Tomcat and LDAP (connection problem)

Hisham Farahat
Greenhorn

Joined: Oct 29, 2008
Posts: 6
Dear All,

I have a Tomcat 6.0 server running on Windows Server 2003; it needs to authenticate users using a JNDI realm which connects to an LDAP server (Active Directory running on a different machine).
The realm configuration in server.xml is as follows:
==============================================================
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
  <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
         connectionURL="ldap://name.com:389/"
         connectionName="CN=tomcat,CN=Users,DC=name,DC=com"
         connectionPassword="************"
         alternateURL="ldap://ip:389/"
         userSubtree="true" referrals="follow"
         userSearch="(| (mailNickname={0}) (givenName={0}) )"
         userBase="DC=name,DC=com"
         roleBase="CN=Users,DC=name,DC=com" roleName="description"
         roleSearch="member={0}" roleSubtree="true" allRolesMode="AuthOnly" />
</Host>
==============================================================

The problem is that when I try to log in with my AD account, sometimes (around 40% of the time) I get a login error, and it stays in this state for 10 minutes (no user can log in during this period). Even the manager and admin accounts that are used to log in to the manager webapp are not allowed to log in. How can I solve this problem? It is so annoying.

Some points:
1- The log of the error is:
==================
Oct 29, 2008 8:30:12 AM org.apache.catalina.core.ApplicationDispatcher doForward
FINE: Disabling the response for futher output
Oct 29, 2008 8:30:15 AM org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: name.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]]
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(Unknown Source)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(Unknown Source)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(Unknown Source)
at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1097)
at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:992)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:941)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:810)
at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:258)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:417)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.naming.CommunicationException: name.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]
at com.sun.jndi.ldap.LdapReferralContext.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapReferralException.getReferralContext(Unknown Source)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(Unknown Source)
... 20 more
Caused by: java.net.ConnectException: Connection refused: connect
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.PlainSocketImpl.doConnect(Unknown Source)
at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.SocksSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at com.sun.jndi.ldap.Connection.createSocket(Unknown Source)
at com.sun.jndi.ldap.Connection.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapClient.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapClient.getInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.url.ldap.ldapURLContextFactory.getObjectInstance(Unknown Source)
at javax.naming.spi.NamingManager.getURLObject(Unknown Source)
at javax.naming.spi.NamingManager.processURL(Unknown Source)
at javax.naming.spi.NamingManager.processURLAddrs(Unknown Source)
at javax.naming.spi.NamingManager.getObjectInstance(Unknown Source)
... 23 more
Oct 29, 2008 8:30:15 AM org.apache.catalina.realm.JNDIRealm close
FINE: Closing directory context
Oct 29, 2008 8:30:15 AM org.apache.catalina.core.ApplicationDispatcher doForward
FINE: Disabling the response for futher output

==================

2- Rebooting the machine will solve the problem.
3- Restarting Tomcat won't affect anything.
4- I can connect to the LDAP server using Softerra LDAP Administration during the 10 blocking minutes.
5- The system admin checked the log of the AD and there is nothing there.
6- I have tried to put the realm configuration under context.xml, and the same thing happens.
7- Most probably, when I leave the session to expire (5 min) and try to log in again afterwards, it gets blocked.

Please help me with this issue, I need it working correctly ASAP.


Regards,
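The log excerpt in this post is the signal an operator needs to alert on: while it is present, no user can log in. As an added example (not from the thread), this Python parser scans JULI-format catalina log records for JNDIRealm authenticate SEVERE entries, extracts the host:port the JNDI client could not reach, and flags whether the failure happened while following an LDAP referral (the LdapReferralContext / hasMoreReferrals frames in the trace, which is the path referrals="follow" enables). The sample log is constructed from the quoted excerpt, trimmed, with a second failure added.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: the catalina log excerpt from the thread, trimmed, plus a second failure.
SAMPLE_LOG = """\
Oct 29, 2008 8:30:15 AM org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: name.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]]
    at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(Unknown Source)
Caused by: javax.naming.CommunicationException: name.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]
    at com.sun.jndi.ldap.LdapReferralContext.<init>(Unknown Source)
Oct 29, 2008 8:30:15 AM org.apache.catalina.realm.JNDIRealm close
Oct 29, 2008 8:33:40 AM org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.CommunicationException: name.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]
"""

HEADER = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (\S+) (\S+)$")
ENDPOINT = re.compile(r"javax\.naming\.CommunicationException: (\S+) \[Root exception")

@dataclass
class RealmFailure:
    when: datetime
    endpoint: str       # host:port the JNDI client could not reach
    via_referral: bool  # connect happened while chasing an LDAP referral (referrals="follow")

def parse_realm_failures(log_text: str) -> list:
    """One RealmFailure per 'JNDIRealm authenticate' record whose body starts with SEVERE."""
    records, when, body = [], None, []
    def flush():  # called when a record is complete; only SEVERE authenticate records count
        if when and body and body[0].startswith("SEVERE:"):
            hit = next((ENDPOINT.search(l) for l in body if ENDPOINT.search(l)), None)
            referral = any("LdapReferralContext" in l or "hasMoreReferrals" in l for l in body)
            records.append(RealmFailure(when, hit.group(1) if hit else "unknown", referral))
    for line in map(str.strip, log_text.splitlines()):
        m = HEADER.match(line)
        if m:  # a timestamped header starts a new record, so the previous one is complete
            flush()
            is_auth = (m.group(2), m.group(3)) == ("org.apache.catalina.realm.JNDIRealm", "authenticate")
            when = datetime.strptime(m.group(1), "%b %d, %Y %I:%M:%S %p") if is_auth else None
            body = []
        else:  # continuation line: exception message or stack frame
            body.append(line)
    flush()
    return records

def outage_seconds(failures: list) -> float:
    """Span between first and last failure, i.e. how long the realm was refusing every login."""
    return (failures[-1].when - failures[0].when).total_seconds() if failures else 0.0
```

Run over a full catalina log, a first failure with via_referral set and a non-empty outage span is the fingerprint of this thread's outage, and the extracted endpoint is the host to check against DNS.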
Joe Ess
Bartender

Joined: Oct 29, 2001
Posts: 8867

Welcome to the JavaRanch.


The error above indicates that there's nothing listening at "name.com" port 389. What server and port do you connect to using Softerra?
More important, can you connect to the LDAP using Softerra from the server where you are running Tomcat?
Are there any firewalls or proxies between the server and the LDAP?
[ October 29, 2008: Message edited by: Joe Ess ]

Hisham Farahat
Greenhorn

Joined: Oct 29, 2008
Posts: 6
The same server and port.

Both servers (LDAP and Tomcat) are in one LAN; there are a firewall and a proxy, but for external traffic.
Joe Ess
Bartender

Joined: Oct 29, 2001
Posts: 8867

Originally posted by Joe Ess:

More important, can you connect to the LDAP using Softerra from the server where you are running Tomcat?
Hisham Farahat
Greenhorn

Joined: Oct 29, 2008
Posts: 6
Yes, I can.
Joe Ess
Bartender

Joined: Oct 29, 2001
Posts: 8867

What does your realm configuration look like?
Hisham Farahat
Greenhorn

Joined: Oct 29, 2008
Posts: 6
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
  <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
         connectionURL="ldap://name.com:389/"
         connectionName="CN=tomcat,CN=Users,DC=name,DC=com"
         connectionPassword="************"
         alternateURL="ldap://ip:389/"
         userSubtree="true" referrals="follow"
         userSearch="(| (mailNickname={0}) (givenName={0}) )"
         userBase="DC=name,DC=com"
         roleBase="CN=Users,DC=name,DC=com" roleName="description"
         roleSearch="member={0}" roleSubtree="true" allRolesMode="AuthOnly" />
</Host>
Joe Ess
Bartender

Joined: Oct 29, 2001
Posts: 8867

Can you use the ip specified in alternateURL="ldap://ip:389/" to connect to the LDAP? It's odd that it only happens occasionally.
Hisham Farahat
Greenhorn

Joined: Oct 29, 2008
Posts: 6
In Tomcat it failed, but using OpenLDAP it connects normally.

I really don't know what to do.
Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 10052

Do you have any anti-virus or firewalls installed on the system which might be blocking access to the server/port? Try disabling those firewall/anti-virus services.


Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 10052

And what does the following command (from the system where Tomcat is installed) return:

Hisham Farahat
Greenhorn

Joined: Oct 29, 2008
Posts: 6
I could not connect through telnet;
it takes a long time, and nothing appeared.
Although the server is working normally right now (the period of disconnection is not occurring now).
Joe Ess
Bartender

Joined: Oct 29, 2001
Posts: 8867

Originally posted by Hisham Farahat:
I could not connect through telnet;
it takes a long time, and nothing appeared.


Did you get an error or did the console just go blank?
When I telnet to my LDAP, the console goes blank. I don't know enough about the LDAP protocol to know what to enter, but if you don't get a connection error, I think you are good.
I'm suspicious that the name.com does not match the IP address you've specified in your realm configuration. That would make sense as the alternateURL setting does not get used unless the connectionURL fails.
Try pinging name.com and see what IP gets used.
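Joe's suggestion is to check what name.com actually resolves to. As an added example (not from the thread), this Python script takes the ldap:// URLs as written in connectionURL and alternateURL, resolves every address behind the host, and tries a plain TCP connect to each, which is what the JNDI client does before it can bind; a name that maps to several domain controllers, one of which is not listening on 389, would give exactly this sometimes-works behaviour. It assumes host:port URLs without IPv6 literals, and the resolver and prober are injectable so the logic can be checked offline.

```python
import socket
from typing import Callable, Dict, List

def resolve_all(host: str) -> List[str]:
    """Every address the resolver returns for host; an AD domain name usually maps to several DCs."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []  # the name does not resolve at all

def tcp_open(addr: str, port: int, timeout: float = 3.0) -> bool:
    """True if something accepts a TCP connection on addr:port (the check JNDI's connect performs)."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

def probe_ldap_url(url: str, resolver: Callable = resolve_all, prober: Callable = tcp_open) -> Dict[str, bool]:
    """Parse an ldap://host[:port]/ URL (assumed: no IPv6 literals) and probe every address
    the host resolves to; any False entry is a candidate cause of intermittent failures."""
    host_port = url.split("://", 1)[1].split("/", 1)[0]
    host, _, port = host_port.rpartition(":")  # rpartition leaves host empty when no port is given
    host, port = (host, int(port)) if host else (port, 389)
    return {addr: prober(addr, port) for addr in resolver(host)}

def verdict(results: Dict[str, bool]) -> str:
    """'ok' if every address answers, 'down' if none does, 'intermittent' if only some do."""
    if not results or not any(results.values()):
        return "down"
    return "ok" if all(results.values()) else "intermittent"

if __name__ == "__main__":
    for u in ("ldap://name.com:389/", "ldap://ip:389/"):  # the two URLs from the realm config
        r = probe_ldap_url(u)
        print(u, r, verdict(r))
```

Run it from the Tomcat host, since that is the resolver and network path the realm uses; an "intermittent" verdict for the connectionURL host would explain both the ~40% failure rate and why a single-address LDAP browser connects fine.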
Eugene kaadoo
Greenhorn

Joined: Jun 05, 2013
Posts: 1
We had the same problem with intermittent LDAP authentication with Tomcat. We found that when we pointed it to a 2003 domain controller everything worked fine.

Not sure if this is a problem with the specific version of Tomcat we're using; didn't have time to dig further.