Yes, I found this error:

Mrz 17, 2014 12:50:59 PM org.apache.catalina.realm.UserDatabaseRealm startInternal
Schwerwiegend: Exception looking up UserDatabase under key UserDatabase
javax.naming.NameNotFoundException: Name [UserDatabase] is not bound in this Context. Unable to find [UserDatabase].
        at org.apache.naming.NamingContext.lookup(NamingContext.java:820)
        at org.apache.naming.NamingContext.lookup(NamingContext.java:168)
        at org.apache.catalina.realm.UserDatabaseRealm.startInternal(UserDatabaseRealm.java:255)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5168)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:618)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:650)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1582)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
        at java.util.concurrent.FutureTask.run(FutureTask.java:262)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:744)

While activating the AD realm I commented out the UserDatabase Resource:

<GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <!-- <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" /> -->
</GlobalNamingResources>

and:

<!-- <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>-->

Might this be my problem? I thought tomcat-users.xml and the UserDatabaseRealm
are not necessary anymore?

Best Regards,
Bjoern


-----Original Message-----
From: Felix Schumacher [mailto:felix.schumac...@internetallee.de]
Sent: Monday, 17 March 2014 14:11
To: Tomcat Users List; Becker, Björn
Subject: Re: JNDIRealm - Active Directory Roles



On 17 March 2014 13:53:18 CET, bjoern.bec...@easycash.de wrote:
>Well, I still got a problem.
>After activating my Active Directory realm the applications don't
>anymore.
>
>I got this error:
>
>Mrz 17, 2014 1:49:28 PM org.apache.catalina.startup.HostConfig deployDescriptor
>Schwerwiegend: Error deploying configuration descriptor /app/tomcat2/tomcat/conf/Catalina/localhost/app.xml
>java.lang.IllegalStateException: ContainerBase.addChild: start: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/app]]

Have you looked at the localhost log file? Maybe you have a problem with web.xml?

Regards
Felix

>       at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:904)
>       at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
>       at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:618)
>       at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:650)
>       at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1582)
>       at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>       at java.util.concurrent.FutureTask.run(FutureTask.java:262)
>       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>       at java.lang.Thread.run(Thread.java:744)
>
>
>Best Regards,
>Bjoern
>
>
>-----Original Message-----
>From: Becker, Björn
>Sent: Monday, 17 March 2014 13:06
>To: users@tomcat.apache.org
>Subject: Re: JNDIRealm - Active Directory Roles
>
>Hello Felix,
>
>thanks for the explanation! I got it now!
>
>What helped was to enable debugging:
>
># conf/logging.conf
># This would turn on trace-level for everything
># the possible levels are: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL
>#org.apache.catalina.level = ALL
>#org.apache.catalina.handlers = 2localhost.org.apache.juli.FileHandler
>org.apache.catalina.realm.level = ALL
>org.apache.catalina.realm.useParentHandlers = true
>org.apache.catalina.authenticator.level = ALL
>org.apache.catalina.authenticator.useParentHandlers = true
>
>I got this realm config now:
>
>       <Realm className="org.apache.catalina.realm.JNDIRealm"
>              connectionName="CN=SVC_TomcatLdapQuery,OU=Service Accounts,OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC= "
>              connectionPassword="PASS"
>              connectionURL="ldap://server:389/OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC=?sAMAccountName?sub?(objectClass=*)"
>              userSearch="(sAMAccountName={0})"
>              userSubtree="true"
>              roleSubtree="true"
>              roleName="CN"
>              userRoleName="memberOf"
>       />
>
>And I copied the manager-gui constraint in the web.xml of the manager
>application and put in my new role:
>
><role-name>CN=DG_R_Tomcat Admins UAT,OU=Roles,OU=Spezielle Gruppen,OU=Hamburg,OU=SITES,OU=\#KONFIGURATION,DC=,DC= </role-name>
>
>Thanks a lot! 
>
>Best Regards,
>Bjoern
>
>-----Original Message-----
>From: Felix Schumacher [mailto:felix.schumac...@internetallee.de]
>Sent: Saturday, 15 March 2014 21:52
>To: users@tomcat.apache.org
>Subject: Re: JNDIRealm - Active Directory Roles
>
>On 13.03.2014 18:15, bjoern.bec...@easycash.de wrote:
>> Hello,
>>
>> I'm trying to implement authentication for the Tomcat manager application against Active Directory.
>>
>> Unfortunately I don't understand the role concept. I would like to give users permission to open the manager when they're in this group:
>>
>>> memberOf: CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de
>> server.xml:
>>          <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>>                  connectionName="CN=SVC,OU=Service Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
>>                  connectionPassword="_2VK!WHzybn1SJ8P"
>>                  connectionURL="ldap://server:389/OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de?sAMAccountName?sub?(objectClass=*)"
>>
>>                  userSearch="(sAMAccountName={0})"
>>                  userSubtree="true"
>>
>>                  roleSearch="(memberof={0})"
>>                  roleSubtree="true"
>>                  userRoleName="CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de "
>>              />
>>
>> <!--            roleBase="DC=DOM,DC=de"
>>                  roleName="cn"
>> -->
>>
>> With this configuration I can open the Manager, but get no permissions.
>>
>> Even if the user-role relationship is found, I don't understand how I can assign Tomcat roles (e.g. manager-gui) to the user.
>
>Looking at the documentation on
>http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm
>you have three settings which are most probably not correct.
>
>* roleSearch will only be used if roleName is set (which is commented
>out in your configuration)
>* roleSearch will be used to search for objects that match the given 
>filter. In your case you would find user objects instead of group 
>objects.
>* userRoleName should be the name of an attribute in the user object 
>(cn=... is not a name of an attribute, but rather a value)
>
>So given your goal, that cn=tomcat admins,... should be a role, you 
>have two options.
>
>* You could activate roleName=cn (or another attribute name) and change
>the roleSearch to member={0}. Then the realm would (hopefully) find the
>object cn=tomcat admins,...
>* You could change userRoleName to memberOf
>
>In the first case your user would have a role with the name "Tomcat 
>Admins". The second option would lead to a role name of "cn=Tomcat 
>Admins,...".
>
>In both cases you would have to change the security constraints in the 
>webapp (those are defined in the WEB-INF/web.xml file).
>
>If your role objects had other attributes with values that match the 
>roles defined in web.xml you could simply change roleName in the first 
>option above.
>
>Regards
>  Felix
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>For additional commands, e-mail: users-h...@tomcat.apache.org
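To make the two options in Felix's answer concrete, here is an added example (not taken from the thread, and not Tomcat's shipped configuration): a server.xml Realm for each option, followed by the manager web.xml constraint with the role name each option produces. The host ad.example.internal, the base DNs, the service account CN=svc-tomcat, the password placeholder and the group "Tomcat Admins" are assumptions. In roleSearch, {0} is replaced by the DN of the user entry that userSearch found and {1} by the login name, so option 1 depends on the user lookup succeeding before any group is matched.

```xml
<!-- server.xml, option 1: search group objects whose "member" attribute
     contains the user's DN; the role name is the group's cn attribute,
     so the user ends up with the role "Tomcat Admins".
     Host, DNs and account are placeholders (assumed, not from the thread). -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ad.example.internal:389"
       connectionName="CN=svc-tomcat,OU=Service Accounts,DC=example,DC=internal"
       connectionPassword="PLACEHOLDER_SERVICE_ACCOUNT_PASSWORD"
       userBase="OU=Users,DC=example,DC=internal"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleBase="OU=Roles,DC=example,DC=internal"
       roleSearch="(member={0})"
       roleSubtree="true"
       roleName="cn" />

<!-- server.xml, option 2: no group search at all; every value of the
     user's own memberOf attribute becomes a role, so the role name is
     the full group DN "CN=Tomcat Admins,OU=Roles,DC=example,DC=internal". -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ad.example.internal:389"
       connectionName="CN=svc-tomcat,OU=Service Accounts,DC=example,DC=internal"
       connectionPassword="PLACEHOLDER_SERVICE_ACCOUNT_PASSWORD"
       userBase="OU=Users,DC=example,DC=internal"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       userRoleName="memberOf" />

<!-- manager/WEB-INF/web.xml: the HTML manager constraint, with role-name
     set to the exact string the chosen realm option produces (the
     comparison is a plain string match, so spelling and case matter). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTML Manager interface (for humans)</web-resource-name>
    <url-pattern>/html/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- option 1 -->
    <role-name>Tomcat Admins</role-name>
    <!-- option 2 would instead read:
         <role-name>CN=Tomcat Admins,OU=Roles,DC=example,DC=internal</role-name> -->
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>Tomcat Admins</role-name>
</security-role>
```

With either option the service account only needs read access to the user and group entries, and because connectionPassword sits in clear text in conf/server.xml that file should be readable by the Tomcat user alone. The realm-level logging Bjoern enabled (org.apache.catalina.realm.level = ALL) prints the role strings the realm actually computed, which is the quickest way to see why a web.xml role-name does not match.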
