Tomcat 6 webapp authentication against AD


Tested on RHEL6

Add the following to /etc/tomcat6/server.xml (inside the <Host> element, just before its closing tag):

<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="99"
       connectionURL="ldap://"
       connectionName="username"
       connectionPassword="password"
       authentication="simple"
       referrals="follow"
       userBase="ou=users,dc=intranet,dc=example,dc=org"
       userSubtree="true"
       userSearch="(sAMAccountName={0})"
       roleBase="ou=users,dc=intranet,dc=example,dc=org"
       roleSubtree="true"
       roleName="cn"
       roleSearch="(member={0})" />

In AD, add your users to the group (a role, in Tomcat terms) that we'll call "myapplication" in this example.

Now edit /etc/tomcat6/tomcat-users.xml with the users:

<user name="user01" roles="myapplication"></user>

So here we have a group "myapplication" (its cn, which roleName="cn" maps to the Tomcat role name) with member=user01 (matched by roleSearch="(member={0})").

Your webapp must be configured to require authentication and to define which roles are allowed; here is an example:

WEB-INF/web.xml:

      <web-resource-name>Entire Application</web-resource-name>
      <!-- The role allowed in the app -->

Thanks for reading this post!
