This is a guess, but your dnFormat doesn't look very AD-ish to me. I note
that you have an "ou=Users" in the commented-out bindDn; shouldn't you have
that in dnFormat as well?

If you can, bring up one of the AD tools (under Windows) and look yourself
up, and copy the DN string exactly.

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

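As an added example (not from this thread or the CAS project), here is a small Python helper that pulls the resolved DN and the Active Directory "data" sub-code out of ldaptive DEBUG lines like the ones quoted below, and flags a dnFormat that has no OU/CN container between the user RDN and the dc= components, which is the pattern Dave is pointing at. The sample log is reconstructed from the thread's lines (unwrapped into single lines), and the sub-code table is the documented AD mapping for LDAP result 49.

```python
import re

# Documented AD sub-codes that accompany LDAP result 49 (invalid credentials).
# This mapping is AD's standard table, not something taken from the thread.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bind DN or password rejected)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

DN_FORMAT_RE = re.compile(r"Formatting DN for (\S+) with (\S+)>")
LDAP_ERR_RE = re.compile(
    r"LDAP: error code (\d+) - [0-9A-Fa-f]+: LdapErr: [^\]]*?data ([0-9a-f]{3})")

# Constructed sample: three lines from the thread's catalina.out, unwrapped.
SAMPLE_LOG = """\
2018-05-15 13:27:45,869 DEBUG [org.ldaptive.auth.FormatDnResolver] - <Formatting DN for jennifer.lavoie with cn=%s,dc=campus,dc=bridgew,dc=edu>
2018-05-15 13:27:45,874 INFO [org.ldaptive.auth.Authenticator] - <Authentication failed for dn: cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu>
2018-05-15 13:27:45,874 DEBUG [org.ldaptive.auth.Authenticator] - <authenticate response=[... result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580], controls=null] ...>
"""


def resolved_dn(log_text):
    """Return (user, dn_format, resolved_dn) from the FormatDnResolver line, or None."""
    m = DN_FORMAT_RE.search(log_text)
    if not m:
        return None
    user, fmt = m.groups()
    return user, fmt, fmt.replace("%s", user)


def classify_bind_failure(log_text):
    """Return (ldap_result_code, ad_subcode, meaning) for the first AD bind error, or None."""
    m = LDAP_ERR_RE.search(log_text)
    if not m:
        return None
    code, sub = m.groups()
    return int(code), sub, AD_BIND_SUBCODES.get(sub, "unknown AD sub-code")


def dn_has_container(dn):
    """True if some RDN after the first is an ou= or cn= container (typical of AD user DNs)."""
    rdns = [r.strip().lower() for r in dn.split(",")]
    return any(r.startswith("ou=") or r.startswith("cn=") for r in rdns[1:])


def diagnose(log_text):
    """Summarise a failed CAS/ldaptive AD bind from DEBUG log text."""
    findings = {}
    dn = resolved_dn(log_text)
    if dn:
        findings["user"], findings["dn_format"], findings["resolved_dn"] = dn
        findings["dn_has_container"] = dn_has_container(dn[2])
    err = classify_bind_failure(log_text)
    if err:
        findings["ldap_result_code"], findings["ad_subcode"], findings["meaning"] = err
    return findings
```

Running `diagnose(SAMPLE_LOG)` on the thread's lines reports sub-code 52e and `dn_has_container` False, which is exactly the combination that suggests the bind DN, not the password, should be checked against the real AD object.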

On Tue, May 15, 2018 at 1:31 PM, Jennifer LaVoie <nixgeekg...@gmail.com>
wrote:

> Thanks Dave...I had to format my ldap stuff in the cas.properties
> differently
>
> It now looks like this
>
> cas.authn.ldap[0].order:                0
> cas.authn.ldap[0].name:                 Active Directory
> cas.authn.ldap[0].type:                 AD
> cas.authn.ldap[0].ldapUrl:              ldaps://xxx.campus.bridgew.edu:636
> cas.authn.ldap[0].validatePeriod:       270
> cas.authn.ldap[0].poolPassivator:       NONE
> cas.authn.ldap[0].userFilter:           sAMAccountName={user}
> cas.authn.ldap[0].baseDn:               dc=campus,dc=bridgew,dc=edu
> #cas.authn.ldap[0].bindDn:               cn=cas5,ou=Users,dc=campus,
> dc=bridgew,dc=edu
> #cas.authn.ldap[0].bindCredential:      xxxx
> cas.authn.ldap[0].dnFormat:             cn=%s,dc=campus,dc=bridgew,dc=edu
>
> and now the page loads, but I still can't log in
>
> When I netstat -anop | grep java
>
> [root@cas3-dev bin]# netstat -anop |grep java
> tcp        0      0 127.0.0.1:8005          0.0.0.0:*
>  LISTEN      1795/java            off (0.00/0/0)
> tcp        0      0 0.0.0.0:8009            0.0.0.0:*
>  LISTEN      1795/java            off (0.00/0/0)
> tcp        0      0 0.0.0.0:8443            0.0.0.0:*
>  LISTEN      1795/java            off (0.00/0/0)
> tcp        0      0 10.20.32.131:48450      10.20.16.65:636
>  ESTABLISHED 1795/java            off (0.00/0/0)
> tcp        0      0 10.20.32.131:48452      10.20.16.65:636
>  ESTABLISHED 1795/java            off (0.00/0/0)
> tcp        0      0 10.20.32.131:48446      10.20.16.65:636
>  ESTABLISHED 1795/java            off (0.00/0/0)
> tcp        0      0 10.20.32.131:48448      10.20.16.65:636
>  ESTABLISHED 1795/java            off (0.00/0/0)
> tcp        0      0 10.20.32.131:48456      10.20.16.65:636
>  ESTABLISHED 1795/java            off (0.00/0/0)
> tcp        0      0 10.20.32.131:48454      10.20.16.65:636
>  ESTABLISHED 1795/java            off (0.00/0/0)
> unix  3      [ ]         STREAM     CONNECTED     31497    1795/java
> unix  2      [ ]         STREAM     CONNECTED     31408    1795/java
> unix  3      [ ]         STREAM     CONNECTED     31498    1795/java
> unix  3      [ ]         STREAM     CONNECTED     30719    1795/java
> unix  3      [ ]         STREAM     CONNECTED     30720    1795/java
> unix  2      [ ]         STREAM     CONNECTED     31781    1795/java
>
> so things seem to be bound correctly
>
> Here is my catalina.out grepping for jennifer.lavoie (username)
>
> 2018-05-15 13:27:45,866 DEBUG [org.apereo.cas.authentication.handler.
> support.AbstractUsernamePasswordAuthenticationHandler] - <Examining
> credential [jennifer.lavoie] eligibility for authentication handler [Active
> Directory]>
> 2018-05-15 13:27:45,867 DEBUG [org.apereo.cas.authentication.handler.
> support.AbstractUsernamePasswordAuthenticationHandler] - <Credential
> [jennifer.lavoie] eligibility is [Active Directory] for authentication
> handler [true]>
> 2018-05-15 13:27:45,868 DEBUG [org.apereo.cas.authentication.handler.
> support.AbstractUsernamePasswordAuthenticationHandler] - <Attempting to
> encode credential password via [org.springframework.security.
> crypto.password.NoOpPasswordEncoder] for [jennifer.lavoie]>
> 2018-05-15 13:27:45,868 DEBUG [org.apereo.cas.authentication.handler.
> support.AbstractUsernamePasswordAuthenticationHandler] - <Attempting
> authentication internally for transformed credential [jennifer.lavoie]>
> 2018-05-15 13:27:45,869 DEBUG 
> [org.apereo.cas.authentication.LdapAuthenticationHandler]
> - <Attempting LDAP authentication for [jennifer.lavoie]. Authenticator
> pre-configured attributes are [null], additional requested attributes for
> this authentication request are [[]]>
> 2018-05-15 13:27:45,869 DEBUG [org.ldaptive.auth.FormatDnResolver] -
> <Formatting DN for jennifer.lavoie with cn=%s,dc=campus,dc=bridgew,dc=edu>
> 2018-05-15 13:27:45,869 DEBUG [org.ldaptive.auth.Authenticator] -
> <authenticate dn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu with
> request=[org.ldaptive.auth.AuthenticationRequest@1995766693::user=[org.
> ldaptive.auth.User@720667905::identifier=jennifer.lavoie, context=null],
> returnAttributes=[], controls=null]>
> 2018-05-15 13:27:45,869 DEBUG [org.ldaptive.auth.
> PooledBindAuthenticationHandler] - <authenticate
> criteria=[org.ldaptive.auth.AuthenticationCriteria@
> 157874454::dn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu,
> authenticationRequest=[org.ldaptive.auth.AuthenticationRequest@
> 1995766693::user=[org.ldaptive.auth.User@720667905::identifier=jennifer.lavoie,
> context=null], returnAttributes=[], controls=null]]>
> 2018-05-15 13:27:45,873 DEBUG [org.ldaptive.BindOperation] - <execute
> request=[org.ldaptive.BindRequest@632797964::bindDn=
> cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu, saslConfig=null,
> controls=[[org.ldaptive.control.PasswordPolicyControl@-350057371::criticality=false,
> timeBeforeExpiration=0, graceAuthNsRemaining=0, error=null]],
> referralHandler=null, intermediateResponseHandlers=null] with
> connection=[org.ldaptive.DefaultConnectionFactory$
> DefaultConnection@588723547::config=[org.ldaptive.
> ConnectionConfig@1903426706::ldapUrl=ldaps://boydendc-prd.
> campus.bridgew.edu:636, connectTimeout=PT5S, responseTimeout=PT5S,
> sslConfig=[org.ldaptive.ssl.SslConfig@744860926::credentialConfig=null,
> trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null,
> enabledCipherSuites=null, enabledProtocols=null,
> handshakeCompletedListeners=null], useSSL=true, useStartTLS=false,
> connectionInitializer=null, connectionStrategy=org.ldaptive.
> DefaultConnectionStrategy@dd9392c], providerConnectionFactory=[
> org.ldaptive.provider.jndi.JndiConnectionFactory@
> 601538727::metadata=[ldapUrl=ldaps://boydendc-prd.campus.bridgew.edu:636,
> count=1], 
> environment={java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory,
> com.sun.jndi.ldap.connect.timeout=5000, java.naming.ldap.version=3,
> java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
> java.naming.security.protocol=ssl, com.sun.jndi.ldap.read.timeout=5000},
> classLoader=null, providerConfig=[org.ldaptive.provider.jndi.
> JndiProviderConfig@947873970::operationExceptionResultCodes=[PROTOCOL_ERROR,
> SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.
> provider.ControlProcessor@3dd40ce0, environment=null, tracePackets=null,
> removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED,
> SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], classLoader=null,
> sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.
> ldaptive.provider.jndi.JndiConnection@c44eb3]>
> 2018-05-15 13:27:45,874 DEBUG [org.ldaptive.auth.
> PooledBindAuthenticationHandler] - <authenticate
> response=[org.ldaptive.auth.AuthenticationHandlerResponse@
> 728104502::connection=[org.ldaptive.DefaultConnectionFactory$
> DefaultConnection@588723547::config=[org.ldaptive.
> ConnectionConfig@1903426706::ldapUrl=ldaps://boydendc-prd.
> campus.bridgew.edu:636, connectTimeout=PT5S, responseTimeout=PT5S,
> sslConfig=[org.ldaptive.ssl.SslConfig@744860926::credentialConfig=null,
> trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null,
> enabledCipherSuites=null, enabledProtocols=null,
> handshakeCompletedListeners=null], useSSL=true, useStartTLS=false,
> connectionInitializer=null, connectionStrategy=org.ldaptive.
> DefaultConnectionStrategy@dd9392c], providerConnectionFactory=[
> org.ldaptive.provider.jndi.JndiConnectionFactory@
> 601538727::metadata=[ldapUrl=ldaps://boydendc-prd.campus.bridgew.edu:636,
> count=1], 
> environment={java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory,
> com.sun.jndi.ldap.connect.timeout=5000, java.naming.ldap.version=3,
> java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
> java.naming.security.protocol=ssl, com.sun.jndi.ldap.read.timeout=5000},
> classLoader=null, providerConfig=[org.ldaptive.provider.jndi.
> JndiProviderConfig@947873970::operationExceptionResultCodes=[PROTOCOL_ERROR,
> SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.
> provider.ControlProcessor@3dd40ce0, environment=null, tracePackets=null,
> removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED,
> SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], classLoader=null,
> sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.
> ldaptive.provider.jndi.JndiConnection@c44eb3], result=false,
> resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException:
> [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment:
> AcceptSecurityContext error, data 52e, v2580], controls=null] for
> criteria=[org.ldaptive.auth.AuthenticationCriteria@
> 157874454::dn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu,
> authenticationRequest=[org.ldaptive.auth.AuthenticationRequest@
> 1995766693::user=[org.ldaptive.auth.User@720667905::identifier=jennifer.lavoie,
> context=null], returnAttributes=[], controls=null]]>
> 2018-05-15 13:27:45,874 INFO [org.ldaptive.auth.Authenticator] -
> <Authentication failed for dn: cn=jennifer.lavoie,dc=campus,
> dc=bridgew,dc=edu>
> 2018-05-15 13:27:45,874 DEBUG [org.ldaptive.auth.Authenticator] -
> <authenticate response=[org.ldaptive.auth.AuthenticationHandlerResponse@
> 728104502::connection=[org.ldaptive.DefaultConnectionFactory$
> DefaultConnection@588723547::config=[org.ldaptive.
> ConnectionConfig@1903426706::ldapUrl=ldaps://boydendc-prd.
> campus.bridgew.edu:636, connectTimeout=PT5S, responseTimeout=PT5S,
> sslConfig=[org.ldaptive.ssl.SslConfig@744860926::credentialConfig=null,
> trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null,
> enabledCipherSuites=null, enabledProtocols=null,
> handshakeCompletedListeners=null], useSSL=true, useStartTLS=false,
> connectionInitializer=null, connectionStrategy=org.ldaptive.
> DefaultConnectionStrategy@dd9392c], providerConnectionFactory=[
> org.ldaptive.provider.jndi.JndiConnectionFactory@
> 601538727::metadata=[ldapUrl=ldaps://boydendc-prd.campus.bridgew.edu:636,
> count=1], 
> environment={java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory,
> com.sun.jndi.ldap.connect.timeout=5000, java.naming.ldap.version=3,
> java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
> java.naming.security.protocol=ssl, com.sun.jndi.ldap.read.timeout=5000},
> classLoader=null, providerConfig=[org.ldaptive.provider.jndi.
> JndiProviderConfig@947873970::operationExceptionResultCodes=[PROTOCOL_ERROR,
> SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.
> provider.ControlProcessor@3dd40ce0, environment=null, tracePackets=null,
> removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED,
> SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], classLoader=null,
> sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.
> ldaptive.provider.jndi.JndiConnection@c44eb3], result=false,
> resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException:
> [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment:
> AcceptSecurityContext error, data 52e, v2580], controls=null] for
> dn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu with
> request=[org.ldaptive.auth.AuthenticationRequest@1995766693::user=[org.
> ldaptive.auth.User@720667905::identifier=jennifer.lavoie, context=null],
> returnAttributes=[], controls=null]>
> 2018-05-15 13:27:45,874 DEBUG 
> [org.apereo.cas.authentication.LdapAuthenticationHandler]
> - <LDAP response: [[org.ldaptive.auth.AuthenticationResponse@1798662416::
> authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE,
> resolvedDn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu,
> ldapEntry=[dn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu[]],
> accountState=null, result=false, resultCode=INVALID_CREDENTIALS,
> message=javax.naming.AuthenticationException: [LDAP: error code 49 -
> 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error,
> data 52e, v2580], controls=null]]>
> 2018-05-15 13:27:45,875 DEBUG [org.apereo.cas.authentication.support.
> DefaultLdapPasswordPolicyHandlingStrategy] - <Applying password policy
> [[org.ldaptive.auth.AuthenticationResponse@1798662416::
> authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE,
> resolvedDn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu,
> ldapEntry=[dn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu[]],
> accountState=null, result=false, resultCode=INVALID_CREDENTIALS,
> message=javax.naming.AuthenticationException: [LDAP: error code 49 -
> 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error,
> data 52e, v2580], controls=null]] to [org.apereo.cas.
> authentication.support.DefaultAccountStateHandler@42608b36]>
> 2018-05-15 13:27:45,876 DEBUG 
> [org.apereo.cas.authentication.support.DefaultAccountStateHandler]
> - <Attempting to handle LDAP account state for [[org.ldaptive.auth.
> AuthenticationResponse@1798662416::authenticationResultCode=
> AUTHENTICATION_HANDLER_FAILURE, 
> resolvedDn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu,
> ldapEntry=[dn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu[]],
> accountState=null, result=false, resultCode=INVALID_CREDENTIALS,
> message=javax.naming.AuthenticationException: [LDAP: error code 49 -
> 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error,
> data 52e, v2580], controls=null]]>
> 2018-05-15 13:27:45,877 ERROR [org.apereo.cas.authentication.
> PolicyBasedAuthenticationManager] - <Authentication has failed.
> Credentials may be incorrect or CAS cannot find authentication handler that
> supports [jennifer.lavoie] of type [UsernamePasswordCredential]. Examine
> the configuration to ensure a method of authentication is defined and
> analyze CAS logs at DEBUG level to trace the authentication event.>
> WHO: jennifer.lavoie
> WHAT: Supplied credentials: [jennifer.lavoie]
> [root@cas3-dev bin]#
>
>
>
>
> On Tuesday, May 15, 2018 at 11:38:05 AM UTC-4, David Curry wrote:
>>
>> Looks like the CAS webapp isn't starting. catalina.out should tell you
>> what happened?
>>
>>
>> On Tue, May 15, 2018 at 11:35 AM, Jennifer LaVoie <nixge...@gmail.com>
>> wrote:
>>
>>> I updated my pom.xml last week to install LDAP, but I didn't redeploy
>>> the war file...so I did that today, but now I can't reach
>>> https://cas3.xxx.xxx/cas/login
>>>
>>> I can still see my self signed cert though, so I didn't wipe out my
>>> server.xml file...
>>>
>>> If I go here
>>>
>>> https://cas3.xxx.xxx:8443/  I do see the default Apache page is loading.
>>>
>>>
>>> HTTP Status 404 – Not Found
>>> ------------------------------
>>>
>>> *Type* Status Report
>>>
>>> *Message* /cas/login
>>>
>>> *Description* The origin server did not find a current representation
>>> for the target resource or is not willing to disclose that one exists.
>>> ------------------------------
>>> Apache Tomcat/9.0.7
>>>
>>> What did I break LOL
>>>
>>> Thank gods, I made a snapshot
>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to cas-user+u...@apereo.org.
>>> To view this discussion on the web visit https://groups.google.com/a/ap
>>> ereo.org/d/msgid/cas-user/a583b953-6589-40a2-a967-919c9dfca8
>>> 86%40apereo.org
>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/a583b953-6589-40a2-a967-919c9dfca886%40apereo.org?utm_medium=email&utm_source=footer>
>>> .
>>>
>>
