tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From John Holman <j.g.hol...@qmul.ac.uk>
Subject Re: IMPORTANT - error while using LDAP/JDNI authentication with tomcat 4.0
Date Fri, 01 Mar 2002 09:32:41 GMT
Frederic

>    # Define an entry to base role searches on
>    dn: dc=roles,dc=mycompany,dc=com
>    cn: roles
>    objectClass: person
>    sn: Roles Entry

This entry has the wrong object class - should be dcObject. Probably it has 
not been created in the directory, so the role search is failing with the 
"no such object error" you are seeing.

You should have seen an error when you tried to load the LDIF file, by the 
way. You can check whether it has been created using
the ldapsearch utility.

John



At 09:29 27/02/02, Fredrick Rinald wrote
>Hello,
>
>Please help me.
>I'm a french student and I need to implement LDAP authentication with 
>tomcat 4 for my project. The user authentication is correct but the 
>authorization failed because of the role search. Tomcat is unable to get 
>the corresponding role in my ldap directory.
>
>Here's my LDAP directory definition (I use openldap):
>
>    include        /usr/local/etc/openldap/schema/core.schema
>    pidfile        /usr/local/var/slapd.pid
>    argsfile    /usr/local/var/slapd.args
>    database ldbm
>    suffix dc="mycompany",dc="com"
>    rootdn "cn=Manager,dc=mycompany,dc=com"
>    directory /usr/local/var/openldap-ldbm
>    rootpw secret
>    index    objectClass    eq
>
>
>Here's my LDAP directory (LDIF file):
>
>    dn : dc=mycompany,dc=com
>    objectclass: dcObject
>    objectclass: organization
>    o: Example Company
>
>    # Define a user named 'tomcat'
>    dn: cn=tomcat,dc=mycompany,dc=com
>    cn: tomcat
>    userPassword: tomcat
>    sn: Tomcat User
>    objectClass: person
>
>    # Define a user named 'role1'
>    dn: cn=role1,dc=mycompany,dc=com
>    cn: role1
>    userPassword: tomcat
>    sn: Role1 User
>    objectClass: person
>
>    # Define a user named 'both'
>    dn: cn=both,dc=mycompany,dc=com
>    cn: both
>    userPassword: tomcat
>    sn: Both User
>    objectClass: person
>
>    # Define an entry to base role searches on
>    dn: dc=roles,dc=mycompany,dc=com
>    cn: roles
>    objectClass: person
>    sn: Roles Entry
>
>    # Define all members of the 'tomcat' role
>    dn: cn=tomcat,dc=roles,dc=mycompany,dc=com
>    cn: tomcat
>    objectClass: groupOfUniqueNames
>    uniqueMember: cn=tomcat,dc=mycompany,dc=com
>    uniqueMember: cn=both,dc=mycompany,dc=com
>
>    # Define all members of the 'role1' role
>    dn: cn=role1,dc=roles,dc=mycompany,dc=com
>    cn: role1
>    objectClass: groupOfUniqueNames
>    uniqueMember: cn=role1,dc=mycompany,dc=com
>    uniqueMember: cn=both,dc=mycompany,dc=com
>
>
>Here's my Tomcat 4 REALM declaration :
>
>
>        <Realm   className="org.apache.catalina.realm.JNDIRealm" debug="99"
>            connectionName="cn=Manager,dc=mycompany,dc=com"
>            connectionPassword="secret"
>            connectionURL="ldap://localhost"
>            roleBase="dc=roles"
>            roleName="cn"
>            roleSearch="(uniqueMember={0})"
>            roleSubtree="false"
>            userPassword="userPassword"
>            userPattern="cn={0},dc=mycompany,dc=com"
>        />
>
>Here's my catalina_log.2002-02-27.txt file :
>
>
>    2002-02-27 10:15:46 HttpConnector Opening server socket on all host
>    IP addresses
>    2002-02-27 10:15:46 JNDIRealm[Standalone]: Connecting to URL
>    ldap://localhost
>    2002-02-27 10:15:59 HttpConnector[8080] Starting background thread
>    2002-02-27 10:15:59 HttpProcessor[8080][1] Starting background thread
>    2002-02-27 10:15:59 HttpProcessor[8080][0] Starting background thread
>    2002-02-27 10:15:59 HttpProcessor[8080][2] Starting background thread
>    2002-02-27 10:15:59 HttpProcessor[8080][3] Starting background thread
>    2002-02-27 10:15:59 HttpProcessor[8080][4] Starting background thread
>    2002-02-27 10:16:19 JNDIRealm[Standalone]: getUserDN(tomcat)
