Page 1 of 2
  #1
  1. Registered User (Devshed Newbie, joined Jan 2005, 27 posts, rep power 0)

    Tomcat Authentication with LDAP....NEED HELP BAD....


    Hi guys,

    Got a little problem with using LDAP Authentication. I have 4 separate environments set up, all working fine. But in one environment I want it to authenticate through Active Directory. So I modified the context in my server.xml file to look like the following:
    Code:
    <Context path="/Test" docBase="Test" debug="0"
                     reloadable="true" crossContext="true">
    	<Realm className="org.apache.catalina.realm.JNDIRealm" 
    		debug="99"
    		connectionName="CN=Test User,CN=Users,DC=testDomain,DC=com"
    		connectionPassword="password"
    		connectionURL="ldap://server.testDomain.com:389"
    		referrals="follow"
    		userBase="CN=Users,dc=testDomain,dc=com"
    		userSearch="(sAMAccountName={0})"
    		userSubtree="true"
    		userRoleName="l"
    	/>
    </Context>
     
    // where testDomain is my domain name
    // where Test User is the user I'm trying to authenticate
    and I modified my web.xml file in my environment to look like this:
    Code:
     <security-constraint>
         <display-name>Example Security Constraint</display-name>
           <web-resource-collection>
             <web-resource-name>Entire Application</web-resource-name>
              <url-pattern>/*</url-pattern>
             </web-resource-collection>
              <auth-constraint>
                 <role-name>testSecureAccess</role-name>
               </auth-constraint>    
        </security-constraint>
    
    // where testSecureAccess is my security group in Active Directory
    Now when I try to log in with my test user, I get the following error:

    HTTP Status 403 - Access to the requested resource has been denied
    --------------------------------------------------------------------------------
    type Status report
    message Access to the requested resource has been denied
    description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
    --------------------------------------------------------------------------------

    Now I'm not sure if I got this configured right. Also, should I have Test User in the connection name? What if I have other users in this security group, will they be able to authenticate, or do I have to list them in the realm as well?

    Hope someone can shed some light on this.

    Thanks.
  2. #2
  3. Modding: Oracle MsSQL Firebird (Devshed Supreme Being, joined Jun 2001, Outside US, 8,527 posts, rep power 539)
  4. #3
  5. Registered User (Devshed Newbie, joined Jan 2005, 27 posts, rep power 0)
    Here is the error log. It says the user does not have a role for the testSecureAccess security group in Active Directory. But the user is an admin and a member of this group. ??

    Code:
    JNDIRealm[/Test]:   Searching for testuser
    JNDIRealm[/tEST]:   base: CN=Users,dc=testDomain,dc=com  filter: (sAMAccountName=testuser)
    JNDIRealm[/tEST]:   entry found for testuser with dn CN=Test User,CN=Users,dc=testDomain,dc=com
    JNDIRealm[/tEST]:   retrieving values for attribute l
    JNDIRealm[/tEST]:   validating credentials by binding as the user
    JNDIRealm[/tEST]:   binding as CN=Test User,CN=Users,dc=testDomain,dc=com
    JNDIRealm[/tEST]: Username testuser successfully authenticated
    JNDIRealm[/tEST]:   getRoles(CN=Test User,CN=Users,dc=testDomain,dc=com)
    JNDIRealm[/tEST]: Username testuser does NOT have role testSecureAccess
  6. #4
  7. Modding: Oracle MsSQL Firebird (Devshed Supreme Being, joined Jun 2001, Outside US, 8,527 posts, rep power 539)
  8. #5
  9. Registered User (Devshed Newbie, joined Jan 2005, 27 posts, rep power 0)
    In Active Directory I have assigned the administrator role to that account, as well as to the "testSecureAccess" security group.
  10. #6
  11. Modding: Oracle MsSQL Firebird (Devshed Supreme Being, joined Jun 2001, Outside US, 8,527 posts, rep power 539)
  12. #7
  13. Registered User (Devshed Newbie, joined Jan 2005, 27 posts, rep power 0)
    Yeah, I checked the security group in Active Directory. Everything seems fine with "testSecureAccess".

    This is on a Windows 2003 server. I think this used to work fine with Windows 2000; would there be something different in the 2003 server?
  14. #8
  15. Psycho Canadian (Devshed Demi-God, joined Jan 2001, Canada, 4,846 posts, rep power 635)
    Do you have any sort of LDAP browser? If so, you can use it to verify that the user has all the data. You can also use it to try to log in as that user.

    Also, there are Administrative Tools that come with Windows Server 2003 Service Pack 1. They contain quite a few useful tools. One of them is Active Directory Users and Computers; with it you can see all the users, groups, etc. on the server, and can easily see what permissions each one has.
  16. #9
  17. Registered User (Devshed Newbie, joined Jan 2005, 27 posts, rep power 0)
    Hi,

    As for the LDAP browser, I am using Active Directory Users and Computers with Server 2003. And all the correct permissions are assigned to the security group "testSecureAccess". The user can also log on fine to the domain.

    I did change the security group to the Enterprise Admins group, since they have rights to everything and I got the same error.

    "Username testuser does NOT have role Enterprise Admins"

    So do you think this is a permission problem in LDAP or in the application? To give you some background, this application has worked with LDAP before on Windows 2000 and there were never any issues.
  18. #10
  19. Modding: Oracle MsSQL Firebird (Devshed Supreme Being, joined Jun 2001, Outside US, 8,527 posts, rep power 539)
  20. #11
  21. Psycho Canadian (Devshed Demi-God, joined Jan 2001, Canada, 4,846 posts, rep power 635)
    Yeah, once you try out another one, IF it can log in then it's an application problem (maybe it's not using LDAP protocol 3?); otherwise we can keep trying stuff.
  22. #12
  23. Registered User (Devshed Newbie, joined Jan 2005, 27 posts, rep power 0)
    Thanks guys,

    I'll give another editor a shot and let you know.
  24. #13
  25. Registered User (Devshed Newbie, joined Dec 2006, 1 post, rep power 0)
    Code:
    <Realm className="org.apache.catalina.realm.JNDIRealm" 
    		debug="99"
    		connectionName="CN=Test User,CN=Users,DC=testDomain,DC=com"
    		connectionPassword="password"
    		connectionURL="ldap://server.testDomain.com:389"
    		referrals="follow"
    		userBase="CN=Users,dc=testDomain,dc=com"
    		userSearch="(sAMAccountName={0})"
    		userSubtree="true"
    		userRoleName="l" />
    Isn't userRoleName supposed to be "member"? I have it, and it works.

    My only problem is that I would love to get rid of connectionName and connectionPassword... Why in earth it can't bind directly with the given username?

    It just can't.
  26. #14
  27. Contributing User (Devshed Newbie, joined Jan 2009, Charlotte, NC, 111 posts, rep power 9)
    For Active Directory the Realm key is userRoleName="memberOf".
    In Active Directory the user's account will have this attribute and it will contain the list of Windows Groups the user is a member of.
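The flow the JNDIRealm debug log in post #3 traces (search for the user, bind as the user, getRoles) and the userRoleName point made in posts #13 and #14, as an added example that is not code from the thread or from Tomcat: a Python model run against a constructed in-memory directory. The DNs reuse the thread's testDomain names; the password, the Domain Users entry and the attribute values are assumptions. Run with userRoleName="l" it reproduces the 403 from post #1: the user authenticates, but the locality attribute holds no role names. Run with "memberOf" it shows that the raw values are group DNs, and the roleSearch alternative that returns the group's cn instead. It makes no claim about whether a given Tomcat version reduces a DN-valued userRoleName attribute to its CN before comparing it with <role-name>; check the JNDIRealm documentation for the version in use.

```python
"""Offline model of the JNDIRealm lookup flow against Active Directory.

Added example for this thread, not code from the posters or from Tomcat.
It walks the sequence the debug log in post #3 shows (search for the user
under userBase, bind as the DN found, collect roles, compare with the
<role-name> from web.xml) against a constructed in-memory directory that
stands in for the AD of post #1. All passwords and values are made up.
"""
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]

USER_BASE = "CN=Users,DC=testDomain,DC=com"
USER_DN = "CN=Test User," + USER_BASE
GROUP_DN = "CN=testSecureAccess," + USER_BASE

# Constructed directory: DN -> multi-valued attributes, as LDAP returns them.
# AD keeps a user's primary group (Domain Users by default) in primaryGroupID
# only: it appears neither in memberOf nor in that group's member attribute,
# so neither lookup below can see it.
DIRECTORY: Dict[str, Entry] = {
    USER_DN: {
        "objectClass": ["top", "user"],
        "sAMAccountName": ["testuser"],
        "l": [],                 # locality: the attribute the realm in post #1 reads
        "memberOf": [GROUP_DN],
        "primaryGroupID": ["513"],
    },
    GROUP_DN: {
        "objectClass": ["top", "group"],
        "cn": ["testSecureAccess"],
        "member": [USER_DN],
    },
    "CN=Domain Users," + USER_BASE: {
        "objectClass": ["top", "group"],
        "cn": ["Domain Users"],
        "member": [],
    },
}

# Constructed credential store; a real directory checks this during the bind.
PASSWORDS = {USER_DN: "password"}


def in_subtree(dn: str, base: str) -> bool:
    """userSubtree/roleSubtree="true": the base entry or anything below it."""
    return dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())


def search_user(username: str) -> Optional[Tuple[str, Entry]]:
    """userSearch="(sAMAccountName={0})" under userBase, run as connectionName.
    The login form supplies only "testuser", and a bind needs a DN, which is
    why the realm needs a service account for this step."""
    for dn, attrs in DIRECTORY.items():
        if in_subtree(dn, USER_BASE) and username in attrs.get("sAMAccountName", []):
            return dn, attrs
    return None


def bind(dn: str, password: str) -> bool:
    """Simple bind as the user: the "binding as CN=..." line in the log."""
    return PASSWORDS.get(dn) == password


def roles_via_user_attribute(attrs: Entry, user_role_name: str) -> List[str]:
    """userRoleName: raw values of one attribute of the user's own entry.
    With AD's memberOf those values are full group DNs, not bare names."""
    return list(attrs.get(user_role_name, []))


def roles_via_role_search(user_dn: str, role_base: str, role_name: str = "cn") -> List[str]:
    """roleBase/roleSearch="(member={0})"/roleName="cn": find the groups that
    list the user's DN and return their cn, which matches <role-name> as is."""
    roles: List[str] = []
    for dn, attrs in DIRECTORY.items():
        if in_subtree(dn, role_base) and user_dn in attrs.get("member", []):
            roles.extend(attrs.get(role_name, []))
    return roles


def first_rdn_value(dn: str) -> str:
    """'CN=testSecureAccess,CN=Users,...' -> 'testSecureAccess'.
    Naive split; it does not handle escaped commas inside an RDN value."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def authorize(username: str, password: str, user_role_name: str, required_role: str) -> str:
    """One login end to end; returns the outcome the user would see."""
    found = search_user(username)
    if found is None:
        return "401 user not found"
    dn, attrs = found
    if not bind(dn, password):
        return "401 bad password"
    roles = roles_via_user_attribute(attrs, user_role_name)
    if required_role in roles:
        return "200"
    return "403 authenticated but role missing"
```

Two things the model makes visible: the connectionName account is used only for the first search, and every member of the group then authenticates with their own password, so nothing has to be listed per user in the realm; and a group that is only someone's primary group is invisible to both the memberOf and the member lookups.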
  28. #15
  29. Registered User (Devshed Newbie, joined Jan 2009, Sheffield, UK, 8 posts, rep power 0)

    I'm also having this problem, my host is setup as follows:

    Code:
    <Host name="ldap" debug="0" appBase="webapps/ldap" unpackWARs="true" autoDeploy="true"
    	xmlValidation="false" xmlNamespaceAware="false">
    	<Valve className="org.apache.catalina.valves.FastCommonAccessLogValve" directory="logs"
    		prefix="ldap_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
    	<Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
    	<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
    			connectionURL="ldap://*********/"
    			connectionName="***************"
    			connectionPassword="********"
    			protocol="DIGEST-MD5"
    			userBase="OU=*****,DC=**,DC=**,DC=**"
    			userSearch="(sAMAccountName={0})"
    			userRoleName="memberOf"
    			roleSubtree="true"
    			userSubtree="true"					
    		/>
    
    	<Context path="" docBase="${catalina.home}/webapps/ldap" debug="0" allowLinking="true">
    		<Resources className="org.apache.naming.resources.FileDirContext" />
    	</Context>
    </Host>
    and my web.xml has the following:

    Code:
    <security-constraint>
    	<web-resource-collection>
    		<web-resource-name>Nrt</web-resource-name>
    		<url-pattern>/index.jsp</url-pattern>
    		<http-method>GET</http-method>
    		<http-method>POST</http-method>
    		<http-method>PUT</http-method>
    		<http-method>DELETE</http-method>
    	</web-resource-collection>
    	<auth-constraint>
    		<role-name>UFI-Users</role-name>
    	</auth-constraint>
    </security-constraint>
    
    <login-config>
    	<auth-method>FORM</auth-method>
    	<realm-name>Unifi</realm-name>
    	<form-login-config>
    		<form-login-page>/WEB-INF/security/login.jsp</form-login-page>
    		<form-error-page>/WEB-INF/security/error.jsp</form-error-page>
    	</form-login-config>
    </login-config>
    
    <security-role>
    	<description>Only 'tomcat' role is allowed to access this web application</description>
    	<role-name>UFI-Users</role-name>
    </security-role>
    The memberOf tab definitely has a group with the name UFI-Users, yet I still get a 403 error?

    Am I still missing something? I have no idea how to turn logging on, and am using Tomcat 5.5 on Windows XP Pro.

    Any help much appreciated

    Cheers!

    Paul.
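The two web.xml fragments in this thread differ in a way that matters beyond the 403: post #1's constraint lists no <http-method>, post #15's lists four. Under the Servlet specification's constraint matching rules, a constraint that names methods covers only those, so a HEAD, OPTIONS or TRACE request to /index.jsp in post #15's setup is not subject to the auth-constraint at all (Tomcat 5.5 implements Servlet 2.4, which has no way to deny uncovered methods; Servlet 3.1 added <deny-uncovered-http-methods/>). The following is an added example, not code from the thread or from Tomcat, that applies those rules to both posted constraints; the request samples are constructed.

```python
"""Which requests does a <security-constraint> actually cover?

Added example, not code from the thread or from Tomcat. It applies the
Servlet specification's URL-pattern and method matching rules, and its
"combining constraints" rules, to the two web.xml fragments posted in
this thread: post #1 (no <http-method>, so every method on /* is
covered) and post #15 (GET/POST/PUT/DELETE on /index.jsp, so any other
method on that URL reaches the page with no role check).
"""
from typing import List, Optional, Sequence, Set

ALL_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")


class Constraint:
    """One <security-constraint>. roles=None means no <auth-constraint>
    (permit everyone); roles=set() means an empty one (deny everyone)."""

    def __init__(self, patterns: Sequence[str], methods: Sequence[str] = (),
                 roles: Optional[Set[str]] = None) -> None:
        self.patterns = list(patterns)
        self.methods = {m.upper() for m in methods}   # empty set = all methods
        self.roles = roles

    def matches_url(self, path: str) -> bool:
        """Exact, path-prefix (/foo/*) and extension (*.jsp) patterns."""
        for p in self.patterns:
            if p == path:
                return True
            if p.endswith("/*") and (path == p[:-2] or path.startswith(p[:-1])):
                return True
            if p.startswith("*.") and path.endswith(p[1:]):
                return True
        return False

    def covers(self, method: str, path: str) -> bool:
        return self.matches_url(path) and (not self.methods or method.upper() in self.methods)

    def uncovered_methods(self) -> List[str]:
        """Methods on this constraint's URLs that it leaves unprotected."""
        if not self.methods:
            return []
        return [m for m in ALL_METHODS if m not in self.methods]


def decide(constraints: Sequence[Constraint], method: str, path: str,
           user_roles: Sequence[str], authenticated: bool) -> str:
    """Combine the applicable constraints the way the Servlet spec describes:
    an empty auth-constraint denies all; a constraint without one permits
    all; otherwise the user needs one role from the union of role names."""
    applicable = [c for c in constraints if c.covers(method, path)]
    if not applicable:
        return "allowed: no constraint covers this request"
    if any(c.roles == set() for c in applicable):
        return "403: empty auth-constraint denies everyone"
    if any(c.roles is None for c in applicable):
        return "allowed: a covering constraint has no auth-constraint"
    allowed: Set[str] = set().union(*(c.roles for c in applicable))
    if allowed & set(user_roles):
        return "allowed"
    return "403: missing role" if authenticated else "401: authentication required"


# The two constraints posted in the thread.
POST1 = Constraint(["/*"], roles={"testSecureAccess"})
POST15 = Constraint(["/index.jsp"], ["GET", "POST", "PUT", "DELETE"], roles={"UFI-Users"})
```

The fix for post #15's fragment is to drop the <http-method> elements, as post #1's does, so the constraint covers every method; listing methods is only worth it when a different constraint deliberately covers the rest.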