On Mar 16, 2012 7:22 PM, "Christopher Schultz" <ch...@christopherschultz.net> wrote:
>
> Neil,
>
> On 3/16/12 6:23 AM, Neil Munro wrote:
> > On 15 March 2012 18:24, Christopher Schultz <Realm
> >   className="org.apache.catalina.realm.JNDIRealm"
> >   connectionName="uid={0},ou=my company users,dc=mycompany,dc=com "
> >   connectionPassword="userPassword"
> >   connectionURL="ldap://my.ldap.server"
> >   alternateURL="ldap://my.ldap.server"
> >   roleBase="ou=my company users,dc=mycompany,dc=com"
> >   roleName="cn"
> >   roleSearch="(uniqueMember={0})"
> >   userPattern="uid={0},ou=my company users,dc=mycompany,dc=com" />
> >
> > I have added those changes. As for which connection mode I need, I
> > think bind would be ok for now just to check to see if I can
> > establish a connection, but looking at it I think if I will be
> > querying LDAP for a user name and password then comparison mode is
> > what I need.
>
> That's kind of the first decision you have to make when using LDAP for
> authentication: what user makes the initial connection? From your
> later post, it's not clear how you are connecting to the LDAP server
> in order to fetch the valid user ids. Can you provide the setup
> information for your InitialDirContext (sanitized, of course)?
>
> > However, with this configuration my whole app becomes inaccessible.
> > I imagine it's some form of protection or permissions thing, but in
> > my floundering around trying things, this is the only thing that
> > seems to have any effect on the whole app.
>
> I thought the whole app was supposed to be unavailable unless the user
> successfully logged in. Do I have that wrong? A misconfigured JNDI
> realm *should* lock you out of the entire app because authentication
> always fails.
>
> >> Can you run any queries against the LDAP server outside of Tomcat
> >> that give you results that you might expect? For instance, can
> >> you do a search of the LDAP tree for a particular user? What does
> >> that query look like? When you do that search, are you using
> >> anonymous bind or are you using user bind? If user, which user?
> >> Some administrative user or the user whose credentials should be
> >> checked?
> >
> > I can connect with a tool called JXplorer, but I have not had any
> > luck from other applications, but that's due to inability to find
> > any up to date documentation on the libraries I was using.
>
> In JXplorer, are you able to run queries that look anything like those
> you are trying to use in your Realm configuration?
>
> Here is the most recent configuration you posted:
>
> <Realm className="org.apache.catalina.realm.JNDIRealm"
>   connectionName="uid={0},ou=my company users,dc=mycompany,dc=com"
>   connectionPassword="userPassword"
>   connectionURL="ldap://my.ldap.server.com"
>   alternateURL="ldap://my.ldap.server.com"
>   roleBase="ou=my company users,dc=mycompany,dc=com"
>   roleName="cn"
>   roleSearch="(uniqueMember={0})"
>   userPattern="uid={0},ou=my company users,dc=mycompany,dc=com" />
>
> You said this "currently works": did you mean that was your current
> (non-working) setup, or that this setup actually works?
>
> I don't believe connectionName can be parameterized. I think that's
> intended to be used when using a "manager" user to connect to the LDAP
> server in order to perform comparison-mode authentication.
>
> userPattern="uid={0},ou=my company users,dc=mycompany,dc=com"
>
> Does this actually match the DN pattern of your users? (It might help
> if you were to post the full LDIF record for a sample user. Same with
> a group record.)
>
> roleSearch="(uniqueMember={0})"
>
> Using OpenLDAP's 'ldapsearch' command-line utility, I can search my
> own LDAP database for groups containing myself like this:
>
> $ ldapsearch -x 'uniqueMember:=uid=schultz,dc=mydomain,dc=mytld' cn
>
> Note that "-x" means "simple bind" -- that is, anonymous. Also note
> that I have to use "uniqueMember:=" instead of simply "uniqueMember="
> because the uniqueMember value contains = signs. I'm not sure if that
> will have any effect because I don't have a Java-based JNDI probe
> available to me at the moment.
>
> At this point, you are basically bumbling around in the dark. I highly
> recommend enabling debug logging for the JNDIRealm component (really
> the container's logger) by adding this into your conf/logging.properties:
>
> org.apache.catalina.realm.level=FINE
>
> It's going to generate a ton of output. Try only authenticating a
> single time, then shut down Tomcat and read the log file (catalina.out
> should contain it). Make sure you follow what is going on, and you can
> probably see where things start to go wrong: either some search string
> will look wrong, or it will make a decision based upon your
> configuration that you didn't anticipate, etc.
>
> If you can't figure it out, post as much of the log to the list as you
> can and we'll take a look.
>
> -chris
Ok, first things first: I shall use my user to make the initial connection; I gather this is something that can't be done anonymously. Later, if I can, I will have admin create a connection user. So with that in mind I replaced {0} with my user name and connectionPassword with my plain text password, and with that configured I can access the login page, but not actually log in: j_security_check redirects me to the failed login page. My initial thought was that since users can be specified at any time I wanted an anonymous bind connection to get the list of users and then switch to the user entered, but I couldn't get very far with that.

Yes, you are right, I wasn't being clear in my meaning: the whole app should be protected unless a user has logged on.

Yes, I can run uid=* to get a list of all users in both JXplorer and the JSP used in the page, so the queries do work, else I would not be able to retrieve any users. Unfortunately I can't give you the DirContext until tomorrow when I get back into the office.

As for moving my login and fail_login JSPs to WEB-INF: the pages could not be located, and I had a go working in the web.xml file pointing to a path relative to /../web-inf/ or similar. I shall try again; I did try your suggestion and will try again just to ensure I didn't simply make a typo.

You must forgive me if I have missed anything, as I only have a phone available to me at weekends, but I shall reread and provide further information tomorrow. I thought I should explain what I was trying to do in case it's impossible the way I understand it and I have been making myself go in circles.
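One way to check the posted Realm element against the points raised in this thread, as an added example that is not code from the thread or from Tomcat: a small Python linter that flags the parameterized connectionName and the literal "userPassword" password, plus a helper that substitutes a user DN into roleSearch with RFC 4515 filter escaping. The cleartext ldap:// finding and the escaping helper are additions beyond what the thread states; the sample input is the configuration as posted above.

```python
import xml.etree.ElementTree as ET

# The Realm element as posted in the thread (used here as sample input).
REALM_XML = '''<Realm className="org.apache.catalina.realm.JNDIRealm"
  connectionName="uid={0},ou=my company users,dc=mycompany,dc=com"
  connectionPassword="userPassword"
  connectionURL="ldap://my.ldap.server.com"
  alternateURL="ldap://my.ldap.server.com"
  roleBase="ou=my company users,dc=mycompany,dc=com"
  roleName="cn"
  roleSearch="(uniqueMember={0})"
  userPattern="uid={0},ou=my company users,dc=mycompany,dc=com" />'''

# RFC 4515 escaping for a value placed inside a search filter. The '=' and
# ',' characters of a DN are ordinary value characters and stay as they are;
# only these five must be hex-escaped.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}

def escape_filter_value(value):
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def role_filter(role_search, user_dn):
    """Substitute the user's DN for {0} in roleSearch, escaping it first so a
    DN containing '*' or parentheses cannot change the filter's structure."""
    return role_search.replace('{0}', escape_filter_value(user_dn))

def lint_realm(xml_text):
    """Return a list of findings for the problems discussed in the thread."""
    attrs = ET.fromstring(xml_text).attrib
    findings = []
    if '{0}' in attrs.get('connectionName', ''):
        findings.append('connectionName contains {0}: it is the fixed DN of a '
                        'lookup (manager) user, not a per-login pattern')
    if attrs.get('connectionPassword') == 'userPassword':
        findings.append("connectionPassword is the literal 'userPassword': that "
                        'is an LDAP attribute name, not the manager password')
    # Added check, not raised in the thread: a simple bind over plain ldap://
    # sends the password in cleartext unless StartTLS is negotiated.
    for key in ('connectionURL', 'alternateURL'):
        if attrs.get(key, '').startswith('ldap://'):
            findings.append(f'{key} is plain ldap://: simple binds send the '
                            'password in cleartext unless StartTLS is used')
    return findings

if __name__ == '__main__':
    for finding in lint_realm(REALM_XML):
        print('-', finding)
    print(role_filter('(uniqueMember={0})', 'uid=schultz,dc=mydomain,dc=mytld'))
```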