Reference for below is this: Active Directory Integration#
What I did for Tomcat 6.0.18:#
Note: web-app means JSPWiki
1. Specify realm#
Under conf, create a sub directory <service>\<host>\<webappname>.xmlThis would be generally <tomcat>\conf\Catalina\localhost\JSPWiki.xml
Put the realm information in like below.
You can place "realm" information also somewhere else, but specifying it this way, the context becomes web-app specific, which is necessary, because otherwise our realm will interfere with the realm used by tomcat in the server.xml ("UserDatabase", which is the conf/tomcat-users.xml).
<?xml version='1.0' encoding='utf-8'?> <!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --> <!-- The contents of this file will be loaded for each web application --> <Context> <!-- Default set of monitored resources --> <WatchedResource>WEB-INF/web.xml</WatchedResource> <!-- Uncomment this to disable session persistence across Tomcat restarts --> <Manager pathname="" /> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99" connectionURL="ldap://<domain.server.com>:389" connectionName="<username@domain>" connectionPassword="<password>" referrals="follow" userBase="OU=Objects,DC=<domain>,DC=<server>,DC=<com>" userSearch="(sAMAccountName={0})" userSubtree="true" roleBase="OU=Objects,DC=<domain>,DC=<server>,DC=<com>" roleName="name" roleSubtree="true" roleSearch="(member={0})" /> <!-- Uncomment this to enable Comet connection tacking (provides events on session expiration as well as webapp lifecycle) --> <!-- <Valve className="org.apache.catalina.valves.CometConnectionManagerValve" /> --> </Context>
2. Test your realm#
Reload your web-app with the tomcat manager.By the way, editing the web-app specific context will make tomcat to reload the web-app also automatically.
You should see results in logs/localhost.YYYY-MM-DD.log
You may want to increase Tomcat logging level. Tomcat uses the java.util.logging by default, not log4j, so do not mix up the levels under conf/logging.properties.
Note: You can also increase the JSPWiki log4j logging level in jspwiki.properties.
It will not help you with authentication, but nevertheless... Uncomment the following and give a proper ".File" path (!) and name.
log4j.appender.FileLog =org.apache.log4j.RollingFileAppender log4j.appender.FileLog.MaxFileSize =10MB log4j.appender.FileLog.MaxBackupIndex =14 log4j.appender.FileLog.File =${catalina.home}/logs/jspwiki.log log4j.appender.FileLog.layout =org.apache.log4j.PatternLayout log4j.appender.FileLog.layout.ConversionPattern=%d [%t] %p %c %x - %m%n log4j.rootCategory=INFO,FileLog
First search for something like "context could not be loaded" or "context is invalid", then something is wrong with your context set up.
If everything is fine, you should find nothing about LDAP and AD in the log.
To force some output, create some errors to get a feeling:
Try 1: Enter an invalid server as connectionURL, then you get something like this:
08.09.2009 16:32:06 org.apache.catalina.realm.JNDIRealm open WARNUNG: Exception performing authentication javax.naming.CommunicationException: <domain.server.comXY>:389 [Root exception is java.net.UnknownHostException: <domain.server.comXY>]
Try 2: Enter an invalid connectionName or connectionPassword, then you get something like this:
08.09.2009 16:35:40 org.apache.catalina.realm.JNDIRealm open WARNUNG: Exception performing authentication javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]
3. Edit webapps/JSPWiki/WEB-INF/web.xml#
Update settings as described in the link aboveDisable
<user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint>or set
<user-data-constraint> <transport-guarantee>NONE</transport-guarantee> </user-data-constraint>to disable SSL for now.
4. Adjust WEB-INF\jspwiki.policy#
If you use your AD specific groups you have to tell JSPWiki in WEB-INF\jspwiki.policy.Generally only the group "Admin" can delete pages for example, simply add another entry for your groups
as described here: http://doc.jspwiki.org/2.4/wiki/WikiGroups