I would guess, as you show no information on your LDAP setup, this line is wrong:

    userPattern="uid={0},ou=people,dc=mydomain,dc=com"

Are your users named by uid or cn? You show roles as named by cn, and since you show dc=,dc= I would guess this is AD. Also, try using LDAP vs LDAPS to help troubleshoot.

-jim
--
Jim Willeke

On Mon, Aug 26, 2013 at 10:47 AM, John Pimentel <jpimen...@ra.rockwell.com> wrote:
>
> Greetings,
>
> I am having difficulties getting LDAPS authentication to work and I think I
> must be missing some fundamental configuration.
>
> My current state is that the Site loads and displays content properly, but
> when I go to edit content or I select the log in page directly, my LDAP
> credentials do not authenticate, and I am repeatedly presented with a login
> page.
>
> I used the following information as my "How To" for this effort:
> http://www.ecyrd.com/JSPWiki/wiki/WebContainerAuthenticationViaLDAP
>
> This article is very good but appears to be incomplete.
>
> I have done the following configuration to get ldaps to work:
>
> 1. I have a previously configured LDAP Server and I stored/trusted the
> cert for this Sun LDAP server into the central java keystore using this
> command:
>
>     /usr/lib64/jvm/jre/bin/keytool -import -alias sunldap \
>         -file /web1/sst/dysc/content/CA-RA-v3.crt \
>         -keystore /usr/lib64/jvm/jre/lib/security/cacerts
>
> 2. I have configured the realm and sorted out all the log errors using the
> following realm in the server.xml file. I believe tomcat is successfully
> connecting to my LDAP server.
>
>     <Realm className="org.apache.catalina.realm.JNDIRealm"
>            connectionURL="ldaps://mkedsintp.ds.mydomain.com:636"
>            connectionName="uid=[bind User UID],ou=admin,dc=rmydomain,dc=com"
>            connectionPassword="[Password]"
>            userPattern="uid={0},ou=people,dc=mydomain,dc=com"
>            roleBase="ou=Control-M,ou=group,dc=mydomain,dc=com"
>            roleSubtree="true"
>            roleName="cn"
>            roleSearch="(uniqueMember={0})"
>     />
>
> 3. I uncommented the "CONTAINER-MANAGED AUTH" section
> from /web1/dyscq/webapps/apps/wiki/WEB-INF/web.xml
>
> There is a section at the bottom that says "Update JSPWiki security policy":
> If you would like to set permissions to LDAP groups, you can simply add
> policy entries on authorize.Role. The following is an entry for wiki-admin
> group (from LDAP).
>
>     grant principal com.ecyrd.jspwiki.auth.authorize.Role "wiki-admin" {
>         permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
>     };
>
> I'm thinking it might go into web.xml, but I am not sure of that.
>
> This section of the xml looks like this:
>
>     <security-constraint>
>       <web-resource-collection>
>         <web-resource-name>Authenticated area</web-resource-name>
>         <url-pattern>/Edit.jsp</url-pattern>
>         <url-pattern>/Comment.jsp</url-pattern>
>         <url-pattern>/Login.jsp</url-pattern>
>         <url-pattern>/NewGroup.jsp</url-pattern>
>         <url-pattern>/Rename.jsp</url-pattern>
>         <url-pattern>/Upload.jsp</url-pattern>
>         <http-method>DELETE</http-method>
>         <http-method>GET</http-method>
>         <http-method>HEAD</http-method>
>         <http-method>POST</http-method>
>         <http-method>PUT</http-method>
>       </web-resource-collection>
>
>       <web-resource-collection>
>         <web-resource-name>Read-only Area</web-resource-name>
>         <url-pattern>/attach</url-pattern>
>         <http-method>DELETE</http-method>
>         <http-method>POST</http-method>
>         <http-method>PUT</http-method>
>       </web-resource-collection>
>
>       <auth-constraint>
>         <role-name>Admin</role-name>
>         <role-name>Authenticated</role-name>
>       </auth-constraint>
>       <!--
>       <user-data-constraint>
>         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>       </user-data-constraint>
>       -->
>     </security-constraint>
>
>     <login-config>
>       <auth-method>FORM</auth-method>
>       <form-login-config>
>         <form-login-page>/LoginForm.jsp</form-login-page>
>         <form-error-page>/LoginForm.jsp</form-error-page>
>       </form-login-config>
>     </login-config>
>
>     <security-role>
>       <description>
>         This logical role includes all authenticated users
>       </description>
>       <role-name>Authenticated</role-name>
>     </security-role>
>
>     <security-role>
>       <description>
>         This logical role includes all administrative users
>       </description>
>       <role-name>Admin</role-name>
>     </security-role>
>
> Regards,
> John Pimentel
>
> jpimen...@ra.rockwell.com
> Office (414) 382-3354
> Mobile (262) 501-4785
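As an added example (not code from the thread, and not part of Tomcat or JSPWiki), the checker below does by hand what Jim's reply asks for. It parses the posted Realm, derives the DN that `userPattern` would produce for a login name and the `roleSearch` filter JNDIRealm runs after the user bind (Tomcat substitutes the user's full DN for `{0}` and the bare username for `{1}` in `roleSearch`), flags the inconsistencies worth ruling out before blaming the directory (the bind DN's base `dc=rmydomain,dc=com` against `dc=mydomain,dc=com` in `userPattern` and `roleBase`, leftover `[placeholders]`, a `memberUid` search handed a DN, a scheme/port mismatch), and prints the `ldapsearch` commands that reproduce each bind over LDAPS and, for the troubleshooting step, plain LDAP. The `server.xml` fragment embedded in it is constructed to mirror the post; the username `jdoe` is an assumption.

```python
"""Consistency checks for a Tomcat JNDIRealm plus the ldapsearch commands
that reproduce its binds by hand.  Added example, not code from the
thread or from Tomcat/JSPWiki.  SAMPLE_SERVER_XML is constructed to
mirror the Realm in the post; the username "jdoe" is an assumption."""
import re
import xml.etree.ElementTree as ET

SAMPLE_SERVER_XML = """<Server><Service><Engine><Host>
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://mkedsintp.ds.mydomain.com:636"
       connectionName="uid=[bind User UID],ou=admin,dc=rmydomain,dc=com"
       connectionPassword="[Password]"
       userPattern="uid={0},ou=people,dc=mydomain,dc=com"
       roleBase="ou=Control-M,ou=group,dc=mydomain,dc=com"
       roleSubtree="true"
       roleName="cn"
       roleSearch="(uniqueMember={0})"/>
</Host></Engine></Service></Server>"""


def load_realm(xml_text):
    """Return the attributes of the first JNDIRealm element as a dict."""
    for realm in ET.fromstring(xml_text).iter("Realm"):
        if realm.get("className", "").endswith(".JNDIRealm"):
            return dict(realm.attrib)
    raise ValueError("no JNDIRealm element found")


def base_dn(dn):
    """The trailing dc=... part of a DN, lower-cased, for comparison."""
    rdns = [r.strip().lower() for r in dn.split(",")]
    return ",".join(r for r in rdns if r.startswith("dc="))


def user_dn(realm, username):
    """JNDIRealm builds the user DN by replacing {0} in userPattern."""
    return realm["userPattern"].replace("{0}", username)


def role_filter(realm, username):
    """In roleSearch, {0} is the user's full DN and {1} the bare username."""
    return (realm["roleSearch"]
            .replace("{0}", user_dn(realm, username))
            .replace("{1}", username))


def parse_url(url):
    """Split an ldap:// or ldaps:// URL; default the port by scheme."""
    m = re.fullmatch(r"(ldaps?)://([^:/]+)(?::(\d+))?/?", url)
    if not m:
        raise ValueError(f"unsupported connectionURL: {url}")
    scheme, host, port = m.groups()
    return scheme, host, port or ("636" if scheme == "ldaps" else "389")


def lint_realm(realm):
    """Return findings to rule out before suspecting the directory itself."""
    findings = []
    bases = {k: base_dn(realm[k]) for k in ("connectionName", "userPattern", "roleBase")}
    if len(set(bases.values())) > 1:
        findings.append("base DN mismatch: " + ", ".join(f"{k}={v}" for k, v in bases.items()))
    if "{0}" not in realm["userPattern"]:
        findings.append("userPattern has no {0}: every login would map to the same DN")
    if "memberUid" in realm["roleSearch"] and "{0}" in realm["roleSearch"]:
        findings.append("roleSearch matches memberUid against {0} (a DN); memberUid holds a uid, use {1}")
    if re.search(r"\[[^\]]*\]", realm["connectionName"] + realm["connectionPassword"]):
        findings.append("connectionName/connectionPassword still contain [placeholders]")
    scheme, _host, port = parse_url(realm["connectionURL"])
    if (scheme, port) in (("ldaps", "389"), ("ldap", "636")):
        findings.append(f"{scheme}:// on port {port} is unlikely to be what the server speaks")
    return findings


def ldapsearch_commands(realm, username):
    """Commands reproducing each step the realm performs, first over the
    configured URL and then over plaintext LDAP.  The plaintext variant
    sends the bind password in the clear: troubleshooting only, on a
    trusted network, then switch back to ldaps://."""
    scheme, host, port = parse_url(realm["connectionURL"])
    plain_port = "389" if port == "636" else port
    urls = [f"{scheme}://{host}:{port}", f"ldap://{host}:{plain_port}"]
    udn = user_dn(realm, username)
    scope = "sub" if realm.get("roleSubtree") == "true" else "one"
    cmds = []
    for url in urls:
        # 1. service-account bind: proves connectivity, TLS trust and the connectionName DN
        cmds.append(f'ldapsearch -x -H {url} -D "{realm["connectionName"]}" -W '
                    f'-b "{base_dn(realm["userPattern"])}" -s base "(objectClass=*)" dn')
        # 2. bind as the user with the DN that userPattern would build
        cmds.append(f'ldapsearch -x -H {url} -D "{udn}" -W -b "{udn}" -s base "(objectClass=*)" dn')
        # 3. the role lookup the realm runs after a successful user bind
        cmds.append(f'ldapsearch -x -H {url} -D "{realm["connectionName"]}" -W '
                    f'-b "{realm["roleBase"]}" -s {scope} "{role_filter(realm, username)}" {realm["roleName"]}')
    return cmds


if __name__ == "__main__":
    realm = load_realm(SAMPLE_SERVER_XML)
    for finding in lint_realm(realm):
        print("CHECK:", finding)
    for cmd in ldapsearch_commands(realm, "jdoe"):
        print(cmd)
```

If step 1 fails over ldaps:// but succeeds over ldap://, the problem is trust rather than the DN: the keytool import in the post must land in the cacerts of the JRE Tomcat actually starts with (`keytool -list -keystore <that cacerts> -alias sunldap` confirms it), and a handshake failure typically surfaces in catalina.out as a javax.naming.CommunicationException. If step 2 fails with the same credentials that work elsewhere, the DN built from `userPattern` is wrong, which is Jim's point about uid versus cn. If steps 1 and 2 pass but step 3 returns no entries, the login succeeds but no role is granted, so the `<auth-constraint>` rejects the request and the login page comes back, which matches the symptom described.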