On 17.03.2014 14:31, bjoern.bec...@easycash.de wrote:
Yes, I found this error:

Mar 17, 2014 12:50:59 PM org.apache.catalina.realm.UserDatabaseRealm startInternal
SEVERE: Exception looking up UserDatabase under key UserDatabase
javax.naming.NameNotFoundException: Name [UserDatabase] is not bound in this Context. Unable to find [UserDatabase].
         at org.apache.naming.NamingContext.lookup(NamingContext.java:820)
         at org.apache.naming.NamingContext.lookup(NamingContext.java:168)
         at org.apache.catalina.realm.UserDatabaseRealm.startInternal(UserDatabaseRealm.java:255)
         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
         at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5168)
         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:618)
         at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:650)
         at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1582)
         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
         at java.util.concurrent.FutureTask.run(FutureTask.java:262)
         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
         at java.lang.Thread.run(Thread.java:744)

While activating the AD realm I commented out the UserDatabase Resource:

<GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
<!--    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />-->
</GlobalNamingResources>

and:

<!-- <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
            resourceName="UserDatabase"/>-->

Maybe this is my problem? I thought tomcat-users.xml and the UserDatabaseRealm
are not necessary anymore?
UserDatabase is needed for any UserDatabaseRealm you might have. So you will have to look into all of your contexts to see if you can disable UserDatabase.

And I believe you have to have one Realm (doesn't matter what type) in your host. I think there were some startup mechanisms relying on one realm to be there.

Regards
 Felix

Best Regards,
Bjoern


-----Original Message-----
From: Felix Schumacher [mailto:felix.schumac...@internetallee.de]
Sent: Monday, 17 March 2014 14:11
To: Tomcat Users List; Becker, Björn
Subject: Re: JNDIRealm - Active Directory Roles



On 17 March 2014 13:53:18 CET, bjoern.bec...@easycash.de wrote:
Well, I still have a problem.
After activating my Active Directory realm the applications don't start
anymore.

I got this error:

Mar 17, 2014 1:49:28 PM org.apache.catalina.startup.HostConfig deployDescriptor
SEVERE: Error deploying configuration descriptor /app/tomcat2/tomcat/conf/Catalina/localhost/app.xml
java.lang.IllegalStateException: ContainerBase.addChild: start: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/app]]
Have you looked at the localhost log file? Maybe you have a problem with
web.xml?

Regards
Felix

        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:904)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:618)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:650)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1582)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
        at java.util.concurrent.FutureTask.run(FutureTask.java:262)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:744)


Best Regards,
Bjoern


-----Original Message-----
From: Becker, Björn
Sent: Monday, 17 March 2014 13:06
To: users@tomcat.apache.org
Subject: RE: JNDIRealm - Active Directory Roles

Hello Felix,

thanks for the explanation! I got it now!

What helped was to enable debugging:

# conf/logging.conf
# This would turn on trace-level for everything
# the possible levels are: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL
#org.apache.catalina.level = ALL
#org.apache.catalina.handlers = 2localhost.org.apache.juli.FileHandler
org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true

I got this realm config now:

        <Realm className="org.apache.catalina.realm.JNDIRealm"
               connectionName="CN=SVC_TomcatLdapQuery,OU=Service Accounts,OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC= "
               connectionPassword="PASS"
               connectionURL="ldap://server:389/OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC=?sAMAccountName?sub?(objectClass=*)"
               userSearch="(sAMAccountName={0})"
               userSubtree="true"
               roleSubtree="true"
               roleName="CN"
               userRoleName="memberOf"
        />

And I copied the manager-gui constraint in the web.xml of the manager
application and put in my new role:

<role-name>CN=DG_R_Tomcat Admins UAT,OU=Roles,OU=Spezielle Gruppen,OU=Hamburg,OU=SITES,OU=\#KONFIGURATION,DC=,DC= </role-name>

Thanks a lot!

Best Regards,
Bjoern

-----Original Message-----
From: Felix Schumacher [mailto:felix.schumac...@internetallee.de]
Sent: Saturday, 15 March 2014 21:52
To: users@tomcat.apache.org
Subject: Re: JNDIRealm - Active Directory Roles

On 13.03.2014 18:15, bjoern.bec...@easycash.de wrote:
Hello,

I'm trying to implement authentication for the Tomcat manager
application against Active Directory.
Unfortunately I don't understand the role concept. I'd like to give
users permission to open the manager when they're in this group:
memberOf: CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de
server.xml:
          <Realm className="org.apache.catalina.realm.JNDIRealm"
                 debug="99"
                 connectionName="CN=SVC,OU=Service Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
                 connectionPassword="_2VK!WHzybn1SJ8P"
                 connectionURL="ldap://server:389/OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de?sAMAccountName?sub?(objectClass=*)"
                 userSearch="(sAMAccountName={0})"
                 userSubtree="true"

                 roleSearch="(memberof={0})"
                 roleSubtree="true"
                 userRoleName="CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de "
          />

<!--             roleBase="DC=DOM,DC=de"
                 roleName="cn"
-->

With this configuration I can open the Manager, but get no
permissions.
Even if the user-role relationship is found, I don't understand how
I can assign Tomcat roles (e.g. manager-gui) to the user.
Looking at the documentation on
http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm
you have three settings which are most probably not correct.

* roleSearch will only be used, if roleName is set (which is commented
out in your configuration)
* roleSearch will be used to search for objects that match the given
filter. In your case you would find user objects instead of group
objects.
* userRoleName should be the name of an attribute in the user object
(cn=... is not a name of an attribute, but rather a value)

So given your goal, that cn=tomcat admins,... should be a role, you
have two options.

* You could activate roleName=cn (or another attribute name) and change
the roleSearch to member={0}. Then the realm would (hopefully) find the
object cn=tomcat admins,...
* You could change userRoleName to memberOf

In the first case your user would have a role with the name "Tomcat
Admins". The second option would lead to a role name of "cn=Tomcat
Admins,...".

In both cases you would have to change the security constraints in the
webapp (those are defined in the WEB-INF/web.xml file).

If your role objects had other attributes with values that match the
roles defined in web.xml you could simply change roleName in the first
option above.

Regards
  Felix
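Putting Felix's two answers together as an added example: the two role-resolution options explained in the reply above, and the point made further up the thread that once the UserDatabase resource is gone no Host or Context may still declare a UserDatabaseRealm, so the directory realm is declared once at Engine level. This is my configuration, not the poster's or Felix's: the host dc01.example.com, the OU paths, the service account and the group name are assumptions.

```xml
<!-- conf/server.xml, relevant parts only (added example; host, DNs, account and
     group name are assumptions). With the UserDatabase resource gone, the only
     realm is declared once under Engine and inherited by every Host and Context,
     so conf/Catalina/localhost/*.xml and webapps/*/META-INF/context.xml must not
     declare a UserDatabaseRealm any more. -->
<GlobalNamingResources>
  <!-- UserDatabase resource intentionally removed: conf/tomcat-users.xml is no
       longer read, and a UserDatabaseRealm could no longer start. -->
</GlobalNamingResources>

<Engine name="Catalina" defaultHost="localhost">
  <!-- LockOutRealm wraps the directory realm and throttles repeated failed logins. -->
  <Realm className="org.apache.catalina.realm.LockOutRealm">
    <!-- Option 1: search group objects whose "member" attribute holds the
         authenticated user's DN ({0}; {1} would be the login name). The role name
         is the value of the attribute named by roleName, here the group's cn,
         i.e. "Tomcat Admins". Only host and port belong in connectionURL; the
         search bases go in userBase and roleBase. ldaps:// keeps the service
         account and user passwords off the wire in clear text (the domain
         controller's certificate must be trusted by the JVM). -->
    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldaps://dc01.example.com:636"
           connectionName="CN=SVC_TomcatLdapQuery,OU=Service Accounts,DC=example,DC=com"
           connectionPassword="change-me"
           userBase="OU=SITES,DC=example,DC=com"
           userSearch="(sAMAccountName={0})"
           userSubtree="true"
           roleBase="OU=Roles,OU=SITES,DC=example,DC=com"
           roleSearch="(member={0})"
           roleName="cn"
           roleSubtree="true" />

    <!-- Option 2, used instead of the element above: take the roles straight
         from the user's "memberOf" attribute. roleName is unset, so no role
         search runs at all, and each role name is a full group DN; web.xml then
         has to list "CN=Tomcat Admins,OU=Roles,OU=SITES,DC=example,DC=com" verbatim.
    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldaps://dc01.example.com:636"
           connectionName="CN=SVC_TomcatLdapQuery,OU=Service Accounts,DC=example,DC=com"
           connectionPassword="change-me"
           userBase="OU=SITES,DC=example,DC=com"
           userSearch="(sAMAccountName={0})"
           userSubtree="true"
           userRoleName="memberOf" />
    -->
  </Realm>

  <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
    <!-- no Realm here: the Engine realm is inherited -->
  </Host>
</Engine>

<!-- webapps/manager/WEB-INF/web.xml: the HTML manager constraint rewritten for
     option 1. The role name must match what the realm returns exactly,
     including case. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTML Manager interface (for humans)</web-resource-name>
    <url-pattern>/html/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Tomcat Admins</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <description>AD group cn, mapped through roleName="cn"</description>
  <role-name>Tomcat Admins</role-name>
</security-role>
```

Before restarting, grep conf/Catalina/*/*.xml, conf/context.xml and webapps/*/META-INF/context.xml for UserDatabaseRealm; any hit is a context that will fail with the NameNotFoundException shown at the top of this thread. With org.apache.catalina.realm.level=ALL in logging, the JNDIRealm logs the DN it bound as and the role values it collected, which is the quickest way to see whether the role names arriving at web.xml are short names (option 1) or full DNs (option 2).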


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
