Unable to login using LDAP realm configuration

Ranch Hand
Posts: 215
I have the following entry in LDAP (ApacheDS)


I'm trying to configure LDAP realm on Tomcat.


Contents of the application's web.xml


Tomcat refuses to log in and I'm directed back to index.jsp. What am I missing?
 
John Eipe
Ranch Hand
Posts: 215
Is it because I have placed it within the existing Realm definition?

 
John Eipe
Ranch Hand
Posts: 215
I tried placing it outside and still it doesn't work. :-(
 
John Eipe
Ranch Hand
Posts: 215
Any suggestions guys?
Looks like the Tomcat sub-forum is dead, or is it that Tomcat is no longer used by anybody!!!
 
Saloon Keeper
Posts: 28660
John Eipe wrote: Any suggestions guys?
Looks like the Tomcat sub-forum is dead, or is it that Tomcat is no longer used by anybody!!!

Or... it could be that when you use a free forum, you don't have people sitting by 24x7 to answer questions. I normally check in once a day, usually only on weekdays. We do have slow and fast periods, though.

The biggest problem with the LDAP realm is getting your LDAP query properly formulated - providing that you've attended to the usual details such as ensuring that there's no firewall blocking access to the LDAP server and such.

I noticed that you've got it set up to use the user's Common Name (cn) instead of an account ID, though. So the login ID would be "John Eipe". You also don't have SSL enabled for your secure resources (TRANSPORT is set to NONE).

Where did you put your Realm element in Tomcat?
 
John Eipe
Ranch Hand
Posts: 215
Tim,
Sorry. That was totally out of desperation.

I placed it within
 
Tim Holloway
Saloon Keeper
Posts: 28660
OK. That's not the way it works in most cases. You would have only 1 Realm, not nested Realms, and you wouldn't have multiple Realms active at the same time. There is a compositing Realm, but I don't think that's what you're attempting here, and if you are, remove the compositing until you have basic LDAP functioning so as to minimize the confusion.

Realms may be applied at 1 of 2 levels. At the server.xml level for a given Host or Engine there would be only 1 Realm. It would apply to every webapp for that Host (which usually is the default or "localhost" host).

You can override the Host-level Realm by defining a Realm for a specific webapp in that webapp's Context definition.
 
John Eipe
Ranch Hand
Posts: 215
I tried in server.xml after commenting out the default realm configurations. But still no results.

Here are 2 things I would like to bring to notice.
1. I'm running tomcat using eclipse. So the configuration is done through eclipse. (It does detect the realm as I got Connection exception when ldap server was stopped.)
2. I have confirmed that the username and password information is correct. Below is a standalone program that I used to test.

 
Tim Holloway
Saloon Keeper
Posts: 28660
There are several ways to run Tomcat through Eclipse. Unfortunately, the most common way is via the WTP plugin, which is an abomination that creates an incomplete copy of the original Tomcat configuration and then has to be periodically kicked to get changes made to the Tomcat configuration updated into the WTP configuration copy that it uses to run Tomcat.

A cleaner way to run Tomcat is by using the sysdeo plugin, which doesn't attempt to copy the Tomcat configuration in part or in whole, but rather uses it exactly the same way that stand-alone Tomcat does.

Actual troubleshooting on the LDAP Realm can be a royal pain and it's not something I can easily do for you second-hand. I can make a few observations, though, and perhaps they will help.

Firstly, there are 2 ways to authenticate a user using LDAP. The first way is to simply use the candidate's userid and password to connect to the LDAP server itself. If connection succeeds, the user is authenticated, and (presumably) able to check roles. The second way - which it appears that you are using - is to connect via a master userid and password then do a lookup for the actual userid and password. So one way you can run into trouble is if you're not using the right Realm attributes for the authentication process that you're using.

The second "gotcha" can occur if you are doing a lookup into a complex or irregular directory structure. LDAP allows you to limit the number of levels that will be searched, so you'd need to make sure that you've properly defined this in your Realm attributes.
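The configuration below is an added example, not the Realm that John posted and not code from the Tomcat project. It puts the Realm in the webapp's own Context (the placement Tim recommends in his earlier reply) and spells out, with Tomcat's documented JNDIRealm attributes, the two authentication modes he describes: search via a service account, with the search depth limited by userSubtree/roleSubtree, and direct bind as the user via userPattern. The LDAP URL, DNs, filters and password are assumed placeholders; the port and admin DN are ApacheDS defaults, not values from the thread.

```xml
<!-- META-INF/context.xml of the web application (per-webapp Context).
     All DNs, filters and the password below are constructed placeholders. -->
<Context>

  <!-- Mode 2 (what the thread appears to use): bind with a service account,
       then search for the user under userBase. The attribute in userSearch
       decides what the user types at login: "(uid={0})" means a short account
       id, "(cn={0})" would mean the full Common Name such as "John Eipe". -->
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://localhost:10389"
         connectionName="uid=admin,ou=system"
         connectionPassword="CHANGE_ME"
         userBase="ou=users,dc=example,dc=com"
         userSearch="(uid={0})"
         userSubtree="true"
         roleBase="ou=groups,dc=example,dc=com"
         roleName="cn"
         roleSearch="(member={0})"
         roleSubtree="true" />

  <!-- Mode 1 alternative: bind directly as the candidate user, no service
       account. {0} in userPattern is the login id. Keep only one Realm
       active; this one is commented out.
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://localhost:10389"
         userPattern="uid={0},ou=users,dc=example,dc=com"
         roleBase="ou=groups,dc=example,dc=com"
         roleName="cn"
         roleSearch="(member={0})"
         roleSubtree="true" />
  -->

</Context>
```

With the search mode, a wrong userBase or a userSubtree="false" against an entry that sits one level deeper silently yields "user not found", which is why Tim points at search scope. The roleSearch filter receives the user's full DN as {0} and the login id as {1}; whichever your group entries store as member must match. If you enable the direct-bind mode instead, every attribute that belongs to the search mode (connectionName, connectionPassword, userBase, userSearch) should be removed so the two modes are not mixed.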
 
John Eipe
Ranch Hand
Posts: 215
Tim,

Thanks. Sorry to trouble you this far. But I'm still struggling to make it work.

I made a few changes.

1) Left server.xml alone. Added Realm configuration into context.xml and removed roleSearch.


2) Changed web.xml


Other than the mysterious question of why it's not working, I'm wondering why I don't see any logs.
The only log I see is
WARNING: [SetPropertiesRule]{Context/Realm} Setting property 'debug' to '4' did not find a matching property.
when tomcat starts.