JNDIRealm authentication
Hi Folks,

Is it possible to authenticate in multiple userBases using JNDIRealm? I have a configuration as follows:

    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
           connectionURL="ldap://localhost:389"
           userBase="ou=people,dc=mycompany,dc=com"
           userSearch="(mail={0})"
           userRoleName="memberOf"
           roleBase="ou=groups,dc=mycompany,dc=com"
           roleName="cn"
           roleSearch="(uniqueMember={0})" />

I need to provide two userBases, userBase="ou=people,dc=mycompany,dc=com" and userBase="ou=people2,dc=mycompany,dc=com". Is it possible? I don't want to search from my upper level, because it's really big.

Thanks in advance,
Rogerio.
Re: JNDIRealm authentication
No, but the code of JNDIRealm can easily be reused to create your own realm.

On Friday 19 August 2005 15:26, Rogerio Baldini das Neves wrote:

--
David Delbecq
Royal Meteorological Institute of Belgium
- Is there life after /sbin/halt -p? -

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: JNDIrealm Mbean
I modified my function and verified that the MBean exists. But how can I get the values of my MBean attributes? Here is my code:

    import java.util.List;
    import javax.management.MBeanServer;
    import javax.management.MBeanServerFactory;
    import javax.management.ObjectName;

    try {
        ObjectName timer = new ObjectName("Catalina:type=Realm,path=/DJLRWebapp,host=localhost");
        List list = MBeanServerFactory.findMBeanServer(null);
        MBeanServer server = (MBeanServer) list.iterator().next();
        // String type = nodeName + ":" + projectName + ":" + date;
        System.out.println(server.isRegistered(timer));
        int i = 0;
        while (i < 5) { // list the names of the first 5 attributes
            System.out.println(server.getMBeanInfo(timer).getAttributes()[i].getName());
            i++;
        }
    } catch (Exception e) {
        e.printStackTrace(); // an empty catch block would hide the reason for a failure
    }

Thanks for answers
Jabouille Jean Charles

----- Original Message -----
From: jean charles jabouille [EMAIL PROTECTED]
To: tomcat-user@jakarta.apache.org
Sent: Friday, March 11, 2005 10:48 AM
Subject: JNDIrealm Mbean
Re: JNDIrealm Mbean
I answer my own question...

    import java.util.List;
    import javax.management.MBeanServer;
    import javax.management.MBeanServerFactory;
    import javax.management.ObjectName;

    try {
        ObjectName JNDIRealm = new ObjectName("Catalina:type=Realm,path=/DJLRWebapp,host=localhost");
        List list = MBeanServerFactory.findMBeanServer(null);
        MBeanServer server = (MBeanServer) list.iterator().next();
        System.out.println(server.getAttribute(JNDIRealm, "connectionName"));
        System.out.println(server.getAttribute(JNDIRealm, "connectionURL"));
        // connectionPassword is the directory bind secret: printing it writes it to stdout / catalina.out
        System.out.println(server.getAttribute(JNDIRealm, "connectionPassword"));
        System.out.println(server.getAttribute(JNDIRealm, "contextFactory"));
        System.out.println(server.getAttribute(JNDIRealm, "digest"));
        System.out.println(server.getAttribute(JNDIRealm, "userBase"));
    } catch (Exception e) {
        System.out.println(e);
    }

----- Original Message -----
From: jean charles jabouille [EMAIL PROTECTED]
To: Tomcat Users List tomcat-user@jakarta.apache.org
Sent: Wednesday, March 16, 2005 10:03 AM
Subject: Re: JNDIrealm Mbean

----- Original Message -----
From: jean charles jabouille [EMAIL PROTECTED]
To: tomcat-user@jakarta.apache.org
Sent: Friday, March 11, 2005 10:48 AM
Subject: JNDIrealm Mbean
JNDIrealm Mbean
Hi,

I use Tomcat 5.5 and I created a JNDIRealm in the server.xml file. I'd like to access the JNDIRealm MBean but I can't find information about source code examples. I saw this page that contains all Tomcat MBeans: http://jakarta.apache.org/tomcat/tomcat-5.5-doc/catalina/funcspecs/mbean-names.html

Is there an mbean-descriptor.xml to add to my application? I don't think so, because I think that Tomcat MBeans are loaded automatically.

Here is an example of my attempt to access the Tomcat JNDIRealm MBean and the connectionUrl of my realm. This code is not working :-(

    try {
        ObjectName timer = new ObjectName("Catalina:type=org.apache.catalina.realm.JNDIRealm,name=JNDIRealm");
        List list = MBeanServerFactory.findMBeanServer(null);
        MBeanServer server = (MBeanServer) list.iterator().next();
        String connectionUrl;
        // as posted: invoke() targets MBean operations, not attributes
        connectionUrl = (String) server.invoke(timer, "connectionURL", new Object[] {},
                                               new String[] { "".getClass().getName() });
    } catch (Exception e) {
    }

Do you have a code example or a solution?

Thanks for your answers,
Jabouille Jean Charles
Authenticate JNDIrealm through Client
I wonder... I've started a JNDIRealm and it works just fine against LDAP. I have no problem logging in from a web browser (BASIC mode). But I want to log in from a Java client; how do I do that?
SV: Authenticate JNDIrealm through Client
Hi!

Without being too sure about this, I guess that if you are going to authenticate a user via any kind of client against a Tomcat server you have to talk the language Tomcat talks, and that language is HTTP. So you have to make your client able to talk HTTP, then send the login request as an HTTP request and look at the HTTP response.

Regards
Roland Carlsson

On 05-02-21 12.20, bohldan bohldan [EMAIL PROTECTED] wrote:

> I wonder... I've started a JNDIRealm and it works just fine against LDAP. I have no problem logging in from a web browser (BASIC mode). But I want to log in from a Java client; how do I do that?
JNDIRealm and multiple groups in LDAP.
Hi,

I'm trying to apply JNDIRealm to an LDAP structure where each user belongs to some group (organizationalUnit):

    dn: ou=Group1, o=myorg
    objectclass: organizationalUnit
    ou: Group1

    dn: uid=user1, ou=Group1, o=myorg
    objectclass: person
    uid: user1

    dn: ou=Group2, o=myorg
    objectclass: organizationalUnit
    ou: Group2

    dn: uid=user2, ou=Group2, o=myorg
    objectclass: person
    uid: user2

Also there are roles, and each of them can be assigned to some groups:

    dn: cn=readIt, o=myorg
    objectclass: organizationalRole
    cn: readIt
    roleOccupant: ou=Group1, o=myorg
    roleOccupant: ou=Group2, o=myorg

    dn: cn=changeIt, o=myorg
    objectclass: organizationalRole
    cn: changeIt
    roleOccupant: ou=Group2, o=myorg

So technically, to find the roles for a user, we need three steps:

- search for (uid=username);
- get the group DN by stripping the last component: groupDN = userDN.getPrefix(userDN.size() - 1);
- search for roles with (roleOccupant={groupDN}).

The current implementation of JNDIRealm assumes that roles are assigned to users, not to groups, so I can't use it directly. Of course I could (and probably will) find a way to hack it (extend it, put in some adapter, etc.), but I suspect that this is a pretty common case and it could be resolved in a more general and graceful way. For instance, the inner User class could have an additional attribute, e.g. getGroup(), and that value could be used as the third parameter in the roleSearch attribute.

What do you think? Is it worth trying to generalize the usage of groups in JNDIRealm?
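The three-step lookup described in this post, written out as an added example; it is not part of the original message and not Tomcat's JNDIRealm code. It runs against a constructed in-memory copy of the LDIF above (with the spaces after the DN commas dropped), substitutes {0} into the userSearch and roleSearch templates with RFC 4515 escaping, strips the user's own RDN to obtain the group DN, and resolves roleOccupant. The search function and its subtree flag are assumptions standing in for a real LDAP search; the flag also shows how a one-level versus subtree scope decides whether a user below the base is found at all.

```python
import re

# Constructed sample entries mirroring the LDIF in the post; a stand-in for the
# directory, not a real LDAP server.
ENTRIES = {
    "ou=Group1,o=myorg": {"objectclass": ["organizationalUnit"], "ou": ["Group1"]},
    "uid=user1,ou=Group1,o=myorg": {"objectclass": ["person"], "uid": ["user1"]},
    "ou=Group2,o=myorg": {"objectclass": ["organizationalUnit"], "ou": ["Group2"]},
    "uid=user2,ou=Group2,o=myorg": {"objectclass": ["person"], "uid": ["user2"]},
    "cn=readIt,o=myorg": {"objectclass": ["organizationalRole"], "cn": ["readIt"],
                          "roleOccupant": ["ou=Group1,o=myorg", "ou=Group2,o=myorg"]},
    "cn=changeIt,o=myorg": {"objectclass": ["organizationalRole"], "cn": ["changeIt"],
                            "roleOccupant": ["ou=Group2,o=myorg"]},
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter template's {0}.
    Without it a username such as 'user1)(uid=*' rewrites the filter itself."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(template, value):
    """Substitute {0} the way the realm's userSearch/roleSearch templates do, escaped."""
    return template.replace("{0}", escape_filter_value(value))


def parse_equality_filter(flt):
    """Parse a single '(attr=value)' filter and unescape \\xx sequences in the value."""
    if not (flt.startswith("(") and flt.endswith(")")) or "=" not in flt:
        raise ValueError("unsupported filter: %r" % flt)
    attr, value = flt[1:-1].split("=", 1)
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return attr, value


def split_rdns(dn):
    """Split a DN on unescaped commas only: 'cn=Doe\\, J,o=x' keeps its escaped comma."""
    return re.split(r"(?<!\\),", dn)


def parent_dn(dn):
    """Step 2 of the post: userDN.getPrefix(userDN.size() - 1)."""
    return ",".join(split_rdns(dn)[1:])


def search(base, flt, subtree=True, entries=ENTRIES):
    """Minimal equality search under `base` (assumed stand-in for an LDAP search);
    `subtree` mirrors the realm's userSubtree/roleSubtree flags."""
    attr, value = parse_equality_filter(flt)
    hits = []
    for dn, attrs in entries.items():
        if not dn.endswith("," + base):
            continue
        if not subtree and parent_dn(dn) != base:   # one-level: direct children only
            continue
        if value in attrs.get(attr, []):
            hits.append(dn)
    return hits


def roles_for(username, entries=ENTRIES):
    """The three steps from the post; None means authentication should fail."""
    users = search("o=myorg", build_filter("(uid={0})", username), True, entries)
    if len(users) != 1:          # unknown user, or an ambiguous match
        return None
    group_dn = parent_dn(users[0])
    roles = search("o=myorg", build_filter("(roleOccupant={0})", group_dn), True, entries)
    return sorted(entries[dn]["cn"][0] for dn in roles)


if __name__ == "__main__":
    for name in ("user1", "user2", "nobody", "user1)(uid=*"):
        print(name, "->", roles_for(name))
```

The last input is the reason the escaping matters: without it the substituted filter would read `(uid=user1)(uid=*)` and no longer mean what the template intended; with it the value is compared literally and simply matches nobody.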
REPOST: Recursive groups in JNDIRealm
Hi!

I'm sorry for reposting this, but I urgently need confirmation about Tomcat supporting or not supporting recursive searching in LDAP for roles that include other roles. I post the relevant part of server.xml:

    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
           connectionURL="ldap://192.168.10.10:389"
           connectionName="CN=Administrator,CN=Users,DC=alfa-moving,DC=se"
           connectionPassword="x"
           userBase="CN=Users,DC=alfa-moving,DC=se"
           userSearch="(sAMAccountName={0})"
           userRoleName="memberOf"
           roleBase="CN=Users,DC=alfa-moving,DC=se"
           roleName="CN"
           roleSearch="(member={0})"
           roleSubtree="true"/>

Thank you very much in advance
Roland Carlsson

From: Roland Carlsson [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
Date: Wed, 17 Nov 2004 16:52:34 +0100
To: TomcatUsers [EMAIL PROTECTED]
Subject: Recursive groups in JNDIRealm

> Hi!
>
> After an hour of searching I can't figure out if Tomcat is able to find groups in groups on an LDAP server. I found this in the archives, but it is from 4.1.18: http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg89601.html
>
> Thanks in advance
> Roland Carlsson

-- End of forwarded message
Recursive groups in JNDIRealm
Hi!

After an hour of searching I can't figure out if Tomcat is able to find groups in groups on an LDAP server. I found this in the archives, but it is from 4.1.18: http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg89601.html

Thanks in advance
Roland Carlsson
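Whatever a given Tomcat version does, the "groups in groups" expansion this thread asks about looks like the following. This is an added example, not Tomcat code and not part of Roland's message; GROUPS is constructed data in the Active Directory style of the thread (a member attribute on each group, roleName="CN"), with a deliberate Ops/Admins cycle to show why a visited set and a depth limit are needed before any recursive lookup is let loose on a production directory.

```python
# Constructed sample: group entries keyed by DN with their 'member' values. A
# stand-in for an AD/LDAP directory, not real data; note the Ops <-> Admins cycle.
GROUPS = {
    "CN=Admins,CN=Users,DC=example,DC=test": [
        "CN=Ops,CN=Users,DC=example,DC=test",
    ],
    "CN=Ops,CN=Users,DC=example,DC=test": [
        "CN=alice,CN=Users,DC=example,DC=test",
        "CN=Admins,CN=Users,DC=example,DC=test",   # cycle: Admins also contains Ops
    ],
    "CN=Staff,CN=Users,DC=example,DC=test": [
        "CN=alice,CN=Users,DC=example,DC=test",
        "CN=bob,CN=Users,DC=example,DC=test",
    ],
    "CN=Guests,CN=Users,DC=example,DC=test": [
        "CN=carol,CN=Users,DC=example,DC=test",
    ],
}


def rdn_value(dn):
    """roleName="CN": the value of the first RDN (the sample DNs contain no escaped commas)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def direct_groups(member_dn, groups=GROUPS):
    """What roleSearch="(member={0})" returns: groups that list the DN directly.
    DN comparison is case-insensitive here; real DN matching also normalises spacing."""
    needle = member_dn.lower()
    return sorted(g for g, members in groups.items()
                  if needle in (m.lower() for m in members))


def all_groups(user_dn, groups=GROUPS, max_depth=10):
    """Transitive closure over group-of-group membership.
    `seen` stops cycles; `max_depth` bounds the work a deep tree can cause.
    Returns (sorted role names, number of search rounds performed)."""
    seen, frontier, depth = set(), [user_dn], 0
    while frontier and depth < max_depth:
        next_frontier = []
        for dn in frontier:
            for g in direct_groups(dn, groups):
                if g not in seen:
                    seen.add(g)
                    next_frontier.append(g)
        frontier = next_frontier
        depth += 1
    return sorted(rdn_value(g) for g in seen), depth


if __name__ == "__main__":
    alice = "CN=alice,CN=Users,DC=example,DC=test"
    print("direct:", [rdn_value(g) for g in direct_groups(alice)])
    print("nested:", all_groups(alice))
```

With max_depth=1 the result is exactly the single-level roleSearch answer (Ops and Staff); the full expansion also yields Admins, reached through Ops, and the cycle back to Ops is skipped because it is already in `seen`.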
Roles-problem with JNDIRealm and AD
Hi List

I'm trying to connect Tomcat/5.0.28 to AD on Windows 2003. My problem is that JNDIRealm fails to get role information after successfully binding with the user's DN. My temporary conclusion is that JNDIRealm fails to use the bound connection with AD when performing the search for the role object. I have verified that the user object in question can access the group object by using another LDAP client and binding as that user.

Is my conclusion somewhere close to the mark? If it is, how can I make JNDIRealm behave; if not, any other ideas?

Here is the relevant section from server.xml:

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldap://dtoslhk001" debug="99"
           userBase="cn=Users,dc=netlinetest,dc=kol,dc=net"
           userPattern="cn={0},cn=Users,dc=netlinetest,dc=kol,dc=net"
           roleBase="cn=Users,dc=netlinetest,dc=kol,dc=net"
           roleSearch="(member={0})"
           roleName="cn" />

And here is the log output I get when I try to authenticate:

    JNDIRealm[Catalina]: lookupUser(Per I. Lot)
    JNDIRealm[Catalina]: dn=cn=Per I. Lot,cn=Users,dc=netlinetest,dc=kol,dc=net
    JNDIRealm[Catalina]: validating credentials by binding as the user
    JNDIRealm[Catalina]: binding as cn=Per I. Lot,cn=Users,dc=netlinetest,dc=kol,dc=net
    JNDIRealm[Catalina]: Username Per I. Lot successfully authenticated
    JNDIRealm[Catalina]: getRoles(cn=Per I. Lot,cn=Users,dc=netlinetest,dc=kol,dc=net)
    JNDIRealm[Catalina]: Searching role base 'cn=Users,dc=netlinetest,dc=kol,dc=net' for attribute 'cn'
    JNDIRealm[Catalina]: With filter expression '(member=cn=Per I. Lot,cn=Users,dc=netlinetest,dc=kol,dc=net)'
    JNDIRealm[Catalina]: Exception performing authentication
    javax.naming.NamingException: [LDAP: error code 1 - : LdapErr: DSID-0C0905FF, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]; remaining name 'cn=Users,dc=netlinetest,dc=kol,dc=net'

Hope someone can help.

Best regards!

--
Eivind Trondsen | http://www.linuxlabs.no
LinuxLabs AS    | eivind.trondsen at linuxlabs.no
JNDIRealm Problem
Hello:

I have a problem with my JNDIRealm configuration in Tomcat 5. I'm using the bind mode for authentication. My company has Microsoft Active Directory with two OUs within ou=People. I configured server.xml to connect to my LDAP successfully, but only to one OU; I tried to put only ou=People in userBase to search in both sub-OUs, but I can't connect.

This is how I have server.xml. In this case I can connect if the user is in ou=TGP; if the user is in ou=COGA I can't:

    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
           connectionURL="ldap://10.158.1.4:389"
           userPattern="cn={0},ou=TGP,ou=People,ou=Public,dc=reltsa,dc=coga,dc=com"
           userSubtree="true"
           digest="MD5"
           roleBase="ou=People,ou=Public,dc=reltsa,dc=coga,dc=com"
           roleName="cn"
           roleSubtree="true"
           roleSearch="(uniqueMember={0})"/>

So I tried this:

    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
           connectionURL="ldap://10.158.1.4:389"
           userBase="ou=People,ou=Public,dc=reltsa,dc=coga,dc=com"
           userSearch="(uid={0})"
           userSubtree="true"
           digest="MD5"
           roleBase="ou=People,ou=Public,dc=reltsa,dc=coga,dc=com"
           roleName="cn"
           roleSubtree="true"
           roleSearch="(uniqueMember={0})"/>

but it doesn't work. Any ideas?

Thanks a lot
Claudia
RV: JNDIRealm and Windows 2000 Active Directory
I'm trying to configure a JNDIRealm against a Windows 2000 Active Directory. In the examples on the Jakarta web site I have only seen examples over OpenLDAP. Can you help me with the configuration over Windows 2000 AD? Does somebody have a production system or web application using JNDIRealm against Active Directory? Can you help me configure it? Thanks for all.
Re: Tomcat 5 and JNDIRealm
Unfortunately, the LDAP server is on Domino and the only guy who worked on it quit. And I don't know enough about Domino to access its logs or figure out the answers to the questions below. Here's what is appearing in the Tomcat logs:

    2004-08-11 10:43:23 JNDIRealm[deepa.myinfogenic.net]: lookupUser(dramamurthy)
    2004-08-11 10:43:23 JNDIRealm[deepa.myinfogenic.net]: dn=O=Infogenic
    2004-08-11 10:43:23 JNDIRealm[deepa.myinfogenic.net]: validating credentials by binding as the user
    2004-08-11 10:43:23 JNDIRealm[deepa.myinfogenic.net]: binding as O=Infogenic
    2004-08-11 10:43:23 JNDIRealm[deepa.myinfogenic.net]: bind attempt failed
    2004-08-11 10:43:23 JNDIRealm[deepa.myinfogenic.net]: Username dramamurthy NOT successfully authenticated

I ran the sample GetattrsAll program from java.sun.com. Here's what it returned:

    [EMAIL PROTECTED] dramamurthy]$ java GetattrsAll
    attribute: mail
    value: [EMAIL PROTECTED]
    attribute: uid
    value: DRamamurthy
    attribute: givenname
    value: Deepa
    attribute: objectclass
    value: dominoPerson
    value: inetOrgPerson
    value: organizationalPerson
    value: person
    value: top
    attribute: maildomain
    value: Infogenic
    attribute: mailserver
    value: CN=Lexy,O=Infogenic
    attribute: cn
    value: Deepa Ramamurthy

Thanks.
Deepa

QM [EMAIL PROTECTED]
08/10/2004 07:44 PM
Please respond to Tomcat Users List
To: Tomcat Users List [EMAIL PROTECTED]
cc:
Subject: Re: Tomcat 5 and JNDIRealm

> On Tue, Aug 10, 2004 at 03:52:16PM -0500, Deepa Ramamurthy wrote:
> : My webapp is running on Tomcat 5.0.
> : I've been trying to set it up to use the LDAP server for authentication
> : without any luck.
>
> Details, details:
>
> - what do you experience when you try to login? What's in the logs, both for Tomcat and the LDAP server? (Increase log verbosity on both for the purposes of your test. You'd be surprised what gremlins are lurking ;)
> - does your LDAP directory have the proper attributes for user roles and such?
> - does the directory use a password hashing expected by JNDIRealm?
> - have you tried running LDAP queries using the roleSearch criteria specified in the <Realm/> element?
>
> Providing the server.xml and web.xml was a good start, but we'll need more info.
>
> -QM
> --
> software  -- http://www.brandxdev.net
> tech news -- http://www.RoarNetworX.com
Tomcat 5 and JNDIRealm
Hello!

My webapp is running on Tomcat 5.0. I've been trying to set it up to use the LDAP server for authentication without any luck. Here are my entries in server.xml and web.xml respectively:

server.xml:

    <Host name="beepy.myinfogenic.net" debug="0" appBase="webapps"
          unpackWARs="true" autoDeploy="true"
          xmlValidation="false" xmlNamespaceAware="false">
      <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
             connectionURL="ldap://10.0.0.29:389"
             roleBase="O=Infogenic"
             userPattern="O=Infogenic"
             roleSearch="(uniqueMember={0})" />
      <Valve className="org.apache.catalina.authenticator.SingleSignOn" debug="1"/>
      <Logger className="org.apache.catalina.logger.FileLogger" directory="logs"
              prefix="deepa.myinfogenic_log." suffix=".txt" timestamp="true"/>
      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
             prefix="deepa_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
      <Context path="/test" docBase="test" debug="0" reloadable="true"/>
    </Host>

web.xml:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Portal</web-resource-name>
        <description>accessible by authenticated users of the tomcat role</description>
        <url-pattern>/servlet/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <description>These roles are allowed access</description>
        <role-name>user</role-name>
      </auth-constraint>
    </security-constraint>

    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>YourWebApp Protected Area</realm-name>
    </login-config>

Thanks.
Deepa
Re: Tomcat 5 and JNDIRealm
On Tue, Aug 10, 2004 at 03:52:16PM -0500, Deepa Ramamurthy wrote:
: My webapp is running on Tomcat 5.0.
: I've been trying to set it up to use the LDAP server for authentication
: without any luck.

Details, details:

- what do you experience when you try to login? What's in the logs, both for Tomcat and the LDAP server? (Increase log verbosity on both for the purposes of your test. You'd be surprised what gremlins are lurking ;)
- does your LDAP directory have the proper attributes for user roles and such?
- does the directory use a password hashing expected by JNDIRealm?
- have you tried running LDAP queries using the roleSearch criteria specified in the <Realm/> element?

Providing the server.xml and web.xml was a good start, but we'll need more info.

-QM

--
software  -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com
How to get Roles in a Principal with JNDIRealm
Hello All,

I'm using JNDIRealm to authenticate users and it's working well. In my Java code, I need to retrieve the roles associated with the authenticated user. Here is a sample of this code:

    import java.security.AccessControlContext;
    import java.security.Principal;
    import javax.security.auth.Subject;

    Subject s = Subject.getSubject((AccessControlContext) System.getSecurityManager().getSecurityContext());
    Principal p = (Principal) s.getPrincipals().toArray()[0];

The API only allows me to retrieve, on the Principal, the name of the user (with the getName accessor), not the associated roles. Nevertheless, when running the code in a debugger, the state of the Principal object seems to contain all the needed information (name, password, realm, roles).

Is there a (standard) way to retrieve this additional information? Or should I develop my own LDAP Realm (JAAS module) and extend the Principal interface to add the notion of roles?

Any help would be appreciated...

RP
RE: How to get Roles in a Principal with JNDIRealm
It may be easier to use JMX and retrieve the role out of the user information from the user bean.

Robert S. Harper
801.265.8800 ex. 255

-----Original Message-----
From: Renato Primavera [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 30, 2004 7:47 AM
To: [EMAIL PROTECTED]
Subject: How to get Roles in a Principal with JNDIRealm
4.0.29: does JNDIRealm (LDAP) perform authorization right after authentication??
Hello,

I have LDAP users that are members of one or more groups, and I also have users that aren't members of any group at all. Only users that have successfully authenticated themselves may use my web application. Some other users (e.g. those who are members of the admin group) may automatically use additional functionality of the application depending on their group membership (which is checked using the method isUserInRole at runtime).

It seems that the LDAP JNDIRealm of Tomcat automatically performs an authorisation for given groups after a successful user authentication... Is this generally the case, or do I have to change the config of my JNDIRealm in some way? This is the configuration as it appears in my server.xml:

    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
           connectionURL="ldap://ldap.mycompany.com:389"
           userBase="ou=People,dc=MyCompany,dc=COM"
           roleBase="ou=Groups,dc=MyCompany,dc=COM"
           roleSubtree="true"
           roleName="cn"
           userSearch="(uid={0})"
           roleSearch="(uniqueMember={0})" />

Thanks in advance for a hint.

Cheers,
chris
RE: JNDIRealm strangeness
Well, you have prompted me to respond once more!

Tomcat should not have to do anything to establish an encrypted SSL connection to your LDAP server except pass on the correct parameters to the chosen LDAP driver and instantiate it. It is the LDAP driver's job to handle all the nasty details of doing the SSL connection and talking LDAP. That said, some LDAP driver factories do offer extra parameters for configuring SSL beyond the SECURITY_PROTOCOL parameter. (Of course, Tomcat will be issuing the appropriate LDAP queries to do the Realm authentication, etc.)

I took a quick look at the Tomcat JNDI Realm configuration document, and it does specify that you can put in your own contextFactory, so if you have another LDAP driver other than Sun's reference driver then you could try that out to see if it fixes your problem. I don't know if OpenLDAP provides its own Java LDAP driver, but it's worth a look! Have a hunt around and see what you can find. Technically speaking, any driver that implements the LDAP RFCs should be able to talk to any LDAP server that implements the RFCs, but cruel reality often imposes itself :)

But yes, someone should get around to putting in a bug report about that ldaps matter :) If it has not already been done, that is.

Regards,
Shane.

-----Original Message-----
From: Chong Yu Meng [mailto:[EMAIL PROTECTED]]
Sent: Monday, 10 May 2004 11:53 AM
To: Tomcat Users List
Subject: Re: JNDIRealm strangeness
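A small audit of the Realm settings that recur in this thread and in the others on this page, written as an added example; it is not Tomcat code, and SERVER_XML is a constructed fragment rather than anyone's real deployment. It assumes the realm's protocol attribute (Tomcat's JNDIRealm maps it to Context.SECURITY_PROTOCOL, the parameter Shane mentions), and the finding codes are my own. It flags a plain ldap:// URL with no SSL protocol, the port-636-without-TLS mismatch behind the slapd "TLS accept error" lines quoted above, a bind password kept in server.xml (which the JMX thread shows is also readable through the Realm MBean), debug="99", and, from the Active Directory thread, a role search configured without a connectionName.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed server.xml fragment to audit; not a real deployment. The Realm mixes
# a plain ldap:// scheme with the LDAPS port and embeds the bind password.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
               connectionURL="ldap://ldap.example.test:636"
               connectionName="cn=tomcat-svc,ou=services,dc=example,dc=test"
               connectionPassword="not-a-real-password"
               userBase="ou=people,dc=example,dc=test"
               userSearch="(uid={0})"
               roleBase="ou=groups,dc=example,dc=test"
               roleSearch="(uniqueMember={0})" roleName="cn"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""

LDAPS_PORT = 636


def audit_realm(attrs):
    """Return finding codes (my own labels) for one JNDIRealm's attribute map."""
    findings = []
    url = urlsplit(attrs.get("connectionURL", ""))
    # `protocol` is assumed to be the realm attribute behind Context.SECURITY_PROTOCOL.
    uses_tls = url.scheme == "ldaps" or attrs.get("protocol", "").lower() == "ssl"
    if url.scheme == "ldap" and not uses_tls:
        # The bind DN + connectionPassword, every user's password and every DN
        # cross the wire in clear.
        findings.append("CLEARTEXT_LDAP")
    if url.scheme == "ldap" and url.port == LDAPS_PORT and not uses_tls:
        # The thread's symptom: a plaintext handshake against the TLS port fails on
        # the server side; nothing should then silently fall back to port 389.
        findings.append("TLS_PORT_WITHOUT_TLS")
    if "connectionPassword" in attrs:
        # Readable by anyone who can read server.xml or query the Realm MBean.
        findings.append("PASSWORD_IN_SERVER_XML")
    if attrs.get("debug", "0") not in ("", "0"):
        # debug="99" writes every bind DN and search filter to the Tomcat log.
        findings.append("VERBOSE_DEBUG")
    if attrs.get("roleBase") and not attrs.get("connectionName"):
        # Without a bind identity the role search runs anonymously; the AD thread
        # above shows that ending in "a successful bind must be completed".
        findings.append("ROLE_SEARCH_WITHOUT_BIND")
    return findings


def audit(xml_text):
    """Map each JNDIRealm's connectionURL to its findings."""
    root = ET.fromstring(xml_text)
    return {
        realm.get("connectionURL"): audit_realm(realm.attrib)
        for realm in root.iter("Realm")
        if realm.get("className", "").endswith(".JNDIRealm")
    }


if __name__ == "__main__":
    for url, found in audit(SERVER_XML).items():
        print(url, found)
```

Pointing `audit()` at a real server.xml is the whole usage; a clean result for the constructed realm would be an ldaps:// URL (or ldap:// with protocol="ssl"), a bind password supplied from outside the file, and debug left at 0.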
RE: JNDIRealm strangeness
Hi,

What happens on failed connections IS driver specific, but it should NOT BY DEFAULT switch to using a non-SSL connection, for the sake of security if nothing else. The connection should try to be established; if it fails then it should send back the appropriate naming exception. That said, drivers do accept configuration properties to modify their behaviour, so technically anything is possible, based on your driver's documentation.

I have never used OpenLDAP, so its error logs don't really mean all that much to me, but having done similar things in the past you should look up your error codes in the OpenLDAP documentation (but it's probably the OpenSSL doco) as to what the error codes really mean, to work out what the problem is. I'm referring specifically to this line (as it does match up to the "Request: 1 cancelled" message that the LDAP client driver reports):

    May 7 20:03:56 localhost slapd[6346]: connection_read(11): TLS accept error error=-1 id=0, closing

That's all I have! Good luck.

Regards,
Shane.

P.S. The anal retentive part of me still wants you to specify the ldap connection as ldaps://server:636 but that is completely besides the point! :)

-----Original Message-----
From: Chong Yu Meng [mailto:[EMAIL PROTECTED]]
Sent: Friday, 7 May 2004 8:17 PM
To: Tomcat Users List
Subject: Re: JNDIRealm strangeness

> Hi Shane!
>
> Thanks for the description and advice! I managed to finally turn on OpenLDAP logging (a pain in Fedora Core 1), and set the loglevel to 256. Here's what I get.
>
> When the Tomcat server starts up, the connection errors seem to be related to port 636:
>
>     May 7 19:51:50 localhost slapd[6049]: conn=4 fd=11 ACCEPT from IP=127.0.0.1:32892 (IP=0.0.0.0:636)
>     May 7 19:51:50 localhost slapd[6049]: conn=4 fd=11 closed
>     May 7 19:51:50 localhost slapd[6049]: conn=5 fd=11 ACCEPT from IP=127.0.0.1:32894 (IP=0.0.0.0:389)
>     May 7 19:51:50 localhost slapd[6049]: conn=5 op=0 BIND dn= method=128
>     May 7 19:51:50 localhost slapd[6049]: conn=5 op=0 RESULT tag=97 err=0 text=
>     May 7 19:52:02 localhost slapd[6049]: conn=6 fd=12 ACCEPT from IP=127.0.0.1:32895 (IP=0.0.0.0:636)
>     May 7 19:52:02 localhost slapd[6049]: conn=6 fd=12 closed
>     May 7 19:52:02 localhost slapd[6049]: conn=7 fd=12 ACCEPT from IP=127.0.0.1:32897 (IP=0.0.0.0:389)
>     May 7 19:52:02 localhost slapd[6049]: conn=7 op=0 BIND dn= method=128
>     May 7 19:52:02 localhost slapd[6049]: conn=7 op=0 RESULT tag=97 err=0 text=
>
> Bumping up the loglevel to 4095, I get these details for the errors on port 636:
>
>     May 7 20:03:56 localhost slapd[6346]: connection_read(11): TLS accept error error=-1 id=0, closing
>     May 7 20:03:56 localhost slapd[6346]: connection_closing: readying conn=0 sd=11 for close
>     May 7 20:03:56 localhost slapd[6346]: connection_close: conn=0 sd=11
>
> This seems to indicate that there is something wrong with my SSL/TLS connection. But my JNDIRealm still works! Users can still authenticate successfully. Does the connection fall back to port 389 if a connection on 636 is not possible?
>
> Thanks for the help, Shane! If you have any further suggestions, I would really appreciate it!
>
> Regards,
> pascal chong
>
> Shane Linley wrote:
>
> > Hi,
> >
> > Knowledge on configuring JNDIRealm security: zip! Knowledge on the JNDI LDAP interface: guru!
> >
> > The root cause, javax.naming.CommunicationException, refers to there being an underlying network problem with communicating between the LDAP client and the LDAP server. The message received from the LDAP driver, "Request: 1 cancelled", is the reason as to why this error occurred. As can be seen, it's not very helpful. (I've been spoilt on receiving error codes from servers and detailed messages and such.)
> >
> > You appear to be using the Sun JNDI LDAP reference implementation, which I found to not always offer the best error messages. I can't remember if it has any extra logging capabilities (from memory it doesn't) to try and wring more information out of the driver; however, the key to solving the problem may lie elsewhere.
> >
> > I would recommend turning on the detailed debugging in your LDAP server to determine what error it is trying to communicate back to the LDAP driver (and if the server is successfully contacted in this first instance), by of course inspecting its logs. This approach I have had to use a number of times on less than helpful LDAP drivers that don't seem to think good error messages are needed.
> >
> > You are trying to use a secure SSL connection to the LDAP server, but it does not appear to be SSL related, as you normally get a specific SSL error back when it is SSL related, usually ugly and unhelpful.
> >
> > Regards,
> > Shane.
Re: JNDIRealm strangeness
Hi Shane!

Thanks for your help! After experimenting over the weekend, I think that this is probably a bug in the Tomcat code. I checked and corrected some problems in my OpenLDAP setup, and verified that SSL/TLS connections can be made successfully to it using ldapsearch. When I tried starting up Tomcat again, it gave me the same error. I think Tomcat may not be able to establish an encrypted connection to OpenLDAP. Unencrypted connections on port 389 seem to be OK.

Incidentally, I'm also anal retentive (that, I am told, is a national characteristic of my country), and I tried ldaps://, but Tomcat will throw a parse error and will not accept the JNDI Realm parameters. They may have fixed it in the just-released 5.0.24, though.

Thanks for your help, again! I'm not on any specific timetable, so I don't need to fix this soon. I'll direct my question to the Tomcat developers and see if they are aware of the issue.

Regards,
pascal chong

Shane Linley wrote:

> Hi,
>
> What happens on failed connections IS driver specific, but it should NOT BY DEFAULT switch to using a non-SSL connection, for the sake of security if nothing else. The connection should be attempted; if it fails, then it should send back the appropriate naming exception. That said, drivers do accept configuration properties to modify their behaviour, so technically anything is possible, based on your driver's documentation.
>
> I have never used OpenLDAP so its error logs don't really mean all that much to me, but having done similar things in the past you should look up your error codes in the OpenLDAP documentation (but it's probably the OpenSSL doco) as to what the error codes really mean to work out what the problem is. I'm referring specifically to this line (as it does match up to the "Request: 1 cancelled" message that the LDAP client driver reports):
>
>     May 7 20:03:56 localhost slapd[6346]: connection_read(11): TLS accept error error=-1 id=0, closing
>
> That's all I have! Good luck.
>
> Regards,
> Shane.
>
> P.S. The anal retentive part of me still wants you to specify the ldap connection as ldaps://server:636 but that is completely beside the point! :)
JNDIRealm strangeness
Hi All!

I wonder if anyone has seen this anomaly when following my instructions on setting up a JNDIRealm, on my website (http://cymulacrum.net/writings/adv_tomcat/c487.html). I wrote these instructions after version 5.0.19 of Tomcat came out and fixed the character encoding issue in the JNDIRealm. In my document I described how to:

1. Set up OpenLDAP so it runs with SSL/TLS enabled
2. Set up Tomcat's JNDIRealm so that it communicates with ldap://localhost:636, the secure port, instead of 389.

I never noticed anything strange, because my JNDIRealm setup seemed to work fine, but when I tried to put SecurityFilter on, I found an error. Thinking that it was probably SecurityFilter, I looked at the logfiles, and I was surprised to find that, even before I had installed SecurityFilter, that same error was being logged inside catalina.out. I just never bothered to look before because everything seemed to be running fine. Here's what the error looks like. It only occurs on startup; all LDAP operations work fine with no errors:

    JNDIRealm[Catalina]: Connecting to URL ldap://localhost:636
    JNDIRealm[Catalina]: Exception performing authentication
    javax.naming.CommunicationException: Request: 1 cancelled
        at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:76)
        at com.sun.jndi.ldap.Connection.readReply(Connection.java:433)
        at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:356)
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:187)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2615)
        at com.sun.jndi.ldap.LdapCtx.init(LdapCtx.java:293)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:190)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:208)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:674)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:256)
        at javax.naming.InitialContext.init(InitialContext.java:232)
        at javax.naming.InitialContext.init(InitialContext.java:208)
    rest of errors snipped

I'm not really sure where to begin, or even if it is significant (since LDAP authentication still works). If you want to repeat this error for yourself, you can follow the instructions on my web page. Any help would be greatly appreciated!

Regards,
pascal chong
RE: JNDIRealm strangeness
Hi,

Knowledge on configuring JNDIRealms security: zip! Knowledge on the JNDI LDAP interface: guru!

The root cause, javax.naming.CommunicationException, refers to there being an underlying network problem with communicating between the LDAP client and the LDAP server. The message received from the LDAP driver, "Request: 1 cancelled", is the reason as to why this error occurred. As can be seen, it's not very helpful. (I've been spoilt on receiving error codes from servers and detailed messages and such.)

You appear to be using the Sun JNDI LDAP reference implementation, which I found to not always offer the best error messages. I can't remember if it has any extra logging capabilities (from memory it doesn't) to try and wring more information out of the driver; however, the key to solving the problem may lie elsewhere. I would recommend turning on the detailed debugging in your LDAP server to determine what error it is trying to communicate back to the LDAP driver (and if the server is successfully contacted in this first instance), by of course inspecting its logs. This approach I have had to use a number of times on less than helpful LDAP drivers that don't seem to think good error messages are needed.

You are trying to use a secure SSL connection to the LDAP server, but it does not appear to be SSL related, as you normally get a specific SSL error back when it is SSL related, usually ugly and unhelpful.

Regards,
Shane.

-----Original Message-----
From: Chong Yu Meng [mailto:[EMAIL PROTECTED]]
Sent: Friday, 7 May 2004 4:32 PM
To: Tomcat Users List
Subject: JNDIRealm strangeness

> Hi All!
>
> I wonder if anyone has seen this anomaly when following my instructions on setting up a JNDIRealm, on my website (http://cymulacrum.net/writings/adv_tomcat/c487.html). I wrote these instructions after version 5.0.19 of Tomcat came out and fixed the character encoding issue in the JNDIRealm. In my document I described how to:
>
> 1. Set up OpenLDAP so it runs with SSL/TLS enabled
> 2. Set up Tomcat's JNDIRealm so that it communicates with ldap://localhost:636, the secure port, instead of 389.
>
> I never noticed anything strange, because my JNDIRealm setup seemed to work fine, but when I tried to put SecurityFilter on, I found an error. Thinking that it was probably SecurityFilter, I looked at the logfiles, and I was surprised to find that, even before I had installed SecurityFilter, that same error was being logged inside catalina.out. I just never bothered to look before because everything seemed to be running fine. Here's what the error looks like. It only occurs on startup; all LDAP operations work fine with no errors:
>
>     JNDIRealm[Catalina]: Connecting to URL ldap://localhost:636
>     JNDIRealm[Catalina]: Exception performing authentication
>     javax.naming.CommunicationException: Request: 1 cancelled
>         at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:76)
>         at com.sun.jndi.ldap.Connection.readReply(Connection.java:433)
>         at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:356)
>         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:187)
>         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2615)
>         at com.sun.jndi.ldap.LdapCtx.init(LdapCtx.java:293)
>         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:190)
>         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:208)
>         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
>         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
>         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:674)
>         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:256)
>         at javax.naming.InitialContext.init(InitialContext.java:232)
>         at javax.naming.InitialContext.init(InitialContext.java:208)
>     rest of errors snipped
>
> I'm not really sure where to begin, or even if it is significant (since LDAP authentication still works). If you want to repeat this error for yourself, you can follow the instructions on my web page. Any help would be greatly appreciated!
>
> Regards,
> pascal chong
Re: JNDIRealm strangeness
Hi Shane!

Thanks for the description and advice! I managed to finally turn on OpenLDAP logging (a pain in Fedora Core 1), and set the loglevel to 256. Here's what I get. When the Tomcat server starts up, the connection errors seem to be related to port 636:

    May 7 19:51:50 localhost slapd[6049]: conn=4 fd=11 ACCEPT from IP=127.0.0.1:32892 (IP=0.0.0.0:636)
    May 7 19:51:50 localhost slapd[6049]: conn=4 fd=11 closed
    May 7 19:51:50 localhost slapd[6049]: conn=5 fd=11 ACCEPT from IP=127.0.0.1:32894 (IP=0.0.0.0:389)
    May 7 19:51:50 localhost slapd[6049]: conn=5 op=0 BIND dn="" method=128
    May 7 19:51:50 localhost slapd[6049]: conn=5 op=0 RESULT tag=97 err=0 text=
    May 7 19:52:02 localhost slapd[6049]: conn=6 fd=12 ACCEPT from IP=127.0.0.1:32895 (IP=0.0.0.0:636)
    May 7 19:52:02 localhost slapd[6049]: conn=6 fd=12 closed
    May 7 19:52:02 localhost slapd[6049]: conn=7 fd=12 ACCEPT from IP=127.0.0.1:32897 (IP=0.0.0.0:389)
    May 7 19:52:02 localhost slapd[6049]: conn=7 op=0 BIND dn="" method=128
    May 7 19:52:02 localhost slapd[6049]: conn=7 op=0 RESULT tag=97 err=0 text=

Bumping up loglevel to 4095, I get these details for the errors on port 636:

    May 7 20:03:56 localhost slapd[6346]: connection_read(11): TLS accept error error=-1 id=0, closing
    May 7 20:03:56 localhost slapd[6346]: connection_closing: readying conn=0 sd=11 for close
    May 7 20:03:56 localhost slapd[6346]: connection_close: conn=0 sd=11

This seems to indicate that there is something wrong with my SSL/TLS connection. But my JNDIRealm still works! Users can still authenticate successfully. Does the connection fall back to port 389 if a connection on 636 is not possible?

Thanks for the help, Shane! If you have any further suggestions, I would really appreciate it!

Regards,
pascal chong

Shane Linley wrote:

> Hi,
>
> Knowledge on configuring JNDIRealms security: zip! Knowledge on the JNDI LDAP interface: guru!
>
> The root cause, javax.naming.CommunicationException, refers to there being an underlying network problem with communicating between the LDAP client and the LDAP server. The message received from the LDAP driver, "Request: 1 cancelled", is the reason as to why this error occurred. As can be seen, it's not very helpful. (I've been spoilt on receiving error codes from servers and detailed messages and such.)
>
> You appear to be using the Sun JNDI LDAP reference implementation, which I found to not always offer the best error messages. I can't remember if it has any extra logging capabilities (from memory it doesn't) to try and wring more information out of the driver; however, the key to solving the problem may lie elsewhere. I would recommend turning on the detailed debugging in your LDAP server to determine what error it is trying to communicate back to the LDAP driver (and if the server is successfully contacted in this first instance), by of course inspecting its logs. This approach I have had to use a number of times on less than helpful LDAP drivers that don't seem to think good error messages are needed.
>
> You are trying to use a secure SSL connection to the LDAP server, but it does not appear to be SSL related, as you normally get a specific SSL error back when it is SSL related, usually ugly and unhelpful.
>
> Regards,
> Shane.
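The slapd lines above show the 636 listener closing the connection at the TLS accept stage, which is what happens when a client sends plaintext LDAP to an ldaps port; the probe below, an added example rather than code from the thread or from Tomcat, opens a JNDI context with the same settings a JNDIRealm derives from connectionURL, connectionName, connectionPassword and protocol, once per candidate URL, so the realm's transport can be checked outside Tomcat. Host name, ports and the bind DN are assumptions; it needs only the JDK.

```java
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Added example, not Tomcat code: builds the JNDI environment a JNDIRealm
 * builds from its connectionURL / connectionName / connectionPassword /
 * protocol attributes and reports how the connection attempt ends.
 * Host, ports and bind DN used in main() are assumptions.
 */
public class LdapRealmProbe {

    /** Coarse classification of one connection attempt. */
    public enum Outcome { OK, TRANSPORT_FAILED, DIRECTORY_REFUSED }

    /** Outcome plus the innermost exception, for reading the real reason. */
    public static final class Result {
        public final Outcome outcome;
        public final String rootCause;   // "Class: message", or null on OK

        Result(Outcome outcome, Throwable t) {
            this.outcome = outcome;
            Throwable root = t;
            while (root != null && root.getCause() != null) {
                root = root.getCause();
            }
            this.rootCause = (root == null) ? null
                    : root.getClass().getName() + ": " + root.getMessage();
        }

        public String toString() {
            return outcome + (rootCause == null ? "" : " (" + rootCause + ")");
        }
    }

    /**
     * @param url      value that would go in connectionURL
     * @param ssl      true to set java.naming.security.protocol=ssl, which is
     *                 what the realm's protocol="ssl" attribute does
     * @param bindDn   connectionName, or null for an anonymous bind
     * @param password connectionPassword (ignored when bindDn is null)
     */
    public static Result probe(String url, boolean ssl, String bindDn, String password) {
        Hashtable<String, String> env = new Hashtable<String, String>();
        // JNDIRealm's default contextFactory: the Sun/Oracle LDAP provider.
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        if (ssl) {
            env.put(Context.SECURITY_PROTOCOL, "ssl");
        }
        if (bindDn != null) {
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, bindDn);
            env.put(Context.SECURITY_CREDENTIALS, password);
        }
        DirContext ctx = null;
        try {
            // The bind happens inside the constructor; this is the call the
            // realm wraps when it logs "Exception performing authentication".
            ctx = new InitialDirContext(env);
            return new Result(Outcome.OK, null);
        } catch (CommunicationException e) {
            // Socket or handshake trouble. An ldap:// URL pointed at an ldaps
            // listener without ssl lands here: the server expects a TLS
            // ClientHello, receives a BER-encoded BindRequest, and drops the
            // socket (slapd logs that as "TLS accept error").
            return new Result(Outcome.TRANSPORT_FAILED, e);
        } catch (NamingException e) {
            // The directory was reached but refused (bad DN, bad password,
            // anonymous bind not allowed, ...).
            return new Result(Outcome.DIRECTORY_REFUSED, e);
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        String host = args.length > 0 ? args[0] : "localhost";      // assumed
        String bindDn = args.length > 1 ? args[1] : null;           // assumed
        String password = args.length > 2 ? args[2] : null;

        // The three cases that matter in the thread: the realm's ldap://host:636
        // without protocol="ssl", the same port with SSL enabled, and plain 389.
        String[] urls = { "ldap://" + host + ":636", "ldap://" + host + ":636",
                          "ldap://" + host + ":389" };
        boolean[] ssl = { false, true, false };
        for (int i = 0; i < urls.length; i++) {
            System.out.println(urls[i] + (ssl[i] ? " + protocol=ssl" : " (plaintext)")
                    + " -> " + probe(urls[i], ssl[i], bindDn, password));
        }
    }
}
```

A certificate the JVM does not trust also ends up as TRANSPORT_FAILED, so read the root cause before blaming the server. JNDIRealm only tries a second server when its alternateURL attribute is set; otherwise a connection failure is logged as the exception shown above rather than silently retried on another port.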
JNDIRealm in Tomcat 5
Hello All,

I searched the archive but have not seen a situation like mine. I am in the process of upgrading to Tomcat 5.0.16 from 4.1.29. I'm happy to say that my webapp seems to be running fine under Tomcat 5, with one important exception: my configured JNDIRealm seems to be failing. The main problem is that I cannot seem to get the logger to report the realm's errors to me. I have the realm within the engine, and both engine and realm are set to debug=99. Is there something else I need to do?

Thanks.
Vincent
Tomcat 5.0.18, JNDIRealm and disabling RFC2254 encoding
Is there a flag you can use in the Realm declaration portion of server.xml that turns off the RFC 2254 encoding in the JNDIRealm? Upgrading my LDAP server is low on my list of things I'd like to do soon. I use this currently:

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           debug="99"
           connectionURL="ldap://ldap0.our.domain.name"
           roleName="cn"
           roleBase="ou=Group,dc=our,dc=domain,dc=name"
           roleSearch="(uniqueMember={0})"
           userBase="dc=our,dc=domain,dc=name"
           userSubtree="true"
           userSearch="uid={0}" />

I didn't see anything in the source to suggest RFC2254=false, but here's hoping.

Thanks,
Frank
JNDIRealm question
Hi All,

I have a configuration that is not covered in the JNDIRealm HOWTO, and was wondering if someone else has tried this before: I am using OpenLDAP 2.1.22 on Red Hat 9. For the DN, I am using the CN instead of the UID (i.e., dn: cn=Zhu De,ou=People,o=Cymulacrum instead of uid=zhude,ou=People,o=Cymulacrum), and the roles recognized by Tomcat are in the Groups OU.

My question: how do I set up a Tomcat JNDI Realm such that it looks up roles based on the UID instead of the DN? In the JNDIRealm HOWTO, the instructions assume that the DN is using the UID instead of the CN. For the userSearch, I would substitute (uid={0}), since I need to do a search and comparison with an attribute. But to retrieve the role... I'm not so sure about how to do this. I'm thinking that the stanza below would not work (no, I haven't tried it yet). Does anyone know how it should look?

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           debug="99"
           connectionURL="ldap://localhost:389"
           userBase="ou=people,o=Cymulacrum"
           userSearch="(uid={0})"
           userRoleName="memberOf"
           roleBase="ou=groups,o=Cymulacrum"
           roleName="cn"
           roleSearch="(uniqueMember={0})" />

Using the CN instead of the UID for the DN is actually (in my experience anyway) quite common -- Lotus Domino/Notes uses the CN for logging in, and Novell eDirectory too (though I suppose both can be configured to use the UID instead).

Thanks in advance,
pascal chong
Problem with JNDIRealm
I have successfully installed mod_auth_ldap with Apache. Here's the configuration:

    LDAP_Protocol_Version 2
    LDAP_Server server
    LDAP_Port port
    Base_DN ou=People,o=company,c=DE
    UID_Attr_Alt uid
    require valid-user
    Bind_DN cn=appadmin,o=company,c=DE
    Bind_Pass password

I want to use this in Tomcat. I tested a lot of configurations. Here's one of them:

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           debug="99"
           connectionURL="ldap://server:port"
           userPattern="uid={0},ou=People,o=company,c=DE"
           roleBase="ou=People,o=company,c=DE"
           roleName="uid"
           roleSearch="(uid={0})"
           roleSubtree="true"
           connectionName="cn=appadmin,o=company,c=DE"
           connectionPassword="password" />

When testing it with a working user/pass combination I get:

    2003-11-26 21:17:29 JNDIRealm[Standalone]: lookupUser(jheid)
    2003-11-26 21:17:29 JNDIRealm[Standalone]: dn=uid=jheid,ou=People,o=Company,c=DE
    2003-11-26 21:17:29 JNDIRealm[Standalone]: validating credentials by binding as the user
    2003-11-26 21:17:29 JNDIRealm[Standalone]: binding as uid=jheid,ou=People,o=Company,c=DE
    2003-11-26 21:17:29 JNDIRealm[Standalone]: Exception performing authentication
    javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name ''
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3013)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
        at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1294)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:213)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:121)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:109)
        at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:121)
        at org.apache.catalina.realm.JNDIRealm.bindAsUser(JNDIRealm.java:127

But when I'm using a wrong user/pass combination, I get:

    2003-11-26 21:27:59 JNDIRealm[Standalone]: bind attempt failed
    2003-11-26 21:27:59 JNDIRealm[Standalone]: Username jheid NOT successfully authenticated

Can anybody help me please?

JOERN
Re: Problem with JNDIRealm
It looks like one of your attributes is missing (i.e. null). Do you have a role associated with the username?

I'm also having problems with JNDIRealm -- I can't get it working! Going to check if it is because I'm missing some libraries.

Regards,
pascal chong

Jörn Heid wrote:

> I have successfully installed mod_auth_ldap with Apache. Here's the configuration:
>
>     LDAP_Protocol_Version 2
>     LDAP_Server server
>     LDAP_Port port
>     Base_DN ou=People,o=company,c=DE
>     UID_Attr_Alt uid
>     require valid-user
>     Bind_DN cn=appadmin,o=company,c=DE
>     Bind_Pass password
>
> I want to use this in Tomcat. I tested a lot of configurations. Here's one of them:
>
>     <Realm className="org.apache.catalina.realm.JNDIRealm"
>            debug="99"
>            connectionURL="ldap://server:port"
>            userPattern="uid={0},ou=People,o=company,c=DE"
>            roleBase="ou=People,o=company,c=DE"
>            roleName="uid"
>            roleSearch="(uid={0})"
>            roleSubtree="true"
>            connectionName="cn=appadmin,o=company,c=DE"
>            connectionPassword="password" />
>
> When testing it with a working user/pass combination I get:
>
>     2003-11-26 21:17:29 JNDIRealm[Standalone]: lookupUser(jheid)
>     2003-11-26 21:17:29 JNDIRealm[Standalone]: dn=uid=jheid,ou=People,o=Company,c=DE
>     2003-11-26 21:17:29 JNDIRealm[Standalone]: validating credentials by binding as the user
>     2003-11-26 21:17:29 JNDIRealm[Standalone]: binding as uid=jheid,ou=People,o=Company,c=DE
>     2003-11-26 21:17:29 JNDIRealm[Standalone]: Exception performing authentication
>     javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name ''
>         at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3013)
>         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
>         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
>         at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1294)
>         at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:213)
>         at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:121)
>         at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:109)
>         at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:121)
>         at org.apache.catalina.realm.JNDIRealm.bindAsUser(JNDIRealm.java:127
>
> But when I'm using a wrong user/pass combination, I get:
>
>     2003-11-26 21:27:59 JNDIRealm[Standalone]: bind attempt failed
>     2003-11-26 21:27:59 JNDIRealm[Standalone]: Username jheid NOT successfully authenticated
>
> Can anybody help me please?
>
> JOERN
RE: Extending JNDIRealm
Ok, why? What am I doing that should cause a stack overflow?

Justin

-----Original Message-----
From: Tim Funk [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 24, 2003 7:26 PM
To: Tomcat Users List
Subject: Re: Extending JNDIRealm

> Odd, based on what I see so far, I would expect it to crash with a StackOverFlow exception.
>
> -Tim
>
> Hart, Justin wrote:
>
>> Whoops, the code is actually as follows...
>>
>> Not sure what's going on with this code... I'm attempting to extend JNDIRealm so I can add a few features I need for my site. I have an interesting issue, however. If I try this:
>>
>>     public Principal authenticate(DirContext context, String username,
>>                                   String credentials) throws NamingException {
>>         Principal authPrincipal = null;
>>         System.out.println(username);
>>         authPrincipal = super.authenticate(username, credentials);
>>         return authPrincipal;
>>     }
>>
>> username gets printed, and the system works properly. However, if I try something akin to this:
>>
>>     public Principal authenticate(DirContext context, String username,
>>                                   String credentials) throws NamingException {
>>         Principal authPrincipal = null;
>>         System.out.println(username.length());
>>         authPrincipal = super.authenticate(username, credentials);
>>         return authPrincipal;
>>     }
>>
>> It crashes with a null pointer exception.
Re: Extending JNDIRealm
Based on what I saw so far... In JNDIRealm, authenticate(String, String) gets a DirContext and calls authenticate(DirContext, String, String). Your code snippet, which I assume overrides authenticate(DirContext, String, String), calls super.authenticate(String, String). Then... super.authenticate(String, String) calls authenticate(DirContext, String, String), which you had overridden, which is indirect recursion.

-Tim

Hart, Justin wrote:

> Ok, why? What am I doing that should cause a stack overflow?
>
> Justin
RE: Extending JNDIRealm
I *cough* didn't download the JNDIRealm code. I'll go look into that.

Justin

-----Original Message-----
From: Tim Funk [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 25, 2003 9:28 AM
To: Tomcat Users List
Subject: Re: Extending JNDIRealm

> Based on what I saw so far... In JNDIRealm, authenticate(String, String) gets a DirContext and calls authenticate(DirContext, String, String). Your code snippet, which I assume overrides authenticate(DirContext, String, String), calls super.authenticate(String, String). Then... super.authenticate(String, String) calls authenticate(DirContext, String, String), which you had overridden, which is indirect recursion.
>
> -Tim
RE: Extending JNDIRealm
Wait, reading the stack trace doesn't show anything like that. No, that can't be the issue.

Justin

-----Original Message-----
From: Hart, Justin
Sent: Tuesday, November 25, 2003 9:30 AM
To: Tomcat Users List
Subject: RE: Extending JNDIRealm

> I *cough* didn't download the JNDIRealm code. I'll go look into that.
>
> Justin
RE: Extending JNDIRealm
Read through the code, ran some example stuff. What I'm doing in my implementation is fine.

Justin

-----Original Message-----
From: Hart, Justin
Sent: Tuesday, November 25, 2003 9:31 AM
To: Tomcat Users List
Subject: RE: Extending JNDIRealm

> Wait, reading the stack trace doesn't show anything like that. No, that can't be the issue.
>
> Justin
RE: Extending JNDIRealm
Ok, for those interested, here's the real issue. At some point in time (I don't know enough about Tomcat to know when or why), before Tomcat has your username (at least with my config files, but it looks common since JNDIRealm is checking for it too), authenticate is called with a null username. Since the username is null, taking its length causes a null pointer exception. I added a check, and now it works fine.

Justin

-----Original Message-----
From: Hart, Justin
Sent: Tuesday, November 25, 2003 10:19 AM
To: Tomcat Users List
Subject: RE: Extending JNDIRealm

> Read through the code, ran some example stuff. What I'm doing in my implementation is fine.
>
> Justin
Extending JNDIRealm
Not sure what's going on with this code... I'm attempting to extend JNDIRealm so I can add a few features I need for my site. I have an interesting issue, however. If I try this:

public Principal authenticate(DirContext context, String username, String credentials) throws NamingException {
    Principal authPrincipal = null;
    System.out.println(username);
    super.authenticate(username, credentials);
}

username gets printed, and the system works properly. However, if I try something akin to this

public Principal authenticate(DirContext context, String username, String credentials) throws NamingException {
    Principal authPrincipal = null;
    System.out.println(username.length());
    super.authenticate(username, credentials);
}

It crashes with a null pointer exception. Eh?
Justin
RE: Extending JNDIRealm
Whoops, the code is actually as follows...

Not sure what's going on with this code... I'm attempting to extend JNDIRealm so I can add a few features I need for my site. I have an interesting issue, however. If I try this:

public Principal authenticate(DirContext context, String username, String credentials) throws NamingException {
    Principal authPrincipal = null;
    System.out.println(username);
    authPrincipal = super.authenticate(username, credentials);
    return authPrincipal;
}

username gets printed, and the system works properly. However, if I try something akin to this

public Principal authenticate(DirContext context, String username, String credentials) throws NamingException {
    Principal authPrincipal = null;
    System.out.println(username.length());
    authPrincipal = super.authenticate(username, credentials);
    return authPrincipal;
}

It crashes with a null pointer exception. Eh?
Justin
Re: Extending JNDIRealm
Odd, based on what I see so far, I would expect it to crash with a StackOverflow exception.
-Tim

Hart, Justin wrote:
Whoops, the code is actually as follows...

Not sure what's going on with this code... I'm attempting to extend JNDIRealm so I can add a few features I need for my site. I have an interesting issue, however. If I try this:

public Principal authenticate(DirContext context, String username, String credentials) throws NamingException {
    Principal authPrincipal = null;
    System.out.println(username);
    authPrincipal = super.authenticate(username, credentials);
    return authPrincipal;
}

username gets printed, and the system works properly. However, if I try something akin to this

public Principal authenticate(DirContext context, String username, String credentials) throws NamingException {
    Principal authPrincipal = null;
    System.out.println(username.length());
    authPrincipal = super.authenticate(username, credentials);
    return authPrincipal;
}

It crashes with a null pointer exception.
RE: JNDIRealm...more
getRemoteUser(), if you're familiar with JSPs then you'll know how to use it. Unfortunately I don't, but I guess that is why we have web application developers on staff. :-)
Dean Searle
Computing Oasis
989.245.7369 (p)
989.921.3904 (f)

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 05, 2003 5:00 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Thanks for the pointer, I'll see about pointing to one of our 2 mail servers. I wonder if they talk back and forth. Also, do you know how I can extract the signed-on user's user-id once they've authenticated?
robyne

-Original Message-
From: Dean Searle [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 05, 2003 2:06 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Great to hear that information worked for you. I included the alternateURL in the event our primary AD went down for one reason or another and our users could still access the password protected sites. Without an alternate AD active or specified you will not have access to your web applications.

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Wed 11/5/2003 13:46
To: Tomcat Users List
Cc:
Subject: RE: JNDIRealm...more

Dean! Mine works! A thousand thanks! I hope I can return the favor some time. Your nice explanation helped. I did not need the alternateURL in mine. I found out that we have 2 mail servers, well the server.xml only allows for 1 alternate. I decided to try it without any and it worked.
Much appreciation,
Robyne Vaughn

-Original Message-
From: Dean Searle [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 9:48 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Hello, I hope that I am not too late to post here. I have just returned to the land of the living and have started to catch up on my reading. I noticed that Robyne you were trying to find the collective all for your users. I have just recently figured this out after working on it for two days.

Here is my working server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://your.AD.com"
       alternateURL="ldap://other.AD.com"
       connectionName="cn=USER DISPLAY NAME,ou=FIRST SUB-GROUP,dc=AD,dc=com"
       connectionPassword="XX"
       referrals="follow"
       userBase="dc=AD,dc=com"
       userSearch="(&amp;(sAMAccountName={0})(objectClass=user))"
       userSubtree="true"
       roleBase="dc=AD,dc=com"
       roleSearch="(uniqueMember={0})"
       roleName="cn" />

KEY:
cn = common name
ou = organizational unit
dc = domain controller
your.AD.com -> www.yahoo.com
other.AD.com -> mail.yahoo.com
USER DISPLAY NAME: This is the full name that shows up in your AD, ie user might be johnd but full name is John Doe. For the connection name and password, it must be a user that has authority to access AD. This part is necessary to connect.
FIRST SUB-GROUP: This depends on how your organization is built in AD. You might have departments like: Accounting, Human Resources, Information Technologies. In an AD structure it might look something like this:

COM
|
|_Yahoo
  |
  |_Accounting
  |  |_John Doe
  |
  |_Information Technologies
  |  |_Jack Daniels
  |
  |_Human Resources
     |_Mary Jane

sAMAccountName is the account name you most commonly log in to your computers with.
objectClass=user: this should be user, as defined in AD unless your sys admin or someone has tampered with the AD.
referrals=follow: this is necessary to traverse the full AD without knowing the user's base location.

I hope that this clears up some issues for you. Please let me know if I can help you more.
Dean E. Searle
Computing Oasis
989.245.7369 (P)
989.921.3904 (F)

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 1:25 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Thanks.

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 12:10 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Good luck.

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 1:07 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Thanks, Justin, You've given me some good pointers. I guess I'll do some more hammering and snooping. Our AD is on a server and the administrators gave me an administrator type password to try hitting it with, but they don't want me snooping around too much. I don't actually have direct access to it. Like I said, I have hit it with some JNDI, but that is new to me also, and I still couldn't discover the tree structure adequately. Anyway, I guess I'll try
RE: JNDIRealm...more
getRemoteUser() will give you the username of the user logged in. This is going to be the name that they typed in when they got authenticated, not their DN.
Justin

-Original Message-
From: Dean Searle [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 06, 2003 6:58 AM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

getRemoteUser(), if you're familiar with JSPs then you'll know how to use it. Unfortunately I don't, but I guess that is why we have web application developers on staff. :-)
Dean Searle
Computing Oasis
989.245.7369 (p)
989.921.3904 (f)

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 05, 2003 5:00 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Thanks for the pointer, I'll see about pointing to one of our 2 mail servers. I wonder if they talk back and forth. Also, do you know how I can extract the signed-on user's user-id once they've authenticated?
robyne

-Original Message-
From: Dean Searle [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 05, 2003 2:06 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Great to hear that information worked for you. I included the alternateURL in the event our primary AD went down for one reason or another and our users could still access the password protected sites. Without an alternate AD active or specified you will not have access to your web applications.

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Wed 11/5/2003 13:46
To: Tomcat Users List
Cc:
Subject: RE: JNDIRealm...more

Dean! Mine works! A thousand thanks! I hope I can return the favor some time. Your nice explanation helped. I did not need the alternateURL in mine. I found out that we have 2 mail servers, well the server.xml only allows for 1 alternate. I decided to try it without any and it worked.
Much appreciation,
Robyne Vaughn

-Original Message-
From: Dean Searle [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 9:48 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Hello, I hope that I am not too late to post here. I have just returned to the land of the living and have started to catch up on my reading. I noticed that Robyne you were trying to find the collective all for your users. I have just recently figured this out after working on it for two days.

Here is my working server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://your.AD.com"
       alternateURL="ldap://other.AD.com"
       connectionName="cn=USER DISPLAY NAME,ou=FIRST SUB-GROUP,dc=AD,dc=com"
       connectionPassword="XX"
       referrals="follow"
       userBase="dc=AD,dc=com"
       userSearch="(&amp;(sAMAccountName={0})(objectClass=user))"
       userSubtree="true"
       roleBase="dc=AD,dc=com"
       roleSearch="(uniqueMember={0})"
       roleName="cn" />

KEY:
cn = common name
ou = organizational unit
dc = domain controller
your.AD.com -> www.yahoo.com
other.AD.com -> mail.yahoo.com
USER DISPLAY NAME: This is the full name that shows up in your AD, ie user might be johnd but full name is John Doe. For the connection name and password, it must be a user that has authority to access AD. This part is necessary to connect.
FIRST SUB-GROUP: This depends on how your organization is built in AD. You might have departments like: Accounting, Human Resources, Information Technologies. In an AD structure it might look something like this:

COM
|
|_Yahoo
  |
  |_Accounting
  |  |_John Doe
  |
  |_Information Technologies
  |  |_Jack Daniels
  |
  |_Human Resources
     |_Mary Jane

sAMAccountName is the account name you most commonly log in to your computers with.
objectClass=user: this should be user, as defined in AD unless your sys admin or someone has tampered with the AD.
referrals=follow: this is necessary to traverse the full AD without knowing the user's base location.

I hope that this clears up some issues for you. Please let me know if I can help you more.
Dean E. Searle
Computing Oasis
989.245.7369 (P)
989.921.3904 (F)

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 1:25 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Thanks.

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 12:10 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Good luck.

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 1:07 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Thanks, Justin, You've given me some good pointers. I guess I'll do some more hammering and snooping. Our AD is on a server
RE: JNDIRealm...more
I can use that. Thanks.
Robyne

-Original Message-
From: Dean Searle [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 06, 2003 5:58 AM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

getRemoteUser(), if you're familiar with JSPs then you'll know how to use it. Unfortunately I don't, but I guess that is why we have web application developers on staff. :-)
Dean Searle
Computing Oasis
989.245.7369 (p)
989.921.3904 (f)

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 05, 2003 5:00 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Thanks for the pointer, I'll see about pointing to one of our 2 mail servers. I wonder if they talk back and forth. Also, do you know how I can extract the signed-on user's user-id once they've authenticated?
robyne

-Original Message-
From: Dean Searle [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 05, 2003 2:06 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Great to hear that information worked for you. I included the alternateURL in the event our primary AD went down for one reason or another and our users could still access the password protected sites. Without an alternate AD active or specified you will not have access to your web applications.

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Wed 11/5/2003 13:46
To: Tomcat Users List
Cc:
Subject: RE: JNDIRealm...more

Dean! Mine works! A thousand thanks! I hope I can return the favor some time. Your nice explanation helped. I did not need the alternateURL in mine. I found out that we have 2 mail servers, well the server.xml only allows for 1 alternate. I decided to try it without any and it worked.
Much appreciation,
Robyne Vaughn

-Original Message-
From: Dean Searle [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 9:48 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Hello, I hope that I am not too late to post here. I have just returned to the land of the living and have started to catch up on my reading. I noticed that Robyne you were trying to find the collective all for your users. I have just recently figured this out after working on it for two days.

Here is my working server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://your.AD.com"
       alternateURL="ldap://other.AD.com"
       connectionName="cn=USER DISPLAY NAME,ou=FIRST SUB-GROUP,dc=AD,dc=com"
       connectionPassword="XX"
       referrals="follow"
       userBase="dc=AD,dc=com"
       userSearch="(&amp;(sAMAccountName={0})(objectClass=user))"
       userSubtree="true"
       roleBase="dc=AD,dc=com"
       roleSearch="(uniqueMember={0})"
       roleName="cn" />

KEY:
cn = common name
ou = organizational unit
dc = domain controller
your.AD.com -> www.yahoo.com
other.AD.com -> mail.yahoo.com
USER DISPLAY NAME: This is the full name that shows up in your AD, ie user might be johnd but full name is John Doe. For the connection name and password, it must be a user that has authority to access AD. This part is necessary to connect.
FIRST SUB-GROUP: This depends on how your organization is built in AD. You might have departments like: Accounting, Human Resources, Information Technologies. In an AD structure it might look something like this:

COM
|
|_Yahoo
  |
  |_Accounting
  |  |_John Doe
  |
  |_Information Technologies
  |  |_Jack Daniels
  |
  |_Human Resources
     |_Mary Jane

sAMAccountName is the account name you most commonly log in to your computers with.
objectClass=user: this should be user, as defined in AD unless your sys admin or someone has tampered with the AD.
referrals=follow: this is necessary to traverse the full AD without knowing the user's base location.

I hope that this clears up some issues for you. Please let me know if I can help you more.
Dean E. Searle
Computing Oasis
989.245.7369 (P)
989.921.3904 (F)

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 1:25 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Thanks.

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 12:10 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Good luck.

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 1:07 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Thanks, Justin, You've given me some good pointers. I guess I'll do some more hammering and snooping. Our AD is on a server and the administrators gave me an administrator type password to try hitting it with, but they don't want me snooping around too much. I
JNDIRealm with UserMapping (was: Trust Store and Credentials)
Bill Barker wrote:
Speaking only for myself, it is because of the dependencies on sun.** classes (so it won't work with e.g. IBM's JVM). Otherwise the patch looks Ok. I just haven't had enough spare cycles to work out how to remove the Sun dependencies.

Ah, yes I see, but this is true for the JNDIRealmCertAD (which is for Windows Active Directory) only. I think we could leave this out, since there might be better solutions (JAAS) for this environment. JNDIRealmCertOpenExchange does not rely on sun.* and therefore could be a candidate for adding.
Ciao, Mario
RE: JNDIRealm...more
Dean, WOW, this is enlightening. Thanks, I'll let you know how it goes. I believe I have the connection name part working. I have not been able to find the user. This helps a lot.
Much appreciation, I'll let you know how it goes.
Rob

-Original Message-
From: Dean Searle [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 9:48 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Hello, I hope that I am not too late to post here. I have just returned to the land of the living and have started to catch up on my reading. I noticed that Robyne you were trying to find the collective all for your users. I have just recently figured this out after working on it for two days.

Here is my working server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://your.AD.com"
       alternateURL="ldap://other.AD.com"
       connectionName="cn=USER DISPLAY NAME,ou=FIRST SUB-GROUP,dc=AD,dc=com"
       connectionPassword="XX"
       referrals="follow"
       userBase="dc=AD,dc=com"
       userSearch="(&amp;(sAMAccountName={0})(objectClass=user))"
       userSubtree="true"
       roleBase="dc=AD,dc=com"
       roleSearch="(uniqueMember={0})"
       roleName="cn" />

KEY:
cn = common name
ou = organizational unit
dc = domain controller
your.AD.com -> www.yahoo.com
other.AD.com -> mail.yahoo.com
USER DISPLAY NAME: This is the full name that shows up in your AD, ie user might be johnd but full name is John Doe. For the connection name and password, it must be a user that has authority to access AD. This part is necessary to connect.
FIRST SUB-GROUP: This depends on how your organization is built in AD. You might have departments like: Accounting, Human Resources, Information Technologies. In an AD structure it might look something like this:

COM
|
|_Yahoo
  |
  |_Accounting
  |  |_John Doe
  |
  |_Information Technologies
  |  |_Jack Daniels
  |
  |_Human Resources
     |_Mary Jane

sAMAccountName is the account name you most commonly log in to your computers with.
objectClass=user: this should be user, as defined in AD unless your sys admin or someone has tampered with the AD.
referrals=follow: this is necessary to traverse the full AD without knowing the user's base location.

I hope that this clears up some issues for you. Please let me know if I can help you more.
Dean E. Searle
Computing Oasis
989.245.7369 (P)
989.921.3904 (F)

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 1:25 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Thanks.

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 12:10 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Good luck.

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 1:07 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Thanks, Justin, You've given me some good pointers. I guess I'll do some more hammering and snooping. Our AD is on a server and the administrators gave me an administrator type password to try hitting it with, but they don't want me snooping around too much. I don't actually have direct access to it. Like I said, I have hit it with some JNDI, but that is new to me also, and I still couldn't discover the tree structure adequately. Anyway, I guess I'll try to pull things out of the loading script and my LDAP books. It's so frustrating. I can't find, and the administrators don't know, where the collective all of our users are located. They found an example script, used it, and don't really know what they have yet. I really appreciate your time.
Thanks, Rob
Ps I expect I'll have more questions later. Right now, I'm still stuck just figuring out where all users are.

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 11:40 AM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Oh, for the AD LDAP, I've been using the programs that came with Active Directory. There is also an ldp.exe, I dunno where that came from, but that's pretty useful.

-Original Message-
From: Hart, Justin
Sent: Tuesday, November 04, 2003 12:39 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

I used * as my role-name.
Justin

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 12:38 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Justin, I REALLY appreciate your help. I've been stuck for a while. I believe that Users is a CN. (Scanning thru the script, I don't see Users ever set as an OU, but I do see it as a CN.) How are you browsing around in AD's LDAP? I have a jndi
RE: JNDIRealm...more
Ok, cool, so now I have a question about the parts:

roleBase=OU=Users,OU=[my OU],DC=[Domain],DC=com
roleName=memberOf
roleSearch=(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC=com)

This is going to specify what roles apply to the user under the role-name portion of the web.xml, correct? As well as for use with isUserInRole(), right? If I want the roles that apply to my user to be their NT Groups, would I make it something akin to:

roleBase=CN=Users,DC=[Domain],DC=com
roleName=memberOf

Will it take all of their roles, even with roleSearch specified? Am I on the Right Track(tm) with all of this?
Justin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, November 03, 2003 4:16 PM
To: [EMAIL PROTECTED]
Subject: RE: JNDIRealm...more

Here's what I have... this works for me, hope this helps:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://[domain controller]:389"
       userBase="OU=Users,OU=[My OU],DC=[Domain],DC=com"
       userSearch="(sAMAccountName={0})"
       userRoleName="member"
       roleBase="OU=Users,OU=[my OU],DC=[Domain],DC=com"
       roleName="memberOf"
       roleSearch="(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC=com)"
       connectionName="CN=Administrator,CN=Users,DC=[Domain],DC=com"
       connectionPassword="[password]"
       roleSubtree="true"
       userSubtree="true"/>
RE: JNDIRealm...more
Ok, figured it out. For those who are curious (IE the handful of other people who've been taking part in JNDIRealm threads on this list):

roleBase=OU=Users,OU=[Your OU from the userBase],DC=[Domain],DC=com
roleName=memberOf
roleSearch=(Whatever group all members allowed to log in should be a part of)

Now, when you refer to their role in the rest of your application, you use the DN of the NT Group that they are supposed to be a part of. That way, you can use NT permissions to control your web app.
Justin

-Original Message-
From: Hart, Justin
Sent: Wednesday, November 05, 2003 12:00 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Ok, cool, so now I have a question about the parts:

roleBase=OU=Users,OU=[my OU],DC=[Domain],DC=com
roleName=memberOf
roleSearch=(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC=com)

This is going to specify what roles apply to the user under the role-name portion of the web.xml, correct? As well as for use with isUserInRole(), right? If I want the roles that apply to my user to be their NT Groups, would I make it something akin to:

roleBase=CN=Users,DC=[Domain],DC=com
roleName=memberOf

Will it take all of their roles, even with roleSearch specified? Am I on the Right Track(tm) with all of this?
Justin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, November 03, 2003 4:16 PM
To: [EMAIL PROTECTED]
Subject: RE: JNDIRealm...more

Here's what I have... this works for me, hope this helps:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://[domain controller]:389"
       userBase="OU=Users,OU=[My OU],DC=[Domain],DC=com"
       userSearch="(sAMAccountName={0})"
       userRoleName="member"
       roleBase="OU=Users,OU=[my OU],DC=[Domain],DC=com"
       roleName="memberOf"
       roleSearch="(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC=com)"
       connectionName="CN=Administrator,CN=Users,DC=[Domain],DC=com"
       connectionPassword="[password]"
       roleSubtree="true"
       userSubtree="true"/>
server.xml JNDIRealm
Ok, more nifty questions from myself. The format that the rest of the company uses for NT Authentication is [domain].com\[username] in the username field, and then [pass] in the password field. The NT Admins would really like if my application would do the same (so as not to throw off users). Is it possible to split characters off of the username field before providing them to the userSearch query... ie userSearch=(sAMAccountName={0}) with the [domain].com\ part gone?
Justin
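The two questions in this thread, Justin's null-username crash and indirect recursion in the "Extending JNDIRealm" exchange and the [domain].com\ prefix question above, can be answered with one subclass. The following is an added example, not code from the thread or from Tomcat itself; the package and class name (com.example.realm.DomainStrippingJNDIRealm) are my own invention, and it assumes the Tomcat 5.x JNDIRealm method signature quoted in the thread. It keeps the null check Justin added, strips a leading "domain.com\" or "DOMAIN\" before the name reaches userSearch="(sAMAccountName={0})", refuses names that carry LDAP filter metacharacters, and delegates to super.authenticate(DirContext, String, String) instead of super.authenticate(String, String), which is the call that loops back into the override.

```java
package com.example.realm; // hypothetical package, not from the thread

import java.security.Principal;

import javax.naming.NamingException;
import javax.naming.directory.DirContext;

import org.apache.catalina.realm.JNDIRealm;

/**
 * Added example: a JNDIRealm subclass that
 *   - survives the null username Tomcat hands authenticate() (the NPE in the thread),
 *   - strips "domain.com\" or "DOMAIN\" off the front of what the user typed
 *     before it reaches userSearch="(sAMAccountName={0})",
 *   - refuses names carrying LDAP filter metacharacters, so the stripped name
 *     cannot reshape the userSearch filter,
 *   - delegates to super.authenticate(DirContext, String, String) and NOT to
 *     super.authenticate(String, String), which would call back into this
 *     override (the indirect recursion Tim described).
 * Assumes the Tomcat 5.x JNDIRealm signature quoted in the thread.
 */
public class DomainStrippingJNDIRealm extends JNDIRealm {

    /** "corp.example.com\jdoe" or "CORP\jdoe" -> "jdoe"; null stays null. */
    static String stripDomainPrefix(String username) {
        if (username == null) {
            return null;
        }
        int sep = username.lastIndexOf('\\');
        return sep < 0 ? username : username.substring(sep + 1);
    }

    /** Reject empty names and the RFC 4515 filter metacharacters. */
    static boolean isSafeAccountName(String name) {
        if (name == null || name.length() == 0) {
            return false;
        }
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            if (c == '*' || c == '(' || c == ')' || c == '\\' || c == '\0') {
                return false;
            }
        }
        return true;
    }

    @Override
    public Principal authenticate(DirContext context, String username, String credentials)
            throws NamingException {
        String account = stripDomainPrefix(username);
        // Null or empty input: fail closed, the same outcome as JNDIRealm's own check.
        if (!isSafeAccountName(account) || credentials == null || credentials.length() == 0) {
            return null;
        }
        // The stripped name is what the realm searches for and what
        // request.getRemoteUser() will later return.
        return super.authenticate(context, account, credentials);
    }
}
```

To use it, change only className in the existing Realm element to the subclass and keep every other attribute as it is; the compiled class has to be visible to Tomcat's server class loader (for Tomcat 5.x I am assuming $CATALINA_HOME/server/classes or a jar under $CATALINA_HOME/server/lib). Because the stripped name is what the realm binds and searches with, getRemoteUser() returns jdoe rather than corp.example.com\jdoe. The prefix is discarded, not verified: if more than one domain can log in, userBase and connectionURL still decide which directory is consulted.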
RE: JNDIRealm...more
Dean! Mine works! A thousand thanks! I hope I can return the favor some time. Your nice explanation helped. I did not need the alternateURL in mine. I found out that we have 2 mail servers, well the server.xml only allows for 1 alternate. I decided to try it without any and it worked.
Much appreciation,
Robyne Vaughn

-Original Message-
From: Dean Searle [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 9:48 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Hello, I hope that I am not too late to post here. I have just returned to the land of the living and have started to catch up on my reading. I noticed that Robyne you were trying to find the collective all for your users. I have just recently figured this out after working on it for two days.

Here is my working server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://your.AD.com"
       alternateURL="ldap://other.AD.com"
       connectionName="cn=USER DISPLAY NAME,ou=FIRST SUB-GROUP,dc=AD,dc=com"
       connectionPassword="XX"
       referrals="follow"
       userBase="dc=AD,dc=com"
       userSearch="(&amp;(sAMAccountName={0})(objectClass=user))"
       userSubtree="true"
       roleBase="dc=AD,dc=com"
       roleSearch="(uniqueMember={0})"
       roleName="cn" />

KEY:
cn = common name
ou = organizational unit
dc = domain controller
your.AD.com -> www.yahoo.com
other.AD.com -> mail.yahoo.com
USER DISPLAY NAME: This is the full name that shows up in your AD, ie user might be johnd but full name is John Doe. For the connection name and password, it must be a user that has authority to access AD. This part is necessary to connect.
FIRST SUB-GROUP: This depends on how your organization is built in AD. You might have departments like: Accounting, Human Resources, Information Technologies. In an AD structure it might look something like this:

COM
|
|_Yahoo
  |
  |_Accounting
  |  |_John Doe
  |
  |_Information Technologies
  |  |_Jack Daniels
  |
  |_Human Resources
     |_Mary Jane

sAMAccountName is the account name you most commonly log in to your computers with.
objectClass=user: this should be user, as defined in AD unless your sys admin or someone has tampered with the AD.
referrals=follow: this is necessary to traverse the full AD without knowing the user's base location.

I hope that this clears up some issues for you. Please let me know if I can help you more.
Dean E. Searle
Computing Oasis
989.245.7369 (P)
989.921.3904 (F)

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 1:25 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Thanks.

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 12:10 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Good luck.

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 1:07 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Thanks, Justin, You've given me some good pointers. I guess I'll do some more hammering and snooping. Our AD is on a server and the administrators gave me an administrator type password to try hitting it with, but they don't want me snooping around too much. I don't actually have direct access to it. Like I said, I have hit it with some JNDI, but that is new to me also, and I still couldn't discover the tree structure adequately. Anyway, I guess I'll try to pull things out of the loading script and my LDAP books. It's so frustrating. I can't find, and the administrators don't know, where the collective all of our users are located. They found an example script, used it, and don't really know what they have yet. I really appreciate your time.
Thanks, Rob
Ps I expect I'll have more questions later. Right now, I'm still stuck just figuring out where all users are.

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 11:40 AM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Oh, for the AD LDAP, I've been using the programs that came with Active Directory. There is also an ldp.exe, I dunno where that came from, but that's pretty useful.

-Original Message-
From: Hart, Justin
Sent: Tuesday, November 04, 2003 12:39 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

I used * as my role-name.
Justin

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 12:38 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Justin, I REALLY appreciate your help. I've been stuck for a while. I believe that Users is a CN. (Scanning thru the script, I don't see Users ever set as an OU
RE: JNDIRealm...more
Great to hear that information worked for you. I included the alternateURL in the event our primary AD went down for one reason or another and our users could still access the password-protected sites. Without an alternate AD active or specified you will not have access to your web applications.

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Wed 11/5/2003 13:46
To: Tomcat Users List
Cc:
Subject: RE: JNDIRealm...more

Dean! Mine works! A thousand thanks! I hope I can return the favor some time. Your nice explanation helped. I did not need the alternateURL in mine. I found out that we have 2 mail servers; well, the server.xml only allows for 1 alternate. I decided to try it without any and it worked.
Much appreciation,
Robyne Vaughn

-Original Message-
From: Dean Searle [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 9:48 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Hello,
I hope that I am not too late to post here. I have just returned to the land of the living and have started to catch up on my reading. I noticed, Robyne, that you were trying to find the collective all for your users. I have just recently figured this out after working on it for two days. Here is my working server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="99"
       connectionURL="ldap://your.AD.com"
       alternateURL="ldap://other.AD.com"
       connectionName="cn=USER DISPLAY NAME,ou=FIRST SUB-GROUP,dc=AD,dc=com"
       connectionPassword="XX"
       referrals="follow"
       userBase="dc=AD,dc=com"
       userSearch="(&amp;(sAMAccountName={0})(objectClass=user))"
       userSubtree="true"
       roleBase="dc=AD,dc=com"
       roleSearch="(uniqueMember={0})"
       roleName="cn" />

KEY:
cn = common name
ou = organizational unit
dc = domain controller
your.AD.com = www.yahoo.com
other.AD.com = mail.yahoo.com

USER DISPLAY NAME
  This is the full name that shows up in your AD, i.e. the user might be johnd but the full name is John Doe. For the connection name and password, it must be a user that has authority to access AD. This part is necessary to connect.
FIRST SUB-GROUP
  This depends on how your organization is built in AD. You might have departments like: Accounting, Human Resources, Information Technologies.
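An added example, not from the thread and not Tomcat's own code, written in Python rather than Java: it shows how the {0} placeholder in the userSearch and roleSearch filters quoted above is filled in and why the substituted value has to be escaped (RFC 4515) before it reaches the directory. The substitution rules (username for {0} in userSearch; user DN for {0} and username for {1} in roleSearch) are stated in the code as assumptions.

```python
"""Filling JNDIRealm-style LDAP search templates with escaped values.

Assumptions (not stated in the thread): in userSearch, {0} is replaced by
the submitted username; in roleSearch, {0} is the user's DN and {1} the
username.  Escaping follows RFC 4515 so that the value is matched literally.
"""
import re

# Characters with special meaning inside an LDAP search filter (RFC 4515)
# and the hex escape each one becomes.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Filters from the thread, with the XML entity &amp; decoded to a plain &.
USER_SEARCH = "(&(sAMAccountName={0})(objectClass=user))"
ROLE_SEARCH = "(uniqueMember={0})"


def escape_filter_value(value: str) -> str:
    """Escape a value so the directory matches it literally, not as a pattern."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def fill_template(template: str, *args: str) -> str:
    """Replace {0}, {1}, ... in template with the escaped arguments.

    Raises IndexError if the template references an argument that was not
    supplied, rather than silently leaving the placeholder in the filter.
    """
    def substitute(match: "re.Match[str]") -> str:
        index = int(match.group(1))
        if index >= len(args):
            raise IndexError(
                f"template references {{{index}}} but only "
                f"{len(args)} argument(s) were given"
            )
        return escape_filter_value(args[index])

    return re.sub(r"\{(\d+)\}", substitute, template)


def user_filter(username: str) -> str:
    """Filter sent under userBase to locate the entry for the login name."""
    return fill_template(USER_SEARCH, username)


def role_filter(user_dn: str, username: str) -> str:
    """Filter sent under roleBase; {0} is the user's DN, {1} the username."""
    return fill_template(ROLE_SEARCH, user_dn, username)


def is_exact_match_filter(filter_text: str) -> bool:
    """True when no literal wildcard survived substitution.

    An unescaped '*' in the login name would turn the equality match on
    sAMAccountName into a substring match; after escaping, the only trace
    of it is the '\\2a' sequence, so no bare asterisk remains.
    """
    return "*" not in filter_text


if __name__ == "__main__":
    # Constructed sample inputs, named after Dean's example tree.
    print(user_filter("johnd"))
    print(user_filter("john*"))  # the wildcard is escaped to \2a
    print(role_filter("CN=John Doe,OU=Accounting,DC=AD,DC=com", "johnd"))
    print(escape_filter_value("Jack (IT) Daniels"))
```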
RE: JNDIRealm...more
Thanks for the pointer, I'll see about pointing to one of our 2 mail servers. I wonder if they talk back and forth.
Also, do you know how I can extract the signed-on user's user-id once they've authenticated?
robyne
RE: JNDIRealm...more
I just got it working... A million thank yous! I didn't really understand LDAP until learning (some) about it yesterday, and once I started learning it, your example made perfect sense, and now I can authenticate my users! This rules very much!
Justin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, November 03, 2003 4:16 PM
To: [EMAIL PROTECTED]
Subject: RE: JNDIRealm...more

Here's what I have... this works for me, hope this helps:

<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="99"
       connectionURL="ldap://[domain controller]:389"
       userBase="OU=Users,OU=[My OU],DC=[Domain],DC=com"
       userSearch="(sAMAccountName={0})"
       userRoleName="member"
       roleBase="OU=Users,OU=[my OU],DC=[Domain],DC=com"
       roleName="memberOf"
       roleSearch="(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC=com)"
       connectionName="CN=Administrator,CN=Users,DC=[Domain],DC=com"
       connectionPassword="[password]"
       roleSubtree="true"
       userSubtree="true" />

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED]
Sent: Monday, November 03, 2003 12:57 PM
To: Tomcat Users List
Subject: JNDIRealm...more

My server.xml now looks like this:

<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="99"
       connectionURL="A good active directory server"
       userBase="dc=MY DOMAIN NAME,dc=com"
       userRoleName="member"
       roleName="cn"
       roleSearch="(userPrincipalName={0})"
       roleSubtree="false"
       userSubtree="false"
       referrals="follow" />

Reading through the log shows no errors, just that the realm is opening and closing connections with my LDAP server; after 3 tries, it tells me that I need to use HTTP authentication. What's going wrong here?
Justin

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
RE: JNDIRealm...more
Hi, I've been watching your emails and I'm still trying to understand. I have a couple of LDAP books and I'm trying to figure some things out. I can authenticate to AD with known OUs and known common names, but I can't use basic or form authentication and get them authenticated with just a user-id and password.

What is: roleSearch=(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC=com)
1. Specifically, what is CN=tomcat? Is that a role which has been set up in AD?

What is: userBase=OU=Users,OU=[My OU],DC=[Domain],DC=com
2. Specifically, what is OU=[My OU]?

3. What did you put in your web-app web.xml?

My AD administrators have not been able to explain our tree structure to me. Either I'm asking the wrong questions, or they don't understand it either. They have given me a copy of the script they used to load it. I'm trying to look thru the script to discover the tree structure. Also, they printed a screen print from their AD administrative tool. It has this sort of structure:

Active Directory Users and Computers
  lubbock.isd
    Builtin
    CO
    Computers
    Disabled Accounts
    Elem
    ForeignSecurityPrincipals
    HS
    JH
    LostAndFound
    Microsoft Exchange System Object
    OG
    System
    Users

Should that tell me what to plug into the OU? I know if I hit the AD with an administrative name, password and its OU, then I authenticate. For instance CN=Administratorname,OU=CO,dc=lubbock,dc=isd. CO stands for central office (in this case). I know that this administrative name is in the OU=CO. What do I do if my user is not in OU=CO? How do I authenticate when I'm not given the person's specific OU? I don't understand why you're specifying 2 different values for OU?
Any help would be appreciated.
Thanks,
rob
RE: JNDIRealm...more
Justin,
I REALLY appreciate your help. I've been stuck for a while. I believe that Users is a CN. (Scanning thru the script, I don't see Users ever set as an OU, but I do see it as a CN.) How are you browsing around in AD's LDAP? I have a JNDI JSP that I've tried finding things with.
One bit of info: The AD I am trying to authenticate to is on a different box than the one I work on. I do know to hit AD with a connection name and password, then I've tried to use the sAMAccountName but have been unsuccessful. I can't quite get my path worked out. I will look thru the DN, to see if I can find where all the users are a member.
In my web.xml, I have tried form-based and basic authentication. Which are you using, and don't you have to specify this stuff?:

<security-constraint>
  <web-resource-collection>
    <web-resource-name></web-resource-name>
    <url-pattern></url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name></role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method></auth-method>
  <!-- <realm-name></realm-name> -->
</login-config>
<security-role>
  <role-name></role-name>
</security-role>

Would the role-name be the entry in the tomcat users or would it be an entry in the AD? This is a new web-app I'm trying to get up and it will be the first one in our group to authenticate against the AD. Our previous authentication is being eliminated.

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 11:14 AM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

1) In terms of active directory, the roleSearch, in this case, would be a group that the person logging in needs to be a member of. In terms of mine, it would be the ALL mailing list for my company. What you need to do is browse around in active directory's LDAP (I assume that you're doing this against active directory) and find the entry that describes the NT group that you want all of your members to be a member of.
CN=tomcat is just part of the DN that identifies that group for the other guy in this thread.
2) K, you need to get to your base directory that contains users. That could be multiple OUs deep; in terms of active directory, it probably is: you'll probably have 1 layer for, say, job sites, and another for Users (hence Users). You'll see it if you browse down your active directory tree... just enter the DN describing the level containing your users.
3) web.xml contains the stuff specific to logging in, so essentially, whatever you use for authentication now can still be used, as long as the data jibes with what's in your active directory.
Is that Users there a CN or an OU?
Justin
RE: JNDIRealm...more
I used * as my role-name.
Justin
RE: JNDIRealm...more
Oh, for the AD LDAP, I've been using the programs that came with Active Directory. There is also an ldp.exe, I dunno where that came from, but that's pretty useful.
RE: JNDIRealm...more
Thanks, Justin,
You've given me some good pointers. I guess I'll do some more hammering and snooping. Our AD is on a server and the administrators gave me an administrator-type password to try hitting it with, but they don't want me snooping around too much. I don't actually have direct access to it. Like I said, I have hit it with some JNDI, but that is new to me also, and I still couldn't discover the tree structure adequately. Anyway, I guess I'll try to pull things out of the loading script and my LDAP books. It's so frustrating. I can't find, and the administrators don't know, where the collective all of our users are located. They found an example script, used it, and don't really know what they have yet.
I really appreciate your time.
Thanks,
Rob
PS I expect I'll have more questions later. Right now, I'm still stuck just figuring out where all users are.
RE: JNDIRealm...more
Good luck.

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 04, 2003 1:07 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more
RE: JNDIRealm...more
Thanks.

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 04, 2003 12:10 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Good luck.
RE: JNDIRealm...more
Hello, I hope that I am not too late to post here. I have just returned to the land of the living and have started to catch up on my reading. I noticed that Robyne you were trying to find the collective "all" for your users. I have just recently figured this out after working on it for two days. Here is my working server.xml:

  <Realm className="org.apache.catalina.realm.JNDIRealm"
         debug="99"
         connectionURL="ldap://your.AD.com"
         alternateURL="ldap://other.AD.com"
         connectionName="cn=USER DISPLAY NAME,ou=FIRST SUB-GROUP,dc=AD,dc=com"
         connectionPassword="XX"
         referrals="follow"
         userBase="dc=AD,dc=com"
         userSearch="(&amp;(sAMAccountName={0})(objectClass=user))"
         userSubtree="true"
         roleBase="dc=AD,dc=com"
         roleSearch="(uniqueMember={0})"
         roleName="cn" />

KEY:
  cn = common name
  ou = organizational unit
  dc = domain controller
  your.AD.com -> www.yahoo.com
  other.AD.com -> mail.yahoo.com
  USER DISPLAY NAME: this is the full name that shows up in your AD, i.e. the user might be johnd but the full name is John Doe. For the connection name and password, it must be a user that has authority to access AD. This part is necessary to connect.
  FIRST SUB-GROUP: this depends on how your organization is built in AD. You might have departments like: Accounting, Human Resources, Information Technologies. In an AD structure it might look something like this:

    COM
    |
    |_Yahoo
       |
       |_Accounting
       |   |_John Doe
       |
       |_Information Technologies
       |   |_Jack Daniels
       |
       |_Human Resources
           |_Mary Jane

  sAMAccountName is the account name you most commonly log into your computers with.
  objectClass=user: this should be user, as defined in AD, unless your sys admin or someone has tampered with the AD.
  referrals=follow: this is necessary to traverse the full AD without knowing the user's base location.

I hope that this clears up some issues for you. Please let me know if I can help you more.

Dean E. Searle
Computing Oasis
989.245.7369 (P)
989.921.3904 (F)

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 04, 2003 1:25 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Thanks.
JNDIRealm Configuration
Does anybody have an example JNDIRealm configuration (server.xml, web.xml)? I feel like I'm just taking stabs in the dark with these files... Currently I can get it to pop up a window and ask for your username/password. I use my NT username and password and it rejects them. I think that I have the web.xml correct, but the server.xml incorrect.

Justin

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
JNDIRealm
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://[Windows 2000 Domain Controller]:389"
         userBase="CN=Users,dc=[domain name],dc=com"
         userSearch="(userPrincipalName={0})"
         userRoleName="member"
         roleBase="CN=Users,dc=[domain name],dc=com"
         roleName="cn"
         roleSearch="(member={0})"
         connectionName="CN=[jndi account username],CN=Users,DC=[domain name],DC=com"
         connectionPassword="[jndi account password]"
         roleSubtree="true"
         userSubtree="true" />

Found the preceding snippet on java-internals.com. My server.xml looks like this:

  <Realm className="org.apache.catalina.realm.JNDIRealm"
         debug="99"
         connectionURL="my server... it's correct"
         userBase="CN=Users,dc=correct,dc=com"
         userSearch="(userPrincipalName={0})"
         userRoleName="member"
         roleBase="CN=Users,dc=sfa,dc=com"
         roleName="cn"
         roleSearch="(member={0})"
         roleSubtree="true"
         userSubtree="true" />

It fails to authenticate NT users based on their NT username/password combination. It's connecting to an Active Directory server... is there anything glaringly obvious that I am doing incorrectly here?

Justin
JNDIRealm...more
My server.xml now looks like this:

  <Realm className="org.apache.catalina.realm.JNDIRealm"
         debug="99"
         connectionURL="A good active directory server"
         userBase="dc=MY DOMAIN NAME,dc=com"
         userRoleName="member"
         roleName="cn"
         roleSearch="(userPrincipalName={0})"
         roleSubtree="false"
         userSubtree="false"
         referrals="follow" />

Reading through the log shows no errors, just that the realm is opening and closing connections with my LDAP server; after 3 tries, it tells me that I need to use HTTP authentication. What's going wrong here?

Justin
RE: JNDIRealm...more
Here's what I have... this works for me, hope this helps:

  <Realm className="org.apache.catalina.realm.JNDIRealm"
         debug="99"
         connectionURL="ldap://[domain controller]:389"
         userBase="OU=Users,OU=[My OU],DC=[Domain],DC=com"
         userSearch="(sAMAccountName={0})"
         userRoleName="member"
         roleBase="OU=Users,OU=[my OU],DC=[Domain],DC=com"
         roleName="memberOf"
         roleSearch="(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC=com)"
         connectionName="CN=Administrator,CN=Users,DC=[Domain],DC=com"
         connectionPassword="[password]"
         roleSubtree="true"
         userSubtree="true" />

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 03, 2003 12:57 PM
To: Tomcat Users List
Subject: JNDIRealm...more
RE: JNDIRealm...more
Is there a way to do this without the admin password in the file? What is sAMAccountName? Also, not terribly versed in LDAP, what is "My OU"?

Justin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 03, 2003 4:16 PM
To: [EMAIL PROTECTED]
Subject: RE: JNDIRealm...more
RE: JNDIRealm...more
You don't need the admin password; you do need a domain account that has read permissions. Just about any account will do this; create a test account and use that instead of the admin account.

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 03, 2003 4:18 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more
RE: JNDIRealm...more
OK, what about sAMAccountName? I'm browsing through my LDAP, and don't see any keys that match that... would that be whatever key matches the username I want typed in?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 03, 2003 4:26 PM
To: [EMAIL PROTECTED]
Subject: RE: JNDIRealm...more
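A caveat on the userSearch filters in the configurations above: the realm substitutes the login name for {0} in the filter string, so anything the user types that LDAP treats as filter syntax (parentheses, the asterisk, the backslash) changes the filter that is sent to the directory. The following is an added example, not Tomcat's JNDIRealm code, showing RFC 4515 escaping of the substituted value and what an unescaped hostile login name does to (&(sAMAccountName={0})(objectClass=user)); the class and method names are this example's own. Check JNDIRealm.java of the Tomcat version you run to see whether it escapes the value itself before relying on it.

```java
// Added example (not Tomcat's JNDIRealm code): escaping the value that
// replaces {0} in a userSearch filter such as (sAMAccountName={0}).
// Class and method names are this example's own, not Tomcat's.
import java.text.MessageFormat;

public class UserSearchFilter {

    /** Escape a value for use inside an LDAP search filter (RFC 4515). */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Build the filter the realm would send: the template with {0} replaced by
     * the escaped login name. MessageFormat is the {0} placeholder syntax the
     * realm's userSearch uses; it treats a single quote as a quoting character,
     * so keep templates free of quotes.
     */
    public static String buildFilter(String template, String username) {
        return MessageFormat.format(template, escapeFilterValue(username));
    }

    public static void main(String[] args) {
        String template = "(&(sAMAccountName={0})(objectClass=user))";

        // An ordinary login name: substituted as-is.
        System.out.println(buildFilter(template, "johnd"));
        // (&(sAMAccountName=johnd)(objectClass=user))

        // A hostile login name. Unescaped, the filter becomes
        // (&(sAMAccountName=*)(objectClass=*)(objectClass=user))
        // which matches every user object instead of one account.
        String hostile = "*)(objectClass=*";
        System.out.println(MessageFormat.format(template, hostile));

        // Escaped, the same input only matches an account whose
        // sAMAccountName is literally "*)(objectClass=*".
        System.out.println(buildFilter(template, hostile));
        // (&(sAMAccountName=\2a\29\28objectClass=\2a)(objectClass=user))
    }
}
```

The second concern the thread raises, the bind account in server.xml, is separate from escaping: the account named in connectionName only needs read access to the userBase and roleBase subtrees, and server.xml should be readable only by the account Tomcat runs as, since connectionPassword sits in it in clear text.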
Re: JNDIRealm using LDAP with SSL
Did you solve your problem? I don't get the whole thing to run. Are you really able to use *ldaps* in the connectionURL? On my system I get the following error:

  LifecycleException: Exception opening directory server connection: javax.naming.NamingException: Cannot parse url: ldaps://localhost:636 [Root exception is java.net.MalformedURLException: Not an LDAP URL: ldaps://localhost:636]

If I just use ldap://localhost:636 I get this:

  LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: Request: 1 cancelled

Neither really helps in defending against network sniffers stealing user data.

Hayo Schmidt

Chris Egolf wrote:

Does anyone have any experience getting ldaps working w/ the JNDIRealms in Tomcat 4.1.24? Regular LDAP is working fine, but when I change the connection URL to ldaps://ldap-host:636 I get the following error:

  2003-07-28 09:40:49 JNDIRealm[Standalone]: Connecting to URL ldaps://10.1.1.50:636
  2003-07-28 09:40:50 JNDIRealm[Standalone]: Exception performing authentication
  javax.naming.CommunicationException: simple bind failed: 10.1.1.50:636 [Root exception is javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found]

My Realm element in server.xml:

  <Realm className="org.apache.catalina.realm.JNDIRealm"
         debug="99"
         resourceName="UserDatabase"
         connectionURL="ldaps://10.1.1.50:636"
         connectionName="cn=TOMCAT,ou=WebAppUser,ou=MyOU,o=MyCompany"
         connectionPassword="password"
         userBase="o=MyCompany"
         userSearch="(&amp;(cn={0})(objectClass=inetOrgPerson))"
         userSubtree="true"
         roleBase="ou=WebAppGrp,ou=MyOU,o=MyCompany"
         roleSearch="(uniqueMember={0})"
         roleName="cn" />

Like I said, this works if connectionURL="ldap://10.1.1.50:389". I can connect to the LDAP server (Novell eDirectory) via SSL using a Java browser if I accept the certificate, so I wonder if that might have something to do with it. I've also successfully followed the Config-SSL-HOWTO, accepted the certificate from the server and set up the keystore for the connector as described, but I get the feeling that this is strictly for enabling SSL over HTTP.

Thanks in advance.

Chris
Re: JNDIRealm source code -
http://jakarta.apache.org/site/cvsindex.html

JNDIRealm is in jakarta-tomcat-catalina for Tomcat 5, and in jakarta-tomcat-4.0/catalina/ for Tomcat 4.

I recommend more exploration before accepting an error code 2 as a valid login. It's a kluge around MS's LDAP implementation and such a kluge probably won't make it back into the source tree. I have seen problems with respect to JNDIRealm and MS with respect to commas, or other weird characters in the DN, with respect to escaping. (I don't remember any more details; it is too horrifying an experience to recall.) There might also be a Bugzilla report with respect to it.

-Tim
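Both the ldaps thread above and Davi's "error code 2" come out of the same call: the InitialDirContext the realm creates when it binds. The following standalone Java program is an added diagnostic, not code from Tomcat or from anyone in the thread, that reproduces that bind outside Tomcat so the raw JNDI exception is visible instead of the realm's "bind attempt failed" line. It composes the user DN from a userPattern-style template with RFC 4514 escaping of the substituted value (the comma problem Tim mentions), and it opens the connection over SSL by setting the JNDI java.naming.security.protocol property together with a plain ldap://host:636 URL; that is what JNDIRealm's protocol="ssl" attribute sets, and it works with a JNDI provider that rejects the ldaps:// scheme, as in Hayo's "Not an LDAP URL" error. Chris's "No trusted certificate found" means the JVM's trust store does not contain the certificate chain of the LDAP server; the program points javax.net.ssl.trustStore at a keystore holding that CA. The truststore path, host, port, DN template, login name and password below are placeholders, and the class and method names are this example's own.

```java
// Added diagnostic (not Tomcat's JNDIRealm and not the posters' code):
// reproduce the realm's "validating credentials by binding as the user" step
// so the underlying JNDI exception can be read directly.
// All hosts, ports, DNs, passwords and file names here are placeholders.
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class LdapBindCheck {

    /**
     * Escape one attribute value for use in a DN (RFC 4514), e.g. the {0} in
     * cn={0},ou=Members,o=org. Without this, a login name containing a comma
     * or a plus sign changes the structure of the DN that is bound.
     */
    public static String escapeDnValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        int last = value.length() - 1;
        for (int i = 0; i <= last; i++) {
            char c = value.charAt(i);
            if (c == '\0') {             // NUL has no printable escape form
                sb.append("\\00");
                continue;
            }
            boolean special = c == ',' || c == '+' || c == '"' || c == '\\'
                    || c == '<' || c == '>' || c == ';'
                    || (c == '#' && i == 0)                 // leading '#'
                    || (c == ' ' && (i == 0 || i == last)); // leading/trailing space
            if (special) {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    /** Compose the user DN from a userPattern-style template. */
    public static String userDn(String pattern, String username) {
        return pattern.replace("{0}", escapeDnValue(username));
    }

    /**
     * Bind as the user and classify the outcome. With ssl=true the JNDI
     * security protocol property is set, which is what JNDIRealm's
     * protocol="ssl" attribute does; the URL stays ldap:// on the SSL port.
     */
    public static String tryBind(String url, String dn, String password, boolean ssl) {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        if (ssl) {
            env.put(Context.SECURITY_PROTOCOL, "ssl");
        }
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);   // the simple bind happens here
            return "OK: bound as " + dn;
        } catch (AuthenticationException e) {
            return "AUTH FAILED (wrong DN or password): " + e.getMessage();
        } catch (CommunicationException e) {
            // Covers both "No trusted certificate found" (trust store lacks the
            // server's CA) and "[LDAP: error code 2 - Protocol Error]".
            Throwable root = e.getRootCause();
            return "CONNECTION/PROTOCOL PROBLEM: " + e.getMessage()
                    + (root != null ? " / root cause: " + root : "");
        } catch (NamingException e) {
            return "OTHER NAMING ERROR: " + e.getMessage();
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        // Trust store holding the LDAP server's CA certificate, built for example with:
        //   keytool -import -alias ldap-ca -file ldap-ca.pem -keystore ldap-truststore.jks
        // The same two properties can be passed to Tomcat's JVM via JAVA_OPTS.
        System.setProperty("javax.net.ssl.trustStore", "ldap-truststore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

        String dn = userDn("cn={0},ou=Members,o=org", "Doe, John");
        System.out.println(dn);   // cn=Doe\, John,ou=Members,o=org
        System.out.println(tryBind("ldap://ldap.example.com:636", dn, "secret", true));
    }
}
```

Run it once with the credentials of a known-good account and once with a wrong password: AuthenticationException on the wrong password and a clean bind on the right one is the behaviour the realm expects, and anything else that comes back as a CommunicationException is a transport or server-side problem that patching JNDIRealm to ignore would only hide.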
JNDIRealm source code - (was: Re: Tomcat vs Bea WebLogic)
Hi,

I am using Tomcat 4.1.27, Java SDK 1.4.1_02 and JNDIRealm to use the Micro$oft Site Server service to authenticate our webapps. I get an error code 2 exception (Protocol Error) only when the user and the password are right. That is to say, when an OK is expected.

I am thinking about modifying the JNDIRealm to support that Micro$oft returned 'code', instead of raising an exception. It looks easy :). You can see below the appointed catalina log.

Can you supply me any URL, CVS repository, or whatever which points me to the JNDI source code? I have read that the JNDI API I must use is the one included in Java SDK 1.4.2.

Last question: can we solve the 'M$ protocol' issue just using Tomcat 5.0?

Regards,
Davi Leal

Tim Funk wrote:

I have gotten JNDIRealm to work against iPlanet. I have heard others get it working against:
- Active Directory (I personally had problems due to some IT policies)
- Novell
- OpenLDAP

But in the worst case - the code is open for change, so creating a custom Realm should be simple if one understands JNDI programming. Which is what I had to do with respect to ActiveDirectory and wacky business rules vs domain setup.

-Tim

David Diaz wrote:

Reference: http://www.weblogic.com/docs51/admindocs/ldap2.html#intro
The WebLogic LDAP realm has been tested against the following LDAP servers:
* OpenLDAP
* iPlanet Directory Server
* Microsoft Site Server
I would like to get a similar Tomcat link to show to my boss.

APPENDIX: The catalina log

  59 JNDIRealm[Standalone]: Connecting to URL ldap://host:1003

* Testing with a non-existent user:

  44 JNDIRealm[Standalone]: lookupUser(davi)
  44 JNDIRealm[Standalone]: dn=cn=davi,ou=Members,o=tpi
  44 JNDIRealm[Standalone]: validating credentials by binding as the user
  44 JNDIRealm[Standalone]: binding as cn=davi,ou=Members,o=org
  44 JNDIRealm[Standalone]: bind attempt failed
  44 JNDIRealm[Standalone]: Autentificación fallida para el usuario davi  (authentication failed for user davi)

* Testing with a user which is right, but using a wrong password:

  36 JNDIRealm[Standalone]: lookupUser(ph32796)
  36 JNDIRealm[Standalone]: dn=cn=ph32796,ou=Members,o=org
  36 JNDIRealm[Standalone]: validating credentials by binding as the user
  36 JNDIRealm[Standalone]: binding as cn=ph32796,ou=Members,o=org
  36 JNDIRealm[Standalone]: bind attempt failed
  36 JNDIRealm[Standalone]: Autentificación fallida para el usuario ph32796  (authentication failed for user ph32796)

* Testing with both user and password right:

  09 JNDIRealm[Standalone]: lookupUser(phe2796)
  09 JNDIRealm[Standalone]: dn=cn=phe2796,ou=Members,o=org
  09 JNDIRealm[Standalone]: validating credentials by binding as the user
  09 JNDIRealm[Standalone]: binding as cn=phe2796,ou=Members,o=org
  09 JNDIRealm[Standalone]: Excepción al realizar la autentificación  (exception while performing authentication)
  javax.naming.CommunicationException: [LDAP: error code 2 - Protocol Error]; remaining name ''
          at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2965)
          ...
  09 JNDIRealm[Standalone]: Closing directory context

The realm we are using in server.xml:

  <Realm className="org.apache.catalina.realm.JNDIRealm"
         debug="99"
         connectionName="cn=PHE2796,ou=Members,o=org"
         connectionPassword=
         connectionURL="ldap://host:1003"
         userPattern="cn={0},ou=Members,o=org"
         userSubtree="true"
         roleBase="ou=UserCFuncional,ou=CFuncional,ou=Groups,o=org"
         roleName="cn"
         roleSearch="(uniqueMember={0})" />
JNDIRealm(LDAP) Authentication Configuration Sample Required
Hi,

I have tried different options but cannot get the LDAP authentication to work in my application. Following is what I am using:

Tomcat: 4.1.27-LE-jdk14
Apache: 2.0.47
Java: 1.4.2
Linux OS: 7.3
LDAP: iPlanet LDAP Server

1) In this regard I have downloaded the latest JNDI API and then copied the ldap.jar file to the $CATALINA_HOME/server/lib directory.

2) Then I have added the following entry to the server.xml file:

<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.mycompany.com:389"
       userBase="ou=active,ou=employees,ou=people,o=mycompany.com"
       userSearch="(uid={0})"
       roleSearch="(uniqueMember={0})"
       roleName="cn"
       debug="99"
       contextFactory="com.sun.jndi.ldap.LdapCtxFactory" />

3) In my application web.xml file I have added the following:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Nrt</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>CEC</realm-name>
</login-config>

Then I have restarted Tomcat and Apache. I get the prompt for userid and password, but when I provide the correct userid/password I get a message saying incorrect userid and password. I think I am missing something in the configuration and Tomcat is not talking with LDAP; I was wondering if you can provide some input on this.

Appreciate your help and time.

Thanks
Arun
JNDIRealm LDAP Configuration Problem
Hi,

I am using the following:

Tomcat: 4.1.27-LE-jdk14
Apache: 2.0.47
Java: 1.4.2
Linux OS: 7.3
iPlanet LDAP Server

I am trying to configure an LDAP authentication mechanism for my application.

1) In this regard I have downloaded the latest JNDI API and then copied the ldap.jar file to the $CATALINA_HOME/server/lib directory.

2) Then I have added the following entry to the server.xml file:

<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.mycompany.com:389"
       userBase="ou=active,ou=employees,ou=people,o=mycompany.com"
       userSearch="(uid={0})"
       roleSearch="(uniqueMember={0})"
       roleName="cn"
       debug="99"
       contextFactory="com.sun.jndi.ldap.LdapCtxFactory" />

3) In my application web.xml file I have added the following:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Nrt</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>CEC</realm-name>
</login-config>

Then I have restarted Tomcat and Apache. I get the prompt for userid and password, but when I provide the correct userid/password I get a message saying incorrect userid and password. I think I am missing something in the configuration and Tomcat is not talking with LDAP; I was wondering if you can provide some input on this.

Appreciate your help and time.

Thanks
JNDIRealm (LDAP) Configuration Problem
Hi,

I am using the following:

Tomcat: 4.1.27-LE-jdk14
Apache: 2.0.47
Java: 1.4.2
Linux OS: 7.3

I am trying to configure an LDAP authentication mechanism for my application.

1) In this regard I have downloaded the latest JNDI API and then copied the ldap.jar file to the $CATALINA_HOME/server/lib directory.

2) Then I have added the following entry to the server.xml file:

<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.mycompany.com:389"
       userBase="ou=active,ou=employees,ou=people,o=mycompany.com"
       userSearch="(uid={0})"
       roleSearch="(uniqueMember={0})"
       roleName="cn"
       debug="99"
       contextFactory="com.sun.jndi.ldap.LdapCtxFactory" />

3) In my application web.xml file I have added the following:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Nrt</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>CEC</realm-name>
</login-config>

Then I have restarted Tomcat and Apache. I get the prompt for userid and password, but when I provide the correct userid/password I get a message saying incorrect userid and password. I think I am missing something in the configuration and Tomcat is not talking with LDAP; I was wondering if you can provide some input on this.

Appreciate your help and time.

Thanks
Arun
JNDIRealm User bind context available in the Servlet Context?
In a servlet I would like to access the same JNDIRealm directory server context that is used during BASIC authentication. Is it possible to configure the JNDIRealm as a resource link for the servlet context?

I *can* make an application super user to establish a DirContext, but wanted to use the same bind as the user/credentials from the class org.apache.catalina.realm.JNDIRealm.

I am trying to avoid using FORM authentication... and am trying to avoid writing my own org.apache.catalina.realm.JNDIRealm class, and trying to avoid putting clear text passwords in code or config files...

Any help appreciated.

tia
dant
Re: JNDIRealm: Authentication Failing [SOLVED]
Adam Sherman writes:

2003-07-27 13:44:06 JNDIRealm[Standalone]: validating credentials by binding as the user
2003-07-27 13:44:06 JNDIRealm[Standalone]: binding as uid=adam,ou=People,dc=tritus,dc=ca
2003-07-27 13:44:06 JNDIRealm[Standalone]: bind attempt failed

JNDIRealm is attempting to bind as 'uid=adam,ou=People,dc=tritus,dc=ca', which is correct and exists. I can bind as this user using the LDAP CLI tools.

Using a password that ends in a space doesn't work. I have tested this using the JNDI libs and it *does* work, so I assume that something else, maybe HTTP, is responsible.

I have filed a bug: 22176

Thank you,
A.

--
Adam Sherman
Tritus CG Inc.
http://www.tritus.ca/
+1 (613) 797-6819
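The trailing-space case above is a good reason to look at how Basic credentials are decoded before they reach the realm. The class below is an added example, not code from the post and not Tomcat's BasicAuthenticator: it decodes an Authorization header, splits on the first colon only, and never trims the decoded password, so a trailing space or an embedded colon reaches the bind unchanged. The UTF-8 charset is an assumption (Tomcat's own authenticator decides its own charset).

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Added example: decode "Authorization: Basic ..." without altering the password. */
public class BasicCredentials {
    public final String username;
    public final String password;

    private BasicCredentials(String username, String password) {
        this.username = username;
        this.password = password;
    }

    /** Parses the header value; returns null when it is not a well-formed Basic token. */
    public static BasicCredentials parse(String authorizationHeader) {
        if (authorizationHeader == null || authorizationHeader.length() < 6) {
            return null;
        }
        // The scheme name is case-insensitive; the token after it is not.
        if (!authorizationHeader.substring(0, 6).equalsIgnoreCase("Basic ")) {
            return null;
        }
        // Trimming the *encoded* token is harmless: base64 carries no whitespace.
        String token = authorizationHeader.substring(6).trim();
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(token);
        } catch (IllegalArgumentException e) {
            return null;
        }
        // Charset is an assumption for this example.
        String userPass = new String(raw, StandardCharsets.UTF_8);
        // Split on the FIRST colon only: a user-id may not contain ':' but a
        // password may, and the password is taken verbatim, trailing space included.
        int colon = userPass.indexOf(':');
        if (colon < 0) {
            return null;
        }
        return new BasicCredentials(userPass.substring(0, colon), userPass.substring(colon + 1));
    }

    public static void main(String[] args) {
        // Constructed sample: user "adam", password "s3cret " with a trailing space.
        String header = "Basic " + Base64.getEncoder()
                .encodeToString("adam:s3cret ".getBytes(StandardCharsets.UTF_8));
        BasicCredentials c = parse(header);
        System.out.println("user=[" + c.username + "] password=[" + c.password + "] length=" + c.password.length());

        // A colon inside the password is kept as well.
        String header2 = "Basic " + Base64.getEncoder()
                .encodeToString("adam:pa:ss".getBytes(StandardCharsets.UTF_8));
        System.out.println("password=[" + parse(header2).password + "]");
    }
}
```

Compare the printed length with the length of the password the user typed; if the two differ anywhere between the browser and the bind, that layer is the one that altered the credential.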
Re: JNDIRealm: Authentication Failing
My apologies for taking so long to reply. Thank you very much for your input!

Hayo Schmidt writes:

Is 'mail' the naming value? This means, if you export to an ldif file you should find a line
dn: [EMAIL PROTECTED],ou=People,dc=tritus,dc=ca

As you can see from the log snippet below:

2003-07-27 13:44:06 JNDIRealm[Standalone]: validating credentials by binding as the user
2003-07-27 13:44:06 JNDIRealm[Standalone]: binding as uid=adam,ou=People,dc=tritus,dc=ca
2003-07-27 13:44:06 JNDIRealm[Standalone]: bind attempt failed

JNDIRealm is attempting to bind as 'uid=adam,ou=People,dc=tritus,dc=ca', which is correct and exists. I can bind as this user using the LDAP CLI tools.

Since it is a BIND, the format of userPassword shouldn't matter.

Thanks for your help,
A.

--
Adam Sherman
Tritus CG Inc.
http://www.tritus.ca/
+1 (613) 797-6819
Re: JNDIRealm: Authentication Failing
Is 'mail' the naming value? This means, if you export to an ldif file you should find a line
dn: [EMAIL PROTECTED],ou=People,dc=tritus,dc=ca

Hayo Schmidt

Adam Sherman schrieb:

I am trying to get JNDIRealm to authenticate against my LDAP tree:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="200"
       connectionURL="ldap://localhost:389"
       userBase="ou=People,dc=tritus,dc=ca"
       userSearch="(mail={0})"
       roleBase="ou=Groups,dc=tritus,dc=ca"
       roleName="cn"
       roleSearch="(member={0})" />

Using a user I can authenticate with the OpenLDAP CLI tools:

2003-07-27 13:44:06 JNDIRealm[Standalone]: Searching for [EMAIL PROTECTED]
2003-07-27 13:44:06 JNDIRealm[Standalone]: base: ou=People,dc=tritus,dc=ca filter: ([EMAIL PROTECTED])
2003-07-27 13:44:06 JNDIRealm[Standalone]: entry found for [EMAIL PROTECTED] with dn uid=adam,ou=People,dc=tritus,dc=ca
2003-07-27 13:44:06 JNDIRealm[Standalone]: validating credentials by binding as the user
2003-07-27 13:44:06 JNDIRealm[Standalone]: binding as uid=adam,ou=People,dc=tritus,dc=ca
2003-07-27 13:44:06 JNDIRealm[Standalone]: bind attempt failed
2003-07-27 13:44:06 JNDIRealm[Standalone]: Username [EMAIL PROTECTED] NOT successfully authenticated

The lookup functions correctly, but binding fails. Even though I know the user can bind.

Info: Tomcat 4.1.24, OpenLDAP 2.1.x

Any ideas?

A.
JNDIRealm using LDAP with SSL
Does anyone have any experience getting ldaps working with the JNDIRealms in Tomcat 4.1.24? Regular LDAP is working fine, but when I change the connection URL to ldaps://ldap-host:636 I get the following error:

2003-07-28 09:40:49 JNDIRealm[Standalone]: Connecting to URL ldaps://10.1.1.50:636
2003-07-28 09:40:50 JNDIRealm[Standalone]: Exception performing authentication
javax.naming.CommunicationException: simple bind failed: 10.1.1.50:636 [Root exception is javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found]

My Realm element in server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       resourceName="UserDatabase"
       connectionURL="ldaps://10.1.1.50:636"
       connectionName="cn=TOMCAT,ou=WebAppUser,ou=MyOU,o=MyCompany"
       connectionPassword="password"
       userBase="o=MyCompany"
       userSearch="(&amp;(cn={0})(objectClass=inetOrgPerson))"
       userSubtree="true"
       roleBase="ou=WebAppGrp,ou=MyOU,o=MyCompany"
       roleSearch="(uniqueMember={0})"
       roleName="cn" />

Like I said, this works if connectionURL="ldap://10.1.1.50:389". I can connect to the LDAP server (Novell eDirectory) via SSL using a Java browser if I accept the certificate, so I wonder if that might have something to do with it. I've also successfully followed the Config-SSL-HOWTO, accepted the certificate from the server and set up the keystore for the connector as described, but I get the feeling that this is strictly for enabling SSL over HTTP.

Thanks in advance.

Chris
Re: JNDIRealm using LDAP with SSL
We've done exactly that. What you need to do is import the root certificate into a .keystore file. I'm not sure if Tomcat will pick up the default cacerts file, or if you always have to specify it like we did (-Djavax.net.ssl.trustStore=sys:/adminsrv/conf/.keystore etc.). My guess is that you can set that in the java.security file in java\lib\security instead of specifying it on the command line.

If you are doing this on a NetWare server, here is something similar to what we use to import the certificate:

keytool -import -v -noprompt -trustcacerts -file sys:/public/RootCert.der -keystore sys:/adminsrv/conf/.keystore -storepass changeit

If you are running eDirectory on something besides the server, I'm not exactly sure how to get the RootCert.der file; I'm guessing it can be done as an export from ConsoleOne.

Oh, I just read the bottom of your message where you said you have done some work with the keystore. It looks like the documentation is a little different for just setting up the SSL connector. Try doing the import of the root certificate and see if it works any better.

Good luck,

Jeff Tulley ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

[EMAIL PROTECTED] 7/28/03 9:49:56 AM

Does anyone have any experience getting ldaps working with the JNDIRealms in Tomcat 4.1.24? Regular LDAP is working fine, but when I change the connection URL to ldaps://ldap-host:636 I get the following error:

2003-07-28 09:40:49 JNDIRealm[Standalone]: Connecting to URL ldaps://10.1.1.50:636
2003-07-28 09:40:50 JNDIRealm[Standalone]: Exception performing authentication
javax.naming.CommunicationException: simple bind failed: 10.1.1.50:636 [Root exception is javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found]

My Realm element in server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       resourceName="UserDatabase"
       connectionURL="ldaps://10.1.1.50:636"
       connectionName="cn=TOMCAT,ou=WebAppUser,ou=MyOU,o=MyCompany"
       connectionPassword="password"
       userBase="o=MyCompany"
       userSearch="(&amp;(cn={0})(objectClass=inetOrgPerson))"
       userSubtree="true"
       roleBase="ou=WebAppGrp,ou=MyOU,o=MyCompany"
       roleSearch="(uniqueMember={0})"
       roleName="cn" />

Like I said, this works if connectionURL="ldap://10.1.1.50:389". I can connect to the LDAP server (Novell eDirectory) via SSL using a Java browser if I accept the certificate, so I wonder if that might have something to do with it. I've also successfully followed the Config-SSL-HOWTO, accepted the certificate from the server and set up the keystore for the connector as described, but I get the feeling that this is strictly for enabling SSL over HTTP.

Thanks in advance.

Chris
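The "No trusted certificate found" failure is the JSSE trust check, not Tomcat's HTTPS connector keystore, which is why the Config-SSL-HOWTO steps did not help. The class below is an added example, not code from this thread, from Novell or from Tomcat: it first confirms that the trust store named on the command line really contains a trusted-certificate entry (an import that went to a different file is the usual reason the error persists), then opens an LDAPS DirContext the same way the JNDI LDAP provider does for JNDIRealm. The argument order, the bind DN and the URL are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Added example: verify the trust store, then bind over LDAPS with JNDI. */
public class LdapsTrustCheck {

    /** Counts trusted-certificate entries and prints their subjects; 0 means the CA import did not land here. */
    public static int countTrustedCerts(String storePath, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(storePath)) {
            ks.load(in, storePass);
        }
        int n = 0;
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (ks.isCertificateEntry(alias)) {
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                System.out.println(alias + " -> " + cert.getSubjectX500Principal());
                n++;
            }
        }
        return n;
    }

    /** Opens an LDAPS context with a simple bind; an untrusted server chain fails here, before any search. */
    public static DirContext connect(String url, String bindDn, char[] bindPass) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);               // assumed form: ldaps://ldap-host:636
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPass);  // the LDAP provider accepts char[]
        return new InitialDirContext(env);
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: <truststore path> <truststore password> <ldaps URL> <bind DN>
        String storePath = args[0];
        char[] storePass = args[1].toCharArray();
        if (countTrustedCerts(storePath, storePass) == 0) {
            System.err.println("no trusted certificate entries in " + storePath + "; import the root CA first");
            System.exit(1);
        }
        // Same effect as -Djavax.net.ssl.trustStore=... on the command line, as long as it
        // is set before the first SSL handshake in this JVM.
        System.setProperty("javax.net.ssl.trustStore", storePath);
        System.setProperty("javax.net.ssl.trustStorePassword", args[1]);

        // Read the bind password interactively rather than taking it from the command line.
        char[] bindPass = System.console().readPassword("bind password for %s: ", args[3]);
        DirContext ctx = connect(args[2], args[3], bindPass);
        System.out.println("LDAPS bind OK, bound in namespace: " + ctx.getNameInNamespace());
        ctx.close();
    }
}
```

If the count is non-zero but the bind still fails with the same ValidatorException, the entry is not the root of the chain the server actually presents (or the server sends no intermediate), and the certificate to import is the one at the top of that chain.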
Re: JNDIRealm using LDAP with SSL
Jeff Tulley wrote:

We've done exactly that. What you need to do is import the root certificate into a .keystore file. I'm not sure if Tomcat will pick up the default cacerts file, or if you always have to specify it like we did (-Djavax.net.ssl.trustStore=sys:/adminsrv/conf/.keystore etc.). My guess is that you can set that in the java.security file in java\lib\security instead of specifying it on the command line.

Thanks Jeff! I used the command line trick and that worked. I'm not sure about the java.security file since I'm not sure what that is. We are using another filename for the keystore and explicitly specifying it for the https configuration, so I'll bet this would work if the keystore file was the default ~/.keystore.

Thanks again.

Chris
JNDIRealm: Authentication Failing
I am trying to get JNDIRealm to authenticate against my LDAP tree:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="200"
       connectionURL="ldap://localhost:389"
       userBase="ou=People,dc=tritus,dc=ca"
       userSearch="(mail={0})"
       roleBase="ou=Groups,dc=tritus,dc=ca"
       roleName="cn"
       roleSearch="(member={0})" />

Using a user I can authenticate with the OpenLDAP CLI tools:

2003-07-27 13:44:06 JNDIRealm[Standalone]: Searching for [EMAIL PROTECTED]
2003-07-27 13:44:06 JNDIRealm[Standalone]: base: ou=People,dc=tritus,dc=ca filter: ([EMAIL PROTECTED])
2003-07-27 13:44:06 JNDIRealm[Standalone]: entry found for [EMAIL PROTECTED] with dn uid=adam,ou=People,dc=tritus,dc=ca
2003-07-27 13:44:06 JNDIRealm[Standalone]: validating credentials by binding as the user
2003-07-27 13:44:06 JNDIRealm[Standalone]: binding as uid=adam,ou=People,dc=tritus,dc=ca
2003-07-27 13:44:06 JNDIRealm[Standalone]: bind attempt failed
2003-07-27 13:44:06 JNDIRealm[Standalone]: Username [EMAIL PROTECTED] NOT successfully authenticated

The lookup functions correctly, but binding fails. Even though I know the user can bind.

Info: Tomcat 4.1.24, OpenLDAP 2.1.x

Any ideas?

A.

--
Adam Sherman
Tritus CG Inc.
http://www.tritus.ca/
+1 (613) 797-6819
how to set up JNDIRealm in tomcat4.1.24 bundled with Jboss
Hi,

I have successfully set up JNDIRealm for FORM based authentication and it is working perfectly in standalone Tomcat 4.1.24. However, I am unable to do the same in Tomcat 4.1.24 bundled with JBoss. Could anybody please help me out in setting up JNDIRealm in Tomcat 4.1.24 bundled with JBoss... please...

Thank you very much in advance,
Naveen
REPOST: CLIENT-CERT and JNDIRealm
Hello!

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831

I think a common solution should be found for this, so I try again to push a discussion.

Questions:
*) Are there some standards for how to map a certificate to a user within an LDAP server?
*) If not, could/should we implement some of my code directly in a class (say) JNDIRealmCert, so one could simply override an abstract certToUser method?

I have tried to use CLIENT-CERT to authenticate the user for our application. JNDIRealm does not support such authentication, so I have tried to implement it. For our infrastructure my solution works well, but I think (know) it is strongly bound to it.

The way it works is to get a certificate for a user, and import this certificate into the ActiveDirectory server. During authentication a user with the matching certificate is searched, and the cn for this user is used from then on (getRoles() ...).

First, I have created a new class JNDIRealmCertAD (JNDIRealm Certificate ActiveDirectory) and introduced a new property certSearch. (I also have copied the *Pattern getter/setter for use with certificates, but haven't tested it yet.) Much of the code from JNDIRealm has to be copied, due to the private User class; however, this class is a prototype.

The advantage (I think) of my solution is that it does not use Cert.getSubjectDN() for the username; instead it is using the cn (or any other attribute) of the LDAP entry returned when searching the corresponding user for the certificate. With my class it is possible to use BASIC and CLIENT-CERT and always have the same username for the application. I think the application should not be bothered with the type of authentication.

However, currently this solution is bound to our Win2000 domain.

Comments are welcome!!

Ciao,
Mario
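Whatever a certSearch property ends up matching on, the values copied out of the presented certificate are placed inside an LDAP search filter, and a subject DN can legally contain the characters that give a filter its structure. The class below is an added example, not Mario's JNDIRealmCertAD and not Tomcat code: it escapes filter values as RFC 4515 requires and builds the certificate lookup filter from them. The attribute names x509Subject and x509Serial and the sample subject are assumptions.

```java
import java.nio.charset.StandardCharsets;

/** Added example: RFC 4515 escaping for values taken from a client certificate. */
public class CertSearchFilter {

    /** Escapes one assertion value for an LDAP search filter (RFC 4515 section 3). */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (byte raw : value.getBytes(StandardCharsets.UTF_8)) {
            int b = raw & 0xff;
            boolean structural = b == '*' || b == '(' || b == ')' || b == '\\' || b == 0;
            // Structural characters, control bytes and non-ASCII bytes all become \XX.
            if (structural || b < 0x20 || b >= 0x80) {
                sb.append(String.format("\\%02x", b));
            } else {
                sb.append((char) b);
            }
        }
        return sb.toString();
    }

    /** Filter matching the one entry whose stored subject and serial equal the certificate's. */
    public static String certFilter(String subjectDn, String serialHex) {
        // Attribute names are assumptions; use whatever the directory stores for the certificate.
        return "(&(x509Subject=" + escapeFilterValue(subjectDn) + ")"
             + "(x509Serial=" + escapeFilterValue(serialHex) + "))";
    }

    public static void main(String[] args) {
        // Constructed sample. In a realm the subject comes from
        // X509Certificate.getSubjectX500Principal().getName() and the serial from getSerialNumber().
        String subject = "CN=Mario (test)*,OU=Dev,O=Example";
        String serial = "1a2b3c";
        System.out.println(certFilter(subject, serial));
    }
}
```

The parentheses and the asterisk in the sample subject come out as \28, \29 and \2a, so the filter keeps exactly two assertions regardless of what the certificate's subject contains; without the escaping the same subject would be parsed as extra filter components or a substring match.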
ActiveDirectory not following referrals when using JNDIRealm
I'm using Tomcat 4.1.24 (win32) and I have my JNDIRealm configured like so:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="5"
       referrals="follow"
       connectionURL="ldap://vader.arbor.edu"
       alternateURL="ldap://bsod.arbor.edu"
       userBase="dc=arbor,dc=edu"
       userSearch="(&amp;(objectClass=user) (cn={0}))"
       roleBase="dc=arbor,dc=edu"
       roleName="cn"
       roleSearch="(&amp;(objectClass=group) (member={0}))"
       connectionName="distinguished name"
       connectionPassword="password"
       roleSubtree="true"
       userSubtree="true" />

And I'm getting the following PartialResultException:

2003-06-06 10:25:12 JNDIRealm[Standalone]: Exception performing authentication
javax.naming.PartialResultException. Root exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 532, v893]
  at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:74)
  at com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:132)
  at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(LdapNamingEnumeration.java:334)
  at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:207)
  at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:170)
  at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1036)
  at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:913)
  at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:862)
  at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:788)
  at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:161)
  at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:526)
  at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
  at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
  at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
  at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2415)
  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
  at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
  at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171)
  at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
  at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
  at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:509)
  at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
  at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:376)
  at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
  at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
  at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
  at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
  at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
  at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
  at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
  at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:261)
  at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:360)
  at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:604)
  at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:562)
  at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:679)
  at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
  at java.lang.Thread.run(Thread.java:536)

Can anyone tell where I'm going wrong? This configuration works fine in 4.1.18, but not in 4.1.24. (It works in 4.1.18 because I implemented the patch that I submitted to Tomcat for the alternateURL stuff.)

Brad Handy
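Two details of that trace are worth reading before changing anything. First, the AuthenticationException is raised inside LdapReferralContext.<init>: with referrals="follow" the JNDI provider opens a connection to the server named in the referral and binds there again with the realm's connectionName and connectionPassword, so it is that second bind the domain controller refused. Second, the "data 532" field is an Active Directory bind subcode that names the reason. The class below is an added example, not Tomcat code: it extracts the subcode from an exception message and maps it using the commonly documented AD values (the hex form of the Win32 logon error numbers). The sample message is the one from the post.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: decode the "data NNN" subcode AD puts into an LDAP bind failure. */
public class AdBindError {

    // Subcodes AD returns in "AcceptSecurityContext error, data NNN" (hex).
    private static final Map<String, String> SUBCODES = new HashMap<>();
    static {
        SUBCODES.put("525", "user not found");
        SUBCODES.put("52e", "invalid credentials");
        SUBCODES.put("530", "not permitted to logon at this time");
        SUBCODES.put("531", "not permitted to logon from this workstation");
        SUBCODES.put("532", "password expired");
        SUBCODES.put("533", "account disabled");
        SUBCODES.put("701", "account expired");
        SUBCODES.put("773", "user must reset password");
        SUBCODES.put("775", "account locked out");
    }

    private static final Pattern DATA =
            Pattern.compile("AcceptSecurityContext error, data ([0-9a-fA-F]+)");

    /** Returns "data <code>: <meaning>", or null when the message carries no AD subcode. */
    public static String explain(String exceptionMessage) {
        if (exceptionMessage == null) {
            return null;
        }
        Matcher m = DATA.matcher(exceptionMessage);
        if (!m.find()) {
            return null;
        }
        String code = m.group(1).toLowerCase();
        String meaning = SUBCODES.get(code);
        return "data " + code + ": " + (meaning != null ? meaning : "unlisted subcode");
    }

    /** Convenience for the PartialResultException case: unwrap to the root NamingException first. */
    public static String explain(javax.naming.NamingException e) {
        Throwable root = e.getRootCause() != null ? e.getRootCause() : e;
        return explain(root.getMessage());
    }

    public static void main(String[] args) {
        // Sample input: the message from the post above.
        String msg = "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: "
                   + "AcceptSecurityContext error, data 532, v893]";
        System.out.println(explain(msg));
        System.out.println(explain("[LDAP: error code 49 - Invalid Credentials]"));
    }
}
```

Logging the decoded subcode next to the realm's "Exception performing authentication" line separates a service-account problem (expired, disabled, locked) from a genuinely wrong password without exposing which user DN was looked up.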
Re: ActiveDirectory not following referrals when using JNDIRealm
I figured it out. The credentials I was using for the creation of the InitialDirContext didn't have enough permissions (for some weird reason). I got it to work when I used a different account.

Brad Handy

At 11:28 AM 6/6/2003, you wrote:

I'm using Tomcat 4.1.24 (win32) and I have my JNDIRealm configured like so:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="5"
       referrals="follow"
       connectionURL="ldap://vader.arbor.edu"
       alternateURL="ldap://bsod.arbor.edu"
       userBase="dc=arbor,dc=edu"
       userSearch="(&amp;(objectClass=user) (cn={0}))"
       roleBase="dc=arbor,dc=edu"
       roleName="cn"
       roleSearch="(&amp;(objectClass=group) (member={0}))"
       connectionName="distinguished name"
       connectionPassword="password"
       roleSubtree="true"
       userSubtree="true" />

And I'm getting the following PartialResultException:

2003-06-06 10:25:12 JNDIRealm[Standalone]: Exception performing authentication
javax.naming.PartialResultException. Root exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 532, v893]
  at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:74)
  at com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:132)
  at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(LdapNamingEnumeration.java:334)
  at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:207)
  at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:170)
  at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1036)
  at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:913)
  at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:862)
  at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:788)
  at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:161)
  at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:526)
  at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
  at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
  at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
  at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2415)
  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
  at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
  at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171)
  at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
  at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
  at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:509)
  at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
  at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:376)
  at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
  at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
  at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
  at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
  at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
  at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
  at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
  at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:261)
  at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:360)
  at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:604)
  at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:562)
  at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:679)
  at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
  at java.lang.Thread.run(Thread.java:536)

Can anyone tell where I'm going wrong? This configuration works fine in 4.1.18, but not in 4.1.24. (It works in 4.1.18, because I
Tomcat JNDIRealm subtree role enumeration
Hi All,

Question: Does Tomcat enumerate the values of attributes back up the sub-tree if it finds an entry [in the LDAP schema] at a lower layer, or does it only (strictly) give back the value of the attribute of the specific entry that it found?

Background: We have an LDAP schema that is organized as follows:

dn: cn=user,ou=Groups,o=Canada,...
uniqueMember: cn=somecompany,ou=Groups,o=Canada,...

and

dn: cn=somecompany,ou=Groups,o=Canada,...
uniqueMember: uid=someuser,ou=People,o=Canada,...

My Tomcat (4.0.6) JNDIRealm configuration is as follows:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://ldaphost01:389"
       connectionName="cn=Directory Manager"
       connectionPassword=""
       userPattern="uid={0},ou=People,o=Canada,..."
       userPassword="userPassword"
       userSubtree="true"
       roleBase="ou=Groups,o=Canada,..."
       roleName="cn"
       roleSearch="(uniqueMember={0})"
       roleSubtree="true" />

When Tomcat finds the entry someuser, I would ideally like the role (cn) enumeration (somecompany, user) back, but I SEEM to be getting [only] (somecompany) back. Is this true? How can I confirm? Is it possible to get my ideal enumeration back?

Thanks for your time. Any comment will be greatly appreciated.

Markus
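A single roleSearch with {0} set to the user's DN can only return the groups whose uniqueMember lists that DN directly, which matches the (somecompany) result seen here; the nested group cn=user names cn=somecompany, not the user, so a realm has to repeat the search with each group DN as {0}. The class below is an added example, not Tomcat code: it resolves the transitive membership over a constructed in-memory copy of the directory above (a Map stands in for the LDAP searches) and shows why a visited set and a depth cap are needed, since group graphs in real directories can contain cycles. The sample DNs are taken from the post with the trailing "..." dropped; the cn=admins group is an added, constructed entry that creates a cycle.

```java
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Deque;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Added example: transitive (nested) group resolution a custom realm would have to perform. */
public class NestedRoles {

    /** group DN -> uniqueMember values; constructed stand-in for an LDAP search under roleBase. */
    static final Map<String, Set<String>> GROUPS = new LinkedHashMap<>();
    static {
        GROUPS.put("cn=user,ou=Groups,o=Canada",
                new HashSet<>(Arrays.asList("cn=somecompany,ou=Groups,o=Canada",
                                            "cn=admins,ou=Groups,o=Canada")));
        GROUPS.put("cn=somecompany,ou=Groups,o=Canada",
                new HashSet<>(Arrays.asList("uid=someuser,ou=People,o=Canada")));
        // Constructed cycle: admins contains user, and user (above) contains admins.
        GROUPS.put("cn=admins,ou=Groups,o=Canada",
                new HashSet<>(Arrays.asList("cn=user,ou=Groups,o=Canada")));
    }

    /** Equivalent of roleSearch=(uniqueMember={0}): groups that list memberDn directly. */
    static List<String> directGroups(String memberDn) {
        List<String> out = new ArrayList<>();
        for (Map.Entry<String, Set<String>> e : GROUPS.entrySet()) {
            if (e.getValue().contains(memberDn)) {
                out.add(e.getKey());
            }
        }
        return out;
    }

    /** Every group reachable from userDn, breadth first, each group searched once, depth capped. */
    static Set<String> allGroups(String userDn, int maxDepth) {
        Set<String> seen = new LinkedHashSet<>();
        Deque<String> frontier = new ArrayDeque<>(directGroups(userDn));
        for (int depth = 0; depth < maxDepth && !frontier.isEmpty(); depth++) {
            int levelSize = frontier.size();
            for (int i = 0; i < levelSize; i++) {
                String group = frontier.removeFirst();
                if (seen.add(group)) {                 // the visited set breaks the cycle
                    frontier.addAll(directGroups(group));
                }
            }
        }
        return seen;
    }

    /** roleName=cn: reduce each group DN to the value of its first RDN. */
    static List<String> roleNames(Set<String> groupDns) {
        List<String> names = new ArrayList<>();
        for (String dn : groupDns) {
            int eq = dn.indexOf('=');
            int comma = dn.indexOf(',');
            names.add(dn.substring(eq + 1, comma < 0 ? dn.length() : comma));
        }
        return names;
    }

    public static void main(String[] args) {
        String user = "uid=someuser,ou=People,o=Canada";
        System.out.println("direct:     " + roleNames(new LinkedHashSet<>(directGroups(user))));
        System.out.println("transitive: " + roleNames(allGroups(user, 10)));
    }
}
```

The first line is what a single roleSearch yields (somecompany); the second adds user and admins, and the depth cap keeps a malformed directory from turning one login into an unbounded series of searches.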
RE: Anyone successfully authenticating Tomcat users w/ windows login info using a JNDIRealm?
Try this:

http://www.jguru.com/faq/view.jsp?EID=1045412

--
Darian Shimy

-----Original Message-----
From: Tim Funk [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 26, 2003 11:16 AM
To: Tomcat Users List
Subject: Re: Anyone successfully authenticating Tomcat users w/ windows login info using a JNDIRealm?

If you have multiple domains, I think you're out of luck. If you run a single Active Directory domain, you *might* be able to do something like this:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://need.morecowbell.com:389"
       userBase="dc=more,dc=morecowbell,dc=com"
       userSearch="(userPrincipalName={0})"
       userRoleName="member"
       roleBase="dc=more,dc=morecowbell,dc=com"
       roleName="cn"
       roleSearch="(member={0})"
       connectionName="cn=A_USER,cn=Users,dc=more,dc=morecowbell,dc=com"
       connectionPassword="prescription"
       roleSubtree="true"
       userSubtree="true" />

To connect to Active Directory, you need a special user connection. That's why connectionName="cn=A_USER,cn=Users,dc=more,dc=morecowbell,dc=com" is used.

I hope you have better luck than I had.

-Tim

Dan Payne wrote:

I'm looking for some assistance in setting up single sign-on with our Windows 2000 intranet and Tomcat using Windows Active Directory and a Tomcat JNDIRealm and LDAP. What I'm essentially looking for is HttpServletRequest.getRemoteUser() to return the username used to authenticate to the Windows network (Active Directory). My last post was rather vague and elicited no responses. I've done some more research and this seems to be the way to go, but it would be nice if anyone who's already done it could relate their experiences or perhaps point me in the right direction to some resources covering this issue.

Thanks again,
Dan
Anyone successfully authenticating Tomcat users w/ windows login info using a JNDIRealm?
I'm looking for some assistance in setting up single sign-on with our Windows 2000 intranet and Tomcat using Windows Active Directory and a Tomcat JNDIRealm and LDAP. What I'm essentially looking for is HttpServletRequest.getRemoteUser() to return the username used to authenticate to the Windows network (Active Directory).

My last post was rather vague and elicited no responses. I've done some more research and this seems to be the way to go, but it would be nice if anyone who's already done it could relate their experiences or perhaps point me in the right direction to some resources covering this issue.

Thanks again,
Dan
Re: Anyone successfully authenticating Tomcat users w/ windows login info using a JNDIRealm?
If you have multiple domains, I think you're out of luck. If you run a single Active Directory domain, you *might* be able to do something like this:

    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
           connectionURL="ldap://need.morecowbell.com:389"
           userBase="dc=more,dc=morecowbell,dc=com"
           userSearch="(userPrincipalName={0})"
           userRoleName="member"
           roleBase="dc=more,dc=morecowbell,dc=com"
           roleName="cn"
           roleSearch="(member={0})"
           connectionName="cn=A_USER,cn=Users,dc=more,dc=morecowbell,dc=com"
           connectionPassword="prescription"
           roleSubtree="true"
           userSubtree="true" />

To connect to Active Directory, you need a special user connection. That's why connectionName="cn=A_USER,cn=Users,dc=more,dc=morecowbell,dc=com" is used.

I hope you have better luck than I had.

-Tim

Dan Payne wrote:

> I'm looking for some assistance in setting up single sign-on with our Windows 2000 intranet and Tomcat using Windows Active Directory and a Tomcat JNDIRealm and LDAP. What I'm essentially looking for is HttpServletRequest.getRemoteUser() to return the username used to authenticate to the Windows network (Active Directory).
>
> My last post was rather vague and elicited no responses. I've done some more research and this seems to be the way to go, but it would be nice if anyone who's already done it could relate their experiences or perhaps point me in the right direction to some resources covering this issue.
>
> Thanks again,
> Dan
Send parameters to the JNDIRealm
Hi.

I have an application that connects to a servlet and sends it a set of parameters through an OutputStream. I have a JNDIRealm installed, and when the application connects to the servlet, my Realm can't map these parameters (with the client certificate) to any authenticate() method. What parameters are sent to my JNDIRealm?

I think that the authenticate method will be ~ authenticate(X509Certificate[] certs, xxx) - xxx = ??

Regards.
Get URL within JNDIRealm
Hi...

I've been making a JNDIRealm with LDAP access and I need to get the URL where the JNDIRealm is called. I have various security constraints and I would like to distinguish the protected zones. How can I get the URL from within my own JNDIRealm?
Retrieve parameters from web.xml in my own JNDIRealm
I've been making my own JNDIRealm, and my web application has various protected zones. In my JNDIRealm I would like to retrieve the parameters from web.xml (security-constraint subelements) related to the protected zones. For example, in the web.xml file I have the following lines:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Private Zone 1</web-resource-name>
        ...
      </web-resource-collection>
      ...
    </security-constraint>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Private Zone 2</web-resource-name>
        ...
      </web-resource-collection>
      ...
    </security-constraint>

In my JNDIRealm I would like to distinguish the different zones by the web-resource-name subelement in order to do different things. How can I retrieve this subelement while my application is running?

Thanks.
Searches on JNDIRealm
Hi all.

I have been making a JNDIRealm for LDAP connections (the JNDIRealm has to retrieve client certificates from LDAP). I would like to perform searches only by Organizational Unit (Organization and Country are fixed); however, the client DN is CN - OU - OU - C (the root search for my LDAP). The code should be as follows:

    import javax.naming.NamingEnumeration;
    import javax.naming.directory.SearchControls;

    // Set up search controls: search the whole subtree below the base DN.
    SearchControls ctls = new SearchControls();
    ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);

    // Perform the search; {0} in the filter is replaced with orgunit.
    NamingEnumeration answer = ctx.search("O=myOrganization, C=myCountry",
                                          "(ou={0})",
                                          new Object[] {orgunit},
                                          ctls);

orgunit = param to my JNDIRealm (e.g. myOrgUnit)
CN = indifferent

The previous code does not work (error 32 - No such object). Can somebody help me?

Thanks and regards.
Re: JNDIRealm login failure
Gil

Check whether the directory server is configured to time out idle connections. If so, the first attempt made by Tomcat to authenticate after a long enough period of inactivity will fail in the manner you describe. If this is the problem, you should find that after a second login attempt has succeeded other users can authenticate straight away - until the next long period of inactivity.

You may be able to fix the problem by disabling the timeout on the directory server. (You don't say which directory server you are using).

Really there should be an option for JNDIRealm to check whether the connection is valid and reconnect if not before the authentication attempt is made. However, its connection management is very basic!

John.

Gil Chilton wrote:

> I have created a simple Tomcat web app that uses a JNDIRealm for authentication per the instructions in the Tomcat 4.1 documentation. When I start Tomcat, the login process for this web app works fine for a few minutes or logins. Eventually, I reach a state where the first login always fails until I restart Tomcat. Each failed login results in the following error in the logs:
>
>     2003-01-06 14:33:35 JNDIRealm[Standalone]: Exception performing authentication
>     javax.naming.CommunicationException. Root exception is java.net.SocketException: Connection reset
>         at java.net.SocketInputStream.read(SocketInputStream.java:168)
>         at java.io.BufferedInputStream.fill(BufferedInputStream.java:183)
>         at java.io.BufferedInputStream.read1(BufferedInputStream.java:222)
>         at java.io.BufferedInputStream.read(BufferedInputStream.java:277)
>         at com.sun.jndi.ldap.Connection.run(Connection.java:779)
>         at java.lang.Thread.run(Thread.java:536)
>
> If the user backs up and resubmits the login a second time, it works with no additional log entries. I have seen this on Tomcat 4.1.12 and now 4.1.18 with BASIC or FORM based authentication. I have searched the web and mailing lists without a match. The platform is RedHat Linux 7.3 or 8.0 with Sun's SDK 1.4.1_01 installed.
>
> Any ideas? Thanks
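The failure mode John describes, and the reconnect he asks for, can be reproduced without a directory server. The Python model below is an added example (not Tomcat code): a constructed fake server drops connections idle longer than its timeout, a realm that keeps one long-lived connection shows Gil's symptom (first login after a quiet period fails, the second works), and retry_once is the fix, which later JNDIRealm versions implement by closing the context, reopening and retrying once on CommunicationException. The account name and password are constructed values.

```python
"""The stale-connection failure from this thread, modelled in Python.

Added example, not Tomcat code. A fake directory server drops connections idle
longer than its timeout; the next operation on such a connection fails with a
communication error (the 'Connection reset' in the trace). A realm holding one
long-lived connection then shows Gil's symptom: the first login after a quiet
period fails, the second works. retry_once is the fix John describes.
"""


class CommunicationError(Exception):
    """Stands in for javax.naming.CommunicationException."""


class FakeConnection:
    def __init__(self, server):
        self.server = server
        self.last_used = server.clock
        self.alive = True

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind. Fails hard if the server reset this connection while idle."""
        idle = self.server.clock - self.last_used
        if not self.alive or idle > self.server.idle_timeout:
            self.alive = False
            raise CommunicationError("Connection reset")
        self.last_used = self.server.clock
        return self.server.accounts.get(dn) == password

    def close(self):
        self.alive = False


class FakeDirectoryServer:
    """Constructed stand-in: a few accounts and an idle timeout, on a simulated clock."""
    def __init__(self, idle_timeout: int, accounts: dict):
        self.idle_timeout, self.accounts, self.clock = idle_timeout, accounts, 0

    def advance(self, seconds: int):
        self.clock += seconds

    def connect(self) -> FakeConnection:
        return FakeConnection(self)


class Realm:
    """Keeps one connection open across logins, as JNDIRealm does."""
    def __init__(self, server: FakeDirectoryServer, retry_once: bool):
        self.server, self.retry_once = server, retry_once
        self.conn = None
        self.reconnects = 0

    def _connection(self) -> FakeConnection:
        if self.conn is None:
            self.conn = self.server.connect()
        return self.conn

    def authenticate(self, dn: str, password: str) -> bool:
        try:
            return self._connection().bind(dn, password)
        except CommunicationError:
            self.conn.close()
            self.conn = None            # either way, the next call gets a fresh connection
            if not self.retry_once:
                return False            # the behaviour Gil reports: this login fails
            self.reconnects += 1        # reopen and retry once; a wrong password is never retried
            return self._connection().bind(dn, password)


def login_sequence(retry_once: bool, idle_gap: int = 600, timeout: int = 300) -> list:
    """Log in, stay idle for idle_gap seconds, log in twice more; return the outcomes."""
    dn, pw = "uid=gil,ou=People,dc=example,dc=com", "constructed-secret"
    realm = Realm(FakeDirectoryServer(timeout, {dn: pw}), retry_once)
    outcomes = [realm.authenticate(dn, pw)]
    realm.server.advance(idle_gap)
    outcomes.append(realm.authenticate(dn, pw))
    outcomes.append(realm.authenticate(dn, pw))
    return outcomes
```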
JNDIRealm login failure
I have created a simple Tomcat web app that uses a JNDIRealm for authentication per the instructions in the Tomcat 4.1 documentation. When I start Tomcat, the login process for this web app works fine for a few minutes or logins. Eventually, I reach a state where the first login always fails until I restart Tomcat. Each failed login results in the following error in the logs:

    2003-01-06 14:33:35 JNDIRealm[Standalone]: Exception performing authentication
    javax.naming.CommunicationException. Root exception is java.net.SocketException: Connection reset
        at java.net.SocketInputStream.read(SocketInputStream.java:168)
        at java.io.BufferedInputStream.fill(BufferedInputStream.java:183)
        at java.io.BufferedInputStream.read1(BufferedInputStream.java:222)
        at java.io.BufferedInputStream.read(BufferedInputStream.java:277)
        at com.sun.jndi.ldap.Connection.run(Connection.java:779)
        at java.lang.Thread.run(Thread.java:536)

If the user backs up and resubmits the login a second time, it works with no additional log entries. I have seen this on Tomcat 4.1.12 and now 4.1.18 with BASIC or FORM based authentication. I have searched the web and mailing lists without a match. The platform is RedHat Linux 7.3 or 8.0 with Sun's SDK 1.4.1_01 installed.

Any ideas? Thanks
JNDIRealm expires?
I have been able to successfully set up a JNDIRealm in Tomcat for authentication. The only problem is that after about 12 (rough guess) I get the dreaded black page instead of seeing my login form. The workaround is to restart Tomcat. Obviously, this won't work well for an always-on service. Maybe there might be a way to reinitialize an idle connection?

Thanks.

    2002-10-08 12:35:18 CoyoteAdapter An exception or error occurred in the container during the request processing
    java.lang.NullPointerException
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:173)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2516)
        at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2458)
        at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2432)
        at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1837)
        at com.sun.jndi.ldap.LdapCtx.doSearchOnce(LdapCtx.java:1829)
        at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1223)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:213)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:121)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:109)
        at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:121)
        at org.apache.catalina.realm.JNDIRealm.bindAsUser(JNDIRealm.java:1051)
        at org.apache.catalina.realm.JNDIRealm.checkCredentials(JNDIRealm.java:957)
        at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:729)
        at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:671)
        at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:263)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:458)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2397)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
        at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:171)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
        at java.lang.Thread.run(Thread.java:536)

--
Vincent Stoessel
Linux Systems Developer
vincent xaymaca.com
AW: JNDIRealm expires?
I apologize for the false alarm. My password had expired (arghh), which is why the login process failed. Back to the regularly scheduled program.

Vincent Stoessel wrote:

> I have been able to successfully set up a JNDIRealm in Tomcat for authentication. The only problem is that after about 12 (rough guess) I get the dreaded black page instead of seeing my login form. The workaround is to restart Tomcat. Obviously, this won't work well for an always-on service. Maybe there might be a way to reinitialize an idle connection?
>
> Thanks.
RE: JNDIRealm and 4.1.10 with iPlanet
Looks like you are using parentheses around the 0 rather than brackets. That is probably why it is being passed literally rather than being expanded.

---

Sorry to jump in on this discussion. But I think people with LDAP experience are having a look at it.

    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="999"
           connectionName="cn=Directory Manager"
           connectionPassword="mypassword"
           connectionURL="ldap://192.168.90.120:11592"
           roleBase="dc=my-company,dc=com"
           roleName="uid"
           roleSearch="(uid={0})"
           roleSubtree="false"
           userPassword="userPassword"
           userPattern="uid={0}, ou=People, dc=my-company, dc=com" />

As he has almost the same declaration as I do, I'm wondering why in my case the query gets sent to the OpenLDAP server, but uid=(0) is not changed to the user's name.

    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
           connectionURL="ldap://localhost"
           userPattern="uid=(0),ou=people,dc=yikester,dc=net"
           roleBase="ou=groups,dc=yikester,dc=net"
           roleName="cn"
           roleSearch="(uniqueMember=(0))"
           userPassword="userPassword" />

On the OpenLDAP server I see in the logfile:

    SRCH base=uid=(0),ou=people,dc=yikester,dc=net scope=0 filter=(objectClass=*)

Can it be that this code in Tomcat is still very new and not many people are using it?

Stephan
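The mix-up in this thread can be checked mechanically. The Python example below is added here (it is not Tomcat's code): it expands {0}, the MessageFormat placeholder the realm patterns use, shows that (0) is left literal (which is exactly the base DN the OpenLDAP SRCH line reports), flags Realm attributes that lack the placeholder, and adds the quoting a realm should apply before splicing a username into a DN (RFC 4514) or a user DN into a search filter (RFC 4515). The escaping helpers and check_placeholders are additions, not a description of what Tomcat does.

```python
"""Placeholder expansion for JNDIRealm's userPattern, userSearch and roleSearch.

Added example, not Tomcat code. Tomcat substitutes {0} (java.text.MessageFormat
syntax) with the username or the user's DN; any other text, (0) included, goes
to the directory literally, which is what the OpenLDAP SRCH line above shows.
The two escaping helpers are an addition: they show the quoting a value needs
before it is spliced into a DN (RFC 4514) or into a search filter (RFC 4515).
"""

# RFC 4515: these characters may not appear raw inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# RFC 4514: these characters must be backslash-escaped anywhere in a DN value.
_DN_SPECIAL = set(',+"\\<>;')
# Realm attributes whose value must contain the placeholder to be useful.
PLACEHOLDER_ATTRS = ("userPattern", "userSearch", "roleSearch")


def escape_filter_value(value: str) -> str:
    """Quote a value for use as an assertion value inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Quote a value for use as an attribute value inside a DN (e.g. uid={0},...)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append(r"\00")
        elif (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)          # only special at the start / end of the value
        else:
            out.append(ch)
    return "".join(out)


def expand_pattern(pattern: str, value: str, escape) -> str:
    """Replace every {0} in pattern with escape(value); everything else is left as is."""
    return pattern.replace("{0}", escape(value))


def check_placeholders(realm_attrs: dict) -> list:
    """One warning per pattern attribute without {0}: such a value is sent literally."""
    return [f"{name}={realm_attrs[name]!r} has no {{0}} placeholder"
            for name in PLACEHOLDER_ATTRS
            if name in realm_attrs and "{0}" not in realm_attrs[name]]
```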
Re: JNDIRealm and 4.1.10 with iPlanet
This was exactly my problem. I had not seen that I needed to do this while reviewing the documentation. With this help I was able to get everything working.

It looks like LDAP dynamic groups aren't currently supported by Tomcat. Does anyone have information that conflicts with this? I ended up using a static group.

---

Did you protect the resource that you're trying to access with a security-constraint in your web.xml?

Jon

----- Original Message -----
From: Douglas L Stewart [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, September 23, 2002 11:31 AM
Subject: JNDIRealm and 4.1.10 with iPlanet

> I'm using Tomcat 4.1.10 trying to authenticate against iPlanet Directory Server 5.0. I've created a Realm inside of the Engine declaration:
>
>     <Realm className="org.apache.catalina.realm.JNDIRealm" debug="999"
>            connectionName="cn=Directory Manager"
>            connectionPassword="mypassword"
>            connectionURL="ldap://192.168.90.120:11592"
>            roleBase="dc=my-company,dc=com"
>            roleName="uid"
>            roleSearch="(uid={0})"
>            roleSubtree="false"
>            userPassword="userPassword"
>            userPattern="uid={0}, ou=People, dc=my-company, dc=com" />
>
> I'm getting this in the log when I start Tomcat:
>
>     2002-09-23 11:09:49 JNDIRealm[Standalone]: Connecting to URL ldap://192.168.90.120:11592
>
> According to the documentation, putting the Realm declaration in the Engine section should make it used globally, but when I try to view some of my servlets I see nothing in the log and I'm not prompted for a login; it just shows the page. What am I missing?
JNDIRealm and 4.1.10 with iPlanet
I'm using Tomcat 4.1.10 trying to authenticate against iPlanet Directory Server 5.0. I've created a Realm inside of the Engine declaration:

    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="999"
           connectionName="cn=Directory Manager"
           connectionPassword="mypassword"
           connectionURL="ldap://192.168.90.120:11592"
           roleBase="dc=my-company,dc=com"
           roleName="uid"
           roleSearch="(uid={0})"
           roleSubtree="false"
           userPassword="userPassword"
           userPattern="uid={0}, ou=People, dc=my-company, dc=com" />

I'm getting this in the log when I start Tomcat:

    2002-09-23 11:09:49 JNDIRealm[Standalone]: Connecting to URL ldap://192.168.90.120:11592

According to the documentation, putting the Realm declaration in the Engine section should make it used globally, but when I try to view some of my servlets I see nothing in the log and I'm not prompted for a login; it just shows the page. What am I missing?