Hello, I change those values before I added files to my mail. Actually while doing mvn package it connects to ldap and confirms the credential and other stuff. I can send those log if you want.
Regards On Thu, Oct 29, 2015 at 4:47 PM, Christopher Myers <cmy...@mail.millikin.edu > wrote: > It looks like you might have just copied the config from the examples > without modifying it to fit your environment; for example, the > cas.properties file says that your LDAP server is > > ldap.url=ldap://localhost:389 > > and the deployerConfigContext file says that your base DN is > p:baseDn="ou=users,dc=example,dc=com" > > with bind credentials of > ldap.authn.baseDn=ou=Users,dc=example,dc=com > ldap.authn.managerDN=cn=admin,dc=example,dc=com > ldap.authn.managerPassword=qwerty123 > > so you might want to review the settings and make sure that they've been > tweaked for your environment. > > Chris > > > > > >>> Lutfi Oduncuoglu <lutfioduncuo...@gmail.com> 10/29/15 8:34 AM >>> > > Hello, > > I have just started to use CAS and I want to authenticate users over my > local ldap server. I did the exact configuration at > http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html. I > added that parts to deployerconfig.xml and cas.properties. Tomcat running > in ssl mode, so I connect CAS via https. > > However when I try to login CAS does not connect ldap. As you can see from > catalina.out > > 2015-10-29 15:31:20,466 INFO > [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - > <AcceptUsersAuthenticationHandler failed authenticating deneme+password> > 2015-10-29 15:31:20,466 INFO > [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit > trail record BEGIN > ============================================================= > WHO: audit:unknown > WHAT: supplied credentials: [test+password] > ACTION: AUTHENTICATION_FAILED > APPLICATION: CAS > WHEN: Thu Oct 29 15:31:20 EET 2015 > CLIENT IP ADDRESS: 10.6.16.15 > SERVER IP ADDRESS: 10.6.16.16 > ============================================================= > > > > 2015-10-29 15:31:20,467 INFO > [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit > trail record BEGIN > ============================================================= > WHO: audit:unknown > WHAT: 1 errors, 0 successes > ACTION: TICKET_GRANTING_TICKET_NOT_CREATED > APPLICATION: CAS > WHEN: Thu Oct 29 15:31:20 EET 2015 > CLIENT IP ADDRESS: 10.6.16.15 > SERVER IP ADDRESS: 10.6.16.16 > ============================================================= > > > > 2015-10-29 15:31:21,039 INFO > [org.jasig.cas.services.DefaultServicesManagerImpl] - <Reloading registered > services.> > 2015-10-29 15:31:21,039 INFO > [org.jasig.cas.services.DefaultServicesManagerImpl] - <Loaded 1 services.> > > > My xml files are below. > > Thank you very much for help > > > pom.xml > > > <!-- > ~ Licensed to Jasig under one or more contributor license > ~ agreements. See the NOTICE file distributed with this work > ~ for additional information regarding copyright ownership. > ~ Jasig licenses this file to you under the Apache License, > ~ Version 2.0 (the "License"); you may not use this file > ~ except in compliance with the License. You may obtain a > ~ copy of the License at the following location: > ~ > ~ http://www.apache.org/licenses/LICENSE-2.0 > ~ > ~ Unless required by applicable law or agreed to in writing, > ~ software distributed under the License is distributed on an > ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY > ~ KIND, either express or implied. See the License for the > ~ specific language governing permissions and limitations > ~ under the License. > --> > > <project xmlns="http://maven.apache.org/POM/4.0.0"; xmlns:xsi=" > http://www.w3.org/2001/XMLSchema-instance"; xsi:schemaLocation=" > http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd > "> > <parent> > <groupId>org.jasig.cas</groupId> > <artifactId>cas-server</artifactId> > <version>4.0.0</version> > </parent> > <modelVersion>4.0.0</modelVersion> > <artifactId>cas-server-webapp</artifactId> > <packaging>war</packaging> > <name>Jasig