JavaRanch » Java Forums » Products » Tomcat
Unable to login using LDAP realm configuration

John Eipe
Ranch Hand

Joined: May 23, 2008
Posts: 215
I have the following entry in LDAP (ApacheDS)


I'm trying to configure LDAP realm on Tomcat.


Contents of the application's web.xml


Tomcat refuses to log in and I'm directed back to index.jsp. What am I missing?


www.cs-repository.info
John Eipe
Ranch Hand

Joined: May 23, 2008
Posts: 215
Is it because I have placed it within the existing Realm definition?

John Eipe
Ranch Hand

Joined: May 23, 2008
Posts: 215
I tried placing it outside and still it doesn't work. :-(
John Eipe
Ranch Hand

Joined: May 23, 2008
Posts: 215
Any suggestions guys?
Looks like the Tomcat sub-forum is dead, or is it that Tomcat is no longer used by anybody!!!
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16095

John Eipe wrote:Any suggestions guys?
Looks like the Tomcat sub-forum is dead, or is it that Tomcat is no longer used by anybody!!!


Or... it could be that when you use a free forum, you don't have people sitting by 24x7 to answer questions. I normally check in once a day, usually only on weekdays. We do have slow and fast periods, though.

The biggest problem with the LDAP realm is getting your LDAP query properly formulated - providing that you've attended to the usual details such as ensuring that there's no firewall blocking access to the LDAP server and such.

I noticed that you've got it set up to use the user's Common Name (cn) instead of an account ID, though. So the login ID would be "John Eipe". You also don't have SSL enabled for your secure resources (TRANSPORT is set to NONE).

Where did you put your Realm element in Tomcat?


Customer surveys are for companies who didn't pay proper attention to begin with.
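The transport-guarantee point above is worth seeing in a complete deployment descriptor. The following web.xml is an added example, not the file from the original post: it protects one URL space with FORM login against whatever Realm Tomcat has configured and forces that traffic onto TLS. The paths, the role name "manager" and the login page names are assumptions.

```xml
<!-- web.xml (added example, not the poster's file). Paths, role name and
     login pages are assumptions; adjust to the application. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <!-- only authenticated users holding this role may pass -->
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
    <!-- NONE lets the login form, password and session cookie travel in clear
         text; CONFIDENTIAL makes Tomcat redirect the request to the HTTPS
         connector (the redirectPort of the HTTP connector) before serving it -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>LDAP</realm-name>
    <form-login-config>
      <!-- login.jsp must POST j_username and j_password to j_security_check -->
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>manager</role-name>
  </security-role>
</web-app>
```

CONFIDENTIAL only works if an HTTPS connector exists in server.xml and the plain connector's redirectPort points at it; without that, Tomcat has nowhere to redirect and the protected resource becomes unreachable. The role name in auth-constraint has to match exactly what the Realm reports for the user (for an LDAP realm, the value of the attribute named by roleName), which is a second common reason for being bounced back to the start page after a correct password.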
John Eipe
Ranch Hand

Joined: May 23, 2008
Posts: 215
Tim,
Sorry. That was totally out of desperation.

I placed it within
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16095

OK. That's not the way it works in most cases. You would have only 1 Realm, not nested Realms, and you wouldn't have multiple Realms active at the same time. There is a compositing Realm, but I don't think that's what you're attempting here, and if you are, remove the compositing until you have basic LDAP functioning so as to minimize the confusion.

Realms may be applied at 1 of 2 levels. At the server.xml level for a given Host or Engine there would be only 1 Realm. It would apply to every webapp for that Host (which usually is the default or "localhost" host).

You can override the Host-level Realm by defining a Realm for a specific webapp in that webapp's Context definition.
John Eipe
Ranch Hand

Joined: May 23, 2008
Posts: 215
I tried in server.xml after commenting out the default realm configurations. But still no results.

Here are 2 things I would like to bring to notice.
1. I'm running Tomcat using Eclipse, so the configuration is done through Eclipse. (It does detect the realm, as I got a connection exception when the LDAP server was stopped.)
2. I have confirmed that the username and password information is correct. Below is a standalone program that I used to test.

Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16095

There are several ways to run Tomcat through Eclipse. Unfortunately, the most common way is via the WTP plugin, which is an abomination that creates an incomplete copy of the original Tomcat configuration and then has to be periodically kicked to get changes made to the Tomcat configuration updated into the WTP configuration copy that it uses to run Tomcat.

A cleaner way to run Tomcat is by using the sysdeo plugin, which doesn't attempt to copy the Tomcat configuration in part or in whole, but rather uses it exactly the same way that stand-alone Tomcat does.

Actual troubleshooting on the LDAP Realm can be a royal pain and it's not something I can easily do for you second-hand. I can make a few observations, though and perhaps they will help.

Firstly, there are 2 ways to authenticate a user using LDAP. The first way is to simply use the candidate's userid and password to connect to the LDAP server itself. If connection succeeds, the user is authenticated, and (presumably) able to check roles. The second way - which it appears that you are using - is to connect via a master userid and password then do a lookup for the actual userid and password. So one way you can run into trouble is if you're not using the right Realm attributes for the authentication process that you're using.

The second "gotcha" can occur if you are doing a lookup into a complex or irregular directory structure. LDAP allows you to limit the number of levels that will be searched, so you'd need to make sure that you've properly defined this in your Realm attributes.
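The two authentication styles and the search-depth setting described in the post above map directly onto JNDIRealm attributes. The fragments below are an added example, not the poster's configuration or anything from the Tomcat project: the first is a webapp-level Realm in META-INF/context.xml that binds as the user (no master account), the second replaces the Engine-level Realm in server.xml and uses a service account to search for the user first. The hostname, ports (ApacheDS defaults), the ou=system partition and the ou/uid names are assumptions.

```xml
<!-- Form 1: META-INF/context.xml of the webapp (added example).
     Exactly one Realm element here; it overrides the Host/Engine Realm in
     server.xml for this webapp only, so server.xml can stay untouched. -->
<Context>
  <!-- Tomcat substitutes the submitted login name for {0} and binds with the
       resulting DN and the submitted password. With cn={0} the login ID would be
       the full common name ("John Eipe"); uid={0} expects a short account ID. -->
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://ldap.example.com:10389"
         userPattern="uid={0},ou=users,ou=system"
         roleBase="ou=groups,ou=system"
         roleName="cn"
         roleSearch="(uniqueMember={0})"
         roleSubtree="true" />
</Context>

<!-- Form 2: conf/server.xml, replacing (not nesting inside) the default Realm
     for the Engine (added example). Tomcat binds with the service account,
     searches for the user's entry, then binds again as that entry with the
     submitted password. -->
<Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldaps://ldap.example.com:10636"
         connectionName="uid=tomcat-svc,ou=services,ou=system"
         connectionPassword="change-me"
         userBase="ou=users,ou=system"
         userSearch="(uid={0})"
         userSubtree="true"
         roleBase="ou=groups,ou=system"
         roleName="cn"
         roleSearch="(uniqueMember={0})"
         roleSubtree="true" />
  <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
</Engine>
```

In Form 2, {0} in roleSearch is the user's distinguished name found by userSearch (and {1} the plain login name), so the group entries must list members as DNs, as groupOfUniqueNames does. userSubtree and roleSubtree default to false, meaning a one-level search under the base; leave them false and a user two levels down is simply not found, which is the second gotcha above. Form 1 puts no directory password on disk; Form 2 does, so keep server.xml readable only by the Tomcat user and use ldaps:// (or StartTLS) rather than plain ldap:// so neither the service credential nor user passwords cross the network in clear text. The legacy debug attribute is not a JNDIRealm property on current Tomcat releases; realm logging is controlled through the org.apache.catalina.realm logger category in conf/logging.properties instead.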
John Eipe
Ranch Hand

Joined: May 23, 2008
Posts: 215
Tim,

Thanks. Sorry to trouble you this far. But I'm still struggling to make it work.

I made a few changes.

1) Left server.xml alone. Added Realm configuration into context.xml and removed roleSearch.


2) Changed web.xml


Other than the mysterious question of why it's not working, I'm wondering why I don't see any logs.
Only log I see is
WARNING: [SetPropertiesRule]{Context/Realm} Setting property 'debug' to '4' did not find a matching property.
when tomcat starts.