Subject: Re: IMPORTANT - error while using LDAP/JDNI authentication with tomcat 4.0
From: John Holman
To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
Date: Fri, 01 Mar 2002 09:32:41 +0000
Message-Id: <5.1.0.14.0.20020301092422.050b8ec0@imap.qmul.ac.uk>
In-Reply-To: <3C7CA6DE.1070203@inrialpes.fr>

Frederic

> # Define an entry to base role searches on
> dn: dc=roles,dc=mycompany,dc=com
> cn: roles
> objectClass: person
> sn: Roles Entry

This entry has the wrong object class - it should be dcObject. Probably it has
not been created in the directory, so the role search is failing with the
"no such object" error you are seeing.

You should have seen an error when you tried to load the LDIF file, by the
way. You can check whether it has been created using the ldapsearch utility.

John

At 09:29 27/02/02, Fredrick Rinald wrote
> Hello,
>
> Please help me.
> I'm a French student and I need to implement LDAP authentication with
> Tomcat 4 for my project. The user authentication is correct but the
> authorization failed because of the role search. Tomcat is unable to get
> the corresponding role in my LDAP directory.
>
> Here's my LDAP directory definition (I use OpenLDAP):
>
>     include         /usr/local/etc/openldap/schema/core.schema
>     pidfile         /usr/local/var/slapd.pid
>     argsfile        /usr/local/var/slapd.args
>     database        ldbm
>     suffix          dc="mycompany",dc="com"
>     rootdn          "cn=Manager,dc=mycompany,dc=com"
>     directory       /usr/local/var/openldap-ldbm
>     rootpw          secret
>     index           objectClass eq
>
> Here's my LDAP directory (LDIF file):
>
>     dn: dc=mycompany,dc=com
>     objectclass: dcObject
>     objectclass: organization
>     o: Example Company
>
>     # Define a user named 'tomcat'
>     dn: cn=tomcat,dc=mycompany,dc=com
>     cn: tomcat
>     userPassword: tomcat
>     sn: Tomcat User
>     objectClass: person
>
>     # Define a user named 'role1'
>     dn: cn=role1,dc=mycompany,dc=com
>     cn: role1
>     userPassword: tomcat
>     sn: Role1 User
>     objectClass: person
>
>     # Define a user named 'both'
>     dn: cn=both,dc=mycompany,dc=com
>     cn: both
>     userPassword: tomcat
>     sn: Both User
>     objectClass: person
>
>     # Define an entry to base role searches on
>     dn: dc=roles,dc=mycompany,dc=com
>     cn: roles
>     objectClass: person
>     sn: Roles Entry
>
>     # Define all members of the 'tomcat' role
>     dn: cn=tomcat,dc=roles,dc=mycompany,dc=com
>     cn: tomcat
>     objectClass: groupOfUniqueNames
>     uniqueMember: cn=tomcat,dc=mycompany,dc=com
>     uniqueMember: cn=both,dc=mycompany,dc=com
>
>     # Define all members of the 'role1' role
>     dn: cn=role1,dc=roles,dc=mycompany,dc=com
>     cn: role1
>     objectClass: groupOfUniqueNames
>     uniqueMember: cn=role1,dc=mycompany,dc=com
>     uniqueMember: cn=both,dc=mycompany,dc=com
>
> Here's my Tomcat 4 Realm declaration:
>
>     <Realm className="org.apache.catalina.realm.JNDIRealm"
>            connectionName="cn=Manager,dc=mycompany,dc=com"
>            connectionPassword="secret"
>            connectionURL="ldap://localhost"
>            roleBase="dc=roles"
>            roleName="cn"
>            roleSearch="(uniqueMember={0})"
>            roleSubtree="false"
>            userPassword="userPassword"
>            userPattern="cn={0},dc=mycompany,dc=com"
>     />
>
> Here's my catalina_log.2002-02-27.txt file:
>
>     2002-02-27 10:15:46 HttpConnector Opening server socket on all host IP addresses
>     2002-02-27 10:15:46 JNDIRealm[Standalone]: Connecting to URL ldap://localhost
>     2002-02-27 10:15:59 HttpConnector[8080] Starting background thread
>     2002-02-27 10:15:59 HttpProcessor[8080][1] Starting background thread
>     2002-02-27 10:15:59 HttpProcessor[8080][0] Starting background thread
>     2002-02-27 10:15:59 HttpProcessor[8080][2] Starting background thread
>     2002-02-27 10:15:59 HttpProcessor[8080][3] Starting background thread
>     2002-02-27 10:15:59 HttpProcessor[8080][4] Starting background thread
>     2002-02-27 10:16:19 JNDIRealm[Standalone]: getUserDN(tomcat)
>     2002-02-27 10:16:19 JNDIRealm[Standalone]: dn=cn=tomcat,dc=mycompany,dc=com
>     2002-02-27 10:16:19 JNDIRealm[Standalone]: retrieving attribute userPassword
>     2002-02-27 10:16:19 JNDIRealm[Standalone]: retrieving value
>     2002-02-27 10:16:19 JNDIRealm[Standalone]: validating credentials
>     2002-02-27 10:16:19 JNDIRealm[Standalone]: Username tomcat successfully authenticated
>     2002-02-27 10:16:19 JNDIRealm[Standalone]: getRoles(cn=tomcat,dc=mycompany,dc=com)
>     2002-02-27 10:16:19 JNDIRealm[Standalone]: Searching role base 'dc=roles' for attribute 'cn'
>     2002-02-27 10:16:19 JNDIRealm[Standalone]: With filter expression '(uniqueMember=cn=tomcat,dc=mycompany,dc=com)'
>     2002-02-27 10:16:19 JNDIRealm[Standalone]: Exception performing authentication
>     javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'dc=roles'
>         at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2761)
>         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2682)
>         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2488)
>         at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1660)
>         at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1583)
>         at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:371)
>         at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:331)
>         at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:316)
>         at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:241)
>         at org.apache.catalina.realm.JNDIRealm.getRoles(Unknown Source)
>         at org.apache.catalina.realm.JNDIRealm.authenticate(Unknown Source)
>         at org.apache.catalina.realm.JNDIRealm.authenticate(Unknown Source)
>         at org.apache.catalina.authenticator.FormAuthenticator.authenticate(Unknown Source)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(Unknown Source)
>         at org.apache.catalina.core.StandardPipeline.invokeNext(Unknown Source)
>         at org.apache.catalina.core.StandardPipeline.invoke(Unknown Source)
>         at org.apache.catalina.core.ContainerBase.invoke(Unknown Source)
>         at org.apache.catalina.core.StandardContext.invoke(Unknown Source)
>         at org.apache.catalina.core.StandardHostValve.invoke(Unknown Source)
>         at org.apache.catalina.core.StandardPipeline.invokeNext(Unknown Source)
>         at org.apache.catalina.valves.AccessLogValve.invoke(Unknown Source)
>         at org.apache.catalina.core.StandardPipeline.invokeNext(Unknown Source)
>         at org.apache.catalina.core.StandardPipeline.invoke(Unknown Source)
>         at org.apache.catalina.core.ContainerBase.invoke(Unknown Source)
>         at org.apache.catalina.core.StandardEngineValve.invoke(Unknown Source)
>         at org.apache.catalina.core.StandardPipeline.invokeNext(Unknown Source)
>         at org.apache.catalina.core.StandardPipeline.invoke(Unknown Source)
>         at org.apache.catalina.core.ContainerBase.invoke(Unknown Source)
>         at org.apache.catalina.connector.http.HttpProcessor.process(Unknown Source)
>         at org.apache.catalina.connector.http.HttpProcessor.run(Unknown Source)
>         at java.lang.Thread.run(Thread.java:484)
>
>     2002-02-27 10:16:19 JNDIRealm[Standalone]: Closing directory context
>
> Thank you for helping me. It's very important because it's an important
> part of the work that I need to do in my training period.
> ------------------------------------------------------------------------
> Frédéric RINALDI, Frederic.Rinaldi@inrialpes.fr, INRIA, FRANCE
> ------------------------------------------------------------------------
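As an added example (not code from the thread), the following Python script models the failure John describes offline: it parses the posted LDIF, applies the schema rule that an entry's naming attribute must be permitted by one of its objectClasses (so the person-classed dc=roles entry is rejected, as slapd would reject it), and then emulates the JNDIRealm roleSearch "(uniqueMember={0})" against only the entries that were loaded, reproducing the "No Such Object" result and, with the dcObject fix, the 'tomcat' role. The schema table is a hand-picked subset and the role base is assumed to be the full DN dc=roles,dc=mycompany,dc=com.

```python
import re
ALLOWED = {"dcobject": {"dc"}, "organization": {"o"}, "person": {"cn", "sn", "userpassword"},
           "groupofuniquenames": {"cn", "uniquemember"}}  # constructed subset of OpenLDAP's core schema

def norm_dn(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_ldif(text):  # LDIF text -> {normalised dn: {lowercase attr: [values]}}
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):  # blank lines separate entries
        attrs = {}
        for ln in (ln for ln in block.splitlines() if ln.strip() and not ln.startswith("#")):
            key, _, val = ln.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(val.strip())
        entries[norm_dn(attrs.pop("dn")[0])] = attrs
    return entries

def schema_violations(entries):  # {dn: reason} for entries slapd would refuse to add
    bad = {}
    for dn, attrs in entries.items():
        rdn_attr = dn.partition("=")[0]  # the naming attribute must be permitted by an objectClass
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if rdn_attr not in set().union(*(ALLOWED.get(c, set()) for c in classes)):
            bad[dn] = f"RDN attribute '{rdn_attr}' is not permitted by objectClass {classes}"
    return bad

def get_roles(ldif, role_base, user_dn, role_name="cn"):
    """Load what slapd accepts, then emulate JNDIRealm's one-level roleSearch '(uniqueMember={0})'."""
    entries = parse_ldif(ldif)
    bad = schema_violations(entries)
    directory = {dn: a for dn, a in entries.items() if dn not in bad}
    base = norm_dn(role_base)
    if base not in directory:  # surfaces in Tomcat as javax.naming.NameNotFoundException
        raise LookupError(f"LDAP: error code 32 - No Such Object; remaining name '{role_base}'")
    return sorted(v for dn, a in directory.items() for v in a.get(role_name, [])
                  if dn.partition(",")[2] == base and norm_dn(user_dn) in map(norm_dn, a.get("uniquemember", [])))

# Constructed from the LDIF in the thread, trimmed to the role entries the 'tomcat' login touches.
POSTED_LDIF = """dn: dc=roles,dc=mycompany,dc=com
cn: roles
objectClass: person
sn: Roles Entry

dn: cn=tomcat,dc=roles,dc=mycompany,dc=com
cn: tomcat
objectClass: groupOfUniqueNames
uniqueMember: cn=tomcat,dc=mycompany,dc=com
"""
# John's fix: the entry that role searches are based on must be a dcObject, not a person.
FIXED_LDIF = POSTED_LDIF.replace("cn: roles\nobjectClass: person\nsn: Roles Entry", "objectClass: dcObject\ndc: roles")
```

Run schema_violations over the full posted LDIF before loading it, and get_roles after, to see both the rejected entry and the realm's view of the directory.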