tomcat-users mailing list archives

From "Paulo Alvim" <al...@powerlogic.com.br>
Subject RES: [work] RES: [java] Re: ActiveDirectory and JNDI LDAP Realm
Date Fri, 30 Apr 2004 17:22:11 GMT
Hi!

I've just solved the authentication issue by renaming the "cn" property of
the user in the ActiveDirectory and using the userPattern.

The "uid" in ActiveDirectory is the name that is shown in its tree by
default. Very simple. The problem is that this property isn't the logon name
(sAMAccountName) nor any of the names you type while creating a new user. It's
a new property (the "cn") that ActiveDirectory creates based on the names
you type the first time.

<Realm   className="org.apache.catalina.realm.JNDIRealm" debug="99"
   connectionURL="ldap://plcbhdc:389"
     userPattern="cn={0},cn=Users,dc=powerlogic"
     roleBase="cn=Users,dc=powerlogic"
     roleName="memberOf"
   roleSearch="(distinguishedName={0})" />

Now I'm trying to get roles without success...
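A JNDIRealm configuration for Active Directory that authenticates by logon name (sAMAccountName) and resolves roles from group membership, added here as an illustration and not taken from any message in this thread. The connectionName DN and connectionPassword are placeholders; the plcbhdc host and dc=powerlogic are carried over from the configs above.

```xml
<!-- Added example (not from the thread). Assumptions: a read-only service
     account "TomcatSvc" exists under cn=Users, and its password is supplied
     by the deployer; both values below are placeholders. -->
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"

       <!-- Plain ldap:// on 389 sends the bind password in clear; use
            ldaps://plcbhdc:636 once the DC certificate is trusted by the JVM. -->
       connectionURL="ldap://plcbhdc:389"

       <!-- userSearch needs a search before the user bind, and AD refuses
            anonymous searches by default: bind first with a service account.
            userPattern does not need this, because it binds directly as the
            user, which is why cn={0} worked without these two attributes. -->
       connectionName="cn=TomcatSvc,cn=Users,dc=powerlogic"
       connectionPassword="CHANGE-ME"

       <!-- Look the user up by logon name, not by the auto-generated cn. -->
       userBase="cn=Users,dc=powerlogic"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"

       <!-- Roles: find groups whose "member" attribute holds the user's DN
            ({0} is the DN found above) and use the group's cn as the role
            name; that short name is what web.xml <role-name> entries match. -->
       roleBase="cn=Users,dc=powerlogic"
       roleSearch="(member={0})"
       roleName="cn"
       roleSubtree="true" />
```

If groups live outside cn=Users, widen roleBase to dc=powerlogic and keep roleSubtree="true"; the service account only needs read access to the user and group entries.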

-----Original Message-----
From: Paulo Alvim [mailto:alvim@powerlogic.com.br]
Sent: Friday, April 30, 2004 08:23
To: Tomcat Users List
Subject: [work] RES: [java] Re: ActiveDirectory and JNDI LDAP Realm


Hi Chong,

Thanks for your answer!...

I think you are right. The problem is that I have also tried many options to
substitute "uid" using attributes that I got from ActiveDirectory:
sAMAccountName, givenName, userPrincipalName, etc...

I'm now wondering if the "userBase" could be wrong (maybe using
"ou=Users"?!). I would appreciate it if anyone (ActiveDirectory users) could
give any other ideas!

Paulo

-----Original Message-----
From: Chong Yu Meng [mailto:chongym@cymulacrum.net]
Sent: Thursday, April 29, 2004 22:26
To: Tomcat Users List
Subject: [java] Re: ActiveDirectory and JNDI LDAP Realm


Hi Paulo !

What is the Active Directory equivalent of "uid" in LDAP ? I had the
same problem as you previously, when I was preparing material for a
Novell eDirectory course. The "canonical" method of structuring the
directory (at least in my part of the world) was to use the CN (like
your ActiveDirectory example). I have a write-up on this at:
http://cymulacrum.net/writings/adv_tomcat/c487.html

I suppose if you substitute the Active Directory equivalent for UID, you
should be able to get it to work.

Hope this helps!

Regards,
pascal chong



Paulo Alvim wrote:

>Hi!
>
>Is there anyone using MS ActiveDirectory with Tomcat 5?
>
>I could authenticate using:
>
> <Realm   className="org.apache.catalina.realm.JNDIRealm" debug="99"
>   connectionURL="ldap://plcbhdc:389"
>     userPattern="cn={0},cn=Users,dc=powerlogic"
>     roleBase="cn=Users,dc=powerlogic"
>     roleName="memberOf"
>   roleSearch="(distinguishedName={0})" />
>
>...but I had to use the full name (ex: Bill Gates) instead of the login
>(ex: gates).
>
>So I tried to use:
>
> <Realm   className="org.apache.catalina.realm.JNDIRealm" debug="99"
>   connectionURL="ldap://plcbhdc:389"
>     userBase="cn=Users,dc=powerlogic" userSearch="(sAMAccountName={0})"
>     userSubtree="true"
>     roleBase="cn=Users,dc=powerlogic"
>     roleName="memberOf"
>   roleSearch="(distinguishedName={0})" />
>
>... with lots of "userSearch" attributes such as "userPrincipalName",
>"givenName", etc.. but It didn't work.
>
>I'm using the default ActiveDirectory installation...
>
>Any help?
>
>Thanks in  advance!
>
>Paulo Alvim
>
>-----Original Message-----
>From: Chong Yu Meng [mailto:chongym@cymulacrum.net]
>Sent: Sunday, April 18, 2004 12:59
>To: Tomcat Users List
>Subject: [spam] Re: Authentification against NT Domain Controller
>
>
>Hi Frank !
>
>I seem to remember ActiveDirectory being discussed here, on this mailing
>list. The good thing about ActiveDirectory is that, if you do not have
>an overly complicated schema, you can use the LDAP subset to query the
>directory (you need to do a fair bit of tweaking to get ActiveDirectory
>to output results in LDAP-compliant format though. I'm not an expert on
>ActiveDirectory, so I really cannot advise you on this).
>
>If you're using Windows NT as the PDC, I think you can't get the Tomcat
>realm to work with it (Please, somebody, tell me otherwise!).
>
>As for writing your own Realm implementation, unless you are a really
>seasoned programmer, this can be a very daunting task. An easier way is
>to download and look at SecurityFilter. The example webapp has source
>code that you can look at, and not get confused by it. I highly
>recommend this over implementing your own realm. However, this still does
>not address the problem of extracting user credentials from a PDC.
>
>There is another solution : use Novell's DirXML product to do a periodic
>sync of data in Active Directory or NTLM into an LDAP directory, then
>use the JNDI realm in Tomcat. This is not a free solution, and it does
>require you to read up on another product, but this product is also very
>good for syncing data between different directories (OpenLDAP, Netscape
>Directory Server, Novell eDirectory, even flat files).
>
>Hope this helps !
>
>
>Frank Schaare wrote:
>
>
>
>>Hi,
>>
>>we're building an Intranet application running on Tomcat 4.1.30
>>(Client OS is Win2K). It would be very suitable to authenticate the
>>users against the NT Domain Controller to avoid a second login.
>>
>>I searched this ML and Google but did not find very much about this
>>theme.
>>
>>There is a SourceForge Project called NTDCRealm which seems to fit our
>>needs, but has absolutely no documentation.
>>
>>Probably, we need to nest a custom NTDCRealm Tag in our WebApp
>>context. To learn how to do this, I searched the Tomcat documentation
>>(http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html#Standard%20Realm%20Implementations)
>>and again, there is a gap:
>>
>>"It is also possible to write your own Realm implementation, and
>>integrate it with Tomcat 4. However, doing this is beyond the scope of
>>this document. See (FIXME - reference to developer stuff) for more
>>information."
>>
>>Here are my questions:
>>
>>Does this reference to developer stuff exist anywhere?
>>Has anyone ever made the NTDCRealm work?
>>Does anyone know another (documented) implementation of NT
>>authentication?
>>
>>Any hints, links, documents about this theme are warmly welcome.
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>>
>>
>>
>>
>>
>
>--
>A complex system that works is invariably found to have evolved from a
>simple system that works.
>+----------------------------------------------------------------+
>| Pascal Chong                                                   |
>| email: chongym@cymulacrum.net                                  |
>|                                                                |
>| Please visit my site at : http://cymulacrum.net                |
>| If you're using my documentation, please read the Terms and    |
>| and Conditions at http://cymulacrum.net/terms.html             |
>+----------------------------------------------------------------+
>
>
>