Interesting. My configuration uses the latter - by doing a bind, getting
the user object, and comparing it locally.

Thanks.

-----Original Message-----
From: news [mailto:n...@ger.gmane.org] On Behalf Of Eric B.
Sent: Wednesday, 12 August 2009 7:03 a.m.
To: users@tomcat.apache.org
Subject: Re: Re: Trouble configuring LDAP authentication

> "Geofrey Rainey" <geofrey.rai...@tvnz.co.nz> wrote in message
> news:fcff2ec7a020964fbc98b17f17a88ac4018ba...@akvxch01.tvnzad.tvnz.co.nz
...
> I remember the big issue I faced regarding the JNDIRealm auth were the
> parameters in my Realm definition, there was one line that once added
> everything started working, I think it was either "referrals" or "
> "userSearch="(sAMAccountName={0})" - which I recall were both necessary
> in my instance, or one of the "role|usersubtree" ones.
>
> I found the following link invaluable in configuring my server, it's a
> must read:
>
> http://www.jspwiki.org/wiki/ActiveDirectoryIntegration
>
> Regarding logging, I found this tutorial quite helpful:
>
> http://wiki.apache.org/tomcat/Logging_Tutorial
>

Thanks for the links and the feedback.  Several hours of reading docs
online, source code, pulling hair and randomly trying things, I finally
realized that I had to enable the TRACE level of debugging at the
container level to get the debugging out.  Unfortunately, doing that
means having to put the realm defn in the actual context, or there is
way too much noise generated at a higher level.  But it did finally give
me the logging information I needed.

Finally, with some additional help, I discovered that the pwd storage
mechanism in the LDAP server didn't match what Tomcat was expecting, so
I had to drop the userPassword parameter in the Realm defn, which makes
Tomcat validate the user/pwd by trying a simple bind to the LDAP server
using the user's username/pwd instead of retrieving the user's object
and checking the pwd itself.

Finally, everything seems to work.  ....  Several hours later.

Thanks again,

Eric
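The two JNDIRealm modes discussed in this thread, written out as an added example (not configuration posted by Eric, Geofrey, or the Tomcat project). Both are context.xml Realm definitions for org.apache.catalina.realm.JNDIRealm; the host names, service-account DN and password, and base DNs are placeholders. The first form sets userPassword, so Tomcat reads that attribute over the service-account connection and compares the stored value itself. The second omits it, so after locating the user entry Tomcat binds to the directory with that entry's DN and the password entered at login, and the directory does the verification. The bind form is the one the thread ended up with, and it is the only one that works against Active Directory, which never returns a readable password attribute; it also means the service account needs no right to read anyone's password.

```xml
<!-- Added example, not from the thread. Placeholders: ldap.example.com,
     dc1.corp.example.com, the service-account DN/password, and the DC
     components. Put ONE of these Realm elements in the web application's
     context.xml, not both. -->

<!-- Form 1: "retrieve the user object and compare the pwd locally".
     Only works when the directory exposes a password attribute the
     service account is allowed to read, stored in a form JNDIRealm can
     compare. Tomcat never binds as the end user here. -->
<Context>
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://ldap.example.com:389"
         connectionName="cn=tomcat-svc,ou=service,dc=example,dc=com"
         connectionPassword="CHANGE-ME"
         userBase="ou=people,dc=example,dc=com"
         userSearch="(uid={0})"
         userSubtree="true"
         userPassword="userPassword"
         roleBase="ou=groups,dc=example,dc=com"
         roleName="cn"
         roleSearch="(member={0})"
         roleSubtree="true"/>
</Context>

<!-- Form 2: "simple bind as the user". userPassword is omitted, so Tomcat
     finds the entry via userSearch and then binds with that DN and the
     submitted password. This is the usual Active Directory setup:
     userSearch matches on sAMAccountName (as in Geofrey's quoted message)
     and referrals="follow" avoids failures on AD referral responses. -->
<Context>
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://dc1.corp.example.com:389"
         connectionName="CN=tomcat-svc,OU=Service Accounts,DC=corp,DC=example,DC=com"
         connectionPassword="CHANGE-ME"
         referrals="follow"
         userBase="OU=Users,DC=corp,DC=example,DC=com"
         userSearch="(sAMAccountName={0})"
         userSubtree="true"
         roleBase="OU=Groups,DC=corp,DC=example,DC=com"
         roleName="cn"
         roleSearch="(member={0})"
         roleSubtree="true"/>
</Context>
```

Two practical notes. First, connectionPassword is a clear-text directory credential in a file on the Tomcat host, so the service account should be a read-only account that can search the user and group bases and nothing more; in the bind form that is all it ever needs. Second, JNDIRealm logs through the logger of the container it is declared in, which is why Eric found that a Realm in the application's context (as above) rather than in server.xml keeps TRACE-level diagnostics scoped to that one application instead of flooding the whole server log.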




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
