I configured OpenLDAP to log everything, and here's the error (as you suspected):
1. Tomcat authenticates the user, but cannot find the role he belongs to. Below is the OpenLDAP log output for the search operation. Note the "filter: (?=undefined)" message.
Mar 27 14:53:53 localhost slapd[5166]: SRCH "ou=groups,o=cymulacrum" 1 3
Mar 27 14:53:53 localhost slapd[5166]: 0 0 0
Mar 27 14:53:53 localhost slapd[5166]: begin get_filter
Mar 27 14:53:53 localhost slapd[5166]: EQUALITY
Mar 27 14:53:53 localhost slapd[5166]: end get_filter 0
Mar 27 14:53:53 localhost slapd[5166]: filter: (?=undefined)
Mar 27 14:53:53 localhost slapd[5166]: => get_ctrls
Mar 27 14:53:53 localhost slapd[5166]: => get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
Mar 27 14:53:53 localhost slapd[5166]: <= get_ctrls: n=1 rc=0 err=""
Mar 27 14:53:53 localhost slapd[5166]: attrs:
Mar 27 14:53:53 localhost slapd[5166]: cn
Mar 27 14:53:53 localhost slapd[5166]: Mar 27 14:53:53 localhost slapd[5166]: conn=1 op=4 SRCH base="ou=groups,o=cymulacrum" scope=1 filter="(?=undefined)"
Mar 27 14:53:53 localhost slapd[5166]: conn=1 op=4 SRCH attr=cn
Mar 27 14:53:53 localhost slapd[5166]: => ldbm_back_search
2. If I use ldapsearch with equivalent syntax, I get:
Mar 27 14:49:41 localhost slapd[5166]: SRCH "ou=groups,o=cymulacrum" 2 0
Mar 27 14:49:41 localhost slapd[5166]: 0 0 0
Mar 27 14:49:41 localhost slapd[5166]: begin get_filter
Mar 27 14:49:41 localhost slapd[5166]: PRESENT
Mar 27 14:49:41 localhost slapd[5166]: end get_filter 0
Mar 27 14:49:41 localhost slapd[5166]: filter: (cn=*)
Mar 27 14:49:41 localhost slapd[5166]: attrs:
Mar 27 14:49:41 localhost slapd[5166]: Mar 27 14:49:41 localhost slapd[5166]: conn=0 op=1 SRCH base="ou=groups,o=cymulacrum" scope=2 filter="(cn=*)"
Mar 27 14:49:41 localhost slapd[5166]: => ldbm_back_search
Both operations performed on the same OpenLDAP server.
Hope this helps !
Thanks and Regards,
Jeff Tulley wrote:
Pascal, what version of Tomcat are you using? In response to a defect, I added a feature to JNDIRealm a while back that applied a "filter" to certain JNDI realms to encode characters such as " and (. Later we learned that I should have focused that filtering a little more on a specific string, and too much was being filtered, so I submitted a fix. It was very simple, really only a one- or two-line fix.
The reason I suspect this is that your output below has "\28" and "\29" in the filter expression, which are the encodings for the parenthesis that would be surrounding the expression. The bug was that only the DN should have been encoded, not the whole filter expression.
It looks from the CVS logs like the fix should be in 5.0.19 and 5.0.20, but not 5.0.18.
Jeff Tulley ([EMAIL PROTECTED]) (801)861-5322 Novell, Inc., The Leading Provider of Net Business Solutions http://www.novell.com
>>> [EMAIL PROTECTED] 3/25/04 6:14:06 AM >>>
Hello, all !
I've got a really strange problem that is probably caused by my eyesight. I followed the JNDI Realm HowTo on the Jakarta site, and I set up the necessary LDIF file and put the necessary entries inside server.xml. After struggling with various typo errors and configuration mistakes (I was having a migraine at the time), I finally got Tomcat to authenticate with my OpenLDAP server. The trouble is, it cannot find the role, so I always get kicked out with an authorization error.
This is the error I am getting when I try to login to the Tomcat Web Administration page :
2004-03-25 20:42:53 JNDIRealm[Catalina]: lookupUser(tcadmin)
2004-03-25 20:42:53 JNDIRealm[Catalina]: dn=uid=tcadmin,ou=people,o=cymulacrum
2004-03-25 20:42:53 JNDIRealm[Catalina]: validating credentials by binding as the user
2004-03-25 20:42:53 JNDIRealm[Catalina]: binding as uid=tcadmin,ou=people,o=cymulacrum
2004-03-25 20:42:53 JNDIRealm[Catalina]: Username tcadmin successfully authenticated
2004-03-25 20:42:53 JNDIRealm[Catalina]: getRoles(uid=tcadmin,ou=people,o=cymulacrum)
2004-03-25 20:42:53 JNDIRealm[Catalina]: Searching role base 'ou=groups,o=cymulacrum' for attribute 'cn'
2004-03-25 20:42:53 JNDIRealm[Catalina]: With filter expression '\28uniqueMember=uid=tcadmin,ou=people,o=cymulacrum\29'
2004-03-25 20:42:53 JNDIRealm[Catalina]: Returning 0 roles
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--
"There is nothing so absurd but some philosopher has said it." -- Marcus Tullius Cicero
+----------------------------------------------------------------+
| Pascal Chong |
| email: [EMAIL PROTECTED] |
| |
| Please visit my site at : http://cymulacrum.net |
| If you're using my documentation, please read the Terms and |
| and Conditions at http://cymulacrum.net/terms.html |
+----------------------------------------------------------------+
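Added example (not code from this thread, from Tomcat or from OpenLDAP): the order-of-operations bug Jeff describes, reproduced in Python. JNDIRealm takes a roleSearch template such as (uniqueMember={0}) and substitutes the authenticated user's DN for {0}. The filter in Pascal's log, '\28uniqueMember=uid=tcadmin,ou=people,o=cymulacrum\29', is what you get when the whole expression is escaped after substitution instead of the value before it; slapd cannot decode it and logs the undefined filter as (?=undefined). The block builds the role filter both ways and runs each through a small RFC 4515 (RFC 2254 at the time) filter parser to show that the over-escaped form is not a filter at all. It then goes one step beyond the thread to show why the value must be escaped in the first place: a constructed hostile value, substituted unescaped into a conjunctive template, splices a second assertion into the filter, while the escaped form stays a single equality match. The user DN and the uniqueMember attribute come from the log above; the conjunctive template, the hostile value and all function names are constructed for this example.

```python
import re

# Characters RFC 4515 requires to be escaped inside an assertion value,
# each replaced by a backslash followed by two hex digits.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it cannot alter the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def naive_substitute(template: str, user_dn: str) -> str:
    """No escaping at all: the hazard the JNDIRealm filtering was added to close."""
    return template.replace("{0}", user_dn)


def buggy_escape_whole_filter(template: str, user_dn: str) -> str:
    """Substitute first, then escape the entire expression (the behaviour the
    thread describes): the template's own parentheses get hex-escaped too."""
    return escape_filter_value(template.replace("{0}", user_dn))


def build_role_filter(template: str, user_dn: str) -> str:
    """Correct order: escape only the substituted value, then fill the template."""
    return template.replace("{0}", escape_filter_value(user_dn))


class FilterSyntaxError(ValueError):
    """Raised when text is not a well-formed RFC 4515 search filter."""


_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9;.-]*")
# An assertion value is any run of: ordinary characters (no NUL, parens,
# '*' or '\'), escaped hex pairs, or a bare '*' (presence/substring).
_VALUE = re.compile(r"(?:[^()\\*\x00]|\\[0-9a-fA-F]{2}|\*)*")


def parse_filter(text: str):
    """Parse a filter into nested tuples: ('&'|'|', [subfilters]), ('!', sub)
    or (attribute, operator, value). Raises FilterSyntaxError on bad input.
    This is a deliberately small subset: no extensible-match rules."""
    node, pos = _parse_node(text, 0)
    if pos != len(text):
        raise FilterSyntaxError(f"trailing data at offset {pos}: {text[pos:]!r}")
    return node


def _parse_node(text: str, pos: int):
    if not text.startswith("(", pos):
        raise FilterSyntaxError(f"expected '(' at offset {pos} in {text!r}")
    pos += 1
    if text.startswith(("&", "|"), pos):
        op, pos = text[pos], pos + 1
        subs = []
        while text.startswith("(", pos):
            sub, pos = _parse_node(text, pos)
            subs.append(sub)
        if not subs:
            raise FilterSyntaxError(f"empty {op!r} filter at offset {pos}")
        node = (op, subs)
    elif text.startswith("!", pos):
        sub, pos = _parse_node(text, pos + 1)
        node = ("!", sub)
    else:
        m = _ATTR.match(text, pos)
        if not m:
            raise FilterSyntaxError(f"expected attribute at offset {pos} in {text!r}")
        attr, pos = m.group(0), m.end()
        for op in ("~=", ">=", "<=", "="):
            if text.startswith(op, pos):
                pos += len(op)
                break
        else:
            raise FilterSyntaxError(f"expected comparison operator at offset {pos}")
        m = _VALUE.match(text, pos)
        value, pos = m.group(0), m.end()
        node = (attr, op, value)
    if not text.startswith(")", pos):
        raise FilterSyntaxError(f"expected ')' at offset {pos} in {text!r}")
    return node, pos + 1


def is_valid_filter(text: str) -> bool:
    try:
        parse_filter(text)
        return True
    except FilterSyntaxError:
        return False


# Constructed inputs. ROLE_SEARCH is the template shape JNDIRealm's roleSearch
# uses ({0} = the authenticated user's DN); USER_DN is the DN from the thread.
ROLE_SEARCH = "(uniqueMember={0})"
USER_DN = "uid=tcadmin,ou=people,o=cymulacrum"
# A conjunctive template and a hostile value (both constructed) to show why
# the substituted value has to be escaped at all.
GROUP_ROLE_SEARCH = "(&(objectClass=groupOfUniqueNames)(uniqueMember={0}))"
HOSTILE_DN = "*)(objectClass=*"

if __name__ == "__main__":
    cases = [
        ("over-escaped (bug)", buggy_escape_whole_filter(ROLE_SEARCH, USER_DN)),
        ("escape value only", build_role_filter(ROLE_SEARCH, USER_DN)),
        ("unescaped hostile", naive_substitute(GROUP_ROLE_SEARCH, HOSTILE_DN)),
        ("escaped hostile", build_role_filter(GROUP_ROLE_SEARCH, HOSTILE_DN)),
    ]
    for label, f in cases:
        ok = is_valid_filter(f)
        print(f"{label:19} {f}")
        print(f"{'':19} valid={ok} parsed={parse_filter(f) if ok else None}")
```

Run as a script it prints the four filters with their parse results. The first case reproduces Pascal's log line exactly and fails to parse because the leading character is a backslash, not "("; the third parses cleanly into three AND terms, one of them objectClass=*, which is how an unescaped value rewrites the query; the fourth keeps the hostile text inside a single uniqueMember assertion. The practical check is that escaping is applied to the value going into the template and never to the template itself.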
