On Tue, Jul 02, 2013 at 10:55:41PM -0700, Misagh Moayyed wrote:
> "data 52e", if I remember correctly, should indicate that there's a problem
> with the account attempting to authenticate. Verify the account's
> credentials.

It makes sense, as LDAP error code 49 stands for "bad credentials".

>
> > -----Original Message-----
> > From: Seongheon Lee [mailto:seongheon....@tlc.edu]
> > Sent: Tuesday, July 02, 2013 2:31 PM
> > To: cas-user@lists.jasig.org
> > Subject: [cas-user] LDAPS and FastBindLdapAuthenticationHandler
> >
> > I got a failed authentication error (as follows). It looks like CAS
> > cannot communicate with the LDAPS server (FastBindLdapAuthenticationHandler).
> > I list both the error log and the DeployerConfigContext.xml setup. I will
> > appreciate your feedback.
> >
> > ---------------------------
> > Error Log
> > --------------------------
> >
> > 2013-07-02 12:19:25,574 INFO [org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler] - Failed to authenticate user seong.lee with error [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
> >
> > 2013-07-02 12:19:25,574 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler failed authenticating [username: seong.lee]
> > 2013-07-02 12:19:25,575 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
> > =============================================================
> > WHO: [username: seong.lee]
> > WHAT: supplied credentials: [username: seong.lee]
> > ACTION: AUTHENTICATION_FAILED
> > APPLICATION: CAS
> > WHEN: Tue Jul 02 12:19:25 PDT 2013
> > CLIENT IP ADDRESS: 69.16.75.242
> > SERVER IP ADDRESS: 197.20.48.8
> > =============================================================
> >
> >
> > 2013-07-02 12:19:25,575 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
> > =============================================================
> > WHO: [username: seong.lee]
> > WHAT: error.authentication.credentials.bad
> > ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
> > APPLICATION: CAS
> > WHEN: Tue Jul 02 12:19:25 PDT 2013
> > CLIENT IP ADDRESS: 69.16.75.242
> > SERVER IP ADDRESS: 197.20.48.8
> > =============================================================
> >
> > --------------------------
> > DeployerConfigContext
> > --------------------------
> > <bean id="authenticationManager"
> >       class="org.jasig.cas.authentication.AuthenticationManagerImpl">
> >
> >     <property name="credentialsToPrincipalResolvers">
> >         <list>
> >             <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" >
> >                 <property name="attributeRepository" ref="attributeRepository" />
> >             </bean>
> >             <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
> >         </list>
> >     </property>
> >
> >     <property name="authenticationHandlers">
> >         <list>
> >             <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
> >                   p:httpClient-ref="httpClient" />
> >             <bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler"
> >                   p:filter="sAMAccountName=%u,ou=Student"

After taking a look at LdapUtils.getFilterWithValues, I think this should read
p:filter="sAMAccountName=%u,ou=Student,dc=TCLD,dc=local"

> >                   p:contextSource-ref="contextSource"
> >                   p:ignorePartialResultException="true"/>
> >         </list>
> >     </property>
> > </bean>
> >
> >
> > <sec:user-service id="userDetailsService">
> >     <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" />
> > </sec:user-service>
> >
> >
> > <bean id="attributeRepository"
> >       class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
> >     <property name="baseDN" value="ou=Student,dc=TCLD,dc=local"/>
> >     <property name="contextSource" ref="contextSource"/>
> >     <property name="requireAllQueryAttributes" value="true"/>
> >     <property name="queryAttributeMapping">
> >         <map>
> >             <entry key="username" value="sAMAccountName"/>
> >         </map>
> >     </property>
> >     <property name="resultAttributeMapping">
> >         <map>
> >             <entry key="cn" value="Name"/>
> >         </map>
> >     </property>
> > </bean>
> >
> > <bean id="contextSource"
> >       class="org.springframework.ldap.core.support.LdapContextSource">
> >     <property name="pooled" value="false"/>
> >
> >     <property name="url" value="ldaps://69.164.175.242:636" />
> >
> >     <property name="baseEnvironmentProperties">
> >         <map>
> >             <entry key="com.sun.jndi.ldap.connect.timeout" value="3000" />
> >             <entry key="com.sun.jndi.ldap.read.timeout" value="3000" />
> >             <entry key="java.naming.security.authentication" value="simple" />
> >         </map>
> >     </property>
> > </bean>
> >
> >
> > <bean id="serviceRegistryDao"
> >       class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
> >     <property name="registeredServices">
> >         <list>
> >             <bean class="org.jasig.cas.services.RegexRegisteredService">
> >                 <property name="id" value="0" />
> >                 <property name="name" value="HTTP and IMAP" />
> >                 <property name="description" value="Allows HTTP(S) and IMAP(S) protocols" />
> >                 <property name="serviceId" value="^(https?|imaps?)://.*" />
> >                 <property name="evaluationOrder" value="10000001" />
> >             </bean>
> >         </list>
> >     </property>
> > </bean>
> >
> > <bean id="auditTrailManager"
> >       class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
> >
> > <bean id="healthCheckMonitor"
> >       class="org.jasig.cas.monitor.HealthCheckMonitor">
> >     <property name="monitors">
> >         <list>
> >             <bean class="org.jasig.cas.monitor.MemoryMonitor"
> >                   p:freeMemoryWarnThreshold="10" />
> >             <!--
> >               NOTE
> >               The following ticket registries support SessionMonitor:
> >                 * DefaultTicketRegistry
> >                 * JpaTicketRegistry
> >               Remove this monitor if you use an unsupported registry.
> >             -->
> >             <bean class="org.jasig.cas.monitor.SessionMonitor"
> >                   p:ticketRegistry-ref="ticketRegistry"
> >                   p:serviceTicketCountWarnThreshold="5000"
> >                   p:sessionCountWarnThreshold="100000" />
> >         </list>
> >     </property>
> > </bean>
> > </beans>
> >
> > --
> > You are currently subscribed to cas-user@lists.jasig.org as:
> > mmoay...@unicon.net To unsubscribe, change settings or access archives,
> > see http://www.ja-sig.org/wiki/display/JSG/cas-user

--
-----------------------
Alberto Cabello Sánchez
albe...@unex.es
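
Added example, not part of the original thread and not CAS code: a small triage script that pulls the LDAP result code and the Active Directory "data" sub-code out of the FastBind failure line quoted above, and checks whether the bind DN produced by each `p:filter` value ends in the directory's base DN. The function names are hypothetical, the sub-code table lists the commonly documented AD values, and `fastbind_dn` assumes the handler only substitutes `%u` and binds as the resulting string.

```python
import re

# Commonly documented Active Directory sub-codes in the "data" field of an
# LDAP result code 49 (invalid credentials) bind failure.
AD_BIND_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired", "533": "account disabled",
    "701": "account expired", "773": "user must reset password",
    "775": "account locked out",
}

# Matches the FastBind failure line; \s+ tolerates mail/log line wrapping.
FAILURE = re.compile(
    r"Failed\s+to\s+authenticate\s+user\s+(?P<user>\S+)\s+with\s+error\s+"
    r"\[LDAP:\s+error\s+code\s+(?P<code>\d+)\s+-.{0,200}?"
    r"data\s+(?P<data>[0-9a-fA-F]+)", re.DOTALL)

def triage(log_text):
    """Return (user, ldap_code, sub_code, meaning) per FastBind failure."""
    rows = []
    for m in FAILURE.finditer(log_text):
        data = m.group("data").lower()
        rows.append((m.group("user"), int(m.group("code")), data,
                     AD_BIND_SUBCODES.get(data, "unknown sub-code")))
    return rows

def fastbind_dn(filter_template, username):
    """Assumption: the handler replaces %u and binds as the resulting DN."""
    return filter_template.replace("%u", username)

def is_under_base(dn, base_dn):
    """True when dn ends with base_dn (naive split, no escaped commas)."""
    parts = lambda s: [p.strip().lower() for p in s.split(",")]
    return parts(dn)[-len(parts(base_dn)):] == parts(base_dn)

# Log line and DNs copied from the thread; the line wrap is constructed.
SAMPLE_LOG = """2013-07-02 12:19:25,574 INFO
[org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler] - Failed to
authenticate user seong.lee with error [LDAP: error code 49 - 80090308:
LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1"""
BASE_DN = "ou=Student,dc=TCLD,dc=local"

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    for f in ("sAMAccountName=%u,ou=Student", "sAMAccountName=%u," + BASE_DN):
        dn = fastbind_dn(f, "seong.lee")
        print(dn, "-> under base DN:", is_under_base(dn, BASE_DN))
```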