Posted to users@tomcat.apache.org by dahoffer <dh...@gmail.com> on 2009/05/21 20:43:44 UTC
Re: questions about JNDIRealm and Active Directory
Did you get this working? I too have the same need.
BTW, how do you get the error in the output? I don't see any console or log
errors, just a failure to log in in the browser.
-Dave
maffittd wrote:
>
> I've been reading the tomcat 5.5 doc and searching MARC but still have
> questions about making this work. This seems to come up frequently but I
> have not been able to puzzle out a solution. Has anyone actually gotten
> tomcat to authenticate with Active Directory (AD)? I'm worried that the
> configuration options available in the JNDIRealm are insufficient for AD.
>
> The goal is to allow access to users who are a member of the ccir_user
> group in AD. The error I get (included below) indicates to me that the
> realm never connects to AD. Is it trying to connect anonymously? Is it
> trying to connect with juser3's principal name? distinguished name? I can
> connect to AD using JXplorer and juser3's principal name and password.
> How should I configure JNDIRealm for this situation?
>
> That's a lot of questions but having a thread that answered a complete
> example would help a lot more people than just me.
>
> Thanks for your help. It is appreciated!
>
> -Dave
>
>
> Here is the relevant portion of the web.xml:
>
> <security-role>
>   <role-name>ccir_user</role-name>
> </security-role>
>
> <security-constraint>
>   <display-name>Security Constraint</display-name>
>   <web-resource-collection>
>     <web-resource-name>Protected Area</web-resource-name>
>     <!-- Define the context-relative URL(s) to be protected -->
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <!-- Anyone with one of the listed roles may access this area -->
>     <role-name>ccir_user</role-name>
>   </auth-constraint>
> </security-constraint>
>
> <!--
> <login-config>
>   <auth-method>BASIC</auth-method>
> </login-config>
> -->
>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <realm-name>CCIR Portal</realm-name>
>   <form-login-config>
>     <form-login-page>/login.jsp</form-login-page>
>     <form-error-page>/loginError.jsp</form-error-page>
>   </form-login-config>
> </login-config>
>
> http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html indicates that
> setting connectionName and connectionPassword causes tomcat to use
> "comparison mode" which makes the realm retrieve the password from the
> directory. From what I can tell, Active Directory does not allow the
> retrieval of its password field, so this option is not available to me.
>
> I'm attempting to configure the realm like this:
>
> <Realm className="org.apache.catalina.realm.JNDIRealm"
>        debug="99"
>        connectionURL="ldap://10.252.181.50:389"
>        userPattern="sAMAccountName={0},ou=Users,ou=CCIR,dc=red,dc=ccirdev,dc=mir"
>        roleBase="ou=Groups,ou=CCIR,dc=red,dc=ccirdev,dc=mir"
>        roleName="cn"
>        roleSearch="member={0}"
> />
>
> I'm confident that connectionURL, userPattern, and roleBase are reasonable
> for my setup. I'm not at all sure about roleName and roleSearch.
>
> I attempt to log in as juser3. I can connect to AD using JXplorer and the
> principal name juser3@red.ccirdev.mir and the password. Here is the
> corresponding object in AD as displayed by JXplorer:
>
> cn Jeff User3
> instanceType 4
> nTSecurityDescriptor
> objectCategory CN=Person,CN=Schema,CN=Configuration,DC=ccirdev,DC=mir
> objectClass top
> objectClass person
> objectClass organizationalPerson
> objectClass user
> accountExpires 9223372036854775807
> badPasswordTime 128473940593781285
> badPwdCount 0
> codePage 0
> company MIR
> countryCode 0
> department CCIR
> displayName Jeff User3
> distinguishedName CN=Jeff User3,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
> givenName Jeff
> lastLogoff 0
> lastLogon 128474750558020052
> lastLogonTimestamp 128467468249071167
> logonCount 376
> mail juser3@ccir.wustl.edu
> memberOf CN=ccir_user,OU=Groups,OU=CCIR,DC=red,DC=ccirdev,DC=mir
> name Jeff User3
> objectGUID (non string data)
> objectSid (non string data)
> primaryGroupID 513
> pwdLastSet 128421461731492461
> sAMAccountName juser3
> sAMAccountType 805306368
> sn User3
> telephoneNumber 314-555-1212
> userAccountControl 66048
> userPrincipalName juser3@red.ccirdev.mir
> uSNChanged 90445
> uSNCreated 51333
> whenChanged 20080213154204.0Z
> whenCreated 20071214224933.0Z
>
> Here is the AD object corresponding to the ccir_user group:
>
> groupType -2147483646
> instanceType 4
> nTSecurityDescriptor
> objectCategory CN=Group,CN=Schema,CN=Configuration,DC=ccirdev,DC=mir
> objectClass top
> objectClass group
> cn ccir_user
> distinguishedName CN=ccir_user,OU=Groups,OU=CCIR,DC=red,DC=ccirdev,DC=mir
> member CN=David Maffitt,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
> member CN=Jane User2,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
> member CN=Jeff User3,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
> member CN=Joe Dev,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
> member CN=Joe Exec,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
> member CN=Joe Ops,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
> member CN=Joe Tech,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
> member CN=Joe User1,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
> name ccir_user
> objectGUID (non string data)
> objectSid (non string data)
> sAMAccountName ccir_user
> sAMAccountType 268435456
> uSNChanged 88966
> uSNCreated 51096
> whenChanged 20080212185444.0Z
> whenCreated 20071214211953.0Z
>
>
> Here is the error in catalina.out:
>
> Feb 14, 2008 3:39:20 PM org.apache.catalina.realm.JNDIRealm authenticate
> SEVERE: Exception performing authentication
> javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr:
> DSID-0C090627, comment: In order to perform this operation a successful
> bind must be completed on the connection., data 0, vece^@]; remaining name
> 'sAMAccountName=juser3,ou=Users,ou=CCIR,dc=red,dc=ccirdev,dc=mir'
>         at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3025)
>         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
>         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2737)
>         at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1291)
>         at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:213)
>         at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:121)
>         at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:109)
>         at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:123)
>         at org.apache.catalina.realm.JNDIRealm.getUserByPattern(JNDIRealm.java:993)
>         at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:957)
>         at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:883)
>         at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:809)
>         at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:258)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:417)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
>         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
>         at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
>         at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
>         at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
>         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
>         at java.lang.Thread.run(Thread.java:595)
--
View this message in context: http://www.nabble.com/questions-about-JNDIRealm-and-Active-Directory-tp15491143p23658417.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
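The realm configuration, the user entry and the stack trace quoted above together explain the "bind must be completed" error, and they show two more things worth fixing. This added example, which is not from the thread or from Tomcat, lints the quoted <Realm> element offline: it flags the cleartext ldap:// URL (a simple bind sends the user's password unencrypted), the missing connectionName (the trace shows the realm reading the user entry before any bind, which AD refuses), the debug setting, and a userPattern whose RDN attribute (sAMAccountName) differs from the RDN attribute of the user's real DN (CN). The hardened variant, its service-account DN and its password are constructed placeholders, not values from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed inputs: the <Realm> element and three attributes of the user entry, as quoted in the thread.
REALM_XML = """<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
  connectionURL="ldap://10.252.181.50:389" roleBase="ou=Groups,ou=CCIR,dc=red,dc=ccirdev,dc=mir"
  userPattern="sAMAccountName={0},ou=Users,ou=CCIR,dc=red,dc=ccirdev,dc=mir" roleName="cn" roleSearch="member={0}" />"""
USER_ENTRY = """distinguishedName CN=Jeff User3,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
sAMAccountName juser3
userPrincipalName juser3@red.ccirdev.mir"""
# Constructed hardened variant: LDAPS, a hypothetical service account for the lookup, and a user search
# instead of a DN pattern. The service-account DN and password are placeholders, not values from the thread.
HARDENED_XML = """<Realm className="org.apache.catalina.realm.JNDIRealm" connectionURL="ldaps://10.252.181.50:636"
  connectionName="CN=svc-tomcat,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir" connectionPassword="REPLACE-ME"
  userBase="OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir" userSearch="(sAMAccountName={0})"
  roleBase="ou=Groups,ou=CCIR,dc=red,dc=ccirdev,dc=mir" roleName="cn" roleSearch="member={0}" />"""

def parse_entry(text):
    # 'name value' attribute listing (JXplorer style) -> dict of single-valued attributes
    entry = {}
    for line in text.splitlines():
        name, _, value = line.strip().partition(" ")
        entry[name] = value
    return entry

def rdn_attribute(dn):
    # attribute type of the leftmost RDN, lower-cased: 'cn' for 'CN=Jeff User3,OU=...'
    return dn.split(",", 1)[0].split("=", 1)[0].strip().lower()

def check_realm(realm_xml, entry_text):
    # return finding codes for a JNDIRealm element, checked against the real user entry
    realm = ET.fromstring(realm_xml)
    entry = parse_entry(entry_text)
    findings = []
    if realm.get("connectionURL", "").startswith("ldap://"):
        findings.append("plaintext-ldap")     # simple bind sends the user's password unencrypted
    if not realm.get("connectionName"):
        findings.append("anonymous-lookup")   # entry is read before any bind; AD refuses that
    if realm.get("debug", "0") != "0":
        findings.append("debug-logging")      # verbose realm logging left on
    pattern = realm.get("userPattern")
    if pattern and "," in pattern:
        expected = rdn_attribute(entry["distinguishedName"])
        actual = rdn_attribute(pattern)
        if actual != expected:                # DN built from the pattern names no real entry
            findings.append(f"userPattern-rdn-mismatch:{actual}!={expected}")
    return findings

if __name__ == "__main__":
    print(check_realm(REALM_XML, USER_ENTRY))     # the thread's config: four findings
    print(check_realm(HARDENED_XML, USER_ENTRY))  # hardened variant: []
```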
Re: questions about JNDIRealm and Active Directory
Posted by dahoffer <dh...@gmail.com>.
Thanks that did the trick!
-Dave
Eric Lenio-2 wrote:
>
> On Thu, May 21, 2009 at 11:43:44AM -0700, dahoffer wrote:
>>
>> Did you get this working? I too have the same need.
>>
>
> I'm a bit late to this thread but I can attest it does work, although I am
> using Tomcat 6. You may want to refer to this (apologies if it was already
> shared):
>
> http://www.jspwiki.org/wiki/ActiveDirectoryIntegration
>
--
View this message in context: http://www.nabble.com/questions-about-JNDIRealm-and-Active-Directory-tp15491143p23660407.html
Re: questions about JNDIRealm and Active Directory
Posted by Eric Lenio <er...@lenio.net>.
On Thu, May 21, 2009 at 11:43:44AM -0700, dahoffer wrote:
>
> Did you get this working? I too have the same need.
>
I'm a bit late to this thread but I can attest it does work, although I am
using Tomcat 6. You may want to refer to this (apologies if it was already
shared):
http://www.jspwiki.org/wiki/ActiveDirectoryIntegration