On Friday, 10.02.2012, at 16:54 +0400, Lev A KARATUN wrote:
> Felix Schumacher <felix.schumac...@internetallee.de> wrote on 10.02.2012 
> 15:31:43:
> 
> > >
> > > Hi again.
> > >
> > > So, my boss told me that it's insecure to give anyone the password to 
> > > view
> > > tomcat's logs and that there should be authentication based on Active
> > > Directory.
> > >
> > > I've been reading the manuals for some time, and configured my Tomcat 
> > > the
> > > following way:
> > >
> > > $CATALINA_BASE/conf/Catalina/localhost/myapp.xml
> > >
> > > <Context antiResourceLocking="false" privileged="true"
> > > docBase="$CATALINA_BASE/logs" reloadable="true">
> > >
> > >         <Realm className="org.apache.catalina.realm.JNDIRealm"
> > >         connectionURL="ldap://raiffeisen.ru:389";
> > >          connectionName="myacco...@raiffeisen.ru"  (I also tried the
> > > format connectionName="cn=myaccount,dc=raiffeisen,dc=ru" - does it 
> > > matter
> > > what format do I use?)
> > For normal ldap servers it would be the latter one, e.g. a fully 
> > qualified dn. ADS might accept the mail address of the user, but I 
> > frankly don't know.
> 
> Anyway, I tried both variants - the server refuses to accept the 
> connection.
No wonder, since your error message below tells us that tomcat is
talking to localhost instead of raiffeisen.ru :)

> 
> > 
> > >         connectionPassword="mypassword"
> > >         referrals="follow"
> > >         userBase="OU=_Users,DC=raiffeisen,DC=ru"
> > >         userSearch="(sAMAccountName={0})"
> > >         userSubtree="true"
> > >         roleBase="OU=_Groups,DC=raiffeisen,DC=ru"
> > >         roleName="cn"
> > >         roleSubtree="true"
> > >         roleSearch="(member={0})"
> > For ADS you might want to add adCompat="true" (look at 
> > http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html for further 
> > info).
> > 
> 
> OK, added, but nothing changed =\
Again, no wonder.

> 
> > 
> > >   />
> > > </Context>
> > >
> > >
> > > WEB-INF/web.xml
> > >
> > >  <security-constraint>
> > >        <web-resource-collection>
> > >            <web-resource-name>Administrative Area</web-resource-name>
> > >            <url-pattern>/*</url-pattern>
> > >        </web-resource-collection>
> > >        <auth-constraint>
> > >            <role-name>ADGroupName</role-name>
> > >        </auth-constraint>
> > >    </security-constraint>
> > >
> > >   <security-role>
> > >     <description>
> > >       The role that is required to view logs
> > >     </description>
> > >     <role-name>ADGroupName</role-name>
> > >   </security-role>
> > >
> > >
> > > I also placed LDAP.jar into $CATALINA_BASE/lib, restarted tomcat for 
I think that is not needed since Java 1.4.x, even if it is mentioned in
the howto :( I have never used that ldap.jar and wouldn't even know
where to get it. But my jndi-Realms work.

> > > I
> > > guess a hundred times, but every time I'm getting a message in
> > > catalina.out:
> > >
> > > Throwable occurred: LifecycleException:  Exception opening directory
> > > server connection:  javax.naming.CommunicationException: 
> > > localhost:389
> > > [Root exception is java.net.ConnectException: A remote host refused 
> > > an
> > > attempted connect operation.]
> > Since localhost is a different server than what you told us you had 
> > configured, I think your context file is not being used. Search for 
> > other context files, where you either have configured localhost or 
> > misspelled connectionURL.
> 
> But the 389th port is only mentioned in myapp's config file and nowhere 
> else. So I assume that Tomcat tries to use myapp.xml, but fails for some 
> reason...
Don't look for 389 explicitly, since that is the default port, just as
localhost is the default host. Search for another context configuration
which could be used.

> 
> The other apps' context files are default - like this:
> <?xml version="1.0" encoding="UTF-8"?>
> <Context antiResourceLocking="false" privileged="true" />
I somehow doubt that privileged="true" is default and that you need it,
but it is certainly irrelevant to your problems.

> 
> 
> > 
> > >
> > > and
> > >
> > > SEVERE: Error deploying configuration descriptor myapp.xml
> > > Throwable occurred: java.lang.IllegalStateException:
> > > ContainerBase.addChild: start: LifecycleException:  Exception opening
> > > directory server connection:  javax.naming.CommunicationException:
> > > localhost:389 [Root exception is java.net.ConnectException: A remote 
> > > host
> > > refused an attempted connect operation.]
> > >
> > >
> > > I tried to telnet raiffeisen.ru by port 389 and got connected.
> > > I installed JXplorer, entered hostname, port, my credentials and got
> > > connected.
> > telnet localhost 389 and see if you get any errors :)
> 
> bash-3.00$ telnet localhost 389
> Trying...
> telnet: connect: A remote host refused an attempted connect operation.
> 
> 
> ...but WHY is Tomcat trying to connect to localhost? It's clearly written 
> in the realm - connectionURL="ldap://raiffeisen.ru:389";
> =(
Either ldap.jar confuses it, or it uses another context file, or you
have a typo in your context file, which is not present in the config you
have shown us.

Regards
 Felix

> 
> >
> > Regards
> >   Felix
> > 
> > > I start Tomcat and get errors.
> > >
> > > Can you please give me an idea about what I am doing wrong?
> > >
> > > Thanks in advance.
> > >
> > > Best Regards,
> > > Karatun Lev.
> > >



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
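A small inventory script, added here as an example (not Tomcat's own tooling and not from anyone in the thread), that does what Felix suggests: instead of grepping for 389, parse every context descriptor under $CATALINA_BASE/conf/Catalina/<host>/ and report which descriptor would make a JNDIRealm talk to localhost:389, either because connectionURL is absent (the JNDI default) or because the XML is malformed and never deploys as written. The file names and descriptor contents in SAMPLES are constructed for the demonstration.

```python
# Added example: locate the Tomcat context descriptor responsible for a
# "localhost:389" connection attempt.  Not Tomcat code; sample data constructed.
import xml.etree.ElementTree as ET
from pathlib import Path

JNDI_REALM = "org.apache.catalina.realm.JNDIRealm"
# Without connectionURL the JNDI LDAP provider falls back to localhost:389.
DEFAULT_LDAP_URL = "ldap://localhost:389"


def inspect_descriptor(xml_text):
    """Findings for one descriptor: ("parse_error", msg) if the XML is broken,
    otherwise one ("realm", effective_connection_url) per JNDIRealm."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("parse_error", str(exc))]
    findings = []
    for realm in root.iter("Realm"):
        if realm.get("className") != JNDI_REALM:
            continue
        url = realm.get("connectionURL") or DEFAULT_LDAP_URL
        findings.append(("realm", url))
    return findings


def localhost_suspects(descriptors):
    """Keep only descriptors that explain a localhost attempt: broken XML or a
    realm whose effective URL points at localhost.  descriptors: name -> text."""
    suspects = {}
    for name, text in descriptors.items():
        hits = [f for f in inspect_descriptor(text)
                if f[0] == "parse_error" or "localhost" in f[1]]
        if hits:
            suspects[name] = hits
    return suspects


def load_descriptors(catalina_base):
    """Read every conf/Catalina/<host>/*.xml under a real CATALINA_BASE."""
    base = Path(catalina_base) / "conf" / "Catalina"
    return {str(p.relative_to(base)): p.read_text() for p in base.glob("*/*.xml")}


# Constructed sample descriptors; "typo.xml" carries a stray ';' after an attribute.
SAMPLES = {
    "localhost/myapp.xml": '<Context><Realm className="%s" '
        'connectionURL="ldap://raiffeisen.ru:389"/></Context>' % JNDI_REALM,
    "localhost/other.xml": '<Context antiResourceLocking="false"/>',
    "localhost/old.xml": '<Context><Realm className="%s"/></Context>' % JNDI_REALM,
    "localhost/typo.xml": '<Context><Realm className="%s" '
        'connectionURL="ldap://raiffeisen.ru:389";/></Context>' % JNDI_REALM,
}

if __name__ == "__main__":
    for name, hits in localhost_suspects(SAMPLES).items():
        print(name, hits)
```

Run it against a live installation with `localhost_suspects(load_descriptors("/path/to/catalina_base"))`; a hit on a file other than myapp.xml is the "another context file" case, a parse_error is the "typo in your context file" case.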
