I have since made some minor progress with LDAP queries. This login.jsp
file, as you can see, queries for a list of valid users and creates a
drop-down list to choose from:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<%@page import="javax.naming.*,javax.naming.directory.*,java.util.ArrayList"%>
<html>
    <head>
        <title>Login</title>
    </head>
    <body>
        <form method="POST" action="j_security_check">
            <!-- j_security_check only reads the user name from a field called j_username -->
            <select name="j_username">
            <%
                DirContext ctx = new InitialDirContext();
                try {
                    // Same one-level scope as the default controls, but only ask for uid
                    SearchControls sc = new SearchControls();
                    sc.setSearchScope(SearchControls.ONELEVEL_SCOPE);
                    sc.setReturningAttributes(new String[] {"uid"});

                    NamingEnumeration<SearchResult> answer = ctx.search(
                        "ldap://my.ldap.server.com:389/ou=my company users,dc=mycompany,dc=com",
                        "(uid=*)", sc);

                    // Note: every uid in this subtree is shown to anyone who loads the page
                    ArrayList<String> als = new ArrayList<String>();
                    try {
                        while (answer.hasMore()) {
                            // Read the uid attribute directly rather than parsing toString() output
                            SearchResult sr = answer.next();
                            Attribute uid = sr.getAttributes().get("uid");
                            if (uid != null) {
                                als.add((String) uid.get());
                            }
                        }
                    } finally {
                        answer.close();
                    }

                    for (String s : als) {
                        // Escape the value so a uid containing markup cannot break the page
                        String safe = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
                        out.println("<option>" + safe + "</option>");
                    }
                } finally {
                    // Close the context when we're done
                    ctx.close();
                }
            %>
            </select>
            <br>
            <input type="password" name="j_password">
            <br>
            <input type="submit">
        </form>
    </body>
</html>

I am however still not able to get the server.xml file working with
the realms. I did discover through some trial and error that my own
LDAP user had not been set up right and my system admin kindly fixed
it for me, which could have led to some working code not working.

This is how it currently works:

        <Realm className="org.apache.catalina.realm.JNDIRealm"
               connectionName="uid={0},ou=my company users,dc=mycompany,dc=com"
               connectionPassword="userPassword"
               connectionURL="ldap://my.ldap.server.com"
               alternateURL="ldap://my.ldap.server.com"
               roleBase="ou=my company users,dc=mycompany,dc=com"
               roleName="cn"
               roleSearch="(uniqueMember={0})"
               userPattern="uid={0},ou=my company users,dc=mycompany,dc=com" />

On 16 March 2012 12:05, Pid <p...@pidster.com> wrote:
> On 16/03/2012 10:23, Neil Munro wrote:
>> On 15 March 2012 18:24, Christopher Schultz
>> <ch...@christopherschultz.net> wrote:
>> Neil,
>>
>> On 3/15/12 1:05 PM, Neil Munro wrote:
>>>>> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>>>>> connectionURL="ldap://my.ldap.server.com"
>>>>> alternateURL="ldap://my.ldap.server.com" userPattern="uid={0},ou=my
>>>>> company users,dc=mycompany,dc=com" />
>>>>>
>>
>> The "debug" attribute does not exist any more. Were you following some
>> kind of old example?
>>
>>> Yeah I must have been, I have removed it.
>>
>>
>> I think you may need roleBase, roleName, and roleSearch attributes to
>> have a prayer of making this work. Also, with no userSearch parameter,
>> you are instructing the realm to connect in "bind" mode where the
>> user's credentials are used directly to bind to the LDAP server. Is
>> this appropriate?
>>
>>> <Realm className="org.apache.catalina.realm.JNDIRealm"
>>>         connectionName="uid={0},ou=my company users,dc=mycompany,dc=com "
>>>      connectionPassword="userPassword"
>>>      connectionURL="ldap://my.ldap.server"
>>>      alternateURL="ldap://my.ldap.server"
>>>      roleBase="ou=my company users,dc=mycompany,dc=com"
>>>      roleName="cn"
>>>      roleSearch="(uniqueMember={0})"
>>>      userPattern="uid={0},ou=my company users,dc=mycompany,dc=com" />
>>
>>> I have added those changes, as for which connection mode I need, I
>>> think bind would be ok for now just to check to see if I can establish
>>> a connection, but looking at it I think if I will be querying ldap for
>>> a user name and password then comparison mode is what I need.
>>
>>> However with this configuration my whole app become inaccessible, I
>>> imagine it's some form of protection or permissions thing, but in my
>>> floundering around trying things, this is the only thing that seems to
>>> have any effect on the whole app.
>>
>> You might want to re-read this section of the realm-howto:
>>
>> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
>>
>> Can you run any queries against the LDAP server outside of Tomcat that
>> give you results that you might expect? For instance, can you do a
>> search of the LDAP tree for a particular user? What does that query
>> look like? When you do that search, are you using anonymous bind or
>> are you using user bind? If user, which user? Some administrative user
>> or the user whose credentials should be checked?
>>
>>> I can connect with a tool called JXplorer, but I have not had any luck
>>> from other applications, but that's due to inability to find any up to
>>> date documentation on the libraries I was using.
>>
>>>>> <login-config> <auth-method>FORM</auth-method> <form-login-config>
>>>>> <form-login-page>/login.jsp</form-login-page>
>>>>> <form-error-page>/fail_login.jsp</form-error-page>
>>>>> </form-login-config> </login-config>
>
> Side note: I usually recommend putting those files in WEB-INF, in their
> own directory, say: WEB-INF/login.
>
> p
>
>> That looks just fine: configuring the credential-gathering system is
>> usually trivial. It's configuring the authentication system that is
>> usually the problem.
>>
>>> Cool, at least some of this is working right, do you need to see those
>>> files btw?
>>
>>
>> -chris
>
> --
>
> [key:62590808]
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
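Chris's suggestion to run queries against the LDAP server outside of Tomcat can be done with the same JNDI calls the JSP uses. The program below is an added example, not code from the thread or from Tomcat: it mimics what the posted Realm element does in bind mode (no userSearch), binding as the DN built from userPattern and then running roleSearch under roleBase to list the roleName values. The host, DNs and filter are the placeholders from the thread; the class name RealmCheck and the helper names are assumptions.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Stand-alone check of the JNDIRealm settings from the thread (added example,
 * not Tomcat code). The constants mirror the Realm attributes posted above.
 */
public class RealmCheck {
    static final String URL = "ldap://my.ldap.server.com:389";                        // connectionURL
    static final String USER_PATTERN = "uid={0},ou=my company users,dc=mycompany,dc=com"; // userPattern
    static final String ROLE_BASE = "ou=my company users,dc=mycompany,dc=com";          // roleBase
    static final String ROLE_NAME = "cn";                                               // roleName
    static final String ROLE_SEARCH = "(uniqueMember={0})";                             // roleSearch

    /** Escape a value before substituting it into a search filter (RFC 4515). */
    static String escapeFilter(String v) {
        StringBuilder sb = new StringBuilder();
        for (char c : v.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Bind mode: authenticate by binding as the user's own DN, as userPattern without userSearch does. */
    static DirContext bindAsUser(String uid, String password) throws NamingException {
        if (password == null || password.isEmpty()) {
            // Many servers treat an empty password as an anonymous bind, which would "succeed"
            throw new AuthenticationException("empty password refused");
        }
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, USER_PATTERN.replace("{0}", uid));
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);   // throws AuthenticationException on a bad bind
    }

    /** Role lookup the way roleBase/roleSearch/roleName do it: {0} is the user's DN. */
    static List<String> rolesFor(DirContext ctx, String userDn) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.ONELEVEL_SCOPE);   // the posted Realm does not set roleSubtree
        sc.setReturningAttributes(new String[] { ROLE_NAME });
        String filter = ROLE_SEARCH.replace("{0}", escapeFilter(userDn));
        List<String> roles = new ArrayList<String>();
        NamingEnumeration<SearchResult> results = ctx.search(ROLE_BASE, filter, sc);
        try {
            while (results.hasMore()) {
                Attribute a = results.next().getAttributes().get(ROLE_NAME);
                if (a != null) {
                    roles.add((String) a.get());
                }
            }
        } finally {
            results.close();
        }
        return roles;
    }

    public static void main(String[] args) throws NamingException {
        if (args.length != 2) {
            System.err.println("usage: java RealmCheck <uid> <password>");
            System.exit(2);
        }
        String uid = args[0];
        // Keep the uid to plain identifier characters so it cannot alter the DN built from userPattern
        if (!uid.matches("[A-Za-z0-9._-]+")) {
            System.err.println("uid contains characters that are not allowed here");
            System.exit(2);
        }
        String userDn = USER_PATTERN.replace("{0}", uid);
        DirContext ctx = null;
        try {
            ctx = bindAsUser(uid, args[1]);
            System.out.println("bind OK as " + userDn);
            for (String r : rolesFor(ctx, userDn)) {
                System.out.println("role: " + r);
            }
        } catch (AuthenticationException e) {
            System.out.println("bind FAILED: " + e.getMessage());
        } finally {
            if (ctx != null) {
                ctx.close();
            }
        }
    }
}
```

Compile and run it with `javac RealmCheck.java && java RealmCheck <uid> <password>`. If the bind fails here, the realm will fail the same way inside Tomcat, which separates a directory or account problem from a server.xml problem. The role query only matches entries (for example groupOfUniqueNames) whose uniqueMember attribute holds the user's full DN; if it prints no roles while the bind succeeds, the roleSearch filter or roleBase is what needs adjusting, not the credentials.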