On 15 March 2012 18:24, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Neil,
>
> On 3/15/12 1:05 PM, Neil Munro wrote:
>> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>> connectionURL="ldap://my.ldap.server.com"
>> alternateURL="ldap://my.ldap.server.com" userPattern="uid={0},ou=my
>> company users,dc=mycompany,dc=com" />
>>
>
> The "debug" attribute does not exist any more. Were you following some
> kind of old example?

Yeah I must have been, I have removed it.


> I think you may need roleBase, roleName, and roleSearch attributes to
> have a prayer of making this work. Also, with no userSearch parameter,
> you are instructing the realm to connect in "bind" mode where the
> user's credentials are used directly to bind to the LDAP server. Is
> this appropriate?

<Realm className="org.apache.catalina.realm.JNDIRealm"
        connectionName="uid={0},ou=my company users,dc=mycompany,dc=com "
        connectionPassword="userPassword"
        connectionURL="ldap://my.ldap.server"
        alternateURL="ldap://my.ldap.server"
        roleBase="ou=my company users,dc=mycompany,dc=com"
        roleName="cn"
        roleSearch="(uniqueMember={0})"
        userPattern="uid={0},ou=my company users,dc=mycompany,dc=com" />

I have added those changes. As for which connection mode I need, I
think bind would be OK for now, just to check whether I can establish
a connection, but looking at it, I think that if I will be querying LDAP for
a user name and password then comparison mode is what I need.

However, with this configuration my whole app becomes inaccessible. I
imagine it's some form of protection or permissions thing, but in my
floundering around trying things, this is the only thing that seems to
have any effect on the whole app.

> You might want to re-read this section of the realm-howto:
>
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
>
> Can you run any queries against the LDAP server outside of Tomcat that
> give you results that you might expect? For instance, can you do a
> search of the LDAP tree for a particular user? What does that query
> look like? When you do that search, are you using anonymous bind or
> are you using user bind? If user, which user? Some administrative user
> or the user whose credentials should be checked?

I can connect with a tool called JXplorer, but I have not had any luck
from other applications; that's due to an inability to find any up-to-
date documentation on the libraries I was using.

>> <login-config> <auth-method>FORM</auth-method> <form-login-config>
>> <form-login-page>/login.jsp</form-login-page>
>> <form-error-page>/fail_login.jsp</form-error-page>
>> </form-login-config> </login-config>
>
> That looks just fine: configuring the credential-gathering system is
> usually trivial. It's configuring the authentication system that is
> usually the problem.

Cool, at least some of this is working right. Do you need to see those
files, by the way?

>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk9iM+sACgkQ9CaO5/Lv0PBhjQCePnWAoRuPgmLUnVt1p3sR/SBt
> 8vwAnib22g8tvT/PpyN2FfUE5Gs7+OVP
> =9g6k
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
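The two JNDIRealm modes Chris describes, written out side by side as an added example (editor's illustration, not a configuration from either poster or from the Tomcat project). The DNs, the server name, the `ou=groups` container and the `cn=tomcat-bind` service account are all assumed placeholders. The one detail the posted config gets wrong that this example highlights: `connectionName` is used literally for the realm's own bind, so it must be the DN of a dedicated read-only account rather than a `{0}` pattern; `{0}` substitution only applies to `userPattern`, `userSearch` and `roleSearch` (where `{0}` is the authenticated user's DN and `{1}` the plain username).

```xml
<!-- Mode 1: "bind" mode. No connectionName/connectionPassword, so the realm
     builds the user DN from userPattern and binds to LDAP as that user with
     the password typed into the FORM login. Nothing secret lives in server.xml.
     Placeholder DNs and hostnames throughout. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://my.ldap.server.com:389"
       alternateURL="ldap://my.ldap.backup.com:389"
       userPattern="uid={0},ou=my company users,dc=mycompany,dc=com"
       roleBase="ou=groups,dc=mycompany,dc=com"
       roleName="cn"
       roleSearch="(uniqueMember={0})"
       roleSubtree="false" />

<!-- Mode 2: "search" mode. The realm first binds as a dedicated, read-only
     service account (a literal DN, not a pattern), searches userBase for the
     entry matching userSearch, then re-binds as the found DN with the user's
     password to verify it. The group lookup is the same as above. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://my.ldap.server.com:389"
       alternateURL="ldap://my.ldap.backup.com:389"
       connectionName="cn=tomcat-bind,ou=service accounts,dc=mycompany,dc=com"
       connectionPassword="CHANGE-ME-service-account-password"
       userBase="ou=my company users,dc=mycompany,dc=com"
       userSearch="(uid={0})"
       userSubtree="true"
       roleBase="ou=groups,dc=mycompany,dc=com"
       roleName="cn"
       roleSearch="(uniqueMember={0})"
       roleSubtree="false" />
```

Two practical checks before blaming Tomcat. First, reproduce each step with a command-line client (ldapsearch or JXplorer): an anonymous or service-account search with the `userSearch` filter must return exactly one entry, and a bind as that entry's DN with the user's password must succeed. Second, only add a `userPassword` attribute to the realm if you really want Tomcat to read the stored password attribute and compare it locally; that requires granting the service account read access to password hashes, which is a worse trade than letting the directory verify the bind. With both realms, the `{0}` in `roleSearch` expands to the user's full DN, which is what a `uniqueMember` attribute contains, so that filter is right as posted; if your groups use `memberUid` instead, switch to `(memberUid={1})`.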