>    2002-02-27 10:16:19 JNDIRealm[Standalone]:
>    dn=cn=tomcat,dc=mycompany,dc=com
>    2002-02-27 10:16:19 JNDIRealm[Standalone]:   retrieving attribute
>    userPassword
>    2002-02-27 10:16:19 JNDIRealm[Standalone]:   retrieving value
>    2002-02-27 10:16:19 JNDIRealm[Standalone]:   validating credentials
>    2002-02-27 10:16:19 JNDIRealm[Standalone]: Username tomcat
>    successfully authenticated
>    2002-02-27 10:16:19 JNDIRealm[Standalone]:
>    getRoles(cn=tomcat,dc=mycompany,dc=com)
>    2002-02-27 10:16:19 JNDIRealm[Standalone]:   Searching role base
>    'dc=roles' for attribute 'cn'
>    2002-02-27 10:16:19 JNDIRealm[Standalone]:   With filter expression
>    '(uniqueMember=cn=tomcat,dc=mycompany,dc=com)'
>    2002-02-27 10:16:19 JNDIRealm[Standalone]: Exception performing
>    authentication
>    javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such
>    Object]; remaining name 'dc=roles'
>        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2761)
>        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2682)
>        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2488)
>        at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1660)
>        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1583)
>        at
> 
>com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:371)
>        at
> 
>com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:331)
>        at
> 
>com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:316)
>        at
> 
>javax.naming.directory.InitialDirContext.search(InitialDirContext.java:241)
>        at org.apache.catalina.realm.JNDIRealm.getRoles(Unknown Source)
>        at org.apache.catalina.realm.JNDIRealm.authenticate(Unknown Source)
>        at org.apache.catalina.realm.JNDIRealm.authenticate(Unknown Source)
>        at
>    org.apache.catalina.authenticator.FormAuthenticator.authenticate(Unknown
>    Source)
>        at
>    org.apache.catalina.authenticator.AuthenticatorBase.invoke(Unknown
>    Source)
>        at org.apache.catalina.core.StandardPipeline.invokeNext(Unknown
>    Source)
>        at org.apache.catalina.core.StandardPipeline.invoke(Unknown Source)
>        at org.apache.catalina.core.ContainerBase.invoke(Unknown Source)
>        at org.apache.catalina.core.StandardContext.invoke(Unknown Source)
>        at org.apache.catalina.core.StandardHostValve.invoke(Unknown Source)
>        at org.apache.catalina.core.StandardPipeline.invokeNext(Unknown
>    Source)
>        at org.apache.catalina.valves.AccessLogValve.invoke(Unknown Source)
>        at org.apache.catalina.core.StandardPipeline.invokeNext(Unknown
>    Source)
>        at org.apache.catalina.core.StandardPipeline.invoke(Unknown Source)
>        at org.apache.catalina.core.ContainerBase.invoke(Unknown Source)
>        at org.apache.catalina.core.StandardEngineValve.invoke(Unknown
>    Source)
>        at org.apache.catalina.core.StandardPipeline.invokeNext(Unknown
>    Source)
>        at org.apache.catalina.core.StandardPipeline.invoke(Unknown Source)
>        at org.apache.catalina.core.ContainerBase.invoke(Unknown Source)
>        at
>    org.apache.catalina.connector.http.HttpProcessor.process(Unknown Source)
>        at org.apache.catalina.connector.http.HttpProcessor.run(Unknown
>    Source)
>        at java.lang.Thread.run(Thread.java:484)
>
>    2002-02-27 10:16:19 JNDIRealm[Standalone]: Closing directory context
>
>Thank you for helping me. It's very important because it's an important 
>part of the work that I need to do in my training period.
>------------------------------------------------------------------------
>Frédéric RINALDI, Frederic.Rinaldi@inrialpes.fr,  INRIA, FRANCE
>------------------------------------------------------------------------
>



--
To unsubscribe:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands: <mailto:tomcat-user-help@jakarta.apache.org>
Troubles with the list: <mailto:tomcat-user-owner@jakarta.apache.org>


Mime
View raw message