Current state, with ldaptive debug on:
There are no errors displayed in any logs. The log portion for the log-in is
available here: 'http://pastebin.com/4U85FfEs'.

Logs show 'resultCode=SUCCESS' for all of the following:
* 'org.ldaptive.SearchOperation',
* 'org.ldaptive.BindOperation',
* 'org.ldaptive.auth.PooledBindAuthenticationHandler',
* 'org.ldaptive.auth.Authenticator'.

Then it just prints

> 2016-04-06 06:46:40,298 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler failed authenticating someUser>


I'm stuck now, as there are no errors/severe/warn entries in the logs to go after.

I've attached the current updated state of the modified files
(deployerConfigContext.xml, cas.properties, pom.xml) from the Maven overlay.


*there might be 's/tyops/typos/g' in mail, multi-tasking hazards*

Regards,
Abhishek Kumar ( http://abhishekkr.github.io/ )
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~=ABK=~

On Tue, Apr 5, 2016 at 6:41 PM, Abhishek [ABK] Kumar <[email protected]> wrote:

> Hi,
>
> I did a little tweak with 'deployerConfigContext.xml' regarding 'bind', from
>
>>     ...
>>     p:connectionInitializer-ref="fastBindConnectionInitializer" />
>>
>>     <bean id="fastBindConnectionInitializer"
>>           class="org.ldaptive.ad.extended.FastBindOperation.FastBindConnectionInitializer">
>>     ...
>
> to
>
>>     ...
>>     p:connectionInitializer-ref="bindConnectionInitializer" />
>>
>>     <bean id="bindConnectionInitializer"
>>           class="org.ldaptive.BindConnectionInitializer"
>>           p:bindDn="${ldap.authn.managerDN}">
>>         <property name="bindCredential">
>>             <bean class="org.ldaptive.Credential"
>>                   c:password="${ldap.authn.managerPassword}" />
>>         </property>
>>     </bean>
>>     ...
>
> And now the bind error has been replaced by
>
> 'problem 2006 (BAD_NAME), data 8350'
>
>> 2016-04-05 13:02:47,089 DEBUG [org.ldaptive.auth.Authenticator] - <entry resolution failed for resolver=[org.ldaptive.auth.SearchEntryResolver@76445512::factory=null, baseDn=, userFilter=null, userFilterParameters=null, allowMultipleEntries=false, subtreeSearch=false, derefAliases=null, referralHandler=null, searchEntryHandlers=null]>
>> org.ldaptive.LdapException: javax.naming.InvalidNameException: [email protected]: [LDAP: error code 34 - 0000208F: NameErr: DSID-03100225, problem 2006 (BAD_NAME), data 8350, best match of: '[email protected]']; remaining name '[email protected]'
>>     at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:55) ~[ldaptive-1.1.0.jar:?]
>
> The other 2 success logs and then the auth failure are still the same.
>
>
>
>
>
> *there might be 's/tyops/typos/g' in mail, multi-tasking hazards*
>
> Regards,
> Abhishek Kumar ( http://abhishekkr.github.io/ )
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ~=ABK=~
>
> On Tue, Apr 5, 2016 at 5:22 PM, Abhishek [ABK] Kumar <[email protected]> wrote:
>
>> adding correct CAS community group id
>>
>> On Tue, Apr 5, 2016 at 5:13 PM, Abhishek [ABK] Kumar <[email protected]> wrote:
>>
>>> Hi Vallee,
>>>
>>> I've attached the current set of 'deployerConfigContext.xml' and
>>> 'cas.properties'.
>>>
>>> Log can be viewed at
>>> http://pastebin.com/fMRJ6Gug
>>>
>>> The seemingly interesting portions from it are (not exactly sure what or
>>> why):
>>>
>>> * 'successful bind must be completed on the connection'
>>>
>>>> [org.ldaptive.auth.Authenticator] - <entry resolution failed for resolver=[org.ldaptive.auth.SearchEntryResolver@499577695::factory=null, baseDn=, userFilter=null, userFilterParameters=null, allowMultipleEntries=false, subtreeSearch=false, derefAliases=null, referralHandler=null, searchEntryHandlers=null]>
>>>> org.ldaptive.LdapException: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090748, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580]; remaining name '[email protected]'
>>>>     at org.ldaptive.provider.ProviderUtils.throwOperationException
>>>
>>>
>>> Here the values (of baseDn, userFilter, subtreeSearch) are not what I
>>> provided in cas.properties and inferred in the XML. I have used different names,
>>> but I tried it with the default names from the doc and the logs had the same symptoms.
>>>
>>> * the above log is followed by 'Authentication succeeded for dn:
>>> [email protected]'
>>>
>>> Now this is confusing: it did, but it doesn't. Even the 'authenticate
>>> response' log later has the tokens 'result=true, resultCode=SUCCESS'.
>>>
>>>
>>> * then again the old log appears 'LdapAuthenticationHandler failed
>>> authenticating someuser'
>>>
>>> and the log-in fails on CAS Web-UI.
>>>
>>>
>>>
>>>
>>> *there might be 's/tyops/typos/g' in mail, multi-tasking hazards*
>>>
>>> Regards,
>>> Abhishek Kumar ( http://abhishekkr.github.io/ )
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>> ~=ABK=~
>>>
>>> On Tue, Apr 5, 2016 at 4:02 PM, Vallee Romain <[email protected]>
>>> wrote:
>>>
>>>> Can you turn debug on?
>>>>
>>>>
>>>> On Monday, 4 April 2016 14:24:14 UTC+2, Abhishek Kumar wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I'm new to Jasig CAS setup.
>>>>> I'm trying to get CAS set up with Active Directory over LDAP (the plan is
>>>>> for LDAPS, but I need to get the first step done first), with CAS deployed on
>>>>> Tomcat 8.
>>>>>
>>>>> I'm using the Maven overlay (master branch of
>>>>> https://github.com/Jasig/cas-overlay-template.git) with modified
>>>>> 'pom.xml', 'etc/cas.properties' and
>>>>> 'src/main/webapp/WEB-INF/deployerConfigContext.xml'. I've attached the
>>>>> three modified files here.
>>>>>
>>>>> This setup starts CAS without any errors, and I can open the login page
>>>>> in a browser. But when I try to authenticate using one of the *existing*
>>>>> credentials from AD, the log-in attempt fails with the very normal message
>>>>>
>>>>>> 2016-04-04 11:22:42,277 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler failed authenticating anotherUser>
>>>>>> 2016-04-04 11:22:42,288 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>>>>>> =============================================================
>>>>>> WHO: anotherUser
>>>>>> WHAT: Supplied credentials: [anotherUser]
>>>>>> ACTION: AUTHENTICATION_FAILED
>>>>>> APPLICATION: CAS
>>>>>> WHEN: Mon Apr 04 11:22:42 UTC 2016
>>>>>> CLIENT IP ADDRESS: XX.ABC.P.LMN
>>>>>> SERVER IP ADDRESS: XX.ABC.Q.GHI
>>>>>> =============================================================
>>>>>
>>>>>
>>>>>
>>>>> My guess is that one of the 'cas.properties' configuration values or
>>>>> 'deployerConfigContext.xml' attributes is messy, and I'm not able to
>>>>> identify it due to my incomplete knowledge of the topic.
>>>>>
>>>>> Any pointers or trial guidelines will be helpful.
>>>>>
>>>>> Also, in general, a critique of what is extra or missing from a
>>>>> good-configuration standpoint would be helpful as well. Thanks
>>>>>
>>>>> Regards,
>>>>> AbhishekKr
>>>>>
>>>>
>>>
>>
>

-- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAKijsPOa%3D%2B4sLX5yb1MezBV2%2BPqWN7Nobo3%3DC1Y1T_5QQyXbtw%40mail.gmail.com.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
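The two AD diagnostics quoted in this thread (error code 1 with 000004DC, and error code 34 with problem 2006 BAD_NAME) carry their real cause in the fields AD appends to the LDAP message. The script below is an added example for this page, not CAS or ldaptive code: it pulls those fields apart and says what each means. The first two sample lines are the thread's own diagnostics with the e-mail line wrapping undone, with the placeholder `someUser@example.com` standing in for the UPN the archive redacted; the third is a constructed error-49 line so the bind-failure data codes are covered too. The DN/UPN check and the diagnosis texts are mine, not ldaptive's.

```python
"""Triage of ldaptive / Active Directory diagnostic strings from CAS debug logs.

Added example for this thread; not CAS or ldaptive code. AD hides the real
cause inside the LDAP diagnostic message (an 8-digit hex code, an optional
'problem NNNN (NAME)', a 'data' field). This pulls those apart and explains
them. It only parses text, so it runs offline on the sample lines below.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC 4511 result codes that matter here.
LDAP_RESULT = {1: "operationsError", 34: "invalidDNSyntax", 49: "invalidCredentials"}

# Well-known AD 'data' sub-codes (hex) that accompany result code 49 on a bind.
AD_BIND_DATA = {
    "525": "user not found",
    "52e": "bad password",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches "[LDAP: error code 34 - 0000208F: NameErr: DSID-03100225, problem 2006 (BAD_NAME), data 8350, ...]"
# and     "[LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090748, comment: ..., data 0, v2580]"
_ERR_RE = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<hex>[0-9A-Fa-f]{8}): "
    r"(?P<kind>\w+): DSID-(?P<dsid>[0-9A-Fa-f]+)"
    r"(?:, comment: (?P<comment>.*?))?"
    r"(?:, problem (?P<problem>\d+) \((?P<pname>[A-Z_]+)\))?"
    r", data (?P<data>[0-9A-Fa-f]+)"
)
_NAME_RE = re.compile(r"remaining name '(?P<name>[^']*)'")   # JNDI appends this
_RDN_RE = re.compile(r"^\s*[A-Za-z][A-Za-z0-9.-]*=.+$")


def looks_like_dn(name: str) -> bool:
    """True for 'CN=x,OU=y,DC=z' style names, False for a UPN like user@realm.
    AD accepts a UPN as a *bind* name, but a search base must be a real DN."""
    rdns = re.split(r"(?<!\\),", name)   # a backslash-escaped comma stays inside its RDN (RFC 4514)
    return all(_RDN_RE.match(rdn) for rdn in rdns)


@dataclass
class Finding:
    result_code: Optional[int]
    result_name: str
    ad_code: Optional[str]   # 8-digit hex code AD puts in front of LdapErr/NameErr
    data: Optional[str]      # AD 'data' field, hex for bind failures
    name: Optional[str]      # JNDI 'remaining name', if present
    diagnosis: str


def triage(line: str) -> Finding:
    """Explain one log line; lines without an LDAP diagnostic get a neutral finding."""
    m = _ERR_RE.search(line)
    n = _NAME_RE.search(line)
    name = n.group("name") if n else None
    if m is None:
        return Finding(None, "", None, None, name, "no LDAP diagnostic message in line")
    code, data = int(m.group("code")), m.group("data")
    comment = m.group("comment") or ""
    if code == 1 and ("successful bind" in comment or m.group("hex").upper().endswith("04DC")):
        diag = ("search ran on a connection that never bound: the connectionInitializer "
                "did not bind (or bound anonymously), so AD refuses the search")
    elif code == 34:
        diag = "invalidDNSyntax: the name used as a base or target is not a DN"
        if name and not looks_like_dn(name):
            diag += (f"; '{name}' is a UPN, so find the entry with a search such as "
                     f"(userPrincipalName={name}) under the base DN instead of using the UPN as a DN")
    elif code == 49:
        diag = "bind rejected: " + AD_BIND_DATA.get(data.lower(), f"unknown AD data code {data}")
    else:
        diag = f"{LDAP_RESULT.get(code, 'result ' + str(code))}: {comment or m.group('pname') or 'see AD code'}"
    return Finding(code, LDAP_RESULT.get(code, ""), m.group("hex").upper(), data, name, diag)


def triage_all(lines: List[str]) -> List[Finding]:
    return [triage(line) for line in lines]


# Sample input: the first two lines are the thread's own diagnostics with the
# e-mail line wrapping undone; 'someUser@example.com' is a placeholder for the
# UPN the archive redacted. The third line is constructed to show a bind failure.
SAMPLE_LOG = [
    "org.ldaptive.LdapException: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: "
    "LdapErr: DSID-0C090748, comment: In order to perform this operation a successful bind must "
    "be completed on the connection., data 0, v2580]; remaining name 'someUser@example.com'",
    "org.ldaptive.LdapException: javax.naming.InvalidNameException: someUser@example.com: "
    "[LDAP: error code 34 - 0000208F: NameErr: DSID-03100225, problem 2006 (BAD_NAME), data 8350, "
    "best match of: 'someUser@example.com']; remaining name 'someUser@example.com'",
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: "
    "DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]",
]

if __name__ == "__main__":
    for f in triage_all(SAMPLE_LOG):
        print(f"code={f.result_code} ({f.result_name}) ad={f.ad_code} data={f.data}: {f.diagnosis}")
```

Run it as-is to see the three findings, or feed it the output of `grep 'LDAP: error code' cas.log`. Two things it makes explicit. The error-1 line says the search went out on a connection AD does not consider bound; as I read AD's fast bind, a FastBindConnectionInitializer connection is authenticated but not authorized, so a search on it gets exactly this refusal. The error-34 line says the UPN produced by the FormatDnResolver was then used where a DN is required; the resolver in the quoted log shows `baseDn=` and `userFilter=null`, meaning it searched the bound name itself as a base object rather than searching for it under a base DN. A successful bind followed by 'failed authenticating' therefore points at entry resolution, not at the password. One caveat: debug logs of an authentication path contain account names, hosts and the bind DN, so scrub them before pasting to a public service.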
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
       http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
       http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
       http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

    <util:map id="authenticationHandlersResolvers">
        <entry key-ref="ldapAuthenticationHandler" value="#{null}" />
    </util:map>

    <util:list id="authenticationMetadataPopulators">
        <ref bean="successfulHandlerMetaDataPopulator" />
        <ref bean="rememberMeAuthenticationMetaDataPopulator" />
    </util:list>

    <context:annotation-config/>

    <bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
        <constructor-arg>
            <map>
                <entry key-ref="ldapAuthenticationHandler" value="#{null}" />
            </map>
        </constructor-arg>

        <property name="authenticationPolicy">
            <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" />
        </property>
    </bean>

    <bean id="ldapAuthenticationHandler"
          class="org.jasig.cas.authentication.LdapAuthenticationHandler"
          p:principalIdAttribute="sAMAccountName"
          c:authenticator-ref="authenticator">
      <property name="principalAttributeMap">
          <map>
              <entry key="displayName" value="displayName" />
              <entry key="memberOf" value="memberOf" />
          </map>
      </property>
    </bean>
    
    <bean id="authenticator" class="org.ldaptive.auth.Authenticator"
          c:resolver-ref="dnResolver"
          p:entryResolver-ref="entryResolver"
          c:handler-ref="authHandler" />
    
    <bean id="dnResolver"
          class="org.ldaptive.auth.FormatDnResolver"
          c:format="${cas.ldap.authn.format}" />
    
    <bean id="authHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler"
          p:connectionFactory-ref="pooledLdapConnectionFactory" />
    
    <bean id="pooledLdapConnectionFactory"
          class="org.ldaptive.pool.PooledConnectionFactory"
          p:connectionPool-ref="connectionPool" />
    
    <bean id="connectionPool"
          class="org.ldaptive.pool.BlockingConnectionPool"
          init-method="initialize"
          p:poolConfig-ref="ldapPoolConfig"
          p:blockWaitTime="${cas.ldap.pool.blockWaitTime}"
          p:validator-ref="searchValidator"
          p:pruneStrategy-ref="pruneStrategy"
          p:connectionFactory-ref="connectionFactory"
          p:failFastInitialize="false" />
    
    <bean id="ldapPoolConfig" class="org.ldaptive.pool.PoolConfig"
          p:minPoolSize="${cas.ldap.pool.minSize}"
          p:maxPoolSize="${cas.ldap.pool.maxSize}"
          p:validateOnCheckOut="${cas.ldap.pool.validateOnCheckout}"
          p:validatePeriodically="${cas.ldap.pool.validatePeriodically}"
          p:validatePeriod="${cas.ldap.pool.validatePeriod}" />
    
    <bean id="connectionFactory" class="org.ldaptive.DefaultConnectionFactory"
          p:connectionConfig-ref="connectionConfig" />
    
    <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig"
          p:ldapUrl="${cas.ldap.url}"
          p:connectTimeout="${cas.ldap.connectTimeout}"
          p:useStartTLS="${cas.ldap.useStartTLS}"
          p:connectionInitializer-ref="bindConnectionInitializer" />

    <bean id="bindConnectionInitializer"
          class="org.ldaptive.BindConnectionInitializer"
          p:bindDn="${ldap.authn.managerDN}">
        <property name="bindCredential">
            <bean class="org.ldaptive.Credential"
                  c:password="${ldap.authn.managerPassword}" />
        </property>
    </bean>
    
    <bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
          p:prunePeriod="${cas.ldap.pool.prunePeriod}"
          p:idleTime="${cas.ldap.pool.idleTime}" />
    
    <bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" />

    <bean id="entryResolver"
          class="org.ldaptive.auth.SearchEntryResolver"
          p:baseDn="${ldap.authn.baseDn}"
          p:userFilter="userPrincipalName={dn}"
          p:subtreeSearch="true" />
    <!--
        tried with same result:
        p:userFilter="sAMAccountName={user}"
        p:userFilter="userPrincipalName={dn}"
        p:userFilter="sAMAccountName=%u"
    -->

    <bean id="attributeRepository" class="org.jasig.services.persondir.support.NamedStubPersonAttributeDao"
          p:backingMap-ref="attrRepoBackingMap" />

    <util:map id="attrRepoBackingMap">
        <entry key="uid" value="uid" />
        <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
        <entry key="groupMembership" value="groupMembership" />
        <entry>
            <key><value>memberOf</value></key>
            <list>
                <value>faculty</value>
                <value>staff</value>
                <value>org</value>
            </list>
        </entry>
    </util:map>

    <alias name="serviceThemeResolver" alias="themeResolver" />
    <alias name="defaultTicketRegistry" alias="ticketRegistry" />

    <alias name="ticketGrantingTicketExpirationPolicy" alias="grantingTicketExpirationPolicy" />
    <alias name="multiTimeUseOrTimeoutExpirationPolicy" alias="serviceTicketExpirationPolicy" />

    <alias name="anyAuthenticationPolicy" alias="authenticationPolicy" />
    <alias name="acceptAnyAuthenticationPolicyFactory" alias="authenticationPolicyFactory" />

    <bean id="serviceRegistryDao" class="org.jasig.cas.services.JsonServiceRegistryDao"
          c:configDirectory="${service.registry.config.location:classpath:services}" />

    <bean id="auditTrailManager" class="org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />

    <bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor" p:monitors-ref="monitorsList" />

    <alias name="neverThrottle" alias="authenticationThrottle" />

    <util:list id="monitorsList">
        <bean class="org.jasig.cas.monitor.MemoryMonitor" p:freeMemoryWarnThreshold="10" />
        <bean class="org.jasig.cas.monitor.SessionMonitor"
              p:ticketRegistry-ref="ticketRegistry"
              p:serviceTicketCountWarnThreshold="5000"
              p:sessionCountWarnThreshold="100000" />
    </util:list>

    <alias name="defaultPrincipalFactory" alias="principalFactory" />
    <alias name="defaultAuthenticationTransactionManager" alias="authenticationTransactionManager" />
    <alias name="defaultPrincipalElectionStrategy" alias="principalElectionStrategy" />
</beans>

Attachment: cas.properties
Description: Binary data
