Posted to users@tomcat.apache.org by "Lazarow, Neil" <Ne...@ANICO.COM> on 2015/04/28 15:48:35 UTC

JNDI realm Global Catalog question

I have multiple domain controllers, all of which are set to function as global catalog servers.

Is it possible to put multiple alternateURL entries into your JNDIRealm configuration (see example below)?

Tomcat Version:  6.0.33 on Red Hat Enterprise Linux 5

------------------
<Realm className="org.apache.catalina.realm.JNDIRealm"
                adCompat="true"
                connectionURL="ldaps://ldap1.my.domainname.com:3269"
                alternateURL="ldaps://ldap2.my.domainname.com:3269"
                alternateURL="ldaps://ldap3.my.domainname.com:3269"
                connectionName="user@my.domain.com"
                connectionPassword="password"
                referrals="follow"
                userBase="CN=Users,dc=my,dc=domainname,dc=com"
                userSearch="(sAMAccountName={0})"
                userSubtree="true"
                userRoleName="memberOf"
                roleBase="CN=Users,dc=my,dc=domainname,dc=com"
                roleName="CN"
                roleSearch="(member={0})"
                roleNested="true"
        />

Neil Lazarow
Systems Engineer II
Email:  neil.lazarow@anico.com


________________________________
Confidentiality: This transmission, including any attachments, is solely for the use of the intended recipient(s). This transmission may contain information that is confidential or otherwise protected from disclosure. The use or disclosure of the information contained in this transmission, including any attachments, for any purpose other than that intended by its transmittal is strictly prohibited. Unauthorized interception of this email is a violation of federal criminal law. If you are not an intended recipient of this transmission, please immediately destroy all copies received and notify the sender.

Re: JNDI realm Global Catalog question

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Neil,

On 4/29/15 12:01 PM, Lazarow, Neil wrote:
> -----Original Message-----
> From: Felix Schumacher [mailto:felix.schumacher@internetallee.de]
> Sent: Tuesday, April 28, 2015 10:18 AM
> To: Tomcat Users List
> Subject: Re: JNDI realm Global Catalog question
> 
> 
> 
> Am 28. April 2015 17:11:55 MESZ, schrieb Christopher Schultz
> <ch...@christopherschultz.net>:
>> 
>> Neil,
>> 
>> On 4/28/15 9:48 AM, Lazarow, Neil wrote:
>>> I have multiple domain controllers, all of which are set to
>>> function as global catalog servers.
>>> 
>>> Is it possible to put multiple alternateURL entries into your 
>>> JNDIRealm configuration (see example below)?
>>> 
>>> Tomcat Version:  6.0.33 on Red Hat Enterprise Linux 5
>>> 
>>> ------------------
>>> <Realm className="org.apache.catalina.realm.JNDIRealm"
>>>        adCompat="true"
>>>        connectionURL="ldaps://ldap1.my.domainname.com:3269"
>>>        alternateURL="ldaps://ldap2.my.domainname.com:3269"
>>>        alternateURL="ldaps://ldap3.my.domainname.com:3269"
>>>        connectionName="user@my.domain.com"
>>>        connectionPassword="password"
>>>        referrals="follow"
>>>        userBase="CN=Users,dc=my,dc=domainname,dc=com"
>>>        userSearch="(sAMAccountName={0})"
>>>        userSubtree="true"
>>>        userRoleName="memberOf"
>>>        roleBase="CN=Users,dc=my,dc=domainname,dc=com"
>>>        roleName="CN"
>>>        roleSearch="(member={0})"
>>>        roleNested="true" />
>> 
>> I don't think this is currently supported, but it would be a
>> nice enhancement. Could you make a request in Bugzilla? 
>> http://bz.apache.org/
>> 
>> In the meantime, you might be able to get away with a
>> configuration like this:
>> 
>> <Realm className="org.apache.catalina.realm.CombinedRealm">
>>   <Realm className="org.apache.catalina.realm.JNDIRealm"
>>          connectionURL="ldaps://server-1"
>>          ... />
>>   <Realm className="org.apache.catalina.realm.JNDIRealm"
>>          connectionURL="ldaps://server-2"
>>          ... />
>>   <Realm className="org.apache.catalina.realm.JNDIRealm"
>>          connectionURL="ldaps://server-3"
>>          ... />
>> </Realm>
>> 
> 
> You could even try to set connectionURL to all servers at once
> separated by space. I believe jndi supports this. That would be
> something like
> 
> connectionURL="ldaps://one ldaps://two ldaps://three"
> 
> I haven't tested it, though.
> 
> Regards Felix
> 
>> The timeouts you'll experience to fail-over from one server to
>> the other might not be acceptable for you, though.
>> 
>> -chris
> 
> Tomcat appears to accept the list of connectionURL entries
> separated by spaces.

Great, thanks for testing that. Looks like the documentation could use
a tweak. Care to give us a docs patch and get yourself in the Changelog?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
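A small configuration check, added here as an example (not code from the thread or from Tomcat), covering the two points the thread settles: a second alternateURL attribute is rejected by any conforming XML parser, because XML forbids duplicate attributes on one element, while a whitespace-separated list in connectionURL is accepted. It also flags a cleartext ldap:// URL or a non-TLS Global Catalog port in that list. The hostnames and credentials in the sample fragments are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

JNDI_REALM = "org.apache.catalina.realm.JNDIRealm"
GC_TLS_PORT = 3269   # AD Global Catalog over TLS; 3268 is the cleartext GC port


def lint_jndi_realms(xml_text: str) -> list[str]:
    """Return one finding per problem found in the JNDIRealm elements."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A second alternateURL attribute lands here: XML forbids duplicate
        # attributes, so Tomcat's parser never gets to evaluate the realm.
        return [f"not well-formed XML: {exc}"]
    for realm in root.iter("Realm"):
        if realm.get("className") != JNDI_REALM:
            continue
        # connectionURL may carry several whitespace-separated LDAP URLs
        # (the form the thread reports as accepted); alternateURL holds one.
        urls = realm.get("connectionURL", "").split()
        if realm.get("alternateURL"):
            urls.append(realm.get("alternateURL"))
        if not urls:
            findings.append("JNDIRealm has no connectionURL")
        for url in urls:
            parts = urlsplit(url)
            if parts.scheme == "ldap":
                findings.append(f"{url}: cleartext ldap://, bind password is sent unencrypted")
            elif parts.scheme != "ldaps":
                findings.append(f"{url}: unexpected scheme {parts.scheme!r}")
            if parts.port != GC_TLS_PORT:
                findings.append(f"{url}: port {parts.port} is not the Global Catalog TLS port {GC_TLS_PORT}")
        if realm.get("connectionPassword"):
            findings.append("connectionPassword is stored in cleartext in server.xml; "
                            "restrict file permissions and use a least-privilege bind account")
    return findings


# Constructed sample fragments (placeholder hosts, not the thread's). The first
# mirrors the two-alternateURL attempt, the second the whitespace-separated
# connectionURL that was confirmed to work.
DUPLICATE_ALTERNATE_URL = """<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://gc1.example.test:3269"
       alternateURL="ldaps://gc2.example.test:3269"
       alternateURL="ldaps://gc3.example.test:3269" />"""

SPACE_SEPARATED = """<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://gc1.example.test:3269 ldaps://gc2.example.test:3269 ldap://gc3.example.test:3268"
       connectionName="svc-tomcat@example.test" connectionPassword="hunter2" />"""

if __name__ == "__main__":
    for fragment in (DUPLICATE_ALTERNATE_URL, SPACE_SEPARATED):
        print(lint_jndi_realms(fragment))
```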


RE: JNDI realm Global Catalog question

Posted by "Lazarow, Neil" <Ne...@ANICO.COM>.
-----Original Message-----
From: Felix Schumacher [mailto:felix.schumacher@internetallee.de]
Sent: Tuesday, April 28, 2015 10:18 AM
To: Tomcat Users List
Subject: Re: JNDI realm Global Catalog question



Am 28. April 2015 17:11:55 MESZ, schrieb Christopher Schultz <ch...@christopherschultz.net>:
>
>Neil,
>
>On 4/28/15 9:48 AM, Lazarow, Neil wrote:
>> I have multiple domain controllers, all of which are set to function
>> as global catalog servers.
>>
>> Is it possible to put multiple alternateURL entries into your
>> JNDIRealm configuration (see example below)?
>>
>> Tomcat Version:  6.0.33 on Red Hat Enterprise Linux 5
>>
>> ------------------
>> <Realm className="org.apache.catalina.realm.JNDIRealm"
>>        adCompat="true"
>>        connectionURL="ldaps://ldap1.my.domainname.com:3269"
>>        alternateURL="ldaps://ldap2.my.domainname.com:3269"
>>        alternateURL="ldaps://ldap3.my.domainname.com:3269"
>>        connectionName="user@my.domain.com"
>>        connectionPassword="password"
>>        referrals="follow"
>>        userBase="CN=Users,dc=my,dc=domainname,dc=com"
>>        userSearch="(sAMAccountName={0})"
>>        userSubtree="true"
>>        userRoleName="memberOf"
>>        roleBase="CN=Users,dc=my,dc=domainname,dc=com"
>>        roleName="CN"
>>        roleSearch="(member={0})"
>>        roleNested="true" />
>
>I don't think this is currently supported, but it would be a nice
>enhancement. Could you make a request in Bugzilla?
>http://bz.apache.org/
>
>In the meantime, you might be able to get away with a configuration
>like this:
>
><Realm className="org.apache.catalina.realm.CombinedRealm">
>  <Realm className="org.apache.catalina.realm.JNDIRealm"
>         connectionURL="ldaps://server-1"
>         ... />
>  <Realm className="org.apache.catalina.realm.JNDIRealm"
>         connectionURL="ldaps://server-2"
>         ... />
>  <Realm className="org.apache.catalina.realm.JNDIRealm"
>         connectionURL="ldaps://server-3"
>         ... />
></Realm>
>

You could even try to set connectionURL to all servers at once separated by space. I believe jndi supports this. That would be something like

connectionURL="ldaps://one ldaps://two ldaps://three"

I haven't tested it, though.

Regards
Felix

>The timeouts you'll experience to fail-over from one server to the
>other might not be acceptable for you, though.
>
>-chris

Felix,

  Tomcat appears to accept the list of connectionURL entries separated by spaces.

Neil


Re: JNDI realm Global Catalog question

Posted by Felix Schumacher <fe...@internetallee.de>.

Am 28. April 2015 17:11:55 MESZ, schrieb Christopher Schultz <ch...@christopherschultz.net>:
>
>Neil,
>
>On 4/28/15 9:48 AM, Lazarow, Neil wrote:
>> I have multiple domain controllers, all of which are set to
>> function as global catalog servers.
>> 
>> Is it possible to put multiple alternateURL entries into your
>> JNDIRealm configuration (see example below)?
>> 
>> Tomcat Version:  6.0.33 on Red Hat Enterprise Linux 5
>> 
>> ------------------
>> <Realm className="org.apache.catalina.realm.JNDIRealm"
>>        adCompat="true"
>>        connectionURL="ldaps://ldap1.my.domainname.com:3269"
>>        alternateURL="ldaps://ldap2.my.domainname.com:3269"
>>        alternateURL="ldaps://ldap3.my.domainname.com:3269"
>>        connectionName="user@my.domain.com"
>>        connectionPassword="password"
>>        referrals="follow"
>>        userBase="CN=Users,dc=my,dc=domainname,dc=com"
>>        userSearch="(sAMAccountName={0})"
>>        userSubtree="true"
>>        userRoleName="memberOf"
>>        roleBase="CN=Users,dc=my,dc=domainname,dc=com"
>>        roleName="CN"
>>        roleSearch="(member={0})"
>>        roleNested="true" />
>
>I don't think this is currently supported, but it would be a nice
>enhancement. Could you make a request in Bugzilla?
>http://bz.apache.org/
>
>In the meantime, you might be able to get away with a configuration
>like this:
>
><Realm className="org.apache.catalina.realm.CombinedRealm">
>  <Realm className="org.apache.catalina.realm.JNDIRealm"
>         connectionURL="ldaps://server-1"
>         ... />
>  <Realm className="org.apache.catalina.realm.JNDIRealm"
>         connectionURL="ldaps://server-2"
>         ... />
>  <Realm className="org.apache.catalina.realm.JNDIRealm"
>         connectionURL="ldaps://server-3"
>         ... />
></Realm>
>

You could even try to set connectionURL to all servers at once separated by space. I believe jndi supports this. That would be something like

connectionURL="ldaps://one ldaps://two ldaps://three"

I haven't tested it, though.

Regards
Felix

>The timeouts you'll experience to fail-over from one server to the
>other might not be acceptable for you, though.
>
>-chris




RE: JNDI realm Global Catalog question

Posted by "Lazarow, Neil" <Ne...@ANICO.COM>.
-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: Tuesday, April 28, 2015 10:12 AM
To: Tomcat Users List
Subject: Re: JNDI realm Global Catalog question


Neil,

On 4/28/15 9:48 AM, Lazarow, Neil wrote:
> I have multiple domain controllers, all of which are set to function
> as global catalog servers.
>
> Is it possible to put multiple alternateURL entries into your
> JNDIRealm configuration (see example below)?
>
> Tomcat Version:  6.0.33 on Red Hat Enterprise Linux 5
>
> ------------------
> <Realm className="org.apache.catalina.realm.JNDIRealm"
>        adCompat="true"
>        connectionURL="ldaps://ldap1.my.domainname.com:3269"
>        alternateURL="ldaps://ldap2.my.domainname.com:3269"
>        alternateURL="ldaps://ldap3.my.domainname.com:3269"
>        connectionName="user@my.domain.com"
>        connectionPassword="password"
>        referrals="follow"
>        userBase="CN=Users,dc=my,dc=domainname,dc=com"
>        userSearch="(sAMAccountName={0})"
>        userSubtree="true"
>        userRoleName="memberOf"
>        roleBase="CN=Users,dc=my,dc=domainname,dc=com"
>        roleName="CN"
>        roleSearch="(member={0})"
>        roleNested="true" />

I don't think this is currently supported, but it would be a nice enhancement. Could you make a request in Bugzilla? http://bz.apache.org/

In the meantime, you might be able to get away with a configuration like this:

<Realm className="org.apache.catalina.realm.CombinedRealm">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldaps://server-1"
         ... />
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldaps://server-2"
         ... />
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldaps://server-3"
         ... />
</Realm>

The timeouts you'll experience to fail-over from one server to the other might not be acceptable for you, though.

-chris

---------------

Chris,

This is what I suspected. I looked through a bunch of documentation before sending this question out, and found nothing. Thanks for your answer.

Neil




Re: JNDI realm Global Catalog question

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Neil,

On 4/28/15 9:48 AM, Lazarow, Neil wrote:
> I have multiple domain controllers, all of which are set to
> function as global catalog servers.
> 
> Is it possible to put multiple alternateURL entries into your
> JNDIRealm configuration (see example below)?
> 
> Tomcat Version:  6.0.33 on Red Hat Enterprise Linux 5
> 
> ------------------
> <Realm className="org.apache.catalina.realm.JNDIRealm"
>        adCompat="true"
>        connectionURL="ldaps://ldap1.my.domainname.com:3269"
>        alternateURL="ldaps://ldap2.my.domainname.com:3269"
>        alternateURL="ldaps://ldap3.my.domainname.com:3269"
>        connectionName="user@my.domain.com"
>        connectionPassword="password"
>        referrals="follow"
>        userBase="CN=Users,dc=my,dc=domainname,dc=com"
>        userSearch="(sAMAccountName={0})"
>        userSubtree="true"
>        userRoleName="memberOf"
>        roleBase="CN=Users,dc=my,dc=domainname,dc=com"
>        roleName="CN"
>        roleSearch="(member={0})"
>        roleNested="true" />

I don't think this is currently supported, but it would be a nice
enhancement. Could you make a request in Bugzilla? http://bz.apache.org/

In the meantime, you might be able to get away with a configuration
like this:

<Realm className="org.apache.catalina.realm.CombinedRealm">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldaps://server-1"
         ... />
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldaps://server-2"
         ... />
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldaps://server-3"
         ... />
</Realm>

The timeouts you'll experience to fail-over from one server to the
other might not be acceptable for you, though.

-chris
