I've been reading the tomcat 5.5 doc and searching MARC but still have 
questions about making this work. This seems to come up frequently but I have 
not been able to puzzle out a solution.  Has anyone actually gotten tomcat to 
authenticate with Active Directory (AD)?  I'm worried that the configuration 
options available in the JNDIRealm are insufficient for AD.

The goal is to allow access to users who are a member of the ccir_user group in 
AD.  The error I get (included below) indicates to me that the realm never 
connects to AD.  Is it trying to connect anonymously?  Is it trying to connect 
with juser3's principal name? distinguished name? I can connect to AD using 
JXplorer and juser3's principal name and password.  How should I configure 
JNDIRealm for this situation?

That's a lot of questions but having a thread that answered a complete example 
would help a lot more people than just me.

Thanks for your help.  It is appreciated!

-Dave


Here is the relevant portion of the web.xml:

   <security-role>
      <role-name>ccir_user</role-name>
   </security-role>

   <security-constraint>
      <display-name>Security Constraint</display-name>
      <web-resource-collection>
         <web-resource-name>Protected Area</web-resource-name>
         <!-- Define the context-relative URL(s) to be protected -->
         <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <!-- Anyone with one of the listed roles may access this area -->
         <role-name>ccir_user</role-name>
      </auth-constraint>
   </security-constraint>

   <!--
   <login-config>
      <auth-method>BASIC</auth-method>
   </login-config>
   -->

   <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>CCIR Portal</realm-name>
      <form-login-config>
         <form-login-page>/login.jsp</form-login-page>
         <form-error-page>/loginError.jsp</form-error-page>
      </form-login-config>
   </login-config>


http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html  indicates that 
setting connectionName and connectionPassword causes tomcat to use "comparison 
mode" which makes the realm retrieve the password from the directory.  From 
what I can tell, Active Directory does not allow the retrieval of its password 
field, so this option is not available to me.

I'm attempting to configure the realm like this:


    <Realm className="org.apache.catalina.realm.JNDIRealm"
           debug="99"
           connectionURL="ldap://10.252.181.50:389"
           userPattern="sAMAccountName={0},ou=Users,ou=CCIR,dc=red,dc=ccirdev,dc=mir"
           roleBase="ou=Groups,ou=CCIR,dc=red,dc=ccirdev,dc=mir"
           roleName="cn"
           roleSearch="member={0}"
    />

I'm confident that connectionURL, userPattern, and roleBase are reasonable for 
my setup.  I'm not at all sure about roleName and roleSearch.

I attempt to login as juser3. I can connect to AD using JXplorer and the 
principal name [EMAIL PROTECTED] and the password.
Here is the corresponding object in AD as displayed by JXplorer:


cn                  Jeff User3
instanceType        4
nTSecurityDescriptor
objectCategory      CN=Person,CN=Schema,CN=Configuration,DC=ccirdev,DC=mir
objectClass         top
objectClass         person
objectClass         organizationalPerson
objectClass         user
accountExpires      9223372036854775807
badPasswordTime     128473940593781285
badPwdCount         0
codePage            0
company             MIR
countryCode         0
department          CCIR
displayName         Jeff User3
distinguishedName   CN=Jeff User3,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
givenName           Jeff
lastLogoff          0
lastLogon           128474750558020052
lastLogonTimestamp  128467468249071167
logonCount          376
mail                [EMAIL PROTECTED]
memberOf            CN=ccir_user,OU=Groups,OU=CCIR,DC=red,DC=ccirdev,DC=mir
name                Jeff User3
objectGUID          (non string data)
objectSid           (non string data)
primaryGroupID      513
pwdLastSet          128421461731492461
sAMAccountName      juser3
sAMAccountType      805306368
sn                  User3
telephoneNumber     314-555-1212
userAccountControl  66048
userPrincipalName   [EMAIL PROTECTED]
uSNChanged          90445
uSNCreated          51333
whenChanged         20080213154204.0Z
whenCreated         20071214224933.0Z



Here is the AD object corresponding to the ccir_user group:

groupType           -2147483646
instanceType        4
nTSecurityDescriptor
objectCategory      CN=Group,CN=Schema,CN=Configuration,DC=ccirdev,DC=mir
objectClass         top
objectClass         group
cn                  ccir_user
distinguishedName   CN=ccir_user,OU=Groups,OU=CCIR,DC=red,DC=ccirdev,DC=mir
member              CN=David Maffitt,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
member              CN=Jane User2,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
member              CN=Jeff User3,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
member              CN=Joe Dev,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
member              CN=Joe Exec,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
member              CN=Joe Ops,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
member              CN=Joe Tech,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
member              CN=Joe User1,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir
name                ccir_user
objectGUID          (non string data)
objectSid           (non string data)
sAMAccountName      ccir_user
sAMAccountType      268435456
uSNChanged          88966
uSNCreated          51096
whenChanged         20080212185444.0Z
whenCreated         20071214211953.0Z


Here is the error in catalina.out:


Feb 14, 2008 3:39:20 PM org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: 
DSID-0C090627, comment: In order to perform this operation a successful bind 
must be completed on the connection., data 0, [EMAIL PROTECTED]; remaining name 
'sAMAccountName=juser3,ou=Users,ou=CCIR,dc=red,dc=ccirdev,dc=mir'
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3025)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2737)
        at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1291)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:213)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:121)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:109)
        at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:123)
        at org.apache.catalina.realm.JNDIRealm.getUserByPattern(JNDIRealm.java:993)
        at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:957)
        at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:883)
        at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:809)
        at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:258)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:417)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
        at java.lang.Thread.run(Thread.java:595)


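Added example (editor's note, not Tomcat code and not part of Dave's post): a small model of what JNDIRealm does with the two entries listed above. The stack trace shows getUserByPattern calling getAttributes on the composed DN before any bind has happened, which AD refuses with error code 1 (the "successful bind must be completed" message). Setting connectionName and connectionPassword does not by itself switch the realm into comparison mode; the realm-howto only does that when userPassword is also set. With userPassword left unset, the connection account is used just to find the user's entry, and the user's own password is still verified by binding as the DN that was found. The model below implements the documented substitutions (userPattern {0} = username; roleSearch {0} = the user's DN, {1} = the username) plus one LDAP equality filter, over an in-memory copy of the listed entries (constructed from the JXplorer output, not a live directory; the attribute names are the ones shown in the post, the function names are my own). It shows a second problem with the posted config: the DN composed from userPattern, sAMAccountName=juser3,ou=Users,..., is not the entry's real distinguishedName, CN=Jeff User3,OU=Users,..., which is what the group's member attribute holds, so roleSearch="member={0}" never matches. A userBase/userSearch lookup returns the real DN and the role search then succeeds. The escaping is RFC 4515 filter escaping, which is what keeps a login name from rewriting the filter.

```python
"""Model of how Tomcat's JNDIRealm turns a login name into a user DN and a
role list, run against an in-memory copy of the two AD entries quoted in the
post.  Added example, not Tomcat code: it implements only the documented
substitutions (userPattern {0} = username; roleSearch {0} = user DN,
{1} = username) and a single LDAP equality filter."""

# Constructed from the JXplorer listings in the post; not a live directory.
DIRECTORY = {
    "CN=Jeff User3,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["juser3"],
        "memberOf": ["CN=ccir_user,OU=Groups,OU=CCIR,DC=red,DC=ccirdev,DC=mir"],
    },
    "CN=ccir_user,OU=Groups,OU=CCIR,DC=red,DC=ccirdev,DC=mir": {
        "objectClass": ["top", "group"],
        "cn": ["ccir_user"],
        "sAMAccountName": ["ccir_user"],
        "member": [
            "CN=David Maffitt,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir",
            "CN=Jeff User3,OU=Users,OU=CCIR,DC=red,DC=ccirdev,DC=mir",
        ],
    },
}


def escape_filter_value(value):
    """RFC 4515 escaping for text substituted into a search filter, so a login
    name such as 'juser3)(cn=*' cannot change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def _unescape(value):
    """Reverse escape_filter_value so escaped values compare equal to stored ones."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 3 <= len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _normalize(value):
    """Comparison form: AD matches DN components and most string attributes
    case-insensitively, and ignores whitespace around DN separators."""
    return ",".join(part.strip() for part in value.split(",")).lower()


def _matches(attrs, filt):
    """Evaluate one equality filter, '(attr=value)' or 'attr=value', against an entry."""
    f = filt.strip()
    if f.startswith("(") and f.endswith(")"):
        f = f[1:-1]
    name, _, value = f.partition("=")
    wanted = _normalize(_unescape(value))
    for attr, values in attrs.items():
        if attr.lower() == name.strip().lower():
            return any(_normalize(v) == wanted for v in values)
    return False


def search(base, filt):
    """Subtree search: DNs of entries under base whose attributes match filt."""
    base_n = _normalize(base)
    return [dn for dn, attrs in DIRECTORY.items()
            if _normalize(dn).endswith(base_n) and _matches(attrs, filt)]


def user_dn_from_pattern(user_pattern, username):
    """userPattern mode: the realm composes the DN by substitution and reads
    that entry directly, so it must name an entry that really exists."""
    return user_pattern.replace("{0}", username)


def user_dn_from_search(user_base, user_search, username):
    """userSearch mode: the realm searches (as connectionName) for the entry and
    then binds as the DN it found, so the login name need not be an RDN."""
    found = search(user_base, user_search.replace("{0}", escape_filter_value(username)))
    return found[0] if found else None


def roles_for(role_base, role_search, role_name, user_dn, username):
    """Collect role_name values from every entry under role_base that matches roleSearch."""
    filt = (role_search.replace("{0}", escape_filter_value(user_dn))
                       .replace("{1}", escape_filter_value(username)))
    roles = []
    for dn in search(role_base, filt):
        roles.extend(DIRECTORY[dn].get(role_name, []))
    return roles


def demo(username="juser3"):
    """Compare the posted userPattern configuration with a userSearch one."""
    role_base = "ou=Groups,ou=CCIR,dc=red,dc=ccirdev,dc=mir"
    pattern_dn = user_dn_from_pattern(
        "sAMAccountName={0},ou=Users,ou=CCIR,dc=red,dc=ccirdev,dc=mir", username)
    search_dn = user_dn_from_search(
        "ou=Users,ou=CCIR,dc=red,dc=ccirdev,dc=mir", "(sAMAccountName={0})", username)
    return {
        "pattern_dn": pattern_dn,
        "pattern_dn_exists": _normalize(pattern_dn) in {_normalize(d) for d in DIRECTORY},
        "search_dn": search_dn,
        "roles_via_pattern": roles_for(role_base, "(member={0})", "cn", pattern_dn, username),
        "roles_via_search": (roles_for(role_base, "(member={0})", "cn", search_dn, username)
                             if search_dn else []),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-18s %s" % (key, value))
```

Running demo() shows pattern_dn_exists False and roles_via_pattern empty, while search_dn is the real CN=Jeff User3 entry and roles_via_search is ['ccir_user']. The account named in connectionName only needs read access to the Users and Groups OUs for this lookup; since userPassword stays unset, no password attribute is ever read from the directory.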