From ar...@EASTPOINT.COM
Subject RE: Tomcat with LDAP/OpenLDAP
Date Wed, 23 Apr 2003 19:49:19 GMT
This is encouraging, so it should be able to work.

I am using the uniqueMember attribute of the groupOfUniqueNames objectClass.
My groups are right under the ou=Groups element.

I tried roleSubtree="true" anyway and it did not make any difference - still
does not work.

If I paste the filter from the Tomcat log into an LBE (LDAP Browser\Editor)
search it finds it.

I was just looking at the LDAP log. I see the word anonymous in there, could
Tomcat be authenticating to LDAP as anonymous to get the roles? Wouldn't it
use the already established and authenticated connection? Here is what I
see:

Apr 23 15:33:45 dev1 slapd[34706]: conn=113 op=6 BIND dn="cn=Admin,ou=People,o=EastPoint,c=us" method=128
Apr 23 15:33:45 dev1 slapd[34706]: conn=113 op=6 AUTHZ dn="cn=Admin,ou=People,o=EastPoint,c=us" mech=simple ssf=0
Apr 23 15:33:45 dev1 slapd[34706]: conn=113 op=6 RESULT tag=97 err=0 text=
Apr 23 15:33:45 dev1 slapd[34706]: conn=113 op=7 SRCH base="" scope=0 filter="(objectClass=*)"
Apr 23 15:33:45 dev1 slapd[34706]: conn=113 op=7 RESULT tag=101 err=0 text=
Apr 23 15:33:45 dev1 slapd[34706]: conn=113 op=9 AUTHZ anonymous mech=implicit ssf=0
Apr 23 15:33:45 dev1 slapd[34706]: conn=113 op=9 BIND dn="" method=128
Apr 23 15:33:45 dev1 slapd[34706]: conn=113 op=9 RESULT tag=97 err=0 text=
Apr 23 15:33:45 dev1 slapd[34706]: conn=113 op=10 SRCH base="ou=Groups,o=EastPoint,c=us" scope=2 filter="(uniqueMember=cn=admin,ou=people,o=eastpoint,c=us)"

Maybe I am reading this wrong; I do not find the OpenLDAP log the easiest
thing to parse.

Thank You,
Art
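Reading the slapd excerpt above: the identity a SRCH runs under is whatever the last successful BIND on that connection established (a BIND followed by RESULT tag=97 err=0), and BIND dn="" method=128 is an anonymous simple bind. So op=7 (the rootDSE read) ran as cn=Admin, while op=10, the roleSearch filter, ran anonymously. The script below is an added example, not code from this thread, from Tomcat or from OpenLDAP: it parses slapd stats-level (loglevel 256) lines of the shape shown above, tracks the bound identity per connection and lists the searches that ran with no identity. The sample lines are the ones from the message, re-joined onto one line each; the function and constant names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the slapd lines from the message above, re-joined onto
# one line each (the mail client had wrapped them).
SAMPLE_LOG = """\
Apr 23 15:33:45 dev1 slapd[34706]: conn=113 op=6 BIND dn="cn=Admin,ou=People,o=EastPoint,c=us" method=128
Apr 23 15:33:45 dev1 slapd[34706]: conn=113 op=6 AUTHZ dn="cn=Admin,ou=People,o=EastPoint,c=us" mech=simple ssf=0
Apr 23 15:33:45 dev1 slapd[34706]: conn=113 op=6 RESULT tag=97 err=0 text=
Apr 23 15:33:45 dev1 slapd[34706]: conn=113 op=7 SRCH base="" scope=0 filter="(objectClass=*)"
Apr 23 15:33:45 dev1 slapd[34706]: conn=113 op=7 RESULT tag=101 err=0 text=
Apr 23 15:33:45 dev1 slapd[34706]: conn=113 op=9 AUTHZ anonymous mech=implicit ssf=0
Apr 23 15:33:45 dev1 slapd[34706]: conn=113 op=9 BIND dn="" method=128
Apr 23 15:33:45 dev1 slapd[34706]: conn=113 op=9 RESULT tag=97 err=0 text=
Apr 23 15:33:45 dev1 slapd[34706]: conn=113 op=10 SRCH base="ou=Groups,o=EastPoint,c=us" scope=2 filter="(uniqueMember=cn=admin,ou=people,o=eastpoint,c=us)"
"""

# "conn=N op=M KIND rest..." is the shape of slapd's stats logging.
LINE_RE = re.compile(
    r'slapd\[\d+\]: conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>[A-Z]+)(?: (?P<rest>.*))?$')
# key=value pairs; a value is either a double-quoted string (which may itself
# contain '=' and ',' as in dn="..." and filter="...") or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

ANONYMOUS = 'anonymous'


def parse_fields(rest):
    """Turn 'dn="cn=Admin,..." method=128' into {'dn': 'cn=Admin,...', 'method': '128'}."""
    fields = {}
    for key, value in FIELD_RE.findall(rest or ''):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def attribute_searches(log_text):
    """Walk the log in order and return one dict per SRCH, recording the identity
    bound on that connection at the moment the search was issued.

    A BIND only changes the connection's identity once its RESULT arrives:
    tag=97 (bindResponse) with err=0 binds the requested DN; an empty DN or a
    failed bind leaves the connection anonymous, as LDAP requires."""
    identity = defaultdict(lambda: ANONYMOUS)   # conn -> currently bound DN
    pending_bind = {}                           # (conn, op) -> DN requested
    searches = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                            # not an operation line
        conn, op, kind = m.group('conn'), m.group('op'), m.group('kind')
        fields = parse_fields(m.group('rest'))
        if kind == 'BIND':
            pending_bind[(conn, op)] = fields.get('dn') or ANONYMOUS
        elif kind == 'RESULT' and (conn, op) in pending_bind:
            requested = pending_bind.pop((conn, op))
            ok = fields.get('tag') == '97' and fields.get('err') == '0'
            identity[conn] = requested if ok else ANONYMOUS
        elif kind == 'SRCH':
            searches.append({
                'conn': conn, 'op': op,
                'identity': identity[conn],
                'base': fields.get('base', ''),
                'filter': fields.get('filter', ''),
            })
    return searches


def anonymous_searches(log_text):
    """The subset of searches that ran with no bound identity."""
    return [s for s in attribute_searches(log_text) if s['identity'] == ANONYMOUS]


if __name__ == '__main__':
    for s in attribute_searches(SAMPLE_LOG):
        print(f"conn={s['conn']} op={s['op']} as {s['identity']}: "
              f"base={s['base']!r} filter={s['filter']!r}")
```

If the anonymous search is the one coming back empty, the next check is outside Tomcat: run the same base and filter with ldapsearch once without binding and once bound as a user, and compare, since slapd access rules often let a bound user read group membership attributes while denying them to anonymous clients. JNDIRealm's connectionName and connectionPassword attributes set the identity it rebinds to after validating the user's password; without them it rebinds anonymously, which is the BIND dn="" in the trace.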

-----Original Message-----
From: Mark R. Diggory [mailto:mdiggory@latte.harvard.edu] 
Sent: Wednesday, April 23, 2003 2:47 PM
To: Tomcat Users List
Subject: Re: Tomcat with LDAP/OpenLDAP


Do your groups store users under the "uniqueMember" attribute or the 
"member" attribute? We are now using JNDI realm successfully on Tomcat 
4.1.24. Here's my config for it:

<Context debug="0" reloadable="true" docBase="VDC" path="/VDC">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://your.host.here:389"
         userPattern="uid={0},ou=vdcid,ou=osprey,o=vdc"
         roleBase="o=vdc"
         roleName="vdcGroup"
         roleSearch="(member={0})"
         roleSubtree="true"/>
</Context>

Our groups are stored in custom "vdcGroup" entries; users are stored 
in the "member" attribute.

It may be the case that you're missing the roleSubtree if your groups aren't all 
one level inside your roleBase.

-Mark

art_w@EASTPOINT.COM wrote:

>Hi,
>
>I am new to the Tomcat user list (just signed up a few minutes ago). I 
>have been trying to get Tomcat authentication working with OpenLDAP. I 
>got it to the point where the user appears to be getting authenticated 
>OK, but the roles do not seem to be getting resolved. I have roleBase, 
>roleName, and roleSearch set so that they should find the roles in the 
>directory, but they are never found.
>
>In desperation I started looking all over (google, etc) in the hope 
>that someone else had encountered this problem and reported a solution. 
>Eventually I came across the message below from Jonathan Eric Miller 
>that indicates that "JNDIRealm is broken and unusable". Is this 
>correct? Is there a Bugzilla entry for this, I could not find a bug 
>that indicated that it was completely broken (but may have missed it).
>
>I hope that Jonathan is referring to Tomcat 5 (or 3 or something). I am 
>using Tomcat 4.1.24.
>
>Any suggestions? My roleSearch looks like: 
>roleSearch="(uniqueMember={0})"
>
>Oh, for now the application that I am trying to get working is "Tomcat 
>Administration", so it should be looking for the "admin" role.
>
>In the log I have:
>2003-04-22 20:28:41 JNDIRealm[Standalone]: Connecting to URL ldap://localhost:389
>2003-04-22 20:30:41 JNDIRealm[Standalone]: lookupUser(Admin)
>2003-04-22 20:30:41 JNDIRealm[Standalone]: dn=cn=Admin,ou=People,o=EastPoint,c=us
>2003-04-22 20:30:41 JNDIRealm[Standalone]:   validating credentials by binding as the user
>2003-04-22 20:30:41 JNDIRealm[Standalone]:   binding as cn=Admin,ou=People,o=EastPoint,c=us
>2003-04-22 20:30:41 JNDIRealm[Standalone]: Username Admin successfully authenticated
>2003-04-22 20:30:41 JNDIRealm[Standalone]: getRoles(cn=Admin,ou=People,o=EastPoint,c=us)
>2003-04-22 20:30:41 JNDIRealm[Standalone]:   Searching role base 'ou=Groups,o=EastPoint,c=us' for attribute 'cn'
>2003-04-22 20:30:41 JNDIRealm[Standalone]:   With filter expression '(uniqueMember=cn=Admin,ou=People,o=EastPoint,c=us)'
>2003-04-22 20:30:42 JNDIRealm[Standalone]:   Returning 0 roles
>2003-04-22 20:30:42 JNDIRealm[Standalone]: Username Admin does NOT have role admin
>
>
>Thank You,
>Art
>
>Re: Tomcat with LDAP
>
>*	From: Jonathan Eric Miller 
>*	Subject: Re: Tomcat with LDAP 
>*	Date: Wed, 02 Apr 2003 13:32:27 -0800 
>
>JNDIRealm is broken and unusable.
>
>Jon
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org