In order to query the LDAP tree, you have to bind to it. Binding requires
that anonymous bind be enabled, or that you bind with a user id and
password. This is just how LDAP works.

The information that I sent you was information I learned while creating an
LDAP authentication module for our software.

George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
  

> -----Original Message-----
> From: Michal Kwiatek [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, August 11, 2005 9:30 AM
> To: Tomcat Users List
> Subject: RE: tomcat and active directory
> 
> I have just seen that it works. But I don't understand it: if tomcat
> uses bind to authenticate the user accessing the webpage, why does it
> need a different AD user?
> 
> Isn't it a bug in the realm implementation?
> 
> Michal.
> 
> > -----Original Message-----
> > From: George Sexton [mailto:[EMAIL PROTECTED] 
> > Sent: Thursday, August 11, 2005 5:27 PM
> > To: 'Tomcat Users List'
> > Subject: RE: tomcat and active directory
> > 
> > It looks like you are configured for anonymous bind.
> > 
> > By default, the AD LDAP implementation does not allow 
> > anonymous bind. You have two ways of handling this:
> > 
> > 1. Configure your AD tree to allow anonymous bind. Essentially, you will
> >    need to create an ACL against the appropriate object (container) in
> >    the tree.
> > 2. Create a low powered user that has read access to the directory tree
> >    and configure the realm to bind as that user.
> > 
> > George Sexton
> > MH Software, Inc.
> > http://www.mhsoftware.com/
> > Voice: 303 438 9585
> >   
> > 
> > > -----Original Message-----
> > > From: Michal Kwiatek [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, August 11, 2005 8:17 AM
> > > To: Tomcat Users List
> > > Subject: tomcat and active directory
> > > 
> > > Have any of you managed to configure tomcat JNDIRealm to talk to Active
> > > Directory?
> > > I'm having a hard time setting it up and my wild guess is that the
> > > JNDIRealm does not support the SASL mechanism.
> > > 
> > > Here's my config:
> > > 
> > > <Realm className="org.apache.catalina.realm.JNDIRealm"
> > >        debug="99"
> > >        connectionURL="ldap://cern.ch"
> > >        userBase="OU=Organic Units,DC=cern,DC=ch"
> > >        userSearch="(userPrincipalName={0})"
> > >        userRoleName="memberOf"
> > > />
> > > 
> > > my error message:
> > > 
> > > 2005-08-11 15:57:06 org.apache.catalina.realm.JNDIRealm authenticate
> > > SEVERE: Exception performing authentication
> > > javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr:
> > > DSID-0C090627, comment: In order to perform this operation a successful
> > > bind must be completed on the connection., data 0, vece ]; remaining name
> > > 'OU=Organic Units,DC=cern,DC=ch'
> > > 
> > > At the same time, I can connect to Active Directory with the same 
> > > settings using ldapsearch:
> > > 
> > > ldapsearch -h cerndc01.cern.ch -p 389 -D [EMAIL PROTECTED] -w 
> > > my_password -b 'OU=Organic Units,DC=cern,DC=ch' 
> > > [EMAIL PROTECTED]
> > > 
> > > Any ideas?
> > > 
> > > Thanks in advance,
> > > Michal.
> > > 
> > > > -----Original Message-----
> > > > From: Michal Kwiatek [mailto:[EMAIL PROTECTED]
> > > > Sent: Thursday, August 11, 2005 4:06 PM
> > > > To: Tomcat Users List
> > > > Subject: RE: realm in context in war file
> > > > 
> > > > I've sorted it out: the problem was in the syntax! I was using
> > > > "context" instead of "Context", and tomcat (5.0.28) simply ignored
> > > > it without writing any error message.
> > > > 
> > > > But thanks for the tip for 5.5 - I'm going to migrate soon, so it
> > > > will be useful.
> > > > 
> > > > Michal.
> > > > 
> > > > > -----Original Message-----
> > > > > From: Caldarale, Charles R [mailto:[EMAIL PROTECTED]
> > > > > Sent: Thursday, August 11, 2005 4:03 PM
> > > > > To: Tomcat Users List
> > > > > Subject: RE: realm in context in war file
> > > > > 
> > > > > > From: Michal Kwiatek [mailto:[EMAIL PROTECTED]
> > > > > > Subject: realm in context in war file
> > > > > > 
> > > > > > I have the following context definition:
> > > > > > 
> > > > > > <context path="/test1" override="true" docBase="webapps/test1">
> > > > > >   <realm
> > > > > >     className="org.apache.catalina.realm.MemoryRealm"
> > > > > >     debug="9999"
> > > > > >     pathname="webapps/test1/META-INF/context-users.xml"
> > > > > >   />
> > > > > > </context>
> > > > > 
> > > > > What level of Tomcat are you using?  If it's 5.5, you should not have
> > > > > a path attribute.  If you remove the pathname attribute from the
> > > > > <realm> tag, does authentication function with the default
> > > > > conf/tomcat-users.xml?
> > > > > 
> > > > >  - Chuck
> > > > > 


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
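Added example, not taken from any message in this thread: the Realm element Michal posted, placed beside a version that follows George's second option, binding the realm with a dedicated low-privilege read-only account through JNDIRealm's connectionName and connectionPassword attributes. The service account name (tomcat-ldap@cern.ch), its password, the ldaps:// port and userSubtree="true" are assumptions for illustration and do not come from the thread; the host and userBase values are the ones in Michal's config.

```xml
<!-- Added example (not from the thread). Assumes the Tomcat 5.0 JNDIRealm
     discussed above, talking to Active Directory. -->

<!-- As posted: no connectionName/connectionPassword, so the realm opens its
     search connection with an anonymous bind. AD refuses the user search on
     that connection (LDAP error code 1, "a successful bind must be completed"),
     so authentication fails before the user's own password is ever tried. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="99"
       connectionURL="ldap://cern.ch"
       userBase="OU=Organic Units,DC=cern,DC=ch"
       userSearch="(userPrincipalName={0})"
       userRoleName="memberOf"
/>

<!-- Corrected: the realm binds as a dedicated low-privilege account to search
     for the user's DN, then re-binds as that DN with the password the user
     typed. The account name and password below are placeholders. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="99"
       connectionURL="ldaps://cern.ch:636"
       connectionName="tomcat-ldap@cern.ch"
       connectionPassword="CHANGE_ME"
       userBase="OU=Organic Units,DC=cern,DC=ch"
       userSubtree="true"
       userSearch="(userPrincipalName={0})"
       userRoleName="memberOf"
/>
```

This answers the "why a different AD user" question in the thread: the realm only knows the name the user typed, not the user's DN, so it has to search the tree first, and AD will not serve that search on an anonymous connection. The service account needs nothing beyond read access to the user and group objects under userBase, and its password sits in server.xml in cleartext, so restrict that file's permissions. The corrected block uses ldaps:// because a simple bind over plain ldap:// sends both the service account's and the user's password in cleartext; this requires the JVM to trust the domain controller's certificate, which is a separate setup step. Michal's ldapsearch command (bound with -D and -w) succeeding while the anonymous realm failed is exactly the check that points at a missing bind rather than a SASL problem.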
