
Rundeck Enterprise Support Center

Authentication with AD or LDAP on Tomcat

Last Updated: Aug 16, 2017 06:00AM PDT

Configure Active Directory (AD) or LDAP Authentication on Tomcat


Edit $CATALINA_BASE/conf/server.xml and add the following realm definition. A Realm nested inside the <Engine> element applies to every virtual host; one nested inside a <Host> applies to that host only.

Replace the "@token@" strings with values corresponding to your Active Directory/LDAP structure.

 

         <Realm className="org.apache.catalina.realm.JNDIRealm"
                connectionName="@jndi_connectionName@"
                connectionPassword="@jndi_connectionPassword@"
                connectionURL="@jndi_connectionURL@"
                referrals="follow"
                userBase="@jndi_userBase@"
                userSearch="(sAMAccountName={0})"
                userSubtree="true"
                roleBase="@jndi_roleBase@"
                roleName="cn"
                roleSearch="(member={0})"
                roleSubtree="true"
                roleNested="true"
                commonRole="user"
         />

 



Here are the descriptions for each attribute:
  • connectionName: the DN or UPN of the account the realm binds with in order to search the directory (eg, cn=user,ou=blah,dc=example,dc=com or Administrator@sops.local). Use a dedicated, least-privilege service account that can only read user and group entries; a domain administrator is shown in the examples only for brevity.
  • connectionPassword: that account's password (eg, 'password'). It is stored in cleartext in server.xml, so restrict read access on the file to the account Tomcat runs as.
  • connectionURL: the URL of the LDAP server (eg, 'ldap://192.168.50.11:389'). Over plain ldap:// the bind password and every user's login password cross the network unencrypted; use ldaps:// (typically port 636) wherever the directory supports it.
  • userBase: base DN under which users are searched (eg, 'dc=example,dc=com'), used together with userSearch;
                or userPattern: a DN pattern that locates the user directly without a search (eg, 'cn={0},dc=example,dc=com').
  • userSearch: LDAP filter used to find the user; {0} is replaced with the login name (eg, (sAMAccountName={0}) or (name={0})).
  • userSubtree: search the whole subtree below userBase rather than only its direct children.
  • roleBase: base DN under which role (group) entries are searched (eg, 'OU=Rundeck,dc=example,dc=com').
  • roleName: the attribute of each matching role entry whose value becomes the Tomcat role name (cn here, so the group's common name is the role).
  • roleSearch: LDAP filter used to find the user's roles; {0} is replaced with the user's DN and {1} with the login name, so (member={0}) matches every group that lists the user as a member.
  • roleSubtree / roleNested: search the whole subtree below roleBase, and also resolve groups that are themselves members of other groups.
  • referrals: how referrals returned by the directory are handled. Active Directory returns referrals for subtree searches at the domain root; without "follow" such searches fail with a PartialResultException.
  • commonRole: a role granted to every account that authenticates, regardless of group membership. Rundeck requires the 'user' role to log in, so with commonRole="user" any directory account that can bind gets a Rundeck login; remove it and map a specific group to 'user' through roleBase/roleSearch if only some accounts should have access.

To use both authentication methods, AD/LDAP plus the default users file (conf/tomcat-users.xml), use CombinedRealm. The nested realms are tried in the order they are listed, and the first one that authenticates the user wins:


         <Realm className="org.apache.catalina.realm.CombinedRealm">
                 <!-- tried first: local accounts from conf/tomcat-users.xml -->
                 <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
                        resourceName="UserDatabase"/>

                 <!-- tried second: Active Directory -->
                 <Realm className="org.apache.catalina.realm.JNDIRealm"
                        connectionName="CN=Administrator,CN=Users,DC=Example,DC=local"
                        connectionPassword="password"
                        connectionURL="ldap://server:389"
                        referrals="follow"
                        userBase="CN=Users,DC=Example,DC=local"
                        userSearch="(sAMAccountName={0})"
                        userSubtree="true"
                        roleBase="CN=Roles,DC=Example,DC=local"
                        roleName="cn"
                        roleSearch="(member={0})"
                        roleSubtree="true"
                        roleNested="true"
                        commonRole="user"
                 />
         </Realm>
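The following script is an added example and is not part of this article, of Rundeck, or of Tomcat. It pulls every JNDIRealm out of a server.xml fragment, applies the checks discussed above (plain ldap://, cleartext or empty bind password, missing {0} placeholders, commonRole granted to everyone), and shows what userSearch and roleSearch expand to for a given login name, escaping the substituted value per RFC 4515 so that characters such as ( ) * \ in a login cannot change the filter's structure. The embedded server.xml fragment is constructed for the example; dc01.example.local, svc-rundeck and the other names in it are made up.

```python
"""Added example: sanity-check a Tomcat JNDIRealm definition before deploying it.

Not code from the Rundeck article or from Tomcat. Parses <Realm> elements from
a server.xml fragment, audits the attributes the article describes, and expands
the userSearch/roleSearch filters with RFC 4515 escaping.
"""
import xml.etree.ElementTree as ET

JNDI_REALM = "org.apache.catalina.realm.JNDIRealm"

# RFC 4515 escaping for values substituted into a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed sample: the article's CombinedRealm layout with made-up names.
SAMPLE_SERVER_XML = """\
<Realm className="org.apache.catalina.realm.CombinedRealm">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionName="CN=svc-rundeck,OU=Service Accounts,DC=example,DC=local"
         connectionPassword="change-me"
         connectionURL="ldap://dc01.example.local:389"
         referrals="follow"
         userBase="CN=Users,DC=example,DC=local"
         userSearch="(sAMAccountName={0})"
         userSubtree="true"
         roleBase="OU=Rundeck,DC=example,DC=local"
         roleName="cn"
         roleSearch="(member={0})"
         roleSubtree="true"
         roleNested="true"
         commonRole="user"/>
</Realm>
"""


def escape_filter_value(value):
    """Escape a value per RFC 4515 so it cannot alter the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def jndi_realms(server_xml):
    """Attribute dicts of every JNDIRealm in the fragment, nested ones included."""
    root = ET.fromstring(server_xml)
    return [dict(el.attrib) for el in root.iter("Realm") if el.get("className") == JNDI_REALM]


def expand_user_filter(realm, username):
    """The userSearch filter for this login name ({0} is the login name)."""
    return realm["userSearch"].replace("{0}", escape_filter_value(username))


def expand_role_filter(realm, user_dn, username):
    """The roleSearch filter once the user is found ({0} is the user's DN, {1} the login name)."""
    return (realm["roleSearch"]
            .replace("{0}", escape_filter_value(user_dn))
            .replace("{1}", escape_filter_value(username)))


def audit_realm(realm):
    """Findings a practitioner would want to see before trusting this realm for login."""
    findings = []
    url = realm.get("connectionURL", "")
    if not url:
        findings.append("connectionURL is missing")
    elif url.startswith("ldap://"):
        findings.append("connectionURL uses plain ldap://: bind and user passwords cross the "
                        "network unencrypted; prefer ldaps://")
    if not realm.get("connectionName"):
        findings.append("connectionName is empty: the realm would bind anonymously")
    elif not realm.get("connectionPassword"):
        findings.append("connectionPassword is empty: many directories treat a bind with an "
                        "empty password as anonymous")
    else:
        findings.append("connectionPassword is cleartext in server.xml: restrict the file "
                        "to the Tomcat service account")
    if "{0}" not in realm.get("userSearch", "") and "{0}" not in realm.get("userPattern", ""):
        findings.append("neither userSearch nor userPattern contains {0}: the login name "
                        "would not take part in locating the user")
    role_search = realm.get("roleSearch", "")
    if role_search and "{0}" not in role_search and "{1}" not in role_search:
        findings.append("roleSearch contains neither {0} nor {1}: every user would receive "
                        "the same roles")
    if realm.get("commonRole"):
        findings.append("commonRole=%r is granted to every account that authenticates, "
                        "not only to members of groups under roleBase" % realm["commonRole"])
    return findings


if __name__ == "__main__":
    for realm in jndi_realms(SAMPLE_SERVER_XML):
        print("user filter:   ", expand_user_filter(realm, "alice"))
        print("hostile login: ", expand_user_filter(realm, "alice)(objectClass=*"))
        print("role filter:   ", expand_role_filter(realm, "CN=alice,CN=Users,DC=example,DC=local", "alice"))
        for finding in audit_realm(realm):
            print("-", finding)
```

Run it against your own server.xml by replacing SAMPLE_SERVER_XML with the file's contents; the audit only reads attributes, so it never contacts the directory and can be run before the bind account even exists.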


 

Further information about Realm authentication can be found in the Tomcat Realm Configuration HOW-TO for your Tomcat version.
 

Enable debug logging for Tomcat authentication

Edit the file $CATALINA_BASE/conf/logging.properties and make the following changes:

  • Change the level of the localhost FileHandler from FINE to ALL (the directory and prefix lines are shown for context and stay as they are):

     2localhost.org.apache.juli.FileHandler.level = ALL
     2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
     2localhost.org.apache.juli.FileHandler.prefix = localhost.

  • Add the following lines at the end of the file:

     org.apache.catalina.core.ContainerBase.[Catalina].level = ALL
     org.apache.catalina.core.ContainerBase.[Catalina].handlers = 2localhost.org.apache.juli.FileHandler

Restart Tomcat. Realm activity (bind attempts, the expanded user and role search filters, the DNs found and the roles returned) is then written to the localhost.YYYY-MM-DD.log file in the $CATALINA_BASE/logs folder. This level is very verbose and records directory names and search details for every login, so treat the log files as sensitive while debugging, and restore FINE and remove the two ContainerBase lines once the problem is found.
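An added helper, not from this article or from Tomcat, that applies and reverts the two logging.properties changes above idempotently, so a debugging session can be switched on and off without hand-editing the file twice and without leaving the ALL level behind. The sample properties content is constructed for the example (with CRLF line endings, as the ^M markers in the original article suggested); the key names are the ones the article uses.

```python
"""Added example: switch Tomcat authentication debug logging on and off.

Not from the Rundeck article or from Tomcat. Applies the logging.properties
changes described above idempotently, reverts them afterwards, and normalises
CRLF line endings on the way.
"""
import re
import sys

HANDLER = "2localhost.org.apache.juli.FileHandler"
DEBUG_LINES = (
    "org.apache.catalina.core.ContainerBase.[Catalina].level = ALL",
    "org.apache.catalina.core.ContainerBase.[Catalina].handlers = " + HANDLER,
)
_LEVEL_RE = re.compile(r"^(" + re.escape(HANDLER) + r"\.level[ \t]*=[ \t]*)(\S+)[ \t]*$",
                       re.MULTILINE)

# Constructed sample in the layout the article shows.
SAMPLE_LOGGING_PROPERTIES = (
    "handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler\r\n"
    "2localhost.org.apache.juli.FileHandler.level = FINE\r\n"
    "2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs\r\n"
    "2localhost.org.apache.juli.FileHandler.prefix = localhost.\r\n"
)


def _lines(text):
    """Split into lines with CRLF normalised and the trailing newline dropped."""
    return text.replace("\r\n", "\n").rstrip("\n").split("\n")


def set_handler_level(text, level):
    """Set (or add) the localhost FileHandler level, leaving every other key untouched."""
    text = text.replace("\r\n", "\n")
    if _LEVEL_RE.search(text):
        return _LEVEL_RE.sub(lambda m: m.group(1) + level, text)
    return "\n".join(_lines(text) + [HANDLER + ".level = " + level]) + "\n"


def enable_auth_debug(text):
    """Raise the handler to ALL and route Catalina container logging to it (idempotent)."""
    lines = _lines(set_handler_level(text, "ALL"))
    lines += [line for line in DEBUG_LINES if line not in lines]
    return "\n".join(lines) + "\n"


def disable_auth_debug(text, restore_level="FINE"):
    """Undo enable_auth_debug: restore the handler level and drop the added lines."""
    lines = [line for line in _lines(set_handler_level(text, restore_level))
             if line not in DEBUG_LINES]
    return "\n".join(lines) + "\n"


def auth_debug_enabled(text):
    """True only when the handler level is ALL and both ContainerBase lines are present."""
    lines = _lines(text)
    match = _LEVEL_RE.search("\n".join(lines))
    return bool(match) and match.group(2) == "ALL" and all(line in lines for line in DEBUG_LINES)


if __name__ == "__main__":
    # usage: auth_debug.py [path/to/logging.properties] [--off]
    if len(sys.argv) > 1:
        path, turn_off = sys.argv[1], "--off" in sys.argv[2:]
        with open(path, encoding="utf-8") as fh:
            current = fh.read()
        updated = disable_auth_debug(current) if turn_off else enable_auth_debug(current)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(updated)
        print("debug logging", "disabled" if turn_off else "enabled", "in", path)
    else:
        print(enable_auth_debug(SAMPLE_LOGGING_PROPERTIES))
```

Running it with the path of the real logging.properties rewrites the file in place; the --off switch restores FINE and removes the two lines again. Tomcat reads logging.properties only at startup, so a restart is needed after either change.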
 

 
