Hi all,

I'm trying to get Tomcat to authenticate against Active Directory, but failing
in that all I seem to get back is the following error:

24-Nov-2009 17:10:18 org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr:
DSID-031006CC, 
     problem 5012 (DIR_ERROR), data 0 ]; remaining name
'sAMAccountName=spenn'
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3081)
        ...

I've no idea what this error means, and googling for it seems to find it
listed in several log files, but never as the subject of a post, and hence
no answers about what it means or how to resolve it.

So, onto the details...

I'm using Tomcat 6.0.20 with JDK 1.6 on Windows Vista 64. In my server.xml
I have the following:

<Host name="localhost"  appBase="webapps"
      unpackWARs="true" autoDeploy="true"
      xmlValidation="false" xmlNamespaceAware="false">

    <Context path="/l3">
        <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
               connectionURL="ldap://172.17.10.100:389"
               connectionName="cn=SvcUser,cn=users,dc=myorg,dc=local"
               connectionPassword="********"
               userBase="ou=staff,dc=myorg,dc=local"
               userPattern="sAMAccountName={0}"
               roleBase="cn=users,dc=myorg,dc=local"
               roleName="cn"
               roleSearch="(member={0})"
               roleSubtree="false"
               userSubtree="true"
               authentication="simple"
               referrals="follow"
        />
    </Context>
</Host>

I note that I get a warning message about the debug="99" property, saying
"Setting property 'debug' to '99' did not find a matching property." I don't
think this is serious, but it's copied out of various example files so I'm
surprised it doesn't appear to work.

In my web.xml for my application, I have the following:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>L3 Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>

    <auth-constraint>
        <role-name>ECM Team</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <description>
        The role that is required to log in to the L3 Application
    </description>
    <role-name>ECM Team</role-name>
</security-role>
  
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>L3 Application</realm-name>
</login-config>


If I search for (sAMAccountName=spenn) with ldapsearch from Linux, using the
above credentials, then ldapsearch pulls back the entry. If I try to log in
to Tomcat however, it just displays the login dialog again, and I get the
above error in the logs.

The values for login and userbase etc I've pulled from an Apache HTTPd config,
which works, so I'm pretty certain these bits are correct.

I'm not certain about the role config however. I'd be happy at this point
if I could just authenticate and not check a user's role (though at some
point this needs to work as well), but can't figure out how to disable the
role checking (my attempts result in no authentication at all).

I've tried several variations of the above, all to no avail. Does anyone
have any ideas what I'm doing wrong? Or at least, how to get more debug out
of it so that I can see what it's actually trying to do?

Thanks for any help,

Sam.
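Added example (not from Sam's post, and not a configuration shipped by the Tomcat project): a JNDIRealm context for the same directory that locates the user with userSearch under userBase instead of userPattern. JNDIRealm treats userPattern as a template for the user's full distinguished name, so with the configuration above Tomcat asks the directory for an entry whose DN is literally "sAMAccountName=spenn", which is not a valid DN in any Active Directory naming context; that is the kind of request AD refuses with a DIR_ERROR. With userSearch, the realm binds as connectionName, runs the filter under userBase to find the user's real DN, and then binds as that DN with the password the user typed. The host name, the port, the placeholder password and the ldaps scheme are assumptions; the DNs, the role settings and the role name "ECM Team" are taken from the post.

```xml
<!-- Added example, not from the original post or the Tomcat project.
     Host name, port and password are placeholders; DNs are from the post. -->
<Context path="/l3">
    <!-- No debug attribute: Tomcat 6 has no such property on a Realm, which is
         what the "did not find a matching property" warning means. Realm logging
         is controlled through conf/logging.properties instead. -->
    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldaps://dc01.myorg.local:636"
           connectionName="cn=SvcUser,cn=users,dc=myorg,dc=local"
           connectionPassword="CHANGE_ME"

           userBase="ou=staff,dc=myorg,dc=local"
           userSubtree="true"
           userSearch="(sAMAccountName={0})"

           roleBase="cn=users,dc=myorg,dc=local"
           roleSubtree="false"
           roleName="cn"
           roleSearch="(member={0})"

           authentication="simple"
           referrals="follow" />
</Context>
```

Two points worth checking when adapting this. First, authentication="simple" sends both the service account password (connectionPassword) and every user's password in clear text unless the connection is protected, which is why the example assumes ldaps on 636; the domain controller's certificate must then be trusted by the JVM's truststore or the bind fails with an SSL error rather than an LDAP one. Second, in roleSearch the {0} placeholder is replaced with the user's full DN as found by userSearch, which is what AD stores in a group's member attribute, so a user in the group whose cn is "ECM Team" receives the role name "ECM Team" that the web.xml auth-constraint expects. To see what the realm is actually sending, set org.apache.catalina.realm.level = FINE in conf/logging.properties rather than a debug attribute on the Realm element.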
