You don't need ssl for ldap authentication. Try the following:

cas.authn.ldap[0].ldapUrl=ldap://yourldapurl
cas.authn.ldap[0].useSsl=false

And comment out the keystore configurations.

On Tue, 27 Aug 2019, 5:48 pm tnbreitkreutz, <[email protected]> wrote:

> cas.server.name=https://${serviceName}.${domain}
> cas.server.prefix=${cas.server.name}/cas
> logging.config: file:/etc/cas/config/log4j2.xml
> # logging.level.org.apereo=DEBUG
> cas.authn.accept.users=
> # cas.authn.accept.name=
> # cas.authn.accept.credentialCriteria=
>
> cas.view.defaultRedirectUrl=https://dashboard.${domain}
>
> ### CAS httpClient
> cas.httpClient.connectionTimeout=5000
> cas.httpClient.asyncTimeout=5000
> cas.httpClient.readTimeout=5000
> cas.httpClient.hostNameVerifier=NONE
> cas.httpClient.allowLocalLogoutUrls=false
> cas.httpClient.truststore.psw=changeit
> cas.httpClient.truststore.file=file:/etc/security/.truststore
>
> ### LDAP
> cas.authn.ldap[0].name=${ldapDomain}01
> cas.authn.ldap[0].type=AD
> cas.authn.ldap[0].ldapUrl=${ldapUrl}
> cas.authn.ldap[0].baseDn=${ldapBaseDn}
> cas.authn.ldap[0].minPoolSize=3
> cas.authn.ldap[0].maxPoolSize=10
> cas.authn.ldap[0].validateOnCheckout=false
> cas.authn.ldap[0].validatePeriodically=true
> cas.authn.ldap[0].validatePeriod=PT5M
> cas.authn.ldap[0].failFast=true
> cas.authn.ldap[0].idleTime=PT10M
> cas.authn.ldap[0].prunePeriod=PT2M
> cas.authn.ldap[0].blockWaitTime=PT3S
> cas.authn.ldap[0].useStartTls=false
> cas.authn.ldap[0].useSsl=true
> cas.authn.ldap[0].searchFilter=(sAMAccountName={user})
> cas.authn.ldap[0].poolPassivator=NONE
> cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
> cas.authn.ldap[0].connectTimeout=PT5S
> cas.authn.ldap[0].subtreeSearch=true
> cas.authn.ldap[0].dnFormat=CN=%s,OU=Users,${ldapBaseDn}
> # cas.authn.ldap[0].trustCertificates=
> cas.authn.ldap[0].keystore=file:/etc/security/.keystore
> cas.authn.ldap[0].keystorePassword=changeit
> cas.authn.ldap[0].keystoreType=PKCS12
>
> ### JPA Ticket Registry
> cas.ticket.registry.jpa.user=${databaseUser}
> cas.ticket.registry.jpa.password=${databasePassword}
> cas.ticket.registry.jpa.driverClass=com.mysql.cj.jdbc.Driver
> cas.ticket.registry.jpa.url=jdbc:mysql://127.0.0.1:3306/${databaseName}
> cas.ticket.registry.jpa.dialect=org.hibernate.dialect.MySQL5InnoDBDialect
> cas.ticket.registry.jpa.pool.suspension=false
> cas.ticket.registry.jpa.pool.minSize=6
> cas.ticket.registry.jpa.pool.maxSize=18
> cas.ticket.registry.jpa.pool.maxWait=2000
> cas.ticket.registry.jpa.pool.timeoutMillis=1000
> cas.ticket.registry.jpa.healthQuery=select 1
> cas.ticket.registry.jpa.ticketLockType=NONE
> cas.ticket.registry.jpa.jpaLockingTimeout=3600
> cas.ticket.registry.jpa.crypto.signing.key=mysupersecretsigningkey
> cas.ticket.registry.jpa.crypto.signing.keySize=512
> cas.ticket.registry.jpa.crypto.encryption.key=mysupersecretencryptionkey
> cas.ticket.registry.jpa.crypto.encryption.keySize=512
> cas.ticket.registry.jpa.crypto.alg=AES
> cas.ticket.registry.jpa.crypto.enabled=false
>
> ### JPA Service Registry
> cas.serviceRegistry.jpa.user=${databaseUser}
> cas.serviceRegistry.jpa.password=${databasePassword}
> cas.serviceRegistry.jpa.driverClass=com.mysql.cj.jdbc.Driver
> cas.serviceRegistry.jpa.url=jdbc:mysql://127.0.0.1:3306/${databaseName}
> cas.serviceRegistry.jpa.dialect=org.hibernate.dialect.MySQL5InnoDBDialect
> cas.serviceRegistry.jpa.pool.suspension=false
> cas.serviceRegistry.jpa.pool.minSize=6
> cas.serviceRegistry.jpa.pool.maxSize=18
> cas.serviceRegistry.jpa.pool.maxWait=2000
> cas.serviceRegistry.jpa.pool.timeoutMillis=1000
> cas.serviceRegistry.jpa.healthQuery=select 1
>
> For ${ldapUrl} a *ldaps://*-address-value is stored. Regular LDAP is
> working fine. But I have to connect via LDAPS.
>
> On Tuesday, 27 August 2019 11:38:35 UTC+2, casuser wrote:
>>
>> Can you please share your CAS properties?
>> For ldap authentication you don't need to connect to ssl.
>>
>> On Tue, 27 Aug 2019, 5:00 pm tnbreitkreutz, <[email protected]> wrote:
>>
>>> Hello,
>>>
>>> still having some issues with my instance of CAS 6.0.4. After some time
>>> it was possible to connect CAS to LDAP with the UnboundIdProvider and the
>>> login works, but.
>>>
>>> I'm seeing an exception in Stackdriver, if I enable
>>> *-Djavax.net.debug=ssl*. I enabled debugging as the container crashes
>>> at some point...
>>>
>>> javax.net.ssl|WARNING|32|Connection reader for connection 2 to active-directory.lan:636|2019-08-27 08:46:25.267 UTC|SSLSocketImpl.java:1289|handling exception (
>>> "throwable" : {
>>> java.net.SocketTimeoutException: Read timed out
>>>     at java.base/java.net.SocketInputStream.socketRead0(Native Method)
>>>     at java.base/java.net.SocketInputStream.socketRead(SocketInputStream.java:115)
>>>     at java.base/java.net.SocketInputStream.read(SocketInputStream.java:168)
>>>     at java.base/java.net.SocketInputStream.read(SocketInputStream.java:140)
>>>     at java.base/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:448)
>>>     at java.base/sun.security.ssl.SSLSocketInputRecord.bytesInCompletePacket(SSLSocketInputRecord.java:68)
>>>     at java.base/sun.security.ssl.SSLSocketImpl.readApplicationRecord(SSLSocketImpl.java:1104)
>>>     at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:823)
>>>     at java.base/java.io.BufferedInputStream.fill(BufferedInputStream.java:252)
>>>     at java.base/java.io.BufferedInputStream.read(BufferedInputStream.java:271)
>>>     at com.unboundid.asn1.ASN1StreamReader.read(ASN1StreamReader.java:1159)
>>>     at com.unboundid.asn1.ASN1StreamReader.readType(ASN1StreamReader.java:332)
>>>     at com.unboundid.asn1.ASN1StreamReader.beginSequence(ASN1StreamReader.java:1079)
>>>     at com.unboundid.ldap.protocol.LDAPMessage.readLDAPResponseFrom(LDAPMessage.java:1151)
>>>     at com.unboundid.ldap.sdk.LDAPConnectionReader.run(LDAPConnectionReader.java:225)
>>> }
>>> )
>>>
>>> ConnectionTimeouts were increased. I tried to create a new
>>> truststore/keystore and imported the necessary CA certificate, but that
>>> didn't change a thing.
>>>
>>> What can I do here to get rid of this SocketTimeoutException?
>>>
>>> Best regards
>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/6b59ae54-4155-4301-9676-14da47c56624%40apereo.org.
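
Added example (not part of the thread and not CAS project code): a small Python check over the property names quoted above that flags an ldap:// URL with neither useStartTls nor useSsl enabled, hostNameVerifier=NONE, the changeit store password, and literal crypto keys. The sample input is constructed from the thread's properties; the function names and the ldap[1] entry are assumptions made for the illustration.

```python
import re

# Constructed sample: a few properties from the thread, with the reply's
# suggested ldap:// change applied; ldap[1] is an added contrast case.
SAMPLE = """\
cas.httpClient.hostNameVerifier=NONE
cas.httpClient.truststore.psw=changeit
cas.authn.ldap[0].ldapUrl=ldap://yourldapurl
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].useSsl=false
# cas.authn.ldap[0].keystorePassword=changeit
cas.authn.ldap[1].ldapUrl=ldaps://yourldapurl
cas.authn.ldap[1].useSsl=true
cas.ticket.registry.jpa.crypto.signing.key=mysupersecretsigningkey
"""

def parse_properties(text):
    """Return {key: value} for key=value or key: value lines; skip comments."""
    props = {}
    for raw in text.splitlines():
        m = re.match(r"\s*([^#!=:\s][^=:\s]*)\s*[=:]\s*(.*?)\s*$", raw)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit(props):
    """Return a sorted list of (key, finding) for transport and secret issues."""
    findings = []
    for key, value in props.items():
        m = re.fullmatch(r"(cas\.authn\.ldap\[\d+\])\.ldapUrl", key)
        if m and value.lower().startswith("ldap://"):
            # Neither StartTLS nor SSL switched on for this LDAP entry.
            tls = [props.get(f"{m.group(1)}.{k}", "false").lower() == "true"
                   for k in ("useStartTls", "useSsl")]
            if not any(tls):
                findings.append((key, "no TLS on the LDAP connection"))
        if key == "cas.httpClient.hostNameVerifier" and value.upper() == "NONE":
            findings.append((key, "TLS hostname verification disabled"))
        if re.search(r"(password|psw)$", key, re.I) and value == "changeit":
            findings.append((key, "default store password"))
        if key.endswith(".key") and value and not value.startswith("${"):
            findings.append((key, "literal key material in properties file"))
    return sorted(findings)

if __name__ == "__main__":
    for key, finding in audit(parse_properties(SAMPLE)):
        print(f"{key}: {finding}")
```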
