need to get to your base directory that contains users.
That could be multiple OU's deep; in terms of active directory, it
probably is, you'll probably have 1 layer for, say, job sites, and
another for Users (hence Users).  You'll see it if you browse down your
active directory tree... just enter the DN describing the level
containing your users.
3)  web.xml contains the stuff specific to logging in, so essentially,
whatever you use for authentication now, can still be used, as long as
the data jibes with what's in your active directory.

Is that Users there a CN or an OU?

Justin


RE: JNDIRealm...more

2003-11-04 Thread Hart, Justin
I used * as my role-name.

Justin


RE: JNDIRealm...more

2003-11-04 Thread Hart, Justin
Oh, for the AD LDAP, I've been using the programs that came with Active Directory.  
There is also an ldp.exe, I dunno where that came from, but that's pretty useful.

-Original Message-
From: Hart, Justin 
Sent: Tuesday, November 04, 2003 12:39 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


I used * as my role-name.

Justin

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 12:38 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Justin, 
I REALLY appreciate your help.  I've been stuck for a while.
I believe that Users is a CN.  (Scanning thru the script, I don't see
Users ever set as an OU, but I do see it as a CN.)

How are you browsing around in AD's LDAP?  I have a jndi jsp that I've
tried finding things with. 

One bit of info:  The AD I am trying to authenticate to is on a
different box than the one I work on.  I do know to hit AD with a
connection name and password, then I've tried to use the sAMAccountname
but have been unsuccessful.  I can't quite get my path worked out.

I will look thru the DN, to see if I can find where all the users are a
member.  

In my web.xml, I have tried form based and basic authentication.  Which
are you using and don't you have to specify this stuff?:
<security-constraint>
  <web-resource-collection>
    <web-resource-name></web-resource-name>
    <url-pattern></url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name></role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method></auth-method>
  <!-- <realm-name></realm-name> -->
</login-config>

<security-role>
  <role-name></role-name>
</security-role>

Would the role-name be the entry in the tomcat users or would it be an
entry in the AD?
This is a new web-app I'm trying to get up and it will be the first one
in our group to authenticate against the AD.
Our previous authentication is being eliminated.

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 11:14 AM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


1)  In terms of active directory, the roleSearch, in this case, would be
a group that the person logging in needs to be a member of.  In terms of
mine, it would be the ALL mailing list for my company.  What you need
to do, is browse around in active directory's LDAP (I assume that you're
doing this against active directory) and find the entry that describes
the NT group that you want all of your members to be a member of.
CN=tomcat is just part of the DN that identifies that group for the
other guy in this thread.
2)  K, you need to get to your base directory that contains users.
That could be multiple OU's deep, in terms of active directory, it
probably is, you'll probably have 1 layer for say, job sites, and
another for Users (hence Users).  You'll see it if you browse down your
active directory tree... just enter the DN describing the level
containing your users.
3)  web.xml contains the stuff specific to logging in, so essentially,
whatever you use for authentication now, can still be used, as long as
the data jibes with what's in your active directory.

Is that Users there a CN or an OU?

Justin

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 12:08 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Hi,
I've been watching your emails and I'm still trying to understand.  I
have a couple of ldap books and I'm trying to figure some things out.  I
can authenticate to AD with known OU's and known common names, but I
can't use basic or form authentication and get them authenticated with
just a user-id and password. 

What is: roleSearch=(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC=com)
1. Specifically, what is CN=tomcat? Is that a role which has been
set up in AD?

What is: userBase=OU=Users,OU=[My OU],DC=[Domain],DC=com
2. Specifically, what is OU=[My OU]?

3. What did you put in your web-app web.xml?

My AD administrators have not been able to explain our tree structure to
me.  Either I'm asking the wrong questions, or they don't understand it
either.  They have given me a copy of the script they used to load it.
I'm trying to look thru the script to discover the tree structure.

Also, they printed a screen print from their AD administrative tool.  It
has this sort of structure:

Active Directory Users and Computers
  lubbock.isd
    Builtin
    CO
    Computers
    Disabled Accounts
    Elem
    ForeignSecurityPrincipals
    HS
    JH
    LostAndFound
    Microsoft Exchange System Object
    OG
    System
    Users


Should that tell me what to plug into the OU?  I know if I hit the AD
with an Administrative name, password and its OU, then I authenticate.
For instance CN=Administratorname,OU=CO,dc=lubbock,dc=isd.   CO
stands for central office (in this case.)  I know that this
administrative

RE: JNDIRealm...more

2003-11-04 Thread Robyne Vaughn
Thanks, Justin,
You've given me some good pointers.  I guess I'll do some more hammering
and snooping.
Our AD is on a server and the administrators gave me an administrator
type password to try hitting it with, but they don't want me snooping
around too much.  I don't actually have direct access to it.  Like I
said, I have hit it with some JNDI, but that is new to me also, and I
still couldn't discover the tree structure adequately. 
Anyway, I guess I'll try to pull things out of the loading script and my
LDAP books.  It's so frustrating.  I can't find, and the administrators
don't know, where the collective all of our users are located.  They
found an example script, used it, and don't really know what they have
yet.

I really appreciate your time.
Thanks,
Rob
PS I expect I'll have more questions later.  Right now, I'm still stuck
just figuring out where all users are.

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 11:40 AM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Oh, for the AD LDAP, I've been using the programs that came with Active
Directory.  There is also an ldp.exe, I dunno where that came from, but
that's pretty useful.

-Original Message-
From: Hart, Justin 
Sent: Tuesday, November 04, 2003 12:39 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


I used * as my role-name.

Justin

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 12:38 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Justin, 
I REALLY appreciate your help.  I've been stuck for a while.
I believe that Users is a CN.  (Scanning thru the script, I don't see
Users ever set as an OU, but I do see it as a CN.)

How are you browsing around in AD's LDAP?  I have a jndi jsp that I've
tried finding things with. 

One bit of info:  The AD I am trying to authenticate to is on a
different box than the one I work on.  I do know to hit AD with a
connection name and password, then I've tried to use the sAMAccountname
but have been unsuccessful.  I can't quite get my path worked out.

I will look thru the DN, to see if I can find where all the users are a
member.  

In my web.xml, I have tried form based and basic authentication.  Which
are you using and don't you have to specify this stuff?:
<security-constraint>
  <web-resource-collection>
    <web-resource-name></web-resource-name>
    <url-pattern></url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name></role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method></auth-method>
  <!-- <realm-name></realm-name> -->
</login-config>

<security-role>
  <role-name></role-name>
</security-role>

Would the role-name be the entry in the tomcat users or would it be an
entry in the AD? This is a new web-app I'm trying to get up and it will
be the first one in our group to authenticate against the AD. Our
previous authentication is being eliminated.

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 11:14 AM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


1)  In terms of active directory, the roleSearch, in this case, would be
a group that the person logging in needs to be a member of.  In terms of
mine, it would be the ALL mailing list for my company.  What you need
to do, is browse around in active directory's LDAP (I assume that you're
doing this against active directory) and find the entry that describes
the NT group that you want all of your members to be a member of.
CN=tomcat is just part of the DN that identifies that group for the
other guy in this thread.
2)  K, you need to get to your base directory that contains users. That
could be multiple OU's deep, in terms of active directory, it probably
is, you'll probably have 1 layer for say, job sites, and another for
Users (hence Users).  You'll see it if you browse down your active
directory tree... just enter the DN describing the level containing your
users.
3)  web.xml contains the stuff specific to logging in, so essentially,
whatever you use for authentication now, can still be used, as long as
the data jibes with what's in your active directory.

Is that Users there a CN or an OU?

Justin

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 12:08 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Hi,
I've been watching your emails and I'm still trying to understand.  I
have a couple of ldap books and I'm trying to figure some things out.  I
can authenticate to AD with known OU's and known common names, but I
can't use basic or form authentication and get them authenticated with
just a user-id and password. 

What is: roleSearch=(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC=com)
1. Specifically, what is CN=tomcat? Is that a role which has been
set up in AD?

What is: userBase=OU=Users,OU=[My OU],DC=[Domain],DC=com
2. Specifically

RE: JNDIRealm...more

2003-11-04 Thread Hart, Justin
Good luck.

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 1:07 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Thanks, Justin,
You've given me some good pointers.  I guess I'll do some more hammering
and snooping.
Our AD is on a server and the administrators gave me an administrator
type password to try hitting it with, but they don't want me snooping
around too much.  I don't actually have direct access to it.  Like I
said, I have hit it with some JNDI, but that is new to me also, and I
still couldn't discover the tree structure adequately. 
Anyway, I guess I'll try to pull things out of the loading script and my
LDAP books.  It's so frustrating.  I can't find, and the administrators
don't know, where the collective all of our users are located.  They
found an example script, used it, and don't really know what they have
yet.

I really appreciate your time.
Thanks,
Rob
PS I expect I'll have more questions later.  Right now, I'm still stuck
just figuring out where all users are.

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 11:40 AM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Oh, for the AD LDAP, I've been using the programs that came with Active
Directory.  There is also an ldp.exe, I dunno where that came from, but
that's pretty useful.

-Original Message-
From: Hart, Justin 
Sent: Tuesday, November 04, 2003 12:39 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


I used * as my role-name.

Justin

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 12:38 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Justin, 
I REALLY appreciate your help.  I've been stuck for a while.
I believe that Users is a CN.  (Scanning thru the script, I don't see
Users ever set as an OU, but I do see it as a CN.)

How are you browsing around in AD's LDAP?  I have a jndi jsp that I've
tried finding things with. 

One bit of info:  The AD I am trying to authenticate to is on a
different box than the one I work on.  I do know to hit AD with a
connection name and password, then I've tried to use the sAMAccountname
but have been unsuccessful.  I can't quite get my path worked out.

I will look thru the DN, to see if I can find where all the users are a
member.  

In my web.xml, I have tried form based and basic authentication.  Which
are you using and don't you have to specify this stuff?:
<security-constraint>
  <web-resource-collection>
    <web-resource-name></web-resource-name>
    <url-pattern></url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name></role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method></auth-method>
  <!-- <realm-name></realm-name> -->
</login-config>

<security-role>
  <role-name></role-name>
</security-role>

Would the role-name be the entry in the tomcat users or would it be an
entry in the AD? This is a new web-app I'm trying to get up and it will
be the first one in our group to authenticate against the AD. Our
previous authentication is being eliminated.

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 11:14 AM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


1)  In terms of active directory, the roleSearch, in this case, would be
a group that the person logging in needs to be a member of.  In terms of
mine, it would be the ALL mailing list for my company.  What you need
to do, is browse around in active directory's LDAP (I assume that you're
doing this against active directory) and find the entry that describes
the NT group that you want all of your members to be a member of.
CN=tomcat is just part of the DN that identifies that group for the
other guy in this thread.
2)  K, you need to get to your base directory that contains users. That
could be multiple OU's deep, in terms of active directory, it probably
is, you'll probably have 1 layer for say, job sites, and another for
Users (hence Users).  You'll see it if you browse down your active
directory tree... just enter the DN describing the level containing your
users.
3)  web.xml contains the stuff specific to logging in, so essentially,
whatever you use for authentication now, can still be used, as long as
the data jibes with what's in your active directory.

Is that Users there a CN or an OU?

Justin

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 12:08 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Hi,
I've been watching your emails and I'm still trying to understand.  I
have a couple of ldap books and I'm trying to figure some things out.  I
can authenticate to AD with known OU's and known common names, but I
can't use basic or form authentication and get them authenticated with
just a user-id and password. 

What is: roleSearch=(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC

RE: JNDIRealm...more

2003-11-04 Thread Robyne Vaughn
Thanks.

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 12:10 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Good luck.

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 1:07 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Thanks, Justin,
You've given me some good pointers.  I guess I'll do some more hammering
and snooping. Our AD is on a server and the administrators gave me an
administrator type password to try hitting it with, but they don't want
me snooping around too much.  I don't actually have direct access to it.
Like I said, I have hit it with some JNDI, but that is new to me also,
and I still couldn't discover the tree structure adequately. 
Anyway, I guess I'll try to pull things out of the loading script and my
LDAP books.  It's so frustrating.  I can't find, and the administrators
don't know, where the collective all of our users are located.  They
found an example script, used it, and don't really know what they have
yet.

I really appreciate your time.
Thanks,
Rob
PS I expect I'll have more questions later.  Right now, I'm still stuck
just figuring out where all users are.

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 11:40 AM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Oh, for the AD LDAP, I've been using the programs that came with Active
Directory.  There is also an ldp.exe, I dunno where that came from, but
that's pretty useful.

-Original Message-
From: Hart, Justin 
Sent: Tuesday, November 04, 2003 12:39 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


I used * as my role-name.

Justin

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 12:38 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Justin, 
I REALLY appreciate your help.  I've been stuck for a while.
I believe that Users is a CN.  (Scanning thru the script, I don't see
Users ever set as an OU, but I do see it as a CN.)

How are you browsing around in AD's LDAP?  I have a jndi jsp that I've
tried finding things with. 

One bit of info:  The AD I am trying to authenticate to is on a
different box than the one I work on.  I do know to hit AD with a
connection name and password, then I've tried to use the sAMAccountname
but have been unsuccessful.  I can't quite get my path worked out.

I will look thru the DN, to see if I can find where all the users are a
member.  

In my web.xml, I have tried form based and basic authentication.  Which
are you using and don't you have to specify this stuff?:
<security-constraint>
  <web-resource-collection>
    <web-resource-name></web-resource-name>
    <url-pattern></url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name></role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method></auth-method>
  <!-- <realm-name></realm-name> -->
</login-config>

<security-role>
  <role-name></role-name>
</security-role>

Would the role-name be the entry in the tomcat users or would it be an
entry in the AD? This is a new web-app I'm trying to get up and it will
be the first one in our group to authenticate against the AD. Our
previous authentication is being eliminated.

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 11:14 AM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


1)  In terms of active directory, the roleSearch, in this case, would be
a group that the person logging in needs to be a member of.  In terms of
mine, it would be the ALL mailing list for my company.  What you need
to do, is browse around in active directory's LDAP (I assume that you're
doing this against active directory) and find the entry that describes
the NT group that you want all of your members to be a member of.
CN=tomcat is just part of the DN that identifies that group for the
other guy in this thread.
2)  K, you need to get to your base directory that contains users. That
could be multiple OU's deep, in terms of active directory, it probably
is, you'll probably have 1 layer for say, job sites, and another for
Users (hence Users).  You'll see it if you browse down your active
directory tree... just enter the DN describing the level containing your
users.
3)  web.xml contains the stuff specific to logging in, so essentially,
whatever you use for authentication now, can still be used, as long as
the data jibes with what's in your active directory.

Is that Users there a CN or an OU?

Justin

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 12:08 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Hi,
I've been watching your emails and I'm still trying to understand.  I
have a couple of ldap books and I'm trying to figure some things out.  I
can authenticate to AD with known OU's and known common

RE: JNDIRealm...more

2003-11-04 Thread Dean Searle
Hello,

I hope that I am not too late to post here. I have just returned to the
land of the living and have started to catch up on my reading. I noticed
that Robyne, you were trying to find the collective all for your users.
I have just recently figured this out after working on it for two days.
Here is my working server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://your.AD.com"
       alternateURL="ldap://other.AD.com"
       connectionName="cn=USER DISPLAY NAME,ou=FIRST SUB-GROUP,dc=AD,dc=com"
       connectionPassword="XX"
       referrals="follow"
       userBase="dc=AD,dc=com"
       userSearch="(&amp;(sAMAccountName={0})(objectClass=user))"
       userSubtree="true"
       roleBase="dc=AD,dc=com"
       roleSearch="(uniqueMember={0})"
       roleName="cn"
       />

KEY:

cn = common name
ou = organizational unit
dc = domain controller

your.AD.com          www.yahoo.com
other.AD.com         mail.yahoo.com
USER DISPLAY NAME    This is the full name that shows up in your AD,
                     i.e. the user might be johnd but the full name is
                     John Doe.
                     For the connection name and password, it must be a
                     user that has authority to access AD. This part is
                     necessary to connect.

FIRST SUB-GROUP      This depends on how your organization is built in
                     AD. You might have departments like: Accounting,
                     Human Resources, Information Technologies.

In an AD structure it might look something like this:

COM
|
|_Yahoo
  |
  |
  |_Accounting
  |   |_John Doe
  |
  |_Information Technologies
  |   |_Jack Daniels
  |
  |_Human Resources
      |_Mary Jane

sAMAccountName       is the account name you most commonly log in to
                     your computers with
objectClass=user     this should be user, as defined in AD, unless your
                     sys admin or someone has tampered with the AD.
referrals=follow     this is necessary to traverse the full AD without
                     knowing the user's base location.

I hope that this clears up some issues for you. Please let me know if I
can help you more.


Dean E. Searle
Computing Oasis
989.245.7369 (P)
989.921.3904 (F)
 


-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 1:25 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Thanks.

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 12:10 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Good luck.

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 1:07 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Thanks, Justin,
You've given me some good pointers.  I guess I'll do some more hammering
and snooping. Our AD is on a server and the administrators gave me an
administrator type password to try hitting it with, but they don't want
me snooping around too much.  I don't actually have direct access to it.
Like I said, I have hit it with some JNDI, but that is new to me also,
and I still couldn't discover the tree structure adequately. 
Anyway, I guess I'll try to pull things out of the loading script and my
LDAP books.  It's so frustrating.  I can't find, and the administrators
don't know, where the collective all of our users are located.  They
found an example script, used it, and don't really know what they have
yet.

I really appreciate your time.
Thanks,
Rob
PS I expect I'll have more questions later.  Right now, I'm still stuck
just figuring out where all users are.

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 11:40 AM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Oh, for the AD LDAP, I've been using the programs that came with Active
Directory.  There is also an ldp.exe, I dunno where that came from, but
that's pretty useful.

-Original Message-
From: Hart, Justin 
Sent: Tuesday, November 04, 2003 12:39 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


I used * as my role-name.

Justin

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 12:38 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Justin, 
I REALLY appreciate your help.  I've been stuck for a while.
I believe that Users is a CN.  (Scanning thru the script, I don't see
Users ever set as an OU, but I do see it as a CN.)

How are you browsing around in AD's LDAP?  I have a jndi jsp that I've
tried finding things with. 

One bit of info:  The AD I am trying to authenticate to is on a
different box than the one I work on.  I do know to hit AD with a
connection name and password, then I've tried to use the sAMAccountname
but have been unsuccessful.  I can't quite get my path worked out.

I will look thru the DN, to see if I can find where all the users are a
member.  

In my web.xml, I
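What the userBase, userSubtree, userSearch, roleBase, roleSearch and roleName settings discussed in this thread actually select can be checked without a directory server. The Python model below is an added example, not Tomcat's JNDIRealm code and not from any poster; its directory entries, DNs and account names are constructed to mirror the tree Dean sketched, and the escaping in escape_filter_value follows RFC 4515 because the realm fills the {0} placeholder with whatever the login form submits.

```python
import re

# Constructed in-memory stand-in for Active Directory, shaped like the tree in
# Dean's message.  DNs are case-insensitive; none here contain escaped commas.
DIRECTORY = {
    "OU=Accounting,DC=AD,DC=com": {"objectClass": ["organizationalUnit"]},
    "CN=John Doe,OU=Accounting,DC=AD,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["johnd"],
        "memberOf": ["CN=tomcat,CN=Users,DC=AD,DC=com"]},
    "CN=Mary Jane,OU=Human Resources,DC=AD,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["maryj"]},
    "CN=tomcat,CN=Users,DC=AD,DC=com": {
        "objectClass": ["group"], "cn": ["tomcat"],
        "member": ["CN=John Doe,OU=Accounting,DC=AD,DC=com"]},
}

def escape_filter_value(value):
    """RFC 4515 escaping: {0} is filled with whatever the login form sent, so
    filter metacharacters in it must not be able to change the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def render_search(template, value):
    """Fill the {0} placeholder of a userSearch/roleSearch template."""
    return template.replace("{0}", escape_filter_value(value))

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _attr(attrs, name):
    # LDAP attribute names are case-insensitive.
    return next((v for k, v in attrs.items() if k.lower() == name.lower()), [])

def _split_groups(s):
    """Split '(a=1)(b=2)' into ['(a=1)', '(b=2)'] by tracking paren depth."""
    groups, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                groups.append(s[start:i + 1])
    return groups

def matches(attrs, flt):
    """Evaluate a filter limited to equality assertions and '&' conjunctions,
    which covers every filter quoted in this thread."""
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % flt)
    body = flt[1:-1]
    if body.startswith("&"):
        return all(matches(attrs, g) for g in _split_groups(body[1:]))
    name, _, value = body.partition("=")
    wanted = _unescape(value).lower()
    return any(v.lower() == wanted for v in _attr(attrs, name))

def in_scope(dn, base, subtree):
    """userBase/userSubtree semantics: subtree=True covers the base and all
    entries below it; subtree=False only the base's immediate children."""
    dn, base = dn.lower(), base.lower()
    if dn == base:
        return subtree
    if not dn.endswith("," + base):
        return False
    return subtree or "," not in dn[: -len(base) - 1]

def search(base, subtree, flt):
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base, subtree) and matches(attrs, flt)]

def find_user(username, user_base, user_subtree, user_search):
    """Locate the user's DN, as the realm must before it can bind with the
    submitted password; exactly one hit is required."""
    hits = search(user_base, user_subtree, render_search(user_search, username))
    return hits[0] if len(hits) == 1 else None

def roles_for(user_dn, role_base, role_subtree, role_search, role_name,
              user_role_name=None):
    """Roles from the user entry's own attribute (userRoleName) plus the
    roleName value of every group under roleBase whose roleSearch matches."""
    roles = list(_attr(DIRECTORY[user_dn], user_role_name or ""))
    flt = render_search(role_search, user_dn)
    for dn in search(role_base, role_subtree, flt):
        roles.extend(_attr(DIRECTORY[dn], role_name))
    return roles

if __name__ == "__main__":
    tpl = "(&(sAMAccountName={0})(objectClass=user))"
    print(find_user("johnd", "DC=AD,DC=com", True, tpl))   # John Doe's DN
    print(find_user("johnd", "DC=AD,DC=com", False, tpl))  # None: one level only
    print(roles_for("CN=John Doe,OU=Accounting,DC=AD,DC=com",
                    "CN=Users,DC=AD,DC=com", True, "(member={0})", "cn"))
    print(render_search(tpl, "x)(objectClass=*"))  # metacharacters escaped
```

Run as a script it finds John Doe from a userBase at the domain root only when userSubtree is true; with userSubtree false the same lookup returns None, which is the situation a configuration like Justin's second server.xml (userBase at the domain root, userSubtree false) is in whenever the accounts sit below an OU or container. The roles_for call shows the roleBase/roleSearch/roleName path resolving the tomcat group from its member attribute, and passing user_role_name="memberOf" additionally picks up the group DN from the user's own entry, which is what userRoleName does.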

JNDIRealm Configuration

2003-11-03 Thread Hart, Justin
Does anybody have an example JNDIRealm configuration (server.xml & web.xml)?  I feel
like I'm just taking stabs in the dark with these files...  Currently I can get it to
pop up a window and ask for your username/password.  I use my NT username and password
and it rejects them.  I think that I have the web.xml correct, but the server.xml
incorrect.

Justin

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



JNDIRealm

2003-11-03 Thread Hart, Justin
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://[Windows 2000 Domain Controller]:389"
       userBase="CN=Users,dc=[domain name],dc=com"
       userSearch="(userPrincipalName={0})"
       userRoleName="member"
       roleBase="CN=Users,dc=[domain name],dc=com"
       roleName="cn"
       roleSearch="(member={0})"
       connectionName="CN=[jndi account username],CN=Users,DC=[domain name],DC=com"
       connectionPassword="[jndi account password]"
       roleSubtree="true"
       userSubtree="true" />

Found the preceding snippet on java-internals.com.

My server.xml, looks like this :


<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="my server... it's correct"
       userBase="CN=Users,dc=correct,dc=com"
       userSearch="(userPrincipalName={0})"
       userRoleName="member"
       roleBase="CN=Users,dc=sfa,dc=com"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true"
       userSubtree="true" />

It fails to authenticate NT users based on their NT username/password combination.  
It's connecting to an ActiveDirectory server... is there anything glaringly obvious 
that I am doing incorrectly here?


Justin




JNDIRealm...more

2003-11-03 Thread Hart, Justin
My server.xml now looks like this :


<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="A good active directory server"
       userBase="dc=MY DOMAIN NAME,dc=com"
       userRoleName="member"
       roleName="cn"
       roleSearch="(userPrincipalName={0})"
       roleSubtree="false"
       userSubtree="false"
       referrals="follow"
       />

Reading through the log shows no errors, just that the realm is opening and closing 
connections with my LDAP server, after 3 tries, it tells me that I need to use http 
authentication.

What's going wrong here?

Justin




RE: JNDIRealm...more

2003-11-03 Thread RPITRE
Here's what I have... this works for me... hope this helps

<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="99"
       connectionURL="ldap://[domain controller]:389"
       userBase="OU=Users,OU=[My OU],DC=[Domain],DC=com"
       userSearch="(sAMAccountName={0})"
       userRoleName="member"
       roleBase="OU=Users,OU=[my OU],DC=[Domain],DC=com"
       roleName="memberOf"
       roleSearch="(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC=com)"
       connectionName="CN=Administrator,CN=Users,DC=[Domain],DC=com"
       connectionPassword="[password]"
       roleSubtree="true"
       userSubtree="true"/>

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 03, 2003 12:57 PM
To: Tomcat Users List
Subject: JNDIRealm...more

My server.xml now looks like this :


<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="A good active directory server"
       userBase="dc=MY DOMAIN NAME,dc=com"
       userRoleName="member"
       roleName="cn"
       roleSearch="(userPrincipalName={0})"
       roleSubtree="false"
       userSubtree="false"
       referrals="follow"
       />

Reading through the log shows no errors, just that the realm is opening and
closing connections with my LDAP server, after 3 tries, it tells me that I
need to use http authentication.

What's going wrong here?

Justin







RE: JNDIRealm...more

2003-11-03 Thread Hart, Justin
Is there a way to do this without the admin password in the file?

What is sAMAccountName?

Also, not terribly versed in LDAP, what is My OU?

Justin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, November 03, 2003 4:16 PM
To: [EMAIL PROTECTED]
Subject: RE: JNDIRealm...more


Here's what I have... this works for me... hope this helps

<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="99"
       connectionURL="ldap://[domain controller]:389"
       userBase="OU=Users,OU=[My OU],DC=[Domain],DC=com"
       userSearch="(sAMAccountName={0})"
       userRoleName="member"
       roleBase="OU=Users,OU=[my OU],DC=[Domain],DC=com"
       roleName="memberOf"
       roleSearch="(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC=com)"
       connectionName="CN=Administrator,CN=Users,DC=[Domain],DC=com"
       connectionPassword="[password]"
       roleSubtree="true"
       userSubtree="true"/>

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 03, 2003 12:57 PM
To: Tomcat Users List
Subject: JNDIRealm...more

My server.xml now looks like this :


<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="A good active directory server"
       userBase="dc=MY DOMAIN NAME,dc=com"
       userRoleName="member"
       roleName="cn"
       roleSearch="(userPrincipalName={0})"
       roleSubtree="false"
       userSubtree="false"
       referrals="follow"
       />

Reading through the log shows no errors, just that the realm is opening and
closing connections with my LDAP server, after 3 tries, it tells me that I
need to use http authentication.

What's going wrong here?

Justin









RE: JNDIRealm...more

2003-11-03 Thread RPITRE
You don't need the admin password, you do need a domain account that has read
permissions... just about any account will do this... create a test
account... and use that instead of the admin account...
 


-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 03, 2003 4:18 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Is there a way to do this without the admin password in the file?

What is sAMAccountName?

Also, not terribly versed in LDAP, what is My OU?

Justin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, November 03, 2003 4:16 PM
To: [EMAIL PROTECTED]
Subject: RE: JNDIRealm...more


Here's what I have... this works for me... hope this helps

<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="99"
       connectionURL="ldap://[domain controller]:389"
       userBase="OU=Users,OU=[My OU],DC=[Domain],DC=com"
       userSearch="(sAMAccountName={0})"
       userRoleName="member"
       roleBase="OU=Users,OU=[my OU],DC=[Domain],DC=com"
       roleName="memberOf"
       roleSearch="(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC=com)"
       connectionName="CN=Administrator,CN=Users,DC=[Domain],DC=com"
       connectionPassword="[password]"
       roleSubtree="true"
       userSubtree="true"/>

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 03, 2003 12:57 PM
To: Tomcat Users List
Subject: JNDIRealm...more

My server.xml now looks like this :


<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="A good active directory server"
       userBase="dc=MY DOMAIN NAME,dc=com"
       userRoleName="member"
       roleName="cn"
       roleSearch="(userPrincipalName={0})"
       roleSubtree="false"
       userSubtree="false"
       referrals="follow"
       />

Reading through the log shows no errors, just that the realm is opening and
closing connections with my LDAP server, after 3 tries, it tells me that I
need to use http authentication.

What's going wrong here?

Justin




RE: JNDIRealm...more

2003-11-03 Thread Hart, Justin
Ok, what about sAMAccountname?  I'm browsing through my LDAP, and don't see any keys 
that match that... would that be whatever key matches the username I want typed in?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, November 03, 2003 4:26 PM
To: [EMAIL PROTECTED]
Subject: RE: JNDIRealm...more


You don't need the admin password, you do need a domain account that has read
permissions... just about any account will do this... create a test
account... and use that instead of the admin account...
 


-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 03, 2003 4:18 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Is there a way to do this without the admin password in the file?

What is sAMAccountName?

Also, not terribly versed in LDAP, what is My OU?

Justin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, November 03, 2003 4:16 PM
To: [EMAIL PROTECTED]
Subject: RE: JNDIRealm...more


Here's what I have... this works for me... hope this helps

<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="99"
       connectionURL="ldap://[domain controller]:389"
       userBase="OU=Users,OU=[My OU],DC=[Domain],DC=com"
       userSearch="(sAMAccountName={0})"
       userRoleName="member"
       roleBase="OU=Users,OU=[my OU],DC=[Domain],DC=com"
       roleName="memberOf"
       roleSearch="(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC=com)"
       connectionName="CN=Administrator,CN=Users,DC=[Domain],DC=com"
       connectionPassword="[password]"
       roleSubtree="true"
       userSubtree="true"/>

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 03, 2003 12:57 PM
To: Tomcat Users List
Subject: JNDIRealm...more

My server.xml now looks like this :


<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="A good active directory server"
       userBase="dc=MY DOMAIN NAME,dc=com"
       userRoleName="member"
       roleName="cn"
       roleSearch="(userPrincipalName={0})"
       roleSubtree="false"
       userSubtree="false"
       referrals="follow"
/>

Reading through the log shows no errors, just that the realm is opening and
closing connections with my LDAP server; after 3 tries, it tells me that I
need to use HTTP authentication.

What's going wrong here?

Justin




Re: JNDIRealm using LDAP with SSL

2003-10-24 Thread Hayo Schmidt
Did you solve your problem? I don't get the whole thing to run.

Are you really able to use *ldaps* in the connectionURL? On my system I
get the following error:
LifecycleException:  Exception opening directory server connection:  javax.naming.NamingException:
Cannot parse url: ldaps://localhost:636 [Root exception is java.net.MalformedURLException: Not an LDAP URL: ldaps://localhost:636]

If I just use ldap://localhost:636 I get this:
LifecycleException:  Exception opening directory server connection:  javax.naming.CommunicationException: Request: 1 cancelled

Neither really helps keep network sniffers from stealing user data.

Hayo Schmidt

Chris Egolf schrieb:

Does anyone have any experience getting ldaps working w/ the 
JNDIRealms in Tomcat 4.1.24?  Regular LDAP is working fine, but when I 
change the connection URL to ldaps://ldap-host:636 I get the 
following error:

2003-07-28 09:40:49 JNDIRealm[Standalone]: Connecting to URL 
ldaps://10.1.1.50:636
2003-07-28 09:40:50 JNDIRealm[Standalone]: Exception performing 
authentication
javax.naming.CommunicationException: simple bind failed: 10.1.1.50:636 
[Root exception is javax.net.ssl.SSLException: Connection has been 
shutdown: javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: No trusted certificate found]

My Realm element in server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       resourceName="UserDatabase"
       connectionURL="ldaps://10.1.1.50:636"
       connectionName="cn=TOMCAT,ou=WebAppUser,ou=MyOU,o=MyCompany"
       connectionPassword="password"
       userBase="o=MyCompany"
       userSearch="(&amp;(cn={0})(objectClass=inetOrgPerson))"
       userSubtree="true"
       roleBase="ou=WebAppGrp,ou=MyOU,o=MyCompany"
       roleSearch="(uniqueMember={0})"
       roleName="cn"
/>

Like I said, this works if connectionURL="ldap://10.1.1.50:389".  I 
can connect to the LDAP server (Novell eDirectory) via SSL using a 
Java browser if I accept the certificate, so I wonder if that might 
have something to do with it.

I've also successfully followed the Config-SSL-HOWTO, accepted the 
certificate from the server and setup the keystore for the connector 
as described, but I get the feeling that this is strictly for enabling 
SSL over HTTP.

Thanks in advance.

Chris



Re: JNDIRealm source code -

2003-10-11 Thread Tim Funk
http://jakarta.apache.org/site/cvsindex.html

JNDIRealm is jakarta-tomcat-catalina for tomcat5, 
jakarta-tomcat-4.0/catalina/ for tomcat4

I recommend more exploration before accepting an error code 2 as a valid 
login. It's a kluge around MS's ldap implementation and such a kluge 
probably won't make it back into the source tree. I have seen problems with 
respect to JNDIRealm and MS with respect to commas, or other weird characters 
in the DN with respect to escaping. (I don't remember any more details, it is 
too horrifying an experience to recall.) There might also be a Bugzilla report 
with respect to it.

-Tim

Davi Leal wrote:
Hi,

I am using tomcat 4.1.27, Java sdk-1.4.1_02 and JNDIRealm to use the Micro$oft 
Site Server service to authenticate our webapps.

I get an error code 2 exception (Protocol Error) only when the user and the 
password are right, that is to say, when an OK is expected. I am thinking 
about modifying the JNDIRealm to support that Micro$oft-returned 'code' instead 
of raising an exception. It looks easy :) . You can see the catalina log 
below.

Can you supply me any URL, CVS repository, or whatever which points me to the 
JNDI source code?

I have read the JNDI API I must use is the one included in Java sdk 1.4.2.

Last question: Can we solve the 'M$ protocol' issue just using Tomcat 5.0?

Regards,
Davi Leal
Tim Funk wrote:

I have gotten JNDIRealm to work against iPlanet. I have heard others get it
working against:
- Active Directory (I personally had problems due to some IT policies)
- Novell
- OpenLDAP
But in the worst case - the code is open for change so creating a custom
Realm should be simple if one understands JNDI programming. Which is what I
had to do with respect to ActiveDirectory and wacky business rules vs
domain setup.
-Tim

David Diaz wrote:

Reference: http://www.weblogic.com/docs51/admindocs/ldap2.html#intro

The WebLogic LDAP realm has been tested against the following LDAP
servers:
   * OpenLDAP
   * iPlanet Directory Server
   * Microsoft Site Server
I would like to get a similar Tomcat link to show to my boss.






APPENDIX



The catalina log

59 JNDIRealm[Standalone]: Connecting to URL ldap://host:1003

* Testing with a non-existent user:

44 JNDIRealm[Standalone]: lookupUser(davi)
44 JNDIRealm[Standalone]:   dn=cn=davi,ou=Members,o=tpi
44 JNDIRealm[Standalone]:   validating credentials by binding as the user
44 JNDIRealm[Standalone]:   binding as cn=davi,ou=Members,o=org
44 JNDIRealm[Standalone]:   bind attempt failed
44 JNDIRealm[Standalone]: Autentificación fallida para el usuario davi
* Testing with a user which is right, but using a wrong password:

36 JNDIRealm[Standalone]: lookupUser(ph32796)
36 JNDIRealm[Standalone]:   dn=cn=ph32796,ou=Members,o=org
36 JNDIRealm[Standalone]:   validating credentials by binding as the user
36 JNDIRealm[Standalone]:   binding as cn=ph32796,ou=Members,o=org
36 JNDIRealm[Standalone]:   bind attempt failed
36 JNDIRealm[Standalone]: Autentificación fallida para el usuario ph32796
* Testing with both user and password right:

09 JNDIRealm[Standalone]: lookupUser(phe2796)
09 JNDIRealm[Standalone]:   dn=cn=phe2796,ou=Members,o=org
09 JNDIRealm[Standalone]:   validating credentials by binding as the user
09 JNDIRealm[Standalone]:   binding as cn=phe2796,ou=Members,o=org
09 JNDIRealm[Standalone]: Excepción al realizar la autentificación
javax.naming.CommunicationException: [LDAP: error code 2 - Protocol Error]; 
remaining name ''
   at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2965)
   ...
09 JNDIRealm[Standalone]: Closing directory context



The realm we are using in server.xml

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionName="cn=PHE2796,ou=Members,o=org"
       connectionPassword=""
       connectionURL="ldap://host:1003"
       userPattern="cn={0},ou=Members,o=org"
       userSubtree="true"
       roleBase="ou=UserCFuncional,ou=CFuncional,ou=Groups,o=org"
       roleName="cn"
       roleSearch="(uniqueMember={0})"
/>
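Tim's remark about commas and other odd characters in the DN is, from the defender's side, the LDAP escaping problem: whatever is substituted for {0} in a userSearch filter or a userPattern DN is login-form text, and an unescaped '*', ')' or ',' changes the shape of the filter or DN instead of being matched literally. The block below is an added example, not code from Tomcat's JNDIRealm; it applies RFC 4515 filter escaping and RFC 4514 DN escaping to the userSearch and userPattern forms used in this thread, and the function names are mine. Whether the JNDIRealm of a given Tomcat version escapes {0} itself is something to verify in its source.

```python
"""Escape the value substituted for {0} in a JNDIRealm-style userSearch filter
(RFC 4515) or userPattern DN (RFC 4514).  Added example, not Tomcat code."""

# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# RFC 4514: characters escaped with a backslash anywhere in a DN attribute value.
DN_SPECIALS = set('"+,;<>\\')


def escape_filter_value(value: str) -> str:
    """Make `value` a literal inside (attr=value); '*' no longer wildcards, ')' no longer closes."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Make `value` safe as one attribute value inside a distinguished name."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif ch in DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):
            out.append("\\ ")  # leading or trailing space must be escaped
        elif ch == "#" and i == 0:
            out.append("\\#")  # a leading '#' would start a hex-encoded value
        else:
            out.append(ch)
    return "".join(out)


def build_user_search(user_search: str, username: str) -> str:
    """userSearch with {0} replaced by the escaped login name, e.g. (sAMAccountName={0})."""
    return user_search.replace("{0}", escape_filter_value(username))


def build_user_dn(user_pattern: str, username: str) -> str:
    """userPattern with {0} replaced by the escaped login name, e.g. cn={0},ou=Members,o=org."""
    return user_pattern.replace("{0}", escape_dn_value(username))


def filter_is_single_assertion(filter_text: str) -> bool:
    """Check that a (attr={0}) search is still exactly one assertion after substitution:
    the only parentheses are the outer pair."""
    if not (filter_text.startswith("(") and filter_text.endswith(")")):
        return False
    inner = filter_text[1:-1]
    return "(" not in inner and ")" not in inner


if __name__ == "__main__":
    # Compare a plain replace (what a naive {0} substitution does) with the escaped form.
    for name in ("jdoe", "j*doe", "doe)"):
        naive = "(sAMAccountName={0})".replace("{0}", name)
        safe = build_user_search("(sAMAccountName={0})", name)
        print(f"{name!r:10} naive={naive!r:28} ok={filter_is_single_assertion(naive)}")
        print(f"{'':10} safe ={safe!r:28} ok={filter_is_single_assertion(safe)}")
    print(build_user_dn("cn={0},ou=Members,o=org", "Doe, John"))
```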





JNDIRealm source code - (was: Re: Tomcat vs Bea WebLogic)

2003-10-11 Thread Davi Leal
Hi,

I am using tomcat 4.1.27, Java sdk-1.4.1_02 and JNDIRealm to use the Micro$oft 
Site Server service to authenticate our webapps.

I get an error code 2 exception (Protocol Error) only when the user and the 
password are right, that is to say, when an OK is expected. I am thinking 
about modifying the JNDIRealm to support that Micro$oft-returned 'code' instead 
of raising an exception. It looks easy :) . You can see the catalina log 
below.

Can you supply me any URL, CVS repository, or whatever which points me to the 
JNDI source code?

I have read the JNDI API I must use is the one included in Java sdk 1.4.2.

Last question: Can we solve the 'M$ protocol' issue just using Tomcat 5.0?

Regards,
Davi Leal


Tim Funk wrote:
 I have gotten JNDIRealm to work against iPlanet. I have heard others get it
 working against:
 - Active Directory (I personally had problems due to some IT policies)
 - Novell
 - OpenLDAP

 But in the worst case - the code is open for change so creating a custom
 Realm should be simple if one understands JNDI programming. Which is what I
 had to do with respect to ActiveDirectory and wacky business rules vs
 domain setup.

 -Tim


 David Diaz wrote:
  Reference: http://www.weblogic.com/docs51/admindocs/ldap2.html#intro
 
   The WebLogic LDAP realm has been tested against the following LDAP
  servers:
  * OpenLDAP
  * iPlanet Directory Server
  * Microsoft Site Server
 
  I would like to get a similar Tomcat link to show to my boss.





APPENDIX




The catalina log


59 JNDIRealm[Standalone]: Connecting to URL ldap://host:1003


* Testing with a non-existent user:

44 JNDIRealm[Standalone]: lookupUser(davi)
44 JNDIRealm[Standalone]:   dn=cn=davi,ou=Members,o=tpi
44 JNDIRealm[Standalone]:   validating credentials by binding as the user
44 JNDIRealm[Standalone]:   binding as cn=davi,ou=Members,o=org
44 JNDIRealm[Standalone]:   bind attempt failed
44 JNDIRealm[Standalone]: Autentificación fallida para el usuario davi


* Testing with a user which is right, but using a wrong password:

36 JNDIRealm[Standalone]: lookupUser(ph32796)
36 JNDIRealm[Standalone]:   dn=cn=ph32796,ou=Members,o=org
36 JNDIRealm[Standalone]:   validating credentials by binding as the user
36 JNDIRealm[Standalone]:   binding as cn=ph32796,ou=Members,o=org
36 JNDIRealm[Standalone]:   bind attempt failed
36 JNDIRealm[Standalone]: Autentificación fallida para el usuario ph32796


* Testing with both user and password right:

09 JNDIRealm[Standalone]: lookupUser(phe2796)
09 JNDIRealm[Standalone]:   dn=cn=phe2796,ou=Members,o=org
09 JNDIRealm[Standalone]:   validating credentials by binding as the user
09 JNDIRealm[Standalone]:   binding as cn=phe2796,ou=Members,o=org
09 JNDIRealm[Standalone]: Excepción al realizar la autentificación
javax.naming.CommunicationException: [LDAP: error code 2 - Protocol Error]; 
remaining name ''
   at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2965)
   ...
09 JNDIRealm[Standalone]: Closing directory context




The realm we are using in server.xml


<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionName="cn=PHE2796,ou=Members,o=org"
       connectionPassword=""
       connectionURL="ldap://host:1003"
       userPattern="cn={0},ou=Members,o=org"
       userSubtree="true"
       roleBase="ou=UserCFuncional,ou=CFuncional,ou=Groups,o=org"
       roleName="cn"
       roleSearch="(uniqueMember={0})"
/>





JNDIRealm(LDAP) Authentication Configuration Sample Required

2003-10-01 Thread Arun K Solleti
Hi

I have tried different options but cannot get the LDAP authentication to 
work in my application. 
Following is what I am using.

Tomcat: 4.1.27-LE-jdk14
Apache: 2.0.47
Java : 1.4.2
Linux OS: 7.3
LDAP : IPlanet LDAP Server.


1) In this regard I have downloaded the latest JNDI API and then
copied the ldap.jar file to the $CATALINA_HOME/server/lib directory.
 
2) Then I have added the following entry to the server.xml file.
 
   <Realm className="org.apache.catalina.realm.JNDIRealm"
          connectionURL="ldap://ldap.mycompany.com:389"
          userBase="ou=active,ou=employees,ou=people,o=mycompany.com"
          userSearch="(uid={0})"
          roleSearch="(uniqueMember={0})"
          roleName="cn"
          debug="99"
          contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
   />
 
3) In my application web.xml file i have added the following
 
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Nrt</web-resource-name>
       <url-pattern>/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
       <role-name>*</role-name>
     </auth-constraint>
   </security-constraint>
   <login-config>
     <auth-method>BASIC</auth-method>
     <realm-name>CEC</realm-name>
   </login-config>

Then I have restarted the tomcat and apache. I get the prompt for
userid and password, but when I provide the correct userid/password I
get a message saying incorrect userid and password. I think I am
missing something in the configuration and tomcat is not talking with
LDAP; was wondering if you can provide some inputs on this.
 
Appreciate your help and time.

Thanks
Arun



Get advanced SPAM filtering on Webmail or POP Mail ... Get Lycos Mail!
http://login.mail.lycos.com/r/referral?aid=27005




JNDIRealm LDAP Configuration Problem

2003-09-30 Thread Equipment Lamp
Hi
 
I am using the following
 
Tomcat: 4.1.27-LE-jdk14
Apache: 2.0.47
Java : 1.4.2
Linux OS: 7.3
iPlanet LDAP Server
 
I am trying to configure LDAP authentication mechanism to my application. 
 
1) In this regard I have downloaded the latest JNDI API and then copied the ldap.jar 
file to the $CATALINA_HOME/server/lib directory.
 
2) Then I have added the following entry to the server.xml file.
 
   <Realm className="org.apache.catalina.realm.JNDIRealm"
          connectionURL="ldap://ldap.mycompany.com:389"
          userBase="ou=active,ou=employees,ou=people,o=mycompany.com"
          userSearch="(uid={0})"
          roleSearch="(uniqueMember={0})"
          roleName="cn"
          debug="99"
          contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
   />
 
3) In my application web.xml file i have added the following
 
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Nrt</web-resource-name>
       <url-pattern>/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
       <role-name>*</role-name>
     </auth-constraint>
   </security-constraint>
   <login-config>
     <auth-method>BASIC</auth-method>
     <realm-name>CEC</realm-name>
   </login-config>

Then I have restarted the tomcat and apache. I get the prompt for userid and password, 
but when I provide the correct userid/password I get a message saying incorrect 
userid and password. I think I am missing something in the configuration and tomcat is 
not talking with LDAP; was wondering if you can provide some inputs on this.
 
Appreciate your help and time.
 
Thanks




JNDIRealm (LDAP) Configuration Problem

2003-09-29 Thread Arun K Solleti
Hi
 
I am using the following
 
Tomcat: 4.1.27-LE-jdk14
Apache: 2.0.47
Java : 1.4.2
Linux OS: 7.3
 
I am trying to configure LDAP authentication mechanism to my application. 
 
1) In this regard I have downloaded the latest JNDI API and then copied the ldap.jar 
file to the $CATALINA_HOME/server/lib directory.
 
2) Then I have added the following entry to the server.xml file.
 
   <Realm className="org.apache.catalina.realm.JNDIRealm"
          connectionURL="ldap://ldap.mycompany.com:389"
          userBase="ou=active,ou=employees,ou=people,o=mycompany.com"
          userSearch="(uid={0})"
          roleSearch="(uniqueMember={0})"
          roleName="cn"
          debug="99"
          contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
   />
 
3) In my application web.xml file i have added the following
 
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Nrt</web-resource-name>
       <url-pattern>/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
       <role-name>*</role-name>
     </auth-constraint>
   </security-constraint>
   <login-config>
     <auth-method>BASIC</auth-method>
     <realm-name>CEC</realm-name>
   </login-config>

Then I have restarted the tomcat and apache. I get the prompt for userid and password, 
but when I provide the correct userid/password I get a message saying incorrect 
userid and password. I think I am missing something in the configuration and tomcat is 
not talking with LDAP; was wondering if you can provide some inputs on this.
 
Appreciate your help and time.
 
Thanks
Arun







JNDIRealm User bind context available in the Servlet Context?

2003-08-14 Thread Twadell, Daniel M
In a servlet I would like to access the same JNDIRealm directory server
context that is used during BASIC authentication. Is it possible to
configure the jndirealm as a resource link for the servlet context?

 

I *can* make an Application super user to establish a DirContext, but
wanted to use the same bind as the user/credentials.

from the class org.apache.catalina.realm.JNDIRealm

 

I am trying to avoid using FORM authentication...

And am trying to avoid writing my own org.apache.catalina.realm.JNDIRealm
class

And trying to avoid putting clear text passwords in code or config files...

 

 

Any help appreciated

tia 

 

dant

 



Re: JNDIRealm: Authentication Failing [SOLVED]

2003-08-07 Thread Adam Sherman
Adam Sherman writes:
2003-07-27 13:44:06 JNDIRealm[Standalone]:   validating credentials by 
binding as the user
2003-07-27 13:44:06 JNDIRealm[Standalone]:   binding as 
uid=adam,ou=People,dc=tritus,dc=ca
2003-07-27 13:44:06 JNDIRealm[Standalone]:   bind attempt failed
JNDIRealm is attempting to bind as 'uid=adam,ou=People,dc=tritus,dc=ca', 
which is correct and exists. I can bind as this user using the LDAP CLI 
tools. 
Using a password that ends in a space doesn't work. I have tested this using 
the JNDI libs and it *does* work so I assume that something else, maybe HTTP 
is responsible. 

I have filed a bug: 22176 

Thank you, 

A. 

--
Adam Sherman
Tritus CG Inc.
http://www.tritus.ca/
+1 (613) 797-6819 



Re: JNDIRealm: Authentication Failing

2003-07-31 Thread Adam Sherman
My apologies for taking so long to reply. Thank you very much for your 
input! 

Hayo Schmidt writes:
Is 'mail' the naming value?
This means, if you export to an ldif file you should find a line
dn: [EMAIL PROTECTED],ou=People,dc=tritus,dc=ca
As you can see from the log snippet below: 

2003-07-27 13:44:06 JNDIRealm[Standalone]:   validating credentials by 
binding as the user
2003-07-27 13:44:06 JNDIRealm[Standalone]:   binding as 
uid=adam,ou=People,dc=tritus,dc=ca
2003-07-27 13:44:06 JNDIRealm[Standalone]:   bind attempt failed
JNDIRealm is attempting to bind as 'uid=adam,ou=People,dc=tritus,dc=ca', 
which is correct and exists. I can bind as this user using the LDAP CLI 
tools. 

Since it is a BIND, the format of userPassword shouldn't matter. 

Thanks for your help, 

A. 

--
Adam Sherman
Tritus CG Inc.
http://www.tritus.ca/
+1 (613) 797-6819 



Re: JNDIRealm: Authentication Failing

2003-07-29 Thread Hayo Schmidt
Is 'mail' the naming value?
This means, if you export to an ldif file you should find a line
dn: [EMAIL PROTECTED],ou=People,dc=tritus,dc=ca
Hayo Schmidt

Adam Sherman schrieb:

I am trying to get JNDIRealm to authenticate against my LDAP tree:
<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="200"
       connectionURL="ldap://localhost:389"
       userBase="ou=People,dc=tritus,dc=ca"
       userSearch="(mail={0})"
       roleBase="ou=Groups,dc=tritus,dc=ca"
       roleName="cn"
       roleSearch="(member={0})"
/>
Using a user I can authenticate with the OpenLDAP CLI tools:
2003-07-27 13:44:06 JNDIRealm[Standalone]:   Searching for [EMAIL PROTECTED]
2003-07-27 13:44:06 JNDIRealm[Standalone]:   base: 
ou=People,dc=tritus,dc=ca filter: ([EMAIL PROTECTED])
2003-07-27 13:44:06 JNDIRealm[Standalone]:   entry found for 
[EMAIL PROTECTED] with dn uid=adam,ou=People,dc=tritus,dc=ca
2003-07-27 13:44:06 JNDIRealm[Standalone]:   validating credentials by 
binding as the user
2003-07-27 13:44:06 JNDIRealm[Standalone]:   binding as 
uid=adam,ou=People,dc=tritus,dc=ca
2003-07-27 13:44:06 JNDIRealm[Standalone]:   bind attempt failed
2003-07-27 13:44:06 JNDIRealm[Standalone]: Username [EMAIL PROTECTED] NOT 
successfully authenticated
The lookup functions correctly, but binding fails. Even though I know 
the user can bind.
Info:
Tomcat 4.1.24, OpenLDAP 2.1.x
Any ideas?
A.






Re: JNDIRealm: Authentication Failing

2003-07-28 Thread Hayo Schmidt
Is 'mail' the naming value?
This means, if you export to an ldif file you should find a line
dn: [EMAIL PROTECTED],ou=People,dc=tritus,dc=ca
Hayo Schmidt

Adam Sherman schrieb:

I am trying to get JNDIRealm to authenticate against my LDAP tree:
<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="200"
       connectionURL="ldap://localhost:389"
       userBase="ou=People,dc=tritus,dc=ca"
       userSearch="(mail={0})"
       roleBase="ou=Groups,dc=tritus,dc=ca"
       roleName="cn"
       roleSearch="(member={0})"
/>
Using a user I can authenticate with the OpenLDAP CLI tools:
2003-07-27 13:44:06 JNDIRealm[Standalone]:   Searching for [EMAIL PROTECTED]
2003-07-27 13:44:06 JNDIRealm[Standalone]:   base: 
ou=People,dc=tritus,dc=ca filter: ([EMAIL PROTECTED])
2003-07-27 13:44:06 JNDIRealm[Standalone]:   entry found for 
[EMAIL PROTECTED] with dn uid=adam,ou=People,dc=tritus,dc=ca
2003-07-27 13:44:06 JNDIRealm[Standalone]:   validating credentials by 
binding as the user
2003-07-27 13:44:06 JNDIRealm[Standalone]:   binding as 
uid=adam,ou=People,dc=tritus,dc=ca
2003-07-27 13:44:06 JNDIRealm[Standalone]:   bind attempt failed
2003-07-27 13:44:06 JNDIRealm[Standalone]: Username [EMAIL PROTECTED] NOT 
successfully authenticated
The lookup functions correctly, but binding fails. Even though I know 
the user can bind.
Info:
Tomcat 4.1.24, OpenLDAP 2.1.x
Any ideas?
A.






JNDIRealm using LDAP with SSL

2003-07-28 Thread Chris Egolf
Does anyone have any experience getting ldaps working w/ the JNDIRealms in 
Tomcat 4.1.24?  Regular LDAP is working fine, but when I change the connection 
URL to ldaps://ldap-host:636 I get the following error:

2003-07-28 09:40:49 JNDIRealm[Standalone]: Connecting to URL ldaps://10.1.1.50:636
2003-07-28 09:40:50 JNDIRealm[Standalone]: Exception performing authentication
javax.naming.CommunicationException: simple bind failed: 10.1.1.50:636 [Root 
exception is javax.net.ssl.SSLException: Connection has been shutdown: 
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: 
No trusted certificate found]

My Realm element in server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       resourceName="UserDatabase"
       connectionURL="ldaps://10.1.1.50:636"
       connectionName="cn=TOMCAT,ou=WebAppUser,ou=MyOU,o=MyCompany"
       connectionPassword="password"
       userBase="o=MyCompany"
       userSearch="(&amp;(cn={0})(objectClass=inetOrgPerson))"
       userSubtree="true"
       roleBase="ou=WebAppGrp,ou=MyOU,o=MyCompany"
       roleSearch="(uniqueMember={0})"
       roleName="cn"
/>
Like I said, this works if connectionURL="ldap://10.1.1.50:389".  I can connect 
to the LDAP server (Novell eDirectory) via SSL using a Java browser if I accept 
the certificate, so I wonder if that might have something to do with it.

I've also successfully followed the Config-SSL-HOWTO, accepted the certificate 
from the server and setup the keystore for the connector as described, but I get 
the feeling that this is strictly for enabling SSL over HTTP.

Thanks in advance.

Chris



Re: JNDIRealm using LDAP with SSL

2003-07-28 Thread Jeff Tulley
We've done exactly that.  What you need to do is import the root
certificate into a .keystore file.  I'm not sure if Tomcat will pick up
the default cacerts file, or if you always have to specify it like we
did (-Djavax.net.ssl.trustStore=sys:/adminsrv/conf/.keystore etc)  My
guess is that you can set that in the java.security file in
java\lib\security instead of specifying it on the command line.

If you are doing this on a NetWare server, here is something similar to
what we use to import the certificate:

keytool -import -v -noprompt -trustcacerts -file
sys:/public/RootCert.der -keystore sys:/adminsrv/conf/.keystore
-storepass changeit

If you are running eDirectory on something besides the server, I'm not
exactly sure how to get the RootCert.der file, I'm guessing it can be
done as an export from ConsoleOne.  

Oh, I just read the bottom of your message where you said you have done
some work with the keystore.  It looks like the documentation is a
little different for just setting up the SSL connector.  Try doing the
import of the root certificate and see if it works any better.  

Good luck,

Jeff Tulley  ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

 [EMAIL PROTECTED] 7/28/03 9:49:56 AM 
Does anyone have any experience getting ldaps working w/ the JNDIRealms
in 
Tomcat 4.1.24?  Regular LDAP is working fine, but when I change the
connection 
URL to ldaps://ldap-host:636 I get the following error:

2003-07-28 09:40:49 JNDIRealm[Standalone]: Connecting to URL
ldaps://10.1.1.50:636
2003-07-28 09:40:50 JNDIRealm[Standalone]: Exception performing
authentication
javax.naming.CommunicationException: simple bind failed: 10.1.1.50:636
[Root 
exception is javax.net.ssl.SSLException: Connection has been shutdown:

javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: 
No trusted certificate found]


My Realm element in server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       resourceName="UserDatabase"
       connectionURL="ldaps://10.1.1.50:636"
       connectionName="cn=TOMCAT,ou=WebAppUser,ou=MyOU,o=MyCompany"
       connectionPassword="password"
       userBase="o=MyCompany"
       userSearch="(&amp;(cn={0})(objectClass=inetOrgPerson))"
       userSubtree="true"
       roleBase="ou=WebAppGrp,ou=MyOU,o=MyCompany"
       roleSearch="(uniqueMember={0})"
       roleName="cn"
/>


Like I said, this works if connectionURL="ldap://10.1.1.50:389".  I can
connect 
to the LDAP server (Novell eDirectory) via SSL using a Java browser if
I accept 
the certificate, so I wonder if that might have something to do with
it.

I've also successfully followed the Config-SSL-HOWTO, accepted the
certificate 
from the server and setup the keystore for the connector as described,
but I get 
the feeling that this is strictly for enabling SSL over HTTP.

Thanks in advance.

Chris





Re: JNDIRealm using LDAP with SSL

2003-07-28 Thread Chris Egolf
Jeff Tulley wrote:
We've done exactly that.  What you need to do is import the root
certificate into a .keystore file.  I'm not sure if Tomcat will pick up
the default cacerts file, or if you always have to specify it like we
did (-Djavax.net.ssl.trustStore=sys:/adminsrv/conf/.keystore etc)  My
guess is that you can set that in the java.security file in
java\lib\security instead of specifying it on the command line.
Thanks Jeff!  I used the command line trick and that worked.  I'm not sure about 
the java.security file since I'm not sure what that is.  We are using another 
filename for the keystore and explicitly specifying it for the https 
configuration, so I'll bet this would work if the keystore file was the default 
~/.keystore.

Thanks again.

Chris



JNDIRealm: Authentication Failing

2003-07-27 Thread Adam Sherman
I am trying to get JNDIRealm to authenticate against my LDAP tree: 

<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="200"
       connectionURL="ldap://localhost:389"
       userBase="ou=People,dc=tritus,dc=ca"
       userSearch="(mail={0})"
       roleBase="ou=Groups,dc=tritus,dc=ca"
       roleName="cn"
       roleSearch="(member={0})"
/>

Using a user I can authenticate with the OpenLDAP CLI tools: 

2003-07-27 13:44:06 JNDIRealm[Standalone]:   Searching for [EMAIL PROTECTED]
2003-07-27 13:44:06 JNDIRealm[Standalone]:   base: ou=People,dc=tritus,dc=ca 
filter: ([EMAIL PROTECTED])
2003-07-27 13:44:06 JNDIRealm[Standalone]:   entry found for [EMAIL PROTECTED] 
with dn uid=adam,ou=People,dc=tritus,dc=ca
2003-07-27 13:44:06 JNDIRealm[Standalone]:   validating credentials by 
binding as the user
2003-07-27 13:44:06 JNDIRealm[Standalone]:   binding as 
uid=adam,ou=People,dc=tritus,dc=ca
2003-07-27 13:44:06 JNDIRealm[Standalone]:   bind attempt failed
2003-07-27 13:44:06 JNDIRealm[Standalone]: Username [EMAIL PROTECTED] NOT 
successfully authenticated 

The lookup functions correctly, but binding fails. Even though I know the 
user can bind. 

Info: 

Tomcat 4.1.24, OpenLDAP 2.1.x 

Any ideas? 

A. 

--
Adam Sherman
Tritus CG Inc.
http://www.tritus.ca/
+1 (613) 797-6819
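The debug output quoted in this thread, in the ldaps thread and in the Site Server thread all has the same shape, and the stage at which the lines stop is what tells the three failures apart (lookup succeeded but bind refused, TLS trust failure, protocolError from the server). The following is an added example, not Tomcat code, that walks such lines and names the stage and a verdict; the sample logs are constructed to match the ones posted, with placeholder user names, and the verdict wording is mine.

```python
"""Triage JNDIRealm debug lines and report where an authentication attempt
stopped.  Added example, not Tomcat code; sample logs are constructed."""
import re

# Accepts "2003-07-27 13:44:06 JNDIRealm[Standalone]: msg" and "44 JNDIRealm[Standalone]: msg".
PREFIX = re.compile(r"^(?:\d{4}-\d\d-\d\d \d\d:\d\d:\d\d |\d+ )?JNDIRealm\[[^\]]+\]:\s*(.*)$")
USER_PATTERNS = (re.compile(r"Searching for (\S+)$"), re.compile(r"lookupUser\((.+)\)$"))
DN_PATTERNS = (re.compile(r"entry found for \S+ with dn (.+)$"), re.compile(r"dn=(.+)$"))

VERDICTS = {
    "not_found": "no entry matched: check userBase/userSearch (or userPattern) and the search account's read rights",
    "bind_failed": "DN resolved but bind rejected: the directory refused the password for that DN (bind as the same DN with the LDAP CLI tools; bug 22176 covers passwords ending in a space)",
    "tls_trust": "TLS handshake failed on trust: import the directory's root certificate into the trust store this JVM actually reads (javax.net.ssl.trustStore)",
    "url_rejected": "the JNDI provider rejected the ldaps:// URL: use a provider that understands ldaps, or ldap:// to the TLS port with a trust store",
    "protocol_error": "the server answered LDAP error code 2 (protocolError) to the bind: a server/protocol issue, not a wrong password",
    "exception": "authentication aborted by an exception; read the root cause",
    "no_failure": "no failure recorded in this excerpt",
}

# Constructed samples in the shape of the logs quoted in these threads.
LOG_BIND_FAILED = """\
2003-07-27 13:44:06 JNDIRealm[Standalone]:   Searching for adam@example.test
2003-07-27 13:44:06 JNDIRealm[Standalone]:   base: ou=People,dc=tritus,dc=ca filter: (mail=adam@example.test)
2003-07-27 13:44:06 JNDIRealm[Standalone]:   entry found for adam@example.test with dn uid=adam,ou=People,dc=tritus,dc=ca
2003-07-27 13:44:06 JNDIRealm[Standalone]:   validating credentials by binding as the user
2003-07-27 13:44:06 JNDIRealm[Standalone]:   binding as uid=adam,ou=People,dc=tritus,dc=ca
2003-07-27 13:44:06 JNDIRealm[Standalone]:   bind attempt failed
2003-07-27 13:44:06 JNDIRealm[Standalone]: Username adam@example.test NOT successfully authenticated
"""
LOG_TLS = """\
2003-07-28 09:40:49 JNDIRealm[Standalone]: Connecting to URL ldaps://10.1.1.50:636
2003-07-28 09:40:50 JNDIRealm[Standalone]: Exception performing authentication
javax.naming.CommunicationException: simple bind failed: 10.1.1.50:636 [Root exception is javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found]
"""
LOG_PROTOCOL = """\
09 JNDIRealm[Standalone]: lookupUser(phe2796)
09 JNDIRealm[Standalone]:   dn=cn=phe2796,ou=Members,o=org
09 JNDIRealm[Standalone]:   validating credentials by binding as the user
09 JNDIRealm[Standalone]:   binding as cn=phe2796,ou=Members,o=org
09 JNDIRealm[Standalone]: Excepción al realizar la autentificación
javax.naming.CommunicationException: [LDAP: error code 2 - Protocol Error]; remaining name ''
"""
LOG_URL = ("LifecycleException:  Exception opening directory server connection:  "
           "javax.naming.NamingException: Cannot parse url: ldaps://localhost:636 "
           "[Root exception is java.net.MalformedURLException: Not an LDAP URL: ldaps://localhost:636]")


def _first_match(patterns, msg):
    for pat in patterns:
        m = pat.match(msg)
        if m:
            return m.group(1)
    return None


def _verdict(state):
    if state["stage"] == "exception":
        exc = state["exception"]
        if "SSLHandshakeException" in exc or "No trusted certificate" in exc:
            return "tls_trust"
        if "Not an LDAP URL" in exc or "Cannot parse url" in exc:
            return "url_rejected"
        if "error code 2" in exc:
            return "protocol_error"
        return "exception"
    if state["stage"] in ("start", "search"):
        return "not_found"
    if state["stage"] == "bind_failed":
        return "bind_failed"
    return "no_failure"


def triage(log_text: str) -> dict:
    """Walk the lines of one attempt; return user, dn, the last stage seen, verdict and advice."""
    state = {"user": None, "dn": None, "stage": "start", "exception": ""}
    for raw in log_text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            # Stack-trace or LifecycleException text carries no realm prefix.
            if "Exception" in raw or state["stage"] == "exception":
                state["stage"] = "exception"
                state["exception"] += raw.strip() + " "
            continue
        msg = m.group(1).strip()
        user = _first_match(USER_PATTERNS, msg)
        dn = _first_match(DN_PATTERNS, msg)
        if user:
            state["user"], state["stage"] = user, "search"
        elif dn:
            state["dn"], state["stage"] = dn, "found"
        elif msg.startswith("binding as "):
            state["stage"] = "bind"
        elif msg == "bind attempt failed":
            state["stage"] = "bind_failed"
        elif msg.startswith(("Exception performing authentication", "Excepci")):
            state["stage"] = "exception"
    state["verdict"] = _verdict(state)
    state["advice"] = VERDICTS[state["verdict"]]
    return state


if __name__ == "__main__":
    for name, log in (("bind", LOG_BIND_FAILED), ("tls", LOG_TLS), ("proto", LOG_PROTOCOL), ("url", LOG_URL)):
        r = triage(log)
        print(f"{name:6} stage={r['stage']:12} verdict={r['verdict']:15} {r['advice']}")
```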


how to set up JNDIRealm in tomcat4.1.24 bundled with Jboss

2003-07-14 Thread seera naveen

Hi,

I have successfully set up JNDIRealm for FORM based authentication and it is working 
perfectly in standalone Tomcat4.1.24.  However, I am unable to do the same in 
Tomcat4.1.24 bundled with JBoss.  Could anybody please help me out in setting up 
JNDIRealm in Tomcat4.1.24 bundled with JBoss... please...

Thank you very much in advance,

Naveen


REPOST: CLIENT-CERT and JNDIRealm

2003-06-06 Thread Mario Ivankovits
Hello !

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831
I think a common solution should be found for this, so I will try again to push a 
discussion:


Questions:
*) Are there some standards for how to map a certificate to a user within an LDAP server?
*) If not, could/should we implement some of my code directly in a class
(say) JNDIRealmCert, so that one could simply override an abstract certToUser
method?

I have tried to use CLIENT-CERT to authenticate the user for our
application. JNDIRealm does not support such authentication, so I have tried
to implement it. For our infrastructure my solution works well, but I think
(know) it is strongly bound to it.

The way it works is to get a certificate for a user and import this
certificate into the ActiveDirectory server. During authentication, a user with
the matching certificate is searched for, and the cn of this user is used
from then on (getRoles() ...).

First, I created a new class JNDIRealmCertAD (JNDIRealm Certificate
ActiveDirectory) and introduced a new property certSearch. (I also
copied the *Pattern getters/setters for use with certificates, but haven't
tested them yet.)
Much of the code from JNDIRealm has to be copied, due to the private User
class; however, this class is a prototype.

The advantage (I think) of my solution is that it does not use
Cert.getSubjectDN() for the username; instead it uses the cn (or any other
attribute) of the LDAP entry returned when searching for the user
corresponding to the certificate.
With my class it is possible to use BASIC and CLIENT-CERT and always have
the same username for the application.
I think the application should not be bothered with the type of
authentication.

However, currently this solution is bound to our Win2000-Domain.


Comments are welcome !!

Ciao,
Mario
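The lookup Mario describes (find the directory entry holding the presented certificate, then use one of its attributes as the username instead of the certificate's subject DN), as an added example that is not Mario's code and not part of Tomcat's JNDIRealm. The attribute name (userCertificate;binary), the user base and the bind parameters are assumptions; the TLS layer has already validated the certificate chain, so this class only does the identity mapping.

```java
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Hypothetical helper: maps a client certificate to a directory user by finding
 * the entry that stores the same DER-encoded certificate, and returns a chosen
 * attribute of that entry (cn by default) as the application username.
 */
public final class CertToUser {

    private final String userBase;      // assumed, e.g. "cn=Users,dc=example,dc=com"
    private final String certAttribute; // assumed, e.g. "userCertificate;binary"
    private final String userNameAttr;  // attribute handed to the webapp, e.g. "cn"

    public CertToUser(String userBase, String certAttribute, String userNameAttr) {
        this.userBase = userBase;
        this.certAttribute = certAttribute;
        this.userNameAttr = userNameAttr;
    }

    /**
     * Returns the username for the single entry whose certificate attribute equals
     * the presented certificate, or null when there is no match or more than one.
     * Comparing the full DER encoding means a certificate with the same subject
     * DN but another issuer, or a re-issued one, does not match.
     */
    public String certToUser(DirContext ctx, X509Certificate cert) throws NamingException {
        byte[] der;
        try {
            der = cert.getEncoded();
        } catch (CertificateEncodingException e) {
            throw new NamingException("cannot encode certificate: " + e.getMessage());
        }
        SearchControls ctls = new SearchControls();
        ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        ctls.setReturningAttributes(new String[] { userNameAttr });

        // The byte[] goes in as a filter argument; JNDI escapes it for the filter,
        // so the raw DER bytes cannot alter the query.
        NamingEnumeration<SearchResult> results = ctx.search(
                userBase, "(" + certAttribute + "={0})", new Object[] { der }, ctls);
        String user = null;
        int matches = 0;
        try {
            while (results.hasMore()) {
                SearchResult sr = results.next();
                matches++;
                Attribute a = sr.getAttributes().get(userNameAttr);
                if (a != null) {
                    user = (String) a.get();
                }
            }
        } finally {
            results.close();
        }
        // An ambiguous mapping is a directory problem: refuse rather than guess.
        return matches == 1 ? user : null;
    }

    /** Opens the service connection that the search runs under (assumed bind parameters). */
    public static DirContext open(String url, String bindDn, String password)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }
}
```

Because the result is a directory attribute rather than a string taken from the certificate, BASIC and CLIENT-CERT logins yield the same username, which is the property Mario is after.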


ActiveDirectory not following referrals when using JNDIRealm

2003-06-06 Thread Bradley M. Handy
I'm using Tomcat 4.1.24 (win32) and I have my JNDIRealm configured like so:

<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="5"
       referrals="follow"
       connectionURL="ldap://vader.arbor.edu"
       alternateURL="ldap://bsod.arbor.edu"
       userBase="dc=arbor,dc=edu"
       userSearch="(&amp;(objectClass=user) (cn={0}))"
       roleBase="dc=arbor,dc=edu"
       roleName="cn"
       roleSearch="(&amp;(objectClass=group) (member={0}))"
       connectionName="distinguished name"
       connectionPassword="password"
       roleSubtree="true"
       userSubtree="true" />
And I'm getting the following PartialResultException:

2003-06-06 10:25:12 JNDIRealm[Standalone]: Exception performing authentication
javax.naming.PartialResultException.  Root exception is 
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: 
LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 532, v893·]
	at com.sun.jndi.ldap.LdapReferralContext.init(LdapReferralContext.java:74)
	at 
com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:132)
	at 
com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(LdapNamingEnumeration.java:334)
	at 
com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:207)
	at 
com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:170)
	at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1036)
	at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:913)
	at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:862)
	at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:788)
	at 
org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:161)
	at 
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:526)
	at 
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
	at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2415)
	at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
	at 
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
	at 
org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171)
	at 
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
	at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
	at 
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:509)
	at 
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
	at 
org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:376)
	at 
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
	at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
	at 
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
	at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
	at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:261)
	at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:360)
	at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:604)
	at 
org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:562)
	at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:679)
	at 
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
	at java.lang.Thread.run(Thread.java:536)

Can anyone tell where I'm going wrong?  This configuration works fine in 
4.1.18, but not in 4.1.24.  (It works in 4.1.18, because I implemented the 
patch that I submitted to Tomcat for the alternateURL stuff.)

Brad Handy



Re: ActiveDirectory not following referrals when using JNDIRealm

2003-06-06 Thread Bradley M. Handy
I figured it out.  The credentials I was using for the creation of the 
InitialDirContext didn't have enough permissions (for some weird 
reason).  I got it to work when I used a different account.

Brad Handy

At 11:28 AM 6/6/2003, you wrote:
I'm using Tomcat 4.1.24 (win32) and I have my JNDIRealm configured like so:

<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="5"
       referrals="follow"
       connectionURL="ldap://vader.arbor.edu"
       alternateURL="ldap://bsod.arbor.edu"
       userBase="dc=arbor,dc=edu"
       userSearch="(&amp;(objectClass=user) (cn={0}))"
       roleBase="dc=arbor,dc=edu"
       roleName="cn"
       roleSearch="(&amp;(objectClass=group) (member={0}))"
       connectionName="distinguished name"
       connectionPassword="password"
       roleSubtree="true"
       userSubtree="true" />
And I'm getting the following PartialResultException:

2003-06-06 10:25:12 JNDIRealm[Standalone]: Exception performing authentication
javax.naming.PartialResultException.  Root exception is 
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: 
LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 532, v893·]
at 
com.sun.jndi.ldap.LdapReferralContext.init(LdapReferralContext.java:74)
at 
com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:132)
at 
com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(LdapNamingEnumeration.java:334)
at 
com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:207)
at 
com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:170)
at 
org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1036)
at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:913)
at 
org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:862)
at 
org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:788)
at 
org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:161)
at 
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:526)
at 
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at 
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at 
org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at 
org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2415)
at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
at 
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
at 
org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171)
at 
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
at 
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at 
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:509)
at 
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at 
org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:376)
at 
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at 
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at 
org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
at 
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
at 
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at 
org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at 
org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
at 
org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:261)
at 
org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:360)
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:604)
at 
org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:562)
at 
org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:679)
at 
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
at java.lang.Thread.run(Thread.java:536)

Can anyone tell where I'm going wrong?  This configuration works fine in 
4.1.18, but not in 4.1.24.  (It works in 4.1.18, because I

Tomcat JNDIRealm subtree role enumeration

2003-05-29 Thread Markus Van Heerden
Hi All,

Question:  
Does Tomcat enumerate the values of attributes back up the sub-tree if it
finds an entry [in the LDAP schema] at a lower layer, or does it
only (strictly) give back the value of the attribute of the specific entry
that it found?

Background:
We have an LDAP schema that is organized as follows:
dn: cn=user,ou=Groups,o=Canada,...
uniqueMember: cn=somecompany,ou=Groups,o=Canada,...
and
dn: cn=somecompany,ou=Groups,o=Canada,...
uniqueMember: uid=someuser,ou=People,o=Canada,...

My Tomcat(4.0.6) JNDIRealm configuration is as follows:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://ldaphost01:389"
       connectionName="cn=Directory Manager"
       connectionPassword=""
       userPattern="uid={0},ou=People,o=Canada,..."
       userPassword="userPassword"
       userSubtree="true"
       roleBase="ou=Groups,o=Canada,..."
       roleName="cn"
       roleSearch="(uniqueMember={0})"
       roleSubtree="true" />
  
When Tomcat finds the entry someuser, I would ideally like the role (cn)
enumeration (somecompany, user) back, but I SEEM to be getting [only]
(somecompany) back.  Is this true?  How can I confirm?  Is it possible to
get my ideal enumeration back?

Thanks for your time.  Any comment will be greatly appreciated.

Markus



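What Markus calls the ideal enumeration is nested (transitive) group resolution: find the groups whose uniqueMember lists the user, then the groups that list those groups, and so on. The resolver below is an added example, not Tomcat's JNDIRealm code; the Group/GroupLookup types and the in-memory demo directory (built from the two LDIF entries in the post) are constructed here, and jndiLookup shows the same query run through JNDI with the Realm's roleBase/roleSearch/roleName values.

```java
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Deque;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Resolves roles transitively: groups listing the user, groups listing those groups, ... */
public final class NestedRoles {

    /** A group entry: its DN (used to follow the chain) and its role name (what the webapp sees). */
    public static final class Group {
        public final String dn, role;
        public Group(String dn, String role) { this.dn = dn; this.role = role; }
    }

    /** One directory query: which group entries list the given DN as a member? */
    public interface GroupLookup {
        List<Group> groupsContaining(String memberDn) throws NamingException;
    }

    /**
     * Breadth-first walk over group membership. The visited set stops cycles
     * (two groups that list each other); maxDepth bounds the number of directory
     * round-trips a deep or malformed tree can cause. Role names come back in
     * discovery order, direct groups first.
     */
    public static Set<String> resolve(GroupLookup lookup, String userDn, int maxDepth)
            throws NamingException {
        Set<String> roles = new LinkedHashSet<>();
        Set<String> visited = new HashSet<>(Arrays.asList(userDn));
        Deque<String> frontier = new ArrayDeque<>(Arrays.asList(userDn));
        for (int depth = 0; depth < maxDepth && !frontier.isEmpty(); depth++) {
            Deque<String> next = new ArrayDeque<>();
            for (String dn : frontier) {
                for (Group g : lookup.groupsContaining(dn)) {
                    if (visited.add(g.dn)) {   // first time this group is seen
                        roles.add(g.role);
                        next.add(g.dn);
                    }
                }
            }
            frontier = next;
        }
        return roles;
    }

    /** JNDI-backed lookup driven by the same roleBase/roleSearch/roleName values as the Realm. */
    public static GroupLookup jndiLookup(DirContext ctx, String roleBase, String roleSearch,
                                         String roleName) {
        return memberDn -> {
            SearchControls ctls = new SearchControls();
            ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);   // roleSubtree="true"
            ctls.setReturningAttributes(new String[] { roleName });
            List<Group> out = new ArrayList<>();
            // {0} is filled from filterArgs, which JNDI escapes, so a DN containing
            // filter metacharacters cannot change the query.
            NamingEnumeration<SearchResult> results =
                    ctx.search(roleBase, roleSearch, new Object[] { memberDn }, ctls);
            try {
                while (results.hasMore()) {
                    SearchResult sr = results.next();
                    Attribute a = sr.getAttributes().get(roleName);
                    if (a != null) {
                        out.add(new Group(sr.getNameInNamespace(), (String) a.get()));
                    }
                }
            } finally {
                results.close();
            }
            return out;
        };
    }

    /** Constructed in-memory directory mirroring the two LDIF entries in the post. */
    public static GroupLookup demoLookup() {
        Map<String, List<String>> members = Map.of(
            "cn=somecompany,ou=Groups,o=Canada", List.of("uid=someuser,ou=People,o=Canada"),
            "cn=user,ou=Groups,o=Canada", List.of("cn=somecompany,ou=Groups,o=Canada"));
        return memberDn -> {
            List<Group> out = new ArrayList<>();
            for (Map.Entry<String, List<String>> e : members.entrySet()) {
                if (e.getValue().contains(memberDn)) {
                    String cn = e.getKey().substring(3, e.getKey().indexOf(','));  // role = cn
                    out.add(new Group(e.getKey(), cn));
                }
            }
            return out;
        };
    }

    public static void main(String[] args) throws NamingException {
        // Prints [somecompany, user]; a single flat roleSearch yields only somecompany.
        System.out.println(resolve(demoLookup(), "uid=someuser,ou=People,o=Canada", 10));
    }
}
```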

RE: Anyone successfully authenticating Tomcat users w/ windows login info using a JNDIRealm?

2003-04-01 Thread Darian Shimy
Try this: http://www.jguru.com/faq/view.jsp?EID=1045412


--
Darian Shimy 

 -Original Message-
 From: Tim Funk [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, March 26, 2003 11:16 AM
 To: Tomcat Users List
 Subject: Re: Anyone successfully authenticating Tomcat users 
 w/ windows login info using a JNDIRealm?
 
 
 If you have multiple domains, I think you're out of luck. If you run a 
 single active directory domain, you *might* be able to do 
 something like 
 this:
 
 <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
        connectionURL="ldap://need.morecowbell.com:389"
        userBase="dc=more,dc=morecowbell,dc=com"
        userSearch="(userPrincipalName={0})"
        userRoleName="member"
        roleBase="dc=more,dc=morecowbell,dc=com"
        roleName="cn"
        roleSearch="(member={0})"
        connectionName="cn=A_USER,cn=Users,dc=more,dc=morecowbell,dc=com"
        connectionPassword="prescription"
        roleSubtree="true"
        userSubtree="true" />
 
 To connect to active directory, you need a special user connection. 
 That's why 
 connectionName="cn=A_USER,cn=Users,dc=more,dc=morecowbell,dc=com"
 is used.
 
 I hope you have better luck than I had.
 
 -Tim
 
 Dan Payne wrote:
  I'm looking for some assistance in setting up single-sign 
 on with our
  windows 2000 intranet and Tomcat using Windows Active 
 Directory and a Tomcat
  JNDIRealm and LDAP. What I'm essentially looking for is
  HttpServletRequest.getRemoteUser() to return the username used to
  authenticate to the Windows network (Active Directory).
  
  My last post was rather vague and elicited no responses. 
 I've done some more
  research and this seems to be the way to go but it would be 
 nice if anyone
  who's already done it could relate their experiences or 
 perhaps point me in
  the right direction to some resources covering this issue.
  
  Thanks again,
  
  Dan
   
 
 
 


Anyone successfully authenticating Tomcat users w/ windows login info using a JNDIRealm?

2003-03-26 Thread Dan Payne
I'm looking for some assistance in setting up single-sign on with our
windows 2000 intranet and Tomcat using Windows Active Directory and a Tomcat
JNDIRealm and LDAP. What I'm essentially looking for is
HttpServletRequest.getRemoteUser() to return the username used to
authenticate to the Windows network (Active Directory).

My last post was rather vague and elicited no responses. I've done some more
research and this seems to be the way to go but it would be nice if anyone
who's already done it could relate their experiences or perhaps point me in
the right direction to some resources covering this issue.

Thanks again,

Dan





Re: Anyone successfully authenticating Tomcat users w/ windows logininfo using a JNDIRealm?

2003-03-26 Thread Tim Funk
If you have multiple domains, I think you're out of luck. If you run a 
single active directory domain, you *might* be able to do something like 
this:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://need.morecowbell.com:389"
       userBase="dc=more,dc=morecowbell,dc=com"
       userSearch="(userPrincipalName={0})"
       userRoleName="member"
       roleBase="dc=more,dc=morecowbell,dc=com"
       roleName="cn"
       roleSearch="(member={0})"
       connectionName="cn=A_USER,cn=Users,dc=more,dc=morecowbell,dc=com"
       connectionPassword="prescription"
       roleSubtree="true"
       userSubtree="true" />

To connect to active directory, you need a special user connection. 
That's why connectionName="cn=A_USER,cn=Users,dc=more,dc=morecowbell,dc=com"
is used.

I hope you have better luck than I had.

-Tim

Dan Payne wrote:
I'm looking for some assistance in setting up single-sign on with our
windows 2000 intranet and Tomcat using Windows Active Directory and a Tomcat
JNDIRealm and LDAP. What I'm essentially looking for is
HttpServletRequest.getRemoteUser() to return the username used to
authenticate to the Windows network (Active Directory).
My last post was rather vague and elicited no responses. I've done some more
research and this seems to be the way to go but it would be nice if anyone
who's already done it could relate their experiences or perhaps point me in
the right direction to some resources covering this issue.
Thanks again,

Dan
 




Send parameters to the JNDIRealm

2003-03-11 Thread mgp2
Hi.

I have an application that connects to a servlet and sends it a set of 
parameters through an OutputStream. I have a JNDIRealm installed, and when the 
application connects to the servlet, my Realm can't map these parameters 
(with the client certificate) to an authenticate() method.

What parameters are sent to my JNDIRealm??

I think that the authenticate method will be ~ authenticate(X509Certificate[] 
certs, xxx) - xxx = ??

Regards.





Get URL within JNDIRealm

2003-02-24 Thread Manuel GP
Hi...

I've been making a JNDIRealm with LDAP access and I need to get the URL from which 
JNDIRealm is called. I have various security constraints and I would like to 
distinguish the protected zones.

How can I get the URL within my own JNDIRealm??



Retrieve parameters from web.xml in my own JNDIRealm

2003-02-24 Thread Manuel GP
I've been making my own JNDIRealm, and my web application has various protected 
zones. In my JNDIRealm I would like to retrieve the parameters from web.xml 
(security-constraint subelements) related to the protected zones.

For example, in web.xml file I have the following lines:

   <security-constraint>
      <web-resource-collection>
         <web-resource-name>Private Zone 1</web-resource-name>
         ...
      </web-resource-collection>
      ...
   </security-constraint>
   <security-constraint>
      <web-resource-collection>
         <web-resource-name>Private Zone 2</web-resource-name>
         ...
      </web-resource-collection>
      ...
   </security-constraint>

In my JNDIRealm I would like to distinguish the different zones by the 
web-resource-name subelement in order to do different things. How can I 
retrieve this subelement when my application is running??

Thanks.



Searches on JNDIRealm

2003-02-18 Thread Tomcat User
Hi all.

I am making a JNDIRealm for LDAP connections (the JNDIRealm has to 
retrieve client certificates from LDAP). I would like to run searches 
only by Organizational Unit (Organization and Country are fixed); though 
the client DN is CN - OU - OU - C (the root search for my LDAP).

The code should be as the following:

   // Set up search controls.
   SearchControls ctls = new SearchControls();
   ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);

   // Perform search.
   NamingEnumeration answer =
      ctx.search("O=myOrganization, C=myCountry", "(ou={0})", new Object[] 
{orgunit}, ctls);

orgunit = param to my JNDIRealm (e.g. myOrgUnit)
CN = indifferent

The previous code does not work (error 32 - No such object). Can somebody 
help me??


Thanks and regards.





Re: JNDIRealm login failure

2003-01-07 Thread John Holman
Gil

Check whether the directory server is configured to time out idle 
connections. If so, the first attempt made by Tomcat to authenticate 
after a long enough period of inactivity will fail in the manner you 
describe. If this is the problem, you should find that after a second 
login attempt has succeeded other users can authenticate straight away - 
until the next long period of inactivity. You may be able to fix the 
problem by disabling timeout on the directory server. (You don't say 
which directory server you are using.)

Really there should be an option for JNDIRealm to check whether the 
connection is valid and reconnect if not before the authentication 
attempt is made. However, its connection management is very basic!

John.


Gil Chilton wrote:

I have created a simple tomcat web app that uses a
JNDIRealm for authentication per the instructions in
the Tomcat 4.1 documentation.  When I start tomcat,
the login process for this web app works fine for a
few minutes or logins.

Eventually, I reach a state where the first login
always fails until I restart Tomcat.  Each failed
login results in the following error in the logs:
2003-01-06 14:33:35 JNDIRealm[Standalone]: Exception
performing authentication
javax.naming.CommunicationException.  Root exception
is java.net.SocketException: Connection reset
   at
java.net.SocketInputStream.read(SocketInputStream.java:168)
   at
java.io.BufferedInputStream.fill(BufferedInputStream.java:183)
   at
java.io.BufferedInputStream.read1(BufferedInputStream.java:222)
   at
java.io.BufferedInputStream.read(BufferedInputStream.java:277)
   at
com.sun.jndi.ldap.Connection.run(Connection.java:779)
   at java.lang.Thread.run(Thread.java:536)

If the user backs up and resubmits the login a second
time, it works with no additional log entries.

I have seen this on Tomcat 4.1.12 and now 4.1.18 with
BASIC or FORM based authentication.  I have searched
the web and mailing lists without a match.  The
platform is RedHat Linux 7.3 or 8.0 with Sun's SDK
1.4.1_01 installed.  Any ideas?

Thanks


 




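The check-and-reconnect behaviour John says JNDIRealm lacks, as an added example (not Tomcat's code and not John's): one long-lived service connection, probed before use and reopened once when the server has dropped it. Bind parameters and the root-DSE probe are assumptions; only transport failures are retried, never an AuthenticationException, so a wrong password is not silently re-sent.

```java
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ServiceUnavailableException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;

/**
 * Hypothetical wrapper: holds one service connection to the directory, as
 * JNDIRealm does, but checks it before use and reopens it when the server
 * has closed it (idle timeout, restart, failover).
 */
public final class ReconnectingLdap {

    /** A unit of work against the directory that may safely be run again on a fresh connection. */
    public interface Op<T> {
        T run(DirContext ctx) throws NamingException;
    }

    private final Hashtable<String, String> env = new Hashtable<>();
    private DirContext ctx;            // current connection, null until first use

    public ReconnectingLdap(String url, String bindDn, String password) {
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
    }

    /** Cheap liveness probe: base-scope read of the root DSE, returning no attributes. */
    private boolean alive() {
        if (ctx == null) {
            return false;
        }
        try {
            SearchControls ctls = new SearchControls();
            ctls.setSearchScope(SearchControls.OBJECT_SCOPE);
            ctls.setReturningAttributes(new String[] { "1.1" });  // "1.1" = no attributes
            ctx.search("", "(objectClass=*)", ctls).close();
            return true;
        } catch (NamingException e) {
            return false;   // reset socket, closed context, server gone: all mean "reconnect"
        }
    }

    private synchronized DirContext connection(boolean forceNew) throws NamingException {
        if (forceNew || !alive()) {
            close();
            ctx = new InitialDirContext(env);
        }
        return ctx;
    }

    /**
     * Runs op on a checked connection; if the server drops the socket mid-way
     * (the "Connection reset" in the log above), reconnects once and retries.
     * Other failures, including bad credentials, propagate unchanged.
     */
    public <T> T withRetry(Op<T> op) throws NamingException {
        try {
            return op.run(connection(false));
        } catch (CommunicationException | ServiceUnavailableException e) {
            return op.run(connection(true));
        }
    }

    public synchronized void close() {
        if (ctx != null) {
            try {
                ctx.close();
            } catch (NamingException ignored) {
                // connection already dead; nothing left to release
            }
            ctx = null;
        }
    }
}
```

The probe costs one extra round-trip per operation; a production realm would rate-limit it (for example, only probe after a period of inactivity) rather than run it on every login.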



JNDIRealm login failure

2003-01-06 Thread Gil Chilton
I have created a simple tomcat web app that uses a
JNDIRealm for authentication per the instructions in
the Tomcat 4.1 documentation.  When I start tomcat,
the login process for this web app works fine for a
few minutes or logins.

Eventually, I reach a state where the first login
always fails until I restart Tomcat.  Each failed
login results in the following error in the logs:
2003-01-06 14:33:35 JNDIRealm[Standalone]: Exception
performing authentication
javax.naming.CommunicationException.  Root exception
is java.net.SocketException: Connection reset
at
java.net.SocketInputStream.read(SocketInputStream.java:168)
at
java.io.BufferedInputStream.fill(BufferedInputStream.java:183)
at
java.io.BufferedInputStream.read1(BufferedInputStream.java:222)
at
java.io.BufferedInputStream.read(BufferedInputStream.java:277)
at
com.sun.jndi.ldap.Connection.run(Connection.java:779)
at java.lang.Thread.run(Thread.java:536)

If the user backs up and resubmits the login a second
time, it works with no additional log entries.

I have seen this on Tomcat 4.1.12 and now 4.1.18 with
BASIC or FORM based authentication.  I have searched
the web and mailing lists without a match.  The
platform is RedHat Linux 7.3 or 8.0 with Sun's SDK
1.4.1_01 installed.  Any ideas?

Thanks





JNDIRealm expires?

2002-10-08 Thread Vincent Stoessel

I have been able to successfully set up a JNDIRealm in tomcat for 
authentication. Only problem is after about 12 (rough guess) I get
the dreaded black page instead of seeing my login form. The workaround 
is to restart tomcat. Obviously, this won't work well for an always-on
service. Maybe there might be a way to reinitialize an idle connection?
Thanks.


2002-10-08 12:35:18 CoyoteAdapter An exception or error occurred in the 
container during the request processing
java.lang.NullPointerException
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:173)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2516)
at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2458)
at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2432)
at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1837)
at com.sun.jndi.ldap.LdapCtx.doSearchOnce(LdapCtx.java:1829)
at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1223)
at 
com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:213)
at 
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:121)
at 
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:109)
at 
javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:121)
at org.apache.catalina.realm.JNDIRealm.bindAsUser(JNDIRealm.java:1051)
at org.apache.catalina.realm.JNDIRealm.checkCredentials(JNDIRealm.java:957)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:729)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:671)
at 
org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:263)
at 
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:458)
at 
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at 
org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
at 
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at 
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at 
org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2397)
at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
at 
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
at 
org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
at 
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:171)
at 
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at 
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
at 
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
at 
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
at 
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
at 
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
at 
org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
at 
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
at java.lang.Thread.run(Thread.java:536)
-- 
Vincent Stoessel
Linux Systems Developer
vincent xaymaca.com






AW: JNDIRealm expires?

2002-10-08 Thread Vincent Stoessel

I apologize for the false alarm.
My password had expired (arghh)
that is why the login process failed.
Back to the regularly scheduled program.

Vincent Stoessel wrote:
 I have been able to successfully set up a JNDIRealm in tomcat for 
 authentication. Only problem is after about 12 (rough guess) I get
 the dreaded black page instead of seeing my login form. The workaround 
 is to restart tomcat. Obviously, this won't work well for an always-on
 service. Maybe there might be a way to reinitialize an idle connection?
 Thanks.
 
 
 2002-10-08 12:35:18 CoyoteAdapter An exception or error occurred in the 
 container during the request processing
 java.lang.NullPointerException
 at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:173)
 at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2516)
 at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2458)
 at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2432)
 at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1837)
 at com.sun.jndi.ldap.LdapCtx.doSearchOnce(LdapCtx.java:1829)
 at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1223)
 at 
 
com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:213)
 
 
 at 
 
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:121)
 
 
 at 
 
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:109)
 
 
 at 
 javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:121) 
 
 at org.apache.catalina.realm.JNDIRealm.bindAsUser(JNDIRealm.java:1051)
 at 
 org.apache.catalina.realm.JNDIRealm.checkCredentials(JNDIRealm.java:957)
 at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:729)
 at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:671)
 at 
 
org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:263)
 
 
 at 
 
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:458)
 
 
 at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
 at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
 at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
 at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
 at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
 at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2397)
 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
 at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
 at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
 at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:171)
 at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
 at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
 at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
 at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
 at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
 at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
 at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
 at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
 at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
 at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
 at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
 at java.lang.Thread.run(Thread.java:536)






RE: JNDIRealm and 4.1.10 with iPlanet

2002-09-24 Thread Douglas L Stewart

Looks like you are using parentheses around the 0 rather than
brackets.  That is probably why it is being passed literal rather than
being expanded.

---
 Sorry to jump in on this discussion. But I think people with LDAP
 experience are having a look on it.
 
 <Realm className="org.apache.catalina.realm.JNDIRealm"
   debug="999"
   connectionName="cn=Directory Manager"
   connectionPassword="mypassword"
   connectionURL="ldap://192.168.90.120:11592"
   roleBase="dc=my-company,dc=com"
   roleName="uid"
   roleSearch="(uid={0})"
   roleSubtree="false"
   userPassword="userPassword"
   userPattern="uid={0}, ou=People, dc=my-company, dc=com"
 />
 
 As he has almost the same declaration as I do, I'm wondering why in my
 case the query gets sent to the OpenLDAP server, but uid=(0) is not
 changed to the user's name.
 
 <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
 connectionURL="ldap://localhost"
 userPattern="uid=(0),ou=people,dc=yikester,dc=net"
 roleBase="ou=groups,dc=yikester,dc=net"
 roleName="cn"
 roleSearch="(uniqueMember=(0))"
 userPassword="userPassword" />
 
 On the OpenLDAP server I see in the logfile:
 
 SRCH base=uid=(0),ou=people,dc=yikester,dc=net scope=0
 filter=(objectClass=*)
 
 Can it be that this code in Tomcat still is very new and not many people
 are using it?
 
 Stephan
 
 --
 To unsubscribe, e-mail:  
mailto:[EMAIL PROTECTED]
 For additional commands, e-mail:
mailto:[EMAIL PROTECTED]
 
 
 

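Stephan's OpenLDAP log line shows the pattern reaching the server unexpanded. Tomcat's JNDIRealm expands userPattern (and roleSearch) with java.text.MessageFormat, whose placeholder syntax is {0}; a pattern written with parentheses contains no placeholder, so the string is bound as-is. The class below is an added example, not code from Tomcat or from anyone in this thread, that reproduces both outcomes with MessageFormat. The class name, the login names and the escapeDnValue helper are hypothetical; the helper is the caveat a practitioner would add, since whatever is substituted for {0} comes from the login form and should be escaped as an RFC 4514 DN value before it becomes part of a bind DN.

```java
import java.text.MessageFormat;

/**
 * Added example (not Tomcat code). Shows why userPattern="uid=(0),..." is sent
 * to the directory literally while userPattern="uid={0},..." is expanded:
 * JNDIRealm feeds the pattern to java.text.MessageFormat, and MessageFormat
 * only recognises braces as placeholders.
 */
public class UserPatternDemo {

    /** Expand the pattern the way JNDIRealm does: MessageFormat with the login name as argument 0. */
    static String expandUserPattern(String userPattern, String username) {
        return new MessageFormat(userPattern).format(new Object[] { username });
    }

    /**
     * Hypothetical helper: escape a value destined for a DN per RFC 4514 so a
     * login name containing ',' or '=' cannot add or alter RDNs of the pattern.
     * JNDIRealm itself substitutes the raw login name.
     */
    static String escapeDnValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case ',': case '+': case '"': case '\\': case '<': case '>': case ';': case '=':
                    sb.append('\\').append(c);          // always escaped inside a DN value
                    break;
                case '#':
                    if (i == 0) { sb.append('\\'); }    // only a leading '#' needs escaping
                    sb.append(c);
                    break;
                case ' ':
                    if (i == 0 || i == value.length() - 1) { sb.append('\\'); } // leading/trailing space
                    sb.append(c);
                    break;
                default:
                    sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Stephan's pattern, exactly as in his server.xml: parentheses, not braces
        String withParens = "uid=(0),ou=people,dc=yikester,dc=net";
        // Douglas's working pattern: a MessageFormat placeholder
        String withBraces = "uid={0},ou=People,dc=my-company,dc=com";

        // Constructed login names (assumptions, not from the thread)
        System.out.println(expandUserPattern(withParens, "stephan"));
        System.out.println(expandUserPattern(withBraces, "dstewart"));

        // A login name carrying a DN separator is neutralised by escaping it first
        System.out.println(expandUserPattern(withBraces, escapeDnValue("x,ou=admins")));
    }
}
```

The first call returns the parenthesised pattern unchanged, which is exactly the base DN that appeared in Stephan's log; the second yields a DN with the login name in place of {0}. The third shows the escaped form: without escapeDnValue, the comma in the constructed name would have turned it into two RDNs and moved the entry out of ou=People.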




Re: JNDIRealm and 4.1.10 with iPlanet

2002-09-24 Thread Douglas L Stewart

This was exactly my problem.  I had not seen that I needed to do this
while reviewing the documentation.  With this help I was able to get
everything working.

It looks like LDAP dynamic groups aren't currently supported by
Tomcat.  Does anyone have information that conflicts with this?  I ended up
using a static group.

---
 Did you protect the resource that you're trying to access with a
 security-constraint in your web.xml?
 
 Jon
 
 - Original Message -
 From: Douglas L Stewart [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Monday, September 23, 2002 11:31 AM
 Subject: JNDIRealm and 4.1.10 with iPlanet
 
 
  I'm using Tomcat 4.1.10 trying to authenticate against iPlanet
  Directory Server 5.0.
 
  I've created a Realm inside of the Engine declaration:
 
    <Realm className="org.apache.catalina.realm.JNDIRealm"
      debug="999"
      connectionName="cn=Directory Manager"
      connectionPassword="mypassword"
      connectionURL="ldap://192.168.90.120:11592"
      roleBase="dc=my-company,dc=com"
      roleName="uid"
      roleSearch="(uid={0})"
      roleSubtree="false"
      userPassword="userPassword"
      userPattern="uid={0}, ou=People, dc=my-company, dc=com"
    />
 
  I'm getting this in the log when I start Tomcat:
 
  2002-09-23 11:09:49 JNDIRealm[Standalone]: Connecting to URL
  ldap://192.168.90.120:11592
 
   According to the documentation putting the Realm declaration in the
   Engine section should make it used globally, but when I try to view
   some of my servlets I see nothing in the log and I'm not prompted for
   a login, it just shows the page.
 
  What am I missing?
 
 
 
 
 
 
 

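Jon's question is the key: a Realm is only consulted when the container must authorize a request, and that happens only for URLs matched by a security-constraint in the application's web.xml, together with a login-config that tells the container how to collect credentials. Without those, the Engine-level Realm connects at startup and then sits idle, which is the behaviour Douglas describes (one "Connecting to URL" line, no prompt, page served). The web.xml below is an added example for Tomcat 4 (servlet 2.3 DTD), not from this thread or from the Tomcat distribution; the URL pattern, the realm-name and the role name "staff" are assumptions.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
                         "http://java.sun.com/dtd/web-app_2_3.dtd">
<!-- Added example web.xml (assumed values); without the security-constraint
     below the Realm configured in server.xml is never asked to authenticate. -->
<web-app>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected servlets</web-resource-name>
      <!-- assumed pattern: the servlets Douglas expected a login prompt for -->
      <url-pattern>/servlet/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- The role name must match what the Realm's roleSearch/roleName yields;
           with roleName="uid" the roles are uid values, not group names. "staff" is assumed. -->
      <role-name>staff</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- BASIC auth sends the password base64-encoded on every request;
           CONFIDENTIAL makes the container require HTTPS for these URLs. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>iPlanet Directory</realm-name>
  </login-config>

  <security-role>
    <role-name>staff</role-name>
  </security-role>

</web-app>
```

Once a constrained URL is requested, JNDIRealm's debug output starts showing the bind attempts, which is the quickest way to confirm the Realm is actually in the request path.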




JNDIRealm and 4.1.10 with iPlanet

2002-09-23 Thread Douglas L Stewart

I'm using Tomcat 4.1.10 trying to authenticate against iPlanet
Directory Server 5.0.

I've created a Realm inside of the Engine declaration:

  <Realm className="org.apache.catalina.realm.JNDIRealm"
    debug="999"
    connectionName="cn=Directory Manager"
    connectionPassword="mypassword"
    connectionURL="ldap://192.168.90.120:11592"
    roleBase="dc=my-company,dc=com"
    roleName="uid"
    roleSearch="(uid={0})"
    roleSubtree="false"
    userPassword="userPassword"
    userPattern="uid={0}, ou=People, dc=my-company, dc=com"
  />

I'm getting this in the log when I start Tomcat:

2002-09-23 11:09:49 JNDIRealm[Standalone]: Connecting to URL
ldap://192.168.90.120:11592

According to the documentation putting the Realm declaration in the
Engine section should make it used globally, but when I try to view
some of my servlets I see nothing in the log and I'm not prompted for
a login, it just shows the page.

What am I missing?




