Posted to users@tomcat.apache.org by Luis Fernandez Martinez <wa...@gmail.com> on 2007/04/02 10:40:14 UTC

Problem with Tomcat Authorization, JndiLoginModule and openLdap

 Hello,
I'm having a problem trying to authorize the admin console (admin webapp) via
openLdap for some user.
 It seems that ldap authenticates the user, but then, back in Tomcat, it
doesn't authorize access to the webapp.
This is the output of the Tomcat-5.5.23:

02-abr-2007 10:00:34 org.apache.struts.action.RequestProcessor processMapping
GRAVE: Invalid path /login was requested
                [JndiLoginModule] user provider:
ldap://133.200.4.117:389/ou=people,dc=vignette,dc=com

                [JndiLoginModule] group provider:
ldap://133.200.4.117:389/ou=group,dc=vignette,dc=com

                [JndiLoginModule]: User not found
                [JndiLoginModule] tryFirstPass failed with:
javax.security.auth.login.FailedLoginException: User not found
                [JndiLoginModule] attemptAuthentication() succeeded
                [JndiLoginModule] user: 'alopezz' has UID: 210
                [JndiLoginModule] user: 'alopezz' has GID: 520
                [JndiLoginModule] regular authentication succeeded
                [JndiLoginModule]: added UnixPrincipal,
                                UnixNumericUserPrincipal,
                                UnixNumericGroupPrincipal(s),
                         to Subject

The context.xml of the webapp is as follows:

<Context path="/admin" docBase="server/webapps"
          debug="9" privileged="true">
   <Realm className="org.apache.catalina.realm.JNDIRealm"
        debug="9"
        appName="admin"
        userClassNames="com.sun.security.auth.UnixPrincipal"
            roleClassNames="com.sun.security.auth.UnixNumericGroupPrincipal"
        connectionURL="ldap://133.200.4.117:389"
        connectionName="cn=Manager,dc=vignette,dc=com"
        connectionPassword="secret"
        userBase="ou=People,dc=vignette,dc=com"
        userSearch="(cn={0})"
        userPassword="userPassword"
        roleBase="ou=Group,dc=vignette,dc=com"
        roleName="cn"
        roleSubtree="true"
        roleSearch="memberUid={0}"/>
</Context>

and my jass.config (I wonder if there's a way to avoid it) is:

Catalina {
com.sun.security.auth.module.JndiLoginModule REQUIRED
debug=true
tryFirstPass=true
group.provider.url="ldap://133.200.4.117:389/ou=group,dc=vignette,dc=com "
user.provider.url= "ldap://133.200.4.117:389/ou=people,dc=vignette,dc=com"
useSharedState=true;
};

The ldap structure:

Group:
dn: cn=adminTomcat, ou=Group, dc=vignette,dc=com
gidNumber: 520
userPassword:: e0NSWVBUfVhWRTBXLndaLlU4d0E=
memberUid: uid=alopezz,ou=People,dc=vignette,dc=com
objectClass: top
objectClass: posixGroup
cn: adminTomcat

and user:

dn: cn=alopezz, ou=People, dc=vignette,dc=com
sn: Lopez
userPassword:: e0NSWVBUfWF1Y3FBbHFFTG5rQTI=
loginShell: /bin/bash
uidNumber: 210
gidNumber: 520
objectClass: top
objectClass: posixAccount
objectClass: person
uid: alopezz
cn: alopezz
homeDirectory: /tmp

The web.xml of the admin webapp has the security role added:

    <security-role>
        <role-name>adminTomcat</role-name>
    </security-role>

I'm really interested in solving this problem because I'm not sure it is
working. I've read the Realm how-to from the Tomcat site,
and after solving the "can't load the ConfigFile" thing by adding the
jass.config file to the startup of Tomcat, I get that the user
authenticates, but cannot be authorized. It seems Tomcat doesn't get the role
of the user. Might it be possible via the jass.config?
So what is the workaround? What am I missing? Without the jass.config the
user doesn't even authenticate!

Thanks in advance

Luis
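Added editor's note and example, not part of Luis's post or of Tomcat itself. Two things in the posted configuration are worth checking against the Tomcat JNDIRealm documentation. First, `appName`, `userClassNames` and `roleClassNames` are JAASRealm attributes; JNDIRealm ignores them and never consults a JAAS login configuration, so the `[JndiLoginModule]` lines in the log come from whichever realm actually read the jass.config, and a UnixNumericGroupPrincipal carries the gid string ("520") as its name, which can never equal the web.xml role "adminTomcat". Second, in JNDIRealm's `roleSearch` the placeholder `{0}` is replaced by the user's full DN as found by `userSearch` (here `cn=alopezz,ou=People,...`), while `{1}` is replaced by the bare login name; a posixGroup normally stores bare uids in `memberUid`. The script below replays the realm's two searches against an in-memory copy of the LDIF in the post (constructed data, plus one assumed extra group `tomcatOps` whose `memberUid` holds a bare uid) so the effect of `{0}` versus `{1}` can be seen without a live directory:

```python
"""Offline replay of the two LDAP searches Tomcat's JNDIRealm performs.

Added illustration, not Tomcat source.  The realm (a) finds the user entry
with userSearch, {0} being the login name, and (b) finds role entries with
roleSearch, where {0} is the user's DN and {1} the login name, and reads
roleName from each hit.  Here both searches run against an in-memory copy
of the entries from the post (constructed data, no live directory).
"""
import re

# Constructed copy of the two entries in the post.  A third group, tomcatOps
# (assumed, not in the post), holds memberUid the way posixGroup usually does:
# the bare uid rather than a DN.
DIRECTORY = {
    "cn=alopezz,ou=People,dc=vignette,dc=com": {
        "uid": ["alopezz"], "cn": ["alopezz"], "gidNumber": ["520"],
        "objectClass": ["top", "posixAccount", "person"],
    },
    "cn=adminTomcat,ou=Group,dc=vignette,dc=com": {
        "cn": ["adminTomcat"], "gidNumber": ["520"],
        "memberUid": ["uid=alopezz,ou=People,dc=vignette,dc=com"],
        "objectClass": ["top", "posixGroup"],
    },
    "cn=tomcatOps,ou=Group,dc=vignette,dc=com": {
        "cn": ["tomcatOps"], "gidNumber": ["521"],
        "memberUid": ["alopezz"],
        "objectClass": ["top", "posixGroup"],
    },
}

# The realm settings taken from the posted context.xml (parentheses around
# roleSearch are optional for this toy matcher).
POSTED_REALM = {
    "user_base": "ou=People,dc=vignette,dc=com",
    "user_search": "(cn={0})",
    "role_base": "ou=Group,dc=vignette,dc=com",
    "role_search": "memberUid={0}",
    "role_name": "cn",
}

_EQ_FILTER = re.compile(r"^\(?\s*([A-Za-z][\w-]*)\s*=\s*([^)]*?)\s*\)?$")


def _norm_dn(dn):
    """Fold case and drop spaces after commas so DNs compare reliably."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def _matches(entry, filt):
    """Evaluate a single equality filter (attr=value), case-insensitively."""
    m = _EQ_FILTER.match(filt)
    if not m:
        raise ValueError("only (attr=value) filters are modelled: %r" % filt)
    attr, wanted = m.group(1).lower(), m.group(2).lower()
    attrs = {k.lower(): v for k, v in entry.items()}
    return any(v.lower() == wanted for v in attrs.get(attr, []))


def search(directory, base, filt):
    """Return (dn, entry) pairs under `base` matching `filt` (subtree scope)."""
    base = _norm_dn(base)
    return [(dn, e) for dn, e in directory.items()
            if _norm_dn(dn).endswith(base) and _matches(e, filt)]


def resolve_roles(directory, username, user_base, user_search,
                  role_base, role_search, role_name):
    """Mimic JNDIRealm: user lookup, then role lookup with {0}=DN, {1}=uid.

    Returns the sorted role names, or None when the user search does not
    yield exactly one entry (the realm treats that as a failed login).
    """
    hits = search(directory, user_base, user_search.replace("{0}", username))
    if len(hits) != 1:
        return None
    user_dn = hits[0][0]
    filt = role_search.replace("{0}", user_dn).replace("{1}", username)
    roles = []
    for _dn, entry in search(directory, role_base, filt):
        attrs = {k.lower(): v for k, v in entry.items()}
        roles.extend(attrs.get(role_name.lower(), []))
    return sorted(roles)


if __name__ == "__main__":
    # Posted settings: {0} becomes cn=alopezz,ou=People,... which equals
    # neither "alopezz" nor the uid=... DN stored in memberUid, so no roles.
    print(resolve_roles(DIRECTORY, "alopezz", **POSTED_REALM))
    # Same directory, roleSearch using {1}: the bare-uid group now matches.
    fixed = dict(POSTED_REALM, role_search="(memberUid={1})")
    print(resolve_roles(DIRECTORY, "alopezz", **fixed))
```

With the posted settings the group search finds nothing, because the substituted DN starts with `cn=` (the userSearch matched on `cn`) while the posted group's `memberUid` stores a `uid=`-prefixed DN; switching to `{1}` only matches a group whose `memberUid` holds the bare uid. Either way, once the realm does return "adminTomcat", the webapp still needs a `<security-constraint>` that references that role, not just the `<security-role>` declaration.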