Problems with ldap and Active Directory
9/15/2009 11:17:47 AM
DuncanIdaho
I've followed the instructions for TypingMaster Intra 3 to authenticate to a child domain in our Active Directory forest. I am getting an error that suggests, according to the white paper, that the username I'm using is not correct. I've checked this with other LDAP browsing tools and find that it does indeed connect. Do I use just the username or the canonical name? Here is the server.xml file I'm using:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionName="ldapuser"
       connectionPassword="XXX"
       connectionURL="ldap://student-dc1.students.wlcs.local:389"
       alternateURL="ldap://student-dc2.students.wlcs.local:389"
       userBase="dc=students,dc=wlcs,dc=local"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleBase="dc=students,dc=wlcs,dc=local"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true"
       referrals="follow"
/>
I've also used IP addresses for the connectionURL. Any ideas?
9/15/2009 12:05:51 PM
DuncanIdaho
Corrected this issue by using ldapuser@students.wlcs.local instead of just the sAMAccountName. However, now I'm getting an Apache error: HTTP Status 403 - Access to the requested resource has been denied
9/16/2009 12:01:14 AM
TypingMaster
Hello DuncanIdaho,
Which Windows Server do you use? Which link are you navigating to when the 403 occurs?
Are you entering an AD user name that belongs to a group called "typingmaster" (did you create a new user group in AD?)
If you are not a member of the chosen group (role-name) you will get an access denied message.
(please see page 6 of
http://www.typingmaster.com/support/intra/TMIntra3LDAP.pdf
)
If the problem continues, please post here the corresponding rows from Catalina_log.timestamp.log
--
Best Regards,
TypingMaster, Inc.
www.TypingMaster.com
9/16/2009 4:36:31 AM
DuncanIdaho
That was indeed the problem, the security group that is. However, I want all of the students in our students domain to have access to the site. I've tried replacing the word "typingmaster" with "domain users" in the web.xml, but I still get a 403. How do I allow all the users in the domain access to the site?
9/16/2009 4:49:02 AM
TypingMaster
Did you notice that the role-name is in two places (see page 6)?
If this does not help, you could also try the AD "member of" feature.
9/16/2009 6:04:31 AM
DuncanIdaho
Here is the relevant portion of my web.xml:
    <auth-constraint>
        <!-- Roles that have access -->
        <role-name>Domain Users</role-name>
    </auth-constraint>
</security-constraint>
<!-- BASIC authentication -->
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Enter your domain user name and password</realm-name>
</login-config>
<!-- Define security roles -->
<security-role>
    <description>TM Intra admin</description>
    <role-name>tmadmin</role-name>
</security-role>
<security-role>
    <description>LDAP Login</description>
    <role-name>Domain Users</role-name>
</security-role>
I'm not familiar with the "member of" feature. Can you point me to where I can implement it?
9/17/2009 5:17:31 AM
TypingMaster
Hello,
I just tested your configuration and indeed the value "Domain Users" is not working well. The problem is that Domain Users is the primary group for users in AD, and these group memberships are not visible via LDAP as a "memberOf" user attribute.
The solution is to change the primary group setting of the users or to create a new security group of which all the domain users are members. Also, it seems that Tomcat does not support groups nested within other groups.
Here is more information about this:
http://forums.juniper.net/jnet/board/message?board.id=SSL_VPN&message.id=2330
Would you have an option to set up an AD group named "students" that you could use?
edited by TypingMaster on 9/17/2009
9/17/2009 7:27:47 AM
DuncanIdaho
Did the following posts make any sense to you?
    you can also add the attribute "513" which specifies the "domain users" in the LDAP server catalog.
    this would be the best way of mapping the "domain users"
    If you make a Role Mapping rule under -
    Users -> User Realms -> (pick a realm) -> Role Mapping
    Under the Role Mapping screen,
    Choose Attribute: primaryGroupID
    choose: is
    and then in the free text field: 513
    Then assign the role you want
I think this has to do with the web.xml file. Can you shed any light? The reason it's important to utilize "Domain Users" is that every student is automatically a member. We have over 15,000 students, and the logistics of managing the grades that use TypingMaster would be very difficult. I think that this is a key feature for your product and hope you can resolve it.
9/21/2009 2:39:27 AM
TypingMaster
Hi,
I think the key question here is how to edit the following XML line:
roleSearch="(member={0})"
If we can adjust it somehow to accept any role (group), then Tomcat just confirms that the user name is OK.
Another path could be to use the field "userRoleName" to map a role to primaryGroupID somehow, perhaps something like this: roleSearch="(primaryGroupID=513)"
edited by TypingMaster on 9/28/2009
9/28/2009 12:44:48 AM
TypingMaster
PROBLEM SOLVED:
Here is the small trick for allowing all domain users to access TypingMaster Intra without first being a member of any specific group:
Edit the Tomcat server.xml and replace the "roleSearch" line with this one:
userRoleName="PrimaryGroupID"
---
Role names may also be held as the values of an attribute in the user's directory entry. Use userRoleName to specify the name of this attribute.
---
Edit web.xml and change the two role-name entries like this:
<role-name>513</role-name>
You can use the attached tool to view the attributes of a default AD installation like this:
Tool:
http://www.rlmueller.net/Document%20Attributes.htm
Command line:
cscript //nologo view-ad-attribs.vbs "WinNT://domain/user"
You can decide to use any other field that is common to all your users, such as LoginScript = ntlogin.bat
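As an added illustration of why the thread ended where it did (this is not code from TypingMaster or from Tomcat; the directory entries, domain SID, group RIDs and account names in it are constructed): a small Python model of the two role-resolution paths of Tomcat's JNDIRealm, run over an in-memory copy of the kind of entries AD returns. It shows that an ordinary account is denied under roleSearch="(member={0})" with role-name "Domain Users", because AD never lists primary-group membership in the group's member attribute or the user's memberOf, and is admitted under userRoleName="primaryGroupID" with role-name 513. It also resolves the RID 513 back to the group whose objectSid is the domain SID plus that RID, which is how the bare number maps to "Domain Users".

```python
"""Model of Tomcat JNDIRealm role resolution against Active Directory.

Added illustration over a constructed in-memory directory; not a live LDAP
server and not TypingMaster's or Tomcat's code.  It mirrors the two realm
settings discussed in the thread:

  roleSearch="(member={0})" roleName="cn"   -> explicit group memberships only
  userRoleName="primaryGroupID"             -> the RID of the user's primary group

An ordinary AD account's primary group is "Domain Users" (RID 513).  AD does
not list primary-group membership in the group's `member` attribute or in the
user's `memberOf`, which is why the first setting produced a 403 and the
second one works.
"""

# Constructed sample data: the domain SID, DNs and accounts are all made up.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
BASE_DN = "DC=students,DC=wlcs,DC=local"

DIRECTORY = {
    f"CN=Domain Users,CN=Users,{BASE_DN}": {
        "objectClass": "group",
        "cn": "Domain Users",
        "objectSid": f"{DOMAIN_SID}-513",
        "member": [],  # primary-group members are never listed here
    },
    f"CN=typingmaster,OU=Groups,{BASE_DN}": {
        "objectClass": "group",
        "cn": "typingmaster",
        "objectSid": f"{DOMAIN_SID}-1105",  # 1105 is an assumed RID
        "member": [f"CN=alice,OU=Students,{BASE_DN}"],
    },
    f"CN=alice,OU=Students,{BASE_DN}": {
        "objectClass": "user",
        "sAMAccountName": "alice",
        "primaryGroupID": 513,
    },
    f"CN=bob,OU=Students,{BASE_DN}": {
        "objectClass": "user",
        "sAMAccountName": "bob",
        "primaryGroupID": 513,
    },
}


def find_user(sam_account_name):
    """userSearch="(sAMAccountName={0})" with userSubtree="true": return (dn, entry)."""
    for dn, entry in DIRECTORY.items():
        if entry["objectClass"] == "user" and entry["sAMAccountName"] == sam_account_name:
            return dn, entry
    return None, None


def roles_from_role_search(user_dn):
    """roleSearch="(member={0})" roleName="cn": groups whose member attribute names the user DN."""
    return {
        entry["cn"]
        for entry in DIRECTORY.values()
        if entry["objectClass"] == "group" and user_dn in entry["member"]
    }


def roles_from_user_role_name(user_entry, attribute):
    """userRoleName="<attribute>": the attribute's value on the user entry becomes a role name."""
    value = user_entry.get(attribute)
    return {str(value)} if value is not None else set()


def primary_group_name(user_entry):
    """Resolve primaryGroupID (a RID) to the group whose objectSid is <domain SID>-<RID>."""
    wanted_sid = f"{DOMAIN_SID}-{user_entry['primaryGroupID']}"
    for entry in DIRECTORY.values():
        if entry["objectClass"] == "group" and entry["objectSid"] == wanted_sid:
            return entry["cn"]
    return None


def resolve_roles(sam_account_name, use_role_search=True, user_role_name=None):
    """Collect roles the way JNDIRealm does: userRoleName values plus roleSearch hits."""
    user_dn, user_entry = find_user(sam_account_name)
    if user_entry is None:
        return set()
    roles = set()
    if user_role_name:
        roles |= roles_from_user_role_name(user_entry, user_role_name)
    if use_role_search:
        roles |= roles_from_role_search(user_dn)
    return roles


def is_authorized(roles, allowed_role_names):
    """web.xml <auth-constraint>: allowed iff the user holds at least one listed role-name."""
    return bool(roles & set(allowed_role_names))


if __name__ == "__main__":
    # Original server.xml plus <role-name>Domain Users</role-name>: bob gets a 403.
    roles = resolve_roles("bob")
    print("bob via roleSearch:", roles, "->", is_authorized(roles, ["Domain Users"]))
    # The fix from the thread: userRoleName="primaryGroupID" plus <role-name>513</role-name>.
    roles = resolve_roles("bob", use_role_search=False, user_role_name="primaryGroupID")
    print("bob via primaryGroupID:", roles, "->", is_authorized(roles, ["513"]))
    print("bob's primary group:", primary_group_name(find_user("bob")[1]))
```

One caveat for anyone copying the 513 setting: it admits every account in that domain whose primary group is Domain Users, which by default is every user object, not only students. Accounts still have to authenticate, and the realm authenticates by binding to AD as the user, so disabled accounts are rejected at the bind step. If staff or service accounts live in the same domain, narrow userBase to the OU that holds the student accounts so that only they can be found by userSearch in the first place.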
9/28/2009 9:51:53 AM
DuncanIdaho
That did it!
I would recommend including that in the documentation. Now, I don't have to manage specific users in the typingmaster security group. This saves us a great deal of time and administration.
Way to go!!!!!
© 1992-2009 TypingMaster, Inc. All rights reserved.