On 17/4/20 10:28 pm, Mark Thomas wrote:
> On 16/04/2020 09:56, Brian Burch wrote:
>> On 15/4/20 6:24 am, Mark Thomas wrote:
>> <snip/>
>>> I'd expect you to see an error message if your server.xml isn't quite
>>> right although that is what this looks like.
>> There was no error message. I think my xml was syntax-free, but it did
>> not reflect my intent.
> Can you provide before and after extracts from server.xml. I'm not 100%
> sure what your non-working configuration looked like. I'll see if we can do
> anything to highlight the configuration issue.
<snip/>
My Realm definitions are always nested inside the https Connector and
its Engine definition.
Here are the definitions of the two Realms for tc 7.0.52, which
successfully authenticated the browser-supplied cleartext passwords
against the SHA hashes from my LDAP server.
<Realm className="org.apache.catalina.realm.LockOutRealm"
       cacheSize="1000"
       failureCount="4"
       lockOutTime="1200"
       cacheRemovalWarningTime="86400" >
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionName="uid=tomcatAuthenticate,ou=Special Users,o=pingtoo.com"
         connectionPassword="<redacted>"
         connectionURL="ldap://ldap.pingtoo.com:10389"
         userBase="ou=people,o=pingtoo.com"
         userSubtree="false"
         userSearch="(uid={0})"
         userRoleName="tomcatRole"
         userPassword="userPassword"
         digest="SHA" />
</Realm>
The JNDIRealm is nested properly inside the LockOutRealm.
This server.xml could not authenticate users under tomcat 8.54,
presumably because the Realm algorithm parameter had been deprecated.
------------------------------------------------------------
The following Realm definition caused JNDIRealm to call
MessageDigestCredentialHandler.matches, which called its own
getAlgorithm method, which returned null (not SHA-1).
<Realm className="org.apache.catalina.realm.LockOutRealm"
       cacheSize="1000"
       failureCount="4"
       lockOutTime="1200"
       cacheRemovalWarningTime="86400" >
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionName="uid=tomcatAuthenticate,ou=Special Users,o=pingtoo.com"
         connectionPassword="<redacted>"
         connectionURL="ldap://ldap.pingtoo.com:10389"
         userBase="ou=people,o=pingtoo.com"
         userSubtree="false"
         userSearch="(uid={0})"
         userRoleName="tomcatRole"
         userPassword="userPassword" />
  <CredentialHandler
         className="org.apache.catalina.realm.MessageDigestCredentialHandler"
         algorithm="MD5" />
</Realm>
My mistake was to nest JNDIRealm properly, but code it as
self-terminating. I guess the CredentialHandler was associated with the
LockOutRealm, rather than the JNDIRealm.
------------------------------------------------------------------
Just to finish the story, here's the properly nested version which works
with SHA-1 and LDAP password hashes prefixed with {SHA}.
<Realm className="org.apache.catalina.realm.LockOutRealm"
       cacheSize="1000"
       failureCount="4"
       lockOutTime="1200"
       cacheRemovalWarningTime="86400" >
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionName="uid=tomcatAuthenticate,ou=Special Users,o=pingtoo.com"
         connectionPassword="<redacted>"
         connectionURL="ldap://ldap.pingtoo.com:10389"
         userBase="ou=people,o=pingtoo.com"
         userSubtree="false"
         userSearch="(uid={0})"
         userRoleName="tomcatRole"
         userPassword="userPassword" >
    <CredentialHandler
         className="org.apache.catalina.realm.MessageDigestCredentialHandler"
         algorithm="SHA-1" />
  </Realm>
</Realm>
Thanks for your help getting me this far!
I will reply to the later points in your last post in subsequent emails.
Brian
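The misplacement Brian describes is easy to miss by eye, because both versions are well-formed XML. As an added check that is not part of the thread or of Tomcat itself, the script below parses a server.xml Realm fragment and reports, for every CredentialHandler, which Realm directly contains it, flagging handlers that ended up on a wrapper realm (LockOutRealm or CombinedRealm) instead of the realm that actually verifies passwords. The two sample fragments are constructed from the configurations above with the connection details left out.

```python
"""Report where each <CredentialHandler> in a Tomcat Realm fragment is attached.

Tomcat applies a CredentialHandler to the Realm element that directly
contains it. If the JNDIRealm is written self-closing, the handler that
follows it becomes a child of the enclosing LockOutRealm, which never
compares passwords, so the JNDIRealm keeps no handler at all.
"""
import xml.etree.ElementTree as ET

# Realms that only delegate to nested realms and never verify a credential.
WRAPPER_REALMS = {
    "org.apache.catalina.realm.LockOutRealm",
    "org.apache.catalina.realm.CombinedRealm",
}

# Constructed sample: the self-closing JNDIRealm from the thread (the mistake).
BROKEN = """<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.JNDIRealm" userPassword="userPassword" />
  <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                     algorithm="MD5" />
</Realm>"""

# Constructed sample: the corrected nesting, handler inside the JNDIRealm.
FIXED = """<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.JNDIRealm" userPassword="userPassword">
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                       algorithm="SHA-1" />
  </Realm>
</Realm>"""


def credential_handler_placement(xml_text):
    """Return [(parent realm short name, algorithm, ok)] for each CredentialHandler.

    ok is False when the direct parent is a wrapper realm, i.e. the handler
    will not be used for password comparison.
    """
    root = ET.fromstring(xml_text)
    report = []
    for realm in root.iter("Realm"):          # iter() includes the root itself
        for handler in realm.findall("CredentialHandler"):
            realm_class = realm.get("className", "")
            ok = realm_class not in WRAPPER_REALMS
            report.append((realm_class.rsplit(".", 1)[-1], handler.get("algorithm"), ok))
    return report


if __name__ == "__main__":
    for label, fragment in (("broken", BROKEN), ("fixed", FIXED)):
        for parent, algorithm, ok in credential_handler_placement(fragment):
            status = "ok" if ok else "MISPLACED (on a wrapper realm)"
            print(f"{label}: CredentialHandler algorithm={algorithm} under {parent}: {status}")
```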
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org