Hi all, I'm trying to get Tomcat to authenticate against Active Directory, but failing in that all I seem to get back is the following error:
24-Nov-2009 17:10:18 org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-031006CC, problem 5012 (DIR_ERROR), data 0 ]; remaining name 'sAMAccountName=spenn'
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3081)
        ...

I've no idea what this error means, and googling for it seems to find it listed in several log files, but never as the subject of a post, and hence no answers about what it means or how to resolve it.

So, onto the details... I'm using Tomcat 6.0.20 with JDK 1.6 on Windows Vista 64. In my server.xml I have the following:

<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"
      xmlValidation="false" xmlNamespaceAware="false">
  <Context path="/l3">
    <Realm className="org.apache.catalina.realm.JNDIRealm"
           debug="99"
           connectionURL="ldap://172.17.10.100:389"
           connectionName="cn=SvcUser,cn=users,dc=myorg,dc=local"
           connectionPassword="********"
           userBase="ou=staff,dc=myorg,dc=local"
           userPattern="sAMAccountName={0}"
           roleBase="cn=users,dc=myorg,dc=local"
           roleName="cn"
           roleSearch="(member={0})"
           roleSubtree="false"
           userSubtree="true"
           authentication="simple"
           referrals="follow" />
  </Context>
</Host>

I note that I get a warning message about the debug="99" property, saying "Setting property 'debug' to '99' did not find a matching property." I don't think this is serious, but it's copied out of various example files, so I'm surprised it doesn't appear to work.
In my web.xml for my application, I have the following:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>L3 Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>ECM Team</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <description>
    The role that is required to log in to the L3 Application
  </description>
  <role-name>ECM Team</role-name>
</security-role>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>L3 Application</realm-name>
</login-config>

If I search for (sAMAccountName=spenn) with ldapsearch from Linux, using the above credentials, then ldapsearch pulls back the entry. If I try to log in to Tomcat, however, it just displays the login dialog again, and I get the above error in the logs.

The values for login and userBase etc. I've pulled from an Apache HTTPd config, which works, so I'm pretty certain these bits are correct. I'm not certain about the role config, however. I'd be happy at this point if I could just authenticate and not check a user's role (though at some point this needs to work as well), but I can't figure out how to disable the role checking (my attempts result in no authentication at all).

I've tried several variations of the above, all to no avail. Does anyone have any ideas what I'm doing wrong? Or at least, how to get more debug out of it so that I can see what it's actually trying to do?

Thanks for any help,
Sam.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
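As an added example (not part of Sam's post, nor taken from the Tomcat project's own documentation), here is the same JNDIRealm written to locate the user with an LDAP search filter instead of a DN pattern. In Tomcat's JNDIRealm the value of userPattern is substituted into a distinguished name and used directly as the bind DN, which matches the "remaining name 'sAMAccountName=spenn'" in the exception above: Active Directory is being asked to bind a DN that names no container. userSearch, by contrast, is an LDAP filter evaluated under userBase with the service account, after which the realm binds as the DN it found. The host, service account, OUs and group name are the ones from the post; the ldaps:// URL on port 636 and a JVM truststore that trusts the domain controller's certificate are assumptions, added because a simple bind over plain ldap://389 sends the service password and every user's password across the network in cleartext.

```xml
<!-- Added example, not the original poster's config.
     Assumptions: the domain controller at 172.17.10.100 offers LDAPS on 636
     and its certificate is in the JVM truststore; the service account, OUs
     and group name are the ones given in the post. -->
<Context path="/l3">
  <!-- Tomcat 6 has no debug attribute on Realm (hence the warning in the
       post); log levels are configured in conf/logging.properties. -->
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldaps://172.17.10.100:636"
         connectionName="cn=SvcUser,cn=users,dc=myorg,dc=local"
         connectionPassword="********"
         authentication="simple"
         referrals="follow"

         userBase="ou=staff,dc=myorg,dc=local"
         userSubtree="true"
         userSearch="(sAMAccountName={0})"

         roleBase="cn=users,dc=myorg,dc=local"
         roleSubtree="false"
         roleName="cn"
         roleSearch="(member={0})" />
</Context>
```

With userSearch, {0} in roleSearch is replaced by the full DN of the entry the user search returned, so the (member={0}) filter matches a group whose member attribute lists that DN; the group's cn (for instance "ECM Team") is then the role name compared against the web.xml auth-constraint.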