On Friday, 10.02.2012, 16:54 +0400, Lev A KARATUN wrote:
> Felix Schumacher <felix.schumac...@internetallee.de> wrote on 10.02.2012
> 15:31:43:
> 
> > Felix Schumacher <felix.schumac...@internetallee.de>
> > 10.02.2012 15:32
> > 
> > --------------------------------------------------------------------------------
> > 
> > > Hi again.
> > > 
> > > So, my boss told me that it's insecure to give anyone the password to
> > > view tomcat's logs and that there should be authentication based on
> > > Active Directory.
> > > 
> > > I've been reading the manuals for some time, and configured my Tomcat
> > > the following way:
> > > 
> > > $CATALINA_BASE/conf/Catalina/localhost/myapp.xml
> > > 
> > > <Context antiResourceLocking="false" privileged="true"
> > >          docBase="$CATALINA_BASE/logs" reloadable="true">
> > > 
> > >   <Realm className="org.apache.catalina.realm.JNDIRealm"
> > >          connectionURL="ldap://raiffeisen.ru:389"
> > >          connectionName="myacco...@raiffeisen.ru" (I also tried the
> > >          format connectionName="cn=myaccount,dc=raiffeisen,dc=ru" - does it
> > >          matter what format I use?)
> > For normal ldap servers it would be the latter one, eg. a fully
> > qualified dn. ADS might accept the mail address of the user, but I
> > frankly don't know.
> 
> Anyway, I tried both variants - the server refuses to accept the
> connection

No wonder, since your error message below tells us that Tomcat is talking
to localhost instead of raiffeisen.ru :)

> > >          connectionPassword="mypassword"
> > >          referrals="follow"
> > >          userBase="OU=_Users,DC=raiffeisen,DC=ru"
> > >          userSearch="(sAMAccountName={0})"
> > >          userSubtree="true"
> > >          roleBase="OU=_Groups,DC=raiffeisen,DC=ru"
> > >          roleName="cn"
> > >          roleSubtree="true"
> > >          roleSearch="(member={0})"
> > For ADS you might want to add adCompat="true" (look at
> > http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html for further
> > infos).
> 
> OK, added, but nothing changed =\

Again, no wonder.

> > >   />
> > > </Context>
> > > 
> > > 
> > > WEB-INF/web.xml
> > > 
> > > <security-constraint>
> > >   <web-resource-collection>
> > >     <web-resource-name>Administrative Area</web-resource-name>
> > >     <url-pattern>/*</url-pattern>
> > >   </web-resource-collection>
> > >   <auth-constraint>
> > >     <role-name>ADGroupName</role-name>
> > >   </auth-constraint>
> > > </security-constraint>
> > > 
> > > <security-role>
> > >   <description>
> > >     The role that is required to view logs
> > >   </description>
> > >   <role-name>ADGroupName</role-name>
> > > </security-role>
> > > 
> > > 
> > > I also placed LDAP.jar into $CATALINA_BASE/lib, restarted tomcat for

I think that is not needed since Java 1.4.x, even if it is mentioned in
the howto :( I have never used that ldap.jar and wouldn't even know where
to get it. But my jndi-Realms work.

> > > I guess a hundred times, but every time I'm getting a message in
> > > catalina.out:
> > > 
> > > Throwable occurred: LifecycleException: Exception opening directory
> > > server connection: javax.naming.CommunicationException: localhost:389
> > > [Root exception is java.net.ConnectException: A remote host refused an
> > > attempted connect operation.]
> > Since localhost is a different server from the one you told us you had
> > configured, I think your context file is not being used. Search for
> > other context files, where you either have configured localhost or
> > misspelled connectionURL.
> 
> But port 389 is only mentioned in myapp's config file and nowhere
> else. So I assume that Tomcat tries to use myapp.xml, but fails for some
> reason..

Don't look for 389 explicitly, since that is the default port, just as
localhost is the default host. Search for another context configuration
which could be used.

> 
> The other apps' context files are default - like this:
> <?xml version="1.0" encoding="UTF-8"?>
> <Context antiResourceLocking="false" privileged="true" />

I somehow doubt that privileged="true" is default and that you need it,
but it is certainly irrelevant to your problems.

> > > 
> > > and
> > > 
> > > SEVERE: Error deploying configuration descriptor myapp.xml
> > > Throwable occurred: java.lang.IllegalStateException:
> > > ContainerBase.addChild: start: LifecycleException: Exception opening
> > > directory server connection: javax.naming.CommunicationException:
> > > localhost:389 [Root exception is java.net.ConnectException: A remote
> > > host refused an attempted connect operation.]
> > > 
> > > 
> > > I tried to telnet raiffeisen.ru on port 389 and got connected.
> > > I installed JXplorer, entered hostname, port, my credentials and got
> > > connected.
> > telnet localhost 389 and see if you get any errors :)
> 
> bash-3.00$ telnet localhost 389
> Trying...
> telnet: connect: A remote host refused an attempted connect operation.
> 
> 
> ...but WHY is Tomcat trying to connect to localhost? It's clearly written
> in the realm - connectionURL="ldap://raiffeisen.ru:389"
> =(

Either ldap.jar confuses it, or it uses another context file, or you have
a typo in your context file which is not present in the config you have
shown us.

Regards
 Felix

> > 
> > Regards
> >  Felix
> > 
> > > I start Tomcat and get errors.
> > > 
> > > Can you please give me an idea about what I am doing wrong?
> > > 
> > > Thanks in advance.
> > > 
> > > Best Regards,
> > > Karatun Lev.
> > > 
> > > -----------------------------------
> > > This message and any attachment are confidential and may be
> > > privileged or otherwise protected from disclosure. If you are not the
> > > intended recipient any use, distribution, copying or disclosure is
> > > strictly prohibited. If you have received this message in error,
> > > please notify the sender immediately either by telephone or by e-mail
> > > and delete this message and any attachment from your system.
> > > Correspondence via e-mail is for information purposes only. ZAO
> > > Raiffeisenbank neither makes nor accepts legally binding statements
> > > by e-mail unless otherwise agreed.
> > > -----------------------------------
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
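Felix's diagnosis above rests on one fact about the JNDIRealm: when a Realm element carries no connectionURL, the JNDI LDAP provider falls back to localhost:389, so an error naming that address points at a Realm defined somewhere other than the myapp.xml shown in the thread. The following script is an added example (not part of this thread, and not Tomcat's own code) that parses Tomcat context and server descriptors and reports the effective host and port every JNDIRealm will actually contact, flagging Realms that silently default and Realms that bind over cleartext ldap://. The myapp.xml sample reproduces the attributes quoted in the thread; the ROOT.xml and server.xml samples, the file paths and the host dc01.example.invalid are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

JNDI_REALM = "org.apache.catalina.realm.JNDIRealm"
# What the JNDI LDAP provider uses when a JNDIRealm carries no connectionURL.
DEFAULT_HOST, DEFAULT_PORT = "localhost", 389


def realm_targets(descriptor_xml):
    """Return one finding per JNDIRealm in a Tomcat context or server descriptor."""
    root = ET.fromstring(descriptor_xml)
    findings = []
    # iter() also finds Realms nested under Engine/Host or inside a CombinedRealm.
    for realm in root.iter("Realm"):
        if realm.get("className") != JNDI_REALM:
            continue
        url = realm.get("connectionURL")
        if url is None:
            scheme, host, port = "ldap", DEFAULT_HOST, DEFAULT_PORT
        else:
            parsed = urlparse(url)
            scheme = parsed.scheme or "ldap"
            host = parsed.hostname or DEFAULT_HOST
            port = parsed.port or (636 if scheme == "ldaps" else DEFAULT_PORT)
        findings.append({
            "scheme": scheme,
            "host": host,
            "port": port,
            "url_missing": url is None,
            # ldap:// sends the bind password and every user's password in
            # cleartext unless StartTLS is negotiated separately.
            "cleartext": scheme == "ldap",
        })
    return findings


def scan(descriptors):
    """descriptors: {path: xml_text}. Returns one report line per JNDIRealm."""
    lines = []
    for path, xml_text in sorted(descriptors.items()):
        for f in realm_targets(xml_text):
            notes = []
            if f["url_missing"]:
                notes.append("no connectionURL -> JNDI default; explains a 'localhost:389' error")
            if f["cleartext"]:
                notes.append("cleartext ldap://")
            line = f"{path}: JNDIRealm -> {f['scheme']}://{f['host']}:{f['port']}"
            if notes:
                line += "  [" + "; ".join(notes) + "]"
            lines.append(line)
    return lines


# Constructed sample descriptors. MYAPP_XML follows the thread's configuration;
# the other two are hypothetical files that illustrate the cases the script flags.
MYAPP_XML = """<Context antiResourceLocking="false" privileged="true"
         docBase="$CATALINA_BASE/logs" reloadable="true">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://raiffeisen.ru:389"
         connectionName="cn=myaccount,dc=raiffeisen,dc=ru"
         connectionPassword="mypassword"
         referrals="follow"
         userBase="OU=_Users,DC=raiffeisen,DC=ru"
         userSearch="(sAMAccountName={0})"
         userSubtree="true"
         roleBase="OU=_Groups,DC=raiffeisen,DC=ru"
         roleName="cn"
         roleSubtree="true"
         roleSearch="(member={0})"
         adCompat="true" />
</Context>"""

# Hypothetical stray descriptor: a JNDIRealm with no connectionURL at all.
STRAY_XML = """<Context>
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         userBase="OU=_Users,DC=raiffeisen,DC=ru"
         userSearch="(sAMAccountName={0})" />
</Context>"""

# Hypothetical server.xml: Realm nested under Engine, LDAPS with the port left implicit.
SERVER_XML = """<Server><Service><Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldaps://dc01.example.invalid" />
</Engine></Service></Server>"""

SAMPLE_DESCRIPTORS = {
    "conf/Catalina/localhost/myapp.xml": MYAPP_XML,
    "conf/Catalina/localhost/ROOT.xml": STRAY_XML,
    "conf/server.xml": SERVER_XML,
}

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_DESCRIPTORS)))
```

Run against a real $CATALINA_BASE, read each file under conf/Catalina/*/ plus conf/server.xml into the dict and call scan(); any line marked "no connectionURL" is a Realm that will produce exactly the localhost:389 CommunicationException quoted in the thread, and any line marked "cleartext ldap://" is a Realm whose connectionPassword and user credentials cross the network unencrypted.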