I remember the big issue I faced regarding the JNDIRealm auth was the
parameters in my Realm definition; there was one line that, once added,
made everything start working. I think it was either "referrals" or
"userSearch="(sAMAccountName={0})"" - which I recall were both necessary
in my instance, or one of the "role|userSubtree" ones.

I found the following link invaluable in configuring my server, it's a
must read:

http://www.jspwiki.org/wiki/ActiveDirectoryIntegration

Regarding logging, I found this tutorial quite helpful:

http://wiki.apache.org/tomcat/Logging_Tutorial


-----Original Message-----
From: news [mailto:n...@ger.gmane.org] On Behalf Of Eric B.
Sent: Friday, 7 August 2009 1:49 p.m.
To: users@tomcat.apache.org
Subject: Re: Trouble configuring LDAP authentication


> "Geofrey Rainey" <geofrey.rai...@tvnz.co.nz> wrote in message
> I had this same issue, both with JNDIRealm, and logging.
>
> Firstly the JNDIRealm; I was authenticating to an AD server and couldn't
> get the parameters right in my Realm definition. This is how I resolved
> it - this realm definition resides within an Engine directive:

Luckily, I'm authenticating against a linux ldap server.  I've read of 
troubles with AD authentication.

> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>    connectionURL="ldap://hostname:389"
>    connectionName="<username>@test.domain"
>    connectionPassword="<password>"
>    userSearch="(sAMAccountName={0})"
>    userBase="DC=test,DC=domain"
>    referrals="follow"
>    userSubtree="true"
>    roleBase="DC=test,DC=domain"
>    roleName="cn"
>    roleSubtree="true"
>    roleSearch="(member={0})"
>    />

Thanks for sharing your config; mine is fairly similar:

     <Realm className="org.apache.catalina.realm.JNDIRealm"
             connectionURL="ldap://snoopy.domain.com:389"
             debug="true"
             userPassword="userPassword"
             userPattern="uid={0},ou=People,dc=domain,dc=com"
             roleBase="ou=Tomcat,ou=Group,dc=domain,dc=com"
             roleName="cn"
             roleSearch="(uniqueMember={0})"
        />

Note that I am not using connectionName or connectionPassword as I have
ldap set up for anonymous reads.  Currently, I have my Role cn's listed in
a Tomcat ou which is under a Group ou.  Like I said, I see logging on my
ldap server that it is getting requested properly and is responding found,
not found, etc.  However, I can't seem to get any logs out from Tomcat.

> You also have to configure the <security-constraint> parameter in your
> web.xml.

I am using the admin & manager webapps that are shipped with Tomcat
(manager part of Tomcat 6, and admin from Tomcat 5.5).  They both work
fine when using the UserDatabaseRealm, but when I switch to the JNDIRealm,
I get nowhere.

>
> Secondly logging. It seems odd that it's not working. I didn't have to
> do anything with logging, it just wrote to the logs/Catalina..... logs
> by default.

I'm not getting any LDAP outputs to my logs at all.  I even switched to
log4j logging by Tomcat in case the default JavaLogger was causing me
problems of sorts, but to no additional use.  The only thing I have
managed to get out in the logs relating to ldap is a single connection
line, and that was only once I explicitly enabled all logging for the
org.apache.catalina.realm package.

DEBUG main org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/admin] - Connecting to URL ldap://snoopy.domain.com:389

After that, the next log entries I get are (they don't tell me much,
however):

DEBUG http-8080-1 org.apache.catalina.realm.RealmBase -   Checking constraint 'SecurityConstraint[Protected Area]' against GET /index.jsp --> true
DEBUG http-8080-1 org.apache.catalina.realm.RealmBase -   User data constraint has no restrictions
ERROR http-8080-1 org.apache.struts.action.RequestProcessor - Invalid path was requested /login
DEBUG http-8080-1 org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/admin].[admin.login_jsp] -  Disabling the response for futher output


> With the JNDIRealm configuration within Tomcat I'm sure it should just
> log by default as mine did..?

I would have thought so / hoped so as well.  But obviously there must be
something different / wrong with my configuration.

I am pasting my entire server.xml file here - is there something that I
am missing in there?

Thanks!

Eric


SERVER.XML:
-----------------
<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.JasperListener" />
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />

  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />

  </GlobalNamingResources>



  <Service name="Catalina">
    <!-- standard HTTP Tomcat Connector -->
    <Connector port="8080" redirectPort="8443" protocol="HTTP/1.1"
               maxThreads="500" minSpareThreads="100" maxSpareThreads="25"
               enableLookups="false"
               acceptCount="500" connectionTimeout="20000"
               disableUploadTimeout="true"
               compression="on"
               compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css"
    />

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
        minSpareThreads="50"
        maxThreads="10000" />

    <Engine name="Catalina" defaultHost="localhost">
<!--
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>
-->

      <Realm className="org.apache.catalina.realm.JNDIRealm"
             connectionURL="ldap://snoopy.domain.com:389"
             debug="true"
             userPassword="userPassword"
             userPattern="uid={0},ou=People,dc=domain,dc=com"
             roleBase="ou=Tomcat,ou=Group,dc=domain,dc=com"
             roleName="cn"
             roleSearch="(uniqueMember={0})"
        />

      <Host name="localhost"  appBase="${catalina.base}/webapps"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">
      </Host>
    </Engine>
  </Service>
</Server>
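
Added example, not code from the thread or from Tomcat: it models the documented meaning of the Realm attributes used in both posted configurations (userPattern vs userSearch/userBase, roleSearch with {0} = user DN) to show which bind DN and search filters the directory server should be logging, so its "found / not found" entries can be checked against what Tomcat is supposed to ask for. The RFC 4514/4515 escaping of substituted values, the sample usernames and the AD user DN are my own assumptions.

```python
# Added example, not Tomcat source: turn JNDIRealm attributes into the LDAP
# operations a directory server would log, for comparison with its "found /
# not found" entries.  Escaping follows RFC 4514 (DN) and RFC 4515 (filter).
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
DN_SPECIAL = set(',+"\\<>;=')

def escape_filter_value(value):
    """Escape a value substituted into a search filter (RFC 4515)."""
    return "".join(FILTER_ESCAPES.get(c, c) for c in value)

def escape_dn_value(value):
    """Escape an attribute value embedded in a DN (RFC 4514)."""
    last = len(value) - 1
    return "".join("\\" + c if c in DN_SPECIAL or (c == " " and i in (0, last))
                   or (c == "#" and i == 0) else c for i, c in enumerate(value))

def plan_authentication(realm, username, resolved_dn=None):
    """Return the user lookup, bind DN and role search a Realm dict implies.
    userPattern builds the DN directly and binds with it; userSearch first
    searches userBase, and the DN comes back from the server (resolved_dn).
    roleSearch substitutes {0} = user DN and {1} = username."""
    plan = {"user_search": None}
    if "userPattern" in realm:
        user_dn = realm["userPattern"].replace("{0}", escape_dn_value(username))
    elif "userSearch" in realm:
        plan["user_search"] = {
            "base": realm["userBase"],
            "scope": "subtree" if realm.get("userSubtree") == "true" else "onelevel",
            "filter": realm["userSearch"].replace("{0}", escape_filter_value(username)),
        }
        user_dn = resolved_dn  # unknown until the directory answers the search
    else:
        raise ValueError("Realm needs userPattern or userSearch")
    plan["bind_dn"] = user_dn
    if "roleSearch" in realm and user_dn is not None:
        filt = realm["roleSearch"].replace("{0}", escape_filter_value(user_dn))
        plan["role_search"] = {
            "base": realm["roleBase"],
            "scope": "subtree" if realm.get("roleSubtree") == "true" else "onelevel",
            "filter": filt.replace("{1}", escape_filter_value(username)),
            "role_attribute": realm.get("roleName"),
        }
    return plan

# The two Realm definitions quoted in the thread, as attribute dicts.
ERIC_REALM = {"userPattern": "uid={0},ou=People,dc=domain,dc=com", "roleName": "cn",
              "roleBase": "ou=Tomcat,ou=Group,dc=domain,dc=com", "roleSearch": "(uniqueMember={0})"}
AD_REALM = {"userSearch": "(sAMAccountName={0})", "userBase": "DC=test,DC=domain",
            "userSubtree": "true", "roleBase": "DC=test,DC=domain", "roleName": "cn",
            "roleSubtree": "true", "roleSearch": "(member={0})"}
```

With Eric's realm the server should log a bind as uid=<user>,ou=People,dc=domain,dc=com followed by a one-level search under ou=Tomcat,ou=Group,dc=domain,dc=com for (uniqueMember=<that DN>); if the LDAP log shows something else, the Realm attributes are not what Tomcat read.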





---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
