Re: [cas-user] LDAP BindPassivator needed for pooled DirectBind connections where LDAP denies anonymous search

[Jérôme Nenert]

Ben Howell-Thomas <ben.howell-tho...@northgateps.com> a écrit :
Thanks for confirming I'm not the only one who had that issue.

I hadn't got around to raising an issue so I thought I was going crazy when
I saw this in the CAS docs :

# cas.authn.ldap[0].poolPassivator=NONE|CLOSE|BIND


but it looks like Misagh's added it, presumably to 5.1 RC2.  Ah yes, I
think I've connected the dots, the release announcement has :


   - Removed the need to re-create LDAP connection pools during LDAP
   authentication for entry resolution, etc.

That'll be it - Thanks Misagh :)


We are currently on the 5.0.x branch. It looks like it's mandatory to  
migrate 5.1 RC2 to fix this issue ?


Ben

On 24 February 2017 at 23:59, Tom Poage <tfpo...@ucdavis.edu> wrote:

This issue looks to have just bit us with 4.2.x, as well.

A network configuration error led to losing two of our four CAS servers at
a busy time of day. Some fraction of the users needed to re-login, so there
was a natural increase in LDAP pool connections. Every time the validator
ran, each connection in the pool failed validation, forcing the creation of
a new set of connections. We didn't notice this behavior earlier but, now
that we look at it, it's been there all along.

Tom.


> On Feb 13, 2017, at 2:11 AM, Ben Howell-Thomas <ben.howell-thomas@
northgateps.com> wrote:
>
> Hi,
>
> I think I may have found an issue but per guidelines posting here first.
>
> When CAS is configured to authenticate with LDAP using Direct Bind and
LDAP is locked down to not allow anonymous binds/searches or for users to
see anything other than their own entry, then we get unexpected failures
trying to log in.
>
> For wrong passwords or locked accounts, every second attempt [with a
given Ldap connection from the pool] would fail.  Actually, it would also
fail for a valid account with the correct password if it was on the same
connection as a failed login attempt, and the regular connection validator
would similarly fail.
>
> What's happening in Ldaptive is as follows :
>       • Before a bind attempt, a SearchValidator checks the connection
is still valid
>       • To make the bind attempt,  
org.ldaptive.provider.jndi.JndiConnection
sets the principal and credentials on the connection's environment variable
>       • This connection is then returned to the pool, still containing
the principal and credentials from the previous attempt.
>       • Before the next login/bind attempt using that connection,
SearchValidator tries to validate the connection again but fails, because
it's no longer trying with the configured cas.properties
cas.authn.ldap.bindDn property but with whatever user DN was used in the
previous step
>       • Since the SearchValidator fails, the connection is closed and an
exception is returned, so CAS denies access by default (even if we should
show the Account Locked page).
> I asked the Ldaptive mailing list about this which put me on to the
org.ldaptive.pool.BindPassivator class which reconnects to LDAP with the
configured DN and credentials, effectively resetting the connection to what
it should be after each bind request.  That way the connection is returned
to the pool ready to be used again.
>
> Adding the following to our version of  
LdapAuthenticationConfiguration.getDirectBindAuthenticator()
implemented a BindPassivator to restore expected behaviour :
>
> /*
>  * Binding (which we do both when validating connections and
authenticating users) using pooled connections is "tricky"
>  * according to the Ldaptive mailing list.  The connection must be
returned to the pool ready for the next connection
>  * to use (ie not binded as the previous user). Set a BindPassivator to
clean the connection when it's returned to the pool.
>  */
> ConnectionPool cp = pooledBindAuthenticationHandle
r.getConnectionFactory().getConnectionPool();
> BindRequest br = new BindRequest(l.getBindDn(), new Credential(l.
getBindCredential()));
> cp.setPassivator(new BindPassivator(br));
>
> Another workaround of course would be to change the LDAP configuration.
>
> thanks,
>
> Ben
>
> # ps some relevant LDAP settings for reference
> cas.authn.ldap[0].type=DIRECT
> cas.authn.ldap[0].useSsl=false
> cas.authn.ldap[0].useStartTls=false
> cas.authn.ldap[0].connectTimeout=5000
> cas.authn.ldap[0].subtreeSearch=false
> cas.authn.ldap[0].bindDn=uid=cas,ou=Administrators,dc=domain,dc=com
> cas.authn.ldap[0].bindCredential=password
> cas.authn.ldap[0].minPoolSize=3
> cas.authn.ldap[0].maxPoolSize=10
> cas.authn.ldap[0].validateOnCheckout=true
> cas.authn.ldap[0].validatePeriodically=true
> cas.authn.ldap[0].validatePeriod=600
> cas.authn.ldap[0].failFast=true
> cas.authn.ldap[0].idleTime=500
> cas.authn.ldap[0].prunePeriod=600
> cas.authn.ldap[0].blockWaitTime=5000
>
> This email is sent on behalf of Northgate Public Services (UK) Limited
and its associated companies including Rave Technologies (India) Pvt
Limited (together "Northgate Public Services") and is strictly confidential
and intended solely for the addressee(s).
> If you are not the intended recipient of this email you must: (i) not
disclose, copy or distribute its contents to any other person nor use its
contents in any way or you may be acting unlawfully;  (ii) contact
Northgate Public Services immediately on +44(0)1908 264500 quoting the
name of the sender and the addressee then delete it from your system.
> Northgate Public Services has taken reasonable precautions to ensure
that no viruses are contained in this email, but does not accept any
responsibility once this email has been transmitted.  You should scan
attachments (if any) for viruses.
>
> Northgate Public Services (UK) Limited, registered in England and Wales
under number 00968498 with a registered address of Peoplebuilding 2,
Peoplebuilding Estate, Maylands Avenue, Hemel Hempstead, Hertfordshire, HP2
4NN.  Rave Technologies (India) Pvt Limited, registered in India under
number 117068 with a registered address of 2nd Floor, Ballard House, Adi
Marzban Marg, Ballard Estate, Mumbai, Maharashtra, India, 400001.
>
> --
> - CAS gitter chatroom: https://gitter.im/apereo/cas
> - CAS mailing list guidelines: https://apereo.github.io/cas/
Mailing-Lists.html
> - CAS documentation website: https://apereo.github.io/cas
> - CAS project website: https://github.com/apereo/cas
> ---
> You received this message because you are subscribed to the Google
Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send
an email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit https://groups.google.com/a/
apereo.org/d/msgid/cas-user/CAD0p8psvuk%2Br_kUnBhM4MP9sK8%
2Bm80VFGF5sqRNbzxYUn0Az1A%40mail.gmail.com.

