Hello,
I hope that I am not to late to post here. I have just returned to the
land of the living and have started to catch up on my reading. I noticed
that Robyne you were trying to find the "collective all" for your users.
I have just recently figured this out after working on it for two days.
Here is my working server.xml:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
connectionURL="ldap://your.AD.com";
alternateURL="ldap://other.AD.com";
connectionName="cn=USER DISPLAY NAME,ou=FIRST
SUB-GROUP,dc=AD,dc=com"
connectionPassword="XXXXXX"
referrals="follow"
userBase="dc=AD,dc=com"
userSearch="(&(sAMAccountName={0})(objectClass=user))"
userSubtree="true"
roleBase="dc=AD,dc=com"
roleSearch="(uniqueMember={0})"
roleName="cn"
/>
KEY:
cn = common name
ou = organizational unit
dc = domain controller
your.AD.com ----> www.yahoo.com
other.AD.com ----> mail.yahoo.com
USER DISPLAY NAME ----> This is the full name that shows up in
your AD, ie user might be johnd but full
name is John Doe.
For the connection name and password, it must be user that has
authority to access AD. This part is necessary to connect.
FIRST SUB-GROUP ----> This depends on how your organization is
built in AD. You might have departments like: Accounting, Human
Resources, Information Technologies.
In an AD structure it might look something like this:
COM
|
|_Yahoo
|
|
|_Accounting
| |_John Doe
|
|_Information Technologies
| |_Jack Daniels
|
|_Human Resources
|_Mary Jane
sAMAccountName ----> is the account name you most commonly login into
your computers with
objectClass="user" ----> this should be user, as defined in AD unless
your sys admin or someone has tampered
the AD.
referrals="follow" ----> this is necessary to traverse the full AD
without knowing the user's base location.
I hope that this clears up some issues for you. Please let me know if I
can help you more.
Dean E. Searle
Computing Oasis
989.245.7369 (P)
989.921.3904 (F)
-----Original Message-----
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 1:25 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more
Thanks.
-----Original Message-----
From: Hart, Justin [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 12:10 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more
Good luck.
-----Original Message-----
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 1:07 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more
Thanks, Justin,
You've given me some good pointers. I guess I'll do some more hammering
and snooping. Our AD is on a server and the administrators gave me an
administrator type password to try hitting it with, but they don't want
me snooping around too much. I don't actually have direct access to it.
Like I said, I have hit it with some JNDI, but that is new to me also,
and I still couldn't discover the tree structure adequately.
Anyway, I guess I'll try to pull things out of the loading script and my
LDAP books. It's so frustrating. I can't find and the administrators
don't know where the collective "all" of our users are located. They
found an example script, used it, and don't really know what they have
yet.
I really appreciate your time.
Thanks,
Rob
Ps I expect I'll have more questions later. Right now, I'm still stuck
just figuring out where "all users" are.
-----Original Message-----
From: Hart, Justin [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 11:40 AM
To: Tomcat Users List
Subject: RE: JNDIRealm...more
Oh, for the AD LDAP, I've been using the programs that came with Active
Directory. There is also an ldp.exe, I dunno where that came from, but
that's pretty useful.
-----Original Message-----
From: Hart, Justin
Sent: Tuesday, November 04, 2003 12:39 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more
I used * as my role-name.
Justin
-----Original Message-----
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 12:38 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more
Justin,
I REALLY appreciate your help. I've been stuck for a while.
I believe that Users is a CN . (scanning thru the script, I don't see
Users ever set as an OU, but I do see it as a CN.)
How are you browsing around in AD's LDAP? I have a jndi jsp that I've
tried finding things with.
One bit of info: The AD I am trying to authenticate to is on a
different box than the one I work on. I do know to hit AD with a
connection name and password, then I've tried to use the sAMAccountname
but have been unsuccessful. I can't quite get my "path" worked out.
I will look thru the DN, to see if I can find where all the users are a
member.
In my web.xml, I have tried form based and basic authentication. Which
are you using and don't you have to specify this stuff?:
<security-constraint>
<web-resource-collection>
<web-resource-name></web-resource-name>
<url-pattern></url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name></role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method></auth-method>
<!-- <realm-name></realm-name> -->
</login-config>
<security-role>
<role-name></role-name>
</security-role>
Would the role-name be the entry in the tomcat users or would it be an
entry in the AD? This is a new web-app I'm trying to get up and it will
be the first one in our group to authenticate against the AD. Our
previous authentication is being eliminated.
