Posted to users@tomcat.apache.org by Josh Fenlason <jf...@ptc.com> on 2002/06/12 20:18:50 UTC

JNDIRealm authentication

I'm trying to do LDAP authentication with Tomcat 4.1.3.  I've read through
the how to docs on Tomcat's site,
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html#JNDIRealm,
and tried to follow the example.  My site loads fine, but I never get an
authentication prompt when I enter my site.  If anyone could see anything
wrong with my <Realm/> or has any ideas of where else I should need to
change things, I would greatly appreciate it.  Thanks.
,
Josh.

Here's what I entered for the Realm element in
<tomcat4.1.3_home>/conf/server.xml

<Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionName="ou=People,ou=jfenlason_r62DC,ou=jfenlason,l=Arden Hills,o=Bethel"
    connectionPassword="secret"
    connectionURL="ldap://corvette.mn.ptc.com:389"
    roleName="oid"
    roleSearch="(uniqueMember={0})"
    userPassword="userPassword"
    userPattern="oid={0},ou=People,ou=jfenlason_r62DC,ou=jfenlason,l=Arden Hills,o=Bethel"
    debug="99"/>

Here's the AuthLDAPURL that works with Apache1 doing the authentication
ldap://corvette.mn.ptc.com:389/ou=People,ou=jfenlason_r62DC,ou=jfenlason,l=Arden Hills,o=Bethel"


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


RE: JNDIRealm authentication

Posted by Ryan <ni...@yahoo.com>.
Josh,
It depends on your LDAP server, if you are running
openldap, look at your slapd.conf file and you should
see a rootpw entry, which is what you should use for
your connectionPassword.
Ryan

--- Josh Fenlason <jf...@ptc.com> wrote:
> Does anyone know what the value of connectionPassword, in <Realm/>, should
> be?  I tried it with a value of "secret", but I get an error when Tomcat
> starts:
>   javax.naming.AuthenticationException: [LDAP: error code 48 - Inappropriate Authentication]


RE: JNDIRealm authentication

Posted by Josh Fenlason <jf...@ptc.com>.
Does anyone know what the value of connectionPassword, in <Realm/>, should
be?  I tried it with a value of "secret", but I get an error when Tomcat
starts:
  javax.naming.AuthenticationException: [LDAP: error code 48 - Inappropriate Authentication]



Re: JNDIRealm authentication

Posted by Jonathan Eric Miller <je...@uchicago.edu>.
Oh yeah, one other thing. I haven't tested this with Apache HTTP Server. I'm
just using Tomcat in standalone mode. I think it may work the same way if
you're using mod_webapp, but, you might want to test it in standalone mode
first to rule out any kind of problems that might be introduced if you're
using Apache HTTP Server on the front end.

Jon

----- Original Message -----
From: "Jonathan Eric Miller" <je...@uchicago.edu>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Wednesday, June 12, 2002 2:20 PM
Subject: Re: JNDIRealm authentication


> Josh,
>
> You also need to put something similar to the following in your web.xml
> file. i.e. the stuff you put in server.xml, just tells Tomcat where to
> authenticate. The stuff in web.xml, tells Tomcat what resources are
> protected and what roles are required in order to access a particular
> resource. I have this in my conf/web.xml and as far as I can tell, it makes
> it so that it prompts for a password for any resource that is located on the
> server. If it's just a servlet that you are protecting, I think you should
> be able to put this in the web.xml file for that context. The Servlet 2.3
> spec defines the format of the web.xml file. You can find it at
> http://java.sun.com under the Servlets section.
>
> <security-constraint>
>  <web-resource-collection>
>   <web-resource-name>myresource</web-resource-name>
>   <url-pattern>/*</url-pattern>
>  </web-resource-collection>
>  <auth-constraint>
>   <role-name>myrole</role-name>
>  </auth-constraint>
> </security-constraint>
> <login-config>
>  <auth-method>BASIC</auth-method>
>  <realm-name>myrealm</realm-name>
> </login-config>
>
> Jon


RE: JNDIRealm authentication

Posted by Josh Fenlason <jf...@ptc.com>.
Where does the value of <role-name> come from?  Thanks for all your help.
,
Josh.

-----Original Message-----
From: Jonathan Eric Miller [mailto:jemiller@uchicago.edu]
Sent: Wednesday, June 12, 2002 2:21 PM
To: Tomcat Users List
Subject: Re: JNDIRealm authentication


Josh,

You also need to put something similar to the following in your web.xml
file. i.e. the stuff you put in server.xml, just tells Tomcat where to
authenticate. The stuff in web.xml, tells Tomcat what resources are
protected and what roles are required in order to access a particular
resource. I have this in my conf/web.xml and as far as I can tell, it makes
it so that it prompts for a password for any resource that is located on the
server. If it's just a servlet that you are protecting, I think you should
be able to put this in the web.xml file for that context. The Servlet 2.3
spec defines the format of the web.xml file. You can find it at
http://java.sun.com under the Servlets section.

<security-constraint>
 <web-resource-collection>
  <web-resource-name>myresource</web-resource-name>
  <url-pattern>/*</url-pattern>
 </web-resource-collection>
 <auth-constraint>
  <role-name>myrole</role-name>
 </auth-constraint>
</security-constraint>
<login-config>
 <auth-method>BASIC</auth-method>
 <realm-name>myrealm</realm-name>
</login-config>

Jon



Re: JNDIRealm authentication

Posted by Jonathan Eric Miller <je...@uchicago.edu>.
The value that you have connectionName set to looks invalid. It looks like
you have it set to the name of a container rather than to the dn of the
admin account that is used to bind to the directory for querying for user
passwords and role information.

Jon

----- Original Message -----
From: "Josh Fenlason" <jf...@ptc.com>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Wednesday, June 12, 2002 4:10 PM
Subject: RE: JNDIRealm authentication


> Thanks for the pointer.  It's prompting me for authentication now.  My
> <Realm> isn't right though.
> Using the Realm element below I get the following exception.  If anyone has
> any ideas of what I'm doing wrong, I would appreciate your advice.  Thanks.
> ,
> Josh.
>
> <Realm className="org.apache.catalina.realm.JNDIRealm"
>     connectionName="ou=People,ou=jfenlason_r62DC,ou=jfenlason,l=Arden Hills,o=PTC"
>     connectionPassword="secret"
>     connectionURL="ldap://camaro.mn.ptc.com:389"
>     roleName="uid"
>     roleSearch="(uniqueMember={0})"
>     userPassword="userPassword"
>     userPattern="uid={0},ou=People,ou=jfenlason_r62DC,ou=jfenlason,l=Arden Hills,o=PTC"
>     debug="99"/>
>
> Here's the AuthLDAPURL that works with Apache1 doing the authentication
> ldap://corvette.mn.ptc.com:389/ou=People,ou=jfenlason_r62DC,ou=jfenlason,l=Arden Hills,o=Bethel
>
>
> Catalina.start: LifecycleException:  Exception opening directory server connection:  javax.naming.AuthenticationException: [LDAP: error code 48 - Inappropriate Authentication]
> LifecycleException:  Exception opening directory server connection:  javax.naming.AuthenticationException: [LDAP: error code 48 - Inappropriate Authentication]
>         at org.apache.catalina.realm.JNDIRealm.start(JNDIRealm.java:834)
>         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1108)
>         at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:343)
>         at org.apache.catalina.core.StandardService.start(StandardService.java:388)
>         at org.apache.catalina.core.StandardServer.start(StandardServer.java:506)
>         at org.apache.catalina.startup.Catalina.start(Catalina.java:781)
>         at org.apache.catalina.startup.Catalina.execute(Catalina.java:681)
>         at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
>         at java.lang.reflect.Method.invoke(Native Method)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:243)


RE: JNDIRealm authentication

Posted by Josh Fenlason <jf...@ptc.com>.
Thanks for the pointer.  It's prompting me for authentication now.  My
<Realm> isn't right though.
Using the Realm element below I get the following exception.  If anyone has
any ideas of what I'm doing wrong, I would appreciate your advice.  Thanks.
,
Josh.

<Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionName="ou=People,ou=jfenlason_r62DC,ou=jfenlason,l=Arden Hills,o=PTC"
    connectionPassword="secret"
    connectionURL="ldap://camaro.mn.ptc.com:389"
    roleName="uid"
    roleSearch="(uniqueMember={0})"
    userPassword="userPassword"
    userPattern="uid={0},ou=People,ou=jfenlason_r62DC,ou=jfenlason,l=Arden Hills,o=PTC"
    debug="99"/>

Here's the AuthLDAPURL that works with Apache1 doing the authentication
ldap://corvette.mn.ptc.com:389/ou=People,ou=jfenlason_r62DC,ou=jfenlason,l=Arden Hills,o=Bethel


Catalina.start: LifecycleException:  Exception opening directory server connection:  javax.naming.AuthenticationException: [LDAP: error code 48 - Inappropriate Authentication]
LifecycleException:  Exception opening directory server connection:  javax.naming.AuthenticationException: [LDAP: error code 48 - Inappropriate Authentication]
        at org.apache.catalina.realm.JNDIRealm.start(JNDIRealm.java:834)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1108)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:343)
        at org.apache.catalina.core.StandardService.start(StandardService.java:388)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:506)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:781)
        at org.apache.catalina.startup.Catalina.execute(Catalina.java:681)
        at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
        at java.lang.reflect.Method.invoke(Native Method)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:243)




Re: JNDIRealm authentication

Posted by Jonathan Eric Miller <je...@uchicago.edu>.
Josh,

You also need to put something similar to the following in your web.xml
file. i.e. the stuff you put in server.xml, just tells Tomcat where to
authenticate. The stuff in web.xml, tells Tomcat what resources are
protected and what roles are required in order to access a particular
resource. I have this in my conf/web.xml and as far as I can tell, it makes
it so that it prompts for a password for any resource that is located on the
server. If it's just a servlet that you are protecting, I think you should
be able to put this in the web.xml file for that context. The Servlet 2.3
spec defines the format of the web.xml file. You can find it at
http://java.sun.com under the Servlets section.

<security-constraint>
 <web-resource-collection>
  <web-resource-name>myresource</web-resource-name>
  <url-pattern>/*</url-pattern>
 </web-resource-collection>
 <auth-constraint>
  <role-name>myrole</role-name>
 </auth-constraint>
</security-constraint>
<login-config>
 <auth-method>BASIC</auth-method>
 <realm-name>myrealm</realm-name>
</login-config>

Jon

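
The two points raised in this thread (the web.xml constraint that makes Tomcat prompt at all, and a connectionName that names a container instead of an account) can be checked offline before restarting Tomcat. The script below is an added example, not code from the thread or from Tomcat; the finding codes, the container-RDN heuristic and the sample DNs (o=Example, cn=tomcat-bind) are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Heuristic (assumption): these RDN types usually name containers, not accounts.
CONTAINER_RDN_TYPES = {"ou", "o", "l", "dc", "c"}


def rdns(dn):
    """Lower-cased RDNs of a DN, split on commas that are not backslash-escaped."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]


def check_realm(realm_xml):
    """Return finding codes for a JNDIRealm <Realm .../> element."""
    realm = ET.fromstring(realm_xml)
    findings = []
    bind_dn = rdns(realm.get("connectionName", ""))
    pattern = realm.get("userPattern", "")
    # The bind DN has to name an entry that can authenticate, not a branch.
    if bind_dn and bind_dn[0].split("=", 1)[0].strip() in CONTAINER_RDN_TYPES:
        findings.append("connectionName-starts-with-container-rdn")
    if pattern and "{0}" not in pattern:
        findings.append("userPattern-missing-{0}")
    # Strongest signal: the bind DN is exactly the branch the users live in.
    elif pattern and bind_dn and rdns(pattern)[1:] == bind_dn:
        findings.append("connectionName-equals-user-container")
    return findings


def check_web_xml(web_xml):
    """Return finding codes for web.xml; with either present, no login prompt."""
    root = ET.fromstring(web_xml)
    findings = []
    if not root.findall("security-constraint/auth-constraint/role-name"):
        findings.append("no-auth-constraint-role")
    if root.find("login-config/auth-method") is None:
        findings.append("no-login-config")
    return findings


# Constructed samples (not the poster's directory), same shape as the thread.
BROKEN_REALM = """<Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionName="ou=People,o=Example"
    connectionPassword="placeholder"
    connectionURL="ldap://ldap.example.invalid:389"
    userPattern="uid={0},ou=People,o=Example"/>"""
FIXED_REALM = BROKEN_REALM.replace(
    'connectionName="ou=People,o=Example"',
    'connectionName="cn=tomcat-bind,ou=Services,o=Example"')  # hypothetical DN
WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>myresource</web-resource-name>
   <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>myrole</role-name></auth-constraint>
 </security-constraint>
 <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

if __name__ == "__main__":
    print(check_realm(BROKEN_REALM), check_realm(FIXED_REALM))
    print(check_web_xml("<web-app/>"), check_web_xml(WEB_XML))
```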