tomcat-users mailing list archives

From dB. <dbl...@dblock.org>
Subject RE: Active Directory authentication
Date Tue, 15 Jun 2010 14:55:12 GMT
I don't know why it doesn't work, but I think this idea is really bad when it comes to Windows
Active Directory, even if you made it work.

* This won't work for trusted domains.
* This won't work for nested domain groups.
* This won't work for local groups.
* You're hard-coding a domain user password.
* You're asking the user to enter his domain credentials, which forces you to run under SSL (instead of doing single-sign-on).

If you are on Windows, you might want to try http://waffle.codeplex.com instead; it's a drop-in solution that just works.
dB. @ dblock.org<http://www.dblock.org/>
Moscow|Geneva|Seattle|New York


From: Jill Han [mailto:jill.han@alverno.edu]
Sent: Tuesday, June 15, 2010 9:26 AM
To: users@tomcat.apache.org
Subject: Active Directory authentication

Hi,
I tried to configure Tomcat to authenticate against Active Directory. Here is the relevant part of server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm"
              debug="99"
              connectionName="admin@tst.mycollege.edu"
              connectionPassword="adminpassword"
              connectionURL="ldap://tst.mycollege.edu:389"
              userBase="DC=tst,DC=mycollege,DC=edu"
              userSearch="(sAMAccountName={0})"
              userRoleName="memberof"
              roleBase="DC=tst,DC=mycollege,DC=edu"
              roleName="cn"
              roleSearch="(uniqueMember={0})"
              userSubtree="true"
              roleSubtree="false"
      />
In the web.xml
...
<security-constraint>
    .....
    <auth-constraint>
      <role-name>OU=EMP,dc=tst,DC=mycollege,DC=edu</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>NEWS</realm-name>
  </login-config>

  <security-role>
    <role-name>OU=EMP,dc=tst,DC=mycollege,DC=edu</role-name>
  </security-role>
...
The login window prompts when you access the site; however, no login/password is accepted. In the log file:

Jun 15, 2010 7:14:53 AM org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name
'DC=tst,DC=mycollege,DC=edu'
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2763)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2737)
        at com.sun.jndi.ldap.LdapNamingEnumeration.getNextBatch(LdapNamingEnumeration.java:129)
        at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:198)
        at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:171)
        at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1067)
        at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:958)
        at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:907)
        at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:808)
        at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:180)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
        at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:199)
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:282)
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:754)
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:684)
        at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:876)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
        at java.lang.Thread.run(Thread.java:595)
I don't know what could be wrong: the AD setup on the Active Directory site, or the properties in server.xml.
Thanks for your help as always,

Jill
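A check for two of the points dB. raises above (a hard-coded bind password sent over plaintext LDAP, and BASIC auth without SSL), written as an added example that is not part of this thread: it reads the JNDIRealm element from server.xml and the login-config from web.xml and reports the weak settings. The sample inputs are constructed from the fragments Jill posted, trimmed to the attributes the checks look at.

```python
import xml.etree.ElementTree as ET

# Constructed inputs, trimmed from the Realm and web.xml fragments posted in the thread.
SERVER_XML = """<Server><Service><Engine>
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionName="admin@tst.mycollege.edu"
         connectionPassword="adminpassword"
         connectionURL="ldap://tst.mycollege.edu:389"
         userBase="DC=tst,DC=mycollege,DC=edu"
         userSearch="(sAMAccountName={0})"/>
</Engine></Service></Server>"""

WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <auth-constraint><role-name>EMP</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""


def _parse(xml_text):
    """Parse and drop namespaces so web.xml's default xmlns does not break tag lookups."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def audit(server_xml, web_xml):
    """Return the weak settings found; an empty list means none of the checks fired."""
    findings = []
    for realm in _parse(server_xml).iter("Realm"):
        if not realm.get("className", "").endswith("JNDIRealm"):
            continue
        if realm.get("connectionURL", "").lower().startswith("ldap://"):
            findings.append("plaintext-ldap")  # bind and user passwords cross the wire unencrypted
        if realm.get("connectionPassword"):
            findings.append("hardcoded-bind-password")  # a domain user's password lives in server.xml
    web = _parse(web_xml)
    method = (web.findtext("login-config/auth-method") or "").upper()
    for sc in web.iter("security-constraint"):
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").upper()
        if method == "BASIC" and guarantee != "CONFIDENTIAL":
            findings.append("basic-auth-without-tls")  # credentials go base64-encoded over plain HTTP
    return findings


if __name__ == "__main__":
    for finding in audit(SERVER_XML, WEB_XML):
        print("weak setting:", finding)
```

Switching the connectionURL to ldaps:// and adding a CONFIDENTIAL transport-guarantee clears two of the three findings; the hard-coded bind password remains flagged because it is still in server.xml.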