CAS Web Application</name> > <dependencies> > <dependency> > <groupId>org.jasig.cas</groupId> > <artifactId>cas-server-webapp-support</artifactId> > <version>${project.version}</version> > <scope>compile</scope> > </dependency> > <dependency> > <groupId>org.springframework</groupId> > <artifactId>spring-expression</artifactId> > <version>${spring.version}</version> > <scope>runtime</scope> > </dependency> > <dependency> > <groupId>javax.servlet</groupId> > <artifactId>jstl</artifactId> > <version>1.1.2</version> > <type>jar</type> > <scope>runtime</scope> > </dependency> > <dependency> > <groupId>taglibs</groupId> > <artifactId>standard</artifactId> > <version>1.1.2</version> > <type>jar</type> > <scope>runtime</scope> > </dependency> > <dependency> > <groupId>org.jasig.cas</groupId> > <artifactId>cas-server-support-ldap</artifactId> > <version>4.0.0</version> > </dependency> > </dependencies> > > <build> > <plugins> > <plugin> > <groupId>org.apache.maven.plugins</groupId> > <artifactId>maven-war-plugin</artifactId> > <configuration> > <warName>cas</warName> > <webResources> > <resource> > <directory>${basedir}/src/main/webapp/WEB-INF</directory> > <filtering>true</filtering> > <targetPath>WEB-INF</targetPath> > <includes> > <include>**/web.xml</include> > </includes> > </resource> > </webResources> > </configuration> > </plugin> > </plugins> > </build> > > <properties> > <cs.dir>${project.parent.basedir}</cs.dir> > </properties> > </project> > > deployerConfigContext.xml > > > <?xml version="1.0" encoding="UTF-8"?> > <!-- > > Licensed to Jasig under one or more contributor license > agreements. See the NOTICE file distributed with this work > for additional information regarding copyright ownership. > Jasig licenses this file to you under the Apache License, > Version 2.0 (the "License"); you may not use this file > except in compliance with the License. You may obtain a > copy of the License at the following location: > > http://www.apache.org/licenses/LICENSE-2.0 > > Unless required by applicable law or agreed to in writing, > software distributed under the License is distributed on an > "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY > KIND, either express or implied. See the License for the > specific language governing permissions and limitations > under the License. > > --> > <!-- > | deployerConfigContext.xml centralizes into one file some of the > declarative configuration that > | all CAS deployers will need to modify. > | > | This file declares some of the Spring-managed JavaBeans that make up a > CAS deployment. > | The beans declared in this file are instantiated at context > initialization time by the Spring > | ContextLoaderListener declared in web.xml. It finds this file because > this > | file is among those declared in the context parameter > "contextConfigLocation". > | > | By far the most common change you will need to make in this file is to > change the last bean > | declaration to replace the default authentication handler with > | one implementing your approach for authenticating usernames and > passwords. > +--> > > <beans xmlns="http://www.springframework.org/schema/beans"; > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; > xmlns:p="http://www.springframework.org/schema/p"; > xmlns:c="http://www.springframework.org/schema/c"; > xmlns:tx="http://www.springframework.org/schema/tx"; > xmlns:util="http://www.springframework.org/schema/util"; > xmlns:sec="http://www.springframework.org/schema/security"; > xsi:schemaLocation="http://www.springframework.org/schema/beans > http://www.springframework.org/schema/beans/spring-beans-3.2.xsd > http://www.springframework.org/schema/tx > http://www.springframework.org/schema/tx/spring-tx-3.2.xsd > http://www.springframework.org/schema/security > http://www.springframework.org/schema/security/spring-security-3.2.xsd > http://www.springframework.org/schema/util > http://www.springframework.org/schema/util/spring-util.xsd";> > > <!