
List:       tomcat-user
Subject:    Re: LDAP authentication for Tomcat's webapp 'Opengrok'
From:       Christopher Schultz <chris () christopherschultz ! net>
Date:       2017-03-30 19:38:42
Message-ID: 68449f2b-fdb4-b004-2e71-03a92ac110da () christopherschultz ! net

Alfie,

On 3/27/17 7:07 AM, Alfie Patolilic wrote:
>> Tomcat Version : 6.0.36

You need to upgrade. Current 6.0.x version is 6.0.51. Current stable
version is (IMO) 8.0.42.

>> I have a question on how I am able to set the following,
>> regarding the web application that runs under Apache Tomcat,
>> 'Opengrok'. The idea is to set a hostname for
>> 'localhost:8080/grok', so when users try and access the page via
>> the hostname, they are prompted for authentication of their
>> username and password.
>> 
>> I have currently configured the server.xml to connect to LDAP. I
>>  have added below the configuration on my server.xml. I am unsure
>> as to where to go from here, how I will be able to link the
>> hostname. I have changed some values in the information given for
>> security purposes.
>> 
>> <!-- Adding the following for OpenGrok -->
>> <Realm className="org.apache.catalina.realm.LockOutRealm">
>>   <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>>          resourceName="UserDatabase"/>
>>   <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>>          connectionURL="ldap://<host> "
>>          connectionName="ldap@company "
>>          connectionPassword="password"
>>          referrals="follow"
>>          userBase="DC=<company>"
>>          userSearch="(sAMAccountName={0})"
>>          userSubtree="true"
>>          roleBase="DC=<company>"
>>          roleName="cn"
>>          roleSubtree="true"
>>          roleSearch="(member={0})"
>>          allRolesMode="strictAuthOnly" />
>> </Realm>

Does the application understand anything about LDAP authentication, or
are you asking how Tomcat can be configured to request the username
and password for the user?

The LDAP backend is just the way that the authentication and
authorization is performed. Credential-gathering is typically
performed using one of the following:

1. HTTP Basic "authentication"
2. HTTP Digest "authentication"
3. FORM login (username/password in a web form)
4. SSL/TLS client certificate

Which of the above did you have in mind? If you are just slapping
authentication on top of an existing application that doesn't have its
own login process, then I would recommend using HTTP Basic
"authentication" (I use parens around "authentication" because it's
not authenticating at all... it's just providing credentials that the
server can use for authentication). When using HTTP Basic
"authentication" it is absolutely required that you use TLS to encrypt
the channel.

>> I have checked the web for blogs and asked other tomcat groups
>> but was not able to get any answers.
>> 
>> I am aware that the version of Apache Tomcat I am using is 
>> outdated and has reached its end of life. Though necessary, I 
>> cannot update to a newer version of the application due to some 
>> issues.

You need to resolve those issues. Any software product that has
security components cannot be trusted after it reaches end-of-life.
Any EOL'd product should be considered known-vulnerable as soon as
that EOL date arrives.

> I meant that currently, I can access opengrok via
> localhost:8080/grok.
> 
> I am planning on configuring a hostname called 'grok.company.com' 
> which redirects to localhost:8080/grok.

Redirects or proxies? Adding a redirect will only work for users who
are sitting at your actual computer (localhost).

> When they access grok using grok.company.com, they will be
> prompted with a userid and password using LDAP.

Is there a reason not to require a username and password for all
users, regardless of the hostname they use to access the application?

- -chris

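Added example, not part of Chris's reply or of the OpenGrok project: a `WEB-INF/web.xml` fragment for the webapp that implements option 1 from the list above (HTTP Basic credential gathering) on top of the JNDIRealm already declared in `server.xml`. The `CONFIDENTIAL` transport guarantee makes Tomcat redirect plain-HTTP requests to the HTTPS connector before it ever issues the Basic challenge, which is the "absolutely required" TLS point in the reply. The URL pattern `/*`, the realm name and the role `grok-users` are assumptions; the role has to exist as a group whose `cn` is `grok-users` under the configured `roleBase`, with the user listed in its `member` attribute, so that `roleSearch="(member={0})"` resolves it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed web.xml fragment for the OpenGrok webapp (example, not the
     project's own descriptor). The Realm itself lives in server.xml. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Protect the whole application, whatever hostname the user typed.
       Requiring auth for every request is simpler and safer than trying
       to gate it on the Host header. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>OpenGrok</web-resource-name>
      <url-pattern>/*</url-pattern>   <!-- assumed: everything under the context -->
    </web-resource-collection>

    <!-- Only members of the assumed LDAP group 'grok-users' get in.
         Avoid '*' here: with allRolesMode="strictAuthOnly" its meaning
         depends on whether <security-role> elements are declared. -->
    <auth-constraint>
      <role-name>grok-users</role-name>
    </auth-constraint>

    <!-- CONFIDENTIAL: Tomcat redirects http:// requests to the HTTPS
         connector (redirectPort on the HTTP <Connector>) before any
         Basic challenge, so credentials never cross the wire in clear. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Option 1 from the list: HTTP Basic credential gathering.
       The browser prompts for userid/password; the JNDIRealm binds
       them against LDAP via userSearch="(sAMAccountName={0})". -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>OpenGrok</realm-name>   <!-- assumed display name -->
  </login-config>

  <!-- Declare the role so the container can validate the constraint. -->
  <security-role>
    <role-name>grok-users</role-name>
  </security-role>

</web-app>
```

For this to redirect correctly the HTTP `<Connector>` in `server.xml` needs a `redirectPort` that points at a configured HTTPS connector; without one, `CONFIDENTIAL` requests fail instead of being upgraded. Switching to option 3 later (FORM login) only changes `<login-config>` to `<auth-method>FORM</auth-method>` plus a `<form-login-config>` pointing at a login page; the security constraint and the realm stay as they are.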
