I don't know why it doesn't work, but I think this idea is really bad when it comes to Windows
Active Directory, even if you made it work.
* This won't work for trusted domains.
* This won't work for nested domain groups.
* This won't work for local groups.
* You're hard-coding a domain user password.
* You're asking the user to enter his domain credentials, which forces you to run
under SSL (instead of doing single-sign-on).
If you are on Windows, you might want to try http://waffle.codeplex.com instead; it's a drop-in
solution that just works.
dB. @ dblock.org<http://www.dblock.org/>
Moscow|Geneva|Seattle|New York
From: Jill Han [mailto:jill.han@alverno.edu]
Sent: Tuesday, June 15, 2010 9:26 AM
To: users@tomcat.apache.org
Subject: Active Directory authentication
Hi,
I tried to configure tomcat to authenticate against active directory. Here is the relevant
part in server.xml
<Realm className="org.apache.catalina.realm.JNDIRealm"
debug="99"
connectionName="admin@tst.mycollege.edu"
connectionPassword="adminpassword"
connectionURL="ldap://tst.mycollege.edu:389"
userBase="DC=tst,DC=mycollege,DC=edu"
userSearch="(sAMAccountName={0})"
userRoleName="memberof"
roleBase="DC=tst,DC=mycollege,DC=edu"
roleName="cn"
roleSearch="(uniqueMember={0})"
userSubtree="true"
roleSubtree="false"
/>
In the web.xml
...
<security-constraint>
.....
<auth-constraint>
<role-name>OU=EMP,dc=tst,DC=mycollege,DC=edu</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>NEWS</realm-name>
</login-config>
<security-role>
<role-name>OU=EMP,dc=tst,DC=mycollege,DC=edu</role-name>
</security-role>
...
The login window prompts when you access the site; however, no login/password is accepted.
In the log file:
Jun 15, 2010 7:14:53 AM org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name
'DC=tst,DC=mycollege,DC=edu'
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2763)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2737)
at com.sun.jndi.ldap.LdapNamingEnumeration.getNextBatch(LdapNamingEnumeration.java:129)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:198)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:171)
at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1067)
at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:958)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:907)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:808)
at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:180)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:199)
at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:282)
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:754)
at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:684)
at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:876)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
at java.lang.Thread.run(Thread.java:595)
I don't know what could be wrong: the AD setup on the Active Directory side, or the properties in
server.xml.
Thanks for your help as always,
Jill
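Added editor's example, not part of either message above: a JNDIRealm configuration for the same forest that addresses the logged `PartialResultException: Unprocessed Continuation Reference(s)`. That exception is what the Java LDAP provider raises when a subtree search of the domain root on port 389 returns AD referrals (continuation references) and `referrals` is left at its default of `ignore`. Querying the Global Catalog port (3268, or 3269 over TLS) instead returns the forest's entries without those references; keeping 389 and setting `referrals="follow"` is the other option. The example also uses AD's `member` attribute (AD groups have no `uniqueMember`), reads role names from the group `cn`, and takes the bind password from a system property instead of a literal. The host names, the service-account name, the `OU=Groups` container, the group name `Employees` and the property name `ldap.bind.password` are assumptions for illustration; an OU cannot be used as a role in any case, because JNDIRealm resolves roles through group membership.

```xml
<!-- Added example for Tomcat 6 JNDIRealm against Active Directory.
     Assumed: DCs at tst.mycollege.edu, service account svc-tomcat, group
     container OU=Groups, group "Employees", JVM property ldap.bind.password.
     The issuing CA of the DC certificates must be in the JVM truststore
     for ldaps:// to work. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       <!-- Global Catalog over TLS: no continuation references for the
            forest's own partitions, and the bind password is not sent
            in clear text as it is on ldap://...:389. -->
       connectionURL="ldaps://tst.mycollege.edu:3269"
       alternateURL="ldaps://dc2.tst.mycollege.edu:3269"
       <!-- Only needed if you stay on 389/636; harmless here. -->
       referrals="follow"

       <!-- Low-privilege bind account; the password comes from
            -Dldap.bind.password=... or catalina.properties, so it is
            not a literal in server.xml (it is still on disk: restrict
            file permissions). -->
       connectionName="svc-tomcat@tst.mycollege.edu"
       connectionPassword="${ldap.bind.password}"

       userBase="DC=tst,DC=mycollege,DC=edu"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"

       <!-- AD group membership: group entries carry "member", holding
            the user's DN ({0} is the user DN found above). -->
       roleBase="OU=Groups,DC=tst,DC=mycollege,DC=edu"
       roleSearch="(member={0})"
       roleSubtree="true"
       roleName="cn"
/>

<!-- With roleName="cn" the web.xml role-name must be the group's CN,
     e.g. <role-name>Employees</role-name>, not an OU distinguished name. -->
```

With `roleSubtree="true"` nested OUs under `OU=Groups` are searched, but membership via nested groups is still not resolved: `(member={0})` only matches groups that list the user directly, which is the "nested domain groups" limitation the reply above points out.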