Getting Microsoft AD LDAP to work with Jazz on Tomcat
Hi,
I have scoured the forums and net and have tried various modifications of the server.xml file but I still can't get LDAP to work. From my tomcat.log it is clear that the user is authenticating to LDAP but the role match to the group is not taking place.
i.e. ...
DEBUG http-9443-Processor21 org.apache.catalina.authenticator.FormAuthenticator - Authentication of 'minerb01' was successful
DEBUG http-9443-Processor25 org.apache.catalina.realm.RealmBase - Username minerb01 does NOT have role JazzUsers
However, one thing I noticed is that it appears tomcat is trying to match "minerb01" which is the userID (the "sAMAccountName" ) to the group. However, the group lists members by the username ("Miner/, Bill") which is the "CN" property of the group section of LDAP. There is no section in AD that matches the userID ("minerb01") in the Group section of LDAP.
So my assumption is that to get this to work, I need to set up the server.xml to match the userID ("sAMAccountName") to the "CN" in the role (group section of LDAP).
Any comments on how to do this... or if my assumption is correct?
Note: the user is in the group. Please see a copy of the appropriate section of the server.xml below.
Thanks!
Bill
<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="99"
       connectionURL="ldap://:389"
       authentication="simple"
       referrals="follow"
       connectionName="SJM\_ussv_ClearQ_LDAP_SA"
       connectionPassword="c1earq1dap"
       userBase="OU=Global Support,DC=ad,DC=sjm,DC=com"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       userName="sAMAccountName"
       roleBase="OU=Global Support,DC=ad,DC=sjm,DC=com"
       roleSubtree="true"
       roleSearch="(member={1})"
       roleName="CN" />
5 answers
Hi,
Have you looked at this: http://jazz.net/library/article/92.
Just a thought, you have to also modify the web.xml file of the war files.
Ralph
Yes, and many other documents too. web.xml is configured.
Thanks,
Bill
One other thing that comes to mind would be to have a look at the log4j.properties and enable the LDAP-specific logging. (RTC3 has it, not sure about RTC 2)
LDAP seems to be an issue.
Ralph
Hi All,
Thanks for all your input... just wanted to let you know that I solved the issue.
Lessons learned:
1. Verify your settings with an LDAP viewer. I was a member of the group I was using, and a cmd line utility that I was using verified as much. However, the group did not show up in AD when I looked at it with an LDAP viewer. I changed to another group and all is well. I will be setting up the distinct groups (as per instructions) with this in mind.
2. For the roles, the user needs to be listed explicitly as a member of the group in LDAP. A reference to another group doesn't work.
I have included my updated section in server.xml for reference.
<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="99"
       connectionURL="ldap://<my>:389"
       authentication="simple"
       referrals="follow"
       connectionName="SJM\connection name"
       connectionPassword="secret password"
       userBase="OU=Global Support,DC=ad,DC=sjm,DC=com"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       userName="CN"
       roleBase="OU=Global Support,DC=ad,DC=sjm,DC=com"
       roleSubtree="true"
       roleSearch="(member={0})"
       roleName="CN" />
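As an added illustration of why the original roleSearch="(member={1})" produced "does NOT have role JazzUsers" while the working config uses roleSearch="(member={0})" (example code written for this thread, not Tomcat's own code or the poster's), the script below models JNDIRealm's placeholder expansion against a constructed in-memory directory: in roleSearch, {0} is the user's DN and {1} the login name, so only the DN form matches what an AD group stores in its member attribute, and membership that exists only through a nested group (lesson 2) is not found by either form.

```python
# Added example, not code from the thread or from Tomcat: an offline model of how
# JNDIRealm expands userSearch/roleSearch placeholders and matches group entries.
# All directory entries below are constructed sample data, not the poster's AD.

USER_DN = "CN=Miner\\, Bill,OU=Global Support,DC=example,DC=com"
USERS_GROUP_DN = "CN=JazzUsers,OU=Global Support,DC=example,DC=com"

# Constructed directory shaped like AD: a user, a group that lists the user by DN,
# and a second group that only nests the first group (no direct member entry).
DIRECTORY = {
    USER_DN: {"sAMAccountName": ["minerb01"], "cn": ["Miner, Bill"]},
    USERS_GROUP_DN: {"cn": ["JazzUsers"], "member": [USER_DN]},
    "CN=JazzAdmins,OU=Global Support,DC=example,DC=com": {
        "cn": ["JazzAdmins"], "member": [USERS_GROUP_DN]},
}

def attr(entry, name):
    """LDAP attribute names are case-insensitive, so look them up that way."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])

def search(directory, filter_template, substitutions):
    """Expand a one-term equality filter such as (member={0}); return matching DNs."""
    name, _, value = filter_template.strip("()").partition("=")
    for placeholder, replacement in substitutions.items():
        value = value.replace(placeholder, replacement)
    return [dn for dn, entry in directory.items() if value in attr(entry, name)]

def user_roles(directory, username, role_search, role_name="CN"):
    """Mimic JNDIRealm: resolve the user's DN via userSearch ({0} = login name),
    then run roleSearch with {0} = user DN and {1} = login name."""
    hits = search(directory, "(sAMAccountName={0})", {"{0}": username})
    if not hits:
        return []  # authentication would already have failed for an unknown user
    user_dn = hits[0]
    groups = search(directory, role_search, {"{0}": user_dn, "{1}": username})
    return sorted(attr(directory[g], role_name)[0] for g in groups)

def has_role(directory, username, role_search, role):
    """The check behind Tomcat's 'Username ... does NOT have role ...' debug line."""
    return role in user_roles(directory, username, role_search)

if __name__ == "__main__":
    for template in ("(member={1})", "(member={0})"):
        print(template, "->", user_roles(DIRECTORY, "minerb01", template))
```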