If you are running on port 636, that typically is ldaps.  The initial TCP
connection is encrypted using SSL/TLS and you would use STARTTLS=false and
USETLS=true.

The URL scheme is "ldaps://host:port/basedn" for many LDAP libraries (not
sure about this one).

Carl Waldbieser
 On Jun 23, 2015 6:33 PM, "Mike Seiler" <michaelsei...@fuller.edu> wrote:

> Daniel,
>
> Thanks.  I turned on the debug for Ldaptive, and got multiple lines of
> DEBUG, but none seems to indicate a full error that I can see.
>
> In catalina.out there are a few lines about ldaptive that show the
> following:
> useSSL=false, useStartTLS=false,... etc.
>
> If I set the ldap.useStartTLS=true in my cas.properties, the application
> fails to load and tells me that "TLS or SSL already in effect" and then
> there's a cascading set of errors concerning initializing authentication
> handlers.
>
> If I set ldap.useStartTLS=false, then the application loads fine, but
> catalina.out shows that useSSL=false as well.
>
> If I manually set useSSL to true (in deployerConfigContext), the
> application initializes fine and cas.log still shows "authentication
> failed" but there are no other errors to indicate that something is wrong
> either in catalina.out or cas.log.
>
> The following is from catalina.out which tells me SSL is loading properly:
> -------------------------------------------------------
> 2015-06-23 15:12:46,290 DEBUG [org.ldaptive.ssl.AggregateTrustManager] -
> <checkServerTrusted for sun.security.ssl.X509TrustManagerImpl@23802df5
> succeeded>
> 2015-06-23 15:12:46,290 DEBUG [org.ldaptive.ssl.DefaultHostnameVerifier] -
> <verifying hostname=id.fuller.edu against cert=>
> 2015-06-23 15:12:46,300 DEBUG [org.ldaptive.ssl.DefaultHostnameVerifier] -
> <verifyDNS using subjectAltNames=[id-dc2.id.fuller.edu, id.fuller.edu,
> ID]>
> 2015-06-23 15:12:46,300 DEBUG [org.ldaptive.ssl.DefaultHostnameVerifier] -
> <verifyDNS found hostname match: id.fuller.edu>
> 2015-06-23 15:12:46,300 DEBUG [org.ldaptive.ssl.AggregateTrustManager] -
> <checkServerTrusted for
> org.ldaptive.ssl.HostnameVerifyingTrustManager@126d0169 succeeded>
> 2015-06-23 15:12:46,300 DEBUG [org.ldaptive.ssl.AggregateTrustManager] -
> <invoking getAcceptedIssuers invoked for
> sun.security.ssl.X509TrustManagerImpl@23802df5>
> 2015-06-23 15:12:46,300 DEBUG [org.ldaptive.ssl.AggregateTrustManager] -
> <invoking getAcceptedIssuers invoked for
> org.ldaptive.ssl.HostnameVerifyingTrustManager@126d0169>
>
> The lines containing the useSSL and useStartTLS:
> -----------------------------------------------
> 2015-06-23 15:12:46,814 DEBUG [org.ldaptive.pool.BlockingConnectionPool] -
> <initialized available queue: 
> [org.ldaptive.pool.Queue@458045035::queueType=LIFO,
> queue=[org.ldaptive.pool.AbstractConnectionPool$DefaultPooledConnectionProxy@6a3096d4,
> org.ldaptive.pool.AbstractConnectionPool$DefaultPooledConnectionProxy@630eaf38,
> org.ldaptive.pool.AbstractConnectionPool$DefaultPooledConnectionProxy@2021f8cc
> ]]>
> 2015-06-23 15:12:46,820 DEBUG [org.ldaptive.pool.BlockingConnectionPool] -
> <prune pool task scheduled for
> [org.ldaptive.pool.BlockingConnectionPool@1188516673::name=null,
> poolConfig=[org.ldaptive.pool.PoolConfig@1654322364::minPoolSize=3,
> maxPoolSize=10, validateOnCheckIn=false, validateOnCheckOut=false,
> validatePeriodically=true, validatePeriod=300], activator=null,
> passivator=null, validator=[org.ldaptive.pool.SearchValidator@725194039
> ::searchRequest=[org.ldaptive.SearchRequest@88681342::*baseDn=,
> searchFilter=*[org.ldaptive.SearchFilter@1642584434::filter=(objectClass=*),
> parameters={}], returnAttributes=[1.1], searchScope=OBJECT, timeLimit=0,
> sizeLimit=1, derefAliases=null, typesOnly=false, binaryAttributes=null,
> sortBehavior=UNORDERED, searchEntryHandlers=null,
> searchReferenceHandlers=null, controls=null, followReferrals=false,
> intermediateResponseHandlers=null]]
> pruneStrategy=[org.ldaptive.pool.IdlePruneStrategy@397920599::prunePeriod=300,
> idleTime=600], connectOnCreate=true,
> connectionFactory=[org.ldaptive.DefaultConnectionFactory@587430635
> ::provider=org.ldaptive.provider.jndi.JndiProvider@397aec42,
> config=[org.ldaptive.ConnectionConfig@892141193::ldapUrl=ldap://id.fuller.edu:636, connectTimeout=3000, responseTimeout=-1,
> sslConfig=[org.ldaptive.ssl.SslConfig@486207397
> ::credentialConfig=[org.ldaptive.ssl.X509CredentialConfig@1427787790::trustCertificates=file:/etc/cas/id_app.pem,
> authenticationCertificate=null, authenticationKey=null],
> trustManagers=null, enabledCipherSuites=null, enabledProtocols=null,
> handshakeCompletedListeners=null], *useSSL=true, useStartTLS=false*,
> connectionInitializer=null]], initialized=false, availableCount=3,
> activeCount=0]>
>
> I notice that the baseDN is empty, though I have that set in my
> cas.properties file as per the file sample on the Active Directory
> Installation page.
>
> Just to verify my credentials, I logged in on our current CAS 3.5.2 server
> using the same credentials I am trying on the new 4.0 server - both CAS
> servers access the same Active Directory.
>
> Thanks,
>
> Mike
>
> On Tue, Jun 23, 2015 at 12:33 PM, Daniel Fisher <dfis...@vt.edu> wrote:
>
>> On Tue, Jun 23, 2015 at 12:01 PM, Mike Seiler <michaelsei...@fuller.edu>
>> wrote:
>>
>>> Hello all,
>>>
>>> I'm running into problems authenticating with Active Directory in CAS
>>> 4.0.  What I've done so far:
>>> 1) set up the CAS server using this documentation:
>>> http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html#active_directory_authentication
>>> 2) Installed secure certificates in Tomcat for both SSL (on 8443) and
>>> the AD certificate
>>> 3) Installed the certs in the default Java Keystore as well - when
>>> things didn't work with only Tomcat certs
>>> 4) Updated my cas.properties file with the appropriate credentials and
>>> attributes.
>>>
>>> *The Problem:*
>>> CAS loads, but returns with "Invalid Credentials" for every attempt to
>>> log in (even though I can query the AD from the command line):
>>>
>>
>> Put the org.ldaptive package in debug. That may shed some light on the
>> problem.
>>
>> --Daniel Fisher
>>
>> --
>> You are currently subscribed to cas-user@lists.jasig.org as: 
>> michaelsei...@fuller.edu
>> To unsubscribe, change settings or access archives, see 
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
>>
>
>
> --
> *Michael Seiler*
> --------------------------------------------------
> Systems Integration Engineer
> Fuller Theological Seminary
> Phone: (970) 306-6105
> michaelsei...@fuller.edu
>
> *Please NOTE:*
> I respond to email at 8 AM, 1PM, and at 4:30PM.  If you need more
> immediate help, please contact TSS (626.584.5675) and they can route the
> issue to the appropriate person.  If this is a business process life or
> death emergency, you may call me at the above number.
>
>

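A small checker for the combination this thread turns on (URL scheme, port, useSSL, useStartTLS), as an added example that is not from the thread, from CAS or from ldaptive. It parses the ConnectionConfig dump that ldaptive writes at DEBUG (the line Mike quoted) and reports the inconsistent combinations discussed above: StartTLS requested on a connection that is already TLS (the "TLS or SSL already in effect" failure), cleartext LDAP or StartTLS sent to the ldaps port, and a bind with no TLS at all. The rules only encode what the thread states about useSSL (TLS on connect) and useStartTLS (upgrade after connect); that ldaptive also accepts an ldaps:// URL is Carl's suggestion and is treated as an assumption. The sample log line is the thread's own ConnectionConfig fragment re-joined onto one line and shortened; the other inputs are constructed.

```python
"""Consistency check for an ldaptive ConnectionConfig as CAS logs it.

Added example for this thread; not code from CAS or ldaptive. It encodes
the TLS-mode rules discussed above:
  * useSSL (or an ldaps:// URL) wraps the TCP connection in TLS on connect
  * useStartTLS upgrades a cleartext ldap:// connection after connect
  * asking for both is what ldaptive rejects as "TLS or SSL already in effect"
"""
import re
from urllib.parse import urlsplit

# Constructed sample: the ConnectionConfig fragment from the thread's
# catalina.out, re-joined onto one line and shortened.
SAMPLE_LOG = (
    "2015-06-23 15:12:46,820 DEBUG [org.ldaptive.pool.BlockingConnectionPool] - "
    "<prune pool task scheduled for [... config=[org.ldaptive.ConnectionConfig"
    "@892141193::ldapUrl=ldap://id.fuller.edu:636, connectTimeout=3000, "
    "responseTimeout=-1, sslConfig=[...], useSSL=true, useStartTLS=false, "
    "connectionInitializer=null]]>"
)

# Matches a single-URL ConnectionConfig dump (ldaptive also accepts a
# space-separated URL list; that case is not handled here).
_CONFIG_RX = re.compile(
    r"ConnectionConfig@\d+::.*?ldapUrl=(?P<url>\S+?),.*?"
    r"useSSL=(?P<ssl>true|false),\s*useStartTLS=(?P<starttls>true|false)",
    re.DOTALL,
)

DESCRIPTIONS = {
    "STARTTLS_OVER_TLS":
        "useStartTLS=true on a connection that is already TLS on connect; "
        "ldaptive rejects this (\"TLS or SSL already in effect\").",
    "PLAINTEXT_TO_LDAPS_PORT":
        "cleartext LDAP to port 636; the server expects a TLS handshake, so "
        "the bind never succeeds.",
    "STARTTLS_TO_LDAPS_PORT":
        "StartTLS to port 636; the listener wants TLS from the first byte, "
        "so the StartTLS extended operation cannot be sent.",
    "CLEARTEXT_BIND":
        "no TLS at all; the simple bind sends the password in the clear.",
    "LDAP_SCHEME_WITH_USESSL":
        "ldap:// URL relying on useSSL=true; works, but an ldaps:// URL "
        "states the intent in the URL itself (assumed supported by ldaptive).",
}


def parse_connection_config(log_text):
    """Return (url, use_ssl, use_starttls) from the first ConnectionConfig
    dump in log_text, or None if there is none."""
    m = _CONFIG_RX.search(log_text)
    if m is None:
        return None
    return m.group("url"), m.group("ssl") == "true", m.group("starttls") == "true"


def analyze(url, use_ssl, use_starttls):
    """Return finding codes (keys of DESCRIPTIONS) for one setting combination.
    An empty list means the combination is consistent."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    # Default ports when the URL carries none: 389 for ldap, 636 for ldaps.
    port = parts.port or (636 if scheme == "ldaps" else 389)
    tls_on_connect = scheme == "ldaps" or use_ssl
    findings = []
    if tls_on_connect and use_starttls:
        findings.append("STARTTLS_OVER_TLS")
    if not tls_on_connect and not use_starttls:
        findings.append("PLAINTEXT_TO_LDAPS_PORT" if port == 636 else "CLEARTEXT_BIND")
    if not tls_on_connect and use_starttls and port == 636:
        findings.append("STARTTLS_TO_LDAPS_PORT")
    if scheme == "ldap" and use_ssl:
        findings.append("LDAP_SCHEME_WITH_USESSL")
    return findings


def check_log(log_text):
    """Parse log_text and return the findings for the logged configuration."""
    parsed = parse_connection_config(log_text)
    if parsed is None:
        raise ValueError("no ldaptive ConnectionConfig dump found")
    return analyze(*parsed)


if __name__ == "__main__":
    url, ssl, starttls = parse_connection_config(SAMPLE_LOG)
    print(f"{url}  useSSL={ssl}  useStartTLS={starttls}")
    for code in check_log(SAMPLE_LOG):
        print(f"  {code}: {DESCRIPTIONS[code]}")
```

Two notes when running this over a real catalina.out. The mail client wrapped the thread's debug line (ldapUrl=ldap:// and the host ended up on separate lines), so re-join wrapped lines first or the regex will not match. And the empty baseDn in the quoted pool dump sits inside a SearchValidator whose request (baseDn "", scope OBJECT, filter (objectClass=*), returnAttributes 1.1, sizeLimit 1) matches ldaptive's default validator, which probes the root DSE; an empty baseDn there does not on its own show that the authenticator's search base is unset, so that has to be checked on the authenticator's own search request.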