Re: [Problem]Tomcat 6.x with Active Directory on Windows Server 2003
org.apache.catalina.authenticator.FormAuthenticator - Authenticating username 'testuser1' DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator - Authenticating username 'testuser1' DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator - Authentication of 'testuser1' was successful DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator - Authentication of 'testuser1' was successful DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator - Redirecting to original '/adtest/session.jsp' DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator - Redirecting to original '/adtest/session.jsp' DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - Failed authenticate() test ??/adtest/j_security_check DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - Failed authenticate() test ??/adtest/j_security_check .. DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - Username testuser1 does NOT have role TestGroup DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - Username testuser1 does NOT have role TestGroup DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - No role found: TestGroup DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - No role found: TestGroup DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - Failed accessControl() test DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - Failed accessControl() test I feel quite strange, as you can see in the attachment, the testuser1 is member of TestGroup, and TestGroup is already defined in web.xml, I wonder any further configuration or debug I shoule do? http://www.nabble.com/file/p20375746/adtest.rar adtest.rar -- View this message in context: http://www.nabble.com/-Problem-Tomcat-6.x-with-Active-Directory-on-Windows-Server-2003-tp20375746p20413691.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Hisham Farahat
Tomcat 6.0 problems with LDAP ( connection gets blocked for 10 min)
) at com.sun.jndi.url.ldap.ldapURLContextFactory.getObjectInstance(Unknown Source) at javax.naming.spi.NamingManager.getURLObject(Unknown Source) at javax.naming.spi.NamingManager.processURL(Unknown Source) at javax.naming.spi.NamingManager.processURLAddrs(Unknown Source) at javax.naming.spi.NamingManager.getObjectInstance(Unknown Source) ... 23 more Oct 29, 2008 8:30:15 AM org.apache.catalina.realm.JNDIRealm close FINE: Closing directory context Oct 29, 2008 8:30:15 AM org.apache.catalina.core.ApplicationDispatcher doForward FINE: Disabling the response for futher output == 2- Rebooting the machine wil solve the problem 3- Restarting Tomcat won't affect any thing 4- I can connect to the LDAP server using Soferra LDAP Administration during the 10 blocking minutes 5- The system admin checked the log of the AD and nothing there. 6- I have tried to put the realm configuration under the context.xml, and the same thing happens. 7- most probably when i leave the session to expire ( 5 min) and try to login again afterwords it gets blocked. Please help me in this issue, i need it working correctly ASAP. P.S Thanks for every one who helped and will help me in this issue. Regards, -- Hisham Farahat
Re:
I have used Softerra LDAP Admin and it worked while tomcat did not.
How can i increase the verbosity ? i tried to configure log4j, but i could
not build the extra component (extra.xml) because i'm on windows machine and
i've installed tomcat using windows service installer.
Any ideas?
thanks for your help!! *using windows service instdalle**log4jl*
On Mon, Oct 27, 2008 at 1:13 PM, Serge Fonville [EMAIL PROTECTED]wrote:
Perhaps if you download Symas OpenLDAP 2.3 (CDS v3) Silver
Editionjavascript:uiform_click('xanchor_2212_5') (Requires
registration) (an ldap server for windows), you can use the accompanying
uilities to try and do the same tomcat does.That way you can try to
determine if there is anything related to the configuration that is
incorrect.
Also if you increase the verbosity of the
logginghttp://tomcat.apache.org/tomcat-6.0-doc/logging.htmlyou might
be able to determine what exactly went wrong.
Hope this helps
Regards,
Serge Fonville
Links:
On Mon, Oct 27, 2008 at 10:33 AM, Hisham Farahat [EMAIL PROTECTED]
wrote:
It is on a separate server, running windows server 2003.
And no wrong passwords attempts, it happens from the 1st attempt.
Sorry for the title thing :)
On Mon, Oct 27, 2008 at 12:20 PM, André Warnier [EMAIL PROTECTED] wrote:
Hisham Farahat wrote:
Dear All,
I have a problem with my web application. I configured tomcat 6.0 to
authenticate users through Realm ( LDAP), it connects to an active
directory
server. Everything seems OK, but sometimes the connection could not be
established ( Connection refused ) and it continues with this state
for
~
10
minutes. Stopping and starting tomcat again won't affect anything, I
should
restart the machine so that users can access the web application
normally
(
or just wait for 10 minutes). How can I solve this problem?
Regards,
As someone else asked, you need to provide some additional details,
such
as
:
- is this Tomcat running on your workstation ? else on what ?
With only the explanation above, I would guess that the LDAP server
somehow
(maybe after a few unsuccesful attempts with bad passwords ?), puts
your
Tomcat server on some blacklist, and refuses connections from it.
Maybe when you reboot the machine, it gets a different IP address and
is
thus no longer on the blacklist at first ?
