I had this same issue, both with JNDIRealm, and logging.

Firstly the JNDIRealm; I was authenticating to an AD server and couldn't
get the parameters right in my Realm definition. This is how I resolved
it - this realm definition resides within an Engine directive:


<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
   connectionURL="ldap://hostname:389"
   connectionName="<username>@test.domain"
   connectionPassword="<password>"
   userSearch="(sAMAccountName={0})"
   userBase="DC=test,DC=domain" 
   referrals="follow"
   userSubtree="true"
   roleBase="DC=test,DC=domain"
   roleName="cn" 
   roleSubtree="true"
   roleSearch="(member={0})"
   />

(The test.domain is the domain you set up within your LDAP server)

You also have to configure the <security-constraint> parameter in your
web.xml.

Secondly logging. It seems odd that it's not working. I didn't have to
do anything with logging, it just wrote to the logs/Catalina..... logs
by default. I did have big problems getting logging to work using my own
customized login module however, in this case I had to instantiate
Logging class objects within my Java code and set the logging level in
the class to match the logging level in logging.properties, until I did
this, I got very minimal logging - but that is within a specific class
and I don't think this is your situation right?

With the JNDIRealm configuration within Tomcat I'm sure it should just
log by default as mine did..?

-----Original Message-----
From: news [mailto:n...@ger.gmane.org] On Behalf Of Eric B.
Sent: Friday, 7 August 2009 8:49 a.m.
To: users@tomcat.apache.org
Subject: Trouble configuring LDAP authentication

Hi,

I'm trying to get the JNDIRealms working using my LDAP server in Tomcat
6.0.18 for the manager and admin applications and am having difficulty
getting them to work.  I tried following instructions in the tomcat doc
site, and think I have things fairly well set up.  I have enabled full
logs on my LDAP server (slapd), and see the requests coming through.
The problem is that neither application seems to authenticate properly.
My guess is that I made a mistake somewhere in my LDAP tree.

I searched around and found additional documentation in Pro Apache
Tomcat 6 by Matthew Moodie (apress publishing) that seems to indicate
things step by step as well.  In the book, he refers to JNDIRealm logs:

<snip>
For a further insight into the communication between Tomcat and the
directory server, examine the log for the service component.

JNDIRealm[Catalina]: Connecting to URL ldap://localhost:389
JNDIRealm[Catalina]: lookupUser(admin)
JNDIRealm[Catalina]: dn=uid=admin,ou=people,dc=mycompany,dc=com
JNDIRealm[Catalina]: retrieving attribute userPassword
JNDIRealm[Catalina]: validating credentials
JNDIRealm[Catalina]: Username admin successfully authenticated
JNDIRealm[Catalina]: getRoles(uid=admin,ou=people,dc=mycompany,dc=com)
JNDIRealm[Catalina]: Searching role base 'ou=groups,dc=mycompany,dc=com' for attribute 'cn'
JNDIRealm[Catalina]: With filter expression '(uniqueMember=uid=admin,ou=people,dc=mycompany,dc=com)'
JNDIRealm[Catalina]: retrieving values for attribute cn
JNDIRealm[Catalina]: Returning 1 roles
JNDIRealm[Catalina]: Found role admin
</snip>


However, try as I might, I can't seem to figure out how to enable the
logging for the JNDIRealm.

I have placed the <Realm> object definition under my <Engine>, but no
matter what I seem to do, I can't get any logging to display.  I have
even added the following to logging.properties to no avail.
org.apache.catalina.core.ContainerBase.[Catalina].level = ALL
org.apache.catalina.core.ContainerBase.[Catalina].handlers = 4admin.org.apache.juli.FileHandler

org.apache.catalina.realm.RealmBase.level = ALL
org.apache.catalina.realm.RealmBase = 4admin.org.apache.juli.FileHandler



Can anyone help point me in the right direction as to how to get this
logging to be displayed so that I might be able to resolve my problem?

Thanks!

Eric









---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

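The two searches configured in the Realm definition in the reply can be reproduced outside Tomcat to check the LDAP side on its own. This is an added example, not code from the thread or from Tomcat: it expands the {0} placeholders with RFC 4515 filter escaping and builds equivalent OpenLDAP ldapsearch commands. The bind name, the sample DN and all function names are constructed assumptions.

```python
import shlex

# Attribute values copied from the Realm definition in the reply.
REALM = {
    "connectionURL": "ldap://hostname:389",
    "userBase": "DC=test,DC=domain",
    "userSearch": "(sAMAccountName={0})",
    "roleBase": "DC=test,DC=domain",
    "roleSearch": "(member={0})",
    "roleName": "cn",
}

def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside a filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def user_filter(username):
    # In userSearch, {0} stands for the login name the user typed.
    return REALM["userSearch"].replace("{0}", escape_filter_value(username))

def role_filter(user_dn):
    # In roleSearch, {0} stands for the DN found by the user search,
    # not the login name.
    return REALM["roleSearch"].replace("{0}", escape_filter_value(user_dn))

def ldapsearch_cmd(bind_name, base, ldap_filter, attr):
    # Subtree scope mirrors userSubtree="true" / roleSubtree="true";
    # -W prompts for the password so it stays out of shell history.
    args = ["ldapsearch", "-x", "-H", REALM["connectionURL"],
            "-D", bind_name, "-W", "-b", base, "-s", "sub", ldap_filter, attr]
    return " ".join(shlex.quote(a) for a in args)

# Constructed sample values (assumptions, not from the thread).
BIND_NAME = "svc-tomcat@test.domain"
SAMPLE_DN = "CN=Smith\\, John (Ops),OU=Staff,DC=test,DC=domain"

if __name__ == "__main__":
    print(ldapsearch_cmd(BIND_NAME, REALM["userBase"],
                         user_filter("jsmith"), "sAMAccountName"))
    print(ldapsearch_cmd(BIND_NAME, REALM["roleBase"],
                         role_filter(SAMPLE_DN), REALM["roleName"]))
```

If the first command returns no entry, the problem is in userBase or userSearch; if the second returns no groups, the role names the web.xml constraint expects will never be found.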