Since I’m running Java with Tomcat6 as servlet container I found it appropriate to use the Tomcat JNDIRealm feature so that LDAP users can log into my site without any additional efforts. The LDAP server I’m using is OpenLDAP on Ubuntu.
On top of this I have the login page using form-based authentication over an https connection.
I found two very good examples of authentication users via LDAP, here and here, that both achieve what I feel I almost achieved. Why almost achieved?
When I attempt to login with the wrong credentials I’m appropriately sent to the <form-error-page>, login-failed.html in my case.
When my credentials are good and I authenticate successfully I start getting a 403 for all urls in the site. And I cannot remove the 403 error (not even for the login page!) unless I restart Tomcat.
I suspect the reason is because I don’t have roles in the realm or other config files set up correctly. For the sake of brevity I put the relevant config files excerpts on pastebin:
- Realm in Tomcat
server.xml - Relevant
tomcat-users.xmlpart - Relevant
web.xmlpart - Basic LDAP structure, dashes indicate tree structure
Note that Tomcat-based auth works perfectly since the role is easily attached to the user in the tomcat-users.xml. Therefore I believe it’s a problem in getting the role for an authenticated user from LDAP once it has been successfully been authenticated.
TL/DR
I have a config issue in connecting Tomcat to LDAP auth. User data fetched properly, but not the user’s role. LDAP log messages available on request 😉
UPDATE: I pasted the LDAP data here.
That is correct. Your LDAP roles aren’t being found by the JNDIRealm. You need to test your role search string outside Tomcat to ensure it yields what you think it should yield. As you haven’t provided any LDAP details it isn’t possible to comment further.
Putting a security-permission on the entire site with /* is a mistake. You need to exclude the login page and probably also the front page and the forgot-password page, maybe more, from requiring a role.