The web.xml roles have a major impact when working with LDAP.  For
initial testing, I would recommend using your own user and, assuming AD,
look at what groups you belong to (such as 'Guest', 'Domain User', etc).
Add that group to your web.xml as a role, and that should get you past
the 403 error.

Once you get past the 403, you may run into the 'user not found' Slide
exception.   Then you will need to modify your domain.xml for
<auto-create-user>.

Hope this gets you a little further -- most of my experience is based on
JAAS-based authentication/authorization, not the JNDI stores, but it may
help.

-D

> -----Original Message-----
> From: Dennis Klein [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, August 09, 2006 11:42 AM
> To: [email protected]
> Subject: [Tomcat, LDAP] Authorization failed - 403
> 
> Hi,
> 
> I have problems getting my JNDIPrincipalStores working. I am 
> searching the slide-user mailing list and google for days 
> now. It's really hard to find a complete slide documentation 
> (for users). If I am wrong and you know a good place with 
> good documentation stuff, please give me a hint!
> 
> We have an LDAP server with about 900 users and some roles. My 
> aim is to run a slide server with access control with above 
> mentioned sets of users and roles. I chose the "Slide 
> bundled with Tomcat 5.0.28"
> package and got it running fine in default configuration.
> 
> Now, I want to add the required LDAP support. Authentication 
> is made by Tomcat, so I configured a JNDIRealm in the /slide 
> context in the server.xml 
> (http://www-linux.gsi.de/~dklein/slide/server.xml). This 
> works, here is my JNDIRealm log 
> (http://www-linux.gsi.de/~dklein/slide/jndirealm_log).
> 
> Next, I configured the JNDIPrincipalStores
> (http://www-linux.gsi.de/~dklein/slide/Domain.xml) and a 
> minimum acl (with the help of this mailing list). I 
> uncommented something security related in my web.xml file 
> (http://www-linux.gsi.de/~dklein/slide/web.xml). I do not 
> understand the relation between the security roles in the 
> web.xml file and the roles from LDAP!?
> 
> When I browse on http://localhost:8080/slide and logon with 
> above successfully authenticated credentials I get a 403 
> ("Access to the requested resource has been denied") error.
> 
> Here are my debug log files:
>  - catalina.out (http://www-linux.gsi.de/~dklein/slide/catalina.out)
>  - localhost_log.2006-08-09.txt
> (http://www-linux.gsi.de/~dklein/slide/localhost_log.2006-08-09.txt)
>  - localhost_slide_access_log.2006-08-09.txt
> (http://www-linux.gsi.de/~dklein/slide/localhost_slide_access_log.2006-08-09.txt)
> 
> Do you have any ideas? If I should do some work in reading 
> more docs, because my problem is standard, please provide 
> some resources.
> 
> However, my questions are:
> 
> How can I get this stuff working?
> 
> How is the relationship between my two JNDIPrincipalStores 
> being configured? Is it done by registering them with the 
> <userspath> and <rolespath> elements?
> 
> Is it possible to add a third store (additionally to the 
> JNDIPrincipalStore for roles), let me call it group-store, in 
> that way, that users can group some users "locally" (which 
> means, that these groups are only visible to the slide and do 
> not require changes in ldap server)?
> 
> thx in advance,
> all the best,
> 
> Dennis Klein
> <[EMAIL PROTECTED]>
> 
> p.s.: Sorry for my bad English. I don't speak English natively.
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 
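
The role check behind the 403 discussed in this thread, as an added example that is not part of the original e-mails or of Slide/Tomcat: after a successful login the container compares the role names the realm returned for the user with the `<role-name>` entries of the matching `<auth-constraint>` in web.xml. The sample web.xml and the role names `slide-admins` and `Domain Users` are constructed, and each matching constraint is checked on its own, which is a simplification of the container's rules that holds for a web.xml with a single constraint.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the poster's web.xml); "slide-admins" is hypothetical.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>DAV resource</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>slide-admins</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>slide-admins</role-name></security-role>
</web-app>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]          # drop the XML namespace prefix

def _texts(elem, name):
    return [(e.text or "").strip() for e in elem.iter() if _local(e.tag) == name]

def _matches(pattern, path):
    if pattern.endswith("/*"):             # path-prefix mapping
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):           # extension mapping
        return path.endswith(pattern[1:])
    return pattern in ("/", path)          # default or exact mapping

def check_access(web_xml, path, realm_roles):
    """Return (allowed, reason) for an already authenticated user."""
    root = ET.fromstring(web_xml)
    declared = {r for sr in root if _local(sr.tag) == "security-role"
                for r in _texts(sr, "role-name")}
    for sc in root:
        if _local(sc.tag) != "security-constraint":
            continue
        if not any(_matches(p, path) for p in _texts(sc, "url-pattern")):
            continue
        auth = [e for e in sc if _local(e.tag) == "auth-constraint"]
        if not auth:
            continue                       # no role restriction in this constraint
        allowed = set(_texts(auth[0], "role-name"))
        if "*" in allowed:                 # "*" means every declared security-role
            allowed = declared
        if not allowed & set(realm_roles): # role names compare case-sensitively
            return False, "403: needs one of %s, realm returned %s" % (
                sorted(allowed), sorted(realm_roles))
    return True, "allowed"
```

Calling `check_access(SAMPLE_WEB_XML, "/files/a.txt", {"Domain Users"})` reports the 403 together with the role names web.xml expects, which is the mismatch to look for before changing either side.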