It does not sound like a specific Tomcat issue though.
-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
Hisham Farahat
--
Hisham Farahat
Re:
Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.init(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.url.ldap.ldapURLContextFactory.getObjectInstance(Unknown
Source)
at javax.naming.spi.NamingManager.getURLObject(Unknown Source)
at javax.naming.spi.NamingManager.processURL(Unknown Source)
at javax.naming.spi.NamingManager.processURLAddrs(Unknown Source)
at javax.naming.spi.NamingManager.getObjectInstance(Unknown Source)
... 23 more
Oct 28, 2008 2:33:26 PM org.apache.catalina.realm.JNDIRealm close
FINE: Closing directory context
Oct 28, 2008 2:33:26 PM org.apache.catalina.core.ApplicationDispatcher
doForward
FINE: Disabling the response for futher output
The error 401 is very strange, because i did not access the the system that
time.
BTW the session expiration is 5 minuets.
Please Help me in this.
On Tue, Oct 28, 2008 at 1:39 PM, Serge Fonville [EMAIL PROTECTED]wrote:
You can build it on windows, since ant for windows can be downloaded the
same as for any other platform it is available for
the fact tomcat was installed as a service has no impact on what can and
can't be loaded inside tomcat
since tomcat loads it's configuration file on startup and has all libraies
in its classpath avaiable to it.
the rest can be found on the tomcat website about logging (which yoiu
clearly already found)
Perhaps you got a specific error during building.
If so, what was it and what steps did you take (before,during,after)
Regards,
Serge Fonville
On Tue, Oct 28, 2008 at 11:17 AM, Hisham Farahat [EMAIL PROTECTED]
wrote:
I have used Softerra LDAP Admin and it worked while tomcat did not.
How can i increase the verbosity ? i tried to configure log4j, but i
could
not build the extra component (extra.xml) because i'm on windows machine
and
i've installed tomcat using windows service installer.
Any ideas?
thanks for your help!! *using windows service instdalle**log4jl*
On Mon, Oct 27, 2008 at 1:13 PM, Serge Fonville
[EMAIL PROTECTED]
wrote:
Perhaps if you download Symas OpenLDAP 2.3 (CDS v3) Silver
Editionjavascript:uiform_click('xanchor_2212_5') (Requires
registration) (an ldap server for windows), you can use the
accompanying
uilities to try and do the same tomcat does.That way you can try to
determine if there is anything related to the configuration that is
incorrect.
Also if you increase the verbosity of the
logginghttp://tomcat.apache.org/tomcat-6.0-doc/logging.htmlyou might
be able to determine what exactly went wrong.
Hope this helps
Regards,
Serge Fonville
Links:
On Mon, Oct 27, 2008 at 10:33 AM, Hisham Farahat
[EMAIL PROTECTED]
wrote:
It is on a separate server, running windows server 2003.
And no wrong passwords attempts, it happens from the 1st attempt.
Sorry for the title thing :)
On Mon, Oct 27, 2008 at 12:20 PM, André Warnier [EMAIL PROTECTED]
wrote:
Hisham Farahat wrote:
Dear All,
I have a problem with my web application. I configured tomcat 6.0
to
authenticate users through Realm ( LDAP), it connects to an active
directory
server. Everything seems OK, but sometimes the connection could
not
be
established ( Connection refused ) and it continues with this
state
for
~
10
minutes. Stopping and starting tomcat again won't affect anything,
I
should
restart the machine so that users can access the web application
normally
(
or just wait for 10 minutes). How can I solve this problem?
Regards,
As someone else asked, you need to provide some additional details,
such
as
:
- is this Tomcat running on your workstation ? else on what ?
With only the explanation above, I would guess that the LDAP server
somehow
(maybe after a few unsuccesful attempts with bad passwords ?), puts
your
Tomcat server on some blacklist, and refuses connections from it.
Maybe when you reboot the machine, it gets a different IP address
and
is
thus no longer on the blacklist at first ?
It does not sound like a specific Tomcat issue though.
