Tomcat5 and LDAP authentication


Tomcat5 and LDAP authentication

Derrick Woo
I'm having a bit of a tough time getting Tomcat5 to authenticate correctly
to our LDAP server.  It connects using the service account, and then
attempts to bind using the username and password entered at the login page
to confirm if it is valid.

As it is set up right now, if an invalid username/password is entered,
catalina_log confirms that "bind attempt failed" and "Username XXX NOT
successfully authenticated" just as we expect.  However, if we enter in a
correct username/password combination, it binds correctly, however it just
hangs there as if it were awaiting response.  The LDAP logs indicate that it
did successfully bind correctly with the username/password combination, but
no search was performed.

Here is the relevant section of my server.xml file:

      <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
             connectionURL="ldap://ldap.domain.com"
             connectionName="uid=admin,ou=ldapadmin,o=domain.com"
             connectionPassword="xxxxxx"
             userPattern="uid={0},ou=it,o=domain.com"
             userBase="ou=it,o=domain.com"
             />

Am I missing out on something here?  I tried playing around with some of the
different attributes mentioned in the Jakarta Tomcat JNDIRealm
documentation, but still get the same results.  We are not using any roles.

How can we get it so that if the correct username/password is entered, it
lets us pass the login page?
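The symptom above (the user bind succeeds, no search follows, the login then waits forever) is exactly the case where a client-side timeout tells you whether the directory ever answered. The following is an added example, not Tomcat or JNDIRealm code: a stdlib-only model of the LDAPv3 simple bind that the realm performs for both the service account and the user, with the DN built from the posted userPattern and the BindResponse decoded so that resultCode 49 (invalidCredentials) can be told apart from "no response at all". The hostname, port and login name are placeholders, and the RFC 4514 escaping of the substituted login name is general practice for any code that expands a DN pattern, not a statement about how the realm does it.

```python
"""Added example (not Tomcat code): a stdlib-only model of the LDAP simple
bind a JNDIRealm performs, usable to tell an invalidCredentials result from a
directory that accepts the bind and then never answers. The directory host,
port and login below are placeholders."""
import socket
import sys

USER_PATTERN = "uid={0},ou=it,o=domain.com"   # from the posted server.xml
RESULT_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
                53: "unwillingToPerform"}     # LDAP resultCode values (RFC 4511)

def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value substituted into a DN, so a login name
    containing ',' or '=' cannot change the shape of the DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def user_dn(username: str, pattern: str = USER_PATTERN) -> str:
    """What userPattern="uid={0},..." expands to for one login name."""
    return pattern.replace("{0}", escape_dn_value(username))

# Minimal BER encoding, just enough for BindRequest and BindResponse.
def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _ber_int(value: int) -> bytes:
    return _tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))

def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple } }"""
    op = _ber_int(3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x60, op))

def _parse_tlv(data: bytes, pos: int = 0):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def frame_length(data: bytes):
    """Total size of the first BER frame in data, or None until its header is complete."""
    if len(data) < 2:
        return None
    length, pos = data[1], 2
    if length & 0x80:
        n = length & 0x7F
        if len(data) < 2 + n:
            return None
        length, pos = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return pos + length

def parse_bind_response(msg: bytes):
    """Return (messageID, resultCode, result name, diagnosticMessage)."""
    tag, body, _ = _parse_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _parse_tlv(body)
    op_tag, op, _ = _parse_tlv(body, pos)
    if op_tag != 0x61:
        raise ValueError("expected BindResponse, got tag 0x%02x" % op_tag)
    _, rc, pos = _parse_tlv(op)             # resultCode ENUMERATED
    _, _matched, pos = _parse_tlv(op, pos)  # matchedDN
    _, diag, _ = _parse_tlv(op, pos)        # diagnosticMessage
    code = int.from_bytes(rc, "big")
    return (int.from_bytes(mid, "big", signed=True), code,
            RESULT_NAMES.get(code, "other"), diag.decode(errors="replace"))

def try_bind(host: str, port: int, dn: str, password: str, timeout: float = 5.0):
    """One simple bind against a live directory. socket.timeout here means the
    server took the connection (and possibly the bind) but sent no BindResponse."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(bind_request(1, dn, password))
        data = b""
        while frame_length(data) is None or len(data) < frame_length(data):
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("connection closed before a BindResponse arrived")
            data += chunk
    return parse_bind_response(data)

if __name__ == "__main__":
    print(user_dn("dwoo"), "|", user_dn("a,ou=admins"))   # escaping keeps the DN shape
    # Constructed BindResponse (messageID 1, resultCode 49) to show the decoder offline.
    print(parse_bind_response(bytes.fromhex("300c02010161070a013104000400")))
    if len(sys.argv) == 4:   # usage: host dn password -> live check against a directory you own
        try:
            print(try_bind(sys.argv[1], 389, sys.argv[2], sys.argv[3]))
        except socket.timeout:
            print("bind sent, no BindResponse in 5s: the directory is stalling, not the client")
```

Run without arguments it only exercises the DN expansion and the decoder on a constructed response; with `host dn password` it performs one real bind and reports either the decoded result or a timeout. A timeout after the directory's own log shows a successful bind is the directory failing to complete the exchange, which is the conclusion the thread eventually reached by testing against a second server. Note also that with userPattern set the realm derives the DN directly and needs no search, so the posted userBase attribute is not what drives the behaviour; that matches the LDAP log showing a bind and no search.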
Re: Tomcat5 and LDAP authentication

Derrick Woo
Nobody?

On 1/6/06, Derrick Woo <[hidden email]> wrote:

>
> I'm having a bit of a tough time getting Tomcat5 to authenticate correctly
> to our LDAP server.  It connects using the service account, and then
> attempts to bind using the username and password entered at the login page
> to confirm if it is valid.
>
> As it is set up right now, if an invalid username/password is entered,
> catalina_log confirms that "bind attempt failed" and "Username XXX NOT
> successfully authenticated" just as we expect.  However, if we enter in a
> correct username/password combination, it binds correctly, however it just
> hangs there as if it were awaiting response.  The LDAP logs indicate that
> it did successfully bind correctly with the username/password combination,
> but no search was performed.
>
> Here is the relevant section of my server.xml file:
>
>       <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>              connectionURL="ldap://ldap.domain.com"
>              connectionName="uid=admin,ou=ldapadmin,o=domain.com"
>              connectionPassword="xxxxxx"
>              userPattern="uid={0},ou=it,o=domain.com"
>              userBase="ou=it,o=domain.com"
>              />
>
> Am I missing out on something here?  I tried playing around with some of
> the different attributes mentioned in the Jakarta Tomcat JNDIRealm
> documentation, but still get the same results.  We are not using any roles.
>
> How can we get it so that if the correct username/password is entered, it
> lets us pass the login page?
>
Re: Tomcat5 and LDAP authentication

pulkitsinghal
Hello,

> However, if we enter in a
> correct username/password combination, it binds correctly, however it just
> hangs there as if it were awaiting response.  The LDAP logs indicate that
> it did successfully bind correctly with the username/password combination,
> but no search was performed.
> How can we get it so that if the correct username/password is entered, it
> lets us pass the login page?

Seeing how nobody seems to have responded to your message yet...I do have a
suggestion for you:
- Try to find forums and/or mailing lists for your Directory Server and
post this issue there
- for ex: if you happen to be using Sun ONE DS 5.2 then you can use their
forums at http://swforum.sun.com/jive/forum.jspa?forumID=13
- Or if you have a proprietary DS...try contacting their support...I think
tomcat *should be* popular enough for them to have run into this with
another client at least once.
- Oh and by the way...do post the solution/progress here...should you
find/make any.

Cheers,
- Pulkit

On 1/9/06, Derrick <[hidden email]> wrote:

>
> Nobody?
>
> On 1/6/06, Derrick Woo <[hidden email]> wrote:
> >
> > I'm having a bit of a tough time getting Tomcat5 to authenticate
> correctly
> > to our LDAP server.  It connects using the service account, and then
> > attempts to bind using the username and password entered at the login
> page
> > to confirm if it is valid.
> >
> > As it is set up right now, if an invalid username/password is entered,
> > catalina_log confirms that "bind attempt failed" and "Username XXX NOT
> > successfully authenticated" just as we expect.  However, if we enter in
> a
> > correct username/password combination, it binds correctly, however it
> just
> > hangs there as if it were awaiting response.  The LDAP logs indicate
> that
> > it did successfully bind correctly with the username/password
> combination,
> > but no search was performed.
> >
> > Here is the relevant section of my server.xml file:
> >
> >       <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
> >              connectionURL="ldap://ldap.domain.com"
> >              connectionName="uid=admin,ou=ldapadmin,o=domain.com"
> >              connectionPassword="xxxxxx"
> >              userPattern="uid={0},ou=it,o=domain.com"
> >              userBase="ou=it,o=domain.com"
> >              />
> >
> > Am I missing out on something here?  I tried playing around with some of
> > the different attributes mentioned in the Jakarta Tomcat JNDIRealm
> > documentation, but still get the same results.  We are not using any
> roles.
> >
> > How can we get it so that if the correct username/password is entered,
> it
> > lets us pass the login page?
> >
>
>
Re: Tomcat5 and LDAP authentication

Derrick Woo
Hi Pulkit,

Thanks for the suggestions. After MUCH testing and searching, it did turn
out to be the LDAP's configuration and not Tomcat.  I verified this by
authenticating to another test LDAP server we had.  The original LDAP we
were authenticating to isn't commercial or publicly distributed software,
but something someone in the department put together.

Derrick

On 1/9/06, Pulkit Singhal <[hidden email]> wrote:

>
> Hello,
>
> > However, if we enter in a
> > correct username/password combination, it binds correctly, however it
> just
> > hangs there as if it were awaiting response.  The LDAP logs indicate
> that
> > it did successfully bind correctly with the username/password
> combination,
> > but no search was performed.
> > How can we get it so that if the correct username/password is entered,
> it
> > lets us pass the login page?
>
> Seeing how nobody seems to have responded to your message yet...I do have
> a
> suggestion for you:
> - Try to find forums and/or mailing lists for your Directory Server and
> posting this issue there
> - for ex: if you happen to be using Sun ONE DS 5.2 then you can use their
> forums at http://swforum.sun.com/jive/forum.jspa?forumID=13
> - Or if you have a proprietary DS...try contacting their support...I think
> tomcat *should be* popular enough for them to have run into this with
> another client at least once.
> - Oh and by the way...do post the solution/progress here...should you
> find/make any.
>
> Cheers,
> - Pulkit
>
> On 1/9/06, Derrick <[hidden email]> wrote:
> >
> > Nobody?
> >
> > On 1/6/06, Derrick Woo <[hidden email]> wrote:
> > >
> > > I'm having a bit of a tough time getting Tomcat5 to authenticate
> > correctly
> > > to our LDAP server.  It connects using the service account, and then
> > > attempts to bind using the username and password entered at the login
> > page
> > > to confirm if it is valid.
> > >
> > > As it is set up right now, if an invalid username/password is entered,
> > > catalina_log confirms that "bind attempt failed" and "Username XXX NOT
> > > successfully authenticated" just as we expect.  However, if we enter
> in
> > a
> > > correct username/password combination, it binds correctly, however it
> > just
> > > hangs there as if it were awaiting response.  The LDAP logs indicate
> > that
> > > it did successfully bind correctly with the username/password
> > combination,
> > > but no search was performed.
> > >
> > > Here is the relevant section of my server.xml file:
> > >
> > >       <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
> > >              connectionURL="ldap://ldap.domain.com"
> > >              connectionName="uid=admin,ou=ldapadmin,o=domain.com"
> > >              connectionPassword="xxxxxx"
> > >              userPattern="uid={0},ou=it,o=domain.com"
> > >              userBase="ou=it,o=domain.com"
> > >              />
> > >
> > > Am I missing out on something here?  I tried playing around with some
> of
> > > the different attributes mentioned in the Jakarta Tomcat JNDIRealm
> > > documentation, but still get the same results.  We are not using any
> > roles.
> > >
> > > How can we get it so that if the correct username/password is entered,
> > it
> > > lets us pass the login page?
> > >
> >
> >
>
>