Did you get this working? I too have the same need. BTW, how do you get the error in the output? I don't see any console or log errors, just failure to log in in the browser.
-Dave

maffittd wrote:
> I've been reading the tomcat 5.5 doc and searching MARC but still have
> questions about making this work. This seems to come up frequently but I
> have not been able to puzzle out a solution. Has anyone actually gotten
> tomcat to authenticate with Active Directory (AD)? I'm worried that the
> configuration options available in the JNDIRealm are insufficient for AD.
>
> The goal is to allow access to users who are a member of the ccir_user
> group in AD. The error I get (included below) indicates to me that the
> realm never connects to AD. Is it trying to connect anonymously? Is it
> trying to connect with juser3's principal name? distinguished name? I can
> connect to AD using JXplorer and juser3's principal name and password.
> How should I configure JNDIRealm for this situation?
>
> That's a lot of questions but having a thread that answered a complete
> example would help a lot more people than just me.
>
> Thanks for your help. It is appreciated!
>
> -Dave
>
> Here is the relevant portion of the web.xml:
>
>   <security-role>
>     <role-name>ccir_user</role-name>
>   </security-role>
>
>   <security-constraint>
>     <display-name>Security Constraint</display-name>
>     <web-resource-collection>
>       <web-resource-name>Protected Area</web-resource-name>
>       <!-- Define the context-relative URL(s) to be protected -->
>       <url-pattern>/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <!-- Anyone with one of the listed roles may access this area -->
>       <role-name>ccir_user</role-name>
>     </auth-constraint>
>   </security-constraint>
>
>   <!--
>   <login-config>
>     <auth-method>BASIC</auth-method>
>   </login-config>
>   -->
>
>   <login-config>
>     <auth-method>FORM</auth-method>
>     <realm-name>CCIR Portal</realm-name>
>     <form-login-config>
>       <form-login-page>/login.jsp</form-login-page>
>       <form-error-page>/loginError.jsp</form-error-page>
>     </form-login-config>
>   </login-config>
>
> http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html indicates that
> setting connectionName and connectionPassword causes tomcat to use
> "comparison mode" which makes the realm retrieve the password from the
> directory. From what I can tell, Active Directory does not allow the
> retrieval of its password field, so this option is not available to me.
>
> I'm attempting to configure the realm like this:
>
>   <Realm className="org.apache.catalina.realm.JNDIRealm"
>          debug="99"
>          connectionURL="ldap://10.252.181.50:389"
>          userPattern="sAMAccountName={0},ou=Users,ou=CCIR,dc=red,dc=ccirdev,dc=mir"
>          roleBase="ou=Groups,ou=CCIR,dc=red,dc=ccirdev,dc=mir"
>          roleName="cn"
>          roleSearch="member={0}"
>   />
>
> I'm confident that connectionURL, userPattern, and roleBase are reasonable
> for my setup. I'm not at all sure about roleName and roleSearch.
>
> I attempt to login as juser3. I can connect to AD using JXplorer and the
> principal name jus...@red.ccirdev.mir and the password.
>
> Here is the corresponding object in AD as displayed by JXplorer:
>
>   cn                    Jeff User3
>   instanceType          4
>   nTSecurityDescriptor
>   objectCategory        CN=Person,CN=Schema,CN=Configuration,DC=ccirdev,DC=mir
>   objectClass           top
>   objectClass           person
>   objectClass           organizationalPerson
>   objectClass           user
>   accountExpires        9223372036854775807
>   badPasswordTime       128473940593781285
>   badPwdCount           0
>   codePage              0
>   company               MIR
>   countryCode           0
>   department            CCIR
>   displayName           Jeff User3
>   distinguishedName     CN=Jeff User3,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
>   givenName             Jeff
>   lastLogoff            0
>   lastLogon             128474750558020052
>   lastLogonTimestamp    128467468249071167
>   logonCount            376
>   mail                  jus...@ccir.wustl.edu
>   memberOf              CN=ccir_user,OU=Groups,OU=CCIR,DC=red,DC=ccirdev,DC=mir
>   name                  Jeff User3
>   objectGUID            (non string data)
>   objectSid             (non string data)
>   primaryGroupID        513
>   pwdLastSet            128421461731492461
>   sAMAccountName        juser3
>   sAMAccountType        805306368
>   sn                    User3
>   telephoneNumber       314-555-1212
>   userAccountControl    66048
>   userPrincipalName     jus...@red.ccirdev.mir
>   uSNChanged            90445
>   uSNCreated            51333
>   whenChanged           20080213154204.0Z
>   whenCreated           20071214224933.0Z
>
> Here is the AD object corresponding to the ccir_user group:
>
>   groupType             -2147483646
>   instanceType          4
>   nTSecurityDescriptor
>   objectCategory        CN=Group,CN=Schema,CN=Configuration,DC=ccirdev,DC=mir
>   objectClass           top
>   objectClass           group
>   cn                    ccir_user
>   distinguishedName     CN=ccir_user,OU=Groups,OU=CCIR,DC=red,DC=ccirdev,DC=mir
>   member                CN=David Maffitt,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
>   member                CN=Jane User2,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
>   member                CN=Jeff User3,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
>   member                CN=Joe Dev,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
>   member                CN=Joe Exec,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
>   member                CN=Joe Ops,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
>   member                CN=Joe Tech,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
>   member                CN=Joe User1,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
>   name                  ccir_user
>   objectGUID            (non string data)
>   objectSid             (non string data)
>   sAMAccountName        ccir_user
>   sAMAccountType        268435456
>   uSNChanged            88966
>   uSNCreated            51096
>   whenChanged           20080212185444.0Z
>   whenCreated           20071214211953.0Z
>
> Here is the error in catalina.out:
>
>   Feb 14, 2008 3:39:20 PM org.apache.catalina.realm.JNDIRealm authenticate
>   SEVERE: Exception performing authentication
>   javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr:
>   DSID-0C090627, comment: In order to perform this operation a successful
>   bind must be completed on the connection., data 0, ve...@]; remaining name
>   'sAMAccountName=juser3,ou=Users,ou=CCIR,dc=red,dc=ccirdev,dc=mir'
>           at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3025)
>           at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
>           at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2737)
>           at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1291)
>           at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:213)
>           at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:121)
>           at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:109)
>           at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:123)
>           at org.apache.catalina.realm.JNDIRealm.getUserByPattern(JNDIRealm.java:993)
>           at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:957)
>           at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:883)
>           at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:809)
>           at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:258)
>           at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:417)
>           at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>           at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
>           at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
>           at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
>           at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
>           at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
>           at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
>           at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
>           at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
>           at java.lang.Thread.run(Thread.java:595)

--
View this message in context: http://www.nabble.com/questions-about-JNDIRealm-and-Active-Directory-tp15491143p23658417.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
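Added example (not part of the thread, and not Tomcat's own code): an offline sanity check of the three things the quoted post leaves in doubt. The stack trace shows JNDIRealm.getUserByPattern calling getAttributes on the pattern-built DN over a context that has not bound yet, and LDAP result code 1 (operationsError) with the comment "a successful bind must be completed on the connection" is Active Directory's standard reply to an unauthenticated read, so the realm is in fact talking to AD anonymously at that point. Independently of that, the DN that userPattern produces (sAMAccountName=juser3,...) is not the user's real distinguishedName (CN=Jeff User3,...), which the script below makes visible. The attribute dumps and the log line are constructed from the values quoted above; the parser, the DN normalisation and the roleSearch emulation are mine, not the realm's implementation. For the record, the realm-howto linked in the post also documents userBase/userSearch for locating a user by a filter such as sAMAccountName (that search runs under the connectionName credentials), and comparison mode is selected by userPassword, not by connectionName alone.

```python
"""Offline checks for a Tomcat JNDIRealm / Active Directory configuration.

Added example, not from the mailing-list thread. Replays three checks:
  1. the DN that userPattern builds vs. the user's actual distinguishedName,
  2. whether roleBase/roleSearch/roleName would yield the role for the user,
  3. what the LDAP error quoted from catalina.out actually reports.
"""
import re

# Constructed JXplorer-style dumps ("attr value" per line) using the values
# quoted in the thread; elided addresses from the post are left out.
USER_DUMP = """\
cn Jeff User3
distinguishedName CN=Jeff User3,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
memberOf CN=ccir_user,OU=Groups,OU=CCIR,DC=red,DC=ccirdev,DC=mir
sAMAccountName juser3
"""
GROUP_DUMP = """\
cn ccir_user
distinguishedName CN=ccir_user,OU=Groups,OU=CCIR,DC=red,DC=ccirdev,DC=mir
member CN=David Maffitt,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
member CN=Jeff User3,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
sAMAccountName ccir_user
"""
# Constructed single-line copy of the NamingException message from the post.
SAMPLE_LOG = ("javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: "
              "DSID-0C090627, comment: In order to perform this operation a successful "
              "bind must be completed on the connection., data 0, ve...@]; remaining name "
              "'sAMAccountName=juser3,ou=Users,ou=CCIR,dc=red,dc=ccirdev,dc=mir'")

# Realm attributes exactly as configured in the thread.
REALM = {
    "userPattern": "sAMAccountName={0},ou=Users,ou=CCIR,dc=red,dc=ccirdev,dc=mir",
    "roleBase": "ou=Groups,ou=CCIR,dc=red,dc=ccirdev,dc=mir",
    "roleName": "cn",
    "roleSearch": "member={0}",
}

# Standard LDAP result codes (RFC 4511) a realm operator meets most often.
LDAP_RESULT = {0: "success", 1: "operationsError", 32: "noSuchObject", 49: "invalidCredentials"}

LDAP_ERR = re.compile(r"LDAP: error code (\d+) - ([0-9A-F]+): LdapErr: DSID-([0-9A-F]+), "
                      r"comment: (.*?), data (\d+)", re.S)


def parse_dump(text):
    """Parse 'attr value' lines into {attr: [values]}; multi-valued attrs keep order."""
    entry = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            attr, _, value = line.partition(" ")
            entry.setdefault(attr, []).append(value)
    return entry


def normalize_dn(dn):
    """Lower-case types and values and trim around RDN separators, so that
    'ou=Users' and 'OU=Users' compare equal (AD DN matching is case-insensitive)."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def pattern_dn(username):
    """The DN JNDIRealm derives from userPattern for this login name."""
    return REALM["userPattern"].replace("{0}", username)


def check_user_pattern(username, user_entry):
    """Return (matches, pattern_dn, real_dn): does the pattern name the real entry?"""
    real = user_entry["distinguishedName"][0]
    pat = pattern_dn(username)
    return normalize_dn(pat) == normalize_dn(real), pat, real


def roles_for(user_entry, group_entries):
    """Emulate roleSearch='member={0}' under roleBase: each group located under
    roleBase whose member attribute contains the user's DN contributes roleName."""
    user_dn = normalize_dn(user_entry["distinguishedName"][0])
    base = normalize_dn(REALM["roleBase"])
    roles = []
    for group in group_entries:
        group_dn = normalize_dn(group["distinguishedName"][0])
        if not group_dn.endswith("," + base):
            continue  # outside roleBase, the realm would never see it
        if user_dn in (normalize_dn(m) for m in group.get("member", [])):
            roles.extend(group[REALM["roleName"]])
    return roles


def parse_ldap_error(message):
    """Extract result code, AD DSID, comment and data field from a JNDI message."""
    m = LDAP_ERR.search(message)
    if not m:
        return None
    code = int(m.group(1))
    return {"code": code, "name": LDAP_RESULT.get(code, "unknown"), "dsid": m.group(3),
            "comment": " ".join(m.group(4).split()), "data": int(m.group(5))}


def run_checks():
    """Run all three checks against the constructed data and return the findings."""
    user, group = parse_dump(USER_DUMP), parse_dump(GROUP_DUMP)
    matches, pat, real = check_user_pattern("juser3", user)
    return {"pattern_matches_dn": matches, "pattern_dn": pat, "real_dn": real,
            "roles": roles_for(user, [group]), "error": parse_ldap_error(SAMPLE_LOG)}


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

Run as-is it reports pattern_matches_dn: False (the realm would look up a DN that does not exist in AD), roles: ['ccir_user'] (so roleBase/roleSearch/roleName are fine once the user's real DN is known), and error code 1 operationsError with AD's "bind must be completed" comment.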