Dear All,
I have a Tomcat 6.0 server running on Windows Server 2003; it needs to authenticate users using a JNDI realm which connects to an LDAP server (Active Directory running on a different machine).
The realm configuration in server.xml is as follows:
==============================================================
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         debug="99"
         connectionURL="ldap://name.com:389/"
         connectionName="CN=tomcat,CN=Users,DC=name,DC=com"
         connectionPassword="************"
         alternateURL="ldap://ip:389/"
         userSubtree="true"
         referrals="follow"
         userSearch="(| (mailNickname={0}) (givenName={0}) )"
         userBase="DC=name,DC=com"
         roleBase="CN=Users,DC=name,DC=com"
         roleName="description"
         roleSearch="member={0}"
         roleSubtree="true"
         allRolesMode="AuthOnly" />
</Host>
==============================================================
The problem is that when I try to log in with my AD account, sometimes (around 40% of the time) I get a login error, and it stays in this state for 10 minutes (no user can log in during this period). Even the manager and admin accounts that are used to log in to the manager webapp are not allowed to log in. How can I solve this problem? It is so annoying.
Some points:
1- The log of the error is:
==================
Oct 29, 2008 8:30:12 AM org.apache.catalina.core.ApplicationDispatcher doForward
FINE: Disabling the response for futher output
Oct 29, 2008 8:30:15 AM org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: name.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]]
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(Unknown Source)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(Unknown Source)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(Unknown Source)
at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1097)
at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:992)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:941)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:810)
at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:258)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:417)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.naming.CommunicationException: name.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]
at com.sun.jndi.ldap.LdapReferralContext.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapReferralException.getReferralContext(Unknown Source)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(Unknown Source)
... 20 more
Caused by: java.net.ConnectException: Connection refused: connect
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.PlainSocketImpl.doConnect(Unknown Source)
at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.SocksSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at com.sun.jndi.ldap.Connection.createSocket(Unknown Source)
at com.sun.jndi.ldap.Connection.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapClient.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapClient.getInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.url.ldap.ldapURLContextFactory.getObjectInstance(Unknown Source)
at javax.naming.spi.NamingManager.getURLObject(Unknown Source)
at javax.naming.spi.NamingManager.processURL(Unknown Source)
at javax.naming.spi.NamingManager.processURLAddrs(Unknown Source)
at javax.naming.spi.NamingManager.getObjectInstance(Unknown Source)
... 23 more
Oct 29, 2008 8:30:15 AM org.apache.catalina.realm.JNDIRealm close
FINE: Closing directory context
Oct 29, 2008 8:30:15 AM org.apache.catalina.core.ApplicationDispatcher doForward
FINE: Disabling the response for futher output
==================
2- Rebooting the machine will solve the problem.
3- Restarting Tomcat won't affect anything.
4- I can connect to the LDAP server using Softerra LDAP Administrator during the 10 blocking minutes.
5- The system admin checked the log of the AD and there is nothing there.
6- I have tried to put the realm configuration under context.xml, and the same thing happens.
7- Most probably, when I leave the session to expire (5 min) and try to log in again afterwards, it gets blocked.
Please help me with this issue; I need it working correctly ASAP.
Regards,
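In the trace above the refused connection is raised from LdapReferralContext, i.e. while chasing a referral returned by the user search (referrals="follow"), not while binding to the realm's own connectionURL. The script below is an added example, not part of the original post: it classifies JNDIRealm authentication failures from Tomcat log lines by the peer that refused the connection and by that stage, then merges them into outage windows. The sample log is constructed from the post's excerpt; the 10.0.0.5:389 primary-bind record is invented for contrast.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the post's excerpt (not a real capture); the 10.0.0.5:389
# record is an invented primary-bind failure, added to contrast with the referral chase.
SAMPLE_LOG = """\
Oct 29, 2008 8:30:15 AM org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: name.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]]
\tat com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source)
Caused by: javax.naming.CommunicationException: name.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]
\tat com.sun.jndi.ldap.LdapReferralContext.<init>(Unknown Source)
Oct 29, 2008 8:33:40 AM org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: name.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]]
\tat com.sun.jndi.ldap.LdapReferralContext.<init>(Unknown Source)
Oct 29, 2008 8:55:00 AM org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.CommunicationException: 10.0.0.5:389 [Root exception is java.net.ConnectException: Connection refused: connect]
\tat com.sun.jndi.ldap.Connection.createSocket(Unknown Source)
"""

# Each Tomcat juli record starts with "<timestamp> <logger> <method>"; its body follows.
REC_RE = re.compile(r"^([A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (\S+) (\S+)$", re.M)
HOST_RE = re.compile(r"CommunicationException: (\S+?:\d+) ")
TS_FMT = "%b %d, %Y %I:%M:%S %p"

def auth_failures(text):
    """One dict per JNDIRealm 'Exception performing authentication' record in `text`."""
    parts = REC_RE.split(text)  # [preamble, ts, logger, method, body, ts, logger, ...]
    out = []
    for i in range(1, len(parts), 4):
        ts, logger, method, body = parts[i:i + 4]
        if not logger.endswith("JNDIRealm") or "SEVERE: Exception performing authentication" not in body:
            continue
        hosts = HOST_RE.findall(body)  # the innermost CommunicationException names the refused peer
        # LdapReferralContext in the trace means the refused socket was opened to chase a referral, not for the realm's own bind.
        stage = "referral-chase" if "LdapReferralContext" in body else "primary-connect"
        out.append({"ts": datetime.strptime(ts, TS_FMT), "method": method,
                    "target": hosts[-1] if hosts else None, "stage": stage})
    return out

def outage_windows(failures, gap=timedelta(minutes=10)):
    """Merge failures less than `gap` apart into windows: start, end, count, targets, stages."""
    windows = []
    for f in failures:
        if windows and f["ts"] - windows[-1]["end"] < gap:
            w = windows[-1]; w["end"] = f["ts"]; w["count"] += 1
            w["targets"].add(f["target"]); w["stages"].add(f["stage"])
        else:
            windows.append({"start": f["ts"], "end": f["ts"], "count": 1, "targets": {f["target"]}, "stages": {f["stage"]}})
    return windows
```

Run it over catalina's real log instead of SAMPLE_LOG: a window whose stages are only "referral-chase" and whose target is the domain name rather than alternateURL's host points at the referral chase, not the primary bind, as the thing failing during the ten-minute outage.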