On 16/03/2012 10:23, Neil Munro wrote:
> On 15 March 2012 18:24, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
> Neil,
>
> On 3/15/12 1:05 PM, Neil Munro wrote:
>>>> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>>>> connectionURL="ldap://my.ldap.server.com"
>>>> alternateURL="ldap://my.ldap.server.com" userPattern="uid={0},ou=my
>>>> company users,dc=mycompany,dc=com" />
>>>>
>
> The "debug" attribute does not exist any more. Were you following some
> kind of old example?
>
>> Yeah, I must have been; I have removed it.
>
>
> I think you may need roleBase, roleName, and roleSearch attributes to
> have a prayer of making this work. Also, with no userSearch parameter,
> you are instructing the realm to connect in "bind" mode where the
> user's credentials are used directly to bind to the LDAP server. Is
> this appropriate?
>
>> <Realm className="org.apache.catalina.realm.JNDIRealm"
>> connectionName="uid={0},ou=my company users,dc=mycompany,dc=com "
>> connectionPassword="userPassword"
>> connectionURL="ldap://my.ldap.server"
>> alternateURL="ldap://my.ldap.server"
>> roleBase="ou=my company users,dc=mycompany,dc=com"
>> roleName="cn"
>> roleSearch="(uniqueMember={0})"
>> userPattern="uid={0},ou=my company users,dc=mycompany,dc=com" />
>
>> I have added those changes. As for which connection mode I need, I
>> think bind would be ok for now just to check to see if I can establish
>> a connection, but looking at it I think if I will be querying LDAP for
>> a user name and password then comparison mode is what I need.
>
>> However, with this configuration my whole app becomes inaccessible. I
>> imagine it's some form of protection or permissions thing, but in my
>> floundering around trying things, this is the only thing that seems to
>> have any effect on the whole app.
>
> You might want to re-read this section of the realm-howto:
>
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
>
> Can you run any queries against the LDAP server outside of Tomcat that
> give you results that you might expect? For instance, can you do a
> search of the LDAP tree for a particular user? What does that query
> look like? When you do that search, are you using anonymous bind or
> are you using user bind? If user, which user? Some administrative user
> or the user whose credentials should be checked?
>
>> I can connect with a tool called JXplorer, but I have not had any luck
>> from other applications, but that's due to inability to find any up to
>> date documentation on the libraries I was using.
>
>>>> <login-config> <auth-method>FORM</auth-method> <form-login-config>
>>>> <form-login-page>/login.jsp</form-login-page>
>>>> <form-error-page>/fail_login.jsp</form-error-page>
>>>> </form-login-config> </login-config>
Side note: I usually recommend putting those files in WEB-INF, in their
own directory, say: WEB-INF/login.

> That looks just fine: configuring the credential-gathering system is
> usually trivial. It's configuring the authentication system that is
> usually the problem.
>
>> Cool, at least some of this is working right, do you need to see those
>> files btw?
>
>
> -chris
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
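An added check, not from the thread or from Tomcat itself: it parses the second `<Realm>` element posted above (embedded here as test input) and reports the configuration problems a reviewer would flag, such as a `{0}` placeholder in `connectionName`, an attribute name used as the `connectionPassword` value, and plain `ldap://` URLs. The attribute list is taken from the Tomcat 6 realm-howto linked in the thread; the mode rule (`userPassword` present means comparison mode, otherwise bind mode) is from that same document.

```python
import xml.etree.ElementTree as ET

# Attributes the JNDIRealm understands (Tomcat 6 realm-howto); used to spot an
# attribute name pasted where a value belongs.
JNDI_REALM_ATTRS = {
    "connectionName", "connectionPassword", "connectionURL", "alternateURL",
    "userPattern", "userSearch", "userBase", "userSubtree", "userPassword",
    "roleBase", "roleName", "roleSearch", "roleSubtree",
}

# The second <Realm> element posted in the thread, embedded here as test input.
REALM_XML = """<Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionName="uid={0},ou=my company users,dc=mycompany,dc=com "
    connectionPassword="userPassword"
    connectionURL="ldap://my.ldap.server"
    alternateURL="ldap://my.ldap.server"
    roleBase="ou=my company users,dc=mycompany,dc=com"
    roleName="cn"
    roleSearch="(uniqueMember={0})"
    userPattern="uid={0},ou=my company users,dc=mycompany,dc=com" />"""


def check_jndi_realm(xml_text):
    """Return (mode, findings) for one JNDIRealm <Realm> element."""
    a = ET.fromstring(xml_text).attrib
    if a.get("className") != "org.apache.catalina.realm.JNDIRealm":
        return None, ["className is not org.apache.catalina.realm.JNDIRealm"]
    findings = []
    if "debug" in a:
        findings.append("debug attribute no longer exists; remove it")
    # connectionName/connectionPassword are the realm's own service-account
    # credentials; {0} is substituted only in userPattern, userSearch, roleSearch.
    name = a.get("connectionName", "")
    if "{0}" in name:
        findings.append("connectionName contains {0}, which is never substituted")
    if name != name.strip():
        findings.append("connectionName has leading/trailing whitespace")
    if a.get("connectionPassword") in JNDI_REALM_ATTRS:
        findings.append("connectionPassword is a realm attribute name, not a secret")
    if "userPattern" not in a and "userSearch" not in a:
        findings.append("neither userPattern nor userSearch: users cannot be located")
    for role_attr in ("roleBase", "roleName", "roleSearch"):
        if role_attr not in a:
            findings.append(f"{role_attr} missing: no roles will be assigned")
    # userPassword selects comparison mode; without it the realm binds as the user.
    mode = "compare" if "userPassword" in a else "bind"
    for url_attr in ("connectionURL", "alternateURL"):
        if a.get(url_attr, "").startswith("ldap://"):
            findings.append(f"{url_attr} uses plain ldap://; credentials cross the "
                            "network in the clear unless TLS is negotiated")
    return mode, findings
```

Run it against each revision of the element while editing server.xml; an empty findings list plus the intended mode is the goal before restarting Tomcat.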