-- > | The authentication manager defines security policy for > authentication by specifying at a minimum > | the authentication handlers that will be used to authenticate > credential. While the AuthenticationManager > | interface supports plugging in another implementation, the > default PolicyBasedAuthenticationManager should > | be sufficient in most cases. > +--> > <bean id="authenticationManager" > class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager"> > <constructor-arg> > <map> > <!-- > | IMPORTANT > | Every handler requires a unique name. > | If more than one instance of the same handler class > is configured, you must explicitly > | set its name to something other than its default name > (typically the simple class name). > --> > <entry key-ref="proxyAuthenticationHandler" > value-ref="proxyPrincipalResolver" /> > <entry key-ref="primaryAuthenticationHandler" > value-ref="primaryPrincipalResolver" /> > <entry key-ref="ldapAuthenticationHandler" value="#{null}" > /> > </map> > </constructor-arg> > > <!-- Uncomment the metadata populator to allow clearpass to > capture and cache the password > This switch effectively will turn on clearpass. > <property name="authenticationMetaDataPopulators"> > <util:list> > <bean > class="org.jasig.cas.extension.clearpass.CacheCredentialsMetaDataPopulator" > c:credentialCache-ref="encryptedMap" /> > </util:list> > </property> > --> > > <!-- > | Defines the security policy around authentication. Some > alternative policies that ship with CAS: > | > | * NotPreventedAuthenticationPolicy - all credential must > either pass or fail authentication > | * AllAuthenticationPolicy - all presented credential must be > authenticated successfully > | * RequiredHandlerAuthenticationPolicy - specifies a handler > that must authenticate its credential to pass > --> > <property name="authenticationPolicy"> > <bean > class="org.jasig.cas.authentication.AnyAuthenticationPolicy" /> > </property> > </bean> > > <!-- Required for proxy ticket mechanism. --> > <bean id="proxyAuthenticationHandler" > > class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" > p:httpClient-ref="httpClient" /> > > <!-- > | TODO: Replace this component with one suitable for your > enviroment. > | > | This component provides authentication for the kind of credential > used in your environment. In most cases > | credential is a username/password pair that lives in a system of > record like an LDAP directory. > | The most common authentication handler beans: > | > | * org.jasig.cas.authentication.LdapAuthenticationHandler > | * org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler > | * > org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler > | * > org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler > --> > <bean id="ldapAuthenticationHandler" > class="org.jasig.cas.authentication.LdapAuthenticationHandler" > p:principalIdAttribute="cn" > c:authenticator-ref="authenticator"> > <property name="principalAttributeMap"> > <map> > <!-- > | This map provides a simple attribute resolution mechanism. > | Keys are LDAP attribute names, values are CAS attribute > names. > | Use this facility instead of a PrincipalResolver if LDAP > is > | the only attribute source. > --> > <entry key="cn" value="cn" /> > </map> > </property> > </bean> > > <bean id="authenticator" class="org.ldaptive.auth.Authenticator" > c:resolver-ref="dnResolver" > c:handler-ref="authHandler" /> > > <bean id="dnResolver" class="org.ldaptive.auth.PooledSearchDnResolver" > p:baseDn="ou=users,dc=example,dc=com" > p:subtreeSearch="true" > p:allowMultipleDns="false" > p:connectionFactory-ref="searchPooledLdapConnectionFactory" > p:userFilter="uid={user}" /> > > <bean id="searchPooledLdapConnectionFactory" > class="org.ldaptive.pool.PooledConnectionFactory" > p:connectionPool-ref="searchConnectionPool" /> > > <bean id="searchConnectionPool" parent="abstractConnectionPool" > p:connectionFactory-ref="searchConnectionFactory" /> > > <bean id="searchConnectionFactory" > class="org.ldaptive.DefaultConnectionFactory" > p:connectionConfig-ref="searchConnectionConfig" /> > > <bean