tomcat-users mailing list archives

From "Paulo Alvim" <>
Subject ActiveDirectory and JNDI LDAP Realm
Date Thu, 29 Apr 2004 22:10:16 GMT


Is there anyone using MS ActiveDirectory with Tomcat 5?

I could authenticate using:

 <Realm   className="org.apache.catalina.realm.JNDIRealm" debug="99"
   roleSearch="(distinguishedName={0})" />

...but I had to use the full name (ex: Bill Gates) instead of the login (ex:

So I tried to use:

 <Realm   className="org.apache.catalina.realm.JNDIRealm" debug="99"
    userBase="cn=Users,dc=powerlogic" userSearch="(sAMAccountName={0})"
   roleSearch="(distinguishedName={0})" />

... with lots of "userSearch" attributes such as "userPrincipalName",
"givenName", etc., but it didn't work.

I'm using the default ActiveDirectory installation...

Any help?

Thanks in advance!

Paulo Alvim

-----Original Message-----
From: Chong Yu Meng []
Sent: Sunday, April 18, 2004 12:59
To: Tomcat Users List
Subject: [spam] Re: Authentification against NT Domain Controller

Hi Frank !

I seem to remember ActiveDirectory being discussed here, on this mailing
list. The good thing about ActiveDirectory is that, if you do not have
an overly complicated schema, you can use the LDAP subset to query the
directory (you need to do a fair bit of tweaking to get ActiveDirectory
to output results in LDAP-compliant format though. I'm not an expert on
ActiveDirectory, so I really cannot advise you on this).

If you're using Windows NT as the PDC, I think you can't get the Tomcat
realm to work with it (Please, somebody, tell me otherwise!).

As for writing your own Realm implementation, unless you are a really
seasoned programmer, this can be a very daunting task. An easier way is
to download and look at SecurityFilter. The example webapp has source
code that you can look at, and not get confused by it. I highly
recommend this to implementing your own realm. However, this still does
not address the problem of extracting user credentials from a PDC.

There is another solution : use Novell's DirXML product to do a periodic
sync of data in Active Directory or NTLM into an LDAP directory, then
use the JNDI realm in Tomcat. This is not a free solution, and it does
require you to read up on another product, but this product is also very
good for syncing data between different directories (OpenLDAP, Netscape
Directory Server, Novell eDirectory, even flat files).

Hope this helps !

Frank Schaare wrote:

> Hi,
> we're building an Intranet application running on Tomcat 4.1.30
> (Client OS is Win2K). It would be very suitable to authenticate the
> users against the NT Domain Controller to avoid a second login.
> I searched this ML and Google but did not find very much about this
> theme.
> There is a SourceForge Project called NTDCRealm which seems to fit our
> needs, but has absolutely no documentation.
> Probably, we need to nest a custom NTDCRealm Tag in our WebApp
> context. To learn how to do this, I searched the Tomcat documentation
> and again, there is a gap:
> "It is also possible to write your own Realm implementation, and
> integrate it with Tomcat 4. However, doing this is beyond the scope of
> this document. See (FIXME - reference to developer stuff) for more
> information."
> Here are my questions:
> Does this reference to developer stuff exist anywhere ?
> Did anyone ever make the NTDCRealm work ?
> Does anyone know another (documented) implementation of NT
> authentication ?
> Any hints, links, documents about this theme are warmly welcome.
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

A complex system that works is invariably found to have evolved from a
simple system that works.
| Pascal Chong                                                   |
| email:                                  |
|                                                                |
| Please visit my site at :                |
| If you're using my documentation, please read the Terms and    |
| and Conditions at             |
