Hi Paul,

Our entry looks like this:

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           debug="99"
           connectionURL="ldap://uopnet.plymouth.ac.uk:389"
           alternateURL="ldap://uopnet.plymouth.ac.uk:389"
           authentication="simple"
           referrals="follow"
           connectionName="ldapusername"
           connectionPassword="secret"
           userSearch="(cn={0})"
           userBase="ou=ADUsers,dc=uopnet,dc=plymouth,dc=ac,dc=uk"
           userRoleName="objectclass"
           roleSearch="(member={0})"
           roleName="cn"
           roleSubtree="true"
           roleBase="ou=ADUsers,dc=uopnet,dc=plymouth,dc=ac,dc=uk" />

George

From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Paul Cheyne
Sent: 01 May 2009 11:46
To: [log in to unmask]
Subject: Re: Ldap Authentication problem

Hi Matt

Thanks for the info. I changed the userSearch value but it throws up a 403 access denied error. Full error below:

    HTTP Status 403 - Access to the requested resource has been denied
    type Status report
    message Access to the requested resource has been denied
    description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
    Apache Tomcat/6.0.18

I also checked the ports on the AD server. 389 and 3268 are both open. Tried changing it but it made no difference.

Paul Cheyne
Support Consultant
RM (Aberdeen College)
Tel: 01224 (61)2550
Email: [log in to unmask]

From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Matt Dunkin
Sent: 01 May 2009 11:28
To: [log in to unmask]
Subject: Re: Ldap Authentication problem

Paul,

As a starter you could try replacing userSearch="(uid={0})" with userSearch="(samAccountName={0})". From memory, I think I'm right in saying AD doesn't have a uid attribute, or at least doesn't populate it.

You might also want to try port 3268 (the global catalog) if your AD is "complicated", as it doesn't return you referrals like a standard LDAP query to AD can on port 389.

Matt

From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Paul Cheyne
Sent: 01 May 2009 11:23
To: [log in to unmask]
Subject: Ldap Authentication problem

Hi all

Well, I have now got my authentication page up and running on the SSO (https://localhost/shibboleth-idp/SSO), but when I try to authenticate any users to it, it throws up the error "Incorrect Username and password". I have tried it with a few different user accounts and made sure the passwords were correct. I have had a look through the Tomcat, IdP and Event logs and can't see any errors appear.

I have configured the LDAP Realm in Tomcat's server.xml file. Here is the Realm config part of the server.xml file:

    <!-- <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/> -->
    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldap://**.abcol.ac.uk:389"
           connectionName="cn=***,cn=Users,dc=abcol,dc=ac,dc=uk"
           connectionPassword="***"
           userBase="cn=Users,dc=abcol,dc=ac,dc=uk"
           userSubtree="true"
           userSearch="(uid={0})"
           userRoleName="objectclass" />

I have taken out server names, user names and passwords for security.

Here is a copy of the Tomcat log file:

    01-May-2009 11:00:06 org.apache.catalina.core.AprLifecycleListener init
    INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: C:\tomcat\bin;.;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\OpenSSL\bin
    01-May-2009 11:00:06 org.apache.coyote.http11.Http11Protocol init
    INFO: Initializing Coyote HTTP/1.1 on http-8080
    01-May-2009 11:00:06 org.apache.catalina.startup.Catalina load
    INFO: Initialization processed in 405 ms
    01-May-2009 11:00:06 org.apache.catalina.core.StandardService start
    INFO: Starting service Catalina
    01-May-2009 11:00:06 org.apache.catalina.core.StandardEngine start
    INFO: Starting Servlet Engine: Apache Tomcat/6.0.18
    01-May-2009 11:00:06 org.apache.catalina.startup.HostConfig deployWAR
    INFO: Deploying web application archive shibboleth-idp.war
    01-May-2009 11:00:07 org.apache.coyote.http11.Http11Protocol start
    INFO: Starting Coyote HTTP/1.1 on http-8080
    01-May-2009 11:00:07 org.apache.jk.common.ChannelSocket init
    INFO: JK: ajp13 listening on /127.0.0.1:8009
    01-May-2009 11:00:07 org.apache.jk.server.JkMain start
    INFO: Jk running ID=0 time=0/16 config=null
    01-May-2009 11:00:07 org.apache.catalina.startup.Catalina start
    INFO: Server startup in 771 ms

Any ideas on what could be causing the problem?

Thanks in advance

Paul Cheyne
Support Consultant
RM (Aberdeen College)
Tel: 01224 (61)2550
Email: [log in to unmask]

__________________________________________________________________
You might be interested in this... RM ICT Tour 2009. With all the pressures placed on teaching staff today, it's increasingly difficult to justify a full day out to research developments for the classroom. So you don't miss out, we've teamed up with schools and local authorities to bring the latest in ICT to a venue near you.
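Matt's two suggestions (use sAMAccountName rather than uid for AD, and watch for referrals on port 389) and the Realm elements quoted in the thread, turned into a small config check. This is an added example, not code from the thread or from Tomcat: the sample Realm, its host and DNs are constructed, the lint rules are my own reading of the advice above, and the {0} substitution escapes the username per RFC 4515 rather than reproducing what JNDIRealm itself does.

```python
# Added example (not from the thread or Tomcat): lint a JNDIRealm element for
# the Active Directory pitfalls discussed on the list, and build the {0}
# user-search filter with RFC 4515 escaping so a typed username cannot
# change the shape of the query.
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample modelled on Paul's Realm element; host and DNs are made up.
SAMPLE_REALM = """<Realm className="org.apache.catalina.realm.JNDIRealm"
  connectionURL="ldap://dc.example.test:389"
  connectionName="cn=svc,cn=Users,dc=example,dc=test"
  connectionPassword="secret"
  userBase="cn=Users,dc=example,dc=test" userSubtree="true"
  userSearch="(uid={0})" userRoleName="objectclass" />"""


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside a filter value."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def build_user_filter(user_search, username):
    """Substitute {0} as JNDIRealm's userSearch does, with the value escaped."""
    return user_search.replace("{0}", escape_filter_value(username))


def lint_jndi_realm(xml_text):
    """Return a list of findings for one <Realm> element from server.xml."""
    realm = ET.fromstring(xml_text)
    findings = []
    url = urlparse(realm.get("connectionURL", ""))
    if "(uid=" in realm.get("userSearch", "").lower():
        findings.append("userSearch uses uid; AD does not populate it, "
                        "use (sAMAccountName={0})")
    if url.scheme == "ldap" and realm.get("connectionPassword"):
        findings.append("connectionPassword and user passwords travel over "
                        "plain ldap://; use ldaps:// for the connectionURL")
    if url.port == 389 and realm.get("referrals") != "follow":
        findings.append("port 389 can return referrals; set referrals=\"follow\" "
                        "or point connectionURL at the global catalog on 3268")
    return findings


if __name__ == "__main__":
    for finding in lint_jndi_realm(SAMPLE_REALM):
        print("-", finding)
    print(build_user_filter("(sAMAccountName={0})", "j.smith"))
```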