Neil,

On 3/16/12 6:23 AM, Neil Munro wrote:
> On 15 March 2012 18:24, Christopher Schultz
>
> <Realm className="org.apache.catalina.realm.JNDIRealm"
>        connectionName="uid={0},ou=my company users,dc=mycompany,dc=com"
>        connectionPassword="userPassword"
>        connectionURL="ldap://my.ldap.server"
>        alternateURL="ldap://my.ldap.server"
>        roleBase="ou=my company users,dc=mycompany,dc=com"
>        roleName="cn"
>        roleSearch="(uniqueMember={0})"
>        userPattern="uid={0},ou=my company users,dc=mycompany,dc=com" />
>
> I have added those changes. As for which connection mode I need, I
> think bind would be OK for now just to check to see if I can
> establish a connection, but looking at it I think if I will be
> querying LDAP for a user name and password then comparison mode is
> what I need.

That's kind of the first decision you have to make when using LDAP for
authentication: what user makes the initial connection?

From your later post, it's not clear how you are connecting to the LDAP
server in order to fetch the valid user ids. Can you provide the setup
information for your InitialDirContext (sanitized, of course)?

> However, with this configuration my whole app becomes inaccessible.
> I imagine it's some form of protection or permissions thing, but in
> my floundering around trying things, this is the only thing that
> seems to have any effect on the whole app.

I thought the whole app was supposed to be unavailable unless the user
successfully logged in. Do I have that wrong? A misconfigured JNDI realm
*should* lock you out of the entire app because authentication always
fails.

>> Can you run any queries against the LDAP server outside of Tomcat
>> that give you results that you might expect? For instance, can
>> you do a search of the LDAP tree for a particular user? What does
>> that query look like? When you do that search, are you using
>> anonymous bind or are you using user bind? If user, which user?
>> Some administrative user or the user whose credentials should be
>> checked?
>
> I can connect with a tool called JXplorer, but I have not had any
> luck from other applications, but that's due to inability to find
> any up-to-date documentation on the libraries I was using.

In JXplorer, are you able to run queries that look anything like those
you are trying to use in your Realm configuration?

Here is the most recent configuration you posted:

<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionName="uid={0},ou=my company users,dc=mycompany,dc=com"
       connectionPassword="userPassword"
       connectionURL="ldap://my.ldap.server.com"
       alternateURL="ldap://my.ldap.server.com"
       roleBase="ou=my company users,dc=mycompany,dc=com"
       roleName="cn"
       roleSearch="(uniqueMember={0})"
       userPattern="uid={0},ou=my company users,dc=mycompany,dc=com" />

You said this "currently works": did you mean that was your current
(non-working) setup, or that this setup actually works?

I don't believe connectionName can be parameterized. I think that's
intended to be used when using a "manager" user to connect to the LDAP
server in order to perform comparison-mode authentication.

  userPattern="uid={0},ou=my company users,dc=mycompany,dc=com"

Does this actually match the DN pattern of your users? (It might help if
you were to post the full LDIF record for a sample user. Same with a
group record.)

  roleSearch="(uniqueMember={0})"

Using OpenLDAP's 'ldapsearch' command-line utility, I can search my own
LDAP database for groups containing myself like this:

  $ ldapsearch -x 'uniqueMember:=uid=schultz,dc=mydomain,dc=mytld' cn

Note that "-x" means "simple bind" -- that is, anonymous. Also note that
I have to use "uniqueMember:=" instead of simply "uniqueMember=" because
the uniqueMember value contains = signs. I'm not sure if that will have
any effect because I don't have a Java-based JNDI probe available to me
at the moment.

At this point, you are basically bumbling around in the dark. I highly
recommend enabling debug logging for the JNDIRealm component (really the
container's logger) by adding this to your conf/logging.properties:

  org.apache.catalina.realm.level=FINE

It's going to generate a ton of output. Try only authenticating a single
time, then shut down Tomcat and read the log file (catalina.out should
contain it). Make sure you follow what is going on, and you can probably
see where things start to go wrong: either some search string will look
wrong, or it will make a decision based upon your configuration that you
didn't anticipate, etc.

If you can't figure it out, post as much of the log to the list as you
can and we'll take a look.

-chris
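The message above turns on the two places where JNDIRealm substitutes a value into a string: {0} in userPattern becomes the username and is used to build a DN, and {0} in roleSearch becomes that DN and is used inside a search filter. The following is an added example, not code from the thread or from Tomcat itself, that emulates that substitution for the exact patterns quoted above and shows what the search strings look like with and without RFC 4514 (DN) and RFC 4515 (filter) escaping; the usernames are constructed test input, and check_realm_config is a small heuristic lint based on Chris's remark that connectionName is a literal manager DN rather than a pattern.

```python
"""Emulate the {0} substitution Tomcat's JNDIRealm performs on userPattern
and roleSearch, and show why the substituted value has to be escaped.

Added example; not Tomcat's code. The pattern strings are the ones from
the thread, the usernames below are constructed test input, and the escape
rules follow RFC 4514 (DN values) and RFC 4515 (search filter values).
"""

from typing import Dict, List

# Patterns from the Realm configuration quoted in the thread.
USER_PATTERN = "uid={0},ou=my company users,dc=mycompany,dc=com"
ROLE_SEARCH = "(uniqueMember={0})"

# Characters that must be backslash-escaped inside a DN attribute value.
DN_SPECIAL = ',+"\\<>;='


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a search filter (RFC 4515)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def user_dn(username: str, escape: bool = True) -> str:
    """Build the user DN the way userPattern does: {0} is the username."""
    value = escape_dn_value(username) if escape else username
    return USER_PATTERN.replace("{0}", value)


def role_filter(dn: str, escape: bool = True) -> str:
    """Build the role search filter: {0} is the user's full DN."""
    value = escape_filter_value(dn) if escape else dn
    return ROLE_SEARCH.replace("{0}", value)


def check_realm_config(attrs: Dict[str, str]) -> List[str]:
    """Flag the connectionName problems raised in the thread.

    Heuristic checks written for this example, not Tomcat's own validation.
    """
    problems = []
    if "{0}" in attrs.get("connectionName", ""):
        problems.append(
            "connectionName is a literal manager DN; '{0}' is not substituted"
        )
    if attrs.get("connectionPassword") and "connectionName" not in attrs:
        problems.append("connectionPassword set without connectionName")
    return problems


if __name__ == "__main__":
    # Constructed usernames: a plain one, one that smuggles an extra RDN,
    # and one that would turn the role search into a wildcard match.
    for name in ("neil", "neil,ou=admins", "*"):
        print(f"{name!r:18} raw:     {role_filter(user_dn(name, False), False)}")
        print(f"{'':18} escaped: {role_filter(user_dn(name))}")
    print(check_realm_config({
        "connectionName": "uid={0},ou=my company users,dc=mycompany,dc=com",
        "connectionPassword": "userPassword",
        "userPattern": USER_PATTERN,
    }))
```

Running it prints the raw and escaped DN/filter pairs for the three usernames; the "neil,ou=admins" case shows the extra RDN that an unescaped substitution would put into the bind DN, and the "*" case shows the filter turning into a substring match unless the value is escaped as \2a. Comparing these strings with what the FINE-level realm log prints is a quick way to see whether the configured patterns produce the DN and filter you expect.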