id="searchConnectionConfig" parent="abstractConnectionConfig" > p:connectionInitializer-ref="bindConnectionInitializer" /> > > <bean id="bindConnectionInitializer" > class="org.ldaptive.BindConnectionInitializer" > p:bindDn="cn=admin,dc=example,dc=com"> > <property name="bindCredential"> > <bean class="org.ldaptive.Credential" > c:password="password" /> > </property> > </bean> > > <bean id="abstractConnectionPool" abstract="true" > class="org.ldaptive.pool.BlockingConnectionPool" > init-method="initialize" > p:poolConfig-ref="ldapPoolConfig" > p:blockWaitTime="3000" > p:validator-ref="searchValidator" > p:pruneStrategy-ref="pruneStrategy" /> > > <bean id="abstractConnectionConfig" abstract="true" > class="org.ldaptive.ConnectionConfig" > p:ldapUrl="ldap://localhost:389"; > p:connectTimeout="3000" > p:useStartTLS="false"/> > <!--p:sslConfig-ref="sslConfig" /--> > > <bean id="ldapPoolConfig" class="org.ldaptive.pool.PoolConfig" > p:minPoolSize="3" > p:maxPoolSize="10" > p:validateOnCheckOut="false" > p:validatePeriodically="true" > p:validatePeriod="300" /> > > <!--bean id="sslConfig" class="org.ldaptive.ssl.SslConfig"> > <property name="credentialConfig"> > <bean class="org.ldaptive.ssl.X509CredentialConfig" > p:trustCertificates="${ldap.trustedCert}" /> > </property> > </bean--> > > <bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy" > p:prunePeriod="300" > p:idleTime="600" /> > > <bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" /> > > <bean id="authHandler" > class="org.ldaptive.auth.PooledBindAuthenticationHandler" > p:connectionFactory-ref="bindPooledLdapConnectionFactory" /> > > <bean id="bindPooledLdapConnectionFactory" > class="org.ldaptive.pool.PooledConnectionFactory" > p:connectionPool-ref="bindConnectionPool" /> > > <bean id="bindConnectionPool" parent="abstractConnectionPool" > p:connectionFactory-ref="bindConnectionFactory" /> > > <bean id="bindConnectionFactory" > class="org.ldaptive.DefaultConnectionFactory" > p:connectionConfig-ref="bindConnectionConfig" /> > > <bean id="bindConnectionConfig" parent="abstractConnectionConfig" /> > > <bean id="primaryAuthenticationHandler" > > class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler"> > <property name="users"> > <map> > <entry key="casuser" value="Mellon"/> > </map> > </property> > </bean> > > <!-- Required for proxy ticket mechanism --> > <bean id="proxyPrincipalResolver" > > class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" /> > > <!-- > | Resolves a principal from a credential using an attribute > repository that is configured to resolve > | against a deployer-specific store (e.g. LDAP). > --> > <bean id="primaryPrincipalResolver" > > class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver" > > > <property name="attributeRepository" ref="attributeRepository" /> > </bean> > > <!-- > Bean that defines the attributes that a service may return. This > example uses the Stub/Mock version. A real implementation > may go against a database or LDAP server. The id should remain > "attributeRepository" though. > +--> > <bean id="attributeRepository" > class="org.jasig.services.persondir.support.StubPersonAttributeDao" > p:backingMap-ref="attrRepoBackingMap" /> > > <util:map id="attrRepoBackingMap"> > <entry key="uid" value="uid" /> > <entry key="eduPersonAffiliation" value="eduPersonAffiliation" /> > <entry key="groupMembership" value="groupMembership" /> > </util:map> > > <!-- > Sample, in-memory data store for the ServiceRegistry. A real > implementation > would probably want to replace this with the JPA-backed > ServiceRegistry DAO > The name of this bean should remain "serviceRegistryDao". > +--> > <bean id="serviceRegistryDao" > class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" > p:registeredServices-ref="registeredServicesList" /> > > <util:list id="registeredServicesList"> > <bean class="org.jasig.cas.services.RegexRegisteredService" > p:id="0" p:name="HTTP and IMAP" p:description="Allows > HTTP(S) and IMAP(S) protocols" > p:serviceId="^(https?|imaps?)://.*" > p:evaluationOrder="10000001" /> > <!