How to configure tomcat for LDAP

Greenhorn
Posts: 3
Hi friends,

I'm having a really hard time configuring my Tomcat to authenticate a user against AD.

My server structure is:
users --> CN=testUser,OU=tomcat,OU=system,DC=company,DC=com
Roles --> CN=Admin,OU=Roles,OU=tomcat,OU=system,DC=company,DC=com

server.xml file:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://SERVER_URL:389"
       connectionName="CN=testUser,OU=tomcat,OU=system,DC=company,DC=com"
       connectionPassword="**Password**"
       userBase="OU=tomcat,OU=system,DC=company,DC=com"
       userSearch="(CN={0})"
       userSubtree="true"
       roleBase="OU=Roles,OU=tomcat,OU=system,DC=company,DC=com"
       roleName="Admin"
       roleSearch="(member={0})"
       roleSubtree="true"
/>

I am using basic authentication in my web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Logging Area</web-resource-name>
    <description>
      Authentication for registered users.
    </description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>*</role-name>
</security-role>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>enter Username</realm-name>
</login-config>

The problem is: when I try to log in with userName: testUser, I get the error message javax.naming.InvalidNameException.
But when I log in with userName: CN=testUser,OU=tomcat,OU=system,DC=company,DC=com, I can log in.
I don't understand why I am not able to log in with just the userName only???
Or what changes do I need to make to get it working correctly?

Ranch Hand
Posts: 199
Hi,
you have to log in with your distinguished name "CN=testUser,OU=tomcat,OU=system,DC=company,DC=com", not with your user name "testUser".
You have a bind user to connect with LDAP, and your full DN is how LDAP recognizes you; the user name alone means nothing to LDAP.

No changes to make, because this is the expected behaviour.


Cheers,

Jyoti Dinkar
Greenhorn
Posts: 3
Thanks Carles for your reply.

But I want to log in with the userName only. Is that possible??
If yes, then how??
Carles Gasques
Ranch Hand
Posts: 199
Sorry, I was misleading you.
My mistake, mixing up the login of the LDAP bind user with the login of the Tomcat users.

Have you tested

instead of


Best regards and my apologies,
Jyoti Dinkar
Greenhorn
Posts: 3
I tried this also.

It doesn't help :(
To log in I still need to give the complete pattern:


Saloon Keeper
Posts: 24553
One of the biggest mistakes that people make when setting up LDAP is trying to mirror the corporate structure as directories in LDAP. It doesn't work well, and when people move around, it's a real pain for maintenance.

So my LDAP directory is organized more like this:

ou=employees,dc=mousetech,dc=com
[ list of CNs of employees, with uid and password attributes]

ou=users,ou=tomcat,ou=services,dc=mousetech,dc=com
[ list of memberUids corresponding to employee uids]

ou=groups,ou=tomcat,ou=services,dc=mousetech,dc=com
ou=administrators,ou=groups,ou=tomcat,ou=services,dc=mousetech,dc=com
[ list of memberUids of authorized administrators ]
ou=auditors,ou=groups,ou=tomcat,ou=services,dc=mousetech,dc=com
[ list of memberUids of authorized auditors ]

There are also 2 different ways to test authorization using the LDAP realm. One is to configure it so that the Realm will attempt to connect to the LDAP server using the user-supplied id and password from the login form. Successful connection means successful login.

The other way to test authorization is to use a general query connection userid/password to connect to LDAP and have the LDAP server do searches for the actual userid/password. You must provide the search query.

The search query under the scheme I outlined above would be more like this:


I didn't have a working example handy, so this isn't a full and authoritative solution, but it's the basic plan that I use. The Tomcat LDAP Realm docs are more complete and accurate.

Note that if your "LDAP" is actually Active Directory and you want to use the user's Windows login credentials, they have their own particular format.
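To make the two ways of testing a login concrete, here is an added example (not Tomcat's code and not from anyone in this thread): a small Python model of how a JNDI-style realm handles each mode. Mode one builds the bind DN from a template (Tomcat's userPattern attribute); mode two binds with a service account (connectionName / connectionPassword), searches userBase with the userSearch filter, then re-binds as the entry it found. The directory contents, the service account CN=svc-tomcat and every password are constructed stand-ins for the tree in the first post. Two things the model makes explicit: the login name is RFC 4515-escaped before it is substituted for {0}, so a name like "*" cannot turn the filter into a wildcard, and roleName must be the attribute that holds the role's name (cn for the CN=Admin group), not the role value itself.

```python
"""Model of the two JNDIRealm authentication modes discussed in this thread.
Added example, not Tomcat's code. DIRECTORY is a constructed stand-in for the
poster's tree under OU=tomcat,OU=system,DC=company,DC=com; the service account
CN=svc-tomcat and all passwords are invented."""
import re

# Constructed directory: DN -> attributes (attribute names lower-cased).
# Passwords sit in the dict only so the model runs offline.
DIRECTORY = {
    "CN=testUser,OU=tomcat,OU=system,DC=company,DC=com": {
        "cn": "testUser", "samaccountname": "testUser", "userpassword": "pw-test"},
    "CN=svc-tomcat,OU=tomcat,OU=system,DC=company,DC=com": {
        "cn": "svc-tomcat", "samaccountname": "svc-tomcat", "userpassword": "pw-svc"},
    "CN=Admin,OU=Roles,OU=tomcat,OU=system,DC=company,DC=com": {
        "cn": "Admin", "member": ["CN=testUser,OU=tomcat,OU=system,DC=company,DC=com"]},
}

# Mirrors the Realm attributes from the first post: the login attribute is AD's
# sAMAccountName and roleName is "cn", the attribute that holds the role's name.
SEARCH_REALM = {
    "connectionName": "CN=svc-tomcat,OU=tomcat,OU=system,DC=company,DC=com",
    "connectionPassword": "pw-svc",
    "userBase": "OU=tomcat,OU=system,DC=company,DC=com",
    "userSearch": "(sAMAccountName={0})", "userSubtree": True,
    "roleBase": "OU=Roles,OU=tomcat,OU=system,DC=company,DC=com",
    "roleName": "cn", "roleSearch": "(member={0})", "roleSubtree": True,
}
# The other mode: no service account, the DN is built from a template.
PATTERN_REALM = {"userPattern": "CN={0},OU=tomcat,OU=system,DC=company,DC=com"}


def escape_filter_value(value):
    """RFC 4515 escaping for anything substituted into a search filter.
    Without it a login name like "*" is a wildcard and ")(" can rewrite the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def _value_regex(raw):
    """Filter value -> regex: an unescaped * is a wildcard, \\xx is a literal."""
    parts, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 2 < len(raw):
            parts.append(re.escape(chr(int(raw[i + 1:i + 3], 16))))
            i += 3
        else:
            parts.append(".*" if raw[i] == "*" else re.escape(raw[i]))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE)


def search(base, filter_str, subtree=True):
    """Evaluate a single (attr=value) filter below base; returns matching DNs."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        raise ValueError("only simple (attr=value) filters are modelled")
    attr, pattern = m.group(1).lower(), _value_regex(m.group(2))
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith(base.lower()):
            continue
        if not subtree and dn.count(",") != base.count(",") + 1:
            continue
        values = attrs.get(attr, [])
        values = [values] if isinstance(values, str) else values
        if any(pattern.fullmatch(v) for v in values):
            hits.append(dn)
    return hits


def bind(dn, password):
    """Simple bind: the entry must exist and the password must match."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("userpassword") == password


def authenticate_by_pattern(realm, username, password):
    """userPattern mode: build the DN from the template, then bind as the user.
    The login must not be allowed to add DN components of its own."""
    if "," in username or "=" in username:
        return None
    dn = realm["userPattern"].replace("{0}", username)
    return dn if bind(dn, password) else None


def authenticate_by_search(realm, username, password):
    """userSearch mode: bind as the service account, find the entry by login name,
    re-bind as the DN found. Fails closed unless exactly one entry matches."""
    if not bind(realm["connectionName"], realm["connectionPassword"]):
        raise RuntimeError("service account bind failed")
    flt = realm["userSearch"].replace("{0}", escape_filter_value(username))
    hits = search(realm["userBase"], flt, realm["userSubtree"])
    if len(hits) != 1:
        return None
    return hits[0] if bind(hits[0], password) else None


def roles_for(realm, user_dn):
    """roleSearch with {0} = the user's DN; roleName is the attribute read back."""
    flt = realm["roleSearch"].replace("{0}", escape_filter_value(user_dn))
    found = search(realm["roleBase"], flt, realm["roleSubtree"])
    return sorted(DIRECTORY[dn][realm["roleName"].lower()] for dn in found)


if __name__ == "__main__":
    dn = authenticate_by_search(SEARCH_REALM, "testUser", "pw-test")
    print(dn, roles_for(SEARCH_REALM, dn), authenticate_by_pattern(PATTERN_REALM, "testUser", "pw-test"))
```

Running it shows the short name "testUser" resolving to the full DN in both modes, and "Admin" coming back from the member lookup. The search-mode service account only needs read access to userBase and roleBase; the user's own password is only ever used for the second bind, never placed in a filter.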