On 17. März 2014 13:53:18 MEZ, bjoern.bec...@easycash.de wrote:
>Well, I still got a problem. 
>After activating my active directory realm the applications don't
>anymore.
>
>I got this error:
>
>Mrz 17, 2014 1:49:28 PM org.apache.catalina.startup.HostConfig
>deployDescriptor
>Schwerwiegend: Error deploying configuration descriptor
>/app/tomcat2/tomcat/conf/Catalina/localhost/app.xml
>java.lang.IllegalStateException: ContainerBase.addChild: start:
>org.apache.catalina.LifecycleException: Failed to start component
>[StandardEngine[Catalina].StandardHost[localhost].StandardContext[/app]]

 Have you looked at the localhost log file? Maybe you have a problem with 
web.xml?

Regards
Felix

>       at
>org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:904)
>       at
>org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
>       at
>org.apache.catalina.core.StandardHost.addChild(StandardHost.java:618)
>       at
>org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:650)
>       at
>org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1582)
>       at
>java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>       at java.util.concurrent.FutureTask.run(FutureTask.java:262)
>       at
>java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>       at
>java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>       at java.lang.Thread.run(Thread.java:744)
>
>
>Best Regards,
>Bjoern
>
>
>-----Ursprüngliche Nachricht-----
>Von: Becker, Björn 
>Gesendet: Montag, 17. März 2014 13:06
>An: users@tomcat.apache.org
>Betreff: AW: JNDIRealm - Active Directory Roles
>
>Hallo Felix,
>
>thanks for explaination! I got it now! 
>
>What helps was to enable debugging:
>
># conf/logging.conf
># This would turn on trace-level for everything # the possible levels
>are: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL
>#org.apache.catalina.level = ALL #org.apache.catalina.handlers =
>2localhost.org.apache.juli.FileHandler
>org.apache.catalina.realm.level = ALL
>org.apache.catalina.realm.useParentHandlers = true
>org.apache.catalina.authenticator.level = ALL
>org.apache.catalina.authenticator.useParentHandlers = true
>
>I got this realm config now:
>
>       <Realm className="org.apache.catalina.realm.JNDIRealm"
>                       connectionName="CN=SVC_TomcatLdapQuery,OU=Service
>Accounts,OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC= "
>                       connectionPassword="PASS"
>                       
> connectionURL="ldap://server:389/OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC=?sAMAccountName?sub?(objectClass=*)"
>                       userSearch="(sAMAccountName={0})"
>                       userSubtree="true"
>                       roleSubtree="true"
>                       roleName="CN"
>                       userRoleName="memberOf"
>        />
>
>And I copy the manager-gui constraint in web.xml of the manager
>application and put in my new role:
>
><role-name>CN=DG_R_Tomcat Admins UAT,OU=Roles,OU=Spezielle
>Gruppen,OU=Hamburg,OU=SITES,OU=\#KONFIGURATION,DC=,DC= </role-name>
>
>Thanks a lot! 
>
>Best Regards,
>Bjoern
>
>-----Ursprüngliche Nachricht-----
>Von: Felix Schumacher [mailto:felix.schumac...@internetallee.de]
>Gesendet: Samstag, 15. März 2014 21:52
>An: users@tomcat.apache.org
>Betreff: Re: JNDIRealm - Active Directory Roles
>
>Am 13.03.2014 18:15, schrieb bjoern.bec...@easycash.de:
>> Hello,
>>
>> I try to implement the authentification for the tomcat manager
>application against active directory.
>>
>> Unfortunately I don't understand the role concept. I like to give the
>users permissions to open the manager when they're in this group:
>>
>>> memberOf: CN=Tomcat Admins,OU=Roles,OU=Spezielle 
>>> Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de
>> server.xml:
>>          <Realm className="org.apache.catalina.realm.JNDIRealm" 
>debug="99"
>>                  connectionName="CN=SVC,OU=Service
>Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
>>                  connectionPassword="_2VK!WHzybn1SJ8P"
>>                 
>connectionURL="ldap://server:389/OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de?sAMAccountName?sub?(objectClass=*)"
>>          
>>                  userSearch="(sAMAccountName={0})"
>>                  userSubtree="true"
>>
>>                  roleSearch="(memberof={0})"
>>                  roleSubtree="true"
>>                  userRoleName="CN=Tomcat Admins,OU=Roles,OU=Spezielle
>Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de "
>>              />
>>
>> <!--            roleBase="DC=DOM,DC=de"
>>                  roleName="cn"
>> -->
>>
>> With this configuration I can open the Manager, but got no
>permissions.
>>
>> Even if the user role relationship will found, I don't understand how
>I can assign tomcat roles (e.g. manager-gui) to the user.
>Looking at the documentation on
>http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm
>you have three settings which are most probably not correct.
>
>* roleSearch will only be used, if roleName is set (which is commented
>out in your configuration)
>* roleSearch will be used to search for objects that match the given
>filter. In your case you would find user objects instead of group
>objects.
>* userRoleName should be the name of an attribute in the user object
>(cn=... is not a name of an attribute, but rather a value)
>
>So given your goal, that cn=tomcat admins,... should be a role, you
>have two options.
>
>* You could activate roleName=cn (or another attribute name) and change
>the roleSearch to member={0}. Then the realm would (hopefully) find the
>object cn=tomcat admins,...
>  * You could change userRoleName to memberOf
>
>In the first case your user would have a role with the name "Tomcat
>Admins". The second option would lead to a role name of "cn=Tomcat
>Admins,...".
>
>In both cases you would have to change the security constraints in the
>webapp (those are defined in the WEB-INF/web.xml file).
>
>If your role objects had other attributes with values that match the
>roles defined in web.xml you could simply change roleName in the first
>option above.
>
>Regards
>  Felix
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>For additional commands, e-mail: users-h...@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to