Unable to login using LDAP realm configuration

I have the following entry in LDAP (ApacheDS)
dn: cn=John Eipe,ou=employees,o=csRepository objectclass: top objectclass: inetOrgPerson objectclass: person objectclass: organizationalPerson cn: John Eipe sn: Eipe description: the fist and the single employee as of now mail: johny@mail.com userpassword:: e21kNX1YWlBPdHc0 dn: cn=adminRole,ou=employees,o=csRepository objectClass: top objectClass: groupOfUniqueNames cn: adminRole uniqueMember: cn=John Eipe,ou=employees,o=csRepository

I'm trying to configure LDAP realm on Tomcat.
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99" connectionURL="ldap://localhost:10389" connectionName="uid=admin, ou=system" connectionPassword="***" userSubtree="true" userPattern="cn={0},ou=employees,o=csRepository" userPassword="userpassword" roleBase="ou=employees,o=csRepository" roleName="cn" roleSearch="(uniqueMember={0})" />

Contents of the application's web.xml
<security-constraint> <web-resource-collection> <web-resource-name>Servlet is protected from POST calls</web- resource-name> <url-pattern>/secure</url-pattern> <http-method>POST</http-method> <http-method>GET</http-method> </web-resource-collection> <web-resource-collection> <web-resource-name>JSP page protected from any access</web-resource-name> <url-pattern>/secure.jsp</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>adminRole</role-name> </auth-constraint> <user-data-constraint> <!-- transport-guarantee can be CONFIDENTIAL, INTEGRAL, or NONE --> <transport-guarantee>NONE</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>/login.jsp</form-login-page> <form-error-page>/index.jsp</form-error-page> </form-login-config> </login-config> <!-- Security roles referenced by this web application --> <security-role> <role-name>adminRole</role-name> </security-role>

Tomcat refuses to log in and I'm directed back to index.jsp. What am I missing?

Is it because i have placed it within the existing Realm definition?

I tried placing it outside and still it doesn't work. :-(

Any suggestions guys?
Looks like tomcat sub-forum is dead or is it that tomcat is no more used by anybody!!!

John Eipe wrote:Any suggestions guys?
Looks like tomcat sub-forum is dead or is it that tomcat is no more used by anybody!!!

Or... it could be that when you use a free forum, you don't have people sitting by 24x7 to answer questions. I normally check in once a day, usually only on weekdays. We do have slow and fast periods, though.

The biggest problem with the LDAP realm is getting your LDAP query properly formulated - providing that you've attended to the usual details such as ensuring that there's no firewall blocking access to the LDAP server and such.

I noticed that you've got it set up to use the user's Common Name (cn) instead of an account ID, though. So the login ID would be "John Eipe". You also don't have SSL enabled for your secure resources (TRANSPORT is set to NONE).

Where did you put your Realm element in Tomcat?

Tim,
Sorry. That was totally out of desperation.

I placed it within
<Realm> <Realm ... default definiton here...> <Realm ... mine goes here...> </Realm>

OK. That's not the way it works in most cases. You would have only 1 Realm, not nested Realms and you wouldn't have multiple Realms active at the same time. There is a compositing Realm, but I don't think that's what you're attempting here. and if you are, remove the compositing until you have basic LDAP functioning so as to minimize the confusion.

Realms may be applied at 1 of 2 levels. At the server.xml level for a given Host or Engine there would be only 1 Realm. It would apply to every webapp for that Host (which usually is the default or "localhost" host).

You can override the Host-level Realm by defining a Realm for a specific webapp in that webapp's Context definition.

I tried in server.xml after commenting out the default realm configurations. But still no results.

Here are 2 things I would like to bring to notice.
1. I'm running tomcat using eclipse. So the configuration is done through eclipse. (It does detect the realm as I got Connection exception when ldap server was stopped.)
2. I have confirmed that the username and password information is correct. Below is a standalone program that I used to test.

// input String cn = "John Eipe"; String dn = "cn=John Eipe,ou=employees,o=csRepository"; String password = "*****"; Hashtable env = new Hashtable(); env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); env.put(Context.PROVIDER_URL, "ldap://localhost:10389"); env.put(Context.SECURITY_AUTHENTICATION, "simple"); DirContext ctx = null; ctx = new InitialDirContext(env); // Bind with found DN and given password ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, dn); ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password); // Perform a lookup in order to force a bind operation with JNDI ctx.lookup(dn); System.out.println("Authentication successful");

There are several ways to run Tomcat through Eclipse. Unfortunately, the most common way is via the WTP plugin, which is an abomination that creates an incomplete copy of the original Tomcat configuration and then has to be periodically kicked to get changes made to the Tomcat configuration updated into the WTP configuration copy that it uses to run Tomcat.

A cleaner way to run Tomcat is by using the sysdeo plugin, which doesn't attempt to copy the Tomcat configuration in part or in whole, but rather uses it exactly the same way that stand-alone Tomcat does.

Actual troubleshooting on the LDAP Realm can be a royal pain and it's not something I can easily do for you second-hand. I can make a few observations, though and perhaps they will help.

Firstly, there are 2 ways to authenticate a user using LDAP. The first way is to simply use the candidate's userid and password to connect to the LDAP server itself. If connection succeeds, the user is authenticated, and (presumably) able to check roles. The second way - which it appears that you are using - is to connect via a master userid and password then do a lookup for the actual userid and password. So one way you can run into trouble is if you're not using the right Realm attributes for the authentication process that you're using.

The second "gotcha" can occur if you are doing a lookup into a complex or irregular directory structure. LDAP allows you to limit the number of levels that will be searched, so you'd need to make sure that you've properly defined this in your Realm attributes.

Tim,

Thanks. Sorry to trouble you this far. But i'm still struggling to make it work.

I made few changes.

1) Left server.xml alone. Added Realm configuration into context.xml and removed roleSearch.
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="4" connectionURL="ldap://localhost:10389" userSubtree="true" userSearch="(cn={0})" userPattern="cn={0},ou=employees,o=csRepository" userPassword="userPassword" />

2) Changed web.xml
<auth-constraint> <role-name>*</role-name> </auth-constraint>

Other than the mysterious question of why it's not working, I'm wondering why I don't see any logs.
Only log I see is
WARNING: [SetPropertiesRule]{Context/Realm} Setting property 'debug' to '4' did not find a matching property.
when tomcat starts.