On 17 March 2014 13:53:18 CET, bjoern.bec...@easycash.de wrote:
>Well, I still got a problem.
>After activating my active directory realm the applications don't anymore.
>
>I got this error:
>
>Mrz 17, 2014 1:49:28 PM org.apache.catalina.startup.HostConfig deployDescriptor
>Schwerwiegend: Error deploying configuration descriptor /app/tomcat2/tomcat/conf/Catalina/localhost/app.xml
>java.lang.IllegalStateException: ContainerBase.addChild: start: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/app]]

Have you looked at the localhost log file? Maybe you have a problem with web.xml?

Regards
Felix

>        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:904)
>        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
>        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:618)
>        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:650)
>        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1582)
>        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>        at java.util.concurrent.FutureTask.run(FutureTask.java:262)
>        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>        at java.lang.Thread.run(Thread.java:744)
>
>
>Best Regards,
>Bjoern
>
>
>-----Original Message-----
>From: Becker, Björn
>Sent: Monday, 17 March 2014 13:06
>To: users@tomcat.apache.org
>Subject: AW: JNDIRealm - Active Directory Roles
>
>Hello Felix,
>
>thanks for the explanation! I got it now!
>
>What helped was to enable debugging:
>
># conf/logging.conf
># This would turn on trace-level for everything
># the possible levels are: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL
>#org.apache.catalina.level = ALL
>#org.apache.catalina.handlers = 2localhost.org.apache.juli.FileHandler
>org.apache.catalina.realm.level = ALL
>org.apache.catalina.realm.useParentHandlers = true
>org.apache.catalina.authenticator.level = ALL
>org.apache.catalina.authenticator.useParentHandlers = true
>
>I got this realm config now:
>
>      <Realm className="org.apache.catalina.realm.JNDIRealm"
>             connectionName="CN=SVC_TomcatLdapQuery,OU=Service Accounts,OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC= "
>             connectionPassword="PASS"
>             connectionURL="ldap://server:389/OU=,OU=SITES,OU=\#KONFIGURATION,DC=,DC=?sAMAccountName?sub?(objectClass=*)"
>             userSearch="(sAMAccountName={0})"
>             userSubtree="true"
>             roleSubtree="true"
>             roleName="CN"
>             userRoleName="memberOf"
>      />
>
>And I copied the manager-gui constraint in web.xml of the manager application and put in my new role:
>
><role-name>CN=DG_R_Tomcat Admins UAT,OU=Roles,OU=Spezielle Gruppen,OU=Hamburg,OU=SITES,OU=\#KONFIGURATION,DC=,DC= </role-name>
>
>Thanks a lot!
>
>Best Regards,
>Bjoern
>
>-----Original Message-----
>From: Felix Schumacher [mailto:felix.schumac...@internetallee.de]
>Sent: Saturday, 15 March 2014 21:52
>To: users@tomcat.apache.org
>Subject: Re: JNDIRealm - Active Directory Roles
>
>On 13.03.2014 18:15, bjoern.bec...@easycash.de wrote:
>> Hello,
>>
>> I try to implement the authentication for the tomcat manager application against active directory.
>>
>> Unfortunately I don't understand the role concept.
>> I like to give the users permissions to open the manager when they're in this group:
>>
>>> memberOf: CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de
>> server.xml:
>>     <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>>            connectionName="CN=SVC,OU=Service Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
>>            connectionPassword="_2VK!WHzybn1SJ8P"
>>            connectionURL="ldap://server:389/OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de?sAMAccountName?sub?(objectClass=*)"
>>
>>            userSearch="(sAMAccountName={0})"
>>            userSubtree="true"
>>
>>            roleSearch="(memberof={0})"
>>            roleSubtree="true"
>>            userRoleName="CN=Tomcat Admins,OU=Roles,OU=Spezielle Gruppen,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de "
>>     />
>>
>> <!--       roleBase="DC=DOM,DC=de"
>>            roleName="cn"
>> -->
>>
>> With this configuration I can open the Manager, but got no permissions.
>>
>> Even if the user role relationship will be found, I don't understand how I can assign tomcat roles (e.g. manager-gui) to the user.
>Looking at the documentation on
>http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm
>you have three settings which are most probably not correct.
>
>* roleSearch will only be used, if roleName is set (which is commented out in your configuration)
>* roleSearch will be used to search for objects that match the given filter. In your case you would find user objects instead of group objects.
>* userRoleName should be the name of an attribute in the user object (cn=... is not a name of an attribute, but rather a value)
>
>So given your goal, that cn=tomcat admins,... should be a role, you have two options.
>
>* You could activate roleName=cn (or another attribute name) and change the roleSearch to member={0}. Then the realm would (hopefully) find the object cn=tomcat admins,...
>* You could change userRoleName to memberOf
>
>In the first case your user would have a role with the name "Tomcat Admins". The second option would lead to a role name of "cn=Tomcat Admins,...".
>
>In both cases you would have to change the security constraints in the webapp (those are defined in the WEB-INF/web.xml file).
>
>If your role objects had other attributes with values that match the roles defined in web.xml you could simply change roleName in the first option above.
>
>Regards
> Felix
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>For additional commands, e-mail: users-h...@tomcat.apache.org
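
The two options described in the quoted reply of 15 March, written out as configuration. This is an added example, not part of the original thread: the DNs are the ones from the first message, `PASS` is a placeholder, and the split into a plain `connectionURL` plus `userBase`/`roleBase` and the `/html/*` constraint of the stock manager application are assumptions.

```xml
<!-- conf/server.xml, option 1: roles come from a group search.
     {0} in roleSearch is the DN of the authenticated user; roleName picks
     the group attribute used as role name, so the role is "Tomcat Admins". -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://server:389"
       connectionName="CN=SVC,OU=Service Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
       connectionPassword="PASS"
       userBase="OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleBase="DC=DOM,DC=de"
       roleSearch="(member={0})"
       roleName="cn"
       roleSubtree="true" />

<!-- conf/server.xml, option 2: roles come from an attribute of the user
     entry. Every memberOf value becomes a role, so the role name is the
     full group DN ("CN=Tomcat Admins,OU=Roles,..."). -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://server:389"
       connectionName="CN=SVC,OU=Service Accounts,OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
       connectionPassword="PASS"
       userBase="OU=SITES,OU=\#KONFIGURATION,DC=DOM,DC=de"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       userRoleName="memberOf" />
<!-- Plain ldap:// carries the bind and user passwords unencrypted;
     ldaps:// is preferable where the directory offers it. -->

<!-- webapps/manager/WEB-INF/web.xml: the role-name must be exactly the
     string the realm produces. Shown for option 1; with option 2 the
     role-name is the complete group DN instead. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTML Manager interface (for humans)</web-resource-name>
    <url-pattern>/html/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager-gui</role-name>
    <role-name>Tomcat Admins</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>Tomcat Admins</role-name>
</security-role>
```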