Re: [Problem]Tomcat 6.x with Active Directory on Windows Server 2003
org.apache.catalina.authenticator.FormAuthenticator - Authenticating username 'testuser1'
DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator - Authenticating username 'testuser1'
DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator - Authentication of 'testuser1' was successful
DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator - Authentication of 'testuser1' was successful
DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator - Redirecting to original '/adtest/session.jsp'
DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator - Redirecting to original '/adtest/session.jsp'
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - Failed authenticate() test ??/adtest/j_security_check
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - Failed authenticate() test ??/adtest/j_security_check
..
DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - Username testuser1 does NOT have role TestGroup
DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - Username testuser1 does NOT have role TestGroup
DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - No role found: TestGroup
DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - No role found: TestGroup
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - Failed accessControl() test
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - Failed accessControl() test

I find this quite strange: as you can see in the attachment, testuser1 is a member of TestGroup, and TestGroup is already defined in web.xml. Is there any further configuration or debugging I should do?

http://www.nabble.com/file/p20375746/adtest.rar adtest.rar

--
View this message in context: http://www.nabble.com/-Problem-Tomcat-6.x-with-Active-Directory-on-Windows-Server-2003-tp20375746p20413691.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Hisham Farahat
Tomcat 6.0 problems with LDAP ( connection gets blocked for 10 min)
)
 at com.sun.jndi.url.ldap.ldapURLContextFactory.getObjectInstance(Unknown Source)
 at javax.naming.spi.NamingManager.getURLObject(Unknown Source)
 at javax.naming.spi.NamingManager.processURL(Unknown Source)
 at javax.naming.spi.NamingManager.processURLAddrs(Unknown Source)
 at javax.naming.spi.NamingManager.getObjectInstance(Unknown Source)
 ... 23 more
Oct 29, 2008 8:30:15 AM org.apache.catalina.realm.JNDIRealm close
FINE: Closing directory context
Oct 29, 2008 8:30:15 AM org.apache.catalina.core.ApplicationDispatcher doForward
FINE: Disabling the response for futher output
==

2- Rebooting the machine will solve the problem.
3- Restarting Tomcat won't affect anything.
4- I can connect to the LDAP server using Softerra LDAP Administration during the 10 blocking minutes.
5- The system admin checked the log of the AD and there is nothing there.
6- I have tried to put the realm configuration under the context.xml, and the same thing happens.
7- Most probably, when I leave the session to expire (5 min) and try to log in again afterwards, it gets blocked.

Please help me with this issue, I need it working correctly ASAP.

P.S. Thanks to everyone who helped and will help me with this issue.

Regards,
-- Hisham Farahat
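The idle-session observation in point 7 can be checked against the Tomcat log itself. The following is an added example, not part of the thread: it parses java.util.logging output like that quoted in these messages and, for each run of `Connection refused` errors from JNDIRealm, reports the LDAP target, the idle time since the last successful directory lookup, and the time until recovery. The sample log is constructed, and treating the three `SUCCESS` messages as proof of a working LDAP round trip is an assumption.

```python
import re
from datetime import datetime

# Constructed sample in java.util.logging's two-line layout. Entries up to
# 2:33:26 PM reuse lines quoted in the thread; the later ones are invented.
SAMPLE_LOG = """\
Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm getRoles
FINER: Found role Infonet-Admins
Oct 28, 2008 2:33:22 PM org.apache.catalina.core.ApplicationDispatcher doForward
FINE: Disabling the response for futher output
Oct 28, 2008 2:33:26 PM org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: company.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]]
    at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source)
Oct 28, 2008 2:33:26 PM org.apache.catalina.realm.JNDIRealm close
FINE: Closing directory context
Oct 28, 2008 2:39:10 PM org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.CommunicationException: company.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]
Oct 28, 2008 2:44:02 PM org.apache.catalina.realm.JNDIRealm checkCredentials
FINER: Username tomcat successfully authenticated
"""

HEADER = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (\S+) (\S+)$")
TARGET = re.compile(r"CommunicationException: ([^\s\[\]]+:\d+)")
# Assumption: these messages are only logged after a directory round trip succeeded.
SUCCESS = re.compile(r"successfully authenticated|Found role|entry found for")


def records(log_text):
    """Yield (timestamp, class, body); stack-trace lines are joined into the body."""
    current = None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield current[0], current[1], "\n".join(current[2])
            ts = datetime.strptime(m.group(1), "%b %d, %Y %I:%M:%S %p")
            current = (ts, m.group(2), [])
        elif current:
            current[2].append(line)
    if current:
        yield current[0], current[1], "\n".join(current[2])


def outage_windows(log_text):
    """Group consecutive 'Connection refused' failures from JNDIRealm into windows."""
    windows, open_window, last_ok = [], None, None
    for ts, cls, body in records(log_text):
        if not cls.endswith(".JNDIRealm"):
            continue  # only the realm talks to the directory
        if body.startswith("SEVERE:") and "Connection refused" in body:
            if open_window is None:
                target = TARGET.search(body)
                open_window = {"target": target.group(1) if target else None,
                               "idle_before": (ts - last_ok) if last_ok else None,
                               "first_failure": ts, "last_failure": ts, "failures": 0}
                windows.append(open_window)
            open_window["last_failure"] = ts
            open_window["failures"] += 1
        elif SUCCESS.search(body):
            last_ok = ts
            if open_window is not None:
                open_window["recovered_after"] = ts - open_window["first_failure"]
                open_window = None
    return windows
```

Run `outage_windows()` over the full catalina log: if `idle_before` is consistently longer than the 5-minute session timeout and `target` is always the domain name rather than a single host address, that narrows where to look next.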
Re:
I have used Softerra LDAP Admin and it worked while Tomcat did not. How can I increase the verbosity? I tried to configure log4j, but I could not build the extra component (extra.xml) because I'm on a Windows machine and I've installed Tomcat using the Windows service installer. Any ideas? Thanks for your help!!

On Mon, Oct 27, 2008 at 1:13 PM, Serge Fonville [EMAIL PROTECTED] wrote:

Perhaps if you download Symas OpenLDAP 2.3 (CDS v3) Silver Edition (requires registration) (an LDAP server for Windows), you can use the accompanying utilities to try and do the same as Tomcat does. That way you can try to determine if there is anything related to the configuration that is incorrect. Also, if you increase the verbosity of the logging (http://tomcat.apache.org/tomcat-6.0-doc/logging.html) you might be able to determine what exactly went wrong.

Hope this helps

Regards,
Serge Fonville

On Mon, Oct 27, 2008 at 10:33 AM, Hisham Farahat [EMAIL PROTECTED] wrote:

It is on a separate server, running Windows Server 2003. And no wrong password attempts, it happens from the 1st attempt. Sorry for the title thing :)

On Mon, Oct 27, 2008 at 12:20 PM, André Warnier [EMAIL PROTECTED] wrote:

Hisham Farahat wrote:

Dear All, I have a problem with my web application. I configured Tomcat 6.0 to authenticate users through a Realm (LDAP); it connects to an Active Directory server. Everything seems OK, but sometimes the connection could not be established (Connection refused) and it continues in this state for ~10 minutes. Stopping and starting Tomcat again won't affect anything; I have to restart the machine so that users can access the web application normally (or just wait for 10 minutes). How can I solve this problem? Regards,

As someone else asked, you need to provide some additional details, such as:
- is this Tomcat running on your workstation? Else on what?

With only the explanation above, I would guess that the LDAP server somehow (maybe after a few unsuccessful attempts with bad passwords?) puts your Tomcat server on some blacklist, and refuses connections from it. Maybe when you reboot the machine, it gets a different IP address and is thus no longer on the blacklist at first? It does not sound like a specific Tomcat issue though.

-- Hisham Farahat
Re:
Source)
 at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
 at com.sun.jndi.ldap.LdapCtx.init(Unknown Source)
 at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
 at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
 at com.sun.jndi.url.ldap.ldapURLContextFactory.getObjectInstance(Unknown Source)
 at javax.naming.spi.NamingManager.getURLObject(Unknown Source)
 at javax.naming.spi.NamingManager.processURL(Unknown Source)
 at javax.naming.spi.NamingManager.processURLAddrs(Unknown Source)
 at javax.naming.spi.NamingManager.getObjectInstance(Unknown Source)
 ... 23 more
Oct 28, 2008 2:33:26 PM org.apache.catalina.realm.JNDIRealm close
FINE: Closing directory context
Oct 28, 2008 2:33:26 PM org.apache.catalina.core.ApplicationDispatcher doForward
FINE: Disabling the response for futher output

The error 401 is very strange, because I did not access the system at that time. BTW the session expiration is 5 minutes. Please help me with this.

On Tue, Oct 28, 2008 at 1:39 PM, Serge Fonville [EMAIL PROTECTED] wrote:

You can build it on Windows, since Ant for Windows can be downloaded the same as for any other platform it is available for. The fact that Tomcat was installed as a service has no impact on what can and can't be loaded inside Tomcat, since Tomcat loads its configuration file on startup and has all libraries in its classpath available to it. The rest can be found on the Tomcat website about logging (which you clearly already found). Perhaps you got a specific error during building. If so, what was it and what steps did you take (before, during, after)?

Regards,
Serge Fonville

On Tue, Oct 28, 2008 at 11:17 AM, Hisham Farahat [EMAIL PROTECTED] wrote:

I have used Softerra LDAP Admin and it worked while Tomcat did not. How can I increase the verbosity? I tried to configure log4j, but I could not build the extra component (extra.xml) because I'm on a Windows machine and I've installed Tomcat using the Windows service installer. Any ideas? Thanks for your help!!

On Mon, Oct 27, 2008 at 1:13 PM, Serge Fonville [EMAIL PROTECTED] wrote:

Perhaps if you download Symas OpenLDAP 2.3 (CDS v3) Silver Edition (requires registration) (an LDAP server for Windows), you can use the accompanying utilities to try and do the same as Tomcat does. That way you can try to determine if there is anything related to the configuration that is incorrect. Also, if you increase the verbosity of the logging (http://tomcat.apache.org/tomcat-6.0-doc/logging.html) you might be able to determine what exactly went wrong.

Hope this helps

Regards,
Serge Fonville

On Mon, Oct 27, 2008 at 10:33 AM, Hisham Farahat [EMAIL PROTECTED] wrote:

It is on a separate server, running Windows Server 2003. And no wrong password attempts, it happens from the 1st attempt. Sorry for the title thing :)

On Mon, Oct 27, 2008 at 12:20 PM, André Warnier [EMAIL PROTECTED] wrote:

Hisham Farahat wrote:

Dear All, I have a problem with my web application. I configured Tomcat 6.0 to authenticate users through a Realm (LDAP); it connects to an Active Directory server. Everything seems OK, but sometimes the connection could not be established (Connection refused) and it continues in this state for ~10 minutes. Stopping and starting Tomcat again won't affect anything; I have to restart the machine so that users can access the web application normally (or just wait for 10 minutes). How can I solve this problem? Regards,

As someone else asked, you need to provide some additional details, such as:
- is this Tomcat running on your workstation? Else on what?

With only the explanation above, I would guess that the LDAP server somehow (maybe after a few unsuccessful attempts with bad passwords?) puts your Tomcat server on some blacklist, and refuses connections from it. Maybe when you reboot the machine, it gets a different IP address and is thus no longer on the blacklist at first? It does not sound like a specific Tomcat issue though.

-- Hisham Farahat
Re:
I meant the errors you had when building commons for log4j (since you said you couldn't build it)

I went the easier way, using java.util.logger :)

Have you tried manually connecting to the AD server with a commandline LDAP client

Yes, using a program called Softerra LDAP Admin. And it connects normally.

is the tomcat host and the AD server the same system?

No, it is not. Looking at the AD logs and verifying sockets needs the system admin's authorization. I'll check with him. Thanks :)

On Tue, Oct 28, 2008 at 3:31 PM, Serge Fonville [EMAIL PROTECTED] wrote:

I would start by looking at the logs of the AD server. It seems the AD server has refused the connection, so maybe there is a clearer error there.

I meant the errors you had when building commons for log4j (since you said you couldn't build it).

Have you tried manually connecting to the AD server with a commandline LDAP client? Perhaps you can try to telnet to the address you connect to.

Since these errors do not yet make sense at this time, perhaps it is advisable to run Wireshark on the AD server and perform a netstat to verify sockets are listening as you would expect.

Is the Tomcat host and the AD server the same system (have you tried on another system)? Windows has its quirks (not being able to connect to the local IP, for example).

Regards,
Serge Fonville

On Tue, Oct 28, 2008 at 1:13 PM, Hisham Farahat [EMAIL PROTECTED] wrote:

OK, I used the normal logger with ALL messages showing; here is the part of the log where the error occurred:

Oct 28, 2008 2:21:07 PM org.apache.catalina.realm.JNDIRealm getRoles
FINER: Found role Infonet-Admins
Oct 28, 2008 2:24:07 PM org.apache.catalina.core.StandardHostValve custom
FINE: Processing ErrorPage[errorCode=401, location=/401.jsp]
Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm getUserBySearch
FINER: entry found for tomcat with dn CN=tomcat,CN=Users,DC=company,DC=com
Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm bindAsUser
FINER: validating credentials by binding as the user
Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm bindAsUser
FINER: binding as CN=tomcat,CN=Users,DC=company,DC=com
Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm checkCredentials
FINER: Username tomcat successfully authenticated
Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm getRoles
FINER: getRoles(CN=tomcat,CN=Users,DC=company,DC=com)
Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm addAttributeValues
FINER: retrieving values for attribute description
Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm addAttributeValues
FINER: retrieving values for attribute description
Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm addAttributeValues
FINER: retrieving values for attribute description
Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm getRoles
FINER: Returning 3 roles
Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm getRoles
FINER: Found role admin
Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm getRoles
FINER: Found role manager
Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm getRoles
FINER: Found role Infonet-Admins
Oct 28, 2008 2:33:22 PM org.apache.catalina.core.ApplicationDispatcher doForward
FINE: Disabling the response for futher output
Oct 28, 2008 2:33:26 PM org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: company.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]]
 at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source)
 at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(Unknown Source)
 at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source)
 at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(Unknown Source)
 at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source)
 at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(Unknown Source)
 at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1097)
 at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:992)
 at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:941)
 at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:810)
 at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:258)
 at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:417)
 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java
Re:
Dear All, I have a problem with my web application. I configured tomcat 6.0 to authenticate users through Realm ( LDAP), it connects to an active directory server. Everything seems OK, but sometimes the connection could not be established ( Connection refused ) and it continues with this state for ~ 10 minutes. Stopping and starting tomcat again won't affect anything, I should restart the machine so that users can access the web application normally ( or just wait for 10 minutes). How can I solve this problem? Regards, -- Hisham Farahat
Re:
Thanx for your reply

1- Yes, the log has this exception each time I need to log in: [Root exception is java.net.ConnectException: Connection refused: connect]]
2- What do you mean by functioning?
3- This is the realm in server.xml (by the way, I tried to put it in both server.xml and context.xml, and the same problem occurred with both):

Realm className=org.apache.catalina.realm.JNDIRealm
 debug=99
 connectionURL =ldap://company.com:389/;
 connectionName= CN=tomcat,CN=Users,DC=company,DC=com
 connectionPassword= ***
 alternateURL =ldap://192.168.205.2:389/;
 userSubtree = true
 referrals=follow
 userSearch=###
 userBase=DC=company,DC=com
 roleBase=CN=Users,DC=company,DC=com
 roleName=description
 roleSearch=member={0}
 roleSubtree = true
 allRolesMode=AuthOnly /

4- No, just 20% of the times when I logged in. Sometimes it happens once a day and sometimes I could not even log in, it is continuously doing this.
5- No, randomly.
6- The whole server takes 500 MB, it's not that much.
7- If by busy you mean how frequently users use it, then no, it is not; I'm the only one, it is still in the testing phase.
8- Windows Server 2003
9- I think yes; if not, then how are users logging in to their domain using AD accounts?

On Mon, Oct 27, 2008 at 11:52 AM, Serge Fonville [EMAIL PROTECTED] wrote:

I would need a little bit more information about your environment.
Have you looked at the logging?
How is your network functioning?
How is the realm configured?
Has it always been like this or at some point?
Are there specific times of day it occurs?
How is the memory usage of Tomcat?
How busy is Tomcat?
What OS is it running on?
Can you use LDAP manually without errors?

Regards,
Serge Fonville

On Mon, Oct 27, 2008 at 9:18 AM, Hisham Farahat [EMAIL PROTECTED] wrote:

Dear All, I have a problem with my web application. I configured Tomcat 6.0 to authenticate users through a Realm (LDAP); it connects to an Active Directory server. Everything seems OK, but sometimes the connection could not be established (Connection refused) and it continues in this state for ~10 minutes. Stopping and starting Tomcat again won't affect anything; I have to restart the machine so that users can access the web application normally (or just wait for 10 minutes). How can I solve this problem? Regards,

-- Hisham Farahat
Re:
One more issue: most probably it occurs when I try to log in after a previous timed-out session.

On Mon, Oct 27, 2008 at 12:18 PM, Hisham Farahat [EMAIL PROTECTED] wrote:

Thanx for your reply

1- Yes, the log has this exception each time I need to log in: [Root exception is java.net.ConnectException: Connection refused: connect]]
2- What do you mean by functioning?
3- This is the realm in server.xml (by the way, I tried to put it in both server.xml and context.xml, and the same problem occurred with both):

Realm className=org.apache.catalina.realm.JNDIRealm
 debug=99
 connectionURL =ldap://company.com:389/;
 connectionName= CN=tomcat,CN=Users,DC=company,DC=com
 connectionPassword= ***
 alternateURL =ldap://192.168.205.2:389/;
 userSubtree = true
 referrals=follow
 userSearch=###
 userBase=DC=company,DC=com
 roleBase=CN=Users,DC=company,DC=com
 roleName=description
 roleSearch=member={0}
 roleSubtree = true
 allRolesMode=AuthOnly /

4- No, just 20% of the times when I logged in. Sometimes it happens once a day and sometimes I could not even log in, it is continuously doing this.
5- No, randomly.
6- The whole server takes 500 MB, it's not that much.
7- If by busy you mean how frequently users use it, then no, it is not; I'm the only one, it is still in the testing phase.
8- Windows Server 2003
9- I think yes; if not, then how are users logging in to their domain using AD accounts?

On Mon, Oct 27, 2008 at 11:52 AM, Serge Fonville [EMAIL PROTECTED] wrote:

I would need a little bit more information about your environment.
Have you looked at the logging?
How is your network functioning?
How is the realm configured?
Has it always been like this or at some point?
Are there specific times of day it occurs?
How is the memory usage of Tomcat?
How busy is Tomcat?
What OS is it running on?
Can you use LDAP manually without errors?

Regards,
Serge Fonville

On Mon, Oct 27, 2008 at 9:18 AM, Hisham Farahat [EMAIL PROTECTED] wrote:

Dear All, I have a problem with my web application. I configured Tomcat 6.0 to authenticate users through a Realm (LDAP); it connects to an Active Directory server. Everything seems OK, but sometimes the connection could not be established (Connection refused) and it continues in this state for ~10 minutes. Stopping and starting Tomcat again won't affect anything; I have to restart the machine so that users can access the web application normally (or just wait for 10 minutes). How can I solve this problem? Regards,

-- Hisham Farahat
Re:
It is on a separate server, running Windows Server 2003. And no wrong password attempts, it happens from the 1st attempt. Sorry for the title thing :)

On Mon, Oct 27, 2008 at 12:20 PM, André Warnier [EMAIL PROTECTED] wrote:

Hisham Farahat wrote:

Dear All, I have a problem with my web application. I configured Tomcat 6.0 to authenticate users through a Realm (LDAP); it connects to an Active Directory server. Everything seems OK, but sometimes the connection could not be established (Connection refused) and it continues in this state for ~10 minutes. Stopping and starting Tomcat again won't affect anything; I have to restart the machine so that users can access the web application normally (or just wait for 10 minutes). How can I solve this problem? Regards,

As someone else asked, you need to provide some additional details, such as:
- is this Tomcat running on your workstation? Else on what?

With only the explanation above, I would guess that the LDAP server somehow (maybe after a few unsuccessful attempts with bad passwords?) puts your Tomcat server on some blacklist, and refuses connections from it. Maybe when you reboot the machine, it gets a different IP address and is thus no longer on the blacklist at first? It does not sound like a specific Tomcat issue though.

-- Hisham Farahat
Tomcat server with two websites with two different authentications
Dear All, Can I configure Tomcat to host two different websites? How can I do it? Any directions? Moreover, I need to have two different authentication methods for the two websites (e.g. one using LDAP and the other using the normal Tomcat user list (tomcat-users.xml)). I hope someone can help me with this.

Regards,
-- Hisham Farahat
Re: Tomcat server with two websites with two different authentications
Thanks for your reply. How can I configure the virtual hosts in Tomcat?

On Mon, Oct 27, 2008 at 1:49 PM, Tim Funk [EMAIL PROTECTED] wrote:

You need to configure a Realm per Virtual Host (or, if different webapps in the same vhost need different authentication schemes, the Realm element can be per context too).

http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html

-Tim

Hisham Farahat wrote:

Dear All, Can I configure Tomcat to host two different websites? How can I do it? Any directions? Moreover, I need to have two different authentication methods for the two websites (e.g. one using LDAP and the other using the normal Tomcat user list (tomcat-users.xml))

-- Hisham Farahat