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/
Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups
"CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/
apereo.org/d/msgid/cas-user/9BE363E2-1316-406C-A3EB-
D97AA60A3247%40ucdavis.edu.


--
This email is sent on behalf of Northgate Public Services (UK) Limited and
its associated companies including Rave Technologies (India) Pvt Limited
(together "Northgate Public Services") and is strictly confidential and
intended solely for the addressee(s).
If you are not the intended recipient of this email you must: (i) not
disclose, copy or distribute its contents to any other person nor use its
contents in any way or you may be acting unlawfully;  (ii) contact
Northgate Public Services immediately on +44(0)1908 264500 quoting the name
of the sender and the addressee then delete it from your system.
Northgate Public Services has taken reasonable precautions to ensure that
no viruses are contained in this email, but does not accept any
responsibility once this email has been transmitted.  You should scan
attachments (if any) for viruses.

Northgate Public Services (UK) Limited, registered in England and Wales
under number 00968498 with a registered address of Peoplebuilding 2,
Peoplebuilding Estate, Maylands Avenue, Hemel Hempstead, Hertfordshire, HP2
4NN.  Rave Technologies (India) Pvt Limited, registered in India under
number 117068 with a registered address of 2nd Floor, Ballard House, Adi
Marzban Marg, Ballard Estate, Mumbai, Maharashtra, India, 400001.

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines:  
https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google  
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it,  
send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit  
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAD0p8psqbteJVN6Vw5jL6Gm5JG-Ahq%2BYy%2BmTt%2Bckv99m2nm5gw%40mail.gmail.com.


--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/20170315165350.Horde.VDzKC-q20etDC6rxCK6PjE2%40courriel.u-paris2.fr.