I used * as my role-name. Justin
-----Original Message----- From: Robyne Vaughn [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 04, 2003 12:38 PM To: Tomcat Users List Subject: RE: JNDIRealm...more Justin, I REALLY appreciate your help. I've been stuck for a while. I believe that Users is a CN . (scanning thru the script, I don't see Users ever set as an OU, but I do see it as a CN.) How are you browsing around in AD's LDAP? I have a jndi jsp that I've tried finding things with. One bit of info: The AD I am trying to authenticate to is on a different box than the one I work on. I do know to hit AD with a connection name and password, then I've tried to use the sAMAccountname but have been unsuccessful. I can't quite get my "path" worked out. I will look thru the DN, to see if I can find where all the users are a member. In my web.xml, I have tried form based and basic authentication. Which are you using and don't you have to specify this stuff?: <security-constraint> <web-resource-collection> <web-resource-name></web-resource-name> <url-pattern></url-pattern> </web-resource-collection> <auth-constraint> <role-name></role-name> </auth-constraint> </security-constraint> <login-config> <auth-method></auth-method> <!-- <realm-name></realm-name> --> </login-config> <security-role> <role-name></role-name> </security-role> Would the role-name be the entry in the tomcat users or would it be an entry in the AD? This is a new web-app I'm trying to get up and it will be the first one in our group to authenticate against the AD. Our previous authentication is being eliminated. -----Original Message----- From: Hart, Justin [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 04, 2003 11:14 AM To: Tomcat Users List Subject: RE: JNDIRealm...more 1) In terms of active directory, the roleSearch, in this case, would be a group that the person logging in needs to be a member of. In terms of mine, it would be the "ALL" mailing list for my company. What you need to do, is browse around in active directory's LDAP (I assume that you're doing this against active directory) and find the entry that describes the NT group that you want all of your members to be a member of. CN=tomcat is just part of the DN that identifies that group for the other guy in this thread. 2) K, you need to get to your base directory that contrains users. That could be multiple OU's deep, in terms of active directory, it probably is, you'll probably have 1 layer for say, job sites, and another for Users (hence Users). You'll see if it you browse down your active directory tree... just enter the DN describing the level containing your users. 3) web.xml contains the stuff specific to logging in, so essentially, whatever you use for authentication now, can still be used, as long as the data jibes with what's in your active directory. Is that User's there a CN or a OU? Justin -----Original Message----- From: Robyne Vaughn [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 04, 2003 12:08 PM To: Tomcat Users List Subject: RE: JNDIRealm...more Hi, I've been watching your emails andI'm still trying to understand. I have a couple of ldap books and I'm trying to figure some things out. I can authenticate to AD with known OU's and known common names, but I can't use basic or form authentication and get them authenticated with just a user-id and password. What is: roleSearch="(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC=com)" 1. specifically, what is CN=tomcat ? Is that a role which has been set up in AD? What is: userBase="OU=Users,OU=[My OU],DC=[Domain],DC=com" 2. specifically, what is OU=[My OU] ? 3. What did you put in your web-app web.xml? My AD administrators have not been able to explain our tree structure to me. Either I'm asking the wrong questions, or they don't understand it either. They have given me a copy of the script they used to load it. I'm trying to look thru the script to discover the tree structure. Also, they printed a screen print from their AD administrative tool. It has this sort of structure: Active Directory Users and Computers lubbock.isd Builtin CO Computers Disabled Accounts Elem ForeignSecurityPrincipals HS JH LostAndFound Microsoft Exchange System Object OG System Users Should that tell me what to plug into the OU? I know if I hit the AD with an Administrative name, password and its OU, then I authenticate. For instance "CN=Administratorname,OU=CO,dc=lubbock,dc=isd");. CO stands for central office (in this case.) I know that this administrative name is in the OU=CO. What do I do if my user is not in OU=CO? How do I authenticate when I'm not given the person's specific OU? I don't understand why you're specifying 2 different values for OU? Any help would be appreciated. Thanks, rob -----Original Message----- From: Hart, Justin [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 04, 2003 9:13 AM To: Tomcat Users List Subject: RE: JNDIRealm...more I just got it working... A million thank yous! I didn't really understand LDAP until learning (some) about it yesterday, and once I started learning it, your example made perfect sense, and now I can authenticate my users! This rules very much! Justin -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Monday, November 03, 2003 4:16 PM To: [EMAIL PROTECTED] Subject: RE: JNDIRealm...more Here's what I have......this works for me....hope this helps.... <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99" connectionURL="ldap://[domain controller]:389" userBase="OU=Users,OU=[My OU],DC=[Domain],DC=com" userSearch="(sAMAccountName={0})" userRoleName="member" roleBase="OU=Users,OU=[my OU],DC=[Domain],DC=com" roleName="memberOf" roleSearch="(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC=com)" connectionName="CN=Administrator,CN=Users,DC=[Domain],DC=com" connectionPassword="[password]" roleSubtree="true" userSubtree="true"/> -----Original Message----- From: Hart, Justin [mailto:[EMAIL PROTECTED] Sent: Monday, November 03, 2003 12:57 PM To: Tomcat Users List Subject: JNDIRealm...more My server.xml now looks like this : <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99" connectionURL="A good active directory server" userBase="dc=MY DOMAIN NAME,dc=com" userRoleName="member" roleName="cn" roleSearch="(userPrincipalName={0})" roleSubtree="false" userSubtree="false" referrals="follow" /> Reading through the log shows no errors, just that the realm is openning and closing connections with my LDAP server, after 3 tries, it tells me that I need to use http authentication. What's going wrong here? Justin --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