-----Original Message-----
From: Hart, Justin [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 11:14 AM
To: Tomcat Users List
Subject: RE: JNDIRealm...more
1) In terms of active directory, the roleSearch, in this case, would be
a group that the person logging in needs to be a member of. In terms of
mine, it would be the "ALL" mailing list for my company. What you need
to do, is browse around in active directory's LDAP (I assume that you're
doing this against active directory) and find the entry that describes
the NT group that you want all of your members to be a member of.
CN=tomcat is just part of the DN that identifies that group for the
other guy in this thread.
2) K, you need to get to your base directory that contrains users. That
could be multiple OU's deep, in terms of active directory, it probably
is, you'll probably have 1 layer for say, job sites, and another for
Users (hence Users). You'll see if it you browse down your active
directory tree... just enter the DN describing the level containing your
users.
3) web.xml contains the stuff specific to logging in, so essentially,
whatever you use for authentication now, can still be used, as long as
the data jibes with what's in your active directory.
Is that User's there a CN or a OU?
Justin
-----Original Message-----
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 12:08 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more
Hi,
I've been watching your emails andI'm still trying to understand. I
have a couple of ldap books and I'm trying to figure some things out. I
can authenticate to AD with known OU's and known common names, but I
can't use basic or form authentication and get them authenticated with
just a user-id and password.
What is: roleSearch="(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC=com)"
1. specifically, what is CN=tomcat ? Is that a role which has been
set up in AD?
What is: userBase="OU=Users,OU=[My OU],DC=[Domain],DC=com"
2. specifically, what is OU=[My OU] ?
3. What did you put in your web-app web.xml?
My AD administrators have not been able to explain our tree structure to
me. Either I'm asking the wrong questions, or they don't understand it
either. They have given me a copy of the script they used to load it.
I'm trying to look thru the script to discover the tree structure.
Also, they printed a screen print from their AD administrative tool. It
has this sort of structure: Active Directory Users and Computers
lubbock.isd
Builtin
CO
Computers
Disabled Accounts
Elem
ForeignSecurityPrincipals
HS
JH
LostAndFound
Microsoft Exchange System Object
OG
System
Users
Should that tell me what to plug into the OU? I know if I hit the AD
with an Administrative name, password and its OU, then I authenticate.
For instance "CN=Administratorname,OU=CO,dc=lubbock,dc=isd");. CO
stands for central office (in this case.) I know that this
administrative name is in the OU=CO. What do I do if my user is not in
OU=CO?
How do I authenticate when I'm not given the person's specific OU?
I don't understand why you're specifying 2 different values for OU?
Any help would be appreciated.
Thanks,
rob
-----Original Message-----
From: Hart, Justin [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 9:13 AM
To: Tomcat Users List
Subject: RE: JNDIRealm...more
I just got it working...
A million thank yous! I didn't really understand LDAP until learning
(some) about it yesterday, and once I started learning it, your example
made perfect sense, and now I can authenticate my users!
This rules very much!
Justin
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, November 03, 2003 4:16 PM
To: [EMAIL PROTECTED]
Subject: RE: JNDIRealm...more
Here's what I have......this works for me....hope this helps....
<Realm className="org.apache.catalina.realm.JNDIRealm"
debug="99"
connectionURL="ldap://[domain controller]:389"
userBase="OU=Users,OU=[My OU],DC=[Domain],DC=com"
userSearch="(sAMAccountName={0})"
userRoleName="member"
roleBase="OU=Users,OU=[my OU],DC=[Domain],DC=com"
roleName="memberOf"
roleSearch="(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC=com)"
connectionName="CN=Administrator,CN=Users,DC=[Domain],DC=com"
connectionPassword="[password]"
roleSubtree="true"
userSubtree="true"/>
-----Original Message-----
From: Hart, Justin [mailto:[EMAIL PROTECTED]
Sent: Monday, November 03, 2003 12:57 PM
To: Tomcat Users List
Subject: JNDIRealm...more
My server.xml now looks like this :
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
connectionURL="A good active directory server"
userBase="dc=MY DOMAIN NAME,dc=com"
userRoleName="member"
roleName="cn"
roleSearch="(userPrincipalName={0})"
roleSubtree="false"
userSubtree="false"
referrals="follow"
/>
Reading through the log shows no errors, just that the realm is openning
and closing connections with my LDAP server, after 3 tries, it tells me
that I need to use http authentication.
What's going wrong here?
Justin
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
