> "Geofrey Rainey" <geofrey.rai...@tvnz.co.nz> wrote in message
> I had this same issue, both with JNDIRealm, and logging.
>
> Firstly the JNDIRealm; I was authenticating to an AD server and couldn't
> get the parameters right in my Realm definition. This is how I resolved
> it - this realm definition resides within an Engine directive:

Luckily, I'm authenticating against a Linux LDAP server.  I've read of 
troubles with AD authentication.

> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>    connectionURL="ldap://hostname:389"
>    connectionName="<username>@test.domain"
>    connectionPassword="<password>"
>    userSearch="(sAMAccountName={0})"
>    userBase="DC=test,DC=domain"
>    referrals="follow"
>    userSubtree="true"
>    roleBase="DC=test,DC=domain"
>    roleName="cn"
>    roleSubtree="true"
>    roleSearch="(member={0})"
>    />

Thanks for sharing your config; mine is fairly similar:

     <Realm className="org.apache.catalina.realm.JNDIRealm"
             connectionURL="ldap://snoopy.domain.com:389"
             debug="true"
             userPassword="userPassword"
             userPattern="uid={0},ou=People,dc=domain,dc=com"
             roleBase="ou=Tomcat,ou=Group,dc=domain,dc=com"
             roleName="cn"
             roleSearch="(uniqueMember={0})"
        />

Note that I am not using connectionName or connectionPassword, as I have LDAP set up 
for anonymous reads.  Currently, I have my role cn's listed in a Tomcat ou 
which is under a Group ou.  Like I said, I see logging on my LDAP server 
that it is getting requested properly and is responding found, not found, 
etc.  However, I can't seem to get any logs out of Tomcat.

> You also have to configure the <security-constraint> parameter in your
> web.xml.

I am using the admin & manager webapps that are shipped with Tomcat (manager 
is part of Tomcat 6, and admin is from Tomcat 5.5).  They both work fine when 
using the UserDatabaseRealm, but when I switch to the JNDIRealm, I get 
nowhere.

>
> Secondly logging. It seems odd that it's not working. I didn't have to
> do anything with logging, it just wrote to the logs/Catalina..... logs
> by default.

I'm not getting any LDAP output in my logs at all.  I even switched Tomcat to 
log4j logging in case the default JavaLogger was causing me problems of some 
sort, but to no avail.  The only thing I have managed to get out in the logs 
relating to LDAP is a single connection line, and that was only once I 
explicitly enabled all logging for the org.apache.catalina.realm package.

DEBUG main org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/admin] - Connecting to URL ldap://snoopy.domain.com:389

After that, the next log entries I get are (they don't tell me much, 
however):
DEBUG http-8080-1 org.apache.catalina.realm.RealmBase -   Checking constraint 'SecurityConstraint[Protected Area]' against GET /index.jsp --> true
DEBUG http-8080-1 org.apache.catalina.realm.RealmBase -   User data constraint has no restrictions
ERROR http-8080-1 org.apache.struts.action.RequestProcessor - Invalid path was requested /login
DEBUG http-8080-1 org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/admin].[admin.login_jsp] -  Disabling the response for futher output


> With the JNDIRealm configuration within Tomcat I'm sure it should just
> log by default as mine did..?

I would have thought so / hoped so as well.  But obviously there must be 
something different / wrong with my configuration.

I am pasting my entire server.xml file here - is there something that I am 
missing in there?

Thanks!

Eric


SERVER.XML:
-----------------
<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.JasperListener" />
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />

  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />

  </GlobalNamingResources>



  <Service name="Catalina">
    <!-- standard HTTP Tomcat Connector -->
    <Connector port="8080" redirectPort="8443" protocol="HTTP/1.1"
               maxThreads="500" minSpareThreads="100" maxSpareThreads="25"
               enableLookups="false"
               acceptCount="500" connectionTimeout="20000"
               disableUploadTimeout="true"
               compression="on"
               compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css"
    />

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
        minSpareThreads="50"
        maxThreads="10000" />

    <Engine name="Catalina" defaultHost="localhost">
<!--
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>
-->

      <Realm className="org.apache.catalina.realm.JNDIRealm"
             connectionURL="ldap://snoopy.domain.com:389"
             debug="true"
             userPassword="userPassword"
             userPattern="uid={0},ou=People,dc=domain,dc=com"
             roleBase="ou=Tomcat,ou=Group,dc=domain,dc=com"
             roleName="cn"
             roleSearch="(uniqueMember={0})"
        />

      <Host name="localhost"  appBase="${catalina.base}/webapps"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">
      </Host>
    </Engine>
  </Service>
</Server>
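Editor's added illustration (not code from this thread, and not Tomcat's own code): the Python below simulates what JNDIRealm does with the userPattern / roleBase / roleSearch settings in the server.xml above, against a constructed in-memory directory shaped like the ou=People and ou=Tomcat,ou=Group tree. Per the JNDIRealm documentation, a realm with no userPassword attribute binds to the directory as the user's DN with the submitted password, whereas a realm with userPassword set reads that attribute over the realm's own connection (connectionName/connectionPassword, or anonymous when those are unset) and compares it locally. The simulation models both modes under a made-up ACL in which userPassword is readable only by the entry itself or by a directory manager, which is what OpenLDAP's recommended default ACL does. The user and group entries, the plaintext passwords and the cn=Manager,dc=domain,dc=com bind DN are all assumptions. The {0} substitutions are escaped per RFC 4514 (in the DN) and RFC 4515 (in the filter), as any realm must when the username comes from a login form.

```python
"""Simulate JNDIRealm's bind-mode and compare-mode authentication for the
userPattern/roleSearch configuration discussed above.  Added example: the
directory, ACL and passwords below are constructed, not taken from the thread."""
import re

USER_PATTERN = "uid={0},ou=People,dc=domain,dc=com"
ROLE_BASE = "ou=Tomcat,ou=Group,dc=domain,dc=com"
ROLE_SEARCH = "(uniqueMember={0})"
ROLE_NAME = "cn"
MANAGER_DN = "cn=Manager,dc=domain,dc=com"   # assumed privileged bind DN

# Constructed directory: DN -> attributes.  Plaintext passwords only because this
# is a simulation; a real server stores hashes and never returns them to anonymous.
DIRECTORY = {
    "uid=eric,ou=People,dc=domain,dc=com": {"uid": ["eric"], "userPassword": ["s3cret"]},
    "uid=bob,ou=People,dc=domain,dc=com": {"uid": ["bob"], "userPassword": ["hunter2"]},
    "cn=manager,ou=Tomcat,ou=Group,dc=domain,dc=com": {
        "cn": ["manager"],
        "uniqueMember": ["uid=eric,ou=People,dc=domain,dc=com"]},
    "cn=admin,ou=Tomcat,ou=Group,dc=domain,dc=com": {
        "cn": ["admin"],
        "uniqueMember": ["uid=eric,ou=People,dc=domain,dc=com",
                         "uid=bob,ou=People,dc=domain,dc=com"]},
}


def escape_dn_value(value):
    """RFC 4514 escaping for a value placed into a DN (userPattern's {0})."""
    out = []
    for i, ch in enumerate(value):
        leading = i == 0 and ch in "# "
        trailing = i == len(value) - 1 and ch == " "
        out.append("\\" + ch if ch in '\\,+"<>;=' or leading or trailing else ch)
    return "".join(out)


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed into a search filter (roleSearch's {0})."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def user_dn(username):
    """The DN JNDIRealm derives from userPattern for a submitted username."""
    return USER_PATTERN.replace("{0}", escape_dn_value(username))


def simple_bind(dn, password):
    """Simple bind as `dn`: the entry must exist and the password must match."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userPassword", [])


def read_attribute(dn, attr, bound_as):
    """Read `attr` subject to the constructed ACL: userPassword is visible only to
    the entry itself or the manager; anonymous (bound_as=None) gets nothing back."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return None
    if attr == "userPassword" and bound_as not in (dn, MANAGER_DN):
        return None
    return entry.get(attr, [])


def search_roles(member_dn):
    """Evaluate roleSearch one level below roleBase (roleSubtree is unset in the
    config) and collect the roleName attribute of every matching entry."""
    flt = ROLE_SEARCH.replace("{0}", escape_filter_value(member_dn))
    attr, _, raw = flt.strip("()").partition("=")   # only the (attr=value) shape used here
    wanted = unescape_filter_value(raw)
    roles = []
    for dn, entry in DIRECTORY.items():
        parent = dn.split(",", 1)[1] if "," in dn else ""   # naive: no escaped commas in RDNs
        if parent.lower() == ROLE_BASE.lower() and wanted in entry.get(attr, []):
            roles.extend(entry.get(ROLE_NAME, []))
    return sorted(roles)


def authenticate(username, password, user_password_attr=None, connection_dn=None):
    """Return the user's roles, or None on failure.  With user_password_attr unset
    the realm binds as the user; with it set the realm reads the attribute over
    its own connection (connection_dn, None meaning anonymous) and compares."""
    dn = user_dn(username)
    if user_password_attr is None:
        ok = simple_bind(dn, password)
    else:
        stored = read_attribute(dn, user_password_attr, bound_as=connection_dn)
        ok = bool(stored) and password in stored
    return search_roles(dn) if ok else None


if __name__ == "__main__":
    print("bind mode       :", authenticate("eric", "s3cret"))
    print("compare, anon   :", authenticate("eric", "s3cret", "userPassword"))
    print("compare, manager:", authenticate("eric", "s3cret", "userPassword", MANAGER_DN))
```

In bind mode the realm never needs to see the stored password, so anonymous reads are sufficient for the role lookup alone; in compare mode the realm's own connection has to be allowed to read the userPassword attribute, which the constructed ACL (and OpenLDAP's recommended one) denies to anonymous. The escaping functions show why a realm must treat the {0} value as untrusted input: an unescaped comma or closing parenthesis would change the meaning of the DN or filter rather than being matched literally.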





---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
