HowTo: Configure Tomcat to use Windows Active Directory

3 views

Skip to first unread message

chris.e...@gmail.com

unread,

Nov 8, 2006, 11:52:18 AM11/8/06

to Vulcan Users

If you want Tomcat to authenticate users against an existing Active
Directory, you can use the JNDIRealm.

Step 1: Find your Primary Domain Controller

In "My Network Places," open "Search Active Directory."
Change the "Find:" value to "Computers."
Click "Browse..."
Select "Domain Controllers" under your domain.
Click "Ok."
Click "Find Now."

The list is populated with one or more Domain Controllers. If you are
unsure which one to use, ask your network support team for help.

Step 2: Create/obtain service account

Active Directory does not allow anonymous bind to ldap. Therefore,
Tomcat will use an account and password to connect to ldap to search
before authenticating users. In many cases, you may be able to use the
existing "ADUser" account. Consult your network support team for help
in getting the password for this account.

Step 2: Figure out your schema

Back in "Search Active Directory," switch "Find:" back to "Users,
Contacts and Groups."
Click the "View" menu and select "Choose columns..."
Select "X500 Distinguished Name" and click "Ok."
Type your own name into the "Name" field and click "Find Now."
The distinguished name that appears should give you an idea of what
value to use for user search.

Step 3: Configure Tomcat security realm

In your Tomcat home, open "server.xml" in the "conf" directory.
Find the UserDatabaseRealm <Realm> node and comment it out.

Enter the following node (replacing template values with your own):

Save server.xml.

Step 4: Configure Vulcan web.xml

Tomcat will use Active Directory groups to role based authorization.
Therefore, WEB-INF/web.xml in Vulcan must declare roles that correspond
to actual groups in Active Directory. Either create new groups in
Active Directory and add users who should be authorized, or change
web.xml to use existing groups.