Hi all,
we want to deploy a CAS 5.1 server with the Maven Overlay method under 
CentOS 7, Java 1.8.0 and Tomcat 8.0.
Currently I am trying to set up authentication against LDAP.

The configuration I am using is fairly simple:
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].ldapUrl=ldap://...:3890
cas.authn.ldap[0].bindDn=cn=manager,dc=example,dc=org
cas.authn.ldap[0].bindCredential=secret
cas.authn.ldap[0].baseDn=dc=example,dc=org
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].subtreeSearch=true


During startup of Tomcat the CAS server initializes a connection pool. 
In the log there are three consecutive 

beginning pool initialization...
...
execute request=[org.ldaptive.BindRequest@261320823...
execute response=[org.ldaptive.Response@753570317...
[request and response happens 2 more times here]
added available connection: org.ldaptive.pool.AbstractConnectionPool

So in total there are 9 BindRequests+Responses during initialization. When 
looking at the LDAP server's logs I can also verify 9 BIND requests. So 
everything works as expected.

Fast forward to authentication. There is a timeout when reading the LDAP 
response. So essentially there never is a response. See the log below for 
this part:

2017-06-22 15:07:13,564 DEBUG [org.ldaptive.SearchOperation] - <execute 
request=[org.ldaptive.SearchRequest@1990922963::baseDn=dc=example,dc=org, 
searchFilter=[org.ldaptive.SearchFilter@538592870::filter=uid={user}, 
parameters={context=null, user=t.benutzer}], returnAttributes=[1.1], 
searchScope=SUBTREE, timeLimit=PT0S, sizeLimit=0, derefAliases=null, 
typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, 
searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, 
referralHandler=null, intermediateResponseHandlers=null] with 
connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1341165364::config=[org.ldaptive.ConnectionConfig@1707652548::ldapUrl=ldap://openldap-1.daasi.prj:3890,
connectTimeout=PT5S, responseTimeout=PT5S, 
sslConfig=[org.ldaptive.ssl.SslConfig@215657008::credentialConfig=null, 
trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, 
handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, 
connectionInitializer=[org.ldaptive.BindConnectionInitializer@983570221::bindDn=cn=manager,dc=example,dc=org,
bindSaslConfig=null, bindControls=null], 
connectionStrategy=org.ldaptive.DefaultConnectionStrategy@36e4c967], 
providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@1968431256::metadata=[ldapUrl=ldap://openldap-1.daasi.prj:3890,
count=1], environment={com.sun.jndi.ldap.connect.timeout=5000, 
java.naming.ldap.version=3, 
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, 
com.sun.jndi.ldap.read.timeout=5000}, classLoader=null, 
providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@1701617828::operationExceptionResultCodes=[PROTOCOL_ERROR,
SERVER_DOWN], properties={}, 
controlProcessor=org.ldaptive.provider.ControlProcessor@622e959f, 
environment=null, tracePackets=null, removeDnUrls=true, 
searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, 
PARTIAL_RESULTS], classLoader=null, sslSocketFactory=null, 
hostnameVerifier=null]], 
providerConnection=org.ldaptive.provider.jndi.JndiConnection@296c3fc1]>
2017-06-22 15:07:18,748 DEBUG 
[org.ldaptive.provider.jndi.NamingExceptionUtils] - <naming exception class 
javax.naming.NamingException is ambiguous, maps to multiple result codes: 
[OPERATIONS_ERROR, ALIAS_PROBLEM, ALIAS_DEREFERENCING_PROBLEM, LOOP_DETECT, 
AFFECTS_MULTIPLE_DSAS, OTHER]>
2017-06-22 15:07:18,760 ERROR 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
<[LdapAuthenticationHandler]: [Unexpected LDAP error]  (Details: 
[javax.naming.NamingException: LDAP response read timed out, timeout 
used:5000ms.; remaining name 'dc=example,dc=org'])>
2017-06-22 15:07:18,761 WARN 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
<Authentication has failed. Credentials may be incorrect or CAS cannot find 
authentication handler that supports [t.benutzer] of type 
[UsernamePasswordCredential], which suggests a configuration problem.>

When looking at the LDAP server's logs I also do not see anything. It's 
like the request never leaves the server that is running CAS.

Now the funny thing is: when I restart the LDAP server now and try to login 
again it does work! Another bind occurs, since the connection is no longer 
available and I get a response to the SearchRequest. Obviously the LDAP 
server log does also reflect this and shows the search operation:

execute request=[org.ldaptive.SearchRequest@128569139
Operation exception encountered, reopening connection
...
execute request=[org.ldaptive.BindRequest@1701619972
execute response=[org.ldaptive.Response@844611484
execute 
response=[org.ldaptive.Response@430713277::result=[org.ldaptive.SearchResult
Authentication succeeded for dn: uid=t.benutzer,ou=people,dc=example,dc=org

I pretty much tried every timeout setting that is documented in 
https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html 
and also played around with the Passivator settings.
When I set up a validator the same thing happens: there is no Response to 
the SearchRequests and in fact the LDAP server is never receiving any 
requests.

Any input on this is very much appreciated!
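Added example, not from the original post and not CAS or ldaptive code: a small Python model of what the post describes, a pool of manager-bound LDAP connections opened at startup, a login that does a DN search on a pooled connection, and a validate-on-checkout probe that detects a connection the server no longer answers on and reopens it. It assumes (as a hypothesis, not something the post confirms) that the pooled sessions go stale while idle, for example because a firewall or the LDAP server silently drops idle TCP sessions, which would explain why the search never reaches the server yet a fresh bind after an LDAP restart works. The manager DN, base DN, user filter and the user's DN are the ones from the post; the passwords, the class and function names (FakeDirectory, Pool, authenticate, login_after_idle_drop) and the directory contents are constructed.

```python
"""Model of a pooled LDAP client with and without validate-on-checkout.
Constructed illustration; no real LDAP traffic is sent."""

import itertools

MANAGER_DN = "cn=manager,dc=example,dc=org"   # values from the CAS config in the post
MANAGER_PW = "secret"
BASE_DN = "dc=example,dc=org"
USER_FILTER = "uid={user}"


class ResponseTimeout(Exception):
    """Stands in for 'LDAP response read timed out' in the CAS log."""


class FakeDirectory:
    """Stand-in for the LDAP server side: tracks live sessions and can
    'forget' idle ones the way a firewall idle timeout or server-side
    idle close would, while the client still holds its socket."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.live_sessions = set()
        self.bind_count = 0
        self.search_count = 0
        # constructed entry; the DN is the one the post's success log shows
        self.entries = {"uid=t.benutzer,ou=people,dc=example,dc=org": "user-pw"}

    def bind(self, dn, password):
        self.bind_count += 1
        if (dn, password) not in {(MANAGER_DN, MANAGER_PW), *self.entries.items()}:
            raise PermissionError("invalid credentials")
        sid = next(self._ids)
        self.live_sessions.add(sid)
        return sid

    def drop_idle_sessions(self):
        """Server/firewall side forgets every session; client is not told."""
        self.live_sessions.clear()

    def search(self, sid, base_dn, filt):
        if sid not in self.live_sessions:
            # nobody answers on the client's stale session: the read times out
            raise ResponseTimeout("LDAP response read timed out, timeout used:5000ms.")
        self.search_count += 1
        attr, _, value = filt.partition("=")
        return [dn for dn in self.entries
                if dn.endswith(base_dn) and dn.split(",")[0] == f"{attr}={value}"]


class Pool:
    """Blocking pool: `size` manager connections bound at startup, handed out
    on checkout. With validate_on_checkout a cheap search is run first and a
    dead connection is replaced instead of being handed to the caller."""

    def __init__(self, directory, size=3, validate_on_checkout=False):
        self.directory = directory
        self.validate_on_checkout = validate_on_checkout
        self.available = [directory.bind(MANAGER_DN, MANAGER_PW) for _ in range(size)]
        self.reopened = 0

    def _is_healthy(self, sid):
        try:
            self.directory.search(sid, BASE_DN, "objectClass=*")  # validator probe
            return True
        except ResponseTimeout:
            return False

    def checkout(self):
        sid = self.available.pop(0)
        if self.validate_on_checkout and not self._is_healthy(sid):
            self.reopened += 1
            sid = self.directory.bind(MANAGER_DN, MANAGER_PW)   # fresh session
        return sid

    def checkin(self, sid):
        self.available.append(sid)


def authenticate(pool, directory, user, password):
    """AUTHENTICATED-style flow: resolve the DN with a pooled manager
    connection, then bind as that DN with the user's password."""
    sid = pool.checkout()
    try:
        dns = directory.search(sid, BASE_DN, USER_FILTER.format(user=user))
    finally:
        pool.checkin(sid)
    if len(dns) != 1:
        return None
    directory.bind(dns[0], password)   # PermissionError on a wrong password
    return dns[0]


def login_after_idle_drop(validate_on_checkout, idle_drop=True):
    """Startup, an idle period (optionally dropping sessions), then one login.
    Returns (outcome, binds seen by the server, connections reopened)."""
    directory = FakeDirectory()
    pool = Pool(directory, size=3, validate_on_checkout=validate_on_checkout)
    if idle_drop:
        directory.drop_idle_sessions()
    try:
        dn = authenticate(pool, directory, "t.benutzer", "user-pw")
        outcome = "success" if dn else "no such user"
    except ResponseTimeout:
        outcome = "timeout"
    return outcome, directory.bind_count, pool.reopened


if __name__ == "__main__":
    print("no validator, sessions dropped:", login_after_idle_drop(False))
    print("validator,    sessions dropped:", login_after_idle_drop(True))
    print("no validator, nothing dropped: ", login_after_idle_drop(False, idle_drop=False))
```

The first run reproduces the symptom in the post (three binds at startup, then a search that times out and never reaches the server); the second shows the validator paying one extra bind per stale connection to recover; the third confirms the same pool is fine when the sessions stay alive, which is why a restart of the LDAP server "fixes" it.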
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/590d9fc7-7f70-4a56-88c2-f17d94b90abd%40apereo.org.