-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
Hisham Farahat
--
Hisham Farahat
--
Hisham Farahat
Re:
I meant the errors you had when building commons for log4j (since you said you couldn't build it) I went to the easier way, using java.util.logger :) Have you tried manually connecting to the AD server with a commandline LDAP client yes, using a program called Softerra LDAP Admin. And it connects normally. is the tomcat host and the AD server the same system? No it is not. Looking at the AD logs, and verifying sockets needs the system admin authorization. I'll check with him. Thanks :) On Tue, Oct 28, 2008 at 3:31 PM, Serge Fonville [EMAIL PROTECTED]wrote: I would start looking at the logs of the AD server It seems the AD server has refused the connection, so maybe there is a more clear error there I meant the errors you had when building commons for log4j (since you said you couldn't build it) Have you tried manually connecting to the AD server with a commandline LDAP client Perhaps you can try to telnet to the address you connect to Since these errors at this time not yet make sense, perhaps it is advisable to run wireshark on the AD server and perform a netstat to verify sockets are listeneing as you would expect. Is the tomcat host and the AD server the same system (have you tried on another system) windows has it quirks(not being able to connecto to the local IP for example Regards, Serge Fonville On Tue, Oct 28, 2008 at 1:13 PM, Hisham Farahat [EMAIL PROTECTED] wrote: Ok, i used the normal logger with ALL messages showing out, here is the part of the log where the error occurred: Oct 28, 2008 2:21:07 PM org.apache.catalina.realm.JNDIRealm getRoles FINER: Found role Infonet-Admins Oct 28, 2008 2:24:07 PM org.apache.catalina.core.StandardHostValve custom FINE: Processing ErrorPage[errorCode=401, location=/401.jsp] Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm getUserBySearch FINER: entry found for tomcat with dn CN=tomcat,CN=Users,DC=company,DC=com Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm bindAsUser FINER: validating credentials by binding as the user Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm bindAsUser FINER: binding as CN=tomcat,CN=Users,DC=company,DC=com Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm checkCredentials FINER: Username tomcat successfully authenticated Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm getRoles FINER: getRoles(CN=tomcat,CN=Users,DC=company,DC=com) Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm addAttributeValues FINER: retrieving values for attribute description Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm addAttributeValues FINER: retrieving values for attribute description Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm addAttributeValues FINER: retrieving values for attribute description Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm getRoles FINER: Returning 3 roles Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm getRoles FINER: Found role admin Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm getRoles FINER: Found role manager Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm getRoles FINER: Found role Infonet-Admins Oct 28, 2008 2:33:22 PM org.apache.catalina.core.ApplicationDispatcher doForward FINE: Disabling the response for futher output Oct 28, 2008 2:33:26 PM org.apache.catalina.realm.JNDIRealm authenticate SEVERE: Exception performing authentication javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: company.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]] at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source) at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(Unknown Source) at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source) at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(Unknown Source) at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source) at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(Unknown Source) at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1097) at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:992) at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:941) at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:810) at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:258) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:417) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java
Re:
Dear All, I have a problem with my web application. I configured tomcat 6.0 to authenticate users through Realm ( LDAP), it connects to an active directory server. Everything seems OK, but sometimes the connection could not be established ( Connection refused ) and it continues with this state for ~ 10 minutes. Stopping and starting tomcat again won't affect anything, I should restart the machine so that users can access the web application normally ( or just wait for 10 minutes). How can I solve this problem? Regards, -- Hisham Farahat
Re:
Thanx for your reply
1- yes , the log has this exception each time i need to login :
[Root exception is java.net.ConnectException: Connection refused: connect]]
2- What do you mean by functioning?
3- this is the realm in server.xml ( By the way i tried to put it in both
server.xml and context.xml ,with both the same problem occured)
Realm className=org.apache.catalina.realm.JNDIRealm debug=99
connectionURL =ldap://company.com:389/; connectionName=
CN=tomcat,CN=Users,DC=company,DC=com connectionPassword= ***
alternateURL =ldap://192.168.205.2:389/; userSubtree = true
referrals=follow userSearch=### userBase=DC=company,DC=com
roleBase=CN=Users,DC=company,DC=com roleName=description
roleSearch=member={0} roleSubtree = true allRolesMode=AuthOnly /
4- no, just 20% of the times when i logged in. sometimes it happens once a
day and sometimes i could not even login it contuisly doing this issue.
5- no randomly
6- the whole server takes 500 MB, it 's not that much.
7- if with busy you mean, how frequent users use it. Then no it is not, im
the only one it still in testing phase.
8- Windows server 2003
9- I think yes, if not then how users are logging to their domain using AD
accounts
On Mon, Oct 27, 2008 at 11:52 AM, Serge Fonville
[EMAIL PROTECTED]wrote:
I would need a little bit more information about your environment
Have you looked at te loggingHow is your network functioning
How is the realm configured
Has it always been like this or at some point
Are there specific times of day it occurs
How is the memory usage of tomcat
How busy is tomcat
What OS is it running on
Can you use ldap manually without errors
Regards,
Serge Fonville
On Mon, Oct 27, 2008 at 9:18 AM, Hisham Farahat [EMAIL PROTECTED]
wrote:
Dear All,
I have a problem with my web application. I configured tomcat 6.0 to
authenticate users through Realm ( LDAP), it connects to an active
directory
server. Everything seems OK, but sometimes the connection could not be
established ( Connection refused ) and it continues with this state for ~
10
minutes. Stopping and starting tomcat again won't affect anything, I
should
restart the machine so that users can access the web application normally
(
or just wait for 10 minutes). How can I solve this problem?
