AW: JNDIRealm - Active Directory Roles
Hello Felix,

thanks for the explanation! I got it now! What helped was to enable debugging:

    # conf/logging.conf
    # This would turn on trace-level for everything
    # the possible levels are: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL
    #org.apache.catalina.level = ALL
    #org.apache.catalina.handlers = 2localhost.org.apache.juli.FileHandler
    org.apache.catalina.realm.level = ALL
    org.apache.catalina.realm.useParentHandlers = true
    org.apache.catalina.authenticator.level = ALL
    org.apache.catalina.authenticator.useParentHandlers = true

I got this realm config now:

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionName="CN=SVC_TomcatLdapQuery,OU=Service Accounts,OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC="
           connectionPassword="PASS"
           connectionURL="ldap://server:389/OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC=?sAMAccountName?sub?(objectClass=*)"
           userSearch="(sAMAccountName={0})"
           userSubtree="true"
           roleSubtree="true"
           roleName="CN"
           userRoleName="memberOf" />

And I copied the manager-gui constraint in the web.xml of the manager application and put in my new role:

    <role-name>CN=DG_R_Tomcat Admins UAT,OU=Roles,OU=Spezielle Gruppen,OU=Hamburg,OU=SITES,OU=\#KONFIGURATION,DC=easycash,DC=de</role-name>

Thanks a lot!

Best Regards,
Bjoern

-----Original Message-----
From: Felix Schumacher [mailto:felix.schumac...@internetallee.de]
Sent: Saturday, 15 March 2014 21:52
To: users@tomcat.apache.org
Subject: Re: JNDIRealm - Active Directory Roles

On 13.03.2014 18:15, bjoern.bec...@easycash.de wrote:
> Hello,
>
> I am trying to implement the authentication for the Tomcat manager application against Active Directory. Unfortunately I don't understand the role concept. I'd like to give the users permission to open the manager when they're in this group:
>
>     memberOf: CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de
>
> server.xml:
>
>     <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>            connectionName="CN=SVC,OU=Service Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
>            connectionPassword="_2VK!WHzybn1SJ8P"
>            connectionURL="ldap://server:389/OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de?sAMAccountName?sub?(objectClass=*)"
>            userSearch="(sAMAccountName={0})"
>            userSubtree="true"
>            roleSearch="(memberof={0})"
>            roleSubtree="true"
>            userRoleName="CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de" />
>     <!-- roleBase="DC=DOM,DC=de" roleName="cn" -->
>
> With this configuration I can open the Manager, but I got no permissions. Even if the user-role relationship is found, I don't understand how I can assign Tomcat roles (e.g. manager-gui) to the user.

Looking at the documentation on http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm you have three settings which are most probably not correct.

* roleSearch will only be used if roleName is set (which is commented out in your configuration).
* roleSearch will be used to search for objects that match the given filter. In your case you would find user objects instead of group objects.
* userRoleName should be the name of an attribute in the user object (cn=... is not the name of an attribute, but rather a value).

So, given your goal that cn=tomcat admins,... should be a role, you have two options.

* You could activate roleName=cn (or another attribute name) and change the roleSearch to member={0}. Then the realm would (hopefully) find the object cn=tomcat admins,...
* You could change userRoleName to memberOf.

In the first case your user would have a role with the name "Tomcat Admins". The second option would lead to a role name of "cn=Tomcat Admins,...". In both cases you would have to change the security constraints in the webapp (those are defined in the WEB-INF/web.xml file). If your role objects had other attributes with values that match the roles defined in web.xml, you could simply change roleName in the first option above.

Regards
Felix

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
AW: JNDIRealm - Active Directory Roles
Well, I still got a problem. After activating my Active Directory realm the applications don't start anymore. I got this error:

    Mrz 17, 2014 1:49:28 PM org.apache.catalina.startup.HostConfig deployDescriptor
    Schwerwiegend: Error deploying configuration descriptor /app/tomcat2/tomcat/conf/Catalina/localhost/app.xml
    java.lang.IllegalStateException: ContainerBase.addChild: start: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/app]]
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:904)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:618)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:650)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1582)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
        at java.util.concurrent.FutureTask.run(FutureTask.java:262)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:744)

Best Regards,
Bjoern
Re: JNDIRealm - Active Directory Roles
On 17 March 2014 13:53:18 CET, bjoern.bec...@easycash.de wrote:
> Well, I still got a problem. After activating my Active Directory realm the applications don't start anymore. I got this error:
>
>     Mrz 17, 2014 1:49:28 PM org.apache.catalina.startup.HostConfig deployDescriptor
>     Schwerwiegend: Error deploying configuration descriptor /app/tomcat2/tomcat/conf/Catalina/localhost/app.xml
>     java.lang.IllegalStateException: ContainerBase.addChild: start: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/app]]
>     [...]

Have you looked at the localhost log file? Maybe you have a problem with web.xml?

Regards
Felix
AW: JNDIRealm - Active Directory Roles
Yes, I found this error:

    Mrz 17, 2014 12:50:59 PM org.apache.catalina.realm.UserDatabaseRealm startInternal
    Schwerwiegend: Exception looking up UserDatabase under key UserDatabase
    javax.naming.NameNotFoundException: Name [UserDatabase] is not bound in this Context. Unable to find [UserDatabase].
        at org.apache.naming.NamingContext.lookup(NamingContext.java:820)
        at org.apache.naming.NamingContext.lookup(NamingContext.java:168)
        at org.apache.catalina.realm.UserDatabaseRealm.startInternal(UserDatabaseRealm.java:255)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5168)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:618)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:650)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1582)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
        at java.util.concurrent.FutureTask.run(FutureTask.java:262)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:744)

While activating the AD realm I commented out the UserDatabase resource:

    <GlobalNamingResources>
      <!-- Editable user database that can also be used by
           UserDatabaseRealm to authenticate users
      -->
      <!--<Resource name="UserDatabase" auth="Container"
                type="org.apache.catalina.UserDatabase"
                description="User database that can be updated and saved"
                factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
                pathname="conf/tomcat-users.xml" />-->
    </GlobalNamingResources>

and:

    <!-- <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
                resourceName="UserDatabase"/> -->

May this be my problem? I thought the tomcat-users.xml and the UserDatabaseRealm are not necessary anymore?

Best Regards,
Bjoern
Re: JNDIRealm - Active Directory Roles
On 17.03.2014 13:05, bjoern.bec...@easycash.de wrote:
> Hello Felix,
>
> thanks for the explanation! I got it now! What helped was to enable debugging:
>
>     # conf/logging.conf
>     # This would turn on trace-level for everything
>     # the possible levels are: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL
>     #org.apache.catalina.level = ALL
>     #org.apache.catalina.handlers = 2localhost.org.apache.juli.FileHandler
>     org.apache.catalina.realm.level = ALL
>     org.apache.catalina.realm.useParentHandlers = true
>     org.apache.catalina.authenticator.level = ALL
>     org.apache.catalina.authenticator.useParentHandlers = true
>
> I got this realm config now:
>
>     <Realm className="org.apache.catalina.realm.JNDIRealm"
>            connectionName="CN=SVC_TomcatLdapQuery,OU=Service Accounts,OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC="
>            connectionPassword="PASS"
>            connectionURL="ldap://server:389/OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC=?sAMAccountName?sub?(objectClass=*)"
>            userSearch="(sAMAccountName={0})"
>            userSubtree="true"
>            roleSubtree="true"
>            roleName="CN"
>            userRoleName="memberOf" />

You should leave roleName and roleSubtree out of your configuration, since you are using userRoleName.

Regards
Felix
Re: JNDIRealm - Active Directory Roles
On 17.03.2014 14:31, bjoern.bec...@easycash.de wrote:
> Yes, I found this error:
>
>     Mrz 17, 2014 12:50:59 PM org.apache.catalina.realm.UserDatabaseRealm startInternal
>     Schwerwiegend: Exception looking up UserDatabase under key UserDatabase
>     javax.naming.NameNotFoundException: Name [UserDatabase] is not bound in this Context. Unable to find [UserDatabase].
>         at org.apache.naming.NamingContext.lookup(NamingContext.java:820)
>         at org.apache.naming.NamingContext.lookup(NamingContext.java:168)
>         at org.apache.catalina.realm.UserDatabaseRealm.startInternal(UserDatabaseRealm.java:255)
>     [...]
>
> While activating the AD realm I commented out the UserDatabase resource:
>
>     <GlobalNamingResources>
>       <!-- Editable user database that can also be used by
>            UserDatabaseRealm to authenticate users
>       -->
>       <!--<Resource name="UserDatabase" auth="Container"
>                 type="org.apache.catalina.UserDatabase"
>                 description="User database that can be updated and saved"
>                 factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>                 pathname="conf/tomcat-users.xml" />-->
>     </GlobalNamingResources>
>
> and:
>
>     <!-- <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>                 resourceName="UserDatabase"/> -->
>
> May this be my problem? I thought the tomcat-users.xml and the UserDatabaseRealm are not necessary anymore?

UserDatabase is needed for any UserDatabaseRealm you might have. So you will have to look into all of your contexts to see if you can disable UserDatabase.

And I believe you have to have one Realm (doesn't matter what type) in your host. I think there were some startup mechanisms relying on one realm to be there.

Regards
Felix
AW: JNDIRealm - Active Directory Roles
Thanks again! I keep the UserDatabase realm now, but I removed the path=tomcat-users.xml parameter. It's working now.

Regards,
Björn
Re: JNDIRealm - Active Directory Roles
On 13.03.2014 18:15, bjoern.bec...@easycash.de wrote:

> Hello,
>
> I try to implement the authentication for the tomcat manager application
> against active directory. Unfortunately I don't understand the role concept.
>
> I like to give the users permissions to open the manager when they're in
> this group:
>
>   memberOf: CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de
>
> server.xml:
>
>   <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>          connectionName="CN=SVC,OU=Service Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
>          connectionPassword="_2VK!WHzybn1SJ8P"
>          connectionURL="ldap://server:389/OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de?sAMAccountName?sub?(objectClass=*)"
>          userSearch="(sAMAccountName={0})"
>          userSubtree="true"
>          roleSearch="(memberof={0})"
>          roleSubtree="true"
>          userRoleName="CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
>   />
>   <!-- roleBase="DC=DOM,DC=de" roleName="cn" -->
>
> With this configuration I can open the Manager, but got no permissions.
> Even if the user-role relationship is found, I don't understand how I can
> assign tomcat roles (e.g. manager-gui) to the user.

Looking at the documentation on
http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm
you have three settings which are most probably not correct.

* roleSearch will only be used if roleName is set (which is commented out in
  your configuration).
* roleSearch will be used to search for objects that match the given filter.
  In your case you would find user objects instead of group objects.
* userRoleName should be the name of an attribute in the user object
  (cn=... is not a name of an attribute, but rather a value).

So given your goal, that cn=tomcat admins,... should be a role, you have two
options.

* You could activate roleName=cn (or another attribute name) and change the
  roleSearch to member={0}. Then the realm would (hopefully) find the object
  cn=tomcat admins,...
* You could change userRoleName to memberOf.

In the first case your user would have a role with the name Tomcat Admins.
The second option would lead to a role name of cn=Tomcat Admins,...

In both cases you would have to change the security constraints in the webapp
(those are defined in the WEB-INF/web.xml file). If your role objects had
other attributes with values that match the roles defined in web.xml, you
could simply change roleName in the first option above.

Regards
 Felix

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
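The two role-resolution options Felix describes, plus the original (memberof={0}) search, modelled as an added example against a small constructed in-memory directory. This is not code from the thread or from Tomcat; the DNs mirror the thread's placeholders and the user DN is assumed.

```python
# Added example, not code from the thread or from Tomcat. It models how
# JNDIRealm turns directory data into Tomcat role names under the options
# discussed above, using a constructed in-memory directory.
GROUP_DN = ("CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,OU=SITES,"
            "OU=\\#KONFIGURATION,DC=DOM,DC=de")
USER_DN = "CN=Bjoern,OU=Users,OU=SITES,OU=\\#KONFIGURATION,DC=DOM,DC=de"  # assumed

# Constructed directory: DN -> attributes. LDAP attribute names are
# case-insensitive, so keys are stored lower-cased; values are multi-valued.
DIRECTORY = {
    USER_DN: {"samaccountname": ["bjoern"], "memberof": [GROUP_DN]},
    GROUP_DN: {"cn": ["Tomcat Admins"], "member": [USER_DN]},
}


def _attr(attrs, name):
    """Case-insensitive attribute lookup returning a (possibly empty) list."""
    return attrs.get(name.lower(), [])


def find_user(sam_account_name):
    """userSearch=(sAMAccountName={0}): DN of the matching user, or None."""
    for dn, attrs in DIRECTORY.items():
        if sam_account_name in _attr(attrs, "sAMAccountName"):
            return dn
    return None


def roles_from_user_attribute(user_dn, user_role_name="memberOf"):
    """Option 2, userRoleName=memberOf: the attribute's raw values (full group
    DNs) become the role names, so web.xml has to list the whole DN."""
    return list(_attr(DIRECTORY[user_dn], user_role_name))


def roles_from_role_search(user_dn, search_attr="member", role_name="cn"):
    """Option 1, roleSearch=(member={0}) with roleName=cn: {0} is the user's
    DN; every object whose search_attr contains it contributes its role_name
    value. The realm ignores roleSearch entirely unless roleName is set."""
    if role_name is None:
        return []
    roles = []
    for attrs in DIRECTORY.values():
        if user_dn in _attr(attrs, search_attr):
            roles.extend(_attr(attrs, role_name))
    return roles


def can_access(roles, web_xml_role_names):
    """An <auth-constraint> grants access only if one of the realm's role
    names equals a <role-name> string in web.xml exactly."""
    return any(r in web_xml_role_names for r in roles)
```

With the thread's original roleSearch=(memberof={0}) no object carries the user's DN in memberOf, so the search yields no roles; with option 1 the role is "Tomcat Admins", with option 2 it is the full group DN, and neither matches manager-gui until web.xml is changed.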
AW: JNDIRealm - Active Directory Roles
Hello,

thanks for your reply. It doesn't make any difference.

I don't understand how the authenticated user receives permissions for one
of these roles:

  <role rolename="manager"/>
  <role rolename="tomcat"/>
  <role rolename="admin"/>
  <role rolename="manager-gui"/>
  <role rolename="manager-jmx"/>

Best Regards,
Bjoern

-----Original Message-----
From: Leo Donahue [mailto:donahu...@gmail.com]
Sent: Thursday, 13 March 2014 19:31
To: Tomcat Users List
Subject: Re: JNDIRealm - Active Directory Roles

On Thu, Mar 13, 2014 at 10:15 AM, bjoern.bec...@easycash.de wrote:
> Hello,
>
> server.xml:
>
>   <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>          connectionName="CN=SVC,OU=Service Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
>          connectionPassword="_2VK!WHzybn1SJ8P"
>          connectionURL="ldap://server:389/OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de?sAMAccountName?sub?(objectClass=*)"
>          userSearch="(sAMAccountName={0})"
>          userSubtree="true"
>          roleSearch="(memberof={0})"
>          roleSubtree="true"
>          userRoleName="CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
>   />
>   <!-- roleBase="DC=DOM,DC=de" roleName="cn" -->

Lines that are different in my context:

  connectionURL="ldap://fully.qualified.server.name:389"
  userSearch="(&(objectCategory=person)(sAMAccountName={0}))"
  roleSearch="(member={0})"
  userRoleName="memberOf"

I don't know if it makes a difference for you or not.
Re: JNDIRealm - Active Directory Roles
On Fri, Mar 14, 2014 at 2:12 AM, bjoern.bec...@easycash.de wrote:
> Hello,
>
> thanks for your reply. It doesn't make any difference.
>
> I don't understand how the authenticated user receives permissions for one
> of these roles:
>
>   <role rolename="manager"/>
>   <role rolename="tomcat"/>
>   <role rolename="admin"/>
>   <role rolename="manager-gui"/>
>   <role rolename="manager-jmx"/>

That is a UserDatabaseRealm: org.apache.catalina.realm.UserDatabaseRealm

Those roles are different than what would be in your ldap, which is a:
org.apache.catalina.realm.JNDIRealm

Which realm do you want to use?
JNDIRealm - Active Directory Roles
Hello,

I try to implement the authentication for the tomcat manager application
against active directory. Unfortunately I don't understand the role concept.

I like to give the users permissions to open the manager when they're in
this group:

  memberOf: CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de

server.xml:

  <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
         connectionName="CN=SVC,OU=Service Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
         connectionPassword="_2VK!WHzybn1SJ8P"
         connectionURL="ldap://server:389/OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de?sAMAccountName?sub?(objectClass=*)"
         userSearch="(sAMAccountName={0})"
         userSubtree="true"
         roleSearch="(memberof={0})"
         roleSubtree="true"
         userRoleName="CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
  />
  <!-- roleBase="DC=DOM,DC=de" roleName="cn" -->

With this configuration I can open the Manager, but got no permissions.
Even if the user-role relationship is found, I don't understand how I can
assign tomcat roles (e.g. manager-gui) to the user.

Thanks!

Best Regards,
Bjoern
Re: JNDIRealm - Active Directory Roles
On Thu, Mar 13, 2014 at 10:15 AM, bjoern.bec...@easycash.de wrote:
> Hello,
>
> server.xml:
>
>   <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>          connectionName="CN=SVC,OU=Service Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
>          connectionPassword="_2VK!WHzybn1SJ8P"
>          connectionURL="ldap://server:389/OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de?sAMAccountName?sub?(objectClass=*)"
>          userSearch="(sAMAccountName={0})"
>          userSubtree="true"
>          roleSearch="(memberof={0})"
>          roleSubtree="true"
>          userRoleName="CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
>   />
>   <!-- roleBase="DC=DOM,DC=de" roleName="cn" -->

Lines that are different in my context:

  connectionURL="ldap://fully.qualified.server.name:389"
  userSearch="(&(objectCategory=person)(sAMAccountName={0}))"
  roleSearch="(member={0})"
  userRoleName="memberOf"

I don't know if it makes a difference for you or not.