-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I know I am grave digging, but I am working on getting this module
working still.

I have gotten LdapBind working, and I have the password working
information getting initialized:

This is from catalina.out:

2010-04-06 16:42:18,580 INFO
[org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <LDAP Search
Base: 'cn=Users,dc=Collab,dc=uni,dc=edu'>
2010-04-06 16:42:18,597 INFO
[org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Search Filter:
'cn=%u'>
2010-04-06 16:42:18,597 INFO
[org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <warnAll: 'true'>
2010-04-06 16:42:18,597 INFO
[org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Date format:
'yyyyMMddHHmmss'z''>
2010-04-06 16:42:18,597 INFO
[org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] -
<warningCheckType: 'change'>
2010-04-06 16:42:18,597 INFO
[org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Date
Attribute: 'pwdchangedtime'>
2010-04-06 16:42:18,597 INFO
[org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Warning Days
Attribute: 'passwordwarningdays'>
2010-04-06 16:42:18,597 INFO
[org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Valid Days
Attribute: 'passwordexpiredays'>
2010-04-06 16:42:18,598 INFO
[org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Default
Warning Days: '300'>
2010-04-06 16:42:18,598 INFO
[org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Password Max
Age (in days): '1'>


Those are the correct values I entered -- but that is the last sign I
see of the module being run. Nothing is logged, nor am I warned that I
need to change my password -- even though I have warn set to true.

I followed the guide here:

http://www.ja-sig.org/wiki/display/CASUM/LDAP+Password+Policy+Enforcement

and I made the following changes to my default_view, as advised on this
thread:
## Expired Password Error message
casExpiredPassView.(class)=org.springframework.web.servlet.view.JstlView
casExpiredPassView.url=/WEB-INF/view/jsp/default/ui/casExpiredPassView.jsp

### Locked Account Error message
casAccountLockedView.(class)=org.springframework.web.servlet.view.JstlView
casAccountLockedView.url=/WEB-INF/view/jsp/default/ui/casAccountLockedView.jsp

### Disabled Account Error message
casAccountDisabledView.(class)=org.springframework.web.servlet.view.JstlView
casAccountDisabledView.url=/WEB-INF/view/jsp/default/ui/casAccountDisabledView.jsp

### Password Expiration Warning message (logged in, PasswordWarningCheck=true)
casWarnPassView.(class)=org.springframework.web.servlet.view.JstlView
casWarnPassView.url=/WEB-INF/view/jsp/default/ui/casWarnPassView.jsp


I *am* getting the following error when I try to log into /cas/services
to test:

2010-04-06 16:43:08,245 DEBUG
[org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] -
<Performing LDAP bind with credential:
cn=chapinj,cn=Users,dc=collab,dc=uni,dc=edu>
Exception in thread "Thread-14" java.security.ProviderException:
update() failed
2010-04-06 16:43:08,299 INFO
[org.jasig.cas.authentication.AuthenticationManagerImpl] -
<AuthenticationHandler:
org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully
authenticated the user which provided the following credentials:
[username: chapinj]>
        at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:557)
        at sun.security.pkcs11.P11Cipher.engineUpdate(P11Cipher.java:457)
        at javax.crypto.Cipher.update(DashoA13*..)
        at
com.sun.net.ssl.internal.ssl.CipherBox.encrypt(CipherBox.java:141)
        at
com.sun.net.ssl.internal.ssl.OutputRecord.encrypt(OutputRecord.java:197)
        at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecordInternal(SSLSocketImpl.java:733)
        at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:722)
        at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.sendAlert(SSLSocketImpl.java:1720)
        at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1606)
        at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1574)
        at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1538)
        at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1483)
        at
com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:86)
        at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
        at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)
        at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
        at com.sun.jndi.ldap.Connection.run(Connection.java:805)
        at java.lang.Thread.run(Thread.java:619)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception:
CKR_OPERATION_NOT_INITIALIZED
        at sun.security.pkcs11.wrapper.PKCS11.C_EncryptUpdate(Native Method)
        at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:510)
        ... 17 more

- From googling, this appears to be an issue with encryption -- but I am
not sure where I went wrong or managed to break things.

This is java 1.6.0, cas 3.3.5, and Solaris 10.

Any suggestions before I go bald?

Thanks,

Jeff


Jeff Chapin wrote:
> I had actually been barking up that tree -- using BindLdap, and not
> FastBind, but had to move in different directions. I will try to
> replicate your results in the morning and see what I can come up with.
> 
> Thanks for the pointers!
> 
> Jeff
> 
> Vitty, Paul wrote:
>> Jeff/Ahsan,
> 
>> I've been working on this issue this evening and have gotten to the point 
>> where I am seeing the output you expect to see.
> 
>> I'm not sure, maybe you know this already, but the password about to expire 
>> message is only shown when you request a service ticket, it's not shown when 
>> only a ticket granting ticket is requested.
> 
>> Another thing I worked out is that you need to use the 
>> org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler for your LDAP 
>> authentication handler in deployerConfigContext.xml, whereas before we were 
>> using the Fast Bind class. Not sure if that helps you out, but it's got me 
>> this far.
> 
>> Paul
> 
>> On 15 Feb 2010, at 22:16, Jeff Chapin wrote:
> 
>> No, I have not got this to work yet.
> 
>> I moved focus to other issues on my plate. I will look into this again
>> further tomorrow, but this appears to be the *EXACT* same experience I
>> am having -- so we appear to be on the same page, at least.
> 
>> Jeff
> 
>> Ahsan Imam wrote:
>>>>> Jeff,
>>>>>
>>>>> Did you ever get the module to work?  Are you still having issues? After
>>>>> the documentation was updated on Feb 10, I changed my configuration
>>>>> setting specified for passwordWarningcheck.xml.  I am getting no warning
>>>>> message and there is nothing in the logs.  Logging is set to:
>>>>>
>>>>> log4j.logger.org.jasig.cas.services=INFO
>>>>> log4j.logger.org.jasig.cas.web.flow=DEBUG
>>>>> log4j.logger.org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck=DEBUG
>>>>> log4j.logger.org.jasig.cas.adaptors=DEBUG
>>>>>
>>>>>
>>>>> I set warnAll to true and I should see a message "Show Warning (WarnALL
>>>>> is TRUE!) -- The password for " + userID + " will expire in " +
>>>>> Math.round(DateDiff / Timer.ONE_DAY) + " days" based on the code.  I do
>>>>> not see any message in the browser or the logs.
>>>>>
>>>>> I wonder if I am missing something....
>>>>>
>>>>> Sincerely,
>>>>> Ahsan
>>>>>
>>>>>
>>>>> On Fri, Feb 12, 2010 at 7:55 AM, Jeff Chapin <jeff.cha...@uni.edu
>>>>> <mailto:jeff.cha...@uni.edu>> wrote:
>>>>>
>>>>> You guys rock!
>>>>>
>>>>> Only problem I have is I am still not seeing anything new in my logs. I
>>>>> am seeing the same behavior as with the last version.
>>>>>
>>>>> Thank you so much for the assistance.
>>>>>
>>>>> Jeff
>>>>>
>>>>> Scott Battaglia wrote:
>>>>>> I think Eric made an update to the page.  Not sure if that will
>>>>> help or not.
>>>>>
>>>>>
>>>>>> On Thu, Feb 11, 2010 at 10:29 AM, Jeff Chapin <jeff.cha...@uni.edu
>>>>> <mailto:jeff.cha...@uni.edu>
>>>>>> <mailto:jeff.cha...@uni.edu <mailto:jeff.cha...@uni.edu>>> wrote:
>>>>>> I believe that log line came from this bean:
>>>>>> <bean id="PasswordWarningCheckAction"
>>>>>> class="org.jasig.cas.web.flow.PasswordWarningCheckAction">
>>>>>> <property name="passwordWarningCheck"
>>>>>>       ref="passwordWarningCheck" />
>>>>>> </bean>
>>>>>> This was documented in the link below. Am I off base? I am still
>>>>>> learning how this setup works and feeling my way around.
>>>>>> Jeff
>>>>>> Scott Battaglia wrote:
>>>>>>> I don't know much about it but there's no reason it shouldn't
>>>>>> work.  It
>>>>>>> doesn't look like there are any instructions to tell you to add it to the
>>>>>>> web flow though.
>>>>>>> On Wed, Feb 10, 2010 at 12:03 PM, Jeff Chapin
>>>>> <jeff.cha...@uni.edu <mailto:jeff.cha...@uni.edu>
>>>>>> <mailto:jeff.cha...@uni.edu <mailto:jeff.cha...@uni.edu>>
>>>>>>> <mailto:jeff.cha...@uni.edu <mailto:jeff.cha...@uni.edu>
>>>>> <mailto:jeff.cha...@uni.edu <mailto:jeff.cha...@uni.edu>>>> wrote:
>>>>>
>>>>>>> Hello,
>>>>>>> I am using CAS 3.3.5, and I have tried to get LDAP password policy
>>>>>>> enforcement running, as per
>>>>> http://www.ja-sig.org/wiki/display/CASUM/LDAP+Password+Policy+Enforcement.
>>>>>
>>>>>>> I have cranked logging as follows:
>>>>>>> log4j.logger.org.jasig.cas.services=INFO
>>>>>>> log4j.logger.org.jasig.cas.web.flow=DEBUG
>>>>> log4j.logger.org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck=DEBUG
>>>>>>> log4j.logger.org.jasig.cas.adaptors=DEBUG
>>>>>>> Other than that, the logging is identical to the Logging page on
>>>>>>> the wiki.
>>>>>>> Here are the only logs that are currently appearing:
>>>>>>> 2010-02-10 10:58:58,550 INFO
>>>>>>> [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Search
>>>>>> Filter:
>>>>>>> 'cn=%u'>
>>>>>>> 2010-02-10 10:58:58,551 INFO
>>>>>>> [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Expire Date
>>>>>>> Attribute: 'pwdchangedtime'>
>>>>>>> 2010-02-10 10:58:58,551 INFO
>>>>>>> [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Warning
>>>>> Days
>>>>>>> Attribute: 'passwordwarningdays'>
>>>>>>> 2010-02-10 10:58:58,551 INFO
>>>>>>> [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Default
>>>>>>> Warning Days: '-1'>
>>>>>>> 2010-02-10 10:58:58,551 INFO
>>>>>>> [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Date
>>>>> format:
>>>>>>> 'yyyyMMddHHmmss'z''>
>>>>>>> 2010-02-10 10:58:58,551 INFO
>>>>>>> [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <LDAP Search
>>>>>>> Base: 'cn=Users,dc=collab,dc=uni,dc=edu'>
>>>>>>> 2010-02-10 10:58:58,553 DEBUG
>>>>>>> [org.jasig.cas.web.flow.PasswordWarningCheckAction] - <inited with
>>>>> passwordWarningChecker='org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck'>
>>>>>
>>>>>>> As well as a mention to the bean in the following line.
>>>>>>> 2010-02-10 10:58:58,771 INFO
>>>>> [org.springframework.beans.factory.support.DefaultListableBeanFactory] -
>>>>>>> <Pre-instantiating singletons in
>>>>> org.springframework.beans.factory.support.defaultlistablebeanfact...@3052ce:
>>>>>
>>>>>>> It appears to me that the PasswordWarningCheck is not even firing
>>>>> -- I
>>>>>>> would expect much more logging output than this.
>>>>>>> As an aside, I put -1 as the Warning days, as our LDAP server (Oracle
>>>>>>> OID) currently only reports the time the password was last
>>>>>> changed, not
>>>>>>> when it expires. I have tried positive values with no difference
>>>>>> in the
>>>>>>> results.
>>>>>>> Am I missing something, or is this code simply incompatible with the
>>>>>>> current CAS version?
>>>>>>> Thanks,
>>>>>>> Jeff
>>>>>

- --
Jeff Chapin,
Assistant Systems/Applications Administrator
ITS-IS, University of Northern Iowa
Phone: 319-273-3162 Email: jeff.cha...@uni.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAku7r3gACgkQQiaEUfQoY7RsMgCgxbgHuOJmN9d4L7kg+i2xj8eP
BTcAoLB/uet4BPBDDqdtNoX3hAIZnS8L
=BUqo
-----END PGP SIGNATURE-----
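
An added example, not part of the thread and not CAS's own code: a stand-alone Java sketch of the arithmetic that the logged settings (date format `yyyyMMddHHmmss'z'`, warningCheckType `change`, max age 1 day, default warning days 300, warnAll true) describe, useful for checking by hand whether a given `pwdchangedtime` value should produce a warning. Because the pattern quotes `z` as a literal, `SimpleDateFormat` does not read a time zone from the value, so the sketch sets UTC explicitly; with a one-day max age, a zone offset of a few hours is enough to change the outcome. The class name, the rule "expiry = change time + valid days", the decision labels and the sample timestamps are assumptions made for illustration.

```java
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.TimeZone;

public class PasswordWarningSketch {
    static final long ONE_DAY_MS = 24L * 60 * 60 * 1000;

    /** Parses a change timestamp with the logged pattern; 'z' is a literal, so UTC is forced. */
    static Date parseChangedTime(String value) throws ParseException {
        SimpleDateFormat fmt = new SimpleDateFormat("yyyyMMddHHmmss'z'");
        fmt.setTimeZone(TimeZone.getTimeZone("UTC"));
        fmt.setLenient(false); // reject impossible dates instead of rolling them over
        return fmt.parse(value);
    }

    /** Whole days until expiry (negative once expired), assuming expiry = change time + validDays. */
    static long daysUntilExpiry(Date changed, int validDays, Date now) {
        long expiresAt = changed.getTime() + validDays * ONE_DAY_MS;
        return (long) Math.floor((expiresAt - now.getTime()) / (double) ONE_DAY_MS);
    }

    /** Hypothetical decision rule: expired, warn (always when warnAll is set), or nothing to show. */
    static String decide(long daysLeft, int warningDays, boolean warnAll) {
        if (daysLeft < 0) {
            return "EXPIRED";
        }
        if (warnAll || daysLeft <= warningDays) {
            return "WARN";
        }
        return "OK";
    }

    public static void main(String[] args) throws ParseException {
        // Constructed sample values; only the pattern, 1, 300 and warnAll=true come from the log.
        Date now = parseChangedTime("20100406214218z");
        String[] samples = {"20100406120000z", "20100405120000z", "20100101000000z"};
        for (String s : samples) {
            long left = daysUntilExpiry(parseChangedTime(s), 1, now);
            System.out.println(s + " -> " + left + " day(s) left: " + decide(left, 300, true));
        }
    }
}
```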
