Posted to users@tomcat.apache.org by Aurélien Allienne <al...@gmail.com> on 2007/04/23 15:28:55 UTC
JNDI Problem
Hi,
I have a problem with JNDIRealm.
I have this context.xml:
<?xml version="1.0" encoding="UTF-8"?>
<Context path="/test"
         docBase="test"
         debug="0"
         privileged="false"
         reloadable="false">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionName="uid=tomcat,ou=appli,dc=univ-lille2,dc=fr"
         connectionPassword="g72jfacc"
         digest="SHA"
         connectionURL="ldap://ldapmasta:1389"
         userBase="ou=people,dc=univ-lille2,dc=fr"
         userSearch="(supannAliasLogin={0})"
         roleBase="ou=appli,dc=univ-lille2,dc=fr"
         roleSubtree="true"
         roleName="cn"
         roleSearch="(member={0})"
         debug="99"/>
  <!--resourceName="UserDatabase"
  /-->
</Context>
And this web.xml:
<?xml version="1.0" encoding="ISO-8859-1" ?>
<!DOCTYPE web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <display-name>My secure webapp</display-name>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>My secure webapp</web-resource-name>
      <description>accessible by authenticated users of the admin role</description>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description>These roles are allowed access</description>
      <role-name>tomcat admin agenda</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>My secure webapp</realm-name>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/autherr.html</form-error-page>
      <form-default-page>/index.html</form-default-page>
    </form-login-config>
  </login-config>
  <security-role>
    <description>Only 'admin' role is allowed to access this web application</description>
    <role-name>tomcat admin agenda</role-name>
  </security-role>
</web-app>
I want to authenticate users and get their roles, but in my tomcat.log I have:
DEBUG http-8080-Processor25
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/test]
- entry found for aurelien.allienne with dn
uid=43316,ou=people,dc=univ-lille2,dc=fr
DEBUG http-8080-Processor25
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/test]
- entry found for aurelien.allienne with dn
uid=43316,ou=people,dc=univ-lille2,dc=fr
DEBUG http-8080-Processor25
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/test]
- validating credentials by binding as the user
DEBUG http-8080-Processor25
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/test]
- validating credentials by binding as the user
DEBUG http-8080-Processor25
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/test]
- binding as uid=43316,ou=people,dc=univ-lille2,dc=fr
DEBUG http-8080-Processor25
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/test]
- binding as uid=43316,ou=people,dc=univ-lille2,dc=fr
DEBUG http-8080-Processor25
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/test]
- Username aurelien.allienne successfully authenticated
DEBUG http-8080-Processor25
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/test]
- Username aurelien.allienne successfully authenticated
DEBUG http-8080-Processor25
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/test]
- getRoles(uid=43316,ou=people,dc=univ-lille2,dc=fr)
DEBUG http-8080-Processor25
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/test]
- getRoles(uid=43316,ou=people,dc=univ-lille2,dc=fr)
DEBUG http-8080-Processor25
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/test]
- filter :(member=uid=43316,ou=people,dc=univ-lille2,dc=fr)
DEBUG http-8080-Processor25
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/test]
- filter :(member=uid=43316,ou=people,dc=univ-lille2,dc=fr)
DEBUG http-8080-Processor25
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/test]
- Returning 0 roles
DEBUG http-8080-Processor25
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/test]
- Returning 0 roles
In my LDAP I have a "super user" named tomcat who can see all information. I
use it to log in. After that I search for a user and their roles. But there is
a problem. I have a group in LDAP, "tomcat admin agenda", and a user in this
group, me :)
Thanks for your help
Aurelien Allienne
Re: JNDI Problem
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Aurélien,
Aurélien Allienne wrote:
> member
Looks like "member" /is/ the correct attribute. Can you execute that
search independently to verify that you're not missing something? I'm
trying to establish if LDAPRealm is broken (which is unlikely) or if
your setup isn't exactly right (which is more likely).
Often, it helps to get a query such as this working in a more familiar
tool (such as phpLDAPadmin, with which I have no familiarity whatsoever)
before moving to a new setup (i.e. Tomcat's LDAPRealm).
- -chris
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: JNDI Problem
Posted by Aurélien Allienne <al...@gmail.com>.
I have this in phpLDAPadmin for the entry cn=tomcat admin agenda,ou=appli,dc=univ-lille2,dc=fr:
* cn (required, rdn): tomcat admin agenda
* member (required):
  uid=1006,ou=people,dc=univ-lille2,dc=fr
  uid=43316,ou=people,dc=univ-lille2,dc=fr
* objectClass (required): groupOfNames (structural), top
Re: JNDI Problem
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Aurélien,
Aurélien Allienne wrote:
> roleSearch="(member={0})"
Is this correct? Often, members of a group are "uniqueMember"
attributes. Can you confirm that similar queries return what you are
looking for when you issue them from an LDAP browser or by using
something simple like ldapsearch from the command line?
- -chris
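Chris's suggestion, worked into a script as an added example (mine, not code from the thread or from Tomcat): it runs the same three lookups that JNDIRealm's debug log shows (user search, bind as the user, role search) with ldapsearch and the realm attributes from the poster's context.xml. It assumes the OpenLDAP client tools, a hypothetical file name realmcheck.sh, and the uid=tomcat service-account password in an environment variable TOMCAT_LDAP_PW.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce JNDIRealm's three lookups with
# OpenLDAP's ldapsearch, using the realm attributes from the poster's context.xml.
# Assumes the service-account password is in $TOMCAT_LDAP_PW (use -y <file>
# instead of -w to keep it out of the process list).
URL="ldap://ldapmasta:1389"
BIND_DN="uid=tomcat,ou=appli,dc=univ-lille2,dc=fr"
USER_BASE="ou=people,dc=univ-lille2,dc=fr"
ROLE_BASE="ou=appli,dc=univ-lille2,dc=fr"

# RFC 4515 escaping for a value placed into a search filter, so a submitted
# login such as "*" cannot turn userSearch into a wildcard match.
escape_filter() {
  printf '%s' "$1" |
    sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The realm's userSearch and roleSearch with the {0} slot filled in:
# the username for userSearch, the user's DN for roleSearch.
user_filter() { printf '(supannAliasLogin=%s)' "$(escape_filter "$1")"; }
role_filter() { printf '(member=%s)' "$(escape_filter "$1")"; }

# Step 1: userBase + userSearch -> the DN the log reports as "entry found ... with dn".
find_user_dn() {
  ldapsearch -x -LLL -H "$URL" -D "$BIND_DN" -w "$TOMCAT_LDAP_PW" \
    -b "$USER_BASE" -s sub "$(user_filter "$1")" dn | sed -n 's/^dn: //p'
}

# Step 2: "binding as <dn>" -- a base-scope search as the user validates the password.
check_bind() {
  ldapsearch -x -LLL -H "$URL" -D "$1" -w "$2" -b "$1" -s base '(objectClass=*)' dn >/dev/null
}

# Step 3: roleBase + roleSubtree="true" + roleSearch, returning roleName="cn".
# "Returning 0 roles" in the log means this search came back empty.
find_roles() {
  ldapsearch -x -LLL -H "$URL" -D "$BIND_DN" -w "$TOMCAT_LDAP_PW" \
    -b "$ROLE_BASE" -s sub "$(role_filter "$1")" cn | sed -n 's/^cn: //p'
}

main() {
  dn=$(find_user_dn "$1")
  [ -n "$dn" ] || { echo "no entry for $1" >&2; exit 1; }
  check_bind "$dn" "$2" || { echo "bind as $dn failed" >&2; exit 1; }
  echo "dn: $dn"
  echo "roles:"
  find_roles "$dn"
}
if [ "$#" -ge 2 ]; then main "$@"; fi   # usage: ./realmcheck.sh <login> <password>
```

If step 3 prints nothing while phpLDAPadmin shows the member value, compare the DN substituted into the filter with the stored value and check that the uid=tomcat account is allowed to read the member attribute under ou=appli.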