I am trying to get LDAP authentication using Tomcat 7.
I have the below configuration in my server.xml
<Context path="/WebApp" reloadable="false" docBase="E:\ESS\Tomcat 7\webapps\WebApp">
    <ResourceLink name="mail/WebAPPMS" type="javax.mail.Session" global="mail_Session"/>
    <Manager checkInterval="60" debug="99"/>
    <ResourceLink name="jdbc/WebAppDS" type="javax.sql.DataSource" global="WebAppDataSource"/>
    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
           connectionURL="ldap://company.com:3268"
           userBase="DC=company,DC=com"
           userSubtree="true"
           userSearch="(CN={0})"/>
    <ResourceLink name="directory/WebAppReports" type="java.lang.String" global="SchemaReportsDirectory"/>
</Context>
Now in our LDAP, anonymous bind is not allowed. So I need to bind before searching and authenticating.
However, I cannot pass connectionName, connectionPassword and userPassword, since it would create authentication in Comparison mode, which is not allowed by LDAP.
Using the above config I am getting the following error:
May 8, 2014 1:25:44 PM org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece ]; remaining name 'DC=company,DC=com'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
    at javax.naming.directory.InitialDirContext.search(Unknown Source)
    at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1446)
    at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1297)
    at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1253)
    at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1194)
    at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1052)
    at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:164)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:573)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2441)
    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2430)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Which clearly means LDAP is not connected and I need to bind before authenticating.
After searching the web, I found this, but I don't know how to create custom Realms:
connectionUser, do the search, find the user, then rebind as that user, letting the LDAP server do the authentication. - user207421
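The sequence that comment describes (bind as a service account, search for the user's entry, then rebind as that entry's DN so the directory itself checks the password), written out in plain JNDI as an added example; this is not code from Tomcat or from the question. The URL, base DN and CN search come from the Realm above; the service-account DN and the LDAP_SERVICE_PASSWORD environment variable are assumed placeholders.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class LdapBindSearchRebind {
    static final String URL = "ldap://company.com:3268";        // from the question's Realm
    static final String USER_BASE = "DC=company,DC=com";        // from the question's Realm
    static final String SERVICE_DN = "CN=svc-tomcat,OU=Service Accounts,DC=company,DC=com"; // assumed placeholder
    static final String SERVICE_PW = System.getenv("LDAP_SERVICE_PASSWORD");               // assumed placeholder
    /** Open a connection and simple-bind as the given DN (the bind itself happens in the constructor). */
    static DirContext bind(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }
    /** Escape RFC 4515 filter metacharacters so a username cannot rewrite the search filter. */
    static String escapeFilter(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray())
            sb.append("\\*()\0".indexOf(c) >= 0 ? String.format("\\%02x", (int) c) : String.valueOf(c));
        return sb.toString();
    }
    /** True only if exactly one entry matches and the directory accepts a bind as it with this password.
     *  An empty password would be an unauthenticated bind, which many servers accept, so it is refused up front. */
    static boolean authenticate(String username, String password) throws NamingException {
        if (password == null || password.isEmpty()) return false;
        String userDn = null;
        DirContext svc = bind(SERVICE_DN, SERVICE_PW);              // step 1: bind as the service account
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);        // same as userSubtree="true"
            NamingEnumeration<SearchResult> hits = svc.search(USER_BASE, "(CN=" + escapeFilter(username) + ")", sc); // step 2: userSearch="(CN={0})", escaped
            if (!hits.hasMore()) return false;
            userDn = hits.next().getNameInNamespace();
            if (hits.hasMore()) return false;                       // ambiguous match: refuse rather than guess
        } finally {
            svc.close();
        }
        try {
            bind(userDn, password).close();                         // step 3: rebind as that user; the server verifies the password
            return true;
        } catch (AuthenticationException e) {
            return false;                                           // LDAP result 49 (invalid credentials)
        }
    }
}
```

JNDIRealm performs this same bind-search-rebind sequence itself when connectionName and connectionPassword are set and no userPassword attribute is configured; it is the userPassword attribute that switches it to comparison mode.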