tomcat-users mailing list archives

From Pid <...@pidster.com>
Subject Re: Tomcat, JSP and LDAP
Date Fri, 16 Mar 2012 12:05:26 GMT
On 16/03/2012 10:23, Neil Munro wrote:
> On 15 March 2012 18:24, Christopher Schultz
> <chris@christopherschultz.net> wrote:
> Neil,
> 
> On 3/15/12 1:05 PM, Neil Munro wrote:
>>>> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>>>>        connectionURL="ldap://my.ldap.server.com"
>>>>        alternateURL="ldap://my.ldap.server.com"
>>>>        userPattern="uid={0},ou=my company users,dc=mycompany,dc=com" />
>>>>
> 
> The "debug" attribute does not exist any more. Were you following some
> kind of old example?
> 
>> Yeah I must have been, I have removed it.
> 
> 
> I think you may need roleBase, roleName, and roleSearch attributes to
> have a prayer of making this work. Also, with no userSearch parameter,
> you are instructing the realm to connect in "bind" mode where the
> user's credentials are used directly to bind to the LDAP server. Is
> this appropriate?
> 
>> <Realm className="org.apache.catalina.realm.JNDIRealm"
>>        connectionName="uid={0},ou=my company users,dc=mycompany,dc=com "
>>        connectionPassword="userPassword"
>>        connectionURL="ldap://my.ldap.server"
>>        alternateURL="ldap://my.ldap.server"
>>        roleBase="ou=my company users,dc=mycompany,dc=com"
>>        roleName="cn"
>>        roleSearch="(uniqueMember={0})"
>>        userPattern="uid={0},ou=my company users,dc=mycompany,dc=com" />
> 
>> I have added those changes. As for which connection mode I need, I
>> think bind would be OK for now, just to check whether I can establish
>> a connection, but looking at it, I think that if I will be querying LDAP for
>> a user name and password then comparison mode is what I need.
> 
>> However, with this configuration my whole app becomes inaccessible. I
>> imagine it's some form of protection or permissions thing, but in my
>> floundering around trying things, this is the only thing that seems to
>> have any effect on the whole app.
> 
> You might want to re-read this section of the realm-howto:
> 
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
> 
> Can you run any queries against the LDAP server outside of Tomcat that
> give you results that you might expect? For instance, can you do a
> search of the LDAP tree for a particular user? What does that query
> look like? When you do that search, are you using anonymous bind or
> are you using user bind? If user, which user? Some administrative user
> or the user whose credentials should be checked?
> 
>> I can connect with a tool called JXplorer, but I have not had any luck
>> from other applications; that's due to an inability to find any up-to-
>> date documentation on the libraries I was using.
> 
>>>> <login-config>
>>>>   <auth-method>FORM</auth-method>
>>>>   <form-login-config>
>>>>     <form-login-page>/login.jsp</form-login-page>
>>>>     <form-error-page>/fail_login.jsp</form-error-page>
>>>>   </form-login-config>
>>>> </login-config>

Side note: I usually recommend putting those files in WEB-INF, in their
own directory, say: WEB-INF/login.

p

> That looks just fine: configuring the credential-gathering system is
> usually trivial. It's configuring the authentication system that is
> usually the problem.
> 
>> Cool, at least some of this is working right, do you need to see those
>> files btw?
> 
> 
> -chris

-- 

[key:62590808]
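For readers following the bind-mode versus comparison-mode question above, here is an added example (not from anyone in this thread) showing the two JNDIRealm configurations side by side for the directory layout Neil describes. The service-account DN, its password and the LDAP hostnames are placeholders; the OUs are the ones quoted in the thread.

```xml
<!-- Added example, not configuration from the thread. Two alternative
     JNDIRealm setups for Tomcat 6; put exactly one of them in server.xml
     or context.xml. Hostnames, the service-account DN and its password
     are placeholders. -->

<!-- Option A: bind mode. No userPassword attribute is set, so the realm
     builds the user's DN from userPattern and binds to the directory as
     that user with the password the user typed. Tomcat never reads the
     stored password, and no service account is needed, so this is the
     lower-risk choice when the directory allows user binds. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://my.ldap.server"
       alternateURL="ldap://my.ldap.server"
       userPattern="uid={0},ou=my company users,dc=mycompany,dc=com"
       roleBase="ou=my company users,dc=mycompany,dc=com"
       roleName="cn"
       roleSearch="(uniqueMember={0})" />

<!-- Option B: comparison mode. The realm binds once with a fixed service
     account (connectionName is a real DN, not a {0} pattern), locates the
     user with userSearch under userBase, reads the attribute named in
     userPassword and compares it to the submitted value. The service
     account must therefore be allowed to read password attributes, which
     is a wider grant than Option A needs. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://my.ldap.server"
       alternateURL="ldap://my.ldap.server"
       connectionName="cn=tomcat-svc,ou=service accounts,dc=mycompany,dc=com"
       connectionPassword="PLACEHOLDER-service-account-password"
       userBase="ou=my company users,dc=mycompany,dc=com"
       userSearch="(uid={0})"
       userPassword="userPassword"
       roleBase="ou=my company users,dc=mycompany,dc=com"
       roleName="cn"
       roleSearch="(uniqueMember={0})" />
```

In roleSearch, {0} is replaced by the authenticated user's full DN and {1} by the bare username, so (uniqueMember={0}) matches groupOfUniqueNames entries that list the user's DN.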