On 10/02/2012 12:54, Lev A KARATUN wrote:
> Please see my answers below.
>
> Best Regards,
> Karatun Lev,
>
>
> Felix Schumacher <felix.schumac...@internetallee.de> wrote on 10.02.2012 15:31:43:
>
>> Felix Schumacher <felix.schumac...@internetallee.de>
>> 10.02.2012 15:32
>>
>> Please respond to
>> "Tomcat Users List" <users@tomcat.apache.org>
>>
>> To
>>
>> Tomcat Users List <users@tomcat.apache.org>
>>
>> cc
>>
>> Subject
>>
>> Re: Fw: Problems with LDAP authentication
>>
>> On 10.02.2012 11:43, Lev A KARATUN wrote:
>>> Does anybody have an idea?..
>>>
>>> --------------------------------------------------------------------------------
>>>
>>> Hi again.
>>>
>>> So, my boss told me that it's insecure to give anyone the password to view
>>> tomcat's logs and that there should be an authentication based on Active
>>> Directory.
>>>
>>> I've been reading the manuals for some time, and configured my Tomcat the
>>> following way:
>>>
>>> $CATALINA_BASE/conf/Catalina/localhost/myapp.xml
>>>
>>> <Context antiResourceLocking="false" privileged="true"
>>> docBase="$CATALINA_BASE/logs" reloadable="true">
>>>
>>> <Realm className="org.apache.catalina.realm.JNDIRealm"
>>> connectionURL="ldap://raiffeisen.ru:389"
>>> connectionName="myacco...@raiffeisen.ru" (I also tried the
>>> format connectionName="cn=myaccount,dc=raiffeisen,dc=ru" - does it matter
>>> what format I use?)
>> For normal ldap servers it would be the latter one, e.g. a fully
>> qualified dn. ADS might accept the mail address of the user, but I
>> frankly don't know.
>
> Anyway, I tried both variants - the server refuses to accept the connection
>
>>
>>> connectionPassword="mypassword"
>>> referrals="follow"
>>> userBase="OU=_Users,DC=raiffeisen,DC=ru"
>>> userSearch="(sAMAccountName={0})"
>>> userSubtree="true"
>>> roleBase="OU=_Groups,DC=raiffeisen,DC=ru"
>>> roleName="cn"
>>> roleSubtree="true"
>>> roleSearch="(member={0})"
>> For ADS you might want to add adCompat="true" (look at
>> http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html for further
>> info).
>>
>
> OK, added, but nothing changed =\
>
>>
>>> />
>>> </Context>
>>>
>>>
>>> WEB-INF/web.xml
>>>
>>> <security-constraint>
>>> <web-resource-collection>
>>> <web-resource-name>Administrative Area</web-resource-name>
>>> <url-pattern>/*</url-pattern>
>>> </web-resource-collection>
>>> <auth-constraint>
>>> <role-name>ADGroupName</role-name>
>>> </auth-constraint>
>>> </security-constraint>
>>>
>>> <security-role>
>>> <description>
>>> The role that is required to view logs
>>> </description>
>>> <role-name>ADGroupName</role-name>
>>> </security-role>
>>>
>>>
>>> I also placed LDAP.jar into $CATALINA_BASE/lib, restarted tomcat for I
>>> guess a hundred times, but every time I'm getting a message in
>>> catalina.out:
>>>
>>> Throwable occurred: LifecycleException: Exception opening directory
>>> server connection: javax.naming.CommunicationException: localhost:389
>>> [Root exception is java.net.ConnectException: A remote host refused an
>>> attempted connect operation.]
>> Since localhost is a different server than the one you told us you had
>> configured, I think your context file is not being used. Search for
>> other context files, where you either have configured localhost or
>> misspelled connectionURL.
>
> But the 389th port is only mentioned in myapp's config file and nowhere
> else. So I assume that Tomcat tries to use myapp.xml, but fails for some
> reason..
>
> The other apps' context files are default - like this:
> <?xml version="1.0" encoding="UTF-8"?>
> <Context antiResourceLocking="false" privileged="true" />
>
>
>>
>>>
>>> and
>>>
>>> SEVERE: Error deploying configuration descriptor myapp.xml
>>> Throwable occurred: java.lang.IllegalStateException:
>>> ContainerBase.addChild: start: LifecycleException: Exception opening
>>> directory server connection: javax.naming.CommunicationException:
>>> localhost:389 [Root exception is java.net.ConnectException: A remote host
>>> refused an attempted connect operation.]
>>>
>>>
>>> I tried to telnet raiffeisen.ru on port 389 and got connected.
>>> I installed JXplorer, entered hostname, port, my credentials and got
>>> connected.
>> telnet localhost 389 and see if you get any errors :)
>
> bash-3.00$ telnet localhost 389
> Trying...
> telnet: connect: A remote host refused an attempted connect operation.
>
>
> ...but WHY is Tomcat trying to connect to localhost? It's clearly written
> in the realm - connectionURL="ldap://raiffeisen.ru:389"
> =(
That's why Felix said that he thought that this config wasn't the one being used.

What is the name of the Context xml file in tomcat/conf/Catalina/localhost?

Is it "logs.xml" or "myapp.xml" or something else?


p

--
[key:62590808]
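Felix's advice to search the other context files for a realm that names localhost or misspells connectionURL, and Pid's question about which file name Tomcat is actually deploying, are both mechanical checks. The following Python script is an added example, not code from this thread or from the Tomcat project: it walks a CATALINA_BASE, lists every JNDIRealm it finds in server.xml, context.xml and conf/Catalina/<host>/*.xml with its connectionURL, flags realms that omit connectionURL (the JNDI LDAP provider then defaults to localhost:389, which produces exactly the "localhost:389" error quoted above) or spell an attribute name in the wrong case, and derives the context path each per-application file would be deployed under. The CATALINA_BASE it creates in a temporary directory, and the two context files inside it, are constructed sample data.

```python
"""Audit the JNDIRealm elements in a Tomcat CATALINA_BASE (added example, not from the thread)."""
import glob
import os
import tempfile
import xml.etree.ElementTree as ET

# JNDIRealm attribute names as Tomcat spells them (the ones used in the thread).
JNDI_ATTRS = {
    "className", "connectionURL", "connectionName", "connectionPassword",
    "referrals", "userBase", "userSearch", "userSubtree",
    "roleBase", "roleName", "roleSubtree", "roleSearch", "adCompat",
}
_LOWER = {a.lower(): a for a in JNDI_ATTRS}


def context_path(path):
    """Context path Tomcat derives from a file in conf/Catalina/<host>/:
    ROOT.xml -> '/', myapp.xml -> '/myapp', a#b.xml -> '/a/b'."""
    stem = os.path.splitext(os.path.basename(path))[0]
    return "/" if stem == "ROOT" else "/" + stem.replace("#", "/")


def config_files(catalina_base):
    """server.xml, the global context.xml and every per-application context file."""
    conf = os.path.join(catalina_base, "conf")
    files = [os.path.join(conf, "server.xml"), os.path.join(conf, "context.xml")]
    files += sorted(glob.glob(os.path.join(conf, "Catalina", "*", "*.xml")))
    return [f for f in files if os.path.isfile(f)]


def audit_realms(catalina_base):
    """One dict per JNDIRealm found; 'problems' lists why it may not connect where intended."""
    findings = []
    for path in config_files(catalina_base):
        rel = os.path.relpath(path, catalina_base)
        entry_base = {"file": rel}
        if rel.startswith(os.path.join("conf", "Catalina")):
            entry_base["contextPath"] = context_path(path)
        try:
            root = ET.parse(path).getroot()
        except ET.ParseError as exc:
            findings.append(dict(entry_base, className=None, connectionURL=None,
                                 problems=[f"unparseable XML: {exc}"]))
            continue
        for realm in root.iter("Realm"):
            cls = realm.get("className", "")
            if not cls.endswith("JNDIRealm"):
                continue
            url = realm.get("connectionURL")
            problems = []
            if url is None:
                # Without connectionURL the JNDI LDAP provider defaults to ldap://localhost:389.
                problems.append("connectionURL missing (provider defaults to localhost:389)")
            elif "localhost" in url:
                problems.append("connectionURL points at localhost")
            for attr in realm.attrib:
                # Known name in the wrong case: Tomcat cannot map it to the intended property.
                if attr not in JNDI_ATTRS and attr.lower() in _LOWER:
                    problems.append(f"attribute {attr!r} is misspelled, expected {_LOWER[attr.lower()]!r}")
            findings.append(dict(entry_base, className=cls, connectionURL=url, problems=problems))
    return findings


def build_demo_base():
    """Constructed CATALINA_BASE: one realm with a mis-cased connectionURL, one default context."""
    base = tempfile.mkdtemp(prefix="catalina_")
    host_dir = os.path.join(base, "conf", "Catalina", "localhost")
    os.makedirs(host_dir)
    with open(os.path.join(host_dir, "myapp.xml"), "w", encoding="utf-8") as fh:
        fh.write('<Context docBase="/opt/tomcat/logs" privileged="true">\n'
                 '  <Realm className="org.apache.catalina.realm.JNDIRealm"\n'
                 '         connectionUrl="ldap://ldap.example.com:389"\n'  # constructed typo
                 '         userBase="OU=_Users,DC=example,DC=com"\n'
                 '         userSearch="(sAMAccountName={0})"/>\n'
                 '</Context>\n')
    with open(os.path.join(host_dir, "other.xml"), "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0" encoding="UTF-8"?>\n'
                 '<Context antiResourceLocking="false" privileged="true" />\n')
    return base


if __name__ == "__main__":
    for finding in audit_realms(build_demo_base()):
        print(finding)
```

Run against a real installation with `audit_realms("/path/to/catalina_base")`; a realm reported with `connectionURL: None` and a mis-cased attribute is the situation where the realm compiles fine yet the directory connection goes to localhost:389, and the `contextPath` field shows which URL each context file actually answers on.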