Good morning everyone!

Well, I've got no idea what happened (providing nobody is configuring 
tomcat except me), but I've just opened catalina.out and have seen that 
the error message changed to 
"Exception opening directory server connection:  javax.naming.CommunicationException: raiffeisen.ru:389 [Root exception is 
java.net.SocketTimeoutException: connect timed out]"

so Tomcat is at least trying to connect to the proper host now.

As far as I understand I've entered something wrong in the JNDI Realm 
properties. Am I right?
Here's my present realm config. Can you take a look please?

<?xml version="1.0" encoding="UTF-8"?>
<Context antiResourceLocking="false" privileged="true" 
docBase="/opt/tomcat/TC02/logs" reloadable="true">
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldap://raiffeisen.ru:389"
alternateURL="ldap://raiffeisen.ru:389"
connectionName="cn=mylogin,dc=raiffeisen,dc=ru"
connectionPassword="mypassword"                  (unencrypted, for 
development purposes - is it correct?)
referrals="follow"
userBase="OU=_Users,DC=raiffeisen,DC=ru"         
userSearch="(sAMAccountName={0})"
userSubtree="true"
userPattern="uid={0},ou=_Users,dc=raiffeisen,dc=ru"
roleBase="OU=_Groups,DC=raiffeisen,DC=ru"
roleName="cn"
roleSubtree="true"
roleSearch="(member={0})"
adCompat="true"/>
</Context>



Thanks in advance.



Best Regards, 
Karatun Lev,
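A way to catch the issues visible in a config like the one above before restarting Tomcat, as an added example that is not code from this thread or from the Tomcat project: a small Python linter for the JNDIRealm attributes of a context file. The sample context it carries is constructed from the config above (same host and DNs, placeholder password, the stray semicolon left in on purpose).

```python
"""Lint the JNDIRealm element of a Tomcat context file before deploying it."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

JNDI_REALM = "org.apache.catalina.realm.JNDIRealm"

# Constructed sample modelled on the context file quoted in the thread
# (same host and DNs, placeholder password, trailing ';' left in on purpose).
SAMPLE_CONTEXT = """<Context antiResourceLocking="false" privileged="true"
    docBase="/opt/tomcat/TC02/logs" reloadable="true">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionURL="ldap://raiffeisen.ru:389;"
    connectionName="cn=mylogin,dc=raiffeisen,dc=ru"
    connectionPassword="PLACEHOLDER_PASSWORD"
    userBase="OU=_Users,DC=raiffeisen,DC=ru" userSearch="(sAMAccountName={0})"
    userPattern="uid={0},ou=_Users,dc=raiffeisen,dc=ru" userSubtree="true"
    roleBase="OU=_Groups,DC=raiffeisen,DC=ru" roleName="cn"
    roleSearch="(member={0})" roleSubtree="true" adCompat="true"/>
</Context>"""


def lint_realm(context_xml: str) -> list[str]:
    """Return human-readable findings for the JNDIRealm (empty list = nothing flagged)."""
    findings = []
    root = ET.fromstring(context_xml)
    realm = next((r for r in root.iter("Realm") if r.get("className") == JNDI_REALM), None)
    if realm is None:
        return ["no JNDIRealm element found under <Context>"]
    for key in ("connectionURL", "alternateURL"):
        url = realm.get(key)
        if url is None:
            continue
        if url.endswith(";"):
            # Typical copy/paste or mail-client artefact that makes the URL invalid.
            findings.append(f"{key}: trailing ';' in {url!r}")
            url = url.rstrip(";")
        parts = urlsplit(url)
        if parts.scheme not in ("ldap", "ldaps"):
            findings.append(f"{key}: unexpected scheme {parts.scheme!r}")
        elif not parts.hostname:
            findings.append(f"{key}: no host, the LDAP provider falls back to localhost:389")
        if parts.scheme == "ldap" and realm.get("connectionPassword"):
            # A simple bind over plain ldap:// puts the service account's password
            # and every authenticating user's password on the wire in clear text.
            findings.append(f"{key}: plain ldap:// with a simple bind sends passwords in clear text; use ldaps://")
    if realm.get("userPattern") and realm.get("userSearch"):
        # JNDIRealm binds with userPattern whenever it is set and never runs
        # userSearch, so a uid= pattern silently overrides the sAMAccountName search.
        findings.append("userPattern and userSearch both set: userSearch is ignored, keep one")
    return findings
```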

Felix Schumacher <felix.schumac...@internetallee.de> wrote on 10.02.2012 
21:51:25:

> Re: Fw: Problems with LDAP authentication
> 
> On Friday, 10.02.2012 at 16:54 +0400, Lev A KARATUN wrote:
> > Felix Schumacher <felix.schumac...@internetallee.de> wrote on 10.02.2012 15:31:43:
> > 
> > > >
> > > > Hi again.
> > > >
> > > > So, my boss told me that it's insecure to give anyone the password to
> > > > view tomcat's logs and that there should be an authentication based on Active
> > > > Directory.
> > > >
> > > > I've been reading the manuals for some time, and configured my Tomcat the
> > > > following way:
> > > >
> > > > $CATALINA_BASE/conf/Catalina/localhost/myapp.xml
> > > >
> > > > <Context antiResourceLocking="false" privileged="true"
> > > > docBase="$CATALINA_BASE/logs" reloadable="true">
> > > >
> > > >         <Realm className="org.apache.catalina.realm.JNDIRealm"
> > > >         connectionURL="ldap://raiffeisen.ru:389"
> > > >          connectionName="myacco...@raiffeisen.ru"  (I also tried the
> > > > format connectionName="cn=myaccount,dc=raiffeisen,dc=ru" - does it matter
> > > > what format I use?)
> > > For normal ldap servers it would be the latter one, e.g. a fully 
> > > qualified dn. ADS might accept the mail address of the user, but I 
> > > frankly don't know.
> > 
> > Anyway, I tried both variants - the server refuses to accept the 
> > connection
> No wonder, since your error message below tells us that tomcat is
> talking to localhost instead of raiffeisen.ru :)
> 
> > 
> > > 
> > > >         connectionPassword="mypassword"
> > > >         referrals="follow"
> > > >         userBase="OU=_Users,DC=raiffeisen,DC=ru"
> > > >         userSearch="(sAMAccountName={0})"
> > > >         userSubtree="true"
> > > >         roleBase="OU=_Groups,DC=raiffeisen,DC=ru"
> > > >         roleName="cn"
> > > >         roleSubtree="true"
> > > >         roleSearch="(member={0})"
> > > For ADS you might want to add adCompat="true" (look at 
> > > http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html for further 
> > > info).
> > > 
> > 
> > OK, added, but nothing changed =\
> Again, no wonder.
> 
> > 
> > > 
> > > >   />
> > > > </Context>
> > > >
> > > >
> > > > WEB-INF/web.xml
> > > >
> > > >  <security-constraint>
> > > >        <web-resource-collection>
> > > >            <web-resource-name>Administrative Area</web-resource-name>
> > > >            <url-pattern>/*</url-pattern>
> > > >        </web-resource-collection>
> > > >        <auth-constraint>
> > > >            <role-name>ADGroupName</role-name>
> > > >        </auth-constraint>
> > > >    </security-constraint>
> > > >
> > > >   <security-role>
> > > >     <description>
> > > >       The role that is required to view logs
> > > >     </description>
> > > >     <role-name>ADGroupName</role-name>
> > > >   </security-role>
> > > >
> > > >
> > > > I also placed LDAP.jar into $CATALINA_BASE/lib, restarted tomcat for
> I think, that is not needed since java 1.4.x, even if it is mentioned in
> the howto :( I have never used that ldap.jar and wouldn't even know
> where to get it. But my jndi-Realms work.
> 
> > > > I guess a hundred times, but every time I'm getting a message in
> > > > catalina.out:
> > > >
> > > > Throwable occurred: LifecycleException:  Exception opening directory
> > > > server connection:  javax.naming.CommunicationException: localhost:389
> > > > [Root exception is java.net.ConnectException: A remote host refused an
> > > > attempted connect operation.]
> > > Since localhost is a different server than the one you told us you had 
> > > configured, I think your context file is not being used. Search for 
> > > other context files, where you either have configured localhost or 
> > > misspelled connectionURL.
> > 
> > But the 389th port is only mentioned in myapp's config file and nowhere 
> > else. So I assume that Tomcat tries to use myapp.xml, but fails for some 
> > reason..
> Don't look for 389 explicitly, since that is the default port as is
> localhost the default host. Search for another context configuration,
> which could be used.
> 
> > 
> > The other apps' context files are default - like this:
> > <?xml version="1.0" encoding="UTF-8"?>
> > <Context antiResourceLocking="false" privileged="true" />
> I somehow doubt that privileged="true" is default and that you need it,
> but it is certainly irrelevant to your problems.
> 
> > 
> > 
> > > 
> > > >
> > > > and
> > > >
> > > > SEVERE: Error deploying configuration descriptor myapp.xml
> > > > Throwable occurred: java.lang.IllegalStateException:
> > > > ContainerBase.addChild: start: LifecycleException:  Exception opening
> > > > directory server connection:  javax.naming.CommunicationException:
> > > > localhost:389 [Root exception is java.net.ConnectException: A remote host
> > > > refused an attempted connect operation.]
> > > >
> > > >
> > > > I tried to telnet raiffeisen.ru on port 389 and got connected.
> > > > I installed JXplorer, entered hostname, port, my credentials and got
> > > > connected.
> > > telnet localhost 389 and see if you get any errors :)
> > 
> > bash-3.00$ telnet localhost 389
> > Trying...
> > telnet: connect: A remote host refused an attempted connect operation.
> > 
> > 
> > ...but WHY is Tomcat trying to connect to localhost? It's clearly written 
> > in the realm - connectionURL="ldap://raiffeisen.ru:389"
> > =(
> Either ldap.jar confuses it, or it uses another context file, or you
> have a typo in your context file, which is not present in the config you
> have shown us.
> 
> Regards
>  Felix
> 
> > 
> > >
> > > Regards
> > >   Felix
> > > 
> > > > I start Tomcat and get errors.
> > > >
> > > > Can you please give me an idea about what am I doing wrong?
> > > >
> > > > Thanks in advance.
> > > >
> > > > Best Regards,
> > > > Karatun Lev.
> > > >
> > > >
> > > > -----------------------------------
> > > > This message and any attachment are confidential and may be
> > > > privileged or otherwise protected from disclosure. If you are not the
> > > > intended recipient any use, distribution, copying or disclosure is
> > > > strictly prohibited. If you have received this message in error,
> > > > please notify the sender immediately either by telephone or by e-mail
> > > > and delete this message and any attachment from your system.
> > > > Correspondence via e-mail is for information purposes only. ZAO
> > > > Raiffeisenbank neither makes nor accepts legally binding statements by
> > > > e-mail unless otherwise agreed.
> > > > -----------------------------------
> > > 
> > > 
> > > 
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > > For additional commands, e-mail: users-h...@tomcat.apache.org
> > > 
> > 
> > 
> > 
> 