
LDAPS bind error on JTS running RTC

I have a problem with RTC v4.0.0.1 running the JTS with LDAPS.
I have installed the certs in the trusted cacerts files using keyman.
I ran through the setup process, specifically step 6, and when pressing Test Connection, the connection to LDAPS indicates that the connection worked. I also get the message to copy all the XML files.
Once I copy the files and restart the server, I try to log in, which fails.
The tomcat7-stderr log file reports that the LDAP connection requires a bind to complete the connection.

So why does the setup step work and connect to the server, but when the server is started the connection fails?

0 votes

Comments

Can you provide the full error from the tomcat log?
Check the <Jazz Install dir>\server\tomcat\conf\server.xml file for the correct values under the JNDIRealm Realm element:
 <Realm className="org.apache.catalina.realm.JNDIRealm"
LDAP stuff here

Feel free to paste in the values of the Realm element. Be sure to remove any passwords and secure information.

Error from log
org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
Throwable occurred: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1 ]; Remaining name: 'dc=<xxx>,dc=US, dc=<yyy>, dc=com
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3107)

Entry from server.xml
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionName="acct04\JazzAD"
connectionURL="ldaps://<server>.acct04.us.<site>.com:636"
debug="99"
roleBase="dc=acct04, dc=us, dc=<site>,dc=com"
roleName="cn" roleSearch="(member={0})" roleSubtree="true"
userBase="dc=acct04,dc=US,dc=<site>,dc=com"
userSearch="(sAMAccountName={0})" userSubtree="true"/>


The original server.xml won't have that element. Did you replace the server.xml file with the one created during setup?
Mine for example looks like server-LDAP20121220114545.xml



One answer

It looks like JNDIRealm might be in there someplace, because the error does reference dc=<xxx>,dc=US, dc=<yyy>, dc=com, which suggests Tomcat knows something about your LDAP server.

If I take out the following values from that element I can reproduce your error.
connectionName="CN=user,CN=Users,DC=domain,DC=ibm,DC=com"
connectionPassword="password"

If I completely remove the element, I don't get any error, but I can't log in.
And if I use the wrong password, I get an error trying to start Tomcat.


Here's what mine looks like, formatted to be easier to read, as it was on one line in the file.
The bold text is the stuff I removed to reproduce your error.
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionName="CN=user,CN=Users,DC=domain,DC=ibm,DC=com"
connectionPassword="password"

connectionURL="ldap://server:3268"
debug="99" referrals="follow"
roleBase="CN=Users,DC=domain,DC=ibm,DC=com"
roleName="cn" roleSearch="(member={0})"
roleSubtree="true"
userBase="CN=Users,DC=domain,DC=ibm,DC=com"
userSearch="(sAMAccountName={0})"
userSubtree="true"/>




0 votes
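
An added example, not part of the original thread and not Jazz or Tomcat code: a small Python check over server.xml text that flags a JNDIRealm with no bind credentials (the condition the answer above used to reproduce the 000004DC error), a connectionURL that is not ldaps://, and a userSearch filter without the {0} placeholder. The function name, the finding labels and the sample hosts, DNs and password are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

JNDI_REALM = "org.apache.catalina.realm.JNDIRealm"

def audit_jndi_realms(server_xml):
    """Return (connectionURL, finding) pairs for each JNDIRealm in server.xml text."""
    findings = []
    for realm in ET.fromstring(server_xml).iter("Realm"):
        if realm.get("className") != JNDI_REALM:
            continue
        url = realm.get("connectionURL", "")
        # Without both attributes Tomcat has no service account to bind with;
        # the answer above reproduces the 000004DC error by removing them.
        if not (realm.get("connectionName") and realm.get("connectionPassword")):
            findings.append((url, "missing-bind-credentials"))
        # ldap:// gives no TLS by itself, so connectionPassword and user
        # logins would cross the network unencrypted.
        if urlsplit(url).scheme.lower() != "ldaps":
            findings.append((url, "not-ldaps"))
        # userSearch must contain {0}, which Tomcat replaces with the login name.
        user_search = realm.get("userSearch")
        if user_search is not None and "{0}" not in user_search:
            findings.append((url, "userSearch-lacks-{0}"))
    return findings

# Constructed sample: hosts, DNs and the password are placeholders.
SAMPLE = """<Server><Service><Engine>
  <Realm className="org.apache.catalina.realm.LockOutRealm">
    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionName="EXAMPLE\\svc-jazz"
           connectionURL="ldaps://dc1.example.test:636"
           userBase="dc=example,dc=test" userSearch="(sAMAccountName=(0))"/>
  </Realm>
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionName="CN=svc-jazz,CN=Users,DC=example,DC=test"
         connectionPassword="PLACEHOLDER"
         connectionURL="ldap://dc1.example.test:3268"
         userBase="CN=Users,DC=example,DC=test" userSearch="(sAMAccountName={0})"/>
</Engine></Service></Server>"""

if __name__ == "__main__":
    for url, finding in audit_jndi_realms(SAMPLE):
        print(f"{url}: {finding}")
```

Because connectionPassword sits in server.xml as plain text, run a check like this where the file already lives rather than copying the file elsewhere.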

Question asked: Dec 19 '12, 11:12 p.m.

Question was seen: 5,828 times

Last updated: Dec 20 '12, 12:55 p.m.
