Posted to users@tomcat.apache.org by Frederic Rinaldi <Fr...@inrialpes.fr> on 2002/02/27 10:29:02 UTC
IMPORTANT - error while using LDAP/JNDI authentication with Tomcat 4.0
Hello,
Please help me.
I'm a French student and I need to implement LDAP authentication with
Tomcat 4 for my project. The user authentication is correct but the
authorization fails because of the role search: Tomcat is unable to get
the corresponding role in my LDAP directory.
Here's my LDAP directory definition (I use OpenLDAP):
include /usr/local/etc/openldap/schema/core.schema
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
database ldbm
suffix dc="mycompany",dc="com"
rootdn "cn=Manager,dc=mycompany,dc=com"
directory /usr/local/var/openldap-ldbm
rootpw secret
index objectClass eq
Here's my LDAP directory (LDIF file):
dn: dc=mycompany,dc=com
objectclass: dcObject
objectclass: organization
o: Example Company

# Define a user named 'tomcat'
dn: cn=tomcat,dc=mycompany,dc=com
cn: tomcat
userPassword: tomcat
sn: Tomcat User
objectClass: person

# Define a user named 'role1'
dn: cn=role1,dc=mycompany,dc=com
cn: role1
userPassword: tomcat
sn: Role1 User
objectClass: person

# Define a user named 'both'
dn: cn=both,dc=mycompany,dc=com
cn: both
userPassword: tomcat
sn: Both User
objectClass: person

# Define an entry to base role searches on
dn: dc=roles,dc=mycompany,dc=com
cn: roles
objectClass: person
sn: Roles Entry

# Define all members of the 'tomcat' role
dn: cn=tomcat,dc=roles,dc=mycompany,dc=com
cn: tomcat
objectClass: groupOfUniqueNames
uniqueMember: cn=tomcat,dc=mycompany,dc=com
uniqueMember: cn=both,dc=mycompany,dc=com

# Define all members of the 'role1' role
dn: cn=role1,dc=roles,dc=mycompany,dc=com
cn: role1
objectClass: groupOfUniqueNames
uniqueMember: cn=role1,dc=mycompany,dc=com
uniqueMember: cn=both,dc=mycompany,dc=com
Here's my Tomcat 4 Realm declaration:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionName="cn=Manager,dc=mycompany,dc=com"
       connectionPassword="secret"
       connectionURL="ldap://localhost"
       roleBase="dc=roles"
       roleName="cn"
       roleSearch="(uniqueMember={0})"
       roleSubtree="false"
       userPassword="userPassword"
       userPattern="cn={0},dc=mycompany,dc=com"
/>
Here's my catalina_log.2002-02-27.txt file:
2002-02-27 10:15:46 HttpConnector Opening server socket on all host IP addresses
2002-02-27 10:15:46 JNDIRealm[Standalone]: Connecting to URL ldap://localhost
2002-02-27 10:15:59 HttpConnector[8080] Starting background thread
2002-02-27 10:15:59 HttpProcessor[8080][1] Starting background thread
2002-02-27 10:15:59 HttpProcessor[8080][0] Starting background thread
2002-02-27 10:15:59 HttpProcessor[8080][2] Starting background thread
2002-02-27 10:15:59 HttpProcessor[8080][3] Starting background thread
2002-02-27 10:15:59 HttpProcessor[8080][4] Starting background thread
2002-02-27 10:16:19 JNDIRealm[Standalone]: getUserDN(tomcat)
2002-02-27 10:16:19 JNDIRealm[Standalone]: dn=cn=tomcat,dc=mycompany,dc=com
2002-02-27 10:16:19 JNDIRealm[Standalone]: retrieving attribute userPassword
2002-02-27 10:16:19 JNDIRealm[Standalone]: retrieving value
2002-02-27 10:16:19 JNDIRealm[Standalone]: validating credentials
2002-02-27 10:16:19 JNDIRealm[Standalone]: Username tomcat successfully authenticated
2002-02-27 10:16:19 JNDIRealm[Standalone]: getRoles(cn=tomcat,dc=mycompany,dc=com)
2002-02-27 10:16:19 JNDIRealm[Standalone]: Searching role base 'dc=roles' for attribute 'cn'
2002-02-27 10:16:19 JNDIRealm[Standalone]: With filter expression '(uniqueMember=cn=tomcat,dc=mycompany,dc=com)'
2002-02-27 10:16:19 JNDIRealm[Standalone]: Exception performing authentication
javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'dc=roles'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2761)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2682)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2488)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1660)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1583)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:371)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:331)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:316)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:241)
    at org.apache.catalina.realm.JNDIRealm.getRoles(Unknown Source)
    at org.apache.catalina.realm.JNDIRealm.authenticate(Unknown Source)
    at org.apache.catalina.realm.JNDIRealm.authenticate(Unknown Source)
    at org.apache.catalina.authenticator.FormAuthenticator.authenticate(Unknown Source)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(Unknown Source)
    at org.apache.catalina.core.StandardPipeline.invokeNext(Unknown Source)
    at org.apache.catalina.core.StandardPipeline.invoke(Unknown Source)
    at org.apache.catalina.core.ContainerBase.invoke(Unknown Source)
    at org.apache.catalina.core.StandardContext.invoke(Unknown Source)
    at org.apache.catalina.core.StandardHostValve.invoke(Unknown Source)
    at org.apache.catalina.core.StandardPipeline.invokeNext(Unknown Source)
    at org.apache.catalina.valves.AccessLogValve.invoke(Unknown Source)
    at org.apache.catalina.core.StandardPipeline.invokeNext(Unknown Source)
    at org.apache.catalina.core.StandardPipeline.invoke(Unknown Source)
    at org.apache.catalina.core.ContainerBase.invoke(Unknown Source)
    at org.apache.catalina.core.StandardEngineValve.invoke(Unknown Source)
    at org.apache.catalina.core.StandardPipeline.invokeNext(Unknown Source)
    at org.apache.catalina.core.StandardPipeline.invoke(Unknown Source)
    at org.apache.catalina.core.ContainerBase.invoke(Unknown Source)
    at org.apache.catalina.connector.http.HttpProcessor.process(Unknown Source)
    at org.apache.catalina.connector.http.HttpProcessor.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:484)
2002-02-27 10:16:19 JNDIRealm[Standalone]: Closing directory context
Thank you for helping me. It's very important because it's an important
part of the work that I need to do in my training period.
------------------------------------------------------------------------
Frédéric RINALDI, Frederic.Rinaldi@inrialpes.fr, INRIA, FRANCE
------------------------------------------------------------------------
Re: IMPORTANT - error while using LDAP/JNDI authentication with Tomcat 4.0
Posted by John Holman <j....@qmul.ac.uk>.
Frederic
> # Define an entry to base role searches on
> dn: dc=roles,dc=mycompany,dc=com
> cn: roles
> objectClass: person
> sn: Roles Entry
This entry has the wrong object class - it should be dcObject. Probably it has
not been created in the directory, so the role search is failing with the
"no such object" error you are seeing.
You should have seen an error when you tried to load the LDIF file, by the
way. You can check whether it has been created using
the ldapsearch utility.
John
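The script below is an added example for this thread, not code from Tomcat, OpenLDAP or either poster. It loads LDIF like the one posted into an in-memory tree, applies the checks slapd makes when an entry is added (the ones that would have refused the dc=roles entry and, with it, the two group entries beneath it), and then replays JNDIRealm's roleSearch exactly as the log shows the realm issuing it. Everything in it is constructed for the example: the schema slice is a hand-copied subset of the MUST attributes in core.schema, the sample entries mirror the thread's LDIF with a `dc: mycompany` naming attribute added to the base entry (slapd requires the RDN's value to be present in the entry), the corrected role entry uses dcObject together with organization because dcObject alone is an auxiliary class and current slapd refuses an entry with no structural class, and the two realm dicts are the posted Realm attributes and a corrected copy. The replay also exposes a second cause of the same error 32 that survives the LDIF fix: connectionURL names no base DN, so roleBase="dc=roles" is searched as an absolute DN and has to read dc=roles,dc=mycompany,dc=com.

```python
# Replays Tomcat 4's JNDIRealm role lookup and slapd's add-time schema checks
# against LDIF, offline. Added example, not Tomcat, OpenLDAP or the poster's code.
import re

# MUST attributes hand-copied from core.schema (MAY omitted: no RDN below uses one).
# dcObject is AUXILIARY, the other four are STRUCTURAL.
MUST = {"person": {"cn", "sn"}, "dcobject": {"dc"}, "organization": {"o"},
        "organizationalunit": {"ou"}, "groupofuniquenames": {"cn", "uniquemember"}}
STRUCTURAL = set(MUST) - {"dcobject"}
SUFFIX = "dc=mycompany,dc=com"  # the slapd.conf 'suffix' of the thread


class NoSuchObject(Exception):
    """LDAP result code 32: the search base itself does not exist."""


def norm_dn(dn):  # DN matching ignores case and spaces around commas
    return ",".join(p.strip() for p in dn.split(",")).lower()


def load_ldif(text):
    """Minimal LDIF (no base64, no folded lines) -> {dn: {attr: [values]}}."""
    tree = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                attr, value = (s.strip() for s in line.split(":", 1))
                entry.setdefault(attr.lower(), []).append(value)
        tree[norm_dn(entry.pop("dn")[0])] = entry
    return tree


def lint(tree, suffix=SUFFIX):
    """Why slapadd/ldapadd would refuse entries: parent missing or itself refused,
    no structural class, MUST attribute missing, RDN attribute not allowed/absent."""
    problems, seen = [], set()
    for dn, entry in tree.items():
        before = len(problems)
        classes = [c.lower() for c in entry.get("objectclass", [])]
        must = set().union(*(MUST.get(c, set()) for c in classes))  # = allowed, MAY omitted
        rdn, _, parent = dn.partition(",")
        attr, _, value = rdn.partition("=")
        if dn != norm_dn(suffix) and parent not in seen:
            problems.append(f"{dn}: parent '{parent}' does not exist")
        if not STRUCTURAL & set(classes):
            problems.append(f"{dn}: no structural object class provided")
        for missing in sorted(must - set(entry)):
            problems.append(f"{dn}: required attribute '{missing}' missing")
        if attr not in must:
            problems.append(f"{dn}: naming attribute '{attr}' not allowed by {classes}")
        elif value not in [v.lower() for v in entry.get(attr, [])]:
            problems.append(f"{dn}: value of naming attribute '{attr}' not present")
        if len(problems) == before:  # only accepted entries can be parents
            seen.add(dn)
    return problems


def search(tree, base, filt, subtree):
    """One equality filter, all roleSearch needs; uniqueMember holds DNs, so values
    compare DN-normalized. Tomcat catches this exception; here it propagates."""
    nbase = norm_dn(base)
    if nbase not in tree:
        raise NoSuchObject(f"[LDAP: error code 32 - No Such Object]; remaining name '{base}'")
    attr, want = re.fullmatch(r"\((\w+)=(.*)\)", filt).groups()
    return [e for dn, e in tree.items()
            if (dn.endswith("," + nbase) if subtree else dn.partition(",")[2] == nbase)
            and norm_dn(want) in [norm_dn(v) for v in e.get(attr.lower(), [])]]


def authenticate(tree, realm, username, password):
    """userPattern -> user DN; compare the userPassword attribute the realm reads
    over its Manager bind; then roleSearch with {0} = user DN under roleBase."""
    user_dn = realm["userPattern"].replace("{0}", username)
    entry = tree.get(norm_dn(user_dn))
    if entry is None or password not in entry.get(realm["userPassword"].lower(), []):
        return None
    groups = search(tree, realm["roleBase"],
                    realm["roleSearch"].replace("{0}", user_dn), realm["roleSubtree"])
    return sorted(r for g in groups for r in g.get(realm["roleName"].lower(), []))


# Constructed sample directory mirroring the thread; 'dc: mycompany' is added to
# the base entry because slapd requires the naming attribute's value to be present.
def user(cn):
    return (f"\ndn: cn={cn},{SUFFIX}\ncn: {cn}\nsn: {cn} user\n"
            "userPassword: tomcat\nobjectClass: person\n")


def group(cn, *members):
    return (f"\ndn: cn={cn},dc=roles,{SUFFIX}\ncn: {cn}\nobjectClass: groupOfUniqueNames\n"
            + "".join(f"uniqueMember: cn={m},{SUFFIX}\n" for m in members))


BASE = (f"dn: {SUFFIX}\ndc: mycompany\no: Example Company\n"
        "objectClass: dcObject\nobjectClass: organization\n")
ROLES_AS_POSTED = f"\ndn: dc=roles,{SUFFIX}\ncn: roles\nsn: Roles Entry\nobjectClass: person\n"
ROLES_FIXED = (f"\ndn: dc=roles,{SUFFIX}\ndc: roles\no: Tomcat roles\n"
               "objectClass: dcObject\nobjectClass: organization\n")
USERS_AND_GROUPS = (user("tomcat") + user("role1") + user("both")
                    + group("tomcat", "tomcat", "both") + group("role1", "role1", "both"))

REALM_AS_POSTED = {"roleBase": "dc=roles", "roleName": "cn", "roleSubtree": False,
                   "roleSearch": "(uniqueMember={0})", "userPassword": "userPassword",
                   "userPattern": f"cn={{0}},{SUFFIX}"}
# connectionURL "ldap://localhost" names no base DN, so roleBase is searched as an
# absolute DN and must be spelled out in full: the second cause of error 32 here.
REALM_FIXED = dict(REALM_AS_POSTED, roleBase=f"dc=roles,{SUFFIX}")
```

Import the file and call lint(load_ldif(BASE + ROLES_AS_POSTED + USERS_AND_GROUPS)) to see the three refusals (the dc=roles entry, then both groups for lack of a parent); lint(load_ldif(BASE + ROLES_FIXED + USERS_AND_GROUPS)) is empty, and authenticate(that_tree, REALM_FIXED, "both", "tomcat") returns ['role1', 'tomcat'], while the same call with REALM_AS_POSTED still raises NoSuchObject for 'dc=roles'. Against the live slapd, the check John suggests, phrased as the exact query Tomcat logged, is ldapsearch -x -H ldap://localhost -D cn=Manager,dc=mycompany,dc=com -w secret -b dc=roles,dc=mycompany,dc=com -s one '(uniqueMember=cn=tomcat,dc=mycompany,dc=com)' cn ; result 32 means the base DN is wrong or was never loaded, an empty answer with no error means the base exists and the filter or membership is at fault. One further point on the posted Realm: setting userPassword makes the realm fetch each user's stored password attribute over the Manager bind and compare it inside Tomcat; leaving it unset makes the realm bind to the directory as the user, so the comparison happens in slapd and Tomcat never retrieves stored password values.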