Assuming you have configured the passwordPolicy configuration of LPPE, your logs suggest that you are not actually and fully authenticating. There should be a full LDAP response in the logs retrieved by CAS. This is likely an issue with your PasswordPolicyControl setting that may not work well with IBM DS. Set your Ldaptive log level to TRACE and that should tell you what's happening. Are you sure your IBM DS is set up for password policy correctly?
P.S.: Side issue and for the archives, SAML functionality has nothing to do with CAS. All you should have to do is to enable component scanning per the docs to get attributes working.

From: Abhijit Gaikwad [mailto:agaik...@fit.edu]
Sent: Thursday, September 24, 2015 11:42 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] CAS 4.1 LDAP Authentication failed with lppe

Hello,

I am trying to get LDAP to work with LPPE but am having some issues. This was working fine with CAS 4.0.4. If I enable just LDAP authentication it works fine, but if I follow the documentation to enable LPPE, authentication in CAS stops working. If I type in a valid username I don't get any response back from the CAS server; the login page just reloads. If I enter an invalid username I get an "Invalid credentials" message. Running this against IBM DS.

I followed the LDAP documentation from: http://jasig.github.io/cas/4.1.x/installation/LDAP-Authentication.html

1. deployerConfigContext.xml - AuthenticationManager:

    <constructor-arg>
      <map>
        <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
        <entry key-ref="ldapAuthenticationHandler" value="#{null}" />
        <!-- <entry key-ref="primaryAuthenticationHandler" value-ref="primaryPrincipalResolver" /> -->
      </map>
    </constructor-arg>

2. deployerConfigContext.xml - Copied the entire LDAP authenticated search section.

3. Added to pom.xml (started with the sample overlay from https://github.com/UniconLabs/simple-cas4-overlay-template):

    <dependency>
      <groupId>org.jasig.cas</groupId>
      <artifactId>cas-server-support-ldap</artifactId>
      <version>${cas.version}</version>
    </dependency>

4. Added ldap.properties and the appropriate entry in propertyFileConfigurer.xml (this was all working fine in 4.0.4). Without the LPPE additions this all works.

5. deployerConfigContext.xml - Added the LPPE section changes (authentication stops).

On the LDAP side I can see a successful Bind operation. However, CAS just reloads the login page.
I get an ACTION: AUTHENTICATION_FAILED in the logs. It does not matter if I use LDAP or LDAPS, I get the same results. On another thread it was suggested that adding SAML support might help; I tried it but no change for me. [Re: [cas-user] LDAP authentication succeeded but CAS says it's not]

Any help will be greatly appreciated.

LDAP logs:

AuditV3--2015-09-24-10:56:15.122-4:00DST--V3 Bind--bindDN: <<USER_DN>>--client: 163.118.181.135:65349--connectionID: 174417--received: 2015-09-24-10:56:15.118-4:00DST--Success
controlType: 1.3.6.1.4.1.42.2.27.8.5.1
criticality: false
name: <<USER_DN>>
authenticationChoice: simple

with SSL:

AuditV3--2015-09-24-14:08:43.326-4:00DST--V3 SSL Bind--bindDN: <<USER_DN>>--client: 163.118.181.135:49485--connectionID: 177883--received: 2015-09-24-14:08:43.307-4:00DST--Success
controlType: 1.3.6.1.4.1.42.2.27.8.5.1
criticality: false
controlType: 1.3.18.0.2.10.19
criticality: false
name: <<USER_DN>>
authenticationChoice: simple

Logs:

2015-09-24 13:55:41,739 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - <Attempting LDAP authentication for <<USER>>+password>
2015-09-24 13:55:41,739 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - <resolve user=<<USER>>>
2015-09-24 13:55:41,739 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - <searching for DN using userFilter>
2015-09-24 13:55:41,740 DEBUG [org.ldaptive.SearchOperation] - <execute request=[org.ldaptive.SearchRequest@2082829999::baseDn=<<BASE_DN>>, searchFilter=[org.ldaptive.SearchFilter@-1184605399::filter=(&(uid={user}) (objectclass=<<USER_CLASS>>)), parameters={user=<<USER>>}], returnAttributes=[1.1], searchScope=SUBTREE, timeLimit=0, sizeLimit=0, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, followReferrals=false, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@350849609::config=[org.ldaptive.ConnectionConfig@1514762349::ldapUrl=ldap://<<SERVER>>, connectTimeout=5000, responseTimeout=-1, sslConfig=[org.ldaptive.ssl.SslConfig@40180104::credentialConfig=[org.ldaptive.ssl.X509CredentialConfig@537913944::trustCertificates=file:D:\<<PATH-TO-CERT>>\cert.cer, authenticationCertificate=null, authenticationKey=null], trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@868634493::bindDn=<<ADMIN_USER_DN>>, bindSaslConfig=null, bindControls=null]], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@1990995933::metadata=[ldapUrl=ldap://<<SERVER>>, count=1], environment={com.sun.jndi.ldap.connect.timeout=5000, java.naming.ldap.version=3, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory}, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@843269638::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy@40f30d43, controlProcessor=org.ldaptive.provider.ControlProcessor@26f3c0c, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@41c576b2]>
2015-09-24 13:55:41,742 DEBUG [org.ldaptive.SearchOperation] - <execute response=[org.ldaptive.Response@1013188448::result=[org.ldaptive.SearchResult@-287860215::entries=[[dn=<<FULL_USER_DN>>[], responseControls=null, messageId=-1]], references=[]], resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1] for request=[org.ldaptive.SearchRequest@2082829999::baseDn=<<BASE_DN>>, searchFilter=[org.ldaptive.SearchFilter@-1184605399::filter=(&(uid={user}) (objectclass=<<USER_CLASS>>)), parameters={user=<<USER>>}], returnAttributes=[1.1], searchScope=SUBTREE, timeLimit=0, sizeLimit=0, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, followReferrals=false, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@350849609::config=[org.ldaptive.ConnectionConfig@1514762349::ldapUrl=ldap://<<SERVER>>, connectTimeout=5000, responseTimeout=-1, sslConfig=[org.ldaptive.ssl.SslConfig@40180104::credentialConfig=[org.ldaptive.ssl.X509CredentialConfig@537913944::trustCertificates=file:D:\<<PATH-TO-CERT>>\cert.cer, authenticationCertificate=null, authenticationKey=null], trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@868634493::bindDn=<<ADMIN_USER_DN>>, bindSaslConfig=null, bindControls=null]], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@1990995933::metadata=[ldapUrl=ldap://<<SERVER>>, count=1], environment={com.sun.jndi.ldap.connect.timeout=5000, java.naming.ldap.version=3, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory}, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@843269638::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy@40f30d43, controlProcessor=org.ldaptive.provider.ControlProcessor@26f3c0c, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@41c576b2]>
2015-09-24 13:55:41,742 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - <resolved dn=<<FULL_USER_DN>> for user=<<USER>>>
2015-09-24 13:55:41,742 DEBUG [org.ldaptive.auth.Authenticator] - <authenticate dn=<<FULL_USER_DN>> with request=[org.ldaptive.auth.AuthenticationRequest@2036768392::user=<<USER>>, retAttrs=[uid, mail, displayName, ibm-allgroups]]>
2015-09-24 13:55:41,742 DEBUG [org.ldaptive.auth.PooledBindAuthenticationHandler] - <authenticate criteria=[org.ldaptive.auth.AuthenticationCriteria@743412056::dn=<<FULL_USER_DN>>, authenticationRequest=[org.ldaptive.auth.AuthenticationRequest@2036768392::user=<<USER>>, retAttrs=[uid, mail, displayName, ibm-allgroups]]]>
2015-09-24 13:55:41,743 DEBUG [org.ldaptive.BindOperation] - <execute request=[org.ldaptive.BindRequest@1221944942::bindDn=<<FULL_USER_DN>>, saslConfig=null, controls=[[org.ldaptive.control.PasswordPolicyControl@-350057371::criticality=false, timeBeforeExpiration=0, graceAuthNsRemaining=0, error=null]]] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@375183601::config=[org.ldaptive.ConnectionConfig@1368069874::ldapUrl=ldap://<<SERVER>>, connectTimeout=5000, responseTimeout=-1, sslConfig=[org.ldaptive.ssl.SslConfig@40180104::credentialConfig=[org.ldaptive.ssl.X509CredentialConfig@537913944::trustCertificates=file:D:\<<PATH-TO-CERT>>\cert.cer, authenticationCertificate=null, authenticationKey=null], trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=null], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@49660921::metadata=[ldapUrl=ldap://<<SERVER>>, count=1], environment={com.sun.jndi.ldap.connect.timeout=5000, java.naming.ldap.version=3, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory}, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@151291549::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy@40f30d43, controlProcessor=org.ldaptive.provider.ControlProcessor@2e98becd, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@3d8099f1]>
2015-09-24 13:55:41,749 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - <Resolving argument [UsernamePasswordCredential] for audit>
2015-09-24 13:55:41,750 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - <Resolving argument [UsernamePasswordCredential] for audit>
2015-09-24 13:55:41,750 DEBUG [org.jasig.cas.web.flow.GenerateLoginTicketAction] - <Generated login ticket LT-3-AbN2D2L0eIHxIvdOJeEYGPpuHSBeaN-cas4.<<DOMAIN>>>

--
You are currently subscribed to cas-user@lists.jasig.org as: mmoay...@unicon.net
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
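The two log formats quoted in this thread, worked as an added triage example (this is not code from the thread, from CAS or from ldaptive). It parses IBM DS AuditV3 bind records to confirm that the password-policy request control (OID 1.3.6.1.4.1.42.2.27.8.5.1) went out non-critical and that the bind succeeded, then walks org.ldaptive DEBUG lines to name the gap the reply above points at: a BindOperation request is logged carrying the PasswordPolicyControl, but no bind response follows it, so CAS never gets an account state to act on. All sample records are constructed with placeholder DNs, hosts and object hashes; the rendering of a bind response with a response control is an assumption modelled on the request-control rendering in the thread.

```python
"""Triage helper for the LPPE symptom in this thread: the bind request goes out
with the password-policy control, the server audit says Success, yet CAS fails.

Added example, not code from the thread or from CAS/ldaptive. The sample
records below are constructed to match the IBM DS AuditV3 bind format and the
org.ldaptive DEBUG rendering quoted above; DNs, hosts and object hashes are
placeholders, and the response-control rendering is assumed to mirror the
request-control rendering shown in the thread.
"""
import re

# Request control OID seen in the audit record (draft-behera-ldap-password-policy).
PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

_CONTROL_RE = re.compile(r"controlType: (?P<oid>[\d.]+) criticality: (?P<crit>true|false)")
_LDAPTIVE_PPOLICY_RE = re.compile(
    r"PasswordPolicyControl@-?\d+::criticality=\w+, timeBeforeExpiration=-?\d+, "
    r"graceAuthNsRemaining=-?\d+, error=(?P<err>\w+)"
)


def parse_audit_bind(record):
    """Parse one AuditV3 bind record (its lines joined) into a dict; None if not a bind."""
    fields = record.strip().split("--")
    if len(fields) < 8 or not fields[2].endswith("Bind"):
        return None
    tail = fields[7]  # "Success controlType: ... name: ... authenticationChoice: simple"
    return {
        "operation": fields[2],                     # "V3 Bind" or "V3 SSL Bind"
        "bind_dn": fields[3].split(": ", 1)[1],
        "client": fields[4].split(": ", 1)[1],
        "result": tail.split()[0],
        "controls": [(m.group("oid"), m.group("crit") == "true")
                     for m in _CONTROL_RE.finditer(tail)],
    }


def ppolicy_requested(parsed):
    """True if the bind carried the password-policy request control, critical or not."""
    return any(oid == PPOLICY_CONTROL_OID for oid, _ in parsed["controls"])


def diagnose_bind(cas_log_lines):
    """Walk org.ldaptive DEBUG lines and say why LPPE could not produce an account state."""
    request = response = None
    for line in cas_log_lines:
        if "[org.ldaptive.BindOperation]" not in line:
            continue
        if "execute response=" in line:
            response = line
        elif "execute request=" in line:
            request = line
    if request is None:
        return "no BindOperation request logged: authentication never reached the bind"
    if "PasswordPolicyControl" not in request:
        return "bind sent without PasswordPolicyControl: LPPE is not wired into the bind handler"
    if response is None:
        return "bind request logged but no response: raise org.ldaptive to TRACE to see the server reply"
    if "responseControls=null" in response:
        return "server returned no password-policy response control: check the server-side policy"
    m = _LDAPTIVE_PPOLICY_RE.search(response)
    if m and m.group("err") != "null":
        return "password policy error from server: " + m.group("err")
    return "bind response carried a password-policy control with no error"


# Constructed sample audit records (one record per string, its lines joined with spaces).
SAMPLE_AUDIT_PLAIN = (
    "AuditV3--2015-09-24-10:56:15.122-4:00DST--V3 Bind"
    "--bindDN: uid=jdoe,ou=people,dc=example,dc=edu--client: 192.0.2.10:65349"
    "--connectionID: 174417--received: 2015-09-24-10:56:15.118-4:00DST--Success"
    " controlType: 1.3.6.1.4.1.42.2.27.8.5.1 criticality: false"
    " name: uid=jdoe,ou=people,dc=example,dc=edu authenticationChoice: simple"
)
SAMPLE_AUDIT_SSL = SAMPLE_AUDIT_PLAIN.replace("V3 Bind", "V3 SSL Bind").replace(
    "criticality: false name",
    "criticality: false controlType: 1.3.18.0.2.10.19 criticality: false name",
)

# Constructed ldaptive DEBUG lines: a bind request with the control, then no bind response.
_BIND_REQUEST = (
    "2015-09-24 13:55:41,743 DEBUG [org.ldaptive.BindOperation] - <execute request="
    "[org.ldaptive.BindRequest@1221944942::bindDn=uid=jdoe,ou=people,dc=example,dc=edu, "
    "saslConfig=null, controls=[[org.ldaptive.control.PasswordPolicyControl@-350057371::"
    "criticality=false, timeBeforeExpiration=0, graceAuthNsRemaining=0, error=null]]] "
    "with connection=[...]>"
)
SAMPLE_CAS_LOG_NO_RESPONSE = [
    _BIND_REQUEST,
    "2015-09-24 13:55:41,749 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] "
    "- <Resolving argument [UsernamePasswordCredential] for audit>",
]
# Same request, followed by an assumed-format response carrying a policy error.
SAMPLE_CAS_LOG_LOCKED = [
    _BIND_REQUEST,
    "2015-09-24 13:55:41,748 DEBUG [org.ldaptive.BindOperation] - <execute response="
    "[org.ldaptive.Response@1::result=null, resultCode=INVALID_CREDENTIALS, message=null, "
    "matchedDn=null, responseControls=[[org.ldaptive.control.PasswordPolicyControl@2::"
    "criticality=false, timeBeforeExpiration=0, graceAuthNsRemaining=0, error=ACCOUNT_LOCKED]], "
    "referralURLs=null, messageId=-1] for request=[...]>",
]

if __name__ == "__main__":
    for rec in (SAMPLE_AUDIT_PLAIN, SAMPLE_AUDIT_SSL):
        p = parse_audit_bind(rec)
        print(p["operation"], p["result"], "ppolicy requested:", ppolicy_requested(p))
    print(diagnose_bind(SAMPLE_CAS_LOG_NO_RESPONSE))
    print(diagnose_bind(SAMPLE_CAS_LOG_LOCKED))
```

Run it against real output by joining each multi-line AuditV3 record into one string and feeding the CAS log to diagnose_bind line by line. The point of the ordering in diagnose_bind is that a non-critical control the server silently ignores looks identical to a server that never answered unless the response line is actually in the log, which is why the reply's first step is raising org.ldaptive to TRACE rather than touching the CAS configuration.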