On 30/09/2014 15:19, Jesse Barnum wrote:
> On Sep 30, 2014, at 2:43 AM, Mark Thomas <ma...@apache.org> wrote:
> 
>> On 30/09/2014 01:11, Jesse Barnum wrote:
>>> I'm trying to configure Tomcat to authenticate against our Active Directory 
>>> server.

<snip/>

>> 1. What configuration are you using for roleSearchAsUser
> 
> Mark, thanks for the fast response.
> 
> I did not have that attribute set. I've changed it to true. Here is my Realm 
> definition after making the change:

OK. That should help.

> 
>>         <Realm className="org.apache.catalina.realm.JNDIRealm"
>>            connectionURL="ldap://activedirectory.360works.com/cn=Users,dc=360works,dc=com"
>>            userPattern="cn={0},cn=Users,dc=360works,dc=com"
>>            roleBase=""
>>            roleName="cn"
>>            roleSearch="(member={0})"
>>            roleSearchAsUser="true"
>>    />
> 
> By the way, I've noticed that I get a NPE if I don't define roleBase with an 
> empty string (it should be optional, since I've specified the search base in 
> my connectionURL). I don't have to define userBase; it seems like the 
> behavior should be consistent for these two attributes.

OK. I'll take a look at that NPE.

> After adding the roleSearchAsUser attribute, I'm getting a new error:
> 
>> FINE:   Checking constraint 'SecurityConstraint[Protected Area]' against GET /index.html --> true
>> Sep 30, 2014 10:12:22 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
>> FINE:  Calling hasUserDataPermission()
>> Sep 30, 2014 10:12:22 AM org.apache.catalina.realm.RealmBase hasUserDataPermission
>> FINE:   User data constraint has no restrictions
>> Sep 30, 2014 10:12:22 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
>> FINE:  Calling authenticate()
>> Sep 30, 2014 10:12:22 AM org.apache.catalina.realm.CombinedRealm authenticate
>> FINE: Attempting to authenticate user "Jesse Barnum" with realm "org.apache.catalina.realm.JNDIRealm/1.0"
>> Sep 30, 2014 10:12:22 AM org.apache.catalina.realm.JNDIRealm authenticate
>> INFO: Exception performing authentication. Retrying...
>> java.lang.NullPointerException
>>      at java.util.Hashtable.put(Hashtable.java:394)
>>      at javax.naming.InitialContext.addToEnvironment(InitialContext.java:514)
>>      at org.apache.catalina.realm.JNDIRealm.userCredentialsAdd(JNDIRealm.java:1635)
>>      at org.apache.catalina.realm.JNDIRealm.getRoles(JNDIRealm.java:1734)
>>      at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1169)
>>      at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1052)
>>      at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:146)
>>      at org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:180)
>>      at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:164)
>>      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:573)
>>      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
>>      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
>>      at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>>      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>>      at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
>>      at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
>>      at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313)
>>      at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
>>      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
>>      at java.lang.Thread.run(Thread.java:695)

Hmm. OK. Let me play around with my AD test environment and see how much
of this I can reproduce and fix.

>> 2. In the interests of improving the docs, what was it that meant you
>> were unable to find this information in the JNDI Realm docs?
> 
> There is no mention of 'roleSearchAsUser' on these pages:
> http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JNDIRealm
> http://tomcat.apache.org/tomcat-7.0-doc/funcspecs/fs-jndi-realm.html
> 
> It is mentioned in the method-specific docs on this page, but I didn't see 
> that because I was setting all of my attributes based on the class-level 
> JavaDocs that outline the various parameters:
> https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/realm/JNDIRealm.html

OK. I *really* need to find some time to sit down and re-organise the
Tomcat docs. If users would just stop finding bugs for a few months ;)

My recommendation would be to use the available reference material in
this order of preference:
- the attribute by attribute config guide
- the Javadoc
- the source code
- the How-Tos

That won't always be the best order but it should work in most cases.

Mark
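
A pre-deployment check for the Realm settings discussed in this thread, added here as an example (it is not code from either poster or from the Tomcat project). The function name `lint_jndi_realm` and the `SAMPLE` input are hypothetical; the sample is the thread's Realm with `roleBase` and `roleSearchAsUser` left out.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Realm quoted in the thread, minus roleBase and
# roleSearchAsUser, i.e. the configuration that produced the reported errors.
SAMPLE = '''<Realm className="org.apache.catalina.realm.JNDIRealm"
   connectionURL="ldap://activedirectory.360works.com/cn=Users,dc=360works,dc=com"
   userPattern="cn={0},cn=Users,dc=360works,dc=com"
   roleName="cn"
   roleSearch="(member={0})" />'''


def lint_jndi_realm(xml_text):
    """Return (attribute, finding) tuples for every JNDIRealm in xml_text."""
    findings = []
    root = ET.fromstring(xml_text)
    # iter() includes the root and nested Realms (LockOutRealm, CombinedRealm).
    for realm in root.iter("Realm"):
        if not realm.get("className", "").endswith("JNDIRealm"):
            continue
        attrs = realm.attrib
        role_lookup = "roleSearch" in attrs or "roleName" in attrs

        # Reported in the thread: omitting roleBase led to a NullPointerException,
        # even though the search base was already part of connectionURL.
        if role_lookup and "roleBase" not in attrs:
            findings.append(("roleBase",
                             "role search configured but roleBase is not set"))

        # With no connectionName and roleSearchAsUser unset (default false), the
        # role search is not performed with the authenticated user's credentials.
        as_user = attrs.get("roleSearchAsUser", "false").lower() == "true"
        if role_lookup and "connectionName" not in attrs and not as_user:
            findings.append(("roleSearchAsUser",
                             "role search would run without any bind identity"))

        # General LDAP fact, not specific to this thread: a simple bind over
        # plain ldap:// sends the user's password unencrypted.
        if attrs.get("connectionURL", "").lower().startswith("ldap://"):
            findings.append(("connectionURL",
                             "plain ldap:// exposes bind credentials on the wire"))
    return findings


if __name__ == "__main__":
    for attribute, finding in lint_jndi_realm(SAMPLE):
        print(f"{attribute}: {finding}")
```
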

