Hi,

I'm currently trying to protect a Tomcat web-app via LDAP. This application 
previously handled authentication against an LDAP server with a customized login 
procedure. As there is now some more sensitive content in the web-app, I wanted to 
protect the entire web-app through Tomcat. Therefore I inserted a JNDIRealm into the 
context:
        <Realm   className="org.apache.catalina.realm.JNDIRealm" debug="99"
                connectionURL="ldap://gssun001:389"
                userBase="ou=LDAPusers,dc=prodv"
                userSearch="(cn={0})"
                roleBase="ou=LDAPusers,dc=prodv"
                roleName="(cn={0})"
                roleSearch="(userPassword={0})"
        /> 

Furthermore I inserted this into the web.xml:

        <!-- Define the Login Configuration for this Application -->
        <login-config>
                <auth-method>FORM</auth-method>
                <realm-name>theApplication</realm-name>
                <form-login-config>
                        <form-login-page>/login.html</form-login-page>
                        <form-error-page>/autherr.html</form-error-page>
                </form-login-config>
        </login-config>

        <!-- Security roles referenced by this web application -->  
        <security-role>
                <description>
                        The role that is required to log in to the Manager Application
                </description>
                <role-name>manager</role-name>
        </security-role>

So, when I try to access the web-app, login.html is displayed as expected. 
When I enter credentials that are stored in the LDAP server, the following 
appears in the log:

        Searching for gast
        base: ou=LDAPusers,dc=prodv  filter: (cn=gast)
        entry found for gast with dn cn=gast,ou=LDAPusers,dc=prodv
        validating credentials by binding as the user
        binding as cn=gast,ou=LDAPusers,dc=prodv
        Username gast successfully authenticated
        getRoles(cn=gast,ou=LDAPusers,dc=prodv)
        Searching role base 'ou=LDAPusers,dc=prodv' for attribute '(cn={0})'
        With filter expression '(userPassword=cn=gast,ou=LDAPusers,dc=prodv)'
        Returning 0 roles
        Username gast does NOT have role manager

which Tomcat "answers" with a "403: Access to the requested resource 
has been denied".

When I enter a wrong password, this is in the log:

        Searching for gast
        base: ou=LDAPusers,dc=prodv  filter: (cn=gast)
        entry found for gast with dn cn=gast,ou=LDAPusers,dc=prodv
        validating credentials by binding as the user
        binding as cn=gast,ou=LDAPusers,dc=prodv
        bind attempt failed
        Username gast NOT successfully authenticated

I don't see any attributes like roles in the LDAP server, so this is obviously 
plain wrong. But no matter what I tried, I couldn't get it to work, although it 
seems that Tomcat accepted the credentials, right? The only things stored in 
LDAP are name and password. How can I make this work?

Kind regards 
Axel Leucht                       Phone: +49-231-9792-251 
PRO DV Software AG                FAX:   +49-231-9792-200 
Hauert 6                          <mailto:[EMAIL PROTECTED]> 
44227 Dortmund                    <http://www.prodv.de> 
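An added example, not part of the original message and not Tomcat's own code: a small model of how JNDIRealm turns a successful bind into a role list, written to show why the posted realm attributes return 0 roles and what a group-based lookup needs instead. The in-memory directory, the password values, the ou=groups subtree and the FIXED_REALM settings are all assumptions. FIXED_REALM corresponds to roleBase="ou=groups,dc=prodv", roleName="cn", roleSearch="(member={0})" on the <Realm> element, which only works if the directory also holds a groupOfNames entry whose member attribute lists the user's full DN.

```python
"""Model of JNDIRealm role resolution (added example, not Tomcat code).

Constructed in-memory directory standing in for the gssun001 server in the
post; the entries, passwords and the ou=groups subtree are assumptions.
"""
import re

DIRECTORY = {
    # The poster's users: only a name and a password, as described.
    "cn=gast,ou=LDAPusers,dc=prodv": {
        "cn": ["gast"],
        "userPassword": ["geheim"],
    },
    "cn=axel,ou=LDAPusers,dc=prodv": {
        "cn": ["axel"],
        "userPassword": ["pw"],
    },
    # Assumed group entry (groupOfNames). Its 'member' values are full user
    # DNs, which is exactly what JNDIRealm substitutes for {0} in roleSearch.
    "cn=manager,ou=groups,dc=prodv": {
        "objectClass": ["groupOfNames"],
        "cn": ["manager"],
        "member": ["cn=gast,ou=LDAPusers,dc=prodv"],
    },
}

# Realm attributes as posted: returns 0 roles, see the log in the message.
POSTED_REALM = {
    "userBase": "ou=LDAPusers,dc=prodv",
    "userSearch": "(cn={0})",
    "roleBase": "ou=LDAPusers,dc=prodv",
    "roleName": "(cn={0})",              # must be an attribute name, not a filter
    "roleSearch": "(userPassword={0})",  # {0} is the user's DN, never a password
}

# Assumed corrected attributes: search a groups subtree for entries whose
# 'member' equals the user's DN and read the role name from their 'cn'.
FIXED_REALM = {
    "userBase": "ou=LDAPusers,dc=prodv",
    "userSearch": "(cn={0})",
    "roleBase": "ou=groups,dc=prodv",
    "roleName": "cn",
    "roleSearch": "(member={0})",
}

_EQ = re.compile(r"^\((\w+)=([^)]*)\)$")


def search(base, filt):
    """Equality search over the subtree under base; JNDIRealm's default is
    one-level, which is equivalent for this flat tree."""
    m = _EQ.match(filt)
    if not m:
        raise ValueError("only simple equality filters are modelled: %r" % filt)
    attr, value = m.group(1), m.group(2)
    return [dn for dn, entry in DIRECTORY.items()
            if dn.endswith("," + base) and value in entry.get(attr, [])]


def find_user_dn(realm, username):
    """userSearch with {0} replaced by the username; exactly one hit expected.
    No escaping is done here; a real realm must escape filter metacharacters."""
    hits = search(realm["userBase"], realm["userSearch"].replace("{0}", username))
    return hits[0] if len(hits) == 1 else None


def bind(dn, password):
    """Simulated simple bind: succeeds only when the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userPassword", [])


def get_roles(realm, user_dn):
    """Like JNDIRealm.getRoles: substitute the user DN for {0} in roleSearch,
    search roleBase, and collect the roleName attribute of every hit."""
    filt = realm["roleSearch"].replace("{0}", user_dn)
    roles = []
    for dn in search(realm["roleBase"], filt):
        roles.extend(DIRECTORY[dn].get(realm["roleName"], []))
    return roles


def authenticate(realm, username, password):
    """Return the user's role list on success, None when lookup or bind fails."""
    dn = find_user_dn(realm, username)
    if dn is None or not bind(dn, password):
        return None
    return get_roles(realm, dn)


if __name__ == "__main__":
    print("posted config: ", authenticate(POSTED_REALM, "gast", "geheim"))
    print("fixed config:  ", authenticate(FIXED_REALM, "gast", "geheim"))
    print("wrong password:", authenticate(FIXED_REALM, "gast", "nope"))
```

The substitution is the whole point: in roleSearch, {0} is the authenticated user's full DN, so a filter of (userPassword={0}) can never match anything, and roleName is read as the name of an attribute, so "(cn={0})" names no attribute at all. With only name and password stored per user, the directory needs a separate entry (here a groupOfNames) that refers back to the user's DN for a roleSearch to find; alternatively, later Tomcat releases can read a role attribute from the user entry itself, but that still requires an attribute the poster's entries do not have.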


