tomcat-users mailing list archives

From <>
Subject AW: JNDIRealm - Active Directory Roles
Date Mon, 17 Mar 2014 12:53:18 GMT
Well, I still got a problem. 
After activating my active directory realm the applications don't anymore.

I got this error:

Mrz 17, 2014 1:49:28 PM org.apache.catalina.startup.HostConfig deployDescriptor
Schwerwiegend: Error deploying configuration descriptor /app/tomcat2/tomcat/conf/Catalina/localhost/app.xml
java.lang.IllegalStateException: ContainerBase.addChild: start: org.apache.catalina.LifecycleException:
Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/app]]
	at org.apache.catalina.core.ContainerBase.addChildInternal(
	at org.apache.catalina.core.ContainerBase.addChild(
	at org.apache.catalina.core.StandardHost.addChild(
	at org.apache.catalina.startup.HostConfig.deployDescriptor(
	at org.apache.catalina.startup.HostConfig$
	at java.util.concurrent.Executors$
	at java.util.concurrent.ThreadPoolExecutor.runWorker(
	at java.util.concurrent.ThreadPoolExecutor$

Best Regards,

-----Original Message-----
From: Becker, Björn 
Sent: Monday, 17 March 2014 13:06
Subject: AW: JNDIRealm - Active Directory Roles

Hello Felix,

thanks for the explanation! I got it now! 

What helped was to enable debugging:

# conf/logging.conf
# This would turn on trace-level for everything
# the possible levels are: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL
#org.apache.catalina.level = ALL
#org.apache.catalina.handlers
org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true

I got this realm config now:

	<Realm className="org.apache.catalina.realm.JNDIRealm"
	        	connectionName="CN=SVC_TomcatLdapQuery,OU=Service Accounts,OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC=

And I copied the manager-gui constraint in the web.xml of the manager application and put in my
new role:

<role-name>CN=DG_R_Tomcat Admins UAT,OU=Roles,OU=Spezielle Gruppen,OU=Hamburg,OU=SITES,OU=\#KONFIGURATION,DC=,DC=

Thanks a lot! 

Best Regards,

-----Original Message-----
From: Felix Schumacher []
Sent: Saturday, 15 March 2014 21:52
Subject: Re: JNDIRealm - Active Directory Roles

On 13.03.2014 18:15, wrote:
> Hello,
> I try to implement the authentication for the tomcat manager application against active
> Unfortunately I don't understand the role concept. I'd like to give the users permission
to open the manager when they're in this group:
>> memberOf: CN=Tomcat Admins,OU=Roles,OU=Spezielle 
> server.xml:
>          <Realm className="org.apache.catalina.realm.JNDIRealm"  debug="99"
>                  connectionName="CN=SVC,OU=Service Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
>                  connectionPassword="_2VK!WHzybn1SJ8P"
>                  connectionURL="ldap://server:389/OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de?sAMAccountName?sub?(objectClass=*)"
>                  userSearch="(sAMAccountName={0})"
>                  userSubtree="true"
>                  roleSearch="(memberof={0})"
>                  roleSubtree="true"
>                  userRoleName="CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
>              />
> <!--            roleBase="DC=DOM,DC=de"
>                  roleName="cn"
> -->
> With this configuration I can open the Manager, but get no permissions.
> Even if the user-role relationship is found, I don't understand how I can assign tomcat
roles (e.g. manager-gui) to the user.
Looking at the documentation on
you have three settings which are most probably not correct.

  * roleSearch will only be used if roleName is set (which is commented out in your configuration)
  * roleSearch will be used to search for objects that match the given filter. In your case
you would find user objects instead of group objects.
  * userRoleName should be the name of an attribute in the user object (cn=... is not a name
of an attribute, but rather a value)

So given your goal, that cn=tomcat admins,... should be a role, you have two options.

  * You could activate roleName=cn (or another attribute name) and change the roleSearch to
member={0}. Then the realm would (hopefully) find the object cn=tomcat admins,...
  * You could change userRoleName to memberOf

In the first case your user would have a role with the name "Tomcat Admins". The second option
would lead to a role name of "cn=Tomcat Admins,...".

In both cases you would have to change the security constraints in the webapp (those are defined
in the WEB-INF/web.xml file).

If your role objects had other attributes with values that match the roles defined in web.xml
you could simply change roleName in the first option above.
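Felix's two options written out side by side, together with the web.xml constraint each one needs (an added example for illustration, not configuration from the thread; the host name, base DNs, service-account DN and the group name "Tomcat Admins" are assumptions):

```xml
<!-- Option 1 (server.xml): search the group objects the user is a member of and
     use the group's cn attribute as the Tomcat role name. {0} in roleSearch is
     the DN of the user found by userSearch, which is what AD stores in "member".
     roleSearch is only evaluated because roleName is set. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ad.example.test:389"
       connectionName="CN=SVC_TomcatLdapQuery,OU=Service Accounts,DC=example,DC=test"
       connectionPassword="REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"
       userBase="OU=SITES,DC=example,DC=test"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleBase="OU=Roles,DC=example,DC=test"
       roleSearch="(member={0})"
       roleSubtree="true"
       roleName="cn" />

<!-- Option 2 (server.xml): no role search at all; every DN listed in the user's
     memberOf attribute becomes a role, so the role name is the full group DN. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ad.example.test:389"
       connectionName="CN=SVC_TomcatLdapQuery,OU=Service Accounts,DC=example,DC=test"
       connectionPassword="REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"
       userBase="OU=SITES,DC=example,DC=test"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       userRoleName="memberOf" />

<!-- Matching constraint in the manager's WEB-INF/web.xml: the role-name must equal
     the role string the realm produces, character for character. Both variants
     are shown; keep the one that matches the Realm you chose. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTML Manager interface</web-resource-name>
    <url-pattern>/html/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Tomcat Admins</role-name>                                  <!-- Option 1 -->
    <role-name>CN=Tomcat Admins,OU=Roles,DC=example,DC=test</role-name>   <!-- Option 2 -->
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>Tomcat Admins</role-name>
</security-role>
```

The manager's stock web.xml carries several constraints (for /html/*, /text/*, /jmxproxy/* and so on); only the one guarding the URL pattern you actually use needs the new role-name.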


To unsubscribe, e-mail:
For additional commands, e-mail:
