Well, I still got a problem.
After activating my active directory realm the applications don't anymore.
I got this error:
Mrz 17, 2014 1:49:28 PM org.apache.catalina.startup.HostConfig deployDescriptor
Schwerwiegend: Error deploying configuration descriptor
/app/tomcat2/tomcat/conf/Catalina/localhost/app.xml
java.lang.IllegalStateException: ContainerBase.addChild: start:
org.apache.catalina.LifecycleException: Failed to start component
[StandardEngine[Catalina].StandardHost[localhost].StandardContext[/app]]
at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:904)
at
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:618)
at
org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:650)
at
org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1582)
at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Best Regards,
Bjoern
-----Ursprüngliche Nachricht-----
Von: Becker, Björn
Gesendet: Montag, 17. März 2014 13:06
An: [email protected]
Betreff: AW: JNDIRealm - Active Directory Roles
Hallo Felix,
thanks for explaination! I got it now!
What helps was to enable debugging:
# conf/logging.conf
# This would turn on trace-level for everything # the possible levels are:
SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL
#org.apache.catalina.level = ALL #org.apache.catalina.handlers =
2localhost.org.apache.juli.FileHandler
org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true
I got this realm config now:
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionName="CN=SVC_TomcatLdapQuery,OU=Service
Accounts,OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC= "
connectionPassword="PASS"
connectionURL="ldap://server:389/OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC=?sAMAccountName?sub?(objectClass=*)"
userSearch="(sAMAccountName={0})"
userSubtree="true"
roleSubtree="true"
roleName="CN"
userRoleName="memberOf"
/>
And I copy the manager-gui constraint in web.xml of the manager application and
put in my new role:
<role-name>CN=DG_R_Tomcat Admins UAT,OU=Roles,OU=Spezielle
Gruppen,OU=Hamburg,OU=SITES,OU=\#KONFIGURATION,DC=,DC= </role-name>
Thanks a lot!
Best Regards,
Bjoern
-----Ursprüngliche Nachricht-----
Von: Felix Schumacher [mailto:[email protected]]
Gesendet: Samstag, 15. März 2014 21:52
An: [email protected]
Betreff: Re: JNDIRealm - Active Directory Roles
Am 13.03.2014 18:15, schrieb [email protected]:
> Hello,
>
> I try to implement the authentification for the tomcat manager application
> against active directory.
>
> Unfortunately I don't understand the role concept. I like to give the users
> permissions to open the manager when they're in this group:
>
>> memberOf: CN=Tomcat Admins,OU=Roles,OU=Spezielle
>> Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de
> server.xml:
> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
> connectionName="CN=SVC,OU=Service
> Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
> connectionPassword="_2VK!WHzybn1SJ8P"
>
> connectionURL="ldap://server:389/OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de?sAMAccountName?sub?(objectClass=*)"
>
> userSearch="(sAMAccountName={0})"
> userSubtree="true"
>
> roleSearch="(memberof={0})"
> roleSubtree="true"
> userRoleName="CN=Tomcat Admins,OU=Roles,OU=Spezielle
> Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de "
> />
>
> <!-- roleBase="DC=DOM,DC=de"
> roleName="cn"
> -->
>
> With this configuration I can open the Manager, but got no permissions.
>
> Even if the user role relationship will found, I don't understand how I can
> assign tomcat roles (e.g. manager-gui) to the user.
Looking at the documentation on
http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm
you have three settings which are most probably not correct.
* roleSearch will only be used, if roleName is set (which is commented out in
your configuration)
* roleSearch will be used to search for objects that match the given filter.
In your case you would find user objects instead of group objects.
* userRoleName should be the name of an attribute in the user object (cn=...
is not a name of an attribute, but rather a value)
So given your goal, that cn=tomcat admins,... should be a role, you have two
options.
* You could activate roleName=cn (or another attribute name) and change the
roleSearch to member={0}. Then the realm would (hopefully) find the object
cn=tomcat admins,...
* You could change userRoleName to memberOf
In the first case your user would have a role with the name "Tomcat Admins".
The second option would lead to a role name of "cn=Tomcat Admins,...".
In both cases you would have to change the security constraints in the webapp
(those are defined in the WEB-INF/web.xml file).
If your role objects had other attributes with values that match the roles
defined in web.xml you could simply change roleName in the first option above.
Regards
Felix
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
