Hi Paul,

Our entry looks like this:

     <Realm className="org.apache.catalina.realm.JNDIRealm"
           debug="99"
           connectionURL="ldap://uopnet.plymouth.ac.uk:389"
           alternateURL="ldap://uopnet.plymouth.ac.uk:389"
           authentication="simple"
           referrals="follow"
           connectionName="ldapusername"
           connectionPassword="secret"
           userSearch="(cn={0})"
           userBase="ou=ADUsers,dc=uopnet,dc=plymouth,dc=ac,dc=uk"
           userRoleName="objectclass"
           roleSearch="(member={0})"
           roleName="cn"
           roleSubtree="true"
           roleBase="ou=ADUsers,dc=uopnet,dc=plymouth,dc=ac,dc=uk"
    />

George


From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Paul Cheyne
Sent: 01 May 2009 11:46
To: [log in to unmask]
Subject: Re: Ldap Authentication problem

HI Matt

Thanks for the info.  I changed the userSearch value but it throws up a 403 access denied error.  Full error below

HTTP Status 403 - Access to the requested resource has been denied
________________________________
type Status report
message Access to the requested resource has been denied
description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
________________________________
Apache Tomcat/6.0.18

I also checked the ports on the AD server.  389 and 3268 are both open.  Tried changing it but it made no difference.

Paul Cheyne
Support Consultant
RM (Aberdeen College)
Tel:  01224 (61)2550
Email:  [log in to unmask]<mailto:[log in to unmask]>



From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Matt Dunkin
Sent: 01 May 2009 11:28
To: [log in to unmask]
Subject: Re: Ldap Authentication problem

Paul,

As a starter you could try replacing

userSearch="(uid={0})"

with

userSearch="(samAccountName={0})"

From memory, I think I'm right in saying AD doesn't have a uid attribute or at least populate it.

You might also want to try port 3268 (the global catalog) if your AD is "complicated" as it doesn't return you referrals like a standard LDAP query to AD can on port 389.

Matt
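An added illustration, not code from this thread or from Tomcat: the Python below models what Tomcat's JNDIRealm does with the three server.xml shapes seen in this thread (a `(uid={0})` userSearch, the `(samAccountName={0})` form Matt suggests, and George's version with a `roleSearch`) against a constructed in-memory directory, so it runs offline. Every hostname, DN, account name and password in it is invented. It shows the two distinct outcomes the container produces: a login that fails at the user search or the user bind (the form's "Incorrect username and password"), versus a login that succeeds but whose returned roles contain none of the role names in the web.xml security-constraint, which is what Tomcat answers with a 403. With `userRoleName="objectclass"` the roles are the user's objectClass values (for an AD user that includes `user`), and with George's `roleSearch`/`roleName="cn"` they are the group names. The model handles equality filters only and leaves out referrals and the 3268 global catalog that Matt mentions.

```python
"""Added example, not code from the thread: a small model of the lookup that
Tomcat's JNDIRealm performs with the server.xml attributes quoted in this
thread, run against a constructed in-memory "Active Directory" so it works
offline.  Hosts, DNs, account names and passwords are all made up."""
import re

# Constructed sample directory.  AD user objects carry sAMAccountName, not a
# populated uid, so a (uid={0}) userSearch never matches.
USER_DN = "cn=Paul Cheyne,cn=Users,dc=example,dc=ac,dc=uk"
GROUP_DN = "cn=idp-users,cn=Users,dc=example,dc=ac,dc=uk"
DIRECTORY = {
    USER_DN: {"cn": ["Paul Cheyne"], "sAMAccountName": ["pcheyne"],
              "objectClass": ["top", "person", "organizationalPerson", "user"]},
    GROUP_DN: {"cn": ["idp-users"], "objectClass": ["top", "group"],
               "member": [USER_DN]},
}
# Constructed bind secrets standing in for the LDAP simple binds.
BIND_SECRETS = {"cn=svc-tomcat,cn=Users,dc=example,dc=ac,dc=uk": "svc-pass",
                USER_DN: "correct-horse"}
BASE = "cn=Users,dc=example,dc=ac,dc=uk"


def escape_filter_value(value):
    """RFC 4515 escaping for anything substituted into a filter, so a username
    such as '*' or 'x)(cn=*' is matched literally instead of rewriting the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def attr(entry, name):
    """Case-insensitive attribute lookup (LDAP attribute names are case-insensitive,
    so userSearch may say samAccountName while the schema says sAMAccountName)."""
    return [v for a, vs in entry.items() if a.lower() == name.lower() for v in vs]


def ldap_search(base, filt, subtree):
    """Supports one equality filter '(attr=value)'; an unescaped '*' on its own
    is a presence filter, as in real LDAP.  Returns the matching DNs."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if not m:
        raise ValueError("unsupported filter: " + filt)
    name, raw = m.groups()
    wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), raw)
    hits = []
    for dn, entry in DIRECTORY.items():
        one_level = dn.count(",") == base.count(",") + 1
        if not dn.lower().endswith(base.lower()) or not (subtree or one_level):
            continue
        values = attr(entry, name)
        if (raw == "*" and values) or wanted in values:
            hits.append(dn)
    return hits


def bind(dn, password):
    return dn is not None and BIND_SECRETS.get(dn) == password


def jndi_realm_authenticate(realm, username, password):
    """Returns the user's roles, or None where the realm reports a failed login
    (what the IdP login page shows as 'Incorrect username and password')."""
    if not bind(realm["connectionName"], realm["connectionPassword"]):
        return None                                  # service account cannot bind
    filt = realm["userSearch"].replace("{0}", escape_filter_value(username))
    found = ldap_search(realm["userBase"], filt, realm.get("userSubtree", False))
    if len(found) != 1 or not bind(found[0], password):
        return None                                  # no such user, or wrong password
    user_dn, roles = found[0], []
    if "userRoleName" in realm:                      # roles = values of a user attribute
        roles += attr(DIRECTORY[user_dn], realm["userRoleName"])
    if "roleSearch" in realm:                        # roles = groups naming the user
        filt = realm["roleSearch"].replace("{0}", escape_filter_value(user_dn))
        for dn in ldap_search(realm["roleBase"], filt, realm.get("roleSubtree", False)):
            roles += attr(DIRECTORY[dn], realm["roleName"])
    return roles


def http_status(realm, username, password, required_roles):
    """Container-security outcome: 401 (or the form's error page) when the login
    fails, 403 when authenticated but in none of the constraint's roles, else 200."""
    roles = jndi_realm_authenticate(realm, username, password)
    if roles is None:
        return 401
    return 200 if set(roles) & set(required_roles) else 403


SERVICE = dict(connectionName="cn=svc-tomcat,cn=Users,dc=example,dc=ac,dc=uk",
               connectionPassword="svc-pass", userBase=BASE, userSubtree=True)
# 1. Shape of the first config posted: uid is not populated on AD users.
REALM_UID = dict(SERVICE, userSearch="(uid={0})", userRoleName="objectclass")
# 2. Matt's change: the user is found; roles are just the objectClass values.
REALM_SAM = dict(REALM_UID, userSearch="(samAccountName={0})")
# 3. George's shape: roles come from group entries whose member lists the user DN.
REALM_GROUPS = dict(REALM_SAM, roleSearch="(member={0})", roleName="cn",
                    roleSubtree=True, roleBase=BASE)

if __name__ == "__main__":
    for realm, need in ((REALM_UID, ["user"]), (REALM_SAM, ["idp-users"]),
                        (REALM_SAM, ["user"]), (REALM_GROUPS, ["idp-users"])):
        print(realm["userSearch"], need, http_status(realm, "pcheyne", "correct-horse", need))
    print(ldap_search(BASE, "(samAccountName=*)", True))              # unescaped: matches every user
    print(ldap_search(BASE, "(samAccountName=%s)" % escape_filter_value("*"), True))  # escaped: nothing
```

Run as a script, it prints the outcome for each realm shape with the constructed user: the `uid` filter fails the login, the `samAccountName` filter logs in but gets 403 when the constraint names a group and 200 when it names `user`, and the `roleSearch` version satisfies the group constraint. The last two lines are the caveat a practitioner wants when wiring `{0}` into any filter: the substituted value must be filter-escaped, otherwise a username of `*` becomes a presence filter that matches the first user in the base.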

From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Paul Cheyne
Sent: 01 May 2009 11:23
To: [log in to unmask]
Subject: Ldap Authentication problem

Hi all

Well I have now got my authentication page up and running on the SSO (https://localhost/shibboleth-idp/SSO) but when I try to authenticate any user it throws up the error Incorrect Username and password.  I have tried it with a few different user accounts and made sure the passwords were correct.

I have had a look through the Tomcat, IdP and Event logs and can't see any errors appear.  I have configured the LDAP Realm in Tomcat's server.xml file.  Here is the Realm config part of the server.xml file:

<!--
     <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/> -->

     <Realm className="org.apache.catalina.realm.JNDIRealm"
          connectionURL="ldap://**.abcol.ac.uk:389"
          connectionName="cn=***,cn=Users,dc=abcol,dc=ac,dc=uk"
          connectionPassword="***"
          userBase="cn=Users,dc=abcol,dc=ac,dc=uk"
          userSubtree="true"
          userSearch="(uid={0})"
          userRoleName="objectclass"
     />



I have taken out server names, user names and passwords for security.

Here is a copy of the Tomcat log file:

01-May-2009 11:00:06 org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: C:\tomcat\bin;.;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\OpenSSL\bin
01-May-2009 11:00:06 org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
01-May-2009 11:00:06 org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 405 ms
01-May-2009 11:00:06 org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
01-May-2009 11:00:06 org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.18
01-May-2009 11:00:06 org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive shibboleth-idp.war
01-May-2009 11:00:07 org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
01-May-2009 11:00:07 org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /127.0.0.1:8009
01-May-2009 11:00:07 org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/16  config=null
01-May-2009 11:00:07 org.apache.catalina.startup.Catalina start
INFO: Server startup in 771 ms

Any ideas on what could be causing the problem?

Thanks in advance

Paul Cheyne
Support Consultant
RM (Aberdeen College)
Tel:  01224 (61)2550
Email:  [log in to unmask]<mailto:[log in to unmask]>