-- > Use the following definition instead of the above to further > restrict access > to services within your domain (including sub domains). > Note that example.com must be replaced with the domain you wish > to permit. > This example also demonstrates the configuration of an attribute > filter > that only allows for attributes whose length is 3. > --> > <!-- > <bean class="org.jasig.cas.services.RegexRegisteredService"> > <property name="id" value="1" /> > <property name="name" value="HTTP and IMAP on example.com" /> > <property name="description" value="Allows HTTP(S) and IMAP(S) > protocols on example.com" /> > <property name="serviceId" > value="^(https?|imaps?)://([A-Za-z0-9_-]+\.)*example\.com/.*" /> > <property name="evaluationOrder" value="0" /> > <property name="attributeFilter"> > <bean > class="org.jasig.cas.services.support.RegisteredServiceRegexAttributeFilter" > c:regex="^\w{3}$" /> > </property> > </bean> > --> > </util:list> > > <bean id="auditTrailManager" > class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" /> > > <bean id="healthCheckMonitor" > class="org.jasig.cas.monitor.HealthCheckMonitor" > p:monitors-ref="monitorsList" /> > > <util:list id="monitorsList"> > <bean class="org.jasig.cas.monitor.MemoryMonitor" > p:freeMemoryWarnThreshold="10" /> > <!-- > NOTE > The following ticket registries support SessionMonitor: > * DefaultTicketRegistry > * JpaTicketRegistry > Remove this monitor if you use an unsupported registry. > --> > <bean class="org.jasig.cas.monitor.SessionMonitor" > p:ticketRegistry-ref="ticketRegistry" > p:serviceTicketCountWarnThreshold="5000" > p:sessionCountWarnThreshold="100000" /> > </util:list> > </beans> > > > and cas.properties file > > # > # Licensed to Jasig under one or more contributor license > # agreements. See the NOTICE file distributed with this work > # for additional information regarding copyright ownership. > # Jasig licenses this file to you under the Apache License, > # Version 2.0 (the "License"); you may not use this file > # except in compliance with the License. You may obtain a > # copy of the License at the following location: > # > # http://www.apache.org/licenses/LICENSE-2.0 > # > # Unless required by applicable law or agreed to in writing, > # software distributed under the License is distributed on an > # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY > # KIND, either express or implied. See the License for the > # specific language governing permissions and limitations > # under the License. > # > > server.name=http://localhost:8080 > server.prefix=${server.name}/cas > # IP address or CIDR subnet allowed to access the /status URI of CAS that > exposes health check information > cas.securityContext.status.allowedSubnet=127.0.0.1 > > > cas.themeResolver.defaultThemeName=cas-theme-default > cas.viewResolver.basename=default_views > > ## > # Unique CAS node name > # host.name is used to generate unique Service Ticket IDs and > SAMLArtifacts. This is usually set to the specific > # hostname of the machine running the CAS node, but it could be any label > so long as it is unique in the cluster. > host.name=cas01.example.org > > ## > # Database flavors for Hibernate > # > # One of these is needed if you are storing Services or Tickets in an > RDBMS via JPA. > # > # database.hibernate.dialect=org.hibernate.dialect.OracleDialect > # database.hibernate.dialect=org.hibernate.dialect.MySQLInnoDBDialect > # database.hibernate.dialect=org.hibernate.dialect.HSQLDialect > > ## > # CAS Logout Behavior > # WEB-INF/cas-servlet.xml > # > # Specify whether CAS should redirect to the specified service parameter > on /logout requests > # cas.logout.followServiceRedirects=false > > ## > # Single Sign-On Session Timeouts > # Defaults sourced from > WEB-INF/spring-configuration/ticketExpirationPolices.xml > # > # Maximum session timeout - TGT will expire in maxTimeToLiveInSeconds > regardless of usage > # tgt.maxTimeToLiveInSeconds=28800 > # > # Idle session timeout - TGT will expire sooner than > maxTimeToLiveInSeconds if no