tomcat-users mailing list archives

From "Paulo Alvim" <al...@powerlogic.com.br>
Subject Re: [java] Re: ActiveDirectory and JNDI LDAP Realm
Date Fri, 30 Apr 2004 11:22:37 GMT
Hi Chong,

Thanks for your answer!...

I think you are right. The problem is that I have also tried many options to
substitute "uid" using attributes that I got from ActiveDirectory:
sAMAccountName, givenName, userPrincipalName, etc...

I'm now wondering if the "userBase" could be wrong (maybe using
"ou=Users"?!). I would appreciate it if anyone (ActiveDirectory users) could
give any other ideas!

Paulo

-----Original Message-----
From: Chong Yu Meng [mailto:chongym@cymulacrum.net]
Sent: Thursday, 29 April 2004 22:26
To: Tomcat Users List
Subject: [java] Re: ActiveDirectory and JNDI LDAP Realm


Hi Paulo !

What is the Active Directory equivalent of "uid" in LDAP? I had the
same problem as you previously, when I was preparing material for a
Novell eDirectory course. The "canonical" method of structuring the
directory (at least in my part of the world) was to use the CN (like
your ActiveDirectory example). I have a write-up on this at :
http://cymulacrum.net/writings/adv_tomcat/c487.html

I suppose if you substitute the Active Directory equivalent for UID, you
should be able to get it to work.

Hope this helps!

Regards,
pascal chong



Paulo Alvim wrote:

>Hi!
>
>Is there anyone using MS ActiveDirectory with Tomcat 5?
>
>I could authenticate using:
>
> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>        connectionURL="ldap://plcbhdc:389"
>        userPattern="cn={0},cn=Users,dc=powerlogic"
>        roleBase="cn=Users,dc=powerlogic"
>        roleName="memberOf"
>        roleSearch="(distinguishedName={0})" />
>
>...but I had to use the full name (ex: Bill Gates) instead of the login
>(ex: gates).
>
>So I tried to use:
>
> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>        connectionURL="ldap://plcbhdc:389"
>        userBase="cn=Users,dc=powerlogic"
>        userSearch="(sAMAccountName={0})"
>        userSubtree="true"
>        roleBase="cn=Users,dc=powerlogic"
>        roleName="memberOf"
>        roleSearch="(distinguishedName={0})" />
>
>... with lots of "userSearch" attributes such as "userPrincipalName",
>"givenName", etc., but it didn't work.
>
>I'm using the default ActiveDirectory installation...
>
>Any help?
>
>Thanks in advance!
>
>Paulo Alvim
>
>-----Original Message-----
>From: Chong Yu Meng [mailto:chongym@cymulacrum.net]
>Sent: Sunday, 18 April 2004 12:59
>To: Tomcat Users List
>Subject: [spam] Re: Authentification against NT Domain Controller
>
>
>Hi Frank !
>
>I seem to remember ActiveDirectory being discussed here, on this mailing
>list. The good thing about ActiveDirectory is that, if you do not have
>an overly complicated schema, you can use the LDAP subset to query the
>directory (you need to do a fair bit of tweaking to get ActiveDirectory
>to output results in LDAP-compliant format though. I'm not an expert on
>ActiveDirectory, so I really cannot advise you on this).
>
>If you're using Windows NT as the PDC, I think you can't get the Tomcat
>realm to work with it (Please, somebody, tell me otherwise!).
>
>As for writing your own Realm implementation, unless you are a really
>seasoned programmer, this can be a very daunting task. An easier way is
>to download and look at SecurityFilter. The example webapp has source
>code that you can look at without getting confused by it. I highly
>recommend this over implementing your own realm. However, this still does
>not address the problem of extracting user credentials from a PDC.
>
>There is another solution : use Novell's DirXML product to do a periodic
>sync of data in Active Directory or NTLM into an LDAP directory, then
>use the JNDI realm in Tomcat. This is not a free solution, and it does
>require you to read up on another product, but this product is also very
>good for syncing data between different directories (OpenLDAP, Netscape
>Directory Server, Novell eDirectory, even flat files).
>
>Hope this helps !
>
>
>Frank Schaare wrote:
>
>
>
>>Hi,
>>
>>we're building an Intranet application running on Tomcat 4.1.30
>>(Client OS is Win2K). It would be very suitable to authenticate the
>>users against the NT Domain Controller to avoid a second login.
>>
>>I searched this ML and Google but did not find very much about this
>>theme.
>>
>>There is a SourceForge project called NTDCRealm which seems to fit our
>>needs, but has absolutely no documentation.
>>
>>Probably, we need to nest a custom NTDCRealm Tag in our WebApp
>>context. To learn how to do this, I searched the Tomcat documentation
>>(http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html#Standard%20Realm%20Implementations)
>>and again, there is a gap:
>>
>>"It is also possible to write your own Realm implementation, and
>>integrate it with Tomcat 4. However, doing this is beyond the scope of
>>this document. See (FIXME - reference to developer stuff) for more
>>information."
>>
>>Here are my questions:
>>
>>Does this reference to developer stuff exist anywhere?
>>Has anyone ever made the NTDCRealm work?
>>Does anyone know another (documented) implementation of NT
>>authentication?
>>
>>Any hints, links, documents about this theme are warmly welcome.
>>
>--
>A complex system that works is invariably found to have evolved from a
>simple system that works.
>+----------------------------------------------------------------+
>| Pascal Chong                                                   |
>| email: chongym@cymulacrum.net                                  |
>|                                                                |
>| Please visit my site at : http://cymulacrum.net                |
>| If you're using my documentation, please read the Terms and    |
>| and Conditions at http://cymulacrum.net/terms.html             |
>+----------------------------------------------------------------+


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
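The two configurations quoted in this thread fail for different reasons. The userPattern form builds a DN from the template and binds as it, so it needs no search credentials but only accepts whatever sits in the RDN; in a default Active Directory the cn is the display name ("Bill Gates"), not the logon name ("gates"). The userBase/userSearch form is the right one for sAMAccountName, but it issues a search before binding as the user, and a default Active Directory refuses anonymous searches; with no connectionName/connectionPassword on the Realm the lookup fails before the user's password is ever tried, whichever attribute is put in userSearch. The following server.xml fragment is an added example and is not from the thread or from the Tomcat project: it supplies a read-only service account for the search, keys the search on sAMAccountName, moves the connection to LDAPS, and resolves roles from group entries instead of the user's memberOf values. The host dc01.example.local, the account svc-tomcat-ldap and the DNs are placeholders.

```xml
<!-- Added example, not from the thread.  Placeholders: dc01.example.local,
     cn=svc-tomcat-ldap (a read-only account used only to run the search),
     and the dc=example,dc=local naming context. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://dc01.example.local:636"
       connectionName="cn=svc-tomcat-ldap,cn=Users,dc=example,dc=local"
       connectionPassword="change-me"
       userBase="cn=Users,dc=example,dc=local"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleBase="cn=Users,dc=example,dc=local"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true" />
```

Two checks before blaming the Realm: confirm the naming context the server actually uses (a single-component dc=powerlogic is unusual for a domain such as powerlogic.com.br), for example with `ldapsearch -x -H ldap://plcbhdc -s base -b "" defaultNamingContext`, and confirm with the same tool, bound as the service account, that `(sAMAccountName=gates)` under that base returns exactly one entry. Note that connectionPassword is stored in clear text in server.xml, so restrict the file's permissions and give the service account no rights beyond reading user and group entries. Paulo's own roleName="memberOf" with roleSearch="(distinguishedName={0})" also works once the search is authenticated; it reads the group DNs straight off the user's entry, so the role names in web.xml would then have to be the full group DNs rather than plain group names.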




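To make the difference between the quoted userPattern and userSearch configurations concrete, here is an added stand-alone model of how the Realm resolves a login name to a DN under each, run against a constructed directory that mimics a default Active Directory "cn=Users" container. This is example code written for this page, not code from the thread or from Tomcat: the two modes it models (userPattern builds a DN and binds as it; userBase/userSearch searches first, then binds as the DN found) are the documented JNDIRealm behaviours, while the sample entries, the filter evaluator and every function name are this example's own. It also escapes the login per RFC 4515 before substituting it into the filter and shows why that matters: an unescaped "*" turns the equality filter into a wildcard that matches every user.

```python
"""Added example (not from the thread or Tomcat): a model of JNDIRealm's two
login-resolution modes against a constructed AD-like directory."""
import re

# Constructed sample entries, not real accounts.  In a default AD the cn is the
# display name and sAMAccountName is the logon name, which is why a userPattern
# built on cn accepts "Bill Gates" but never "gates".
SAMPLE_DIRECTORY = [
    {"dn": "cn=Bill Gates,cn=Users,dc=powerlogic",
     "cn": "Bill Gates", "sAMAccountName": "gates",
     "userPrincipalName": "gates@powerlogic",
     "memberOf": ["cn=Domain Admins,cn=Users,dc=powerlogic"]},
    {"dn": "cn=Paulo Alvim,cn=Users,dc=powerlogic",
     "cn": "Paulo Alvim", "sAMAccountName": "alvim",
     "userPrincipalName": "alvim@powerlogic",
     "memberOf": ["cn=Developers,cn=Users,dc=powerlogic"]},
]

USER_BASE = "cn=Users,dc=powerlogic"


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter, so a
    login such as "*" or "x)(...)" cannot change the filter's structure."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def escape_dn_value(value):
    """RFC 4514 escaping for a value substituted into a DN template."""
    out = []
    for i, ch in enumerate(value):
        needs = (ch in ',+"\\<>;' or (ch == "#" and i == 0)
                 or (ch == " " and i in (0, len(value) - 1)))
        out.append("\\" + ch if needs else ch)
    return "".join(out)


def _value_to_regex(filter_value):
    """An unescaped '*' in an equality filter is a wildcard; a '\\xx' hex
    escape is the literal character.  Matching is case-insensitive like AD."""
    pieces, literal, i = [], "", 0
    while i < len(filter_value):
        if filter_value[i] == "\\":
            literal += chr(int(filter_value[i + 1:i + 3], 16))
            i += 3
        elif filter_value[i] == "*":
            pieces.append(re.escape(literal))
            literal, i = "", i + 1
        else:
            literal += filter_value[i]
            i += 1
    pieces.append(re.escape(literal))
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)


def search(base, filter_expr, directory=SAMPLE_DIRECTORY):
    """Tiny evaluator for a single '(attr=value)' filter below base."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_expr)
    if not m:
        raise ValueError("only single equality filters are modelled here")
    attr, pattern = m.group(1), _value_to_regex(m.group(2))
    return [e["dn"] for e in directory
            if e["dn"].lower().endswith(base.lower())
            and isinstance(e.get(attr), str) and pattern.match(e[attr])]


def resolve_by_pattern(login, user_pattern="cn={0}," + USER_BASE,
                       directory=SAMPLE_DIRECTORY):
    """userPattern mode: the DN is built from the template and used for the
    bind directly.  No search, so no search credentials, but the login must
    equal the RDN value (here the cn, i.e. the display name)."""
    dn = user_pattern.replace("{0}", escape_dn_value(login))
    return dn if any(e["dn"].lower() == dn.lower() for e in directory) else None


def resolve_by_search(login, user_search="(sAMAccountName={0})",
                      user_base=USER_BASE, escape=True, directory=SAMPLE_DIRECTORY):
    """userBase/userSearch mode: find the entry first, then bind as the DN
    found.  Against a real AD this search needs an authenticated connection
    (connectionName/connectionPassword).  Returns a DN only for exactly one hit."""
    value = escape_filter_value(login) if escape else login
    hits = search(user_base, user_search.replace("{0}", value), directory)
    return hits[0] if len(hits) == 1 else None


def roles_for(dn, role_name="memberOf", directory=SAMPLE_DIRECTORY):
    """roleSearch="(distinguishedName={0})" with roleName="memberOf" matches
    the user's own entry, so the roles are its memberOf values, verbatim."""
    for e in directory:
        if e["dn"].lower() == dn.lower():
            return list(e.get(role_name, []))
    return []


if __name__ == "__main__":
    print(resolve_by_pattern("Bill Gates"), resolve_by_pattern("gates"))
    print(resolve_by_search("gates"), resolve_by_search("Bill Gates"))
    print(resolve_by_search("*"), resolve_by_search("*", escape=False))
```

Run as a script it prints the DN for "Bill Gates" and None for "gates" in pattern mode, the reverse in search mode, and None for a login of "*" in both escaped (no match) and unescaped (ambiguous, two matches) form. Tomcat substitutes {0} for you, so the escaping functions are there to make the requirement visible, not to be pasted into server.xml; what you should take from the model is that the search mode is the one that needs connectionName/connectionPassword and that the attribute in userSearch must be the logon attribute, sAMAccountName.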