Hello,

I need some assistance with Tomcat and LDAP authentication.
After trying many different server.xml realm configuration settings I was
finally able to get connectivity to our LDAP server from Tomcat 8.0.9, but
this is still not authenticating any users.

From the following configurations, can anyone tell if something is possibly
missing or incorrect in syntax?
I am new to Tomcat/LDAP setup and not sure what could be the issue here.
My server.xml settings:

<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionName="cn=Users,dc=companyname,dc=com"
       connectionURL="ldap://ldaphostname.com:389"
       alternateURL="ldap://ldaphostname2.visa.com:389"
       userPattern="cn={0},dc=companyname,dc=com"
       roleBase="Ou=Groups,dc=companyname,dc=com"
       roleName="cn"
       roleSearch="(Users={0})"
       roleSubtree="true" />


webapp/WEB-INF/web.xml settings:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
    http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <security-constraint>
    <display-name>SecurityConstraint</display-name>
    <web-resource-collection>
      <web-resource-name>scheduling</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Groups</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>*</role-name>
  </security-role>
</web-app>

The catalina.log result after attempts to log in to the Tomcat web application:

29-Nov-2016 21:48:44.957 INFO [main] org.apache.coyote.AbstractProtocol.start 
Starting ProtocolHandler ["ajp-nio-8009"]
29-Nov-2016 21:48:44.966 INFO [main] org.apache.coyote.AbstractProtocol.start 
Starting ProtocolHandler ["http-bio-443"]
29-Nov-2016 21:48:45.010 INFO [main] 
com.visa.tcserver.properties.SystemPropertiesExporter.lifecycleEvent Effective 
Properties written to 
/opt/webdev/apache-tomcat-8.0.9/conf/effectiveProperties.xml
29-Nov-2016 21:48:45.011 INFO [main] org.apache.catalina.startup.Catalina.start 
Server startup in 29076 ms
29-Nov-2016 21:48:49.225 FINE [http-bio-443-exec-1] 
org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking 
request GET /scheduling/
29-Nov-2016 21:48:49.230 FINE [http-bio-443-exec-1] 
org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking 
constraint 'SecurityConstraint[scheduling]' against GET /index.jsp --> true
29-Nov-2016 21:48:49.231 FINE [http-bio-443-exec-1] 
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling 
hasUserDataPermission()
29-Nov-2016 21:48:49.233 FINE [http-bio-443-exec-1] 
org.apache.catalina.realm.RealmBase.hasUserDataPermission   User data 
constraint already satisfied
29-Nov-2016 21:48:49.233 FINE [http-bio-443-exec-1] 
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling 
authenticate()
29-Nov-2016 21:48:49.242 FINE [http-bio-443-exec-1] 
org.apache.catalina.authenticator.FormAuthenticator.authenticate Save request 
in session '21072264578E08ED6F1B38591CDDA9F3'
29-Nov-2016 21:48:49.249 FINE [http-bio-443-exec-1] 
org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage 
Forwarding request for [/scheduling/] made with method [GET] to login page 
[/login.jsp] of context [/scheduling] using request method GET
29-Nov-2016 21:48:49.295 FINE [http-bio-443-exec-1] 
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed 
authenticate() test
29-Nov-2016 21:49:01.631 FINE [http-bio-443-exec-2] 
org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking 
request POST /scheduling/j_security_check
29-Nov-2016 21:49:01.636 FINE [http-bio-443-exec-2] 
org.apache.catalina.authenticator.FormAuthenticator.authenticate Authenticating 
username 'hitaylor'
29-Nov-2016 21:49:01.704 FINE [http-bio-443-exec-2] 
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed 
authenticate() test ??/scheduling/j_security_check

Login.jsp:

<body>
<section class="container">
  <div class="logo">
    <p>VISA</p>
  </div>
  <br>
  <h2 align="center"><font color="#FFFFFF">CSO Operations</font></h2>
  <div class="login">
    <h1><font color="#CE9E11">Job Scheduling Panel Login</font></h1>
    <br>
    <form method="POST" action="<%= response.encodeURL(request.getContextPath() +
        "/j_security_check")%>">
      <p align="center">UserName
      <input type="text" name="j_username" value="" placeholder="Username or
      Email"></p>
      <br><p align="center">Password
      <input type="password" name="j_password" value="" placeholder="Password"></p>
      <br>
      <p class="submit"><input type="submit" name="commit" value="Login"></p>
    </form>
  </div>


The effectiveProperties.xml file shows the following:

<Realms>
        <Realm.realmPath.realm0>
            <adCompat>false</adCompat>
            <allRolesMode>strict</allRolesMode>
            <alternateURL>ldap://visaldapocc.visa.com:389</alternateURL>
            <authentication>null</authentication>
            <className>org.apache.catalina.realm.JNDIRealm</className>
            <commonRole>null</commonRole>
            <connectionName>cn=Users,dc=visa,dc=com</connectionName>
            <connectionPassword>********</connectionPassword>
            <connectionTimeout>5000</connectionTimeout>
            <connectionURL>ldap://visadcocc.visa.com:389</connectionURL>
            <contextFactory>com.sun.jndi.ldap.LdapCtxFactory</contextFactory>
            <digest>null</digest>
            <digestEncoding>null</digestEncoding>
            <modelerType>org.apache.catalina.realm.JNDIRealm</modelerType>
            <protocol>null</protocol>
            <realmPath>/realm0</realmPath>
            <referrals>null</referrals>
            <roleBase>Ou=Groups,dc=visa,dc=com</roleBase>
            <roleName>cn</roleName>
            <roleNested>false</roleNested>
            <roleSearch>(Users={0})</roleSearch>
            <roleSubtree>true</roleSubtree>
            <stateName>STARTED</stateName>
            <userBase></userBase>
            <userPassword>********</userPassword>
            <userPattern>cn={0},dc=visa,dc=com</userPattern>
            <userRoleName>null</userRoleName>
            <userSearch>null</userSearch>
            <userSubtree>false</userSubtree>
            <validate>true</validate>
        </Realm.realmPath.realm0>
</Realms>

Thanks for any information or pointers on this.

________________________________
Larry Taylor
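As an added example (not from the original post and not Tomcat's own code), the following Python script expands a JNDIRealm element the way Tomcat 8 substitutes it at login time (userPattern {0} = username; roleSearch {0} = user DN, {1} = username, per the JNDIRealm documentation) so the DN and filter actually sent to the directory can be read off and the usual configuration gaps flagged before touching the server. The sample Realm mirrors the posted one with placeholder hostnames and DNs, and the membership-attribute list and RFC 4515 escaping are this example's own assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed stand-in for the posted <Realm>; hostnames and DNs are placeholders.
REALM_XML = """<Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionName="cn=Users,dc=example,dc=com"
    connectionURL="ldap://ldap.example.com:389"
    userPattern="cn={0},dc=example,dc=com"
    roleBase="ou=Groups,dc=example,dc=com" roleName="cn"
    roleSearch="(Users={0})" roleSubtree="true"/>"""

# Group-membership attributes commonly used by directory schemas (heuristic only).
MEMBERSHIP_ATTRS = ("member", "uniquemember", "memberuid")


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter (this
    example's own defensive step: a username like 'x)(cn=*' cannot rewrite it)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def expand_realm(realm_xml: str, username: str) -> dict:
    """Return the DNs and role filter the realm would derive for `username`,
    plus a list of configuration findings a reviewer would raise."""
    r = ET.fromstring(realm_xml).attrib
    findings = []
    if urlsplit(r.get("connectionURL", "")).scheme == "ldap":
        findings.append("connectionURL is plain ldap://: bind passwords cross "
                        "the network unencrypted (use ldaps:// or startTLS)")
    if r.get("connectionName") and not r.get("connectionPassword"):
        findings.append("connectionName is set but connectionPassword is not: "
                        "the directory bind has no credentials")
    if not (r.get("userPattern") or (r.get("userBase") and r.get("userSearch"))):
        findings.append("neither userPattern nor userBase+userSearch is set")
    # userPattern {0} = username; JNDIRealm builds the user DN directly from it.
    user_dn = r.get("userPattern", "").replace("{0}", username)
    # roleSearch {0} = user DN, {1} = username, per the JNDIRealm documentation.
    role_filter = (r.get("roleSearch", "")
                   .replace("{0}", ldap_filter_escape(user_dn))
                   .replace("{1}", ldap_filter_escape(username)))
    m = re.match(r"\((\w+)=", role_filter)
    if m and m.group(1).lower() not in MEMBERSHIP_ATTRS:
        findings.append(f"roleSearch matches on attribute '{m.group(1)}'; group "
                        "membership is usually held in member/uniqueMember/memberUid")
    return {"bind_dn": r.get("connectionName"), "user_dn": user_dn,
            "role_base": r.get("roleBase"), "role_filter": role_filter,
            "findings": findings}
```

Running `expand_realm(REALM_XML, "jdoe")` shows the role search the realm would issue under `ou=Groups,...` as `(Users=cn=jdoe,dc=example,dc=com)`, which makes it easy to compare the left-hand attribute against what the directory actually stores on its group entries.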