AW: JNDIRealm - Active Directory Roles

2014-03-17 Thread Bjoern.Becker
Hello Felix,

thanks for the explanation! I got it now! 

What helped was to enable debugging:

# conf/logging.conf
# This would turn on trace-level for everything
# the possible levels are: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL
#org.apache.catalina.level = ALL
#org.apache.catalina.handlers = 2localhost.org.apache.juli.FileHandler
org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true

I got this realm config now:

<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionName="CN=SVC_TomcatLdapQuery,OU=Service Accounts,OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC="
       connectionPassword="PASS"
       connectionURL="ldap://server:389/OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC=?sAMAccountName?sub?(objectClass=*)"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleSubtree="true"
       roleName="CN"
       userRoleName="memberOf"
/>

And I copied the manager-gui constraint in the web.xml of the manager application and 
put in my new role:

<role-name>CN=DG_R_Tomcat Admins UAT,OU=Roles,OU=Spezielle Gruppen,OU=Hamburg,OU=SITES,OU=\#KONFIGURATION,DC=easycash,DC=de</role-name>

Thanks a lot! 

Best Regards,
Bjoern

-Original Message-
From: Felix Schumacher [mailto:felix.schumac...@internetallee.de] 
Sent: Saturday, 15 March 2014 21:52
To: users@tomcat.apache.org
Subject: Re: JNDIRealm - Active Directory Roles

On 13.03.2014 18:15, bjoern.bec...@easycash.de wrote:
 Hello,

 I am trying to implement the authentication for the Tomcat manager application 
 against Active Directory.

 Unfortunately I don't understand the role concept. I would like to give the users 
 permission to open the manager when they're in this group:

 memberOf: CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de
 server.xml:
  <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
         connectionName="CN=SVC,OU=Service Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
         connectionPassword="_2VK!WHzybn1SJ8P"
         connectionURL="ldap://server:389/OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de?sAMAccountName?sub?(objectClass=*)"
         userSearch="(sAMAccountName={0})"
         userSubtree="true"
         roleSearch="(memberof={0})"
         roleSubtree="true"
         userRoleName="CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
  />

  <!--roleBase="DC=DOM,DC=de"
      roleName="cn"
  -->

 With this configuration I can open the Manager, but have no permissions.

 Even if the user-role relationship is found, I don't understand how I can 
 assign Tomcat roles (e.g. manager-gui) to the user.
Looking at the documentation on
http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm
you have three settings which are most probably not correct.

  * roleSearch will only be used if roleName is set (which is commented out in 
your configuration)
  * roleSearch will be used to search for objects that match the given filter. 
In your case you would find user objects instead of group objects.
  * userRoleName should be the name of an attribute in the user object (cn=... 
is not a name of an attribute, but rather a value)

So given your goal, that cn=tomcat admins,... should be a role, you have two 
options.

  * You could activate roleName=cn (or another attribute name) and change the 
roleSearch to member={0}. Then the realm would (hopefully) find the object 
cn=tomcat admins,...
  * You could change userRoleName to memberOf

In the first case your user would have a role with the name Tomcat Admins. 
The second option would lead to a role name of cn=Tomcat Admins,

In both cases you would have to change the security constraints in the webapp 
(those are defined in the WEB-INF/web.xml file).

If your role objects had other attributes with values that match the roles 
defined in web.xml you could simply change roleName in the first option above.

Regards
  Felix


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
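As an added example (not code from the thread or from Tomcat), a small in-memory stand-in for the directory entries discussed above shows why Felix's two options produce different role names: roleSearch="(member={0})" with roleName="cn" yields the short name "Tomcat Admins", userRoleName="memberOf" yields the full group DN, and the original (memberof={0}) filter yields nothing at all. The DNs, the user, the attribute values and the search helper are constructed simplifications; a real JNDIRealm evaluates an LDAP filter, not an attribute name.

```python
# Added example, not Tomcat's code: an in-memory stand-in for the AD entries
# from the thread. DNs, the user and all attribute values are constructed.
GROUP_DN = "CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,DC=DOM,DC=de"
USER_DN = "CN=Bjoern Becker,OU=Users,DC=DOM,DC=de"

# DN -> attributes. In AD the user's memberOf is the back-link of the
# group's member attribute, so both entries carry the relationship.
DIRECTORY = {
    USER_DN: {
        "objectClass": ["user"],
        "sAMAccountName": ["bbecker"],
        "memberOf": [GROUP_DN],
    },
    GROUP_DN: {
        "objectClass": ["group"],
        "cn": ["Tomcat Admins"],
        "member": [USER_DN],
    },
}


def ldap_search(base, attr, value):
    """Subtree search under `base` for entries whose attribute `attr` holds
    `value`. Names and DNs compare case-insensitively, as AD does. This is a
    simplification of an LDAP equality filter such as (member={0})."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith(base.lower()):
            continue
        for name, values in attrs.items():
            if name.lower() == attr.lower() and value.lower() in [v.lower() for v in values]:
                hits.append((dn, attrs))
                break
    return hits


def resolve_roles(username, base, user_role_name=None,
                  role_search_attr=None, role_name=None):
    """Mimic how JNDIRealm collects roles, using the realm attribute names
    from the thread:

    user_role_name   (userRoleName) attribute of the user entry whose values
                     become role names, e.g. "memberOf".
    role_search_attr (roleSearch)   attribute matched against the user's DN,
                     i.e. "member" stands for the filter (member={0}).
    role_name        (roleName)     attribute of each matched entry whose
                     values become role names, e.g. "cn". Without it the role
                     search is skipped, which is also how JNDIRealm behaves.
    """
    hits = ldap_search(base, "sAMAccountName", username)   # userSearch
    if not hits:
        return []
    user_dn, user_attrs = hits[0]
    roles = []
    if user_role_name:
        roles.extend(user_attrs.get(user_role_name, []))
    if role_search_attr and role_name:
        for _dn, attrs in ldap_search(base, role_search_attr, user_dn):
            roles.extend(attrs.get(role_name, []))
    return roles


def is_granted(roles, required_role):
    """The container's check: the <role-name> of a security constraint must
    equal one of the realm's role strings exactly."""
    return required_role in roles


def demo():
    """The configurations discussed in the thread, side by side."""
    base = "DC=DOM,DC=de"
    return {
        # first posting: roleSearch="(memberof={0})" but roleName commented
        # out, so the role search never runs
        "original": resolve_roles("bbecker", base, role_search_attr="memberOf"),
        # same filter with roleName="cn": no entry has memberOf equal to a
        # user DN, so still nothing
        "original_with_roleName": resolve_roles(
            "bbecker", base, role_search_attr="memberOf", role_name="cn"),
        # Felix's option 1: roleSearch="(member={0})" roleName="cn"
        "option1": resolve_roles(
            "bbecker", base, role_search_attr="member", role_name="cn"),
        # Felix's option 2: userRoleName="memberOf"
        "option2": resolve_roles("bbecker", base, user_role_name="memberOf"),
    }


if __name__ == "__main__":
    for label, roles in demo().items():
        print(f"{label:24} -> {roles}")
```

Whichever option is chosen, the string placed in the web.xml <role-name> has to match the realm's role string exactly, which is why option 2 needs the full DN in the security constraint.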





AW: JNDIRealm - Active Directory Roles

2014-03-17 Thread Bjoern.Becker
Well, I still have a problem. 
After activating my Active Directory realm the applications don't anymore.

I got this error:

Mrz 17, 2014 1:49:28 PM org.apache.catalina.startup.HostConfig deployDescriptor
Schwerwiegend: Error deploying configuration descriptor /app/tomcat2/tomcat/conf/Catalina/localhost/app.xml
java.lang.IllegalStateException: ContainerBase.addChild: start: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/app]]
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:904)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:618)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:650)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1582)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    at java.util.concurrent.FutureTask.run(FutureTask.java:262)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:744)


Best Regards,
Bjoern



Re: JNDIRealm - Active Directory Roles

2014-03-17 Thread Felix Schumacher


On 17 March 2014 13:53:18 CET, bjoern.bec...@easycash.de wrote:
Well, I still have a problem. 
After activating my Active Directory realm the applications don't anymore.

I got this error:

Mrz 17, 2014 1:49:28 PM org.apache.catalina.startup.HostConfig deployDescriptor
Schwerwiegend: Error deploying configuration descriptor /app/tomcat2/tomcat/conf/Catalina/localhost/app.xml
java.lang.IllegalStateException: ContainerBase.addChild: start: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/app]]

Have you looked at the localhost log file? Maybe you have a problem with web.xml?

Regards
Felix


AW: JNDIRealm - Active Directory Roles

2014-03-17 Thread Bjoern.Becker
Yes, I found this error:

Mrz 17, 2014 12:50:59 PM org.apache.catalina.realm.UserDatabaseRealm startInternal
Schwerwiegend: Exception looking up UserDatabase under key UserDatabase
javax.naming.NameNotFoundException: Name [UserDatabase] is not bound in this Context. Unable to find [UserDatabase].
    at org.apache.naming.NamingContext.lookup(NamingContext.java:820)
    at org.apache.naming.NamingContext.lookup(NamingContext.java:168)
    at org.apache.catalina.realm.UserDatabaseRealm.startInternal(UserDatabaseRealm.java:255)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5168)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:618)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:650)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1582)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    at java.util.concurrent.FutureTask.run(FutureTask.java:262)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:744)

While activating the AD realm I commented out the UserDatabase Resource:

<GlobalNamingResources>
  <!-- Editable user database that can also be used by
       UserDatabaseRealm to authenticate users
  -->
  <!--<Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />-->
</GlobalNamingResources>

and:

<!-- <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
            resourceName="UserDatabase"/>-->

Maybe this is my problem? I thought the tomcat-users.xml and the UserDatabaseRealm 
are not necessary anymore?

Best Regards,
Bjoern



Re: JNDIRealm - Active Directory Roles

2014-03-17 Thread Felix Schumacher

On 17.03.2014 13:05, bjoern.bec...@easycash.de wrote:

Hello Felix,

thanks for the explanation! I got it now!

What helped was to enable debugging:

# conf/logging.conf
# This would turn on trace-level for everything
# the possible levels are: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL
#org.apache.catalina.level = ALL
#org.apache.catalina.handlers = 2localhost.org.apache.juli.FileHandler
org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true

I got this realm config now:

<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionName="CN=SVC_TomcatLdapQuery,OU=Service Accounts,OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC="
       connectionPassword="PASS"
       connectionURL="ldap://server:389/OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC=?sAMAccountName?sub?(objectClass=*)"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleSubtree="true"
       roleName="CN"
       userRoleName="memberOf"
/>
You should leave roleName and roleSubtree out of your configuration, 
since you are using userRoleName.


Regards
 Felix



Re: JNDIRealm - Active Directory Roles

2014-03-17 Thread Felix Schumacher

On 17.03.2014 14:31, bjoern.bec...@easycash.de wrote:

Yes, I found this error:

Mrz 17, 2014 12:50:59 PM org.apache.catalina.realm.UserDatabaseRealm startInternal
Schwerwiegend: Exception looking up UserDatabase under key UserDatabase
javax.naming.NameNotFoundException: Name [UserDatabase] is not bound in this Context. Unable to find [UserDatabase].
    at org.apache.naming.NamingContext.lookup(NamingContext.java:820)
    at org.apache.naming.NamingContext.lookup(NamingContext.java:168)
    at org.apache.catalina.realm.UserDatabaseRealm.startInternal(UserDatabaseRealm.java:255)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5168)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:618)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:650)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1582)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    at java.util.concurrent.FutureTask.run(FutureTask.java:262)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:744)

While activating the AD realm I commented out the UserDatabase Resource:

<GlobalNamingResources>
  <!-- Editable user database that can also be used by
       UserDatabaseRealm to authenticate users
  -->
  <!--<Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />-->
</GlobalNamingResources>

and:

<!-- <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
            resourceName="UserDatabase"/>-->

Maybe this is my problem? I thought the tomcat-users.xml and the UserDatabaseRealm 
are not necessary anymore?
UserDatabase is needed for any UserDatabaseRealm you might have. So you 
will have to look into all of your contexts to see if you can disable 
UserDatabase.


And I believe you have to have one Realm (doesn't matter what type) in 
your host. I think there were some startup mechanisms relying on one 
realm to be there.


Regards
 Felix
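As an added example (not code from the thread or from Tomcat), the following checker parses server.xml plus any context descriptors such as conf/Catalina/localhost/app.xml and flags the pitfalls this thread walks through: a UserDatabaseRealm whose UserDatabase Resource has been commented out of GlobalNamingResources, a JNDIRealm roleSearch without roleName, a userRoleName holding a DN instead of an attribute name, dead roleName/roleSubtree settings, and a Host or Engine with no Realm at all. The sample XML strings are constructed to mirror the broken and fixed states described in the thread.

```python
# Added example, not part of the thread or of Tomcat: a checker for the realm
# pitfalls discussed above, run over server.xml and optional context files.
import xml.etree.ElementTree as ET


def check_jndi_realm(realm):
    """Findings for one <Realm className="...JNDIRealm"> element, following
    Felix's three points and his later advice on roleName/roleSubtree."""
    out = []
    user_role = realm.get("userRoleName")
    if realm.get("roleSearch") and not realm.get("roleName"):
        out.append("roleSearch is ignored unless roleName is set")
    if user_role and user_role.upper().startswith("CN="):
        out.append("userRoleName must be an attribute name such as memberOf, "
                   "not a DN value")
    if (realm.get("roleName") or realm.get("roleSubtree")) and not realm.get("roleSearch"):
        out.append("roleName/roleSubtree have no effect without roleSearch; "
                   "leave them out when roles come from userRoleName")
    return out


def check_realms(server_xml, context_xmls=()):
    """Return findings for a server.xml string plus any context XML strings."""
    findings = []
    server = ET.fromstring(server_xml)

    # A UserDatabaseRealm can only bind to a <Resource> that is really declared
    # under <GlobalNamingResources>. ElementTree drops XML comments, so a
    # commented-out <Resource> correctly counts as missing.
    bound = set()
    for gnr in server.iter("GlobalNamingResources"):
        for res in gnr.findall("Resource"):
            bound.add(res.get("name"))

    docs = [("server.xml", server)]
    docs += [(f"context[{i}]", ET.fromstring(x)) for i, x in enumerate(context_xmls)]

    for where, doc in docs:
        for realm in doc.iter("Realm"):
            cls = realm.get("className", "")
            if cls.endswith(".UserDatabaseRealm"):
                # Felix: UserDatabase is needed for any UserDatabaseRealm you
                # might have, so every context has to be checked too.
                name = realm.get("resourceName", "UserDatabase")
                if name not in bound:
                    findings.append(f"{where}: UserDatabaseRealm needs a Resource "
                                    f"named '{name}' under GlobalNamingResources")
            elif cls.endswith(".JNDIRealm"):
                findings.extend(f"{where}: {msg}" for msg in check_jndi_realm(realm))

    # Felix's advice: keep at least one Realm in the Engine or Host.
    containers = [c for c in server.iter() if c.tag in ("Engine", "Host")]
    if not any(c.find("Realm") is not None for c in containers):
        findings.append("server.xml: no Realm under Engine or Host")
    return findings


# Constructed server.xml skeleton; {resource} and {roles} are filled in below.
SERVER_TEMPLATE = """<Server>
  <GlobalNamingResources>
    {resource}
  </GlobalNamingResources>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.JNDIRealm"
             connectionURL="ldap://server:389"
             userSearch="(sAMAccountName={{0}})"
             {roles}/>
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""

USER_DB = ('<Resource name="UserDatabase" auth="Container" '
           'type="org.apache.catalina.UserDatabase" '
           'factory="org.apache.catalina.users.MemoryUserDatabaseFactory" '
           'pathname="conf/tomcat-users.xml"/>')

# Broken state from the thread: Resource commented out, the first posting's
# role attributes, and a context that still declares a UserDatabaseRealm.
BROKEN_SERVER = SERVER_TEMPLATE.format(
    resource="<!--" + USER_DB + "-->",
    roles='roleSearch="(memberof={0})" '
          'userRoleName="CN=Tomcat Admins,OU=Roles,DC=DOM,DC=de"')
APP_CONTEXT = """<Context>
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>
</Context>"""

# Fixed state: Resource declared, roles read from the user's memberOf values.
FIXED_SERVER = SERVER_TEMPLATE.format(resource=USER_DB,
                                      roles='userRoleName="memberOf"')

if __name__ == "__main__":
    for msg in check_realms(BROKEN_SERVER, [APP_CONTEXT]) or ["no findings"]:
        print(msg)
```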



AW: JNDIRealm - Active Directory Roles

2014-03-17 Thread Bjoern.Becker
Thanks again! I keep the UserDatabase realm now, but I removed the 
path=tomcat-users.xml parameter.

It's working now. 

Regards,
Björn


Re: JNDIRealm - Active Directory Roles

2014-03-15 Thread Felix Schumacher

On 13.03.2014 18:15, bjoern.bec...@easycash.de wrote:

Hello,

I'm trying to implement authentication for the Tomcat manager application 
against Active Directory.

Unfortunately I don't understand the role concept. I'd like to give users 
permission to open the manager when they're in this group:


memberOf: CN=Tomcat Admins,OU=Roles,OU=Spezielle 
Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de

server.xml:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionName="CN=SVC,OU=Service Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
       connectionPassword="_2VK!WHzybn1SJ8P"
       connectionURL="ldap://server:389/OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de?sAMAccountName?sub?(objectClass=*)"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleSearch="(memberof={0})"
       roleSubtree="true"
       userRoleName="CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
/>

<!-- roleBase="DC=DOM,DC=de"
     roleName="cn"
-->

With this configuration I can open the Manager, but got no permissions.

Even if the user-role relationship is found, I don't understand how I can 
assign Tomcat roles (e.g. manager-gui) to the user.
Looking at the documentation on 
http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm 
you have three settings which are most probably not correct.


 * roleSearch will only be used, if roleName is set (which is commented 
out in your configuration)
 * roleSearch will be used to search for objects that match the given 
filter. In your case you would find user objects instead of group objects.
 * userRoleName should be the name of an attribute in the user object 
(cn=... is not a name of an attribute, but rather a value)


So given your goal, that cn=tomcat admins,... should be a role, you have 
two options.


 * You could activate roleName=cn (or another attribute name) and 
change the roleSearch to member={0}. Then the realm would (hopefully) 
find the object cn=tomcat admins,...

 * You could change userRoleName to memberOf

In the first case your user would have a role with the name Tomcat 
Admins. The second option would lead to a role name of cn=Tomcat 
Admins,


In both cases you would have to change the security constraints in the 
webapp (those are defined in the WEB-INF/web.xml file).


If your role objects had other attributes with values that match the 
roles defined in web.xml you could simply change roleName in the first 
option above.


Regards
 Felix
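
The two options above, worked through as an added example that is not part of this thread and not Tomcat's own code: a small Python model of how JNDIRealm turns the Realm attributes into role names, run against a constructed two-entry directory (the user DN, the login name "bjoern" and the single-equality filter evaluation are assumptions of the example). It shows why the originally posted configuration yields no roles at all, and that the role-name in the manager's web.xml must match the resulting name exactly.

```python
import xml.etree.ElementTree as ET
# Constructed sample directory (not real data), DN -> attributes; AD keeps the
# group link on both ends, as group.member and user.memberOf.
GROUP_DN = "CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,OU=SITES,DC=DOM,DC=de"
USER_DN = "CN=Bjoern,OU=Users,OU=SITES,DC=DOM,DC=de"
DIRECTORY = {
    USER_DN: {"objectClass": ["user"], "sAMAccountName": ["bjoern"], "memberOf": [GROUP_DN]},
    GROUP_DN: {"objectClass": ["group"], "cn": ["Tomcat Admins"], "member": [USER_DN]},
}
# Realm fragments (connection attributes omitted): the two options from the
# reply above, plus one that mirrors the originally posted configuration.
OPTION_1 = ('<Realm className="org.apache.catalina.realm.JNDIRealm" '
            'userSearch="(sAMAccountName={0})" roleSearch="(member={0})" roleName="cn"/>')
OPTION_2 = ('<Realm className="org.apache.catalina.realm.JNDIRealm" '
            'userSearch="(sAMAccountName={0})" userRoleName="memberOf"/>')
ORIGINAL = ('<Realm className="org.apache.catalina.realm.JNDIRealm" '
            'userSearch="(sAMAccountName={0})" roleSearch="(memberof={0})" '
            'userRoleName="CN=Tomcat Admins,OU=Roles,OU=SITES,DC=DOM,DC=de"/>')

def get(attrs, name):
    """LDAP attribute names are case-insensitive; return the values or []."""
    return next((v for k, v in attrs.items() if k.lower() == name.lower()), [])

def search(filter_str):
    """One equality filter '(attr=value)'; compound AD filters are out of scope."""
    attr, _, value = filter_str.strip("()").partition("=")
    return [dn for dn, attrs in DIRECTORY.items() if value in get(attrs, attr)]

def resolve_roles(realm_xml, username):
    """Roles the principal gets, or None when no unique user entry matches."""
    realm = ET.fromstring(realm_xml).attrib
    users = search(realm["userSearch"].format(username))
    if len(users) != 1:
        return None  # authentication fails before any role lookup happens
    user_dn = users[0]
    roles = []
    # Path 1: roleSearch runs only when roleName is set; {0} is the user's DN,
    # {1} the login name, and roleName names the attribute read from each hit.
    if "roleName" in realm and "roleSearch" in realm:
        for dn in search(realm["roleSearch"].format(user_dn, username)):
            roles.extend(get(DIRECTORY[dn], realm["roleName"]))
    # Path 2: userRoleName names an attribute of the user entry whose values
    # become roles; a DN written there is a value, not an attribute, so no hit.
    if "userRoleName" in realm:
        roles.extend(get(DIRECTORY[user_dn], realm["userRoleName"]))
    return roles

def may_open_manager(realm_xml, username, web_xml_role_name):
    roles = resolve_roles(realm_xml, username)
    return roles is not None and web_xml_role_name in roles  # exact string match
```

With option 1 the principal carries the role "Tomcat Admins"; with option 2 it carries the full group DN, and that is the string the web.xml role-name has to contain.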


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



AW: JNDIRealm - Active Directory Roles

2014-03-14 Thread Bjoern.Becker
Hello,

thanks for your reply. It doesn't make any difference. 

I don't understand how the authenticated user receives permissions for one of 
these roles:

<role rolename="manager"/>
<role rolename="tomcat"/>
<role rolename="admin"/>
<role rolename="manager-gui"/>
<role rolename="manager-jmx"/>


Best Regards,
Bjoern


-Original Message-
From: Leo Donahue [mailto:donahu...@gmail.com]
Sent: Thursday, 13 March 2014 19:31
To: Tomcat Users List
Subject: Re: JNDIRealm - Active Directory Roles

On Thu, Mar 13, 2014 at 10:15 AM, bjoern.bec...@easycash.de wrote:

 Hello,

 server.xml:
 <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
        connectionName="CN=SVC,OU=Service Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
        connectionPassword="_2VK!WHzybn1SJ8P"
        connectionURL="ldap://server:389/OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de?sAMAccountName?sub?(objectClass=*)"
        userSearch="(sAMAccountName={0})"
        userSubtree="true"
        roleSearch="(memberof={0})"
        roleSubtree="true"
        userRoleName="CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
 />

 <!-- roleBase="DC=DOM,DC=de"
      roleName="cn"
 -->


Lines that are different in my context:

connectionURL="ldap://fully.qualified.server.name:389"
userSearch="(&amp;(objectCategory=person)(sAMAccountName={0}))"
roleSearch="(member={0})"
userRoleName="memberOf"

I don't know if it makes a difference for you or not.




Re: JNDIRealm - Active Directory Roles

2014-03-14 Thread Leo Donahue
On Fri, Mar 14, 2014 at 2:12 AM, bjoern.bec...@easycash.de wrote:

 Hello,

 thanks for your reply. It doesn't make any difference.

 I don't understand how the authenticated user receives permissions for one
 of these roles:

 <role rolename="manager"/>
 <role rolename="tomcat"/>
 <role rolename="admin"/>
 <role rolename="manager-gui"/>
 <role rolename="manager-jmx"/>


That is a UserDatabaseRealm: org.apache.catalina.realm.UserDatabaseRealm

Those roles are different than what would be in your ldap, which is a:
org.apache.catalina.realm.JNDIRealm

Which realm do you want to use?


JNDIRealm - Active Directory Roles

2014-03-13 Thread Bjoern.Becker
Hello,

I'm trying to implement authentication for the Tomcat manager application 
against Active Directory. 

Unfortunately I don't understand the role concept. I'd like to give users 
permission to open the manager when they're in this group:

 memberOf: CN=Tomcat Admins,OU=Roles,OU=Spezielle 
 Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de

server.xml:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionName="CN=SVC,OU=Service Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
       connectionPassword="_2VK!WHzybn1SJ8P"
       connectionURL="ldap://server:389/OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de?sAMAccountName?sub?(objectClass=*)"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleSearch="(memberof={0})"
       roleSubtree="true"
       userRoleName="CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
/>

<!-- roleBase="DC=DOM,DC=de"
     roleName="cn"
-->

With this configuration I can open the Manager, but got no permissions.

Even if the user-role relationship is found, I don't understand how I can 
assign Tomcat roles (e.g. manager-gui) to the user.

Thanks! 

Best Regards,
Bjoern






Re: JNDIRealm - Active Directory Roles

2014-03-13 Thread Leo Donahue
On Thu, Mar 13, 2014 at 10:15 AM, bjoern.bec...@easycash.de wrote:

 Hello,

 server.xml:
 <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
        connectionName="CN=SVC,OU=Service Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
        connectionPassword="_2VK!WHzybn1SJ8P"
        connectionURL="ldap://server:389/OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de?sAMAccountName?sub?(objectClass=*)"
        userSearch="(sAMAccountName={0})"
        userSubtree="true"
        roleSearch="(memberof={0})"
        roleSubtree="true"
        userRoleName="CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
 />

 <!-- roleBase="DC=DOM,DC=de"
      roleName="cn"
 -->


Lines that are different in my context:

connectionURL="ldap://fully.qualified.server.name:389"
userSearch="(&amp;(objectCategory=person)(sAMAccountName={0}))"
roleSearch="(member={0})"
userRoleName="memberOf"

I don't know if it makes a difference for you or not.