Hi, I've been watching your emails andI'm still trying to understand. I have a couple of ldap books and I'm trying to figure some things out. I can authenticate to AD with known OU's and known common names, but I can't use basic or form authentication and get them authenticated with just a user-id and password.
What is: roleSearch="(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC=com)" 1. specifically, what is CN=tomcat ? Is that a role which has been set up in AD? What is: userBase="OU=Users,OU=[My OU],DC=[Domain],DC=com" 2. specifically, what is OU=[My OU] ? 3. What did you put in your web-app web.xml? My AD administrators have not been able to explain our tree structure to me. Either I'm asking the wrong questions, or they don't understand it either. They have given me a copy of the script they used to load it. I'm trying to look thru the script to discover the tree structure. Also, they printed a screen print from their AD administrative tool. It has this sort of structure: Active Directory Users and Computers lubbock.isd Builtin CO Computers Disabled Accounts Elem ForeignSecurityPrincipals HS JH LostAndFound Microsoft Exchange System Object OG System Users Should that tell me what to plug into the OU? I know if I hit the AD with an Administrative name, password and its OU, then I authenticate. For instance "CN=Administratorname,OU=CO,dc=lubbock,dc=isd");. CO stands for central office (in this case.) I know that this administrative name is in the OU=CO. What do I do if my user is not in OU=CO? How do I authenticate when I'm not given the person's specific OU? I don't understand why you're specifying 2 different values for OU? Any help would be appreciated. Thanks, rob -----Original Message----- From: Hart, Justin [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 04, 2003 9:13 AM To: Tomcat Users List Subject: RE: JNDIRealm...more I just got it working... A million thank yous! I didn't really understand LDAP until learning (some) about it yesterday, and once I started learning it, your example made perfect sense, and now I can authenticate my users! This rules very much! Justin -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Monday, November 03, 2003 4:16 PM To: [EMAIL PROTECTED] Subject: RE: JNDIRealm...more Here's what I have......this works for me....hope this helps.... <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99" connectionURL="ldap://[domain controller]:389" userBase="OU=Users,OU=[My OU],DC=[Domain],DC=com" userSearch="(sAMAccountName={0})" userRoleName="member" roleBase="OU=Users,OU=[my OU],DC=[Domain],DC=com" roleName="memberOf" roleSearch="(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC=com)" connectionName="CN=Administrator,CN=Users,DC=[Domain],DC=com" connectionPassword="[password]" roleSubtree="true" userSubtree="true"/> -----Original Message----- From: Hart, Justin [mailto:[EMAIL PROTECTED] Sent: Monday, November 03, 2003 12:57 PM To: Tomcat Users List Subject: JNDIRealm...more My server.xml now looks like this : <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99" connectionURL="A good active directory server" userBase="dc=MY DOMAIN NAME,dc=com" userRoleName="member" roleName="cn" roleSearch="(userPrincipalName={0})" roleSubtree="false" userSubtree="false" referrals="follow" /> Reading through the log shows no errors, just that the realm is openning and closing connections with my LDAP server, after 3 tries, it tells me that I need to use http authentication. What's going wrong here? Justin --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]