On Tue, 24 Nov 2009 13:04:34 -0600, "Caldarale, Charles R"
<chuck.caldar...@unisys.com> wrote:
>> From: Samuel Penn [mailto:s...@glendale.org.uk]
>> Subject: AD Authentication
> 
>> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>>        connectionURL="ldap://172.17.10.100:389"
>>        connectionName="cn=SvcUser,cn=users,dc=myorg,dc=local"
>>        connectionPassword="********"
>>        userBase="ou=staff,dc=myorg,dc=local"
>>        userPattern="sAMAccountName={0}"
>>        roleBase="cn=users,dc=myorg,dc=local"
>>        roleName="cn"
>>        roleSearch="(member={0})"
>>        roleSubtree="false"
>>        userSubtree="true"
>>        authentication="simple"
>>        referrals="follow"
>> />
> 
> The doc says that userPattern can be used *instead of* userSearch,
> userSubtree, and userBase; no mention is made of what happens when you
> specify all of them, but it wouldn't surprise me that things get
> confused.

I think I've amalgamated several examples from the docs as time has gone
on. With just userPattern, I get no errors, a failed login and no useful
messages at all to say why it's failing.

Which may be better, but I can't tell at this stage.

> Also, it seems odd that the roleName attribute is part of the roleBase -
> that doesn't seem to make any sense.

The roles are of the format:

cn=ECM Team, cn=Users,DC=MyOrg,DC=local

So my understanding is that it's looking for a cn within another cn. I
can't comment on whether this is valid, but it's what is set up in our directory.

>  
>> I note that I get a warning message about the debug="99" property,
> 
> The debug attribute hasn't been used in quite some time, but the doc lags
> behind.

I take it I need to configure debug through log4j now then?
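Added example (not from the thread and not Tomcat code): a small in-memory emulation of how JNDIRealm locates a user with userPattern versus userSearch and then resolves roles with roleSearch="(member={0})", run against a constructed AD-style directory that uses the DNs from the post. It assumes JNDIRealm's documented behaviour that userPattern is a full-DN template (userBase applies only to userSearch), and it handles only single-term filters.

```python
from typing import Optional

# Constructed AD-style entries (DN -> attributes); DNs and attribute
# names are stored lower-cased so comparisons are case-insensitive.
DIRECTORY = {
    "cn=jdoe,ou=staff,dc=myorg,dc=local": {
        "samaccountname": "jdoe", "cn": "jdoe"},
    "cn=ecm team,cn=users,dc=myorg,dc=local": {
        "cn": "ECM Team", "member": ["cn=jdoe,ou=staff,dc=myorg,dc=local"]},
}


def _filter(template: str, arg: str):
    """Split a single-term filter like "(member={0})" into (attr, value)."""
    attr, _, value = template.strip("()").partition("=")
    return attr.lower(), value.replace("{0}", arg)


def lookup_by_pattern(user_pattern: str, username: str) -> Optional[str]:
    """userPattern: {0} goes into a full DN template and that entry is read
    directly (userBase is not applied). "sAMAccountName={0}" therefore names
    a DN that does not exist in an AD tree, so the user is never found."""
    dn = user_pattern.replace("{0}", username).lower()
    return dn if dn in DIRECTORY else None


def lookup_by_search(user_search: str, user_base: str, subtree: bool,
                     username: str) -> Optional[str]:
    """userSearch: an LDAP filter evaluated under userBase; userSubtree
    decides whether entries deeper than one level are considered."""
    attr, value = _filter(user_search, username)
    base = user_base.lower()
    for dn, attrs in DIRECTORY.items():
        if not dn.endswith("," + base):
            continue
        depth = dn[: -len(base)].count(",")  # levels below the base
        if (subtree or depth == 1) and attrs.get(attr) == value:
            return dn
    return None


def roles_for(user_dn: str, role_base: str, role_name: str,
              role_search: str) -> list:
    """roleSearch: {0} is the user's DN; roleName is the attribute reported
    as the role, e.g. cn=ECM Team found one level under roleBase."""
    attr, value = _filter(role_search, user_dn.lower())
    base = role_base.lower()
    return sorted(attrs[role_name.lower()] for dn, attrs in DIRECTORY.items()
                  if dn.endswith("," + base) and value in attrs.get(attr, []))
```

Running it shows why userPattern="sAMAccountName={0}" fails without any error: the substituted string is not a DN in the tree, whereas userSearch="(sAMAccountName={0})" under userBase finds the entry and the member-based role search then returns "ECM Team".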
