Apache Tomcat integrate with Active Directory

jms0...@yahoo.com

Jan 19, 2006, 4:48:22 PM
Hello,
I am trying to authenticate users in Apache Tomcat 5.5 from Active
Directory.
The way my users are structured in AD is there's a department root OU
and then sub-OUs for each department. The Groups OU is in its own OU.
This is the syntax I'm using for the server.xml file. I have created
two groups, am and thc, and put the necessary users in the groups.

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
    connectionURL="ldap://dc1:389"
    alternateURL="ldap://fs6:389"
    userRoleName="member"
    userBase="OU=Departments,dc=2krecovery,dc=com"
    userPattern="cn={0},OU=Departments,dc=2krecovery,dc=com"
    roleBase="OU=Groups,dc=2krecovery,dc=com"
    roleName="cn"
    roleSearch="(member={0})"
    roleSubtree="false"
    userSubtree="true"
/>
Could someone tell me if this is right? Running a Windows 2000 native
domain level with 2 Windows 2000 DCs and one Windows 2003 DC.

Here's the web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Tax Housing Compliance</web-resource-name>
        <url-pattern>/thc/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>thc</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Asset Management</web-resource-name>
        <url-pattern>/am/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>am</role-name>
    </auth-constraint>
</security-constraint>

Thanks

Raymond DeCampo

Jan 21, 2006, 9:30:31 PM
jms0...@yahoo.com wrote:
> Hello,
> I am trying to authenticate users in Apache Tomcat 5.5 from Active
> Directory.
> The way my users are structured in AD is there's a department root OU
> and then sub-OUs for each department. The Groups OU is in its own OU.
> This is the syntax I'm using for the server.xml file. I have created
> two groups, am and thc, and put the necessary users in the groups.
>
> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>     connectionURL="ldap://dc1:389"
>     alternateURL="ldap://fs6:389"
>     userRoleName="member"
>     userBase="OU=Departments,dc=2krecovery,dc=com"
>     userPattern="cn={0},OU=Departments,dc=2krecovery,dc=com"
>     roleBase="OU=Groups,dc=2krecovery,dc=com"
>     roleName="cn"
>     roleSearch="(member={0})"
>     roleSubtree="false"
>     userSubtree="true"
> />
> Could someone tell me if this is right? Running a Windows 2000 native
> domain level with 2 Windows 2000 DCs and one Windows 2003 DC.

Did it work? What happens when you try it?

>
> Here's the web.xml:
> <security-constraint>
>     <web-resource-collection>
>         <web-resource-name>Tax Housing Compliance</web-resource-name>
>         <url-pattern>/thc/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>         <role-name>thc</role-name>
>     </auth-constraint>
> </security-constraint>
>
> <security-constraint>
>     <web-resource-collection>
>         <web-resource-name>Asset Management</web-resource-name>
>         <url-pattern>/am/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>         <role-name>am</role-name>
>     </auth-constraint>
> </security-constraint>
>
> Thanks
>

Ray

--
This signature intentionally left blank.

jms0...@yahoo.com

Jan 25, 2006, 10:27:45 AM
No, it doesn't seem to authenticate. Where can I check to see where
it's failing? Is there a log in Tomcat? I'm pretty new to setting this
up.

Thanks

Raymond DeCampo

Jan 29, 2006, 9:44:14 AM

You are going to have to give us more to go on if you expect any help.
What are the visible results? Is there a stack trace? Post it here.

You might want to try the tomcat mailing list (see http://www.apache.org).

HTH,

jms0...@yahoo.com

Jan 30, 2006, 11:48:00 AM
Sorry for the ignorance. I'm pretty new at setting this up.
Here's the log file.


Jan 27, 2006 9:41:01 AM org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'dc=bcapital,dc=com'
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2763)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2737)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1808)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1731)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:321)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248)
    at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1063)
    at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:967)
    at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:916)
    at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:809)
    at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:256)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:391)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:825)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:738)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:526)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:595)
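
Added example, not posted by anyone in the thread and not taken from the Tomcat project: a JNDIRealm element reworked for the directory layout and the exception shown above. Host names, DNs and group names are reused from the posts; the bind account svc-tomcat, its password, and the presence of a certificate on the DCs are assumptions.

```xml
<!--
  Added example (not from the thread). svc-tomcat and CHANGE_ME are
  placeholders; everything else reuses values posted above.

  1. ldaps:// on 636 instead of ldap:// on 389: the realm authenticates by
     binding with the user's password, and a simple bind over plain LDAP
     sends that password unencrypted. Assumes the DCs present a
     certificate that Tomcat's JVM trusts.
  2. userSearch + userSubtree replace userPattern: the pattern builds one
     fixed DN directly under OU=Departments, so it cannot match users who
     sit in per-department sub-OUs.
  3. connectionName/connectionPassword: the account the realm binds as to
     run that search (assumes anonymous search is not allowed). Give it
     read access only.
  4. userBase stays on an OU. A subtree search rooted at a domain
     (dc=...,dc=com) makes AD return continuation references, which JNDI
     reports as the PartialResultException in the trace. referrals="follow"
     tells JNDI to chase them if the base ever has to be the domain root.
  5. userRoleName is dropped: it names an attribute on the user entry, and
     in AD "member" is an attribute of the group, which roleSearch covers.
-->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://dc1:636"
       alternateURL="ldaps://fs6:636"
       connectionName="CN=svc-tomcat,OU=Departments,dc=2krecovery,dc=com"
       connectionPassword="CHANGE_ME"
       referrals="follow"
       userBase="OU=Departments,dc=2krecovery,dc=com"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleBase="OU=Groups,dc=2krecovery,dc=com"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="false" />
```

With roleName="cn", the roles handed to the web application are the group names, so they line up with the thc and am role-name entries in the web.xml above.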
