RE: JNDIRealm...more

2003-11-06 Thread Robyne Vaughn
I can use that.  Thanks.
Robyne

-Original Message-
From: Dean Searle [mailto:[EMAIL PROTECTED] 
Sent: Thursday, November 06, 2003 5:58 AM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


getRemoteUser(); if you're familiar with JSPs then you'll know how to use
it. Unfortunately I don't, but I guess that is why we have web
application developers on staff. :-)

Dean Searle
Computing Oasis
989.245.7369 (p)
989.921.3904 (f)

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 05, 2003 5:00 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more

Thanks for the pointer, I'll see about pointing to one of our 2 mail
servers.  I wonder if they "talk" back and forth. Also, do you know how
I can extract the signed-on user's user-id once they've authenticated?
robyne

-Original Message-
From: Dean Searle [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 05, 2003 2:06 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Great to hear that information worked for you. I included the
alternateURL in the event our primary AD went down for one reason or
another and our users could still access the password protected sites.
Without an alternate AD active or specified you will not have access to
your web applications.


-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Wed 11/5/2003 13:46
To: Tomcat Users List
Cc:
Subject: RE: JNDIRealm...more
Dean!
Mine works!
A thousand thanks!
I hope I can return the favor some time.
Your nice explanation helped. 
 
I did not need the alternateURL in mine.  I found out that we have 2 mail
servers, well, the server.xml only allows for 1 alternate.  I decided to
try it without any and it worked.

Much appreciation,
Robyne Vaughn
  

-Original Message-
From: Dean Searle [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 9:48 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Hello,

I hope that I am not too late to post here. I have just returned to the
land of the living and have started to catch up on my reading. I noticed
that, Robyne, you were trying to find the "collective all" for your users.
I have just recently figured this out after working on it for two days.
Here is my working server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm"
   connectionURL="ldap://your.AD.com"
   alternateURL="ldap://other.AD.com"
   connectionName="cn=USER DISPLAY NAME,ou=FIRST SUB-GROUP,dc=AD,dc=com"
   connectionPassword="XX"
   referrals="follow"
   userBase="dc=AD,dc=com"
   userSearch="(&amp;(sAMAccountName={0})(objectClass=user))"
   userSubtree="true"
   roleBase="dc=AD,dc=com"
   roleSearch="(uniqueMember={0})"
   roleName="cn"
   />

KEY:

cn = common name
ou = organizational unit
dc = domain controller

your.AD.com        > www.yahoo.com
other.AD.com       > mail.yahoo.com
USER DISPLAY NAME  > This is the full name that shows up in your AD, i.e.
                     the user might be johnd but the full name is John Doe.
                     For the connection name and password, it must be a
                     user that has authority to access AD. This part is
                     necessary to connect.

FIRST SUB-GROUP    > This depends on how your organization is built in AD.
                     You might have departments like: Accounting, Human
                     Resources, Information Technologies.

In an AD structure it might look something like this:

COM
|
|_Yahoo
  |
  |_Accounting
  |   |_John Doe
  |
  |_Information Technologies
  |   |_Jack Daniels
  |
  |_Human Resources
      |_Mary Jane

sAMAccountName     > is the account name you most commonly log in to your
                     computers with.
objectClass="user" > this should be "user", as defined in AD, unless your
                     sys admin or someone has tampered with the AD.
referrals="follow" > this is necessary to traverse the full AD without
                     knowing the user's base location.

I hope that this clears up some issues for you. Please let me know if I
can help you more.


Dean E. Searle
Computing Oasis
989.245.7369 (P)
989.921.3904 (F)
 


-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 1:25 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Thanks.

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 12:10 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Good luck.

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 1:07 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Thanks, Justin,
You've given me some good pointers.  I guess I'll do some more hammering
and snoopin
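Dean's server.xml above fills `{0}` in userSearch with the name the user typed and `{0}` in roleSearch with the DN of the entry that search found. The following added example (not code from the thread or from Tomcat) models those two steps in Python against a small constructed directory of the John Doe / Jack Daniels kind, escaping the substituted value as RFC 4515 requires so that it is matched literally. The filter evaluator (equality, `&` and `|` only), the group entries and their `uniqueMember` values are constructed for this example; the attribute names and the two filter templates are the ones from the post.

```python
"""Added example, not code from the thread or from Tomcat: how a JNDIRealm
style userSearch / roleSearch filter is built from Dean Searle's settings by
substituting {0}, with the value escaped per RFC 4515, and what the two
searches return against a small constructed directory."""
import re

USER_SEARCH = "(&(sAMAccountName={0})(objectClass=user))"   # template from the post
ROLE_SEARCH = "(uniqueMember={0})"                          # template from the post

JOHN = "cn=John Doe,ou=Accounting,dc=AD,dc=com"                     # constructed DN
JACK = "cn=Jack Daniels,ou=Information Technologies,dc=AD,dc=com"   # constructed DN
DIRECTORY = {   # constructed: DN -> attribute name -> list of values
    JOHN: {"objectClass": ["user"], "sAMAccountName": ["johnd"], "cn": ["John Doe"]},
    JACK: {"objectClass": ["user"], "sAMAccountName": ["jackd"], "cn": ["Jack Daniels"]},
    "cn=finance,ou=Accounting,dc=AD,dc=com": {
        "objectClass": ["group"], "cn": ["finance"], "uniqueMember": [JOHN, JACK]},
    "cn=printers,ou=Information Technologies,dc=AD,dc=com": {
        "objectClass": ["group"], "cn": ["printers"], "uniqueMember": [JACK]},
}

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """RFC 4515 escaping: the value is matched literally and cannot change
    the structure of the filter it is placed into."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, value):
    """Fill the {0} placeholder the way the realm fills its template."""
    return template.replace("{0}", escape_filter_value(value))


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s, i):
    """Parse the filter starting at s[i]; return (node, index after it)."""
    if s[i] != "(":
        raise ValueError("filter must start with '('")
    if s[i + 1] in "&|":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] != ")":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    j = s.index(")", i)            # an escaped ')' is the text '\29', never a literal ')'
    attr, _, val = s[i + 1:j].partition("=")
    return ("=", attr, _unescape(val)), j + 1


def _matches(node, entry):
    if node[0] in ("&", "|"):
        combine = all if node[0] == "&" else any
        return combine(_matches(k, entry) for k in node[1])
    _, attr, val = node
    # LDAP attribute names and (for these attributes) values compare case-insensitively
    values = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    return any(v.lower() == val.lower() for v in values)


def search(filter_text):
    """DNs of the entries matching the filter (search base dc=AD,dc=com, subtree)."""
    node, end = _parse(filter_text, 0)
    if end != len(filter_text):
        raise ValueError("trailing text after filter")
    return sorted(dn for dn, entry in DIRECTORY.items() if _matches(node, entry))


def find_user_dn(username):
    """Step one of the realm: the typed name must select exactly one entry."""
    hits = search(build_filter(USER_SEARCH, username))
    return hits[0] if len(hits) == 1 else None


def roles_for(user_dn):
    """Step two: roleSearch with {0} = user DN; the roleName attribute (cn)
    of every matching entry becomes a role."""
    return sorted(DIRECTORY[dn]["cn"][0] for dn in search(build_filter(ROLE_SEARCH, user_dn)))


if __name__ == "__main__":
    dn = find_user_dn("johnd")
    print(build_filter(USER_SEARCH, "johnd"))
    print(dn, roles_for(dn))
```

The escaping is what keeps a typed name containing `(`, `)`, `*` or `\` from being read as filter syntax: `find_user_dn("johnd)(objectClass=user")` simply matches nothing, because the parentheses reach the filter as `\29` and `\28`.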

RE: JNDIRealm...more

2003-11-06 Thread Hart, Justin
getRemoteUser() will give you the username of the user logged in.  This is going to be 
the name that they typed in when they got authenticated, not their DN.

Justin


RE: JNDIRealm...more

2003-11-06 Thread Dean Searle
getRemoteUser(); if you're familiar with JSPs then you'll know how to use
it. Unfortunately I don't, but I guess that is why we have web
application developers on staff. :-)

Dean Searle
Computing Oasis
989.245.7369 (p)
989.921.3904 (f)


RE: JNDIRealm...more

2003-11-05 Thread Robyne Vaughn
Thanks for the pointer, I'll see about pointing to one of our 2 mail
servers.  I wonder if they "talk" back and forth.
Also,
Do you know how I can extract the signed-on user's user-id once they've
authenticated?
robyne


RE: JNDIRealm...more

2003-11-05 Thread Dean Searle
Great to hear that information worked for you. I included the alternateURL in the 
event our primary AD went down for one reason or another and our users could still 
access the password protected sites. Without an alternate AD active or specified you 
will not have access to your web applications.


-Original Message-
From:   Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent:   Wed 11/5/2003 13:46
To: Tomcat Users List
Cc: 
Subject:RE: JNDIRealm...more
Dean!
Mine works!
A thousand thanks!
I hope I can return the favor some time.
Your nice explanation helped. 
 
I did not need the alternatURL in mine.  I found out that we have 2 mail
servers, well the server.xml only allows for 1 alternate.  I decided to
try it without any and it worked.

Much appreciation,
Robyne Vaughn
  

-Original Message-
From: Dean Searle [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 9:48 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Hello,

I hope that I am not to late to post here. I have just returned to the
land of the living and have started to catch up on my reading. I noticed
that Robyne you were trying to find the "collective all" for your users.
I have just recently figured this out after working on it for two days.
Here is my working server.xml:

ldap://your.AD.com";
   alternateURL="ldap://other.AD.com";
   connectionName="cn=USER DISPLAY NAME,ou=FIRST
SUB-GROUP,dc=AD,dc=com"
   connectionPassword="XX"
   referrals="follow"
   userBase="dc=AD,dc=com"

userSearch="(&(sAMAccountName={0})(objectClass=user))"
   userSubtree="true"
   roleBase="dc=AD,dc=com"
   roleSearch="(uniqueMember={0})"
   roleName="cn"
   />

KEY:

cn = common name
ou = organizational unit
dc = domain controller

your.AD.com>www.yahoo.com
other.AD.com   >mail.yahoo.com
USER DISPLAY NAME   >   This is the full name that shows up in
your AD, ie user might be johnd but full
name is John Doe.
For the connection name and password, it must be user that has
authority to access AD. This part is necessary to connect.

FIRST SUB-GROUP > This depends on how your organization is
built in AD. You might have departments like: Accounting, Human
Resources, Information Technologies.

In an AD structure it might look something like this:

COM
|
|_Yahoo
  |
  |
  |_Accounting
  |   |_John Doe
  |
  |_Information Technologies
  ||_Jack Daniels
  |
  |_Human Resources
  |_Mary Jane

sAMAccountName  >  is the account name you most commonly login into
your computers with objectClass="user"  >  this should be user, as
defined in AD unless
your sys admin or someone has tampered   
   the AD.
referrals="follow"  > this is necessary to traverse the full AD
without knowing the user's base location.

I hope that this clears up some issues for you. Please let me know if I
can help you more.


Dean E. Searle
Computing Oasis
989.245.7369 (P)
989.921.3904 (F)
 


-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 1:25 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Thanks.

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 12:10 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Good luck.

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 1:07 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Thanks, Justin,
You've given me some good pointers.  I guess I'll do some more hammering
and snooping. Our AD is on a server and the administrators gave me an
administrator type password to try hitting it with, but they don't want
me snooping around too much.  I don't actually have direct access to it.
Like I said, I have hit it with some JNDI, but that is new to me also,
and I still couldn't discover the tree structure adequately. 
Anyway, I guess I'll try to pull things out of the loading script and my
LDAP books.  It's so frustrating.  I can't find and the administrators
don't know where the collective "all" of our users are located.  They
found an example script, used it, and don't really know what they have
yet.

I really appreciate your time.
Thanks, 
Rob
Ps I expect I'll have more questions later.  Right now, I'm still stuck
just figuring out where "all users" are.

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 11:40 AM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Oh, for th

RE: JNDIRealm...more

2003-11-05 Thread Robyne Vaughn
Dean!
Mine works!
A thousand thanks!
I hope I can return the favor some time.
Your nice explanation helped. 
 
I did not need the alternateURL in mine.  I found out that we have 2 mail
servers, well, the server.xml only allows for 1 alternate.  I decided to
try it without any and it worked.

Much appreciation,
Robyne Vaughn
  


-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 1:07 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Thanks, Justin,
You've given me some good pointers.  I guess I'll do some more hammering
and snooping. Our AD is on a server and the administrators gave me an
administrator type password to try hitting it with, but they don't want
me snooping around too much.  I don't actually have direct access to it.
Like I said, I have hit it with some JNDI, but that is new to me also,
and I still couldn't discover the tree structure adequately. 
Anyway, I guess I'll try to pull things out of the loading script and my
LDAP books.  It's so frustrating.  I can't find and the administrators
don't know where the collective "all" of our users are located.  They
found an example script, used it, and don't really know what they have
yet.

I really appreciate your time.
Thanks, 
Rob
PS: I expect I'll have more questions later.  Right now, I'm still stuck
just figuring out where "all users" are.

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 11:40 AM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Oh, for the AD LDAP, I've been using the programs that came with Active
Directory.  There is also an ldp.exe, I dunno where that came from, but
that's pretty useful.

-Original Message-
From: Hart, Justin 
Sent: Tuesday, November 04, 2003 12:39 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


I used * as my role-name.

Justin

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 12:38 PM
To: Tomcat Users 

RE: JNDIRealm...more

2003-11-05 Thread Hart, Justin
Ok, figured it out.  For those who are curious (i.e. the handful of other people who've 
been taking part in JNDIRealm threads on this list):

roleBase="OU=Users,OU=[Your OU from the userBase],DC=[Domain],DC=com"
roleName="memberOf"
roleSearch="(Whatever group all members allowed to log in should be a part of)"

Now, when you refer to their role in the rest of your application, you use the DN of 
the NT Group that they are supposed to be a part of.  That way, you can use NT 
permissions to control your web app.

Justin

-Original Message-
From: Hart, Justin 
Sent: Wednesday, November 05, 2003 12:00 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Ok, cool, so now I have a question about the parts:

roleBase="OU=Users,OU=[my OU],DC=[Domain],DC=com"
roleName="memberOf" 
roleSearch="(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC=com)"

This is going to specify what "roles" apply to the user under the "role-name" portion 
of the web.xml, correct?  As well as for use with isUserInRole(), right?

If I want the roles that apply to my user to be their NT Groups, would I make it 
something akin to:

roleBase="CN=Users,DC=[Domain],DC=com"
roleName="memberOf"

Will it take all of their roles, even with roleSearch specified?

Am I on the Right Track(tm) with all of this?

Justin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, November 03, 2003 4:16 PM
To: [EMAIL PROTECTED]
Subject: RE: JNDIRealm...more


Here's what I have... this works for me... hope this helps

<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldap://[domain controller]:389"
userBase="OU=Users,OU=[My OU],DC=[Domain],DC=com"
userSearch="(sAMAccountName={0})"
userRoleName="member"
roleBase="OU=Users,OU=[my OU],DC=[Domain],DC=com"
roleName="memberOf"
roleSearch="(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC=com)"
connectionName="CN=Administrator,CN=Users,DC=[Domain],DC=com"
connectionPassword="[password]"
roleSubtree="true"
userSubtree="true"/>

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


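Justin's settings make the role names the DNs of the groups found through roleBase / roleName="memberOf" / roleSearch, and the quoted config also sets userRoleName. As an added example (not code from the thread or from Tomcat), the model below resolves a user's roles under those settings and then performs the isUserInRole()-style check an application or a web.xml role-name amounts to. The directory entries, the OU and domain names and the DNs of the tomcat, Web Admins and Domain Users groups are constructed; PER_USER_CONFIG is an assumed alternative configuration, and comparing role strings exactly is an assumption about how Tomcat matches role names.

```python
"""Added example, not code from the thread or from Tomcat: a model of how a
JNDIRealm derives role names from userRoleName, roleBase, roleName and
roleSearch, applied to the settings in Justin Hart's post, plus the role
check an application then performs. All names below are constructed."""

TOMCAT_GROUP = "CN=tomcat,CN=Users,DC=example,DC=com"          # constructed DN
WEB_ADMINS = "CN=Web Admins,CN=Users,DC=example,DC=com"        # constructed DN
DOMAIN_USERS = "CN=Domain Users,CN=Users,DC=example,DC=com"    # constructed DN
USERS_OU = "OU=Users,OU=Engineering,DC=example,DC=com"         # constructed base

DIRECTORY = {   # constructed: DN -> attribute name -> list of values
    "CN=Robyne,OU=Users,OU=Engineering,DC=example,DC=com": {
        "sAMAccountName": ["robyne"], "memberOf": [TOMCAT_GROUP, WEB_ADMINS]},
    "CN=Justin,OU=Users,OU=Engineering,DC=example,DC=com": {
        "sAMAccountName": ["justin"], "memberOf": [DOMAIN_USERS]},
}

# The settings from the post. roleSearch is kept as (attribute, value) so this
# model never assembles filter text; it evaluates the one equality directly.
PAGE_CONFIG = {
    "userBase": USERS_OU, "userSearch": "sAMAccountName", "userRoleName": "member",
    "roleBase": USERS_OU, "roleName": "memberOf",
    "roleSearch": ("memberOf", TOMCAT_GROUP), "roleSubtree": True,
}
# Assumed alternative (not from the post): read the user's own memberOf
# attribute through userRoleName and do no role search at all.
PER_USER_CONFIG = {
    "userBase": USERS_OU, "userSearch": "sAMAccountName", "userRoleName": "memberOf",
    "roleBase": None, "roleName": None, "roleSearch": None, "roleSubtree": True,
}


def attribute(entry, name):
    """All values of an attribute; LDAP attribute names compare case-insensitively."""
    return [v for k, vs in entry.items() if k.lower() == name.lower() for v in vs]


def search(base, attr, value, subtree=True):
    """DNs under `base` whose `attr` holds `value` (case-insensitive match)."""
    hits = []
    for dn, entry in DIRECTORY.items():
        under_base = dn.lower().endswith("," + base.lower())
        one_level = dn.count(",") == base.count(",") + 1   # DNs here contain no escaped commas
        if under_base and (subtree or one_level):
            if any(v.lower() == value.lower() for v in attribute(entry, attr)):
                hits.append(dn)
    return sorted(hits)


def roles_for(username, config):
    """Return (remote_user, user_dn, roles) for an authenticated user, or None
    when the typed name does not select exactly one entry. remote_user is the
    typed name, which is what getRemoteUser() reports; the DN is separate."""
    hits = search(config["userBase"], config["userSearch"], username)
    if len(hits) != 1:
        return None
    user_dn = hits[0]
    # 1. userRoleName: values of that attribute on the user's own entry
    roles = set(attribute(DIRECTORY[user_dn], config["userRoleName"]))
    # 2. roleSearch: the roleName values of every entry under roleBase that matches
    if config["roleSearch"]:
        attr, value = config["roleSearch"]
        for role_dn in search(config["roleBase"], attr, value, config["roleSubtree"]):
            roles.update(attribute(DIRECTORY[role_dn], config["roleName"]))
    return username, user_dn, sorted(roles)


def is_user_in_role(roles, role_name):
    """What isUserInRole() or a web.xml <role-name> check reduces to, assuming
    the role strings are compared exactly: the DN in web.xml must match the
    directory's spelling and case."""
    return role_name in roles


if __name__ == "__main__":
    for name in ("robyne", "justin"):
        print(name, roles_for(name, PAGE_CONFIG))
        print(name, roles_for(name, PER_USER_CONFIG))
```

In this model PAGE_CONFIG yields the same role list for justin as for robyne, because the roleSearch filter on the page contains no `{0}` placeholder: the realm collects the `memberOf` values of every entry that matches the filter, not only the logged-in user's. PER_USER_CONFIG, the assumed alternative, reads the user's own `memberOf` attribute and so gives justin only Domain Users; Dean's `(uniqueMember={0})` filter earlier in the thread is the other way to tie the role search to the user.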

RE: JNDIRealm...more

2003-11-05 Thread Hart, Justin
Ok, cool, so now I have a question about the parts:

roleBase="OU=Users,OU=[my OU],DC=[Domain],DC=com"
roleName="memberOf" 
roleSearch="(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC=com)"

This is going to specify what "roles" apply to the user under the "role-name" portion 
of the web.xml, correct?  As well as for use with isUserInRole(), right?

If I want the roles that apply to my user to be their NT Groups, would I make it 
something akin to:

roleBase="CN=Users,DC=[Domain],DC=com"
roleName="memberOf"

Will it take all of their roles, even with roleSearch specified?

Am I on the Right Track(tm) with all of this?

Justin


RE: JNDIRealm...more

2003-11-05 Thread Robyne Vaughn
Dean,
WOW, this is enlightening.  
Thanks,  I'll let you know how it goes.  I believe I have the connection
name part working.  I have not been able to find the user.  This helps a
lot.  
Much appreciation,
I'll let you know how it goes.
Rob



RE: JNDIRealm...more

2003-11-04 Thread Dean Searle
Hello,

I hope that I am not too late to post here. I have just returned to the
land of the living and have started to catch up on my reading. I noticed
that Robyne you were trying to find the "collective all" for your users.
I have just recently figured this out after working on it for two days.
Here is my working server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm"
   connectionURL="ldap://your.AD.com"
   alternateURL="ldap://other.AD.com"
   connectionName="cn=USER DISPLAY NAME,ou=FIRST SUB-GROUP,dc=AD,dc=com"
   connectionPassword="XX"
   referrals="follow"
   userBase="dc=AD,dc=com"
   userSearch="(&(sAMAccountName={0})(objectClass=user))"
   userSubtree="true"
   roleBase="dc=AD,dc=com"
   roleSearch="(uniqueMember={0})"
   roleName="cn"
   />

KEY:

cn = common name
ou = organizational unit
dc = domain controller

your.AD.com > www.yahoo.com
other.AD.com > mail.yahoo.com
USER DISPLAY NAME > This is the full name that shows up in
your AD, i.e. user might be johnd but full
name is John Doe.
For the connection name and password, it must be a user that has
authority to access AD. This part is necessary to connect.

FIRST SUB-GROUP > This depends on how your organization is
built in AD. You might have departments like: Accounting, Human
Resources, Information Technologies.

In an AD structure it might look something like this:

COM
|
|_Yahoo
  |
  |
  |_Accounting
  |   |_John Doe
  |
  |_Information Technologies
  ||_Jack Daniels
  |
  |_Human Resources
  |_Mary Jane

sAMAccountName > is the account name you most commonly log in to
your computers with
objectClass="user" > this should be user, as defined in AD unless
your sys admin or someone has tampered with the AD.
referrals="follow" > this is necessary to traverse the full AD
without knowing the user's base location.

I hope that this clears up some issues for you. Please let me know if I
can help you more.


Dean E. Searle
Computing Oasis
989.245.7369 (P)
989.921.3904 (F)
 


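Added example (not code from the thread or from Tomcat): a Python walk-through of what the JNDIRealm attributes in Dean's server.xml key above and Justin's roleSearch/userBase explanation further down the thread actually do, run against a constructed in-memory directory shaped like Dean's AD diagram. It assumes AD's native group-membership attribute `member` with roleSearch="(member={0})" and roleName="cn" (the uniqueMember/memberOf variants in the thread are the posters' own); every DN, login name and password here is constructed, and the login name is escaped per RFC 4515 before it is substituted into the filter because it arrives straight from the login prompt.

```python
"""What Tomcat's JNDIRealm does with userBase/userSearch/roleBase/roleSearch,
played out against a small constructed in-memory directory shaped like the AD
diagram in the thread. Constructed example, not Tomcat code: it implements only
the two concrete filters discussed here, not a general LDAP filter evaluator."""

# Constructed stand-in for the AD tree: Accounting / IT / HR OUs under
# DC=AD,DC=com, plus a "tomcat" group in the default Users container.
# Group membership uses AD's native attribute, "member", holding user DNs.
DIRECTORY = [
    {"dn": "CN=John Doe,OU=Accounting,DC=AD,DC=com",
     "objectClass": ["user"], "sAMAccountName": "johnd", "cn": "John Doe"},
    {"dn": "CN=Jack Daniels,OU=Information Technologies,DC=AD,DC=com",
     "objectClass": ["user"], "sAMAccountName": "jackd", "cn": "Jack Daniels"},
    {"dn": "CN=Mary Jane,OU=Human Resources,DC=AD,DC=com",
     "objectClass": ["user"], "sAMAccountName": "maryj", "cn": "Mary Jane"},
    {"dn": "CN=tomcat,CN=Users,DC=AD,DC=com", "objectClass": ["group"],
     "cn": "tomcat",
     "member": ["CN=John Doe,OU=Accounting,DC=AD,DC=com",
                "CN=Mary Jane,OU=Human Resources,DC=AD,DC=com"]},
]

# The server.xml realm attributes, as a dict (hypothetical values). userBase at
# the domain root plus userSubtree="true" is what finds users spread over OUs.
REALM = {
    "userBase": "DC=AD,DC=com", "userSubtree": True,
    "userSearch": "(&(sAMAccountName={0})(objectClass=user))",
    "roleBase": "DC=AD,DC=com", "roleSubtree": True,
    "roleSearch": "(member={0})", "roleName": "cn",
}

# RFC 4515 escaping for a value substituted into a search filter. The login
# name typed at the BASIC/FORM prompt lands inside userSearch via {0}, so any
# filter metacharacters in it must be escaped to match literally.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
                   "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template, value):
    """Substitute {0} as the realm does, with the value escaped first."""
    return template.replace("{0}", escape_filter_value(value))


def dn_components(dn):
    # Constructed DNs contain no escaped commas, so a plain split suffices.
    # DN comparison is case-insensitive and ignores spaces around commas.
    return [c.strip().lower() for c in dn.split(",")]


def in_scope(dn, base, subtree):
    """userSubtree/roleSubtree semantics: True covers the whole tree under
    base, False only entries one RDN below it."""
    d, b = dn_components(dn), dn_components(base)
    if len(d) <= len(b) or d[-len(b):] != b:
        return False
    return subtree or len(d) == len(b) + 1


def find_user(directory, realm, login):
    """Step 1, the userSearch: the single entry under userBase with this
    sAMAccountName and objectClass=user. None if absent or ambiguous."""
    hits = [e["dn"] for e in directory
            if in_scope(e["dn"], realm["userBase"], realm["userSubtree"])
            and "user" in e.get("objectClass", [])
            and e.get("sAMAccountName", "").lower() == login.lower()]
    return hits[0] if len(hits) == 1 else None


def roles_for(directory, realm, user_dn):
    """Step 3, the roleSearch "(member={0})" with the user's DN substituted:
    every group under roleBase listing that DN contributes its cn as a role."""
    user = dn_components(user_dn)
    return sorted(e[realm["roleName"]] for e in directory
                  if in_scope(e["dn"], realm["roleBase"], realm["roleSubtree"])
                  and any(dn_components(m) == user for m in e.get("member", [])))


def authenticate(directory, realm, login, password, bind_ok):
    """Whole flow: find the user, bind as that DN with the supplied password
    (step 2; bind_ok stands in for the directory's simple bind), then collect
    roles. Returns (user_dn, roles), or None when any step fails."""
    user_dn = find_user(directory, realm, login)
    if user_dn is None or not bind_ok(user_dn, password):
        return None
    return user_dn, roles_for(directory, realm, user_dn)


if __name__ == "__main__":
    def demo_bind(dn, password):      # constructed: one password is "right"
        return password == "correct horse"

    print(render_filter(REALM["userSearch"], "jo*hn"))
    print(authenticate(DIRECTORY, REALM, "johnd", "correct horse", demo_bind))
    # Same user, but userSubtree="false": John sits one OU below the base.
    print(find_user(DIRECTORY, dict(REALM, userSubtree=False), "johnd"))
```

The last call is the "where are all the users" symptom from earlier in the thread: with userSubtree="false" the search only looks directly under userBase, so anyone inside a department OU is never found.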

RE: JNDIRealm...more

2003-11-04 Thread Robyne Vaughn
Thanks.


RE: JNDIRealm...more

2003-11-04 Thread Hart, Justin
Good luck.


RE: JNDIRealm...more

2003-11-04 Thread Robyne Vaughn
Thanks, Justin,
You've given me some good pointers.  I guess I'll do some more hammering
and snooping.
Our AD is on a server and the administrators gave me an administrator
type password to try hitting it with, but they don't want me snooping
around too much.  I don't actually have direct access to it.  Like I
said, I have hit it with some JNDI, but that is new to me also, and I
still couldn't discover the tree structure adequately. 
Anyway, I guess I'll try to pull things out of the loading script and my
LDAP books.  It's so frustrating.  I can't find and the administrators
don't know where the collective "all" of our users are located.  They
found an example script, used it, and don't really know what they have
yet.

I really appreciate your time.
Thanks, 
Rob
PS I expect I'll have more questions later.  Right now, I'm still stuck
just figuring out where "all users" are.


RE: JNDIRealm...more

2003-11-04 Thread Hart, Justin
Oh, for the AD LDAP, I've been using the programs that came with Active Directory.  
There is also an ldp.exe, I dunno where that came from, but that's pretty useful.


RE: JNDIRealm...more

2003-11-04 Thread Hart, Justin
I used * as my role-name.

Justin


-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 11:14 AM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


1)  In terms of active directory, the roleSearch, in this case, would be
a group that the person logging in needs to be a member of.  In terms of
mine, it would be the "ALL" mailing list for my company.  What you need
to do, is browse around in active directory's LDAP (I assume that you're
doing this against active directory) and find the entry that describes
the NT group that you want all of your members to be a member of.
CN=tomcat is just part of the DN that identifies that group for the
other guy in this thread.
2)  K, you need to get to your base directory that contains users.
That could be multiple OU's deep, in terms of active directory, it
probably is, you'll probably have 1 layer for say, job sites, and
another for Users (hence Users).  You'll see it if you browse down your
active directory tree... just enter the DN describing the level
containing your users.
3)  web.xml contains the stuff specific to logging in, so essentially,
whatever you use for authentication now, can still be used, as long as
the data jibes with what's in your active directory.

Is that Users there a CN or an OU?

Justin

-Original Message-
From: Robyne Vaughn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 12:08 PM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


Hi,
I've been watching your emails and I'm still trying to understand.  I
have a couple of ldap books and I'm trying to figure some things out.  I
can authenticate to AD with known OU's and known common names, but I
can't use basic or form authentication and get them authenticated with
just a user-id and password. 

What is: roleSearch="(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC=com)"
1. Specifically, what is CN=tomcat? Is that a role which has been
set up in AD?

What is: userBase="OU=Users,OU=[My OU],DC=[Domain],DC=com"
2. Specifically, what is OU=[My OU]?

3. What did you put in your web-app web.xml?

My AD administrators have not been able to explain our tree structure to
me.  Either I'm asking the wrong questions, or they don't understand it
either.  They have given me a copy of the script they used to load it.
I'm trying to look thru the script to discover the tree structure.

Also, they printed a screen print from their AD administrative tool.  It
has this sort of structure:

Active Directory Users and Computers
  lubbock.isd
    Builtin
    CO
    Computers
    Disabled Accounts
    Elem
    ForeignSecurityPrincipals
    HS
    JH
    LostAndFound
    Microsoft Exchange System Object
    OG
    System
    Users


Should that tell me what to plug into the OU?  I know if I hit the AD
with an Administrative name, password and its OU, then I authenticate.
For instance "CN=Administratorname,OU=CO,dc=lubbock,dc=isd".   CO
stands for central office (in this case.)  I know that this
administrative name is in the OU=CO.  What do I do if my user is not in
OU=CO?
 
How do I authenticate when I'm not given the person's specific OU?   

I don't understand why you're specifying 2 different values for OU?

Any help would be appreciated.

Thanks,
rob

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 9:13 AM
To: Tomcat Users List
Subject: RE: JNDIRealm...more


I just got i

RE: JNDIRealm...more

2003-11-04 Thread Robyne Vaughn
Justin, 
I REALLY appreciate your help.  I've been stuck for a while.
I believe that Users is a CN.  (Scanning thru the script, I don't see
Users ever set as an OU, but I do see it as a CN.)

How are you browsing around in AD's LDAP?  I have a jndi jsp that I've
tried finding things with. 

One bit of info:  The AD I am trying to authenticate to is on a
different box than the one I work on.  I do know to hit AD with a
connection name and password, then I've tried to use the sAMAccountname
but have been unsuccessful.  I can't quite get my "path" worked out.

I will look thru the DN, to see if I can find where all the users are a
member.  

In my web.xml, I have tried form based and basic authentication.  Which
are you using and don't you have to specify this stuff?:



Would the role-name be the entry in the tomcat users or would it be an
entry in the AD?
This is a new web-app I'm trying to get up and it will be the first one
in our group to authenticate against the AD.
Our previous authentication is being eliminated.


RE: JNDIRealm...more

2003-11-04 Thread Hart, Justin
1)  In terms of active directory, the roleSearch, in this case, would be
a group that the person logging in needs to be a member of.  In terms of
mine, it would be the "ALL" mailing list for my company.  What you need
to do is browse around in active directory's LDAP (I assume that you're
doing this against active directory) and find the entry that describes
the NT group that you want all of your members to be a member of.
CN=tomcat is just part of the DN that identifies that group for the
other guy in this thread.
2)  OK, you need to get to your base directory that contains users.
That could be multiple OUs deep; in terms of active directory, it
probably is.  You'll probably have 1 layer for, say, job sites, and
another for Users (hence Users).  You'll see it if you browse down your
active directory tree... just enter the DN describing the level
containing your users.
3)  web.xml contains the stuff specific to logging in, so essentially,
whatever you use for authentication now can still be used, as long as
the data jibes with what's in your active directory.

Is that Users there a CN or an OU?

Justin


RE: JNDIRealm...more

2003-11-04 Thread Robyne Vaughn
Hi,
I've been watching your emails and I'm still trying to understand.  I
have a couple of ldap books and I'm trying to figure some things out.  I
can authenticate to AD with known OU's and known common names, but I
can't use basic or form authentication and get them authenticated with
just a user-id and password.

What is:
roleSearch="(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC=com)"
1.  Specifically, what is CN=tomcat?  Is that a role which has been
set up in AD?

What is: userBase="OU=Users,OU=[My OU],DC=[Domain],DC=com"
2.  Specifically, what is OU=[My OU]?

3.  What did you put in your web-app web.xml?

My AD administrators have not been able to explain our tree structure to
me.  Either I'm asking the wrong questions, or they don't understand it
either.  They have given me a copy of the script they used to load it.
I'm trying to look through the script to discover the tree structure.

Also, they printed a screen print from their AD administrative tool.  It
has this sort of structure:
Active Directory Users and Computers
  lubbock.isd
    Builtin
    CO
    Computers
    Disabled Accounts
    Elem
    ForeignSecurityPrincipals
    HS
    JH
    LostAndFound
    Microsoft Exchange System Object
    OG
    System
    Users

Should that tell me what to plug into the OU?  I know if I hit the AD
with an Administrative name, password and its OU, then I authenticate.
For instance "CN=Administratorname,OU=CO,dc=lubbock,dc=isd".  CO
stands for central office (in this case).  I know that this
administrative name is in the OU=CO.  What do I do if my user is not in
OU=CO?

How do I authenticate when I'm not given the person's specific OU?

I don't understand why you're specifying 2 different values for OU?

Any help would be appreciated.

Thanks,
rob




RE: JNDIRealm...more

2003-11-04 Thread Hart, Justin
I just got it working...

A million thank yous!  I didn't really understand LDAP until learning
(some) about it yesterday, and once I started learning it, your example
made perfect sense, and now I can authenticate my users!

This rules very much!

Justin




RE: JNDIRealm...more

2003-11-03 Thread Hart, Justin
Ok, what about sAMAccountname?  I'm browsing through my LDAP, and don't
see any keys that match that... would that be whatever key matches the
username I want typed in?




RE: JNDIRealm...more

2003-11-03 Thread RPITRE
You don't need the admin password, you do need a domain account that has
read permissions... just about any account will do this... create a test
account... and use that instead of the admin account.



RE: JNDIRealm...more

2003-11-03 Thread Hart, Justin
Is there a way to do this without the admin password in the file?

What is sAMAccountName?

Also, not terribly versed in LDAP, what is "My OU"?

Justin




RE: JNDIRealm...more

2003-11-03 Thread RPITRE
Here's what I have... this works for me... hope this helps

<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://[domain controller]:389"
       userBase="OU=Users,OU=[My OU],DC=[Domain],DC=com"
       userSearch="(sAMAccountName={0})"
       userRoleName="member"
       roleBase="OU=Users,OU=[my OU],DC=[Domain],DC=com"
       roleName="memberOf"
       roleSearch="(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC=com)"
       connectionName="CN=Administrator,CN=Users,DC=[Domain],DC=com"
       connectionPassword="[password]"
       roleSubtree="true"
       userSubtree="true"/>

-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 03, 2003 12:57 PM
To: Tomcat Users List
Subject: JNDIRealm...more

My server.xml now looks like this :




Reading through the log shows no errors, just that the realm is opening and
closing connections with my LDAP server, after 3 tries, it tells me that I
need to use http authentication.

What's going wrong here?

Justin

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

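The following is an added example, not code from this thread or from Tomcat itself: a stdlib-only Python model of the lookup that Justin describes in his 11:14 AM reply and that the JNDIRealm settings posted in this thread perform (bind as the connectionName account, search userBase for the sAMAccountName, rebind as the entry that was found, then look up groups under roleBase). The directory entries, the names svc-tomcat, jdoe and broe, the group CN=tomcat under DC=lubbock,DC=isd and the REALM attribute values are all constructed; the role lookup uses a plain (member={0}) group search rather than the memberOf filter posted in this thread. Two checks worth confirming against any real realm are built in: the substituted username is escaped per RFC 4515 so a typed `*` or `)` cannot widen the user search, and an empty password is refused instead of being sent to the server, where it would be treated as an anonymous bind.

```python
"""Model of a Tomcat JNDIRealm login over a small constructed directory.

Not Tomcat code.  It reproduces the two-step lookup (service-account bind,
user search, bind as the found user, group search) over entries laid out
like the CO / Elem / HS tree in this thread.  Only "(attr=value)" filters
are understood, with "*" as a wildcard and "\\XX" hex escapes.
"""
import re

# Constructed sample directory: DN -> attributes.  Passwords are samples.
DIRECTORY = {
    "CN=svc-tomcat,CN=Users,DC=lubbock,DC=isd": {
        "sAMAccountName": ["svc-tomcat"], "userPassword": ["svc-sample-pw"]},
    "CN=Jane Doe,OU=CO,DC=lubbock,DC=isd": {
        "sAMAccountName": ["jdoe"], "userPassword": ["jane-sample-pw"]},
    "CN=Bob Roe,OU=Staff,OU=HS,DC=lubbock,DC=isd": {
        "sAMAccountName": ["broe"], "userPassword": ["bob-sample-pw"]},
    "CN=tomcat,CN=Users,DC=lubbock,DC=isd": {
        "cn": ["tomcat"], "member": ["CN=Jane Doe,OU=CO,DC=lubbock,DC=isd"]},
}

# Assumed realm attributes, as they would sit on the <Realm> element.
# The service account only needs read access to the directory.
REALM = {
    "connectionName": "CN=svc-tomcat,CN=Users,DC=lubbock,DC=isd",
    "connectionPassword": "svc-sample-pw",
    "userBase": "DC=lubbock,DC=isd", "userSubtree": True,
    "userSearch": "(sAMAccountName={0})",
    "roleBase": "CN=Users,DC=lubbock,DC=isd", "roleSubtree": True,
    "roleSearch": "(member={0})", "roleName": "cn",
}


def escape_filter_value(value):
    """RFC 4515 escaping: a typed username cannot change the filter's shape."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def _norm_dn(dn):
    return ",".join(part.strip() for part in dn.split(",")).lower()


def in_scope(dn, base, subtree):
    """Is dn below base at any depth (subtree) or exactly one RDN (one-level)?"""
    d, b = _norm_dn(dn), _norm_dn(base)
    if not d.endswith("," + b):
        return False
    rest = d[: -len(b) - 1]
    return True if subtree else "," not in rest


def _value_regex(pattern):
    """Filter value -> regex: an unescaped '*' is a wildcard, '\\XX' a literal."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 3 <= len(pattern):
            out.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))
            i += 3
        elif pattern[i] == "*":
            out.append(".*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)


def search(base, subtree, ldap_filter):
    """Return the DNs under base whose attribute matches a '(attr=value)' filter."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("only simple equality filters are modelled")
    attr, rx = m.group(1).lower(), _value_regex(m.group(2))
    hits = []
    for dn, entry in DIRECTORY.items():
        values = [v for k, vs in entry.items() if k.lower() == attr for v in vs]
        if in_scope(dn, base, subtree) and any(rx.fullmatch(v) for v in values):
            hits.append(dn)
    return hits


def bind(dn, password):
    """Simple bind: the entry must exist and the password must match.
    An empty password is refused; LDAP would treat it as an anonymous bind."""
    entry = next((e for d, e in DIRECTORY.items() if _norm_dn(d) == _norm_dn(dn)), None)
    return bool(entry) and password != "" and password in entry.get("userPassword", [])


def authenticate(username, password, realm=REALM):
    """Bind as the service account, find the user, rebind as it, collect roles.
    Returns (user DN, sorted role names) or None when the login is refused."""
    if not bind(realm["connectionName"], realm["connectionPassword"]):
        raise RuntimeError("service account bind failed")
    user_filter = realm["userSearch"].replace("{0}", escape_filter_value(username))
    found = search(realm["userBase"], realm["userSubtree"], user_filter)
    if len(found) != 1:  # unknown or ambiguous user: refuse
        return None
    user_dn = found[0]
    if not bind(user_dn, password):
        return None
    # {0} is the user's DN and {1} the typed name, as in JNDIRealm's roleSearch.
    role_filter = (realm["roleSearch"]
                   .replace("{0}", escape_filter_value(user_dn))
                   .replace("{1}", escape_filter_value(username)))
    roles = sorted(v for dn in search(realm["roleBase"], realm["roleSubtree"], role_filter)
                   for v in DIRECTORY[dn].get(realm["roleName"], []))
    return user_dn, roles


if __name__ == "__main__":
    print(authenticate("jdoe", "jane-sample-pw"))  # found in OU=CO via subtree search
    print(authenticate("broe", "bob-sample-pw"))   # found two OUs deep, no group
```

With userSubtree set to true the user base can be the domain root, which is how a login succeeds without knowing the person's OU; switching the same realm to one-level scope under OU=CO finds jdoe but not broe. The two search calls at the end of the test show why the escaping matters: a raw `(sAMAccountName=*)` matches every user entry, while the escaped form matches none.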