Yes, we are using a maven overlay.

I will see if I can figure out a way to run a debugger on this. I don't do much java development, and the fact that this is on a unix host, combined with the ACLs we have in place to protect some of the resources might make debugging an interesting challenge.

Thanks for the advice.

Jeff

Ahsan Imam wrote:
> Hi Jeff,
>
> I am not sure if this will help but you can start tomcat in debug mode
> and then attach a debugger (I used eclipse) to see what is happening.
> When I was having issues I set my debug statement
> (LdapPasswordWarningCheck.java) in the method getPasswordWarning. Some
> other key files to look through are
>
> PasswordWarningCheckAction.java
> PasswordWarningDynamicViewSelector.java (webflow)
> AuthenticationViaFormAction.java
>
> Stepping through the code gave me a pretty good indication of what was
> happening. Debugging prompted me to modify properties files which I
> neglected to update. Also we made some modifications to add more
> functionality if a user's password expired.
>
> Also are you using cas maven overlay method?
>
> Ahsan
>
> On Wed, Apr 7, 2010 at 12:09 PM, Jeff Chapin <jeff.cha...@uni.edu> wrote:
>
> To make things even more fun, the instance I have with LdapBind and an
> attempt at the ldap-pwd module is letting locked users log in, but an
> instance with FastBind is not.
>
> I most definitely have something broken.
>
> Jeff
>
> Jeff Chapin wrote:
>> I know I am grave digging, but I am working on getting this module
>> working still.
>>
>> I have gotten LdapBind working, and I have the password working
>> information getting initialized:
>>
>> This is from catalina.out:
>>
>> 2010-04-06 16:42:18,580 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <LDAP Search Base: 'cn=Users,dc=Collab,dc=uni,dc=edu'>
>> 2010-04-06 16:42:18,597 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Search Filter: 'cn=%u'>
>> 2010-04-06 16:42:18,597 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <warnAll: 'true'>
>> 2010-04-06 16:42:18,597 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Date format: 'yyyyMMddHHmmss'z''>
>> 2010-04-06 16:42:18,597 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <warningCheckType: 'change'>
>> 2010-04-06 16:42:18,597 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Date Attribute: 'pwdchangedtime'>
>> 2010-04-06 16:42:18,597 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Warning Days Attribute: 'passwordwarningdays'>
>> 2010-04-06 16:42:18,597 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Valid Days Attribute: 'passwordexpiredays'>
>> 2010-04-06 16:42:18,598 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Default Warning Days: '300'>
>> 2010-04-06 16:42:18,598 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Password Max Age (in days): '1'>
>>
>> Those are the correct values I entered -- but that is the last sign I
>> see of the module being run. Nothing is logged, nor am I warned that I
>> need to change my password -- even though I have warn set to true.
>>
>> I followed the guide here:
>>
>> http://www.ja-sig.org/wiki/display/CASUM/LDAP+Password+Policy+Enforcement
>>
>> and I made the following changes to my default_view, as advised on this
>> thread:
>>
>> ## Expired Password Error message
>> casExpiredPassView.(class)=org.springframework.web.servlet.view.JstlView
>> casExpiredPassView.url=/WEB-INF/view/jsp/default/ui/casExpiredPassView.jsp
>>
>> ### Locked Account Error message
>> casAccountLockedView.(class)=org.springframework.web.servlet.view.JstlView
>> casAccountLockedView.url=/WEB-INF/view/jsp/default/ui/casAccountLockedView.jsp
>>
>> ### Disabled Account Error message
>> casAccountDisabledView.(class)=org.springframework.web.servlet.view.JstlView
>> casAccountDisabledView.url=/WEB-INF/view/jsp/default/ui/casAccountDisabledView.jsp
>>
>> ### Password Expiration Warning message (logged in, PasswordWarningCheck=true)
>> casWarnPassView.(class)=org.springframework.web.servlet.view.JstlView
>> casWarnPassView.url=/WEB-INF/view/jsp/default/ui/casWarnPassView.jsp
>>
>> I *am* getting the following error when I try to log into /cas/services
>> to test:
>>
>> 2010-04-06 16:43:08,245 DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - <Performing LDAP bind with credential: cn=chapinj,cn=Users,dc=collab,dc=uni,dc=edu>
>> Exception in thread "Thread-14" java.security.ProviderException: update() failed
>> 2010-04-06 16:43:08,299 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: chapinj]>
>>     at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:557)
>>     at sun.security.pkcs11.P11Cipher.engineUpdate(P11Cipher.java:457)
>>     at javax.crypto.Cipher.update(DashoA13*..)
>>     at com.sun.net.ssl.internal.ssl.CipherBox.encrypt(CipherBox.java:141)
>>     at com.sun.net.ssl.internal.ssl.OutputRecord.encrypt(OutputRecord.java:197)
>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecordInternal(SSLSocketImpl.java:733)
>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:722)
>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.sendAlert(SSLSocketImpl.java:1720)
>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1606)
>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1574)
>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1538)
>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1483)
>>     at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:86)
>>     at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
>>     at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)
>>     at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
>>     at com.sun.jndi.ldap.Connection.run(Connection.java:805)
>>     at java.lang.Thread.run(Thread.java:619)
>> Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_OPERATION_NOT_INITIALIZED
>>     at sun.security.pkcs11.wrapper.PKCS11.C_EncryptUpdate(Native Method)
>>     at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:510)
>>     ... 17 more
>>
>> From googling, this appears to be an issue with encryption -- but I am
>> not sure where I went wrong or managed to break things.
>>
>> This is java 1.6.0, cas 3.3.5, and Solaris 10.
>>
>> Any suggestions before I go bald?
>>
>> Thanks,
>>
>> Jeff
>>
>> Jeff Chapin wrote:
>>> I had actually been barking up that tree -- using BindLdap, and not
>>> FastBind, but had to move in different directions. I will try to
>>> replicate your results in the morning and see what I can come up with.
>>>
>>> Thanks for the pointers!
>>>
>>> Jeff
>>>
>>> Vitty, Paul wrote:
>>>> Jeff/Ahsan,
>>>>
>>>> I've been working on this issue this evening and have gotten to the
>>>> point where I am seeing the output you expect to see.
>>>>
>>>> I'm not sure, maybe you know this already, but the password about to
>>>> expire message is only shown when you request a service ticket, it's
>>>> not shown when only a ticket granting ticket is requested.
>>>>
>>>> Another thing I worked out is that you need to use the
>>>> org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler for your
>>>> LDAP authentication handler in deployerConfigContext.xml, whereas
>>>> before we were using the Fast Bind class. Not sure if that helps you
>>>> out, but it's got me this far.
>>>>
>>>> Paul
>>>>
>>>> On 15 Feb 2010, at 22:16, Jeff Chapin wrote:
>>>>
>>>> No, I have not got this to work yet.
>>>>
>>>> I moved focus to other issues on my plate. I will look into this again
>>>> further tomorrow, but this appears to be the *EXACT* same experience I
>>>> am having -- so we appear to be on the same page, at least.
>>>>
>>>> Jeff
>>>>
>>>> Ahsan Imam wrote:
>>>>>>> Jeff,
>>>>>>>
>>>>>>> Did you ever get the module to work? Are you still having issues? After
>>>>>>> the documentation was updated on Feb 10, I changed my configuration
>>>>>>> setting specified for passwordWarningcheck.xml. I am getting no warning
>>>>>>> message and there is nothing in the logs. Logging is set to:
>>>>>>>
>>>>>>> log4j.logger.org.jasig.cas.services=INFO
>>>>>>> log4j.logger.org.jasig.cas.web.flow=DEBUG
>>>>>>> log4j.logger.org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck=DEBUG
>>>>>>> log4j.logger.org.jasig.cas.adaptors=DEBUG
>>>>>>>
>>>>>>> I set warnAll to true and I should see a message "Show Warning (WarnALL
>>>>>>> is TRUE!) -- The password for " + userID + " will expire in " +
>>>>>>> Math.round(DateDiff / Timer.ONE_DAY) + " days" based on the code. I do
>>>>>>> not see any message in the browser or the logs.
>>>>>>>
>>>>>>> I wonder if I am missing something....
>>>>>>>
>>>>>>> Sincerely,
>>>>>>> Ahsan
>>>>>>>
>>>>>>> On Fri, Feb 12, 2010 at 7:55 AM, Jeff Chapin <jeff.cha...@uni.edu> wrote:
>>>>>>>
>>>>>>> You guys rock!
>>>>>>>
>>>>>>> Only problem I have is I am still not seeing anything new in my logs. I
>>>>>>> am seeing the same behavior as with the last version.
>>>>>>>
>>>>>>> Thank you so much for the assistance.
>>>>>>>
>>>>>>> Jeff
>>>>>>>
>>>>>>> Scott Battaglia wrote:
>>>>>>>> I think Eric made an update to the page. Not sure if that will
>>>>>>>> help or not.
>>>>>>>>
>>>>>>>> On Thu, Feb 11, 2010 at 10:29 AM, Jeff Chapin <jeff.cha...@uni.edu> wrote:
>>>>>>>>
>>>>>>>> I believe that log line came from this bean:
>>>>>>>>
>>>>>>>> <bean id="PasswordWarningCheckAction"
>>>>>>>>       class="org.jasig.cas.web.flow.PasswordWarningCheckAction">
>>>>>>>>     <property name="passwordWarningCheck" ref="passwordWarningCheck" />
>>>>>>>> </bean>
>>>>>>>>
>>>>>>>> This was documented in the link below. Am I off base? I am still
>>>>>>>> learning how this setup works and feeling my way around.
>>>>>>>>
>>>>>>>> Jeff
>>>>>>>>
>>>>>>>> Scott Battaglia wrote:
>>>>>>>>> I don't know much about it but there's no reason it shouldn't
>>>>>>>>> work. It doesn't look like there are any instructions to tell you
>>>>>>>>> to add it to the web flow though.
>>>>>>>>>
>>>>>>>>> On Wed, Feb 10, 2010 at 12:03 PM, Jeff Chapin <jeff.cha...@uni.edu> wrote:
>>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I am using CAS 3.3.5, and I have tried to get LDAP password policy
>>>>>>>>> enforcement running, as per
>>>>>>>>> http://www.ja-sig.org/wiki/display/CASUM/LDAP+Password+Policy+Enforcement.
>>>>>>>>>
>>>>>>>>> I have cranked logging as follows:
>>>>>>>>>
>>>>>>>>> log4j.logger.org.jasig.cas.services=INFO
>>>>>>>>> log4j.logger.org.jasig.cas.web.flow=DEBUG
>>>>>>>>> log4j.logger.org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck=DEBUG
>>>>>>>>> log4j.logger.org.jasig.cas.adaptors=DEBUG
>>>>>>>>>
>>>>>>>>> , other than that, the logging is identical to the Logging page on
>>>>>>>>> the wiki.
>>>>>>>>>
>>>>>>>>> Here are the only logs that are currently appearing:
>>>>>>>>>
>>>>>>>>> 2010-02-10 10:58:58,550 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Search Filter: 'cn=%u'>
>>>>>>>>> 2010-02-10 10:58:58,551 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Expire Date Attribute: 'pwdchangedtime'>
>>>>>>>>> 2010-02-10 10:58:58,551 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Warning Days Attribute: 'passwordwarningdays'>
>>>>>>>>> 2010-02-10 10:58:58,551 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Default Warning Days: '-1'>
>>>>>>>>> 2010-02-10 10:58:58,551 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Date format: 'yyyyMMddHHmmss'z''>
>>>>>>>>> 2010-02-10 10:58:58,551 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <LDAP Search Base: 'cn=Users,dc=collab,dc=uni,dc=edu'>
>>>>>>>>> 2010-02-10 10:58:58,553 DEBUG [org.jasig.cas.web.flow.PasswordWarningCheckAction] - <inited with passwordWarningChecker='org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck'>
>>>>>>>>>
>>>>>>>>> As well as a mention of the bean in the following line.
>>>>>>>>>
>>>>>>>>> 2010-02-10 10:58:58,771 INFO [org.springframework.beans.factory.support.DefaultListableBeanFactory] - <Pre-instantiating singletons in org.springframework.beans.factory.support.defaultlistablebeanfact...@3052ce:
>>>>>>>>>
>>>>>>>>> It appears to me that the PasswordWarningCheck is not even firing -- I
>>>>>>>>> would expect much more logging output than this.
>>>>>>>>>
>>>>>>>>> As an aside, I put -1 as the Warning days, as our LDAP server (Oracle
>>>>>>>>> OID) currently only reports the time the password was last changed, not
>>>>>>>>> when it expires.
>>>>>>>>> I have tried positive values with no difference in the
>>>>>>>>> results.
>>>>>>>>>
>>>>>>>>> Am I missing something, or is this code simply incompatible with the
>>>>>>>>> current CAS version?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> Jeff
>
> --
> s/Ahsan/?/g

--
Jeff Chapin, Assistant Systems/Applications Administrator
ITS-IS, University of Northern Iowa
Phone: 319-273-3162 Email: jeff.cha...@uni.edu
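
The symptom reported throughout this thread (LdapPasswordWarningCheck logs its settings at startup, then nothing at login) can be checked mechanically against catalina.out. The following is an added example, not part of the original messages or of the CAS code base; the function names, the 5-second window and the two "testuser" sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Layout of the log4j lines quoted in the thread: "<date> <time>,<ms> LEVEL [logger] - <message>"
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d{3} (\w+)\s+\[([\w.$]+)\] - <(.*)>$")
AUTH_LOGGER = "org.jasig.cas.authentication.AuthenticationManagerImpl"
CHECK_LOGGER = "org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck"
USERNAME = re.compile(r"\[username: ([^\]]+)\]")

def parse(lines):
    """Yield (timestamp, logger, message); stack-trace and other lines are skipped."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(3), m.group(4)

def logins_without_check(lines, window_seconds=5):
    """Usernames whose successful authentication is not followed, within the
    window, by any LdapPasswordWarningCheck line. Heuristic: the follow-up
    line is matched by time only, not by user, and the log is assumed to be
    in chronological order."""
    events = list(parse(lines))
    missing = []
    for i, (ts, logger, msg) in enumerate(events):
        if logger != AUTH_LOGGER or "successfully authenticated" not in msg:
            continue
        limit = ts + timedelta(seconds=window_seconds)
        fired = any(lg == CHECK_LOGGER and t <= limit for t, lg, _ in events[i + 1:])
        if not fired:
            user = USERNAME.search(msg)
            missing.append(user.group(1) if user else "?")
    return missing

# The first four lines follow the catalina.out excerpts in the thread (wrapped
# lines joined); the two "testuser" lines are constructed to show a login
# after which the check did log something.
SAMPLE = [
    "2010-04-06 16:42:18,597 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <warnAll: 'true'>",
    "2010-04-06 16:43:08,245 DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - <Performing LDAP bind with credential: cn=chapinj,cn=Users,dc=collab,dc=uni,dc=edu>",
    'Exception in thread "Thread-14" java.security.ProviderException: update() failed',
    "2010-04-06 16:43:08,299 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: chapinj]>",
    "2010-04-06 16:50:00,101 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: testuser]>",
    "2010-04-06 16:50:00,120 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Show Warning (WarnALL is TRUE!) -- The password for testuser will expire in 3 days>",
]

if __name__ == "__main__":
    print(logins_without_check(SAMPLE))
```

A login listed by this check is one where authentication succeeded but the password-policy step left no trace, which matches the situation where the check is never reached at login, as described above.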