Well, your logs show that the bind request never completes. A request goes out, but a response never comes back. Daniel might be able to read ldaptive logs better than I can; other options would be to post the issue to the ldaptive mailing lists and see what you might find, or to step through the code. I can tell you the version of ldaptive that 4.0.4 uses is the same as 4.1.0, so chances are it's an issue with configuration somewhere.
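The "request goes out, no response comes back" pattern described above can be checked mechanically rather than by eyeballing a long ldaptive DEBUG log. The script below is an added example for this thread, not code from the thread, from CAS or from ldaptive: it pairs each ldaptive BindOperation "execute request" line with its "execute response" line using the BindRequest identity hash that ldaptive prints on both, and lists any bind that was sent but never answered, together with the request controls (such as PasswordPolicyControl) attached to it. The sample log lines are constructed; they are modelled on the DEBUG output quoted later in this thread, and the response line is assumed to use the same "execute response=... for request=..." layout that the quoted SearchOperation response uses. The DNs and hash values are made up.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One ldaptive BindOperation log line. 'rest' is everything after '<execute request=' or
# '<execute response=' up to the closing '>'.
BIND_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) "
    r"\[org\.ldaptive\.BindOperation\] - <execute (?P<kind>request|response)=(?P<rest>.*)>$"
)
# ldaptive prints the identity hash of the request object on both the request and the
# response line; it can be negative, so allow a leading minus sign.
REQUEST_ID = re.compile(r"org\.ldaptive\.BindRequest@(?P<id>-?\d+)")
BIND_DN = re.compile(r"bindDn=(?P<dn>.*?), saslConfig=")
CONTROL_CLASS = re.compile(r"org\.ldaptive\.control\.(\w+)@-?\d+")
RESULT_CODE = re.compile(r"resultCode=(\w+)")

# Constructed sample, modelled on the thread's DEBUG output (DNs and hashes are made up).
# alice's bind carries a PasswordPolicyControl and never gets a response; bob's plain bind does.
SAMPLE_LOG = """\
2015-09-24 16:42:23,424 DEBUG [org.ldaptive.auth.Authenticator] - <authenticate dn=uid=alice,ou=people,dc=example,dc=edu with request=[...]>
2015-09-24 16:42:23,427 DEBUG [org.ldaptive.BindOperation] - <execute request=[org.ldaptive.BindRequest@1000001::bindDn=uid=alice,ou=people,dc=example,dc=edu, saslConfig=null, controls=[[org.ldaptive.control.PasswordPolicyControl@-2000002::criticality=false, timeBeforeExpiration=0, graceAuthNsRemaining=0, error=null]]] with connection=[...]>
2015-09-24 16:42:23,433 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - <Resolving argument [UsernamePasswordCredential] for audit>
2015-09-24 16:43:01,100 DEBUG [org.ldaptive.BindOperation] - <execute request=[org.ldaptive.BindRequest@3000003::bindDn=uid=bob,ou=people,dc=example,dc=edu, saslConfig=null, controls=null] with connection=[...]>
2015-09-24 16:43:01,104 DEBUG [org.ldaptive.BindOperation] - <execute response=[org.ldaptive.Response@4000004::result=null, resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1] for request=[org.ldaptive.BindRequest@3000003::bindDn=uid=bob,ou=people,dc=example,dc=edu, saslConfig=null, controls=null] with connection=[...]>
"""


@dataclass
class BindRecord:
    ts: str
    request_id: str
    dn: str
    controls: List[str] = field(default_factory=list)  # request control class names
    result_code: Optional[str] = None  # stays None if no 'execute response' line was logged


def parse_bind_operations(log_text: str) -> List[BindRecord]:
    """Pair BindOperation request and response lines by BindRequest identity, in request order."""
    records = {}
    for line in log_text.splitlines():
        m = BIND_LINE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        rid = REQUEST_ID.search(rest)
        if not rid:
            continue
        if m.group("kind") == "request":
            dn = BIND_DN.search(rest)
            records[rid.group("id")] = BindRecord(
                ts=m.group("ts"),
                request_id=rid.group("id"),
                dn=dn.group("dn") if dn else "<unparsed>",
                controls=CONTROL_CLASS.findall(rest),
            )
        else:
            rec = records.get(rid.group("id"))
            if rec is not None:
                rc = RESULT_CODE.search(rest)
                rec.result_code = rc.group(1) if rc else "UNKNOWN"
    return list(records.values())


def unanswered_binds(log_text: str) -> List[BindRecord]:
    """Binds that were sent but for which ldaptive never logged a response."""
    return [r for r in parse_bind_operations(log_text) if r.result_code is None]


def report(log_text: str) -> List[str]:
    """One human-readable line per bind, for a quick check of a CAS log."""
    lines = []
    for r in parse_bind_operations(log_text):
        status = r.result_code or "NO RESPONSE LOGGED"
        lines.append(f"{r.ts} bind {r.dn} controls={r.controls or '-'} -> {status}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
    print(f"{len(unanswered_binds(SAMPLE_LOG))} bind(s) without a logged response")
```

Run it against a CAS log captured with org.ldaptive at DEBUG or TRACE. A bind that stays unanswered only when a PasswordPolicyControl is attached, while a bare bind to the same server is answered, points at the control handling on the directory side rather than at the credentials, which is the distinction this thread is trying to make.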
From: Abhijit Gaikwad [mailto:agaik...@fit.edu]
Sent: Thursday, September 24, 2015 2:21 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS 4.1 LDAP Authentication failed with lppe

Hi Misagh,

Thanks for the reply. In terms of configuring password policy I have only followed the LDAP lppe section. I have only enabled "PasswordPolicyAuthenticationResponseHandler". I know IBM DS supports those controls and I have confirmed this control is available via my LDAP: 1.3.6.1.4.1.42.2.27.8.5.1

Is there something else I should be looking at to confirm this on the LDAP side? On the LDAP side there are no errors and this configuration worked fine with CAS 4.0.4 though.

<property name="authenticationResponseHandlers">
    <util:list>
        <bean class="org.ldaptive.auth.ext.PasswordPolicyAuthenticationResponseHandler" />
    </util:list>
</property>

I have attached the full logs (cleaned out identity info) and the entire deployerconfigcontext.xml. I haven't made any changes to the lppe-configuration.xml.

Log snippet:

2015-09-24 16:42:23,424 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - <resolved dn=<<USER_DN>> for <<USER>>>
2015-09-24 16:42:23,424 DEBUG [org.ldaptive.auth.Authenticator] - <authenticate dn=<<USER_DN>> with request=[org.ldaptive.auth.AuthenticationRequest@175166021::<<USER>>, retAttrs=[uid, mail, displayName, ibm-allgroups]]>
2015-09-24 16:42:23,425 DEBUG [org.ldaptive.auth.PooledBindAuthenticationHandler] - <authenticate criteria=[org.ldaptive.auth.AuthenticationCriteria@2128062242::dn=<<USER_DN>>, authenticationRequest=[org.ldaptive.auth.AuthenticationRequest@175166021::<<USER>>, retAttrs=[uid, mail, displayName, ibm-allgroups]]]>
2015-09-24 16:42:23,425 TRACE [org.ldaptive.pool.BlockingConnectionPool] - <waiting on pool lock for check out 0>
2015-09-24 16:42:23,425 TRACE [org.ldaptive.pool.BlockingConnectionPool] - <retrieve available connection from pool of size 3>
2015-09-24 16:42:23,425 TRACE [org.ldaptive.pool.BlockingConnectionPool] - <waiting on pool lock for retrieve available 0>
2015-09-24 16:42:23,425 TRACE [org.ldaptive.pool.BlockingConnectionPool] - <retrieved available connection: org.ldaptive.pool.AbstractConnectionPool$DefaultPooledConnectionProxy@29a4faef>
2015-09-24 16:42:23,425 TRACE [org.ldaptive.pool.BlockingConnectionPool] - <no activator configured>
2015-09-24 16:42:23,427 DEBUG [org.ldaptive.BindOperation] - <execute request=[org.ldaptive.BindRequest@1923049081::bindDn=<<USER_DN>>, saslConfig=null, controls=[[org.ldaptive.control.PasswordPolicyControl@-350057371::criticality=false, timeBeforeExpiration=0, graceAuthNsRemaining=0, error=null]]] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@698621160::config=[org.ldaptive.ConnectionConfig@72285845::ldapUrl=ldap://<<LDAP_SERVER>>, connectTimeout=5000, responseTimeout=-1, sslConfig=[org.ldaptive.ssl.SslConfig@1338240604::credentialConfig=[org.ldaptive.ssl.X509CredentialConfig@1493022739::trustCertificates=${ldap.trustedCert}, authenticationCertificate=null, authenticationKey=null], trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=null], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@551317208::metadata=[ldapUrl=ldap://<<LDAP_SERVER>>, count=1], environment={com.sun.jndi.ldap.connect.timeout=5000, java.naming.ldap.version=3, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory}, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@415524842::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy@4c4fb0f5, controlProcessor=org.ldaptive.provider.ControlProcessor@74d8ab53, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@45070d5]>
2015-09-24 16:42:23,427 TRACE [org.ldaptive.provider.ControlProcessor] - <processing request controls: [Lorg.ldaptive.control.RequestControl;@4fe93f85>
2015-09-24 16:42:23,427 TRACE [org.ldaptive.provider.ControlProcessor] - <produced provider request controls: [javax.naming.ldap.BasicControl@2ffdb2ea]>
2015-09-24 16:42:23,432 TRACE [org.ldaptive.pool.BlockingConnectionPool] - <no passivator configured>
2015-09-24 16:42:23,432 TRACE [org.ldaptive.pool.BlockingConnectionPool] - <waiting on pool lock for check in 0>
2015-09-24 16:42:23,432 TRACE [org.ldaptive.pool.BlockingConnectionPool] - <returned active connection: org.ldaptive.pool.AbstractConnectionPool$DefaultPooledConnectionProxy@29a4faef>
2015-09-24 16:42:23,433 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - <Resolving argument [UsernamePasswordCredential] for audit>

I am not certain what I am missing here. It looks like lppe might be expecting something which it is not getting but I can't figure out what.

-Abhijit

From: Misagh Moayyed [mailto:mmoay...@unicon.net]
Sent: Thursday, September 24, 2015 3:07 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS 4.1 LDAP Authentication failed with lppe

Assuming you have configured the passwordPolicy configuration of LPPE, your logs suggest that you are not actually and fully authenticating.
There should be a full LDAP response in the logs retrieved by CAS. This is likely an issue with your PasswordPolicyControl setting that may not work well with IBM DS. Set your Ldaptive log level to TRACE and that should tell you what's happening. Are you sure your IBM DS is set up for password policy correctly?

P.S: Side issue and for the archives, SAML functionality has nothing to do with CAS. All you should have to do is to enable component scanning per the docs to get attributes working.

From: Abhijit Gaikwad [mailto:agaik...@fit.edu]
Sent: Thursday, September 24, 2015 11:42 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] CAS 4.1 LDAP Authentication failed with lppe

Hello,

I am trying to get LDAP to work with LPPE but am having some issues. This was working fine with cas 4.0.4. If I enable just LDAP authentication it works fine, but if I follow the documentation to enable lppe, authentication in CAS stops working. If I type in a valid username I don't get any response back from the CAS server, the login page just reloads. If I enter an invalid username I get an Invalid credentials message. Running this against IBM DS.

I followed the LDAP documentation from: http://jasig.github.io/cas/4.1.x/installation/LDAP-Authentication.html

1. deployerConfigContext.xml: AuthenticationManager:

<constructor-arg>
    <map>
        <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
        <entry key-ref="ldapAuthenticationHandler" value="#{null}" />
        <!-- <entry key-ref="primaryAuthenticationHandler" value-ref="primaryPrincipalResolver" /> -->
    </map>
</constructor-arg>

2. deployerConfigContext.xml - Copied the entire LDAP authenticated search section.

3. Added pom.xml (Started with the Sample overlay from https://github.com/UniconLabs/simple-cas4-overlay-template)

<dependency>
    <groupId>org.jasig.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>

4. Added ldap.properties and appropriate entry in propertyFileConfigurer.xml (This was all working fine in 4.0.4)

Without the lppe additions this all works.

5. deployerConfigContext.xml - Added the lppe section changes - (Authentication stops)

On the LDAP side I can see a successful Bind operation. However CAS just reloads the login page. Get an ACTION: AUTHENTICATION_FAILED in the logs. It does not matter if I use LDAP or LDAPS, I get the same results. On another thread it was suggested that adding SAML support might help, tried it but no change for me. [Re: [cas-user] LDAP authentication succeeded but CAS says it's not]

Any help will be greatly appreciated.

LDAP logs:

AuditV3--2015-09-24-10:56:15.122-4:00DST--V3 Bind--bindDN: <<USER_DN>>--client: XXX:65349--connectionID: 174417--received: 2015-09-24-10:56:15.118-4:00DST--Success
controlType: 1.3.6.1.4.1.42.2.27.8.5.1 criticality: false
name: <<USER_DN>>
authenticationChoice: simple

with SSL:

AuditV3--2015-09-24-14:08:43.326-4:00DST--V3 SSL Bind--bindDN: <<USER_DN>>--client: XXX:49485--connectionID: 177883--received: 2015-09-24-14:08:43.307-4:00DST--Success
controlType: 1.3.6.1.4.1.42.2.27.8.5.1 criticality: false
controlType: 1.3.18.0.2.10.19 criticality: false
name: <<USER_DN>>
authenticationChoice: simple

Logs:

2015-09-24 13:55:41,739 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - <Attempting LDAP authentication for <<USER>>+password>
2015-09-24 13:55:41,739 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - <resolve user=<<USER>>>
2015-09-24 13:55:41,739 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - <searching for DN using userFilter>
2015-09-24 13:55:41,740 DEBUG [org.ldaptive.SearchOperation] - <execute request=[org.ldaptive.SearchRequest@2082829999::baseDn=<<BASE_DN>>, searchFilter=[org.ldaptive.SearchFilter@-1184605399::filter=(&(uid={user})(objectclass=<<USER_CLASS>>)), parameters={user=<<USER>>}], returnAttributes=[1.1], searchScope=SUBTREE, timeLimit=0, sizeLimit=0, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, followReferrals=false, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@350849609::config=[org.ldaptive.ConnectionConfig@1514762349::ldapUrl=ldap://<<SERVER>>, connectTimeout=5000, responseTimeout=-1, sslConfig=[org.ldaptive.ssl.SslConfig@40180104::credentialConfig=[org.ldaptive.ssl.X509CredentialConfig@537913944::trustCertificates=file:D:\<<PATH-TO-CERT>>\cert.cer, authenticationCertificate=null, authenticationKey=null], trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@868634493::bindDn=<<ADMIN_USER_DN>>, bindSaslConfig=null, bindControls=null]], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@1990995933::metadata=[ldapUrl=ldap://<<SERVER>>, count=1], environment={com.sun.jndi.ldap.connect.timeout=5000, java.naming.ldap.version=3, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory}, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@843269638::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy@40f30d43, controlProcessor=org.ldaptive.provider.ControlProcessor@26f3c0c, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@41c576b2]>
2015-09-24 13:55:41,742 DEBUG [org.ldaptive.SearchOperation] - <execute response=[org.ldaptive.Response@1013188448::result=[org.ldaptive.SearchResult@-287860215::entries=[[dn=<<FULL_USER_DN>>[], responseControls=null, messageId=-1]], references=[]], resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1] for request=[org.ldaptive.SearchRequest@2082829999::baseDn=<<BASE_DN>>, searchFilter=[org.ldaptive.SearchFilter@-1184605399::filter=(&(uid={user})(objectclass=<<USER_CLASS>>)), parameters={user=<<USER>>}], returnAttributes=[1.1], searchScope=SUBTREE, timeLimit=0, sizeLimit=0, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, followReferrals=false, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@350849609::config=[org.ldaptive.ConnectionConfig@1514762349::ldapUrl=ldap://<<SERVER>>, connectTimeout=5000, responseTimeout=-1, sslConfig=[org.ldaptive.ssl.SslConfig@40180104::credentialConfig=[org.ldaptive.ssl.X509CredentialConfig@537913944::trustCertificates=file:D:\<<PATH-TO-CERT>>\cert.cer, authenticationCertificate=null, authenticationKey=null], trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@868634493::bindDn=<<ADMIN_USER_DN>>, bindSaslConfig=null, bindControls=null]], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@1990995933::metadata=[ldapUrl=ldap://<<SERVER>>, count=1], environment={com.sun.jndi.ldap.connect.timeout=5000, java.naming.ldap.version=3, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory}, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@843269638::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy@40f30d43, controlProcessor=org.ldaptive.provider.ControlProcessor@26f3c0c, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@41c576b2]>
2015-09-24 13:55:41,742 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - <resolved dn=<<FULL_USER_DN>> for user=<<USER>>>
2015-09-24 13:55:41,742 DEBUG [org.ldaptive.auth.Authenticator] - <authenticate dn=<<FULL_USER_DN>> with request=[org.ldaptive.auth.AuthenticationRequest@2036768392::user=<<USER>>, retAttrs=[uid, mail, displayName, ibm-allgroups]]>
2015-09-24 13:55:41,742 DEBUG [org.ldaptive.auth.PooledBindAuthenticationHandler] - <authenticate criteria=[org.ldaptive.auth.AuthenticationCriteria@743412056::dn=<<FULL_USER_DN>>, authenticationRequest=[org.ldaptive.auth.AuthenticationRequest@2036768392::user=<<USER>>, retAttrs=[uid, mail, displayName, ibm-allgroups]]]>
2015-09-24 13:55:41,743 DEBUG [org.ldaptive.BindOperation] - <execute request=[org.ldaptive.BindRequest@1221944942::bindDn=<<FULL_USER_DN>>, saslConfig=null, controls=[[org.ldaptive.control.PasswordPolicyControl@-350057371::criticality=false, timeBeforeExpiration=0, graceAuthNsRemaining=0, error=null]]] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@375183601::config=[org.ldaptive.ConnectionConfig@1368069874::ldapUrl=ldap://<<SERVER>>, connectTimeout=5000, responseTimeout=-1, sslConfig=[org.ldaptive.ssl.SslConfig@40180104::credentialConfig=[org.ldaptive.ssl.X509CredentialConfig@537913944::trustCertificates=file:D:\<<PATH-TO-CERT>>\cert.cer, authenticationCertificate=null, authenticationKey=null], trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=null], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@49660921::metadata=[ldapUrl=ldap://<<SERVER>>, count=1], environment={com.sun.jndi.ldap.connect.timeout=5000, java.naming.ldap.version=3, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory}, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@151291549::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy@40f30d43, controlProcessor=org.ldaptive.provider.ControlProcessor@2e98becd, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@3d8099f1]>
2015-09-24 13:55:41,749 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - <Resolving argument [UsernamePasswordCredential] for audit>
2015-09-24 13:55:41,750 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - <Resolving argument [UsernamePasswordCredential] for audit>
2015-09-24 13:55:41,750 DEBUG [org.jasig.cas.web.flow.GenerateLoginTicketAction] - <Generated login ticket LT-3-AbN2D2L0eIHxIvdOJeEYGPpuHSBeaN-cas4.<<DOMAIN>>>

--
You are currently subscribed to cas-user@lists.jasig.org as: mmoay...@unicon.net
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user