
To make things even more fun, the instance I have with LdapBind and an
attempt at the ldap-pwd module is letting locked users log in, but an
instance with FastBind is not.

I most definitely have something broken.

Jeff


Jeff Chapin wrote:
> I know I am grave digging, but I am working on getting this module
> working still.
> 
> I have gotten LdapBind working, and I have the password working
> information getting initialized:
> 
> This is from catalina.out:
> 
> 2010-04-06 16:42:18,580 INFO
> [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <LDAP Search
> Base: 'cn=Users,dc=Collab,dc=uni,dc=edu'>
> 2010-04-06 16:42:18,597 INFO
> [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Search Filter:
> 'cn=%u'>
> 2010-04-06 16:42:18,597 INFO
> [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <warnAll: 'true'>
> 2010-04-06 16:42:18,597 INFO
> [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Date format:
> 'yyyyMMddHHmmss'z''>
> 2010-04-06 16:42:18,597 INFO
> [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] -
> <warningCheckType: 'change'>
> 2010-04-06 16:42:18,597 INFO
> [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Date
> Attribute: 'pwdchangedtime'>
> 2010-04-06 16:42:18,597 INFO
> [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Warning Days
> Attribute: 'passwordwarningdays'>
> 2010-04-06 16:42:18,597 INFO
> [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Valid Days
> Attribute: 'passwordexpiredays'>
> 2010-04-06 16:42:18,598 INFO
> [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Default
> Warning Days: '300'>
> 2010-04-06 16:42:18,598 INFO
> [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Password Max
> Age (in days): '1'>
> 
> 
> Those are the correct values I entered -- but that is the last sign I
> see of the module being run. Nothing is logged, nor am I warned that I
> need to change my password -- even though I have warn set to true.
> 
> I followed the guide here:
> 
> http://www.ja-sig.org/wiki/display/CASUM/LDAP+Password+Policy+Enforcement
> 
> and I made the following changes to my default_view, as advised on this
> thread:
> ## Expired Password Error message
> casExpiredPassView.(class)=org.springframework.web.servlet.view.JstlView
> casExpiredPassView.url=/WEB-INF/view/jsp/default/ui/casExpiredPassView.jsp
> 
> ### Locked Account Error message
> casAccountLockedView.(class)=org.springframework.web.servlet.view.JstlView
> casAccountLockedView.url=/WEB-INF/view/jsp/default/ui/casAccountLockedView.jsp
> 
> ### Disabled Account Error message
> casAccountDisabledView.(class)=org.springframework.web.servlet.view.JstlView
> casAccountDisabledView.url=/WEB-INF/view/jsp/default/ui/casAccountDisabledView.jsp
> 
> ### Password Expiration Warning message (logged in,
> PasswordWarningCheck=true)
> casWarnPassView.(class)=org.springframework.web.servlet.view.JstlView
> casWarnPassView.url=/WEB-INF/view/jsp/default/ui/casWarnPassView.jsp
> 
> 
> I *am* getting the following error when I try to log into /cas/services
> to test:
> 
> 2010-04-06 16:43:08,245 DEBUG
> [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] -
> <Performing LDAP bind with credential:
> cn=chapinj,cn=Users,dc=collab,dc=uni,dc=edu>
> Exception in thread "Thread-14" java.security.ProviderException:
> update() failed
> 2010-04-06 16:43:08,299 INFO
> [org.jasig.cas.authentication.AuthenticationManagerImpl] -
> <AuthenticationHandler:
> org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully
> authenticated the user which provided the following credentials:
> [username: chapinj]>
>         at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:557)
>         at sun.security.pkcs11.P11Cipher.engineUpdate(P11Cipher.java:457)
>         at javax.crypto.Cipher.update(DashoA13*..)
>         at com.sun.net.ssl.internal.ssl.CipherBox.encrypt(CipherBox.java:141)
>         at com.sun.net.ssl.internal.ssl.OutputRecord.encrypt(OutputRecord.java:197)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecordInternal(SSLSocketImpl.java:733)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:722)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.sendAlert(SSLSocketImpl.java:1720)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1606)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1574)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1538)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1483)
>         at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:86)
>         at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
>         at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)
>         at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
>         at com.sun.jndi.ldap.Connection.run(Connection.java:805)
>         at java.lang.Thread.run(Thread.java:619)
> Caused by: sun.security.pkcs11.wrapper.PKCS11Exception:
> CKR_OPERATION_NOT_INITIALIZED
>         at sun.security.pkcs11.wrapper.PKCS11.C_EncryptUpdate(Native Method)
>         at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:510)
>         ... 17 more
> 
> From googling, this appears to be an issue with encryption -- but I am
> not sure where I went wrong or managed to break things.
> 
> This is java 1.6.0, cas 3.3.5, and Solaris 10.
> 
> Any suggestions before I go bald?
> 
> Thanks,
> 
> Jeff
> 
> 
> Jeff Chapin wrote:
>> I had actually been barking up that tree -- using BindLdap, and not
>> FastBind, but had to move in different directions. I will try to
>> replicate your results in the morning and see what I can come up with.
> 
>> Thanks for the pointers!
> 
>> Jeff
> 
>> Vitty, Paul wrote:
>>> Jeff/Ahsan,
>>> I've been working on this issue this evening and have gotten to the point 
>>> where I am seeing the output you expect to see.
>>> I'm not sure, maybe you know this already, but the password about to expire 
>>> message is only shown when you request a service ticket, it's not shown 
>>> when only a ticket granting ticket is requested.
>>> Another thing I worked out is that you need to use the 
>>> org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler for your LDAP 
>>> authentication handler in deployerConfigContext.xml, whereas before we 
>>> were using the Fast Bind class. Not sure if that helps you out, but it's 
>>> got me this far.
>>> Paul
>>> On 15 Feb 2010, at 22:16, Jeff Chapin wrote:
>>> No, I have not got this to work yet.
>>> I moved focus to other issues on my plate. I will look into this again
>>> further tomorrow, but this appears to be the *EXACT* same experience I
>>> am having -- so we appear to be on the same page, at least.
>>> Jeff
>>> Ahsan Imam wrote:
>>>>>> Jeff,
>>>>>>
>>>>>> Did you ever get the module to work?  Are you still having issues? After
>>>>>> the documentation was updated on Feb 10, I changed my configuration
>>>>>> setting specified for passwordWarningcheck.xml.  I am getting no warning
>>>>>> message and there is nothing in the logs.  Logging is set to:
>>>>>>
>>>>>> log4j.logger.org.jasig.cas.services=INFO
>>>>>> log4j.logger.org.jasig.cas.web.flow=DEBUG
>>>>>> log4j.logger.org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck=DEBUG
>>>>>> log4j.logger.org.jasig.cas.adaptors=DEBUG
>>>>>>
>>>>>>
>>>>>> I set warnAll to true and I should see a message "Show Warning (WarnALL
>>>>>> is TRUE!) -- The password for " + userID + " will expire in " +
>>>>>> Math.round(DateDiff / Timer.ONE_DAY) + " days" based on the code.  I do
>>>>>> not see any message in the browser or the logs.
>>>>>>
>>>>>> I wonder if I am missing something....
>>>>>>
>>>>>> Sincerely,
>>>>>> Ahsan
>>>>>>
>>>>>>
>>>>>> On Fri, Feb 12, 2010 at 7:55 AM, Jeff Chapin <jeff.cha...@uni.edu
>>>>>> <mailto:jeff.cha...@uni.edu>> wrote:
>>>>>>
>>>>>> You guys rock!
>>>>>>
>>>>>> Only problem I have is I am still not seeing anything new in my logs. I
>>>>>> am seeing the same behavior as with the last version.
>>>>>>
>>>>>> Thank you so much for the assistance.
>>>>>>
>>>>>> Jeff
>>>>>>
>>>>>> Scott Battaglia wrote:
>>>>>>> I think Eric made an update to the page.  Not sure if that will
>>>>>> help or not.
>>>>>>
>>>>>>
>>>>>>> On Thu, Feb 11, 2010 at 10:29 AM, Jeff Chapin <jeff.cha...@uni.edu
>>>>>> <mailto:jeff.cha...@uni.edu>
>>>>>>> <mailto:jeff.cha...@uni.edu <mailto:jeff.cha...@uni.edu>>> wrote:
>>>>>>> I believe that log line came from this bean:
>>>>>>> <bean id="PasswordWarningCheckAction"
>>>>>>> class="org.jasig.cas.web.flow.PasswordWarningCheckAction">
>>>>>>> <property name="passwordWarningCheck"
>>>>>>>       ref="passwordWarningCheck" />
>>>>>>> </bean>
>>>>>>> This was documented in the link below. Am I off base? I am still
>>>>>>> learning how this setup works and feeling my way around.
>>>>>>> Jeff
>>>>>>> Scott Battaglia wrote:
>>>>>>>> I don't know much about it but there's no reason it shouldn't
>>>>>>> work.  It
>>>>>>>> doesn't look like there any instructions to tell you to add it to the
>>>>>>>> web flow though.
>>>>>>>> On Wed, Feb 10, 2010 at 12:03 PM, Jeff Chapin
>>>>>> <jeff.cha...@uni.edu <mailto:jeff.cha...@uni.edu>
>>>>>>> <mailto:jeff.cha...@uni.edu <mailto:jeff.cha...@uni.edu>>
>>>>>>>> <mailto:jeff.cha...@uni.edu <mailto:jeff.cha...@uni.edu>
>>>>>> <mailto:jeff.cha...@uni.edu <mailto:jeff.cha...@uni.edu>>>> wrote:
>>>>>>
>>>>>>>> Hello,
>>>>>>>> I am using CAS 3.3.5, and I have tried to get LDAP password policy
>>>>>>>> enforcement running, as per
>>>>>> http://www.ja-sig.org/wiki/display/CASUM/LDAP+Password+Policy+Enforcement.
>>>>>>
>>>>>>>> I have cranked logging as follows:
>>>>>>>> log4j.logger.org.jasig.cas.services=INFO
>>>>>>>> log4j.logger.org.jasig.cas.web.flow=DEBUG
>>>>>> log4j.logger.org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck=DEBUG
>>>>>>>> log4j.logger.org.jasig.cas.adaptors=DEBUG
>>>>>>>> Other than that, the logging is identical to the Logging page on
>>>>>>>> the wiki.
>>>>>>>> Here are the only logs that are currently appearing:
>>>>>>>> 2010-02-10 10:58:58,550 INFO
>>>>>>>> [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Search
>>>>>>> Filter:
>>>>>>>> 'cn=%u'>
>>>>>>>> 2010-02-10 10:58:58,551 INFO
>>>>>>>> [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Expire Date
>>>>>>>> Attribute: 'pwdchangedtime'>
>>>>>>>> 2010-02-10 10:58:58,551 INFO
>>>>>>>> [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Warning
>>>>>> Days
>>>>>>>> Attribute: 'passwordwarningdays'>
>>>>>>>> 2010-02-10 10:58:58,551 INFO
>>>>>>>> [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Default
>>>>>>>> Warning Days: '-1'>
>>>>>>>> 2010-02-10 10:58:58,551 INFO
>>>>>>>> [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Date
>>>>>> format:
>>>>>>>> 'yyyyMMddHHmmss'z''>
>>>>>>>> 2010-02-10 10:58:58,551 INFO
>>>>>>>> [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <LDAP Search
>>>>>>>> Base: 'cn=Users,dc=collab,dc=uni,dc=edu'>
>>>>>>>> 2010-02-10 10:58:58,553 DEBUG
>>>>>>>> [org.jasig.cas.web.flow.PasswordWarningCheckAction] - <inited with
>>>>>> passwordWarningChecker='org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck'>
>>>>>>
>>>>>>>> As well as a mention to the bean in the following line.
>>>>>>>> 2010-02-10 10:58:58,771 INFO
>>>>>> [org.springframework.beans.factory.support.DefaultListableBeanFactory] -
>>>>>>>> <Pre-instantiating singletons in
>>>>>> org.springframework.beans.factory.support.defaultlistablebeanfact...@3052ce:
>>>>>>
>>>>>>>> It appears to me that the PasswordWarningCheck is not even firing
>>>>>> -- I
>>>>>>>> would expect much more logging output than this.
>>>>>>>> As an aside, I put -1 as the Warning days, as our LDAP server (Oracle
>>>>>>>> OID) currently only reports the time the password was last
>>>>>>> changed, not
>>>>>>>> when it expires. I have tried positive values with no difference
>>>>>>> in the
>>>>>>>> results.
>>>>>>>> Am I missing something, or is this code simply incompatible with the
>>>>>>>> current CAS version?
>>>>>>>> Thanks,
>>>>>>>> Jeff
> 

-- 
Jeff Chapin,
Assistant Systems/Applications Administrator
ITS-IS, University of Northern Iowa
Phone: 319-273-3162 Email: jeff.cha...@uni.edu
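Added illustration, not code from CAS or from anyone on this thread, of the decision the password-policy module above is meant to make: once the LDAP bind has succeeded, read pwdchangedtime, passwordexpiredays and passwordwarningdays from the entry, compute days to expiry with the settings quoted in the logs (warnAll, Default Warning Days, Password Max Age), and refuse a locked account regardless of the bind result, which is what the LdapBind instance described at the top of this message is not doing. The class and method names, the accountLocked attribute name and the sample entries are assumptions.

```java
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.time.temporal.ChronoUnit;
import java.util.HashMap;
import java.util.Map;

/**
 * Hypothetical policy check (not CAS's LdapPasswordWarningCheck). Attribute
 * names follow the thread's configuration; "accountLocked" is assumed.
 */
public class PasswordPolicyCheck {

    public enum Result { OK, WARN, EXPIRED, LOCKED }

    // LDAP generalized time as stored in pwdChangedTime, e.g. 20100406164218Z.
    // The quoted literal must match the stored value exactly, including case.
    private static final DateTimeFormatter CHANGED_TIME =
            DateTimeFormatter.ofPattern("yyyyMMddHHmmss'Z'").withZone(ZoneOffset.UTC);

    private final int defaultWarningDays; // "Default Warning Days" in the thread
    private final int passwordMaxAgeDays; // "Password Max Age (in days)"
    private final boolean warnAll;        // "warnAll"

    public PasswordPolicyCheck(int defaultWarningDays, int passwordMaxAgeDays, boolean warnAll) {
        this.defaultWarningDays = defaultWarningDays;
        this.passwordMaxAgeDays = passwordMaxAgeDays;
        this.warnAll = warnAll;
    }

    /** Evaluates policy for one user's attributes at time 'now'. */
    public Result evaluate(Map<String, String> attrs, Instant now) {
        // Lock state first: a successful simple bind does not prove the
        // account may log in; the directory's lock flag is authoritative here.
        if ("true".equalsIgnoreCase(attrs.get("accountLocked"))) { // assumed attribute name
            return Result.LOCKED;
        }
        if (!now.isBefore(expiry(attrs).toInstant())) {
            return Result.EXPIRED;
        }
        long daysLeft = daysUntilExpiry(attrs, now);
        int warningDays = intAttr(attrs, "passwordwarningdays", defaultWarningDays);
        if (warnAll || daysLeft <= warningDays) {
            return Result.WARN;
        }
        return Result.OK;
    }

    /** Expiry = last change + per-user passwordexpiredays, or the default max age. */
    public ZonedDateTime expiry(Map<String, String> attrs) {
        ZonedDateTime changed = ZonedDateTime.parse(attrs.get("pwdchangedtime"), CHANGED_TIME);
        return changed.plusDays(intAttr(attrs, "passwordexpiredays", passwordMaxAgeDays));
    }

    /** Whole days between 'now' and expiry; negative once the password has expired. */
    public long daysUntilExpiry(Map<String, String> attrs, Instant now) {
        return ChronoUnit.DAYS.between(now.atZone(ZoneOffset.UTC), expiry(attrs));
    }

    /** The warning text the thread's log message describes. */
    public String warningMessage(String userId, long daysLeft) {
        return "The password for " + userId + " will expire in " + daysLeft + " days";
    }

    // Missing or malformed numeric attributes fall back to the configured default.
    private static int intAttr(Map<String, String> attrs, String name, int fallback) {
        String v = attrs.get(name);
        if (v == null || v.isEmpty()) return fallback;
        try { return Integer.parseInt(v.trim()); }
        catch (NumberFormatException e) { return fallback; }
    }

    public static void main(String[] args) {
        // Settings as quoted in the thread: default warning days 300, max age 1, warnAll true.
        PasswordPolicyCheck check = new PasswordPolicyCheck(300, 1, true);
        Instant now = Instant.parse("2010-04-06T16:43:08Z"); // the login time in the thread's log
        // Constructed sample entries, not real directory data.
        Map<String, Map<String, String>> users = new HashMap<>();
        users.put("chapinj", entry("20100406164218Z", "90", null, "false"));
        users.put("locked-user", entry("20100406164218Z", "90", null, "true"));
        users.put("stale-user", entry("20100101000000Z", "90", "14", "false"));
        for (Map.Entry<String, Map<String, String>> u : users.entrySet()) {
            Result r = check.evaluate(u.getValue(), now);
            long days = check.daysUntilExpiry(u.getValue(), now);
            System.out.println(u.getKey() + ": " + r + " (" + days + " days to expiry)");
        }
    }

    private static Map<String, String> entry(String changed, String expireDays,
                                             String warnDays, String locked) {
        Map<String, String> m = new HashMap<>();
        m.put("pwdchangedtime", changed);
        if (expireDays != null) m.put("passwordexpiredays", expireDays);
        if (warnDays != null) m.put("passwordwarningdays", warnDays);
        m.put("accountLocked", locked);
        return m;
    }
}
```

Order matters: the lock check runs before any expiry arithmetic, so a directory that still accepts a simple bind for a locked entry is caught by the policy layer rather than by the bind. With warnAll set to true, as in the thread's configuration, every non-locked, non-expired login produces a warning, which is the log line Ahsan was looking for; setting it to false makes the per-user passwordwarningdays (or the default) decide.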

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user