Hi,

I'm having some issues configuring LDAP authentication on CAS 4.1.0. I 
must say I had this configuration working on 4.0.4 but for some reason, 
even when authenticating successfully against LDAP, CAS says the 
credentials are not right.

This is what I did:

1) deployerConfigContext.xml: Inside the authenticationManager bean, 
this is the map defined:
    <constructor-arg>
      <map>
        <entry key-ref="proxyAuthenticationHandler" 
value-ref="proxyPrincipalResolver" />
        <entry key-ref="ldapAuthenticationHandler" value="#{null}" />
      </map>
    </constructor-arg>

2) deployerConfigContext.xml: Copied and pasted the "LDAP support for 
direct bind" config 
(http://jasig.github.io/cas/4.1.x/installation/LDAP-Authentication.html#ldap-supporting-direct-bind), 
except that I removed the p:sslConfig-ref="sslConfig" part and the 
corresponding sslConfig bean, because I'm not using SSL over LDAP.

3) pom.xml: Added the corresponding dependency:
    <dependency>
      <groupId>org.jasig.cas</groupId>
      <artifactId>cas-server-support-ldap</artifactId>
      <version>${cas.version}</version>
    </dependency>

4) cas.properties: I customized any needed properties, as I had it in my 
4.0.4 working configuration.

Now, I access /cas and authenticate, and CAS says the credentials are 
not right. I had a look at the authentication log and found the bind to 
be successful as far as LDAP goes, as you can see here:

    Sep 19 14:07:15 machine slapd[22970]: conn=1004 op=1 BIND anonymous mech=implicit ssf=0
    Sep 19 14:07:15 machine slapd[22970]: conn=1004 op=1 BIND dn="uid=myuser,cn=...,dc=...,dc=..." method=128
    Sep 19 14:07:15 machine slapd[22970]: conn=1004 op=1 BIND dn="uid=myuser,cn=...,dc=...,dc=..." mech=SIMPLE ssf=0
    Sep 19 14:07:15 machine slapd[22970]: conn=1004 op=1 RESULT tag=97 err=0 text=

I decided to enable debugging as described in the Troubleshooting page 
of the LDAP configuration, and I see the following:

    2015-09-19 14:07:15,636 DEBUG [org.ldaptive.auth.FormatDnResolver] - <Formatting DN for myuser with uid=%s,cn=...,dc=...,dc=...>
    2015-09-19 14:07:15,637 DEBUG [org.ldaptive.auth.Authenticator] - <authenticate dn=uid=myuser,cn=...,dc=...,dc=... with request=[org.ldaptive.auth.AuthenticationRequest@954293603::user=myuser, retAttrs=[1.1]]>
    2015-09-19 14:07:15,637 DEBUG [org.ldaptive.auth.PooledBindAuthenticationHandler] - <authenticate criteria=[org.ldaptive.auth.AuthenticationCriteria@1404709825::dn=uid=myuser,cn=...,dc=...,dc=..., authenticationRequest=[org.ldaptive.auth.AuthenticationRequest@954293603::user=myuser, retAttrs=[1.1]]]>
    2015-09-19 14:07:15,639 DEBUG [org.ldaptive.BindOperation] - <execute request=[org.ldaptive.BindRequest@1670297304::bindDn=uid=myuser,cn=...,dc=...,dc=..., saslConfig=null, controls=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1313776513::config=[org.ldaptive.ConnectionConfig@257920952::ldapUrl=ldap://localhost, connectTimeout=3000, responseTimeout=-1, sslConfig=null, useSSL=false, useStartTLS=false, connectionInitializer=null], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@972029714::metadata=[ldapUrl=ldap://localhost, count=1], environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, com.sun.jndi.ldap.connect.timeout=3000, java.naming.ldap.version=3}, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@995300469::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy@65f55fd2, controlProcessor=org.ldaptive.provider.ControlProcessor@5ae33587, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@4b642bc0]>
    2015-09-19 14:07:15,643 DEBUG [org.ldaptive.BindOperation] - <execute response=[org.ldaptive.Response@1182007988::result=null, resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1] for request=[org.ldaptive.BindRequest@1670297304::bindDn=uid=myuser,cn=...,dc=...,dc=..., saslConfig=null, controls=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1313776513::config=[org.ldaptive.ConnectionConfig@257920952::ldapUrl=ldap://localhost, connectTimeout=3000, responseTimeout=-1, sslConfig=null, useSSL=false, useStartTLS=false, connectionInitializer=null], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@972029714::metadata=[ldapUrl=ldap://localhost, count=1], environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, com.sun.jndi.ldap.connect.timeout=3000, java.naming.ldap.version=3}, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@995300469::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy@65f55fd2, controlProcessor=org.ldaptive.provider.ControlProcessor@5ae33587, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@4b642bc0]>
    2015-09-19 14:07:15,645 DEBUG [org.ldaptive.auth.PooledBindAuthenticationHandler] - <authenticate response=[org.ldaptive.auth.AuthenticationHandlerResponse@1784519566::connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1313776513::config=[org.ldaptive.ConnectionConfig@257920952::ldapUrl=ldap://localhost, connectTimeout=3000, responseTimeout=-1, sslConfig=null, useSSL=false, useStartTLS=false, connectionInitializer=null], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@972029714::metadata=[ldapUrl=ldap://localhost, count=1], environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, com.sun.jndi.ldap.connect.timeout=3000, java.naming.ldap.version=3}, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@995300469::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy@65f55fd2, controlProcessor=org.ldaptive.provider.ControlProcessor@5ae33587, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@4b642bc0], result=true, resultCode=SUCCESS, message=null, controls=null] for criteria=[org.ldaptive.auth.AuthenticationCriteria@1404709825::dn=uid=myuser,cn=...,dc=...,dc=..., authenticationRequest=[org.ldaptive.auth.AuthenticationRequest@954293603::user=myuser, retAttrs=[1.1]]]>
    2015-09-19 14:07:15,660 INFO [org.ldaptive.auth.Authenticator] - <Authentication succeeded for dn: uid=myuser,cn=...,dc=...,dc=...>
    2015-09-19 14:07:15,662 DEBUG [org.ldaptive.auth.Authenticator] - <authenticate response=[org.ldaptive.auth.AuthenticationHandlerResponse@1784519566::connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1313776513::config=[org.ldaptive.ConnectionConfig@257920952::ldapUrl=ldap://localhost, connectTimeout=3000, responseTimeout=-1, sslConfig=null, useSSL=false, useStartTLS=false, connectionInitializer=null], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@972029714::metadata=[ldapUrl=ldap://localhost, count=1], environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, com.sun.jndi.ldap.connect.timeout=3000, java.naming.ldap.version=3}, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@995300469::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy@65f55fd2, controlProcessor=org.ldaptive.provider.ControlProcessor@5ae33587, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@4b642bc0], result=true, resultCode=SUCCESS, message=null, controls=null] for dn=uid=myuser,cn=...,dc=...,dc=... with request=[org.ldaptive.auth.AuthenticationRequest@954293603::user=myuser, retAttrs=[1.1]]>
    2015-09-19 14:07:15,664 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler failed authenticating myuser+password>
    2015-09-19 14:07:15,665 INFO
    [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
    <Audit trail record BEGIN
    =============================================================
    WHO: myuser+password
    WHAT: supplied credentials: [myuser+password]
    ACTION: AUTHENTICATION_FAILED
    APPLICATION: CAS
    WHEN: Sat Sep 19 14:07:15 WEST 2015
    CLIENT IP ADDRESS: 192.168.1.X
    SERVER IP ADDRESS: 192.168.1.X
    =============================================================

     >
    2015-09-19 14:07:15,667 INFO
    [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
    <Audit trail record BEGIN
    =============================================================
    WHO: myuser+password
    WHAT: 1 errors, 0 successes
    ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
    APPLICATION: CAS
    WHEN: Sat Sep 19 14:07:15 WEST 2015
    CLIENT IP ADDRESS: 192.168.1.X
    SERVER IP ADDRESS: 192.168.1.X
    =============================================================


So if CAS says that the authentication succeeded at first, why does 
LdapAuthenticationHandler fail? Any hint would be very much appreciated 
since I'm a bit lost right now.

Thanks,

Nicolás

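Added example, not code from the post, from CAS or from ldaptive. The FormatDnResolver line in the debug output shows what a direct-bind handler does with the login-form user name: it substitutes it into a DN template such as uid=%s,cn=...,dc=...,dc=... and binds as that DN. The page does not say how the library escapes that value, so the functions below show the rule itself, independently of ldaptive: plain substitution next to a version that escapes the value per RFC 4514 and refuses the two credential shapes a simple bind must never be attempted with (empty user name or empty password, which RFC 4513 defines as an anonymous or unauthenticated bind). The template uid=%s,ou=people,dc=example,dc=org and the user names are constructed placeholders standing in for the elided cn=...,dc=... values in the post.

```python
"""Direct-bind DN construction: naive substitution versus RFC 4514 escaping.

Added example; not CAS or ldaptive code.  TEMPLATE and all user names are
constructed placeholders.
"""

# Hypothetical template; the post's real one is "uid=%s,cn=...,dc=...,dc=...".
TEMPLATE = "uid=%s,ou=people,dc=example,dc=org"

# Characters RFC 4514 section 2.4 requires to be escaped anywhere in a value.
_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN string (RFC 4514 s.2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")                 # NUL must be hex-escaped
        elif ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")                  # a leading '#' would start a hex-string value
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")                  # leading/trailing space survives only if escaped
        else:
            out.append(ch)
    return "".join(out)


def naive_bind_dn(template: str, user: str) -> str:
    """Plain substitution: whatever was typed on the login form lands in the DN."""
    return template.replace("%s", user, 1)


class InvalidCredential(ValueError):
    """Credential shapes that must be rejected before any bind request is sent."""


def safe_bind_dn(template: str, user: str, password: str) -> str:
    """Validate the credential, then substitute the RFC 4514-escaped user name."""
    if not user or not password:
        # RFC 4513 section 5.1.2: a name with an empty password is an
        # *unauthenticated* simple bind, and an empty name is an anonymous one.
        # Some servers answer both with success, so refuse them client-side
        # instead of relying on server policy.
        raise InvalidCredential("user name and password must both be non-empty")
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in user):
        raise InvalidCredential("control characters are not allowed in a user name")
    return template.replace("%s", escape_dn_value(user), 1)


def rdn_count(dn: str) -> int:
    """Number of RDNs in a DN string, honouring backslash escapes.

    Used to make injection visible: an unescaped comma adds an RDN.
    """
    count, i = 1, 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2                             # skip the escaped character
            continue
        if dn[i] == ",":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    injected = "bob,ou=admins"                 # constructed hostile user name
    for dn in (naive_bind_dn(TEMPLATE, injected), safe_bind_dn(TEMPLATE, injected, "pw")):
        print(rdn_count(dn), dn)
```

For a bare simple bind the damage from an unescaped value is bounded, since the attacker still needs the password of whatever entry the rewritten DN points at; escaping still matters because the same user name usually reaches a search filter, an attribute lookup or an audit record later. The empty-password check is the one to get right first: it is cheap, and it closes the unauthenticated-bind case regardless of how the directory is configured.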
-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
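Added example, not part of the post and not CAS or ldaptive code: a small triage script for a log excerpt like the one above. The slapd lines, the ldaptive connection dump and the CAS audit records each answer a different question, and reading them together is what tells you where a login actually failed. The script correlates the slapd BIND with its RESULT on conn/op rather than on line order, reads the ldaptive ConnectionConfig for useSSL/useStartTLS, and classifies the failure as ldap-bind (the directory rejected the credential), cas-handler (bind succeeded, the handler failed afterwards) or ticket-creation. The sample records are constructed to mirror the post's excerpt; the DN, object ids and the err=49 (invalidCredentials) counterpart are placeholders.

```python
"""Triage of slapd + CAS/ldaptive authentication logs.  Added example, not CAS code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample mirroring the post: bind accepted by slapd, handler fails afterwards.
SAMPLE_OK_BIND_HANDLER_FAIL = """\
Sep 19 14:07:15 machine slapd[22970]: conn=1004 op=1 BIND dn="uid=myuser,ou=people,dc=example,dc=org" method=128
Sep 19 14:07:15 machine slapd[22970]: conn=1004 op=1 BIND dn="uid=myuser,ou=people,dc=example,dc=org" mech=SIMPLE ssf=0
Sep 19 14:07:15 machine slapd[22970]: conn=1004 op=1 RESULT tag=97 err=0 text=
2015-09-19 14:07:15,639 DEBUG [org.ldaptive.BindOperation] - <execute request=[org.ldaptive.BindRequest@1::bindDn=uid=myuser,ou=people,dc=example,dc=org, saslConfig=null, controls=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@2::config=[org.ldaptive.ConnectionConfig@3::ldapUrl=ldap://localhost, connectTimeout=3000, responseTimeout=-1, sslConfig=null, useSSL=false, useStartTLS=false, connectionInitializer=null]]>
2015-09-19 14:07:15,660 INFO [org.ldaptive.auth.Authenticator] - <Authentication succeeded for dn: uid=myuser,ou=people,dc=example,dc=org>
2015-09-19 14:07:15,664 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler failed authenticating myuser+password>
ACTION: AUTHENTICATION_FAILED
ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
"""

# Constructed counterpart: wrong password, rejected by the server (err=49 = invalidCredentials).
SAMPLE_BAD_PASSWORD = """\
Sep 19 14:09:02 machine slapd[22970]: conn=1005 op=1 BIND dn="uid=myuser,ou=people,dc=example,dc=org" mech=SIMPLE ssf=0
Sep 19 14:09:02 machine slapd[22970]: conn=1005 op=1 RESULT tag=97 err=49 text=
2015-09-19 14:09:02,101 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler failed authenticating myuser+password>
ACTION: AUTHENTICATION_FAILED
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" mech=(\w+) ssf=(\d+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')  # tag 97 = BindResponse
CONN_RE = re.compile(r'ldapUrl=(ldaps?://[^,\]\s]+).*?useSSL=(true|false), useStartTLS=(true|false)')
LDAPTIVE_RE = re.compile(r'\[org\.ldaptive\.auth\.Authenticator\] - <Authentication (succeeded|failed) for dn')
HANDLER_RE = re.compile(r'PolicyBasedAuthenticationManager\] - <(\w+) failed authenticating')
AUDIT_RE = re.compile(r'^\s*ACTION: (\w+)')


@dataclass
class Triage:
    bind_dn: Optional[str] = None
    bind_mech: Optional[str] = None
    bind_ssf: Optional[int] = None            # slapd security strength factor; 0 = no TLS/SASL layer
    bind_err: Optional[int] = None            # slapd result code for the BIND op
    ldap_url: Optional[str] = None
    use_ssl: Optional[bool] = None
    use_starttls: Optional[bool] = None
    ldaptive_ok: Optional[bool] = None
    failed_handler: Optional[str] = None
    audit_actions: List[str] = field(default_factory=list)

    @property
    def cleartext_bind(self) -> bool:
        """True when the simple bind carried the password with no TLS or SASL layer."""
        server_view = self.bind_mech == "SIMPLE" and self.bind_ssf == 0
        client_view = (self.use_ssl is False and self.use_starttls is False
                       and (self.ldap_url or "").startswith("ldap://"))
        return server_view or client_view

    @property
    def failure_stage(self) -> str:
        if self.bind_err not in (None, 0) or self.ldaptive_ok is False:
            return "ldap-bind"            # the directory rejected the credential
        if self.failed_handler:
            return "cas-handler"          # bind succeeded; the CAS handler failed afterwards
        if "TICKET_GRANTING_TICKET_NOT_CREATED" in self.audit_actions:
            return "ticket-creation"
        return "none"


def triage(log_text: str) -> Triage:
    """Walk the mixed slapd / ldaptive / CAS lines and fill a Triage record."""
    t = Triage()
    bind_key = None
    for line in log_text.splitlines():
        if m := BIND_RE.search(line):
            bind_key = (m.group(1), m.group(2))
            t.bind_dn, t.bind_mech, t.bind_ssf = m.group(3), m.group(4), int(m.group(5))
        elif (m := RESULT_RE.search(line)) and (m.group(1), m.group(2)) == bind_key:
            t.bind_err = int(m.group(3))      # correlate on conn/op, not on adjacency
        elif m := CONN_RE.search(line):
            t.ldap_url = m.group(1)
            t.use_ssl, t.use_starttls = m.group(2) == "true", m.group(3) == "true"
        elif m := LDAPTIVE_RE.search(line):
            t.ldaptive_ok = m.group(1) == "succeeded"
        elif m := HANDLER_RE.search(line):
            t.failed_handler = m.group(1)
        elif m := AUDIT_RE.match(line):
            t.audit_actions.append(m.group(1))
    return t


if __name__ == "__main__":
    for name, sample in (("post", SAMPLE_OK_BIND_HANDLER_FAIL), ("bad-password", SAMPLE_BAD_PASSWORD)):
        r = triage(sample)
        print(f"{name}: stage={r.failure_stage} cleartext={r.cleartext_bind} bind_err={r.bind_err}")
```

On the post's own excerpt this classifies the failure as cas-handler: slapd returned err=0 and ldaptive logged "Authentication succeeded", so the credential was accepted and the cause sits in what LdapAuthenticationHandler does after the bind returns, which the single INFO line from PolicyBasedAuthenticationManager does not show. Separately, the config dump has useSSL=false and useStartTLS=false over ldap://localhost and slapd reports ssf=0, so the password crosses the socket in cleartext; on loopback that is a host-local exposure, anywhere else it is a network one.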