Tomcat 6 - authentication through active directory with encrypted password - authentication

I am trying to connect to tomcat with an active directory user.
When the password is in plain text like the following:
<Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionURL="ldap://localhost:389"
    connectionName="user_name"
    connectionPassword="password"
    userBase="OU=blabla,DC=aaa,DC=com"
    userSubtree="true"
    userSearch="(sAMAccountName={0})"
    userRoleName="memberOf"
    roleBase="OU=blabla,DC=aaa,DC=com"
    roleName="cn"
    roleSubtree="true"
    roleSearch="(member={0})" />
the authentication is ok. BUT, I don't want a password in my configuration file.
I tried the following:
<Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionURL="ldap://localhost:389"
    digest="MD5"
    connectionName="user_name"
    connectionPassword="encrypted_password"
    userBase="OU=blabla,DC=aaa,DC=com"
    userSubtree="true"
    userSearch="(sAMAccountName={0})"
    userRoleName="memberOf"
    roleBase="OU=blabla,DC=aaa,DC=com"
    roleName="cn"
    roleSubtree="true"
    roleSearch="(member={0})" />
but the authentication fails.
I didn't find any solution.
I would really appreciate any help.
Thank you.

I think your only alternative is to subclass JNDIRealm and make a new attribute that will have some sort of encrypted connection password. The password can't be hashed (with, e.g. MD5 as you specify) because hashes are one-way--there's no undoing a hash--and Tomcat needs the password in its original unhashed form to authenticate against the AD installation.
If you use a reversible encryption in your JNDIRealm subclass, then when Tomcat needs the password you can decrypt the password and pass it along.
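As an added example (not code from the original post, and not part of Tomcat itself), a JNDIRealm subclass along the lines the answer describes: it accepts an AES-GCM-encrypted connectionPassword in server.xml and decrypts it inside the setter that Tomcat's digester calls while parsing the configuration, so JNDIRealm.open() later sees the plaintext unchanged. The class name, the realm.keyfile system property and the base64(IV || ciphertext || tag) attribute format are assumptions of this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.catalina.realm.JNDIRealm;

public class EncryptedPasswordJNDIRealm extends JNDIRealm {
    private static final int IV_LEN = 12;    // 96-bit GCM nonce
    private static final int TAG_BITS = 128; // full-length authentication tag

    // Tomcat's digester calls this setter while parsing server.xml; decrypting here
    // hands JNDIRealm.open() the plaintext without touching the rest of the realm.
    @Override
    public void setConnectionPassword(String encrypted) {
        try {
            super.setConnectionPassword(decrypt(loadKey(), encrypted));
        } catch (Exception e) { // bad key file, corrupt base64 or a failed GCM tag check
            throw new IllegalArgumentException("connectionPassword could not be decrypted", e);
        }
    }
    // Key file (hypothetical property "realm.keyfile"): 32 raw bytes, readable only by the Tomcat user.
    private static byte[] loadKey() throws IOException {
        String path = System.getProperty("realm.keyfile");
        if (path == null) throw new IOException("system property realm.keyfile is not set");
        return Files.readAllBytes(Paths.get(path)); // AES init rejects any length other than 16/24/32
    }
    // Attribute format: base64(12-byte IV || ciphertext || 16-byte tag); GCM rejects any tampering.
    static String decrypt(byte[] key, String encoded) throws GeneralSecurityException {
        byte[] blob = Base64.getDecoder().decode(encoded);
        if (blob.length < IV_LEN + TAG_BITS / 8) throw new GeneralSecurityException("ciphertext too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
        return new String(c.doFinal(blob, IV_LEN, blob.length - IV_LEN), StandardCharsets.UTF_8);
    }
    // One-off helper (run once, offline) to produce the value that goes into server.xml.
    static String encrypt(byte[] key, String password) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv); // fresh nonce per encryption; never reuse one under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(password.getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[IV_LEN + ct.length];
        System.arraycopy(iv, 0, blob, 0, IV_LEN);
        System.arraycopy(ct, 0, blob, IV_LEN, ct.length);
        return Base64.getEncoder().encodeToString(blob);
    }
}
```

Package the class into a jar on Tomcat's lib path, point the Realm's className at it, and start Tomcat with -Drealm.keyfile set; the gain over plain text is only as large as the difference between who can read server.xml and who can read the key file, so give the key file tighter permissions than the configuration.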

Related

How to show database password encrypted in standalone.xml by using Elytron (Wildfly 26.x)

During migration to WildFly 26, in order to encrypt the datasource's DB password I must use Elytron instead of PicketBox.
What is the best way to show the database password encrypted in standalone.xml?
Is it possible to get it working only by using elytron.bat?
A working example is appreciated!
The problem was because of a bug in elytron.bat in WildFly 26.0.0 (JBEAP-23015).
By using the WildFly 25.0.1.Final version it was possible to create a credential store and add a password credential in a batch file.
elytron-tool.bat credential-store --create --location="%appserver_home%/standalone/data/mycredstore.cs" --password StorePass
elytron-tool.bat credential-store --location="%appserver_home%/standalone/data/mycredstore.cs" --password StorePass --add=database-pw --secret=myDBPassword
To refer to this credential store in standalone.xml:
<credential-stores>
    <credential-store name="mycredstore" relative-to="jboss.server.data.dir"
                      path="mycredstore.cs" create="true">
        <credential-reference clear-text="StorePass"/>
    </credential-store>
</credential-stores>

NiFi: LDAP Authentication Multiple DN Issue

I installed nifi-1.13.2 and I need to authenticate with LDAP, but there is an issue:
when I want to use multiple accounts in different "OU"s, I get this error:
"Unable to validate the supplied credentials. Please contact the system administrator."
This is my login-identity-providers.xml:
[image: login-identity-providers.xml]
This is my LDAP server table:
[image: LDAP]
I found the solution: you should change the LDAP port to 3268, like this:
<property name="Url">ldap://10.1.21.2:3268</property>
<property name="User Search Base">DC=COM</property>
This port is for the Global Catalog and is mostly used for authentication.

Tomcat authentication with LDAP (against Active Directory) fails when the character EURO is used in a password

A user tries to connect to a tomcat application. Her password contains the € glyph.
On other applications, it works just fine.
On our in-house application, it fails.
We use a linux box, tomcat 8.5, jdk 1.8, with -Dfile.encoding=UTF-8, Basic auth with a JNDIrealm.
The header Basic XXXXXX is good.
<Realm
    className="org.apache.catalina.realm.JNDIRealm"
    debug="99"
    connectionURL="ldap://someurl:389"
    connectionName="someName"
    connectionPassword="somePassword"
    referrals="follow"
    userBase="DC=EXAMPLE,DC=COM"
    userSearch="(sAMAccountName={0})"
    userSubtree="true"
    adCompat="true" />
What is wrong?
Found it. You have to use a Valve with the encoding specified.
<Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
charset="UTF-8" />
See https://cwiki.apache.org/confluence/display/TOMCAT/Character+Encoding#CharacterEncoding-Q10HowtoconfiguretheBASICauthenticationschemetouseUTF-8
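An added example (not from the original post) that shows the mechanism behind the fix: the Basic credentials are Base64 of raw bytes, and a decoder that assumes ISO-8859-1 (BasicAuthenticator's default charset) turns the three UTF-8 bytes of € into three separate Latin-1 characters, so the bind against AD is attempted with a password that is not the one the user typed. The parseBasic helper and the constructed header are this example's own.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicHeaderCharsetDemo {
    // Constructed sample: the header a browser sends for user "alice", password "p€ss",
    // with the credentials UTF-8 encoded before Base64 (€ becomes the bytes E2 82 AC).
    static final String HEADER = "Basic "
            + Base64.getEncoder().encodeToString("alice:p€ss".getBytes(StandardCharsets.UTF_8));

    // Splits an Authorization header into {user, password}, decoding the raw bytes with the given charset.
    static String[] parseBasic(String header, Charset charset) {
        if (!header.regionMatches(true, 0, "Basic ", 0, 6)) {
            throw new IllegalArgumentException("not a Basic header");
        }
        byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
        String decoded = new String(raw, charset);
        int colon = decoded.indexOf(':'); // user name may not contain ':', password may
        if (colon < 0) throw new IllegalArgumentException("missing ':' separator");
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    // Returns true when decoding with the given charset recovers the password the user typed.
    static boolean passwordSurvives(Charset charset) {
        return "p€ss".equals(parseBasic(HEADER, charset)[1]);
    }

    public static void main(String[] args) {
        // ISO-8859-1 maps every byte to its own character, so E2 82 AC cannot reassemble into €;
        // UTF-8 decoding reassembles the three bytes into the single intended character.
        System.out.println("ISO-8859-1 decode keeps the password: " + passwordSurvives(StandardCharsets.ISO_8859_1));
        System.out.println("UTF-8 decode keeps the password:      " + passwordSurvives(StandardCharsets.UTF_8));
    }
}
```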

How to prevent hashed password login in Tomcat 7.0.52?

I am using a Tomcat 7.0.52 server and using a hashed password in the tomcat-users.xml.
My server is accepting logins using the plain-text password and hashed password both.
How do I prevent / block users from logging in using the hashed password and force them to use the plaintext password?
Snippets of the relevant files:
web.xml:
<login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>testvalue</realm-name>
</login-config>
server.xml:
<Realm className="org.apache.catalina.realm.MemoryRealm" digest="SHA"/>
tomcat-users.xml:
<user username="testuser" password="xxxx--------------yyyy" roles="testrole"/>
I know this isn't strictly the answer to what you asked but I would recommend upgrading tomcat to at least the latest version of 8.0 (8.0.48 at the time of posting). It's been a while since I made the upgrade from 7 to 8 but if memory serves it was pretty painless. This link should have everything you need to know about migrating up. Only thing that comes to mind that you'll really need to look out for is it requires java 7 or higher and even that shouldn't be a big issue unless you have a particularly particular setup going.
Tomcat 8.0.x Instructions Below
This is how I have mine set up and I cannot login by pasting my hashed password into the password field. I opted for sha-512 and arbitrarily picked 512 for my salt-length as well. You don't have to but why not?
Tomcat 8 - server.xml
<Realm className="org.apache.catalina.realm.LockOutRealm">
    <!-- Tomcat comment stuff trimmed out here -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
        <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="sha-512" saltLength="512" />
    </Realm>
</Realm>
Tomcat 8 - tomcat-users.xml:
<role rolename="yourrolehere"/>
<user username="yourusername" password="yourhashedpasswordhere" roles="yourrolehere"/>
I'm sure you already know how to use digest.bat (or digest.sh if that's your thing) but for anyone else tuning in open a command prompt and navigate to your tomcat installation and into the bin directory. Then enter the following:
digest -a sha-512 -s 512 youRcl3artextpa$sword
This will produce a very long password hash in the format of:
youRcl3artextpa$sword:hashedpasswordforalongtime
Copy everything after the semi-colon and make sure it has no line breaks. (clean it up in notepad if you need to)
That's your new hashed password.
Tomcat 8 Digested Passwords Documentation

Active directory authentication on tomcat by JNDIRealm referrals problem

I'm trying to look in the root of an AD server for users with Tomcat 5.5 and JNDIRealm, but it seems that there are several referrals to other locations in the whole AD structure, and one of the referrals gives a "connection refused". With LDAP you can use the option referrals="ignore", but this doesn't work if you use AD, so you must use referrals="follow"; otherwise you get an Unprocessed Continuation Reference(s) exception.
Is there a way that I can ignore all referrals to other servers?
current config in a server.xml file:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
    connectionName="CN=root_user,OU= foo,OU= bar ,dc=example,dc=com"
    connectionPassword="hideMe!"
    connectionURL="ldap://****:389"
    userBase="DC=example,DC=com"
    userSearch="(&(objectClass=user)(sAMAccountName={0}))"
    userSubtree="true"
    roleBase="OU=rolles,dc=example,dc=com"
    roleName="CN"
    roleSearch="(member={0})"
    roleSubtree="false"
/>
Exception:
It seems that the Active Directory was corrupt. There were broken referral links. So be sure that the servers are all up and running.