You might try removing the:

    userPattern="uid={0},ou=people,dc=mydomain,dc=com"

and use (what I am using):

    userBase="ou=people,dc=mydomain,dc=com"
    userSearch="(uid={0})"
    userSubtree="true"

We found the LDAP search to be much more flexible using this than the
pattern matching.
You should also be able to get some error from tomcat if it is failing.
You can turn on access logging:
http://tomcat.apache.org/tomcat-7.0-doc/config/host.html#Access_Logs


If you drop the LDAPS, you might also get a trace. (Not sure if Sun can
show the LDAP requests) but tcpdump (or Wireshark) will.


--
-jim
Jim Willeke

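As an added illustration (not from Jim's mail or from Tomcat's own code), the script below walks through what the search-based settings above do, against a constructed in-memory copy of the DNs quoted in this thread: resolve the login name to a DN under userBase (one-level or subtree), then find roles with roleSearch using that DN as {0}, and compare with the fixed userPattern form. The directory contents, the nested contractor OU and the substitution escaping are assumptions for the example, not a description of JNDIRealm internals.

```python
import re

# Constructed stand-in for the Sun directory described in the thread
# (DNs copied from the mails; the contractor entry is invented).
DIRECTORY = {
    "uid=JPimen,ou=people,dc=mydomain,dc=com": {"uid": ["JPimen"]},
    "uid=tsmith,ou=contractors,ou=people,dc=mydomain,dc=com": {"uid": ["tsmith"]},
    "cn=UN_CTM_AdminGroup,ou=Control-M,ou=group,dc=mydomain,dc=com": {
        "cn": ["UN_CTM_AdminGroup"],
        "uniqueMember": ["uid=JPimen,ou=people,dc=mydomain,dc=com"]},
}

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter's {0}."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def _in_scope(dn, base, subtree):
    """True if dn lies under base; one-level scope allows no extra RDNs."""
    dn, base = dn.lower(), base.lower()
    if not dn.endswith("," + base):
        return False
    return subtree or "," not in dn[: -len(base) - 1]

def _value_matches(stored, pattern):
    """Unescaped '*' is a wildcard; '\\xx' sequences are literal characters."""
    parts = [re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), p)
             for p in pattern.split("*")]
    return re.fullmatch(".*".join(re.escape(p) for p in parts),
                        stored, re.IGNORECASE) is not None

def search(base, filter_str, subtree):
    """Evaluate one equality filter such as '(uid=JPimen)' under base."""
    attr, pattern = re.fullmatch(r"\((\w+)=(.*)\)", filter_str).groups()
    return [dn for dn, entry in DIRECTORY.items()
            if _in_scope(dn, base, subtree)
            and any(_value_matches(v, pattern) for v in entry.get(attr, []))]

def user_pattern_dn(username, user_pattern):
    """userPattern form: the DN is built blindly, so it must already be right."""
    dn = user_pattern.replace("{0}", username)
    return dn if dn in DIRECTORY else None

def find_user_dn(username, user_base, user_search, user_subtree):
    """userBase/userSearch/userSubtree form: search, then require one hit."""
    filt = user_search.replace("{0}", escape_filter_value(username))
    hits = search(user_base, filt, user_subtree)
    return hits[0] if len(hits) == 1 else None

def roles_for(user_dn, role_base, role_search, role_name, role_subtree):
    """roleBase/roleSearch/roleName form: {0} here is the user's DN."""
    filt = role_search.replace("{0}", escape_filter_value(user_dn))
    return sorted(DIRECTORY[dn][role_name][0]
                  for dn in search(role_base, filt, role_subtree))
```

The nested contractor entry is only found with userSubtree="true", and the escaped substitution keeps a login name such as "*" from matching every entry.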

On Tue, Aug 27, 2013 at 1:18 PM, John Pimentel <jpimen...@ra.rockwell.com> wrote:

>
> Hi Jim,
>
> Thanks for the response.
>
> We are using Sun LDAP.  Let me give you an example from my user account.
> Under my group container
> cn=UN_CTM_AdminGroup,ou=Control-M,ou=group,dc=mydomain,dc=com
> I have an attribute called uniqueMember.
> The value for my account is as follows:
> uid=JPimen,ou=people,dc=mydomain,dc=com
>
> I of course substituted our actual domain for mydomain in this example, but
> everything else is verbatim.
>
> So our groups are named by cn but the users are named by uid.
>
> Unfortunately our LDAP server will not accept anything other than ldaps
> connections, so I am stuck there.
>
> Also if you have any recommendation on how to enable security specific
> debug I would appreciate that.
>
> I found what appears to be a log level entry in my jspwiki.properties file.
> I changed
> log4j.rootCategory=INFO,FileLog
> To read
> log4j.rootCategory=DEBUG,FileLog
>
> Now, I do see debug entries in the /web1/dyscq/tomcat/logs/jspwiki.log
> file, but no entries appear when I try (and fail) to log in.
>
> Thanks again for any ideas.
>
> Regards,
> John Pimentel
>
> jpimen...@ra.rockwell.com
> Office  (414) 382-3354
> Mobile (262) 501-4785
>
>
>
>
> From:   Jim Willeke <j...@willeke.com>
> To:     user@jspwiki.apache.org
> Date:   08/27/2013 03:40 AM
> Subject:        Re: ldaps authentication to jspwiki
>
>
>
> I would guess, as you show no information on your LDAP setup, this line is
> wrong:
> userPattern="uid={0},ou=people,dc=mydomain,dc=com"
>
> Are your users named by uid or cn?
> You show roles as named by cn and since you show dc=,dc= I would guess this
> is AD.
>
> Also, try using LDAP vs LDAPS to help troubleshoot.
>
> -jim
>
> --
> -jim
> Jim Willeke
>
>
> On Mon, Aug 26, 2013 at 10:47 AM, John Pimentel <jpimen...@ra.rockwell.com> wrote:
>
> >
> > Greetings,
> >
> > I am having difficulties getting LDAPS authentication to work and I think I
> > must be missing some fundamental configuration.
> >
> > My current state is that the Site loads and displays content properly, but
> > when I go to edit content or I select the log in page directly, my LDAP
> > credentials do not authenticate, and I am repeatedly presented with a login
> > page.
> >
> > I used the following information as my "How To" for this effort.
> > http://www.ecyrd.com/JSPWiki/wiki/WebContainerAuthenticationViaLDAP
> >
> > This article is very good but appears to be incomplete.
> >
> > I have done the following configuration to get ldaps to work:
> >
> > 1. I have a previously configured LDAP Server and I stored /trusted the
> > cert for this Sun LDAP server into the central java keystore using this
> > command:
> > /usr/lib64/jvm/jre/bin/keytool -import -alias sunldap
> > -file /web1/sst/dysc/content/CA-RA-v3.crt
> > -keystore /usr/lib64/jvm/jre/lib/security/cacerts
> >
> > 2. I have configured the realm and sorted out all the log errors using the
> > following realm in the server.xml file.  I believe tomcat is successfully
> > connecting to my LDAP server.
> >
> >       <Realm className="org.apache.catalina.realm.JNDIRealm"
> >              connectionURL="ldaps://mkedsintp.ds.mydomain.com:636"
> >              connectionName="uid=[bind User UID],ou=admin,dc=rmydomain,dc=com"
> >              connectionPassword="[Password]"
> >              userPattern="uid={0},ou=people,dc=mydomain,dc=com"
> >              roleBase="ou=Control-M,ou=group,dc=mydomain,dc=com"
> >              roleSubtree="true"
> >              roleName="cn"
> >              roleSearch="(uniqueMember={0})"
> >       />
> >
> > 3. I uncommented the "CONTAINER-MANAGED AUTH" section
> > from /web1/dyscq/webapps/apps/wiki/WEB-INF/web.xml
> >
> > There is a section at the bottom that says "Update JSPWiki security policy"
> > If you would like to set permissions to LDAP groups, you can simply add
> > policy entries on authorize.Role. The following is an entry for wiki-admin
> > group (from LDAP).
> > grant principal com.ecyrd.jspwiki.auth.authorize.Role "wiki-admin" {
> >     permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
> > };
> >
> > I'm thinking it might go into web.xml, but I am not sure of that.
> >
> > this section of the xml looks like this:
> >
> >    <security-constraint>
> >        <web-resource-collection>
> >            <web-resource-name>Authenticated area</web-resource-name>
> >            <url-pattern>/Edit.jsp</url-pattern>
> >            <url-pattern>/Comment.jsp</url-pattern>
> >            <url-pattern>/Login.jsp</url-pattern>
> >            <url-pattern>/NewGroup.jsp</url-pattern>
> >            <url-pattern>/Rename.jsp</url-pattern>
> >            <url-pattern>/Upload.jsp</url-pattern>
> >            <http-method>DELETE</http-method>
> >            <http-method>GET</http-method>
> >            <http-method>HEAD</http-method>
> >            <http-method>POST</http-method>
> >            <http-method>PUT</http-method>
> >        </web-resource-collection>
> >
> >        <web-resource-collection>
> >            <web-resource-name>Read-only Area</web-resource-name>
> >            <url-pattern>/attach</url-pattern>
> >            <http-method>DELETE</http-method>
> >            <http-method>POST</http-method>
> >            <http-method>PUT</http-method>
> >        </web-resource-collection>
> >
> >        <auth-constraint>
> >            <role-name>Admin</role-name>
> >            <role-name>Authenticated</role-name>
> >        </auth-constraint>
> > <!--
> >        <user-data-constraint>
> >            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >        </user-data-constraint>
> > -->
> >
> >    </security-constraint>
> >
> >    <login-config>
> >        <auth-method>FORM</auth-method>
> >        <form-login-config>
> >            <form-login-page>/LoginForm.jsp</form-login-page>
> >            <form-error-page>/LoginForm.jsp</form-error-page>
> >        </form-login-config>
> >    </login-config>
> >
> >    <security-role>
> >        <description>
> >            This logical role includes all authenticated users
> >        </description>
> >        <role-name>Authenticated</role-name>
> >    </security-role>
> >
> >    <security-role>
> >        <description>
> >            This logical role includes all administrative users
> >        </description>
> >        <role-name>Admin</role-name>
> >    </security-role>
> >
> >
> > Regards,
> > John Pimentel
> >
> > jpimen...@ra.rockwell.com
> > Office  (414) 382-3354
> > Mobile (262) 501-4785
> >
>
