I've been reading the tomcat 5.5 doc and searching MARC but still have questions about making this work. This seems to come up frequently but I have not been able to puzzle out a solution. Has anyone actually gotten tomcat to authenticate with Active Directory (AD)? I'm worried that the configuration options available in the JNDIRealm are insufficient for AD.
The goal is to allow access to users who are a member of the ccir_user group in AD. The error I get (included below) indicates to me that the realm never connects to AD. Is it trying to connect anonymously? Is it trying to connect with juser3's principal name? Distinguished name? I can connect to AD using JXplorer and juser3's principal name and password. How should I configure JNDIRealm for this situation? That's a lot of questions, but having a thread that answered a complete example would help a lot more people than just me. Thanks for your help. It is appreciated!

-Dave

Here is the relevant portion of the web.xml:

  <security-role>
    <role-name>ccir_user</role-name>
  </security-role>

  <security-constraint>
    <display-name>Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <!-- Define the context-relative URL(s) to be protected -->
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Anyone with one of the listed roles may access this area -->
      <role-name>ccir_user</role-name>
    </auth-constraint>
  </security-constraint>

  <!--
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  -->

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>CCIR Portal</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html indicates that setting connectionName and connectionPassword causes Tomcat to use "comparison mode", which makes the realm retrieve the password from the directory. From what I can tell, Active Directory does not allow the retrieval of its password field, so this option is not available to me.

I'm attempting to configure the realm like this:

  <Realm className="org.apache.catalina.realm.JNDIRealm"
         debug="99"
         connectionURL="ldap://10.252.181.50:389"
         userPattern="sAMAccountName={0},ou=Users,ou=CCIR,dc=red,dc=ccirdev,dc=mir"
         roleBase="ou=Groups,ou=CCIR,dc=red,dc=ccirdev,dc=mir"
         roleName="cn"
         roleSearch="member={0}" />

I'm confident that connectionURL, userPattern, and roleBase are reasonable for my setup. I'm not at all sure about roleName and roleSearch. I attempt to login as juser3. I can connect to AD using JXplorer and the principal name [EMAIL PROTECTED] and the password.

Here is the corresponding object in AD as displayed by JXplorer:

  cn                    Jeff User3
  instanceType          4
  nTSecurityDescriptor
  objectCategory        CN=Person,CN=Schema,CN=Configuration,DC=ccirdev,DC=mir
  objectClass           top
  objectClass           person
  objectClass           organizationalPerson
  objectClass           user
  accountExpires        9223372036854775807
  badPasswordTime       128473940593781285
  badPwdCount           0
  codePage              0
  company               MIR
  countryCode           0
  department            CCIR
  displayName           Jeff User3
  distinguishedName     CN=Jeff User3,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
  givenName             Jeff
  lastLogoff            0
  lastLogon             128474750558020052
  lastLogonTimestamp    128467468249071167
  logonCount            376
  mail                  [EMAIL PROTECTED]
  memberOf              CN=ccir_user,OU=Groups,OU=CCIR,DC=red,DC=ccirdev,DC=mir
  name                  Jeff User3
  objectGUID            (non string data)
  objectSid             (non string data)
  primaryGroupID        513
  pwdLastSet            128421461731492461
  sAMAccountName        juser3
  sAMAccountType        805306368
  sn                    User3
  telephoneNumber       314-555-1212
  userAccountControl    66048
  userPrincipalName     [EMAIL PROTECTED]
  uSNChanged            90445
  uSNCreated            51333
  whenChanged           20080213154204.0Z
  whenCreated           20071214224933.0Z

Here is the AD object corresponding to the ccir_user group:

  groupType             -2147483646
  instanceType          4
  nTSecurityDescriptor
  objectCategory        CN=Group,CN=Schema,CN=Configuration,DC=ccirdev,DC=mir
  objectClass           top
  objectClass           group
  cn                    ccir_user
  distinguishedName     CN=ccir_user,OU=Groups,OU=CCIR,DC=red,DC=ccirdev,DC=mir
  member                CN=David Maffitt,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
  member                CN=Jane User2,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
  member                CN=Jeff User3,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
  member                CN=Joe Dev,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
  member                CN=Joe Exec,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
  member                CN=Joe Ops,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
  member                CN=Joe Tech,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
  member                CN=Joe User1,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
  name                  ccir_user
  objectGUID            (non string data)
  objectSid             (non string data)
  sAMAccountName        ccir_user
  sAMAccountType        268435456
  uSNChanged            88966
  uSNCreated            51096
  whenChanged           20080212185444.0Z
  whenCreated           20071214211953.0Z

Here is the error in catalina.out:

  Feb 14, 2008 3:39:20 PM org.apache.catalina.realm.JNDIRealm authenticate
  SEVERE: Exception performing authentication
  javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, [EMAIL PROTECTED]; remaining name 'sAMAccountName=juser3,ou=Users,ou=CCIR,dc=red,dc=ccirdev,dc=mir'
          at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3025)
          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2737)
          at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1291)
          at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:213)
          at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:121)
          at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:109)
          at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:123)
          at org.apache.catalina.realm.JNDIRealm.getUserByPattern(JNDIRealm.java:993)
          at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:957)
          at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:883)
          at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:809)
          at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:258)
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:417)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
          at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
          at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
          at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
          at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
          at java.lang.Thread.run(Thread.java:595)
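The following is an added worked example, not part of Dave's post and not Tomcat's own code. It expands the JNDIRealm placeholders the way the realm does ({0} is the login name in userPattern; {0} is the user's DN and {1} the login name in roleSearch) and checks the results against the two directory entries quoted above, which are reconstructed here as Python dictionaries (only the DN-related attributes are kept). The DN the pattern produces for juser3 is exactly the "remaining name" in the catalina.out exception, and the example shows whether that DN names the user entry shown by JXplorer and which roles the configured roleSearch yields for it versus for the entry's real distinguishedName. The filter evaluation is deliberately limited to single-term equality filters, which is all the post's roleSearch needs.

```python
# Added example: JNDIRealm placeholder expansion and DN matching, checked
# against the entries quoted in the post. Not Tomcat code; the entries below
# are constructed from the JXplorer listings in the post.


def expand_pattern(pattern, *args):
    """Substitute {0}, {1}, ... positionally.

    JNDIRealm uses java.text.MessageFormat for this; plain replacement is
    equivalent for the patterns in the post (no quotes or escaped braces).
    """
    out = pattern
    for i, arg in enumerate(args):
        out = out.replace("{%d}" % i, arg)
    return out


def normalize_dn(dn):
    """Canonical form for comparing DNs.

    Attribute types and values are matched case-insensitively in Active
    Directory, and whitespace around commas is not significant. Escaped
    commas (\\,) are not handled; none occur in the post's DNs.
    """
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(attr.strip().lower() + "=" + " ".join(value.split()).lower())
    return ",".join(rdns)


def dn_equal(a, b):
    return normalize_dn(a) == normalize_dn(b)


# Constructed from the JXplorer output in the post.
USER_JUSER3 = {
    "sAMAccountName": "juser3",
    "distinguishedName": "CN=Jeff User3,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir",
    "memberOf": ["CN=ccir_user,OU=Groups,OU=CCIR,DC=red,DC=ccirdev,DC=mir"],
}

GROUP_CCIR_USER = {
    "cn": "ccir_user",
    "distinguishedName": "CN=ccir_user,OU=Groups,OU=CCIR,DC=red,DC=ccirdev,DC=mir",
    "member": [
        "CN=David Maffitt,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir",
        "CN=Jane User2,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir",
        "CN=Jeff User3,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir",
        "CN=Joe Dev,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir",
        "CN=Joe Exec,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir",
        "CN=Joe Ops,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir",
        "CN=Joe Tech,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir",
        "CN=Joe User1,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir",
    ],
}


def user_dn_from_pattern(user_pattern, username):
    """The DN the realm looks up when userPattern is configured."""
    return expand_pattern(user_pattern, username)


def pattern_dn_exists(user_pattern, username, entries):
    """Does the pattern-expanded DN name one of the known entries?"""
    dn = user_dn_from_pattern(user_pattern, username)
    return any(dn_equal(dn, e["distinguishedName"]) for e in entries)


def roles_for(user_dn, username, role_search, role_name, groups):
    """Evaluate a single-term equality filter such as 'member={0}' or
    '(member={0})' over the given group entries and return the roleName
    attribute of every group that matches, as the realm does under roleBase."""
    flt = expand_pattern(role_search, user_dn, username).strip("()")
    attr, _, wanted = flt.partition("=")
    roles = []
    for group in groups:
        values = group.get(attr, [])
        if isinstance(values, str):
            values = [values]
        if any(dn_equal(v, wanted) for v in values):
            roles.append(group[role_name])
    return roles


def report(user_pattern, role_search, role_name):
    """Summarise what a userPattern/roleSearch pair does for juser3."""
    username = USER_JUSER3["sAMAccountName"]
    guessed = user_dn_from_pattern(user_pattern, username)
    actual = USER_JUSER3["distinguishedName"]
    groups = [GROUP_CCIR_USER]
    return {
        "pattern_dn": guessed,
        "pattern_dn_is_real_entry": pattern_dn_exists(user_pattern, username, [USER_JUSER3]),
        "roles_via_pattern_dn": roles_for(guessed, username, role_search, role_name, groups),
        "roles_via_actual_dn": roles_for(actual, username, role_search, role_name, groups),
    }


if __name__ == "__main__":
    # The values from the <Realm> element in the post.
    result = report("sAMAccountName={0},ou=Users,ou=CCIR,dc=red,dc=ccirdev,dc=mir",
                    "member={0}", "cn")
    for key, value in result.items():
        print("%-26s %s" % (key, value))
```

Running it prints the expanded DN that appears in the exception's "remaining name", reports that this DN does not equal the user's distinguishedName from JXplorer, and shows that the same roleSearch does return ccir_user once the entry's real DN is substituted for {0}. The group lookup is also repeated with the filter wrapped in parentheses, the form the Tomcat documentation uses, to show the two spellings are treated alike here.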