
Tomcat and LDAP (connection problem)

 
Hisham Farahat
Greenhorn
Posts: 6
Dear All,

I have a tomcat server 6.0 running on a Windows server 2003, it needs to authenticate users using JNDI realm which connects to an LDAP server ( Active directory running on a different machine).
The realm configuration in server.xml is as the following:
==============================================================
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99" connectionURL="ldap://name.com:389/" connectionName="CN=tomcat,CN=Users,DC=name,DC=com" connectionPassword="************" alternateURL="ldap://ip:389/" userSubtree="true" referrals="follow" userSearch="(| (mailNickname={0}) (givenName={0}) )" userBase="DC=name,DC=com" roleBase="CN=Users,DC=name,DC=com" roleName="description" roleSearch="member={0}" roleSubtree="true" allRolesMode="AuthOnly" />
</Host>
==============================================================

The problem is that when I try to log in with my AD account, sometimes (around 40% of the time) I get a login error, and it continues in this state for 10 minutes (no user can log in in this period). Even the manager and admin accounts that are used to log in to the manager webapp are not allowed to log in. How can I solve this problem? It is so annoying.

Some points:
1- The log of the error is :
==================
Oct 29, 2008 8:30:12 AM org.apache.catalina.core.ApplicationDispatcher doForward
FINE: Disabling the response for futher output
Oct 29, 2008 8:30:15 AM org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: name.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]]
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(Unknown Source)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(Unknown Source)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(Unknown Source)
at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1097)
at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:992)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:941)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:810)
at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:258)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:417)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.naming.CommunicationException: name.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]
at com.sun.jndi.ldap.LdapReferralContext.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapReferralException.getReferralContext(Unknown Source)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(Unknown Source)
... 20 more
Caused by: java.net.ConnectException: Connection refused: connect
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.PlainSocketImpl.doConnect(Unknown Source)
at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.SocksSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at com.sun.jndi.ldap.Connection.createSocket(Unknown Source)
at com.sun.jndi.ldap.Connection.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapClient.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapClient.getInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.url.ldap.ldapURLContextFactory.getObjectInstance(Unknown Source)
at javax.naming.spi.NamingManager.getURLObject(Unknown Source)
at javax.naming.spi.NamingManager.processURL(Unknown Source)
at javax.naming.spi.NamingManager.processURLAddrs(Unknown Source)
at javax.naming.spi.NamingManager.getObjectInstance(Unknown Source)
... 23 more
Oct 29, 2008 8:30:15 AM org.apache.catalina.realm.JNDIRealm close
FINE: Closing directory context
Oct 29, 2008 8:30:15 AM org.apache.catalina.core.ApplicationDispatcher doForward
FINE: Disabling the response for futher output

==================

2- Rebooting the machine will solve the problem.
3- Restarting Tomcat won't affect anything.
4- I can connect to the LDAP server using Softerra LDAP Administration during the 10 blocking minutes.
5- The system admin checked the log of the AD and there is nothing there.
6- I have tried to put the realm configuration under context.xml, and the same thing happens.
7- Most probably, when I leave the session to expire (5 min) and try to log in again afterwards, it gets blocked.

Please help me with this issue; I need it working correctly ASAP.


Regards,
 
Joe Ess
Bartender
Posts: 9300
Welcome to the JavaRanch.


The error above indicates that there's nothing listening at "name.com" port 389. What server and port do you use to connect with Softerra?
More important, can you connect to the LDAP using Softerra from the server where you are running Tomcat?
Are there any firewalls or proxies between the server and the LDAP?
[ October 29, 2008: Message edited by: Joe Ess ]
 
Hisham Farahat
Greenhorn
Posts: 6
The same server and port.

Both servers (LDAP and Tomcat) are on one LAN; there are a firewall and a proxy, but for external traffic.
 
Joe Ess
Bartender
Posts: 9300
Originally posted by Joe Ess:

More important, can you connect to the LDAP using Softerra from the server where you are running Tomcat?
 
Hisham Farahat
Greenhorn
Posts: 6
Yes, I can.
 
Joe Ess
Bartender
Posts: 9300
What does your realm configuration look like?
 
Hisham Farahat
Greenhorn
Posts: 6
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99" connectionURL="ldap://name.com:389/" connectionName="CN=tomcat,CN=Users,DC=name,DC=com" connectionPassword="************" alternateURL="ldap://ip:389/" userSubtree="true" referrals="follow" userSearch="(| (mailNickname={0}) (givenName={0}) )" userBase="DC=name,DC=com" roleBase="CN=Users,DC=name,DC=com" roleName="description" roleSearch="member={0}" roleSubtree="true" allRolesMode="AuthOnly" />
</Host>
 
Joe Ess
Bartender
Posts: 9300
Can you use the ip specified in alternateURL="ldap://ip:389/" to connect to the LDAP? It's odd that it only happens occasionally.
 
Hisham Farahat
Greenhorn
Posts: 6
In Tomcat it failed, but using OpenLDAP it connects normally.

I really don't know what to do.
 
Jaikiran Pai
Marshal
Posts: 10447
Do you have any anti-virus or firewalls installed on the system which might be blocking access to the server/port? Try disabling those firewall/anti-virus services.
 
Jaikiran Pai
Marshal
Posts: 10447
And what does the following command (from the system where tomcat is installed) return:

 
Hisham Farahat
Greenhorn
Posts: 6
I could not connect through telnet.
It takes a long time, and nothing appeared.
Although the server is working normally right now (the period of disconnection is not occurring now).
 
Joe Ess
Bartender
Posts: 9300
Originally posted by Hisham Farahat:
I could not connect through telnet.
It takes a long time, and nothing appeared.


Did you get an error or did the console just go blank?
When I telnet to my LDAP, the console goes blank. I don't know enough about the LDAP protocol to know what to enter, but if you don't get a connection error, I think you are good.
I'm suspicious that the name.com does not match the IP address you've specified in your realm configuration. That would make sense as the alternateURL setting does not get used unless the connectionURL fails.
Try pinging name.com and see what IP gets used.
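A diagnostic script for the failure Joe describes, added here as an example; it was not posted by anyone in the thread. The trace in the first post raises its CommunicationException from LdapReferralContext, that is, while the JNDI client (with referrals="follow") opens a new connection to the host an AD referral names; as I read the JNDI client's behaviour, that hop resolves name.com on its own and never falls back to alternateURL, so the script first classifies the trace and then applies the telnet-style check to every address the referred name resolves to. The trace excerpt is constructed from the posted log, and the hostnames are the placeholders used in the thread.

```python
import re
import socket

# Constructed excerpt of the Tomcat log posted in the thread, reduced to the lines
# that carry the diagnosis: exception types, failing host:port, socket-opening frame.
SAMPLE_TRACE = """\
SEVERE: Exception performing authentication
javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: name.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]]
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(Unknown Source)
at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1097)
Caused by: javax.naming.CommunicationException: name.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]
at com.sun.jndi.ldap.LdapReferralContext.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapReferralException.getReferralContext(Unknown Source)
Caused by: java.net.ConnectException: Connection refused: connect
"""

COMM_RE = re.compile(r"javax\.naming\.CommunicationException: ([\w.\-]+):(\d+)")


def classify_jndi_failure(trace: str) -> dict:
    """Where in the JNDIRealm flow the TCP connect failed, and to which endpoint.
    phase "referral": the CommunicationException was raised while the JNDI client opened
    a fresh connection to follow an LDAP referral (LdapReferralContext under 'Caused by').
    That connection goes to the host the referral names, never to alternateURL.
    phase "bind": the realm's own connection to connectionURL failed.
    """
    m = COMM_RE.search(trace)
    host, port = (m.group(1), m.group(2)) if m else (None, None)
    cause_part = trace.split("Caused by:", 1)[-1]  # frames of the CommunicationException
    phase = "referral" if "LdapReferralContext" in cause_part else "bind"
    root = "refused" if "Connection refused" in trace else "timeout" if "timed out" in trace else "other"
    return {"host": host, "port": port, "phase": phase, "root": root}


def resolve_all(host: str) -> list:
    """Every IPv4 address the name resolves to. An AD domain name normally maps to all
    domain controllers, so a referral to it may land on a different DC than connectionURL."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def check_tcp(ip: str, port: int, timeout: float = 3.0) -> str:
    """The telnet check from the thread, repeated for one resolved address."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeouts and unreachable networks
        return "unreachable"
```

Run `classify_jndi_failure(SAMPLE_TRACE)` from the Tomcat host, then `check_tcp(ip, 389)` for each entry of `resolve_all("name.com")`; an address that reports "refused" or "unreachable" is a DC the referral hop can land on while Softerra, which keeps one working connection, never notices.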
 
Eugene kaadoo
Greenhorn
Posts: 1
We had the same problem with intermittent LDAP authentication with Tomcat. We found that when we pointed it to a 2003 domain controller everything worked fine.

Not sure if this a problem with the specific version of TomCat we're using; didn't have time to dig further.
 