Regards,
--
Hisham Farahat
--
Hisham Farahat
Re:
One more issue, most probably it occurs when i try to login after a previous
timed out session
On Mon, Oct 27, 2008 at 12:18 PM, Hisham Farahat [EMAIL PROTECTED]wrote:
Thanx for your reply
1- yes , the log has this exception each time i need to login :
[Root exception is java.net.ConnectException: Connection refused: connect]]
2- What do you mean by functioning?
3- this is the realm in server.xml ( By the way i tried to put it in both
server.xml and context.xml ,with both the same problem occured)
Realm className=org.apache.catalina.realm.JNDIRealm debug=99
connectionURL =ldap://company.com:389/; connectionName=
CN=tomcat,CN=Users,DC=company,DC=com connectionPassword= ***
alternateURL =ldap://192.168.205.2:389/; userSubtree = true
referrals=follow userSearch=### userBase=DC=company,DC=com
roleBase=CN=Users,DC=company,DC=com roleName=description
roleSearch=member={0} roleSubtree = true allRolesMode=AuthOnly /
4- no, just 20% of the times when i logged in. sometimes it happens once a
day and sometimes i could not even login it contuisly doing this issue.
5- no randomly
6- the whole server takes 500 MB, it 's not that much.
7- if with busy you mean, how frequent users use it. Then no it is not, im
the only one it still in testing phase.
8- Windows server 2003
9- I think yes, if not then how users are logging to their domain using AD
accounts
On Mon, Oct 27, 2008 at 11:52 AM, Serge Fonville [EMAIL PROTECTED]
wrote:
I would need a little bit more information about your environment
Have you looked at te loggingHow is your network functioning
How is the realm configured
Has it always been like this or at some point
Are there specific times of day it occurs
How is the memory usage of tomcat
How busy is tomcat
What OS is it running on
Can you use ldap manually without errors
Regards,
Serge Fonville
On Mon, Oct 27, 2008 at 9:18 AM, Hisham Farahat [EMAIL PROTECTED]
wrote:
Dear All,
I have a problem with my web application. I configured tomcat 6.0 to
authenticate users through Realm ( LDAP), it connects to an active
directory
server. Everything seems OK, but sometimes the connection could not be
established ( Connection refused ) and it continues with this state for
~
10
minutes. Stopping and starting tomcat again won't affect anything, I
should
restart the machine so that users can access the web application
normally (
or just wait for 10 minutes). How can I solve this problem?
Regards,
--
Hisham Farahat
--
Hisham Farahat
--
Hisham Farahat
Re:
It is on a separate server, running windows server 2003. And no wrong passwords attempts, it happens from the 1st attempt. Sorry for the title thing :) On Mon, Oct 27, 2008 at 12:20 PM, André Warnier [EMAIL PROTECTED] wrote: Hisham Farahat wrote: Dear All, I have a problem with my web application. I configured tomcat 6.0 to authenticate users through Realm ( LDAP), it connects to an active directory server. Everything seems OK, but sometimes the connection could not be established ( Connection refused ) and it continues with this state for ~ 10 minutes. Stopping and starting tomcat again won't affect anything, I should restart the machine so that users can access the web application normally ( or just wait for 10 minutes). How can I solve this problem? Regards, As someone else asked, you need to provide some additional details, such as : - is this Tomcat running on your workstation ? else on what ? With only the explanation above, I would guess that the LDAP server somehow (maybe after a few unsuccesful attempts with bad passwords ?), puts your Tomcat server on some blacklist, and refuses connections from it. Maybe when you reboot the machine, it gets a different IP address and is thus no longer on the blacklist at first ? It does not sound like a specific Tomcat issue though. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Hisham Farahat
Tomcat server with two websites with two different authentications
Dear All, Can i configure tomcat to host to different websites? How can i do it? any directions? Moreover i need to have two different authentication methods for the two websites, (e.g. one using LDAP and the other using normal tomcat user list ( tomcat-users.xml) I hope some one help me in this. regards, -- Hisham Farahat
Re: Tomcat server with two websites with two different authentications
Thanks for your reply. How can i configure the virtual hosts in tomcat? On Mon, Oct 27, 2008 at 1:49 PM, Tim Funk [EMAIL PROTECTED] wrote: You need to configure a Realm per Virtual Host (or if different webapps in the same vhost need different authentication schemes - the Realm element can be per context too) http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html -Tim Hisham Farahat wrote: Dear All, Can i configure tomcat to host to different websites? How can i do it? any directions? Moreover i need to have two different authentication methods for the two websites, (e.g. one using LDAP and the other using normal tomcat user list ( tomcat-users.xml) - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Hisham Farahat
