Posted to users@tomcat.apache.org by Davi Leal <da...@leals.com> on 2003/10/11 12:34:07 UTC

JNDIRealm source code - (was: Re: Tomcat vs Bea WebLogic)

Hi,

I am using tomcat 4.1.27, Java sdk-1.4.1_02 and JNDIRealm to use the Micro$oft 
Site Server service to authenticate our webapps.

I get an "error code 2" exception (Protocol Error) only when the user and the 
password are right. That is to say, when an OK is expected. I am thinking 
about modifying the JNDIRealm to support that Micro$oft returned 'code', instead 
of raising an exception. It looks easy :) . You can see below the appointed 
catalina log.

Can you supply me any URL, CVS repository, or whatever which points me to the 
JNDI source code?

I have read the JNDI API I must use is the one included in Java sdk 1.4.2.

Last question: Can we solve the 'M$ protocol' issue just using Tomcat 5.0?

Regards,
Davi Leal


Tim Funk wrote:
> I have gotten JNDIRealm to work against iPlanet. I have heard others get it
> working against:
> - Active Directory (I personally had problems due to some IT policies)
> - Novell
> - OpenLDAP
>
> But in the worst case - the code is open for change so creating a custom
> Realm should be simple if one understands JNDI programming. Which is what I
> had to do with respect to ActiveDirectory and wacky business rules vs
> domain setup.
>
> -Tim
>
>
> David Diaz wrote:
> > Reference: http://www.weblogic.com/docs51/admindocs/ldap2.html#intro
> >
> >  The WebLogic LDAP realm has been tested against the following LDAP
> > servers:
> >     * OpenLDAP
> >     * iPlanet Directory Server
> >     * Microsoft Site Server
> >
> > I would like to get a similar Tomcat link to show to my boss.





APPENDIX
========



The catalina log
----------------

59 JNDIRealm[Standalone]: Connecting to URL ldap://host:1003


* Testing with a non-existent user:

44 JNDIRealm[Standalone]: lookupUser(davi)
44 JNDIRealm[Standalone]:   dn=cn=davi,ou=Members,o=tpi
44 JNDIRealm[Standalone]:   validating credentials by binding as the user
44 JNDIRealm[Standalone]:   binding as cn=davi,ou=Members,o=org
44 JNDIRealm[Standalone]:   bind attempt failed
44 JNDIRealm[Standalone]: Autentificación fallida para el usuario davi


* Testing with a user which is right, but using a wrong password:

36 JNDIRealm[Standalone]: lookupUser(ph32796)
36 JNDIRealm[Standalone]:   dn=cn=ph32796,ou=Members,o=org
36 JNDIRealm[Standalone]:   validating credentials by binding as the user
36 JNDIRealm[Standalone]:   binding as cn=ph32796,ou=Members,o=org
36 JNDIRealm[Standalone]:   bind attempt failed
36 JNDIRealm[Standalone]: Autentificación fallida para el usuario ph32796


* Testing with both user and password right:

09 JNDIRealm[Standalone]: lookupUser(phe2796)
09 JNDIRealm[Standalone]:   dn=cn=phe2796,ou=Members,o=org
09 JNDIRealm[Standalone]:   validating credentials by binding as the user
09 JNDIRealm[Standalone]:   binding as cn=phe2796,ou=Members,o=org
09 JNDIRealm[Standalone]: Excepción al realizar la autentificación
javax.naming.CommunicationException: [LDAP: error code 2 - Protocol Error]; 
remaining name ''
   at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2965)
   ...
09 JNDIRealm[Standalone]: Closing directory context




The realm we are using in server.xml
------------------------------------

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
 connectionName="cn=PHE2796,ou=Members,o=org"
 connectionPassword="****"
 connectionURL="ldap://host:1003"
 userPattern="cn={0},ou=Members,o=org"
 userSubtree="true"
 roleBase="ou=UserCFuncional,ou=CFuncional,ou=Groups,o=org"
 roleName="cn"
 roleSearch="(uniqueMember={0})"
/>


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: JNDIRealm source code -

Posted by Tim Funk <fu...@joedog.org>.
http://jakarta.apache.org/site/cvsindex.html

JNDIRealm is jakarta-tomcat-catalina for tomcat5, 
jakarta-tomcat-4.0/catalina/ for tomcat4

I recommend more exploration before accepting an error code 2 as a valid 
login. It's a kluge around the MS's ldap implementation and such a kluge 
probably won't make it back into the source tree. I have seen problems with 
respect to JNDIRealm and MS with respect to commas, or other weird characters 
in the DN with respect to escaping. (I don't remember any more details, it is 
too horrifying an experience to recall) There might also be a Bugzilla report 
with respect to it.


-Tim

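Tim's warning about commas and other special characters in the DN, as an added example that is not part of this thread or of Tomcat's JNDIRealm code: a Python sketch of the userPattern substitution from the server.xml above, with RFC 4514 escaping applied to the user name before it is placed in the DN, and a simple RDN count showing why the escaping matters. It assumes plain textual substitution of {0}; the function names are mine.

```python
import re

# userPattern from the server.xml in the thread: the user name replaces {0}
# and the resulting DN is used for the bind (assumed to be plain substitution).
USER_PATTERN = "cn={0},ou=Members,o=org"

# RFC 4514 section 2.4: characters that must be escaped inside a DN attribute
# value; a leading '#' or space and a trailing space must be escaped as well.
_DN_SPECIALS = ',+"\\<>;='


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for safe inclusion in a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")          # NUL is written as its hex pair
        elif ch == " " and i in (0, last):
            out.append("\\ ")           # leading/trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")           # leading '#' would start a hex string
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(pattern: str, username: str, escape: bool = True) -> str:
    """Substitute the user name into a JNDIRealm-style userPattern."""
    value = escape_dn_value(username) if escape else username
    return pattern.replace("{0}", value)


def rdn_count(dn: str) -> int:
    """Number of RDNs in a DN; a backslash-escaped comma is data, not a separator."""
    return len(re.split(r"(?<!\\),", dn))


def has_dn_metacharacters(username: str) -> bool:
    """True if substituting the raw user name would change the DN's structure,
    a cheap input check a realm can apply before building the bind DN."""
    return any(ch in _DN_SPECIALS for ch in username) or username != username.strip()


if __name__ == "__main__":
    # Constructed sample names: the one from the log and one containing a comma.
    for name in ("phe2796", "Leal, Davi"):
        raw, safe = build_bind_dn(USER_PATTERN, name, False), build_bind_dn(USER_PATTERN, name)
        print(f"{name!r}: raw={raw!r} rdns={rdn_count(raw)}  escaped={safe!r} rdns={rdn_count(safe)}")
```

With the comma unescaped the bind DN gains a fourth RDN, which is the kind of structural change a directory can reject with a protocol error or, worse, resolve to a different entry.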