Re: Tomcat, JSP and LDAP
On Mar 20, 2012 5:26 PM, "Pid *" wrote:
>
> On 20 Mar 2012, at 00:43, Martin Gainty wrote:
>
> > i would make sure your welcome-file and form-login-page and url-pattern are all located in the same spot
>
> And that's an example of why people shouldn't listen to your advice,
> which is wrong (again).
>
> > /WEB-INF/x/login.jsp
>
> Never do the above.
>
> > /WEB-INF/x/login.jsp
>
> The above is what I said.
>
> > /WEB-INF/x/suites.jsp
>
> This is nonsense. Answers on a postcard as to why.
>
> > any reason why you're placing your jsps under WEB-INF instead of in the usual location of webapps/webAppName?
>
> a) they're the login form/error page and aren't supposed to be
> accessed directly.
>
> b) because that's a good place to put views that are forwarded to by a
> controller, and aren't otherwise supposed to be accessed directly.
>
> p
>
> > Martin
> >> From: neilmu...@gmail.com
> >> Date: Mon, 19 Mar 2012 10:35:54 +
> >> Subject: Re: Tomcat, JSP and LDAP
> >> To: users@tomcat.apache.org
Re: Tomcat, JSP and LDAP
On 19 March 2012 14:36, Christopher Schultz wrote:
> Neil,
>
> On 3/19/12 6:35 AM, Neil Munro wrote:
>> This is the layout of my web.xml file:
>>
>> PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
>> "http://java.sun.com/dtd/web-app_2_3.dtd">
>
> Webapp version mismatch. This almost certainly isn't causing problems,
> but it will eventually. Pick one: 2.3 or 2.4 and stick with it.
>
>> /WEB-INF/login/login.jsp
>
> You don't want that. If you hit http://yourserver/context/ then you'll
> be redirected to /WEB-INF/login/login.jsp and you can't access
> anything in /WEB-INF/ directly like that. This is likely one of your
> initial problems.
>
> Instead, make "index.jsp" or something similar your <welcome-file> and
> then let the container redirect to the login page when authentication
> is necessary (that's how it works).
>
> I highly recommend that you go back and re-read the servlet
> specification sections on Form Authentication, even if you have read
> it already. It's short and readable and you are obviously a little
> rusty. Re-reading will be very helpful, I'm sure. Make sure you read
> the version of the spec that you are actually using, too ;)
>
>> Public Area
>> my company users
>
> You will need a <url-pattern> in <web-resource-collection>. Otherwise,
> you aren't protecting anything. Your log file shows that no security
> constraints are applicable, so there is no reason to request
> authentication from the user.
>
> Try setting the <url-pattern> to:
>
> /*
>
> That will protect the entire webapp.
>
> You don't need your "protected area" security constraint at all, since
> the container will never allow direct-access to /WEB-INF.
>
>> FORM
>> /WEB-INF/login/login.jsp
>> /WEB-INF/login/fail_login.jsp
>>
>> my company users
>
> Also looks good.
>
>> There is a login directory under WEB-INF with the files inside it,
>> but I just get a 404 error when I try to access the pages that way,
>> I don't understand how this format works, if /login.jsp refers to
>> the login.jsp file located under the jsp directory
>
> It doesn't.
>
>> how does /WEB-INF mean the WEB-INF directory at the same level as
>> jsp and not a directory inside jsp called WEB-INF?
>
> It doesn't.
>
> It sounds like your file structure looks like this:
>
> - webapp
>   |- jsp
>   |- WEB-INF
>   |- WEB-INF/login
>
> If you have all your /other/ JSP files under webapp/jsp, then you'll
> have to access them using a URL like /webapp/jsp/whatever.jsp. You
> cannot request /WEB-INF/login/login.jsp because the container is
> required to veto such requests. Instead, request another resource...
> the container is allowed to serve indirect requests to
> /WEB-INF/login/login.jsp and so that's what it will do.
>
>> I have been informed there's a global user in the system that can
>> be used to make the initial connection, so my realm config looks
>> like this now:
>> className="org.apache.catalina.realm.JNDIRealm"
>> connectionName="uid=connectuser,ou=my company
>> users,dc=mycompany,dc=com" connectionPassword="parliament"
>
> That seems like a reasonable thing to do. Anonymous bind might be
> better so you don't have to put any credentials into your server.xml
> file, but you are certainly using a non-privileged user for this, right?
>
>> connectionURL="ldap://my.ldap.server"
>> alternateURL="ldap://my.ldap.server" userBase="ou=my company
>> users,dc=mycompany,dc=com" userSearch="(sAMAccountName={0})"
>> userPattern="uid={0},ou=my company users,dc=mycompany,dc=com"
>> userPassword="userpassword"
>
> This will configure JNDIRealm to take the user's password, hash it
> (except not in your case since you haven't set a "digest" attribute)
> and then compare it to the user's "userpassword" attribute.
>
>> roleBase="ou=my company users,dc=mycompany,dc=com"
>> roleSubtree="true" roleName="cn" roleSearch="(uniqueMember={0})"
>> />
>>
>> By working what I mean is that with the connection user in place,
>> I get a list of users populating the selection box in the html page
>> so the query runs and returns what I expect it to, but I still
>> cannot get the system to verify a user and take them to a pag
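Putting Chris's corrections together, as an added example rather than a file from the thread: a web.xml that keeps one descriptor version, names a welcome file that lives outside WEB-INF, and gives the security constraint the url-pattern it was missing. The display-name, role name and login page paths are the thread's; index.jsp and the 2.4 schema are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml (added example). One descriptor version only: the
     thread mixed a 2.3 DOCTYPE with 2.4 content; this file is plain 2.4. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <display-name>Regressions Web GUI: V2</display-name>

  <!-- The container never serves /WEB-INF/... directly, so the welcome
       file must be an ordinary resource (index.jsp is an assumed name).
       Because it is protected below, requesting it is what triggers the
       redirect to the login form. -->
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <!-- Without a url-pattern nothing is protected and the container has
       no reason to ask for credentials; /* covers the whole application.
       No second constraint is needed for /WEB-INF/login/*: direct requests
       there are refused anyway, while the container may still forward to
       those pages itself. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>my company users</role-name>
    </auth-constraint>
    <!-- If the site is served over TLS, add a user-data-constraint with
         transport-guarantee CONFIDENTIAL so the form is never posted
         over plain HTTP. Left out here because the thread's Tomcat only
         has an HTTP connector on port 80. -->
  </security-constraint>

  <!-- The login page must POST to j_security_check with fields named
       j_username and j_password (hence Dan's note about the select). -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/WEB-INF/login/login.jsp</form-login-page>
      <form-error-page>/WEB-INF/login/fail_login.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role used in an auth-constraint is declared once here; the
       JNDIRealm maps it to the group's cn via roleName="cn". -->
  <security-role>
    <role-name>my company users</role-name>
  </security-role>
</web-app>
```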
Re: Tomcat, JSP and LDAP
On 18 March 2012 18:04, Pid wrote:
> On 18/03/2012 13:34, Neil Munro wrote:
>
>> As for moving my login and fail_login jsp to web-inf the pages could not be
>> located and I had a go working in the web.xml file pointing to a path
>> relative to /../web-inf/ or similar, I shall try again but I did try your
>> suggestion and will try again just to ensure I didn't simply make a typo.
>
> WEB-INF not web-inf.
>
> This will work:
>
> FORM
> /WEB-INF/x/login.jsp
> /WEB-INF/x/fail_login.jsp
>
> Substitute the 'x' for the directory of your choice.
>
> p

This is the layout of my web.xml file:

http://java.sun.com/dtd/web-app_2_3.dtd">
Regressions Web GUI: V2
A Web GUI for RIP regression test results: Version 2.
/WEB-INF/login/login.jsp
Public Area
my company users
Protected Area
/WEB-INF/login/suites.jsp
/WEB-INF/login/login.jsp
/WEB-INF/login/fail_login.jsp
my company users
FORM
/WEB-INF/login/login.jsp
/WEB-INF/login/fail_login.jsp
my company users

There is a login directory under WEB-INF with the files inside it, but I just get a 404 error when I try to access the pages that way. I don't understand how this format works: if /login.jsp refers to the login.jsp file located under the jsp directory, how does /WEB-INF mean the WEB-INF directory at the same level as jsp and not a directory inside jsp called WEB-INF?

I have been informed there's a global user in the system that can be used to make the initial connection, so my realm config looks like this now:

ldap://my.ldap.server"
alternateURL="ldap://my.ldap.server"
userBase="ou=my company users,dc=mycompany,dc=com"
userSearch="(sAMAccountName={0})"
userPattern="uid={0},ou=my company users,dc=mycompany,dc=com"
userPassword="userpassword"
roleBase="ou=my company users,dc=mycompany,dc=com"
roleSubtree="true"
roleName="cn"
roleSearch="(uniqueMember={0})" />

By working what I mean is that with the connection user in place, I get a list of users populating the selection box in the html page, so the query runs and returns what I expect it to, but I still cannot get the system to verify a user and take them to a page inside the web app.

I have appended the logging level line and done as you suggested, here is the log output:

2012-03-19 10:24:04 Commons Daemon procrun stderr initialized
Mar 19, 2012 10:24:05 AM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path:
Mar 19, 2012 10:24:05 AM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-80
Mar 19, 2012 10:24:05 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 352 ms
Mar 19, 2012 10:24:05 AM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Mar 19, 2012 10:24:05 AM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.35
Mar 19, 2012 10:24:05 AM org.apache.catalina.realm.RealmBase init
FINE: Register Realm Catalina:type=Realm,realmPath=/realm0
Mar 19, 2012 10:24:05 AM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor host-manager.xml
Mar 19, 2012 10:24:05 AM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor manager.xml
Mar 19, 2012 10:24:05 AM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive regressions.war
Mar 19, 2012 10:24:05 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory docs
Mar 19, 2012 10:24:05 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO:
Re: Tomcat, JSP and LDAP
On Mar 16, 2012 7:22 PM, "Christopher Schultz" wrote:
>
> Neil,
>
> On 3/16/12 6:23 AM, Neil Munro wrote:
> > On 15 March 2012 18:24, Christopher Schultz
> > className="org.apache.catalina.realm.JNDIRealm"
> > connectionName="uid={0},ou=my company users,dc=mycompany,dc=com "
> > connectionPassword="userPassword"
> > connectionURL="ldap://my.ldap.server"
> > alternateURL="ldap://my.ldap.server" roleBase="ou=my company
> > users,dc=mycompany,dc=com" roleName="cn"
> > roleSearch="(uniqueMember={0})" userPattern="uid={0},ou=my company
> > users,dc=mycompany,dc=com" />
> >
> > I have added those changes, as for which connection mode I need, I
> > think bind would be ok for now just to check to see if I can
> > establish a connection, but looking at it I think if I will be
> > querying ldap for a user name and password then comparison mode is
> > what I need.
>
> That's kind of the first decision you have to make when using LDAP for
> authentication: what user makes the initial connection? From your
> later post, it's not clear how you are connecting to the LDAP server
> in order to fetch the valid user ids. Can you provide the setup
> information for your InitialDirContext (sanitized, of course)?
>
> > However with this configuration my whole app becomes inaccessible,
> > I imagine it's some form of protection or permissions thing, but in
> > my floundering around trying things, this is the only thing that
> > seems to have any effect on the whole app.
>
> I thought the whole app was supposed to be unavailable unless the user
> successfully logged-in. Do I have that wrong? A misconfigured JNDI
> realm *should* lock you out of the entire app because authentication
> always fails.
>
> >> Can you run any queries against the LDAP server outside of Tomcat
> >> that give you results that you might expect? For instance, can
> >> you do a search of the LDAP tree for a particular user? What does
> >> that query look like? When you do that search, are you using
> >> anonymous bind or are you using user bind? If user, which user?
> >> Some administrative user or the user whose credentials should be
> >> checked?
> >
> > I can connect with a tool called JXplorer, but I have not had any
> > luck from other applications, but that's due to inability to find
> > any up to date documentation on the libraries I was using.
>
> In JXplorer, are you able to run queries that look anything like those
> you are trying to use in your Realm configuration?
>
> Here is the most recent configuration you posted:
>
> connectionName="uid={0},ou=my company users,dc=mycompany,dc=com"
> connectionPassword="userPassword"
> connectionURL="ldap://my.ldap.server.com"
> alternateURL="ldap://my.ldap.server.com"
> roleBase="ou=my company users,dc=mycompany,dc=com"
> roleName="cn"
> roleSearch="(uniqueMember={0})"
> userPattern="uid={0},ou=my company users,dc=mycompany,dc=com" />
>
> You said this "currently works": did you mean that was your current
> (non-working) setup, or that this setup actually works?
>
> I don't believe connectionName can be parameterized. I think that's
> intended to be used when using a "manager" user to connect to the LDAP
> server in order to perform comparison-mode authentication.
>
> userPattern="uid={0},ou=my company users,dc=mycompany,dc=com"
>
> Does this actually match the DN pattern of your users? (It might help
> if you were to post the full LDIF record for a sample user. Same with
> a group record.)
>
> roleSearch="(uniqueMember={0})"
>
> Using OpenLDAP's 'ldapsearch' command-line utility, I can search my
> own LDAP database for groups containing myself like this:
>
> $ ldapsearch -x 'uniqueMember:=uid=schultz,dc=mydomain,dc=mytld' cn
>
> Note that "-x" means "simple bind" -- that is, anonymous. Also note
> that I have to use "uniqueMember:=" instead of simply "uniqueMember="
> because the uniqueMember value contains = signs. I'm not sure if that
> will have any effect because I don't have a Java-based JNDI probe
> available to me at the moment.
>
> At this point, you are basically bumbling around in the dark. I highly
> recommend enabling debug logging for the JNDIRealm component (really
> the contain
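The "manager user" realm Chris describes, written out as an added example rather than a configuration taken from the thread: the connect account does the search, the realm then binds as the DN it found. The DN, OU, host and account names are the thread's placeholders; ldaps on port 636, the uid filter attribute and the password placeholder are assumptions.

```xml
<!-- conf/server.xml, inside the Engine or Host element (added example).
     Rejected form from the thread: {0} is not substituted inside
     connectionName, so the manager bind itself fails and every login is
     refused:
         connectionName="uid={0},ou=my company users,dc=mycompany,dc=com"
         connectionPassword="userPassword"
     connectionName must be a literal DN of a dedicated, read-only account
     that can only read the user and group subtrees; the password lives in
     server.xml, so keep that file readable by the Tomcat user alone. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://my.ldap.server:636"
       alternateURL="ldaps://my.ldap.server:636"

       connectionName="uid=connectuser,ou=my company users,dc=mycompany,dc=com"
       connectionPassword="CONNECTUSER_PASSWORD_PLACEHOLDER"

       userBase="ou=my company users,dc=mycompany,dc=com"
       userSearch="(uid={0})"
       userSubtree="true"

       roleBase="ou=my company users,dc=mycompany,dc=com"
       roleSearch="(uniqueMember={0})"
       roleSubtree="true"
       roleName="cn" />
<!-- Notes on the choices above:
     ldaps: the user's password is sent to the directory at bind time, so
       the connection itself should be TLS (port 636 is an assumption; check
       what JXplorer connects to).
     userSearch vs userPattern: use one or the other. {0} in userSearch is
       the login name and the filter attribute must be whatever the user
       entries really carry (the thread shows both uid and sAMAccountName).
     no userPassword: with it unset the realm binds as the found DN with
       the submitted password. Set userPassword only when the connect
       account is allowed to read that attribute; many directories,
       Active Directory among them, never return it, and the compare then
       fails for everyone.
     roleSearch: {0} is the authenticated user's full DN (and {1} the
       plain username), which is why Chris's ldapsearch test matches on
       uniqueMember with a DN value. roleName="cn" turns each matching
       group into a role name for web.xml. -->
```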
Re: Tomcat, JSP and LDAP
Yeah, sorry, that's fixed too now. My first error is that I have my server.xml realm almost set up, it's just when I try to load any page it's protected and can't be loaded, including the login.jsp file. Didn't even get to the login stage.

On 16 March 2012 15:07, Daniel Mikusa wrote:
>
> - Original Message -
> From: "Neil Munro"
> To: "Tomcat Users List"
> Sent: Friday, March 16, 2012 10:56:56 AM
> Subject: Re: Tomcat, JSP and LDAP
>
> On 16 March 2012 14:41, Pid wrote:
>> On 16/03/2012 14:13, Neil Munro wrote:
>>> I have since made some minor progress with LDAP queries; this login.jsp
>>> file, as you can see, queries for a list of valid users and creates a
>>> drop down list to choose from
>>>
>>> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
>>> <%@page
>>> import="javax.naming.*,javax.naming.directory.*,java.util.ArrayList;"%>
>>>
>>> Login
>>>
>
> If you're intending this to replace the standard login form's user name input
> text box then you'll need to set the name attribute of the select tag to
> 'j_username'.
>
> Like this...
>
> <select name="j_username">
>
> Dan
>
>> What are you expecting this select element to do?
>
> To do exactly what it does do, allow me to select from a list of users
> that's generated from the below jsp. It's about the only thing in my
> code that does work :S
>
>> p
>>
>>> <%
>>> DirContext ctx = new InitialDirContext();
>>> NamingEnumeration answer =
>>> ctx.search("ldap://my.ldap.server.com:389/ou=my company
>>> users,dc=mycompany,dc=com", "(uid=*)", null);
>>> ArrayList<String> als = new ArrayList<String>();
>>>
>>> while (answer.hasMore()) {
>>>     // Take line in as string
>>>     String output = answer.next().toString();
>>>
>>>     String[] tokens = output.split(",");
>>>     for (String t : tokens) {
>>>         if (t.contains("uid=uid:")) {
>>>             String[] ids = t.split(" ");
>>>             als.add(ids[2]);
>>>         }
>>>     }
>>> }
>>>
>>> for (String s : als) {
>>>     out.println("<option>" + s + "</option>");
>>> }
>>>
>>> // Close the context when we're done
>>> ctx.close();
>>> %>
>>>
>>> I am however still not able to get the server.xml file working with
>>> the realms, I did discover through some trial and error that my own
>>> ldap user had not been set up right and my system admin kindly fixed
>>> it for me, which could have led to some working code not to work.
>>>
>>> This is how it currently works:
>>>
>>> connectionName="uid={0},ou=my company
>>> users,dc=mycompany,dc=com"
>>> connectionPassword="userPassword"
>>> connectionURL="ldap://my.ldap.server.com"
>>> alternateURL="ldap://my.ldap.server.com"
>>> roleBase="ou=my company
>>> users,dc=mycompany,dc=com"
>>> roleName="cn"
>>> roleSearch="(uniqueMember={0})"
>>> userPattern="uid={0},ou=my company
Re: Tomcat, JSP and LDAP
On 16 March 2012 14:41, Pid wrote:
> On 16/03/2012 14:13, Neil Munro wrote:
>> I have since made some minor progress with LDAP queries; this login.jsp
>> file, as you can see, queries for a list of valid users and creates a
>> drop down list to choose from
>>
>> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
>> <%@page
>> import="javax.naming.*,javax.naming.directory.*,java.util.ArrayList;"%>
>>
>> Login
>>
>
> What are you expecting this select element to do?

To do exactly what it does do, allow me to select from a list of users that's generated from the below jsp. It's about the only thing in my code that does work :S

> p
>
>> <%
>> DirContext ctx = new InitialDirContext();
>> NamingEnumeration answer =
>> ctx.search("ldap://my.ldap.server.com:389/ou=my company
>> users,dc=mycompany,dc=com", "(uid=*)", null);
>> ArrayList<String> als = new ArrayList<String>();
>>
>> while (answer.hasMore()) {
>>     // Take line in as string
>>     String output = answer.next().toString();
>>
>>     String[] tokens = output.split(",");
>>     for (String t : tokens) {
>>         if (t.contains("uid=uid:")) {
>>             String[] ids = t.split(" ");
>>             als.add(ids[2]);
>>         }
>>     }
>> }
>>
>> for (String s : als) {
>>     out.println("<option>" + s + "</option>");
>> }
>>
>> // Close the context when we're done
>> ctx.close();
>> %>
>>
>> I am however still not able to get the server.xml file working with
>> the realms, I did discover through some trial and error that my own
>> ldap user had not been set up right and my system admin kindly fixed
>> it for me, which could have led to some working code not to work.
>>
>> This is how it currently works:
>>
>> connectionName="uid={0},ou=my company
>> users,dc=mycompany,dc=com"
>> connectionPassword="userPassword"
>> connectionURL="ldap://my.ldap.server.com"
>> alternateURL="ldap://my.ldap.server.com"
>> roleBase="ou=my company
>> users,dc=mycompany,dc=com"
>> roleName="cn"
>> roleSearch="(uniqueMember={0})"
>> userPattern="uid={0},ou=my company
>> users,dc=mycompany,dc=com" />
>>
>> On 16 March 2012 12:05, Pid wrote:
>>> On 16/03/2012 10:23, Neil Munro wrote:
>>>> On 15 March 2012 18:24, Christopher Schultz
>>>> wrote:
>>>> Neil,
>>>>
>>>> On 3/15/12 1:05 PM, Neil Munro wrote:
>>>>>>> connectionURL="ldap://my.ldap.server.com"
>>>>>>> alternateURL="ldap://my.ldap.server.com" userPattern="uid={0},ou=my
>>>>>>> company users,dc=mycompany,dc=com" />
>>>>
>>>> The "debug" attribute does not exist any more. Were you following some
>>>> kind of old example?
>>>>
>>>>> Yeah I must have been, I have removed it.
>>>>
>>>> I think you may need roleBase, roleName, and roleSearch attributes to
>>>> have a prayer of making this work. Also, with no userSearch parameter,
>>>> you are instructing the realm to connect
Re: Tomcat, JSP and LDAP
I have since made some minor progress with LDAP queries; this login.jsp file, as you can see, queries for a list of valid users and creates a drop down list to choose from:

"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<%@page import="javax.naming.*,javax.naming.directory.*,java.util.ArrayList;"%>
Login
<%
DirContext ctx = new InitialDirContext();
NamingEnumeration answer = ctx.search("ldap://my.ldap.server.com:389/ou=my company users,dc=mycompany,dc=com", "(uid=*)", null);
ArrayList<String> als = new ArrayList<String>();

while (answer.hasMore()) {
    // Take line in as string
    String output = answer.next().toString();

    String[] tokens = output.split(",");
    for (String t : tokens) {
        if (t.contains("uid=uid:")) {
            String[] ids = t.split(" ");
            als.add(ids[2]);
        }
    }
}

for (String s : als) {
    out.println("<option>" + s + "</option>");
}

// Close the context when we're done
ctx.close();
%>

I am however still not able to get the server.xml file working with the realms, I did discover through some trial and error that my own ldap user had not been set up right and my system admin kindly fixed it for me, which could have led to some working code not to work.

This is how it currently works:

ldap://my.ldap.server.com"
alternateURL="ldap://my.ldap.server.com"
roleBase="ou=my company users,dc=mycompany,dc=com"
roleName="cn"
roleSearch="(uniqueMember={0})"
userPattern="uid={0},ou=my company users,dc=mycompany,dc=com" />

On 16 March 2012 12:05, Pid wrote:
> On 16/03/2012 10:23, Neil Munro wrote:
>> On 15 March 2012 18:24, Christopher Schultz
>> wrote:
>> Neil,
>>
>> On 3/15/12 1:05 PM, Neil Munro wrote:
>>>>> connectionURL="ldap://my.ldap.server.com"
>>>>> alternateURL="ldap://my.ldap.server.com" userPattern="uid={0},ou=my
>>>>> company users,dc=mycompany,dc=com" />
>>
>> The "debug" attribute does not exist any more. Were you following some
>> kind of old example?
>>
>>> Yeah I must have been, I have removed it.
>>
>> I think you may need roleBase, roleName, and roleSearch attributes to
>> have a prayer of making this work. Also, with no userSearch parameter,
>> you are instructing the realm to connect in "bind" mode where the
>> user's credentials are used directly to bind to the LDAP server. Is
>> this appropriate?
>>
>>> connectionName="uid={0},ou=my company users,dc=mycompany,dc=com "
>>> connectionPassword="userPassword"
>>> connectionURL="ldap://my.ldap.server"
>>> alternateURL="ldap://my.ldap.server"
>>> roleBase="ou=my company users,dc=mycompany,dc=com"
>>> roleName="cn"
>>> roleSearch="(uniqueMember={0})"
>>> userPattern="uid={0},ou=my company users,dc=mycompany,dc=com" />
>>
>>> I have added those changes, as for which connection mode I need, I
>>> think bind would be ok for now just to check to see if I can establish
>>> a connection, but looking at it I think if I will be querying ldap for
>>> a user name and password then comparison mode is what I need.
>>
>>> However with this configuration my whole app becomes inaccessible, I
>>> imagine it's some form of protection or permissions thing, but in my
>>> floundering around trying thing
Re: Tomcat, JSP and LDAP
On 15 March 2012 18:24, Christopher Schultz wrote:
> Neil,
>
> On 3/15/12 1:05 PM, Neil Munro wrote:
>> connectionURL="ldap://my.ldap.server.com"
>> alternateURL="ldap://my.ldap.server.com" userPattern="uid={0},ou=my
>> company users,dc=mycompany,dc=com" />
>
> The "debug" attribute does not exist any more. Were you following some
> kind of old example?

Yeah I must have been, I have removed it.

> I think you may need roleBase, roleName, and roleSearch attributes to
> have a prayer of making this work. Also, with no userSearch parameter,
> you are instructing the realm to connect in "bind" mode where the
> user's credentials are used directly to bind to the LDAP server. Is
> this appropriate?

ldap://my.ldap.server"
alternateURL="ldap://my.ldap.server"
roleBase="ou=my company users,dc=mycompany,dc=com"
roleName="cn"
roleSearch="(uniqueMember={0})"
userPattern="uid={0},ou=my company users,dc=mycompany,dc=com" />

I have added those changes, as for which connection mode I need, I think bind would be ok for now just to check to see if I can establish a connection, but looking at it I think if I will be querying ldap for a user name and password then comparison mode is what I need.

However with this configuration my whole app becomes inaccessible, I imagine it's some form of protection or permissions thing, but in my floundering around trying things, this is the only thing that seems to have any effect on the whole app.

> You might want to re-read this section of the realm-howto:
>
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
>
> Can you run any queries against the LDAP server outside of Tomcat that
> give you results that you might expect? For instance, can you do a
> search of the LDAP tree for a particular user? What does that query
> look like? When you do that search, are you using anonymous bind or
> are you using user bind? If user, which user? Some administrative user
> or the user whose credentials should be checked?

I can connect with a tool called JXplorer, but I have not had any luck from other applications, but that's due to inability to find any up to date documentation on the libraries I was using.

>> FORM
>> /login.jsp
>> /fail_login.jsp
>
> That looks just fine: configuring the credential-gathering system is
> usually trivial. It's configuring the authentication system that is
> usually the problem.

Cool, at least some of this is working right, do you need to see those files btw?

> -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat, JSP and LDAP
On 15 March 2012 17:01, Pid * wrote:
> On 15 Mar 2012, at 16:23, Neil Munro wrote:
>
>> Hi all,
>> I am trying to implement a means to authenticate a user on a
>> web app via ldap, I have been trying for some time and am now
>> intimately familiar with the files I need to edit, but not exactly
>> how.
>>
>> I know that much of the ldap stuff goes into the server.xml file
>> inside of the tomcat conf directory, it is here I have been trying to
>> configure an ldap realm.
>
> OK. Can you post that bit of config, inline in your reply? Passwords
> etc redacted if necessary.

Sure, here you are:

ldap://my.ldap.server.com"
alternateURL="ldap://my.ldap.server.com"
userPattern="uid={0},ou=my company users,dc=mycompany,dc=com" />

>> I have attached the files I have been working
>> with, the basic idea is that a user must first log on before they can
>> access any area of the site, also all users can log in, and access all
>> areas of the site.
>
> Can you explain how you are configuring the auth, please? Are you
> using the container FORM authentication, for example?
>
> If so, can you post that bit of config inline in your reply?

Yes I am using, or rather trying to use, an html form to get the information to pass to ldap to authenticate.

FORM
/login.jsp
/fail_login.jsp

Thanks,
Neil

> p
>
>> A user is presented with the login page, and if they cannot be
>> authenticated they are alerted and are given the option to redirect
>> back to the login page. Which I have working, though I think that's
>> simply because I cannot get the logging in bit to work.
>>
>> I do not have access to the LDAP server or schema and cannot implement
>> changes to that, I can however alter the tomcat server, jsp files etc.
>> I am trying to write a company wide web app, and have free rein, but
>> it's historically been written in jsp so we want to keep as much of
>> that as we can.
>>
>> Software and versions: Tomcat 6.0.35, Java 1.4 through to 1.7 (I am
>> required to have all installed) and Windows 7 64.
>>
>> Any help would be fantastic as I have read lots of resources but
>> there's no definitive tutorial to set such a thing up.
>>
>> Thanks,
>> Neil Munro