tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <Bjoern.Bec...@easycash.de>
Subject AW: JNDIRealm - Active Directory Roles
Date Mon, 17 Mar 2014 16:22:01 GMT
Thanks again! It keep the Userdatabase realm now, but I removed the "path=tomcat-users.xml"
parameter.

It's working now. 

Regards,
Björn

-----Ursprüngliche Nachricht-----
Von: Felix Schumacher [mailto:felix.schumacher@internetallee.de] 
Gesendet: Montag, 17. März 2014 15:15
An: users@tomcat.apache.org
Betreff: Re: JNDIRealm - Active Directory Roles

Am 17.03.2014 14:31, schrieb Bjoern.Becker@easycash.de:
> Yes, I found this error:
>
> Mrz 17, 2014 12:50:59 PM org.apache.catalina.realm.UserDatabaseRealm 
> startInternal
> Schwerwiegend: Exception looking up UserDatabase under key 
> UserDatabase
> javax.naming.NameNotFoundException: Name [UserDatabase] is not bound in this Context.
Unable to find [UserDatabase].
>          at org.apache.naming.NamingContext.lookup(NamingContext.java:820)
>          at org.apache.naming.NamingContext.lookup(NamingContext.java:168)
>          at org.apache.catalina.realm.UserDatabaseRealm.startInternal(UserDatabaseRealm.java:255)
>          at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>          at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5168)
>          at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>          at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
>          at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
>          at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:618)
>          at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:650)
>          at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1582)
>          at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>          at java.util.concurrent.FutureTask.run(FutureTask.java:262)
>          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>          at java.lang.Thread.run(Thread.java:744)
>
> While activating the ad realm I commented out the UserDatabase Resource:
>
> <GlobalNamingResources>
>      <!-- Editable user database that can also be used by
>           UserDatabaseRealm to authenticate users
>      -->
> <!--    <Resource name="UserDatabase" auth="Container"
>                type="org.apache.catalina.UserDatabase"
>                description="User database that can be updated and saved"
>                factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
> 	      pathname="conf/tomcat-users.xml" />-->
>    </GlobalNamingResources>
>
> and:
>
> <!-- <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
> 	       resourceName="UserDatabase"/>-->
>
> May this is my problem? I thought the tomcatuser.xml and the UserDatabaseRealm is not
necessary anymore?
UserDatabase is needed for any UserDatabaseRealm you might have. So you will have to look
into all of your contexts to see if you can disable UserDatabase.

And I believe you have to have one Realm (doesn't matter what type) in your host. I think
there were some startup mechanisms relying on one realm to be there.

