From Pid <...@pidster.com>
Subject Re: Tomcat, JSP and LDAP
Date Fri, 16 Mar 2012 18:55:25 GMT
On 16/03/2012 14:56, Neil Munro wrote:
> On 16 March 2012 14:41, Pid <pid@pidster.com> wrote:
>> On 16/03/2012 14:13, Neil Munro wrote:
>>> I have since made some minor progress with LDAP queries. This login.jsp
>>> file, as you can see, queries for a list of valid users and creates a
>>> drop-down list to choose from
>>>
>>> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
>>> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
>>> <%@page import="javax.naming.*,javax.naming.directory.*,java.util.ArrayList"%>
>>> <html>
>>>       <head>
>>>               <title>Login</title>
>>>       </head>
>>>       <body>
>>>               <form method="POST" action="j_security_check">
>>>                       <select>
>>
>> What are you expecting this select element to do?
> 
> To do exactly what it does do, allow me to select from a list of users
> that's generated from the below jsp. It's about the only thing in my
> code that does work :S

It allows you to select, but then doesn't do anything with it because it
has no name parameter.


p

>> p
>>
>>>                       <%
>>>                               // Anonymous search of the user container; passing an ldap:// URL as the
>>>                               // name lets the default InitialDirContext resolve it through JNDI's URL factory
>>>                               DirContext ctx = new InitialDirContext();
>>>                               ArrayList<String> als = new ArrayList<String>();
>>>                               try {
>>>                                       SearchControls sc = new SearchControls();
>>>                                       sc.setSearchScope(SearchControls.ONELEVEL_SCOPE);
>>>                                       sc.setReturningAttributes(new String[] { "uid" });
>>>                                       NamingEnumeration<SearchResult> answer =
>>> ctx.search("ldap://my.ldap.server.com:389/ou=my company users,dc=mycompany,dc=com", "(uid=*)", sc);
>>>
>>>                                       while (answer.hasMore()) {
>>>                                               // Read the uid attribute directly rather than parsing SearchResult.toString()
>>>                                               SearchResult sr = answer.next();
>>>                                               Attribute uid = sr.getAttributes().get("uid");
>>>                                               if (uid != null) {
>>>                                                       als.add((String) uid.get());
>>>                                               }
>>>                                       }
>>>                               } finally {
>>>                                       // Close the context when we're done, even if the search threw
>>>                                       ctx.close();
>>>                               }
>>>
>>>                               for (String s : als) {
>>>                                       // Escape before writing into HTML: directory data is untrusted output
>>>                                       String safe = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
>>>                                       out.println("<option>" + safe + "</option>");
>>>                               }
>>>                       %>
>>>                       </select>
>>>                       <br>
>>>                       <input type="password" name="j_password">
>>>                       <br>
>>>                       <input type="submit">
>>>               </form>
>>>       </body>
>>> </html>
>>>
>>> I am, however, still not able to get the server.xml file working with
>>> the realms. I did discover through some trial and error that my own
>>> LDAP user had not been set up right and my system admin kindly fixed
>>> it for me, which could have led to some working code not working.
>>>
>>> This is how it currently works:
>>>               <Realm className="org.apache.catalina.realm.JNDIRealm"
>>>                               connectionName="uid={0},ou=my company users,dc=mycompany,dc=com"
>>>                               connectionPassword="userPassword"
>>>                               connectionURL="ldap://my.ldap.server.com"
>>>                               alternateURL="ldap://my.ldap.server.com"
>>>                               roleBase="ou=my company users,dc=mycompany,dc=com"
>>>                               roleName="cn"
>>>                               roleSearch="(uniqueMember={0})"
>>>                               userPattern="uid={0},ou=my company users,dc=mycompany,dc=com" />
>>>
>>> On 16 March 2012 12:05, Pid <pid@pidster.com> wrote:
>>>> On 16/03/2012 10:23, Neil Munro wrote:
>>>>> On 15 March 2012 18:24, Christopher Schultz
>>>>> <chris@christopherschultz.net> wrote:
>>>>> Neil,
>>>>>
>>>>> On 3/15/12 1:05 PM, Neil Munro wrote:
>>>>>>>> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>>>>>>>>        connectionURL="ldap://my.ldap.server.com"
>>>>>>>>        alternateURL="ldap://my.ldap.server.com"
>>>>>>>>        userPattern="uid={0},ou=my company users,dc=mycompany,dc=com" />
>>>>>>>>
>>>>>
>>>>> The "debug" attribute does not exist any more. Were you following some
>>>>> kind of old example?
>>>>>
>>>>>> Yeah I must have been, I have removed it.
>>>>>
>>>>>
>>>>> I think you may need roleBase, roleName, and roleSearch attributes to
>>>>> have a prayer of making this work. Also, with no userSearch parameter,
>>>>> you are instructing the realm to connect in "bind" mode where the
>>>>> user's credentials are used directly to bind to the LDAP server. Is
>>>>> this appropriate?
>>>>>
>>>>>> <Realm className="org.apache.catalina.realm.JNDIRealm"
>>>>>>      connectionName="uid={0},ou=my company users,dc=mycompany,dc=com"
>>>>>>      connectionPassword="userPassword"
>>>>>>      connectionURL="ldap://my.ldap.server"
>>>>>>      alternateURL="ldap://my.ldap.server"
>>>>>>      roleBase="ou=my company users,dc=mycompany,dc=com"
>>>>>>      roleName="cn"
>>>>>>      roleSearch="(uniqueMember={0})"
>>>>>>      userPattern="uid={0},ou=my company users,dc=mycompany,dc=com" />
>>>>>
>>>>>> I have added those changes. As for which connection mode I need, I
>>>>>> think bind would be OK for now, just to check whether I can establish
>>>>>> a connection, but looking at it I think that if I will be querying LDAP
>>>>>> for a user name and password then comparison mode is what I need.
>>>>>
>>>>>> However, with this configuration my whole app becomes inaccessible. I
>>>>>> imagine it's some form of protection or permissions thing, but in my
>>>>>> floundering around trying things, this is the only thing that seems
>>>>>> to have any effect on the whole app.
>>>>>
>>>>> You might want to re-read this section of the realm-howto:
>>>>>
>>>>> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
>>>>>
>>>>> Can you run any queries against the LDAP server outside of Tomcat that
>>>>> give you results that you might expect? For instance, can you do a
>>>>> search of the LDAP tree for a particular user? What does that query
>>>>> look like? When you do that search, are you using anonymous bind or
>>>>> are you using user bind? If user, which user? Some administrative user
>>>>> or the user whose credentials should be checked?
>>>>>
>>>>>> I can connect with a tool called JXplorer, but I have not had any luck
>>>>>> from other applications, but that's due to my inability to find any
>>>>>> up-to-date documentation on the libraries I was using.
>>>>>
>>>>>>>> <login-config> <auth-method>FORM</auth-method> <form-login-config>
>>>>>>>> <form-login-page>/login.jsp</form-login-page>
>>>>>>>> <form-error-page>/fail_login.jsp</form-error-page>
>>>>>>>> </form-login-config> </login-config>
>>>>
>>>> Side note: I usually recommend putting those files in WEB-INF, in their
>>>> own directory, say: WEB-INF/login.
>>>>
>>>> p
>>>>
>>>>> That looks just fine: configuring the credential-gathering system is
>>>>> usually trivial. It's configuring the authentication system that is
>>>>> usually the problem.
>>>>>
>>>>>> Cool, at least some of this is working right. Do you need to see
>>>>>> those files, btw?
>>>>>
>>>>>
>>>>> -chris
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>
>>>>>
>>>>
>>>
>>
>>
> 


-- 

[key:62590808]
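The two JNDIRealm modes Chris describes (bind mode with no userSearch, and comparison mode) written out as working server.xml fragments. This is an added example, not configuration from the thread or from the Tomcat documentation; the connectionURL and user container are the ones quoted above, while the service account cn=tomcat-auth,ou=services,..., its password and the ou=groups role container are placeholders. Two points differ from the Realm quoted in the thread. The realm substitutes {0} only in userPattern, userSearch and roleSearch; connectionName is the fixed DN the realm binds with before it searches, so a {0} there is never expanded. And connectionPassword is that service account's password, whereas userPassword names an attribute of the user entry; the documented rule is that setting userPassword is what switches the realm from binding as the user to comparing the stored attribute value.

```xml
<!-- Bind mode: the realm binds to the directory with the DN built from
     userPattern and the password the user submitted. No service account
     is needed and userPassword is deliberately absent. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://my.ldap.server.com:389"
       userPattern="uid={0},ou=my company users,dc=mycompany,dc=com"
       roleBase="ou=groups,dc=mycompany,dc=com"
       roleName="cn"
       roleSearch="(uniqueMember={0})" />

<!-- Comparison mode: the realm binds once as a read-only service account
     (placeholder DN and password), finds the user entry with userSearch,
     and compares the submitted password with the attribute named by
     userPassword. {0} in roleSearch is the user's DN, {1} the username. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://my.ldap.server.com:389"
       connectionName="cn=tomcat-auth,ou=services,dc=mycompany,dc=com"
       connectionPassword="service-account-secret"
       userBase="ou=my company users,dc=mycompany,dc=com"
       userSearch="(uid={0})"
       userPassword="userPassword"
       roleBase="ou=groups,dc=mycompany,dc=com"
       roleName="cn"
       roleSearch="(uniqueMember={0})" />
```

Bind mode is the one to prefer when the directory allows it: the web tier never reads password attributes, so the service account's read access to userPassword and the question of how the stored value is hashed never arise. Comparison mode needs both, and a service account that can read every user's password attribute is a high-value credential to keep in server.xml. In either mode an ldap:// URL sends the bind password in the clear on the network, so point connectionURL at ldaps:// once the realm itself is working.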


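The login page with the defect Pid points out fixed, as an added example rather than Neil's file or anything from the thread: j_security_check reads exactly two request parameters, j_username and j_password, so the select must carry name="j_username" or the chosen user is never submitted. The page is placed under WEB-INF/login as Pid suggests; the single hard-coded option stands in for the directory-driven list and is an assumption, as is the /WEB-INF/login path.

```jsp
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%-- WEB-INF/login/login.jsp: not servable by a direct request because it
     sits under WEB-INF, but the container can forward to it for FORM login
     when web.xml names it in <form-login-page>. --%>
<!DOCTYPE html>
<html>
  <head><title>Login</title></head>
  <body>
    <form method="POST" action="j_security_check">
      <%-- The name attribute is what makes the chosen value reach
           j_security_check; a select without it submits nothing. --%>
      <select name="j_username">
        <%-- Placeholder option; the page on the list fills this from LDAP.
             Values must be HTML-escaped if they come from the directory. --%>
        <option>neil</option>
      </select>
      <br>
      <input type="password" name="j_password" autocomplete="off">
      <br>
      <input type="submit" value="Log in">
    </form>
  </body>
</html>
```

The matching web.xml entries are the ones already quoted in the thread with the paths changed: <form-login-page>/WEB-INF/login/login.jsp</form-login-page> and <form-error-page>/WEB-INF/login/fail_login.jsp</form-error-page>. One caveat on the design itself: populating the select with every uid the directory will return to an anonymous search hands an attacker a complete list of valid usernames before any authentication happens; a plain text input for j_username avoids that disclosure and removes the anonymous LDAP search from the login page entirely.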