Posted to users@tomcat.apache.org by ar...@EASTPOINT.COM on 2003/04/23 20:17:17 UTC

Tomcat with LDAP/OpenLDAP

Hi,

I am new to the Tomcat user list (just signed up a few minutes ago). I have
been trying to get Tomcat authentication working with OpenLDAP. I got it to
the point where the user appears to be getting authenticated OK, but the
roles do not seem to be getting resolved.
I have roleBase, roleName, and roleSearch set so that they should find the
roles in the directory, but they are never found.

In desperation I started looking all over (google, etc) in the hope that
someone else had encountered this problem and reported a solution.
Eventually I came across the message below from Jonathan Eric Miller that
indicates that "JNDIRealm is broken and unusable". Is this correct? Is there
a Bugzilla entry for this? I could not find a bug that indicated that it was
completely broken (but may have missed it).

I hope that Jonathan is referring to Tomcat 5 (or 3 or something). I am
using Tomcat 4.1.24.

Any suggestions? My roleSearch looks like: roleSearch="(uniqueMember={0})"

Oh, for now the application that I am trying to get working is "Tomcat
Administration", so it should be looking for the "admin" role.

In the log I have:
2003-04-22 20:28:41 JNDIRealm[Standalone]: Connecting to URL
ldap://localhost:389
2003-04-22 20:30:41 JNDIRealm[Standalone]: lookupUser(Admin)
2003-04-22 20:30:41 JNDIRealm[Standalone]:
dn=cn=Admin,ou=People,o=EastPoint,c=us
2003-04-22 20:30:41 JNDIRealm[Standalone]:   validating credentials by
binding as the user
2003-04-22 20:30:41 JNDIRealm[Standalone]:   binding as
cn=Admin,ou=People,o=EastPoint,c=us
2003-04-22 20:30:41 JNDIRealm[Standalone]: Username Admin successfully
authenticated
2003-04-22 20:30:41 JNDIRealm[Standalone]:
getRoles(cn=Admin,ou=People,o=EastPoint,c=us)
2003-04-22 20:30:41 JNDIRealm[Standalone]:   Searching role base
'ou=Groups,o=EastPoint,c=us' for attribute 'cn'
2003-04-22 20:30:41 JNDIRealm[Standalone]:   With filter expression
'(uniqueMember=cn=Admin,ou=People,o=EastPoint,c=us)'
2003-04-22 20:30:42 JNDIRealm[Standalone]:   Returning 0 roles
2003-04-22 20:30:42 JNDIRealm[Standalone]: Username Admin does NOT have role
admin


Thank You,
Art

Re: Tomcat with LDAP

* From: Jonathan Eric Miller
* Subject: Re: Tomcat with LDAP
* Date: Wed, 02 Apr 2003 13:32:27 -0800

JNDIRealm is broken and unusable.

Jon


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: Tomcat with LDAP/OpenLDAP

Posted by "Mark R. Diggory" <md...@latte.harvard.edu>.
Do your groups store users under the "uniqueMember" attribute or the
"member" attribute? We are now using JNDIRealm successfully on Tomcat
4.1.24. Here's my config for it:

<Context debug="0" reloadable="true" docBase="VDC" path="/VDC">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://your.host.here:389"
         userPattern="uid={0},ou=vdcid,ou=osprey,o=vdc"
         roleBase="o=vdc"
         roleName="vdcGroup"
         roleSearch="(member={0})"
         roleSubtree="true"/>
</Context>

Our groups are stored in custom "vdcGroup" entries; users are stored
in the "member" attribute.

It may be the case you're missing the roleSubtree if your groups aren't all
one level inside your roleBase.

-Mark
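To make the realm's role lookup in the log above concrete, here is an added example (not Tomcat's code and not from either poster) that models JNDIRealm's getRoles() in memory: it substitutes the user DN into roleSearch, searches roleBase at one level or, with roleSubtree, the whole subtree, and collects the roleName attribute of each matching group. The directory entries are constructed samples; the DN, roleBase and attribute names are the ones in the thread.

```python
# Added example (not Tomcat's code): an in-memory model of JNDIRealm's
# role lookup, with constructed directory entries taken from the thread.
import re

USER_DN = "cn=Admin,ou=People,o=EastPoint,c=us"
# (dn, attributes); the first group uses "member", the second uses
# "uniqueMember" and sits one level deeper than roleBase.
DIRECTORY = [
    ("cn=admin,ou=Groups,o=EastPoint,c=us",
     {"cn": ["admin"], "member": [USER_DN]}),
    ("cn=manager,ou=Apps,ou=Groups,o=EastPoint,c=us",
     {"cn": ["manager"], "uniqueMember": [USER_DN]}),
]

def build_filter(role_search, user_dn):
    """{0} in roleSearch is replaced by the authenticated user's DN."""
    return role_search.replace("{0}", user_dn)

def in_scope(dn, base, subtree):
    """One-level scope (the realm's default) versus roleSubtree="true".
    Simplified: assumes no escaped commas inside RDN values."""
    if not dn.lower().endswith("," + base.lower()):
        return False
    return subtree or "," not in dn[: len(dn) - len(base) - 1]

def matches(attrs, filter_expr):
    """Evaluate the simple equality filter '(attr=value)' seen in the log."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_expr)
    if not m:
        raise ValueError("unsupported filter: " + filter_expr)
    attr, value = m.group(1).lower(), m.group(2).lower()
    return any(k.lower() == attr and value in [v.lower() for v in vs]
               for k, vs in attrs.items())

def get_roles(user_dn, role_base, role_name, role_search,
              role_subtree=False, directory=DIRECTORY):
    """Mirror getRoles(): search roleBase with the expanded filter and
    collect the roleName attribute of every matching group entry."""
    filter_expr = build_filter(role_search, user_dn)
    return [role for dn, attrs in directory
            if in_scope(dn, role_base, role_subtree) and matches(attrs, filter_expr)
            for role in attrs.get(role_name, [])]

if __name__ == "__main__":
    base = "ou=Groups,o=EastPoint,c=us"
    print(get_roles(USER_DN, base, "cn", "(uniqueMember={0})"))       # [] as in Art's log
    print(get_roles(USER_DN, base, "cn", "(member={0})"))             # ['admin']
    print(get_roles(USER_DN, base, "cn", "(uniqueMember={0})", True)) # ['manager']
```

With the filter attribute matching the group's membership attribute and roleSubtree set, the nested group is found; with either one wrong the search legitimately returns 0 roles, which is all the "Returning 0 roles" line tells you.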