further requests > # for STs occur within timeToKillInSeconds > # tgt.timeToKillInSeconds=7200 > > ## > # Service Ticket Timeout > # Default sourced from > WEB-INF/spring-configuration/ticketExpirationPolices.xml > # > # Service Ticket timeout - typically kept short as a control against > replay attacks, default is 10s. You'll want to > # increase this timeout if you are manually testing service ticket > creation/validation via tamperdata or similar tools > # st.timeToKillInSeconds=10 > > ## > # Single Logout Out Callbacks > # Default sourced from > WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml > # > # To turn off all back channel SLO requests set slo.disabled to true > # slo.callbacks.disabled=false > > ## > # Service Registry Periodic Reloading Scheduler > # Default sourced from WEB-INF/spring-configuration/applicationContext.xml > # > # Force a startup delay of 2 minutes. > # service.registry.quartz.reloader.startDelay=120000 > # > # Reload services every 2 minutes > # service.registry.quartz.reloader.repeatInterval=120000 > > ## > # Log4j > # Default sourced from WEB-INF/spring-configuration/log4jConfiguration.xml: > # > # It is often time helpful to externalize log4j.xml to a system path to > preserve settings between upgrades. > # e.g. log4j.config.location=/etc/cas/log4j.xml > # log4j.config.location=classpath:log4j.xml > # > # log4j refresh interval in millis > # log4j.refresh.interval=60000 > > ## > # Password Policy > # > # Warn all users of expiration date regardless of warningDays value. > password.policy.warnAll=false > > # Threshold number of days to begin displaying password expiration > warnings. > password.policy.warningDays=30 > > # URL to which the user will be redirected to change the passsword. > password.policy.url=https://password.example.edu/change > > #======================================== > # General properties > #======================================== > ldap.url=ldap://localhost:389 > > # LDAP connection timeout in milliseconds > ldap.connectTimeout=3000 > > # Whether to use StartTLS (probably needed if not SSL connection) > ldap.useStartTLS=true > > #======================================== > # LDAP connection pool configuration > #======================================== > ldap.pool.minSize=3 > ldap.pool.maxSize=10 > ldap.pool.validateOnCheckout=false > ldap.pool.validatePeriodically=true > > # Amount of time in milliseconds to block on pool exhausted condition > # before giving up. > ldap.pool.blockWaitTime=3000 > > # Frequency of connection validation in seconds > # Only applies if validatePeriodically=true > ldap.pool.validatePeriod=300 > > # Attempt to prune connections every N seconds > ldap.pool.prunePeriod=300 > > # Maximum amount of time an idle connection is allowed to be in > # pool before it is liable to be removed/destroyed > ldap.pool.idleTime=600 > > #======================================== > # Authentication > #======================================== > > # Base DN of users to be authenticated > ldap.authn.baseDn=ou=Users,dc=example,dc=com > > # Manager DN for authenticated searches > #ldap.authn.managerDN=uid=manager,ou=Users,dc=example,dc=org > ldap.authn.managerDN=cn=admin,dc=example,dc=com > > # Manager password for authenticated searches > ldap.authn.managerPassword=qwerty123 > > # Search filter used for configurations that require searching for DNs > #ldap.authn.searchFilter=(&(uid={user})(accountState=active)) > ldap.authn.searchFilter=(uid={user}) > > # Search filter used for configurations that require searching for DNs > #ldap.authn.format=uid=%s,ou=Users,dc=example,dc=org > ldap.authn.format=uid=%s,ou=users,dc=example,dc=com > #ldap.authn.format=%s...@example.com > > -- > You are currently subscribed to cas-user@lists.jasig.org as: > cmy...@mail.millikin.edu > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > > -- > You are currently subscribed to cas-user@lists.jasig.org as: > lutfioduncuo...@gmail.com > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > > -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
