Reputation: 31
I'm trying to test a tomcat 6 web app with Active Directory authentication on a Windows 8 machine. I'm trying to get by with a minimal knowledge of Active Directory. I don't have access to a "real" active directory so I've been trying to use AD LDS (Adam) on my Windows 8 machine with ADSI Edit. I followed directions on MSDN http://technet.microsoft.com/en-us/library/cc770639(v=ws.10).aspx. I created a group/role and added a member to that group. I followed directions to use the JNDIRealm for authentication. I'm running under Netbeans (6.9). I cannot get tomcat to pick up the role. I tried using commonRole thinking that this would at least match some role if the "user" was able to authenticate.
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://localhost:389"
       alternateURL="ldap://localhost:389"
       userPattern="CN={0},OU=AD LDS Users,O=Microsoft,C=US"
       roleBase="OU=groups,O=Microsoft,C=US"
       roleName="CN"
       roleSearch="member={0}"
       commonRole="abcde"
/>
I'm not getting much useful logging out of the system. I've followed directions to set logging, but I'm not getting much. I do see an exception in the log if I type in the wrong credentials. If I type the correct credentials an exception isn't logged and the log shows: FINE: Failed authenticate() test and not much more. The lack of exception/stack trace leads me to believe that the user/password was accepted.
Not sure where to turn. Any suggestions? Have others had this setup working? Should I be using some other free LDAP solution that would be relatively easy to set up?
Upvotes: 1
Views: 3211
Reputation: 31
Got it to work ... the AD LDS instance requires authentication to access the group/role. I added a user to my lightweight active directory that I can use to access the directory. I had to add that member to the administrators role in the directory. This new user and password are used to connect to the AD. The connectionName must be the distinguished name of the user.
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://localhost:389"
       connectionName="CN=AdPerson,OU=AD LDS Users,O=Microsoft,C=US"
       connectionPassword="adp"
       userPattern="CN={0},OU=AD LDS Users,O=Microsoft,C=US"
       roleBase="OU=Groups,O=Microsoft,C=US"
       roleName="CN"
       roleSearch="member={0}"
/>
It's unfortunate that there isn't more written to the logfile about the failure I was fighting. I was stumped for a while since it failed silently. In the end, I did use JXplorer to test my connection which is how I discovered I needed some form of authentication and from there discovered that the name needed to be the full DN.
Upvotes: 2
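The answer above describes two pitfalls at once: the realm's role search runs on the connection opened with connectionName/connectionPassword (or anonymously when those are absent), and AD LDS would not return the group entries to that anonymous connection, so the user's password was accepted but the role list came back empty with no exception. The following Python model is an added example, not code from the post or from Tomcat: it replays JNDIRealm's order of operations (service bind, user bind with userPattern, roleSearch with {0} replaced by the user's DN, roleName taken from the matching RDN) against a constructed in-memory stand-in for the AD LDS instance. The directory entries, the FakeAdLds class and the password "bob-pass" are invented for the example; the realm attributes mirror the two configurations in the post.

```python
import re

# Constructed stand-in directory; the DNs follow the naming in the post but the
# entries and passwords are invented for this example.
DIRECTORY = {
    "CN=bob,OU=AD LDS Users,O=Microsoft,C=US": {"userPassword": "bob-pass"},
    "CN=AdPerson,OU=AD LDS Users,O=Microsoft,C=US": {"userPassword": "adp"},
    "CN=Admins,OU=Groups,O=Microsoft,C=US": {
        "member": ["CN=bob,OU=AD LDS Users,O=Microsoft,C=US"]},
}

# The two realm configurations from the post as dicts; the keys are the
# JNDIRealm attribute names, the dict form itself is just for this example.
REALM_ANONYMOUS = {
    "userPattern": "CN={0},OU=AD LDS Users,O=Microsoft,C=US",
    "roleBase": "OU=Groups,O=Microsoft,C=US",
    "roleName": "CN",
    "roleSearch": "member={0}",
}
REALM_WITH_SERVICE_ACCOUNT = dict(
    REALM_ANONYMOUS,
    connectionName="CN=AdPerson,OU=AD LDS Users,O=Microsoft,C=US",
    connectionPassword="adp",
)


class FakeAdLds:
    """Minimal model of the two AD LDS behaviours the answer ran into:
    a bind name must be a full DN, and the Groups OU is not readable over an
    anonymous (unauthenticated) connection."""

    def __init__(self, directory):
        self.directory = directory
        self.bound_as = None  # None means the connection is anonymous

    def bind(self, dn=None, password=None):
        if dn is None:
            self.bound_as = None
            return
        if "=" not in dn:
            raise ValueError("bind name must be a distinguished name, got %r" % dn)
        entry = self.directory.get(dn)
        if entry is None or entry.get("userPassword") != password:
            raise PermissionError("invalid credentials for %s" % dn)
        self.bound_as = dn

    def search(self, base, attr, value):
        """DNs under `base` whose multi-valued `attr` contains `value`.
        Anonymous callers get an empty result for the Groups OU instead of an
        error, which is why the realm failed without a stack trace."""
        if self.bound_as is None and base.lower().startswith("ou=groups,"):
            return []
        return [dn for dn, entry in self.directory.items()
                if dn.lower().endswith("," + base.lower())
                and value in entry.get(attr, [])]


def rdn_value(dn, attr):
    """First RDN value for `attr`, e.g. CN=Admins,... -> 'Admins'."""
    match = re.match(r"%s=([^,]+)" % re.escape(attr), dn, re.IGNORECASE)
    return match.group(1) if match else None


def jndi_realm_authenticate(server, realm, username, password):
    """Follow JNDIRealm's order of operations: connect as the service account
    (or anonymously), bind as the user to verify the password, then search
    roleBase for entries whose member attribute holds the user's DN.
    Returns the list of role names, or None if the password check fails."""
    server.bind(realm.get("connectionName"), realm.get("connectionPassword"))
    user_dn = realm["userPattern"].replace("{0}", username)
    try:
        server.bind(user_dn, password)
    except PermissionError:
        return None
    # Back on the service connection: this is the one that runs the role search.
    server.bind(realm.get("connectionName"), realm.get("connectionPassword"))
    attr, _, value_template = realm["roleSearch"].partition("=")
    matching_groups = server.search(
        realm["roleBase"], attr, value_template.replace("{0}", user_dn))
    return [rdn_value(dn, realm["roleName"]) for dn in matching_groups]


if __name__ == "__main__":
    # Same user and correct password both times; only the service bind differs.
    print(jndi_realm_authenticate(FakeAdLds(DIRECTORY), REALM_ANONYMOUS, "bob", "bob-pass"))
    print(jndi_realm_authenticate(FakeAdLds(DIRECTORY), REALM_WITH_SERVICE_ACCOUNT, "bob", "bob-pass"))
```

Running it prints an empty role list for the anonymous configuration and ['Admins'] once connectionName carries the full DN of the service user, which is the difference between the two Realm elements in the post; a bare name such as "AdPerson" in connectionName is rejected at the bind, the other symptom the answer describes. When debugging a real realm, the equivalent check is to perform the roleSearch with the same bind credentials the realm uses (JXplorer or ldapsearch both work) and confirm the group entries actually come back, rather than relying on the realm's own logging.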