Regards
  Felix
>
> Best Regards,
> Bjoern
>
>
> -----Ursprüngliche Nachricht-----
> Von: Felix Schumacher [mailto:felix.schumacher@internetallee.de]
> Gesendet: Montag, 17. März 2014 14:11
> An: Tomcat Users List; Becker, Björn
> Betreff: Re: JNDIRealm - Active Directory Roles
>
>
>
> On 17. März 2014 13:53:18 MEZ, Bjoern.Becker@easycash.de wrote:
>> Well, I still got a problem.
>> After activating my active directory realm the applications don't 
>> anymore.
>>
>> I got this error:
>>
>> Mrz 17, 2014 1:49:28 PM org.apache.catalina.startup.HostConfig
>> deployDescriptor
>> Schwerwiegend: Error deploying configuration descriptor 
>> /app/tomcat2/tomcat/conf/Catalina/localhost/app.xml
>> java.lang.IllegalStateException: ContainerBase.addChild: start:
>> org.apache.catalina.LifecycleException: Failed to start component 
>> [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/ap
>> p]
>> ]
>   Have you looked at the localhost log file? Maybe you have a problem with web.xml?
>
> Regards
> Felix
>
>> 	at
>> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:904)
>> 	at
>> org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
>> 	at
>> org.apache.catalina.core.StandardHost.addChild(StandardHost.java:618)
>> 	at
>> org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:650)
>> 	at
>> org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1582)
>> 	at
>> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>> 	at java.util.concurrent.FutureTask.run(FutureTask.java:262)
>> 	at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>> 	at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>> 	at java.lang.Thread.run(Thread.java:744)
>>
>>
>> Best Regards,
>> Bjoern
>>
>>
>> -----Ursprüngliche Nachricht-----
>> Von: Becker, Björn
>> Gesendet: Montag, 17. März 2014 13:06
>> An: users@tomcat.apache.org
>> Betreff: AW: JNDIRealm - Active Directory Roles
>>
>> Hallo Felix,
>>
>> thanks for explaination! I got it now!
>>
>> What helps was to enable debugging:
>>
>> # conf/logging.conf
>> # This would turn on trace-level for everything # the possible levels
>> are: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL 
>> #org.apache.catalina.level = ALL #org.apache.catalina.handlers = 
>> 2localhost.org.apache.juli.FileHandler
>> org.apache.catalina.realm.level = ALL 
>> org.apache.catalina.realm.useParentHandlers = true 
>> org.apache.catalina.authenticator.level = ALL 
>> org.apache.catalina.authenticator.useParentHandlers = true
>>
>> I got this realm config now:
>>
>> 	<Realm className="org.apache.catalina.realm.JNDIRealm"
>> 	        	connectionName="CN=SVC_TomcatLdapQuery,OU=Service
>> Accounts,OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC= "
>> 			connectionPassword="PASS"
>> 			connectionURL="ldap://server:389/OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC=?sAMAccountName?sub?(objectClass=*)"
>> 			userSearch="(sAMAccountName={0})"
>> 			userSubtree="true"
>> 			roleSubtree="true"
>> 			roleName="CN"
>> 			userRoleName="memberOf"
>> 	 />
>>
>> And I copy the manager-gui constraint in web.xml of the manager 
>> application and put in my new role:
>>
>> <role-name>CN=DG_R_Tomcat Admins UAT,OU=Roles,OU=Spezielle 
>> Gruppen,OU=Hamburg,OU=SITES,OU=\#KONFIGURATION,DC=,DC= </role-name>
>>
>> Thanks a lot!
>>
>> Best Regards,
>> Bjoern
>>
>> -----Ursprüngliche Nachricht-----
>> Von: Felix Schumacher [mailto:felix.schumacher@internetallee.de]
>> Gesendet: Samstag, 15. März 2014 21:52
>> An: users@tomcat.apache.org
>> Betreff: Re: JNDIRealm - Active Directory Roles
>>
>> Am 13.03.2014 18:15, schrieb Bjoern.Becker@easycash.de:
>>> Hello,
>>>
>>> I try to implement the authentification for the tomcat manager
>> application against active directory.
>>> Unfortunately I don't understand the role concept. I like to give 
>>> the
>> users permissions to open the manager when they're in this group:
>>>> memberOf: CN=Tomcat Admins,OU=Roles,OU=Spezielle 
>>>> Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de
>>> server.xml:
>>>           <Realm className="org.apache.catalina.realm.JNDIRealm"
>> debug="99"
>>>                   connectionName="CN=SVC,OU=Service
>> Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
>>>                   connectionPassword="_2VK!WHzybn1SJ8P"
>>>                  
>> connectionURL="ldap://server:389/OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de?sAMAccountName?sub?(objectClass=*)"
>>>           
>>>                   userSearch="(sAMAccountName={0})"
>>>                   userSubtree="true"
>>>
>>>                   roleSearch="(memberof={0})"
>>>                   roleSubtree="true"
>>>                   userRoleName="CN=Tomcat 
>>> Admins,OU=Roles,OU=Spezielle
>> Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de "
>>>               />
>>>
>>> <!--            roleBase="DC=DOM,DC=de"
>>>                   roleName="cn"
>>> -->
>>>
>>> With this configuration I can open the Manager, but got no
>> permissions.
>>> Even if the user role relationship will found, I don't understand 
>>> how
>> I can assign tomcat roles (e.g. manager-gui) to the user.
>> Looking at the documentation on
>> http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#JNDI_Direct
>> or y_Realm_-_org.apache.catalina.realm.JNDIRealm
>> you have three settings which are most probably not correct.
>>
>> * roleSearch will only be used, if roleName is set (which is 
>> commented out in your configuration)
>> * roleSearch will be used to search for objects that match the given 
>> filter. In your case you would find user objects instead of group 
>> objects.
>> * userRoleName should be the name of an attribute in the user object 
>> (cn=... is not a name of an attribute, but rather a value)
>>
>> So given your goal, that cn=tomcat admins,... should be a role, you 
>> have two options.
>>
>> * You could activate roleName=cn (or another attribute name) and 
>> change the roleSearch to member={0}. Then the realm would (hopefully) 
>> find the object cn=tomcat admins,...
>>   * You could change userRoleName to memberOf
>>
>> In the first case your user would have a role with the name "Tomcat 
>> Admins". The second option would lead to a role name of "cn=Tomcat 
>> Admins,...".
>>
>> In both cases you would have to change the security constraints in 
>> the webapp (those are defined in the WEB-INF/web.xml file).
>>
>> If your role objects had other attributes with values that match the 
>> roles defined in web.xml you could simply change roleName in the 
>> first option above.
>>
>> Regards
>>   Felix
>>
>>
>> ---------------------------------------------------------------------
>>
>>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Mime
View raw message