Hi, and thanks for the suggestion, we tried it but it didn't solve the 
problem.

In case there is a dependency missing from our system: it was built with Maven, 
and the POM file has the following dependencies:
    <dependencies>
        <dependency>
            <groupId>org.jasig.cas</groupId>
            <artifactId>cas-server-webapp</artifactId>
            <version>${cas.version}</version>
            <type>war</type>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.jasig.cas</groupId>
            <artifactId>cas-server-support-ldap</artifactId>
            <version>${cas.version}</version>
        </dependency>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>servlet-api</artifactId>
            <version>${servlet.version}</version>
            <scope>provided</scope>
        </dependency>
    </dependencies>
The first post to the group has a copy of the deployerConfigContext.xml so 
that you can see the beans that are being called.

Additional configuration goes into the cas.properties file.
For the basic LDAP authentication there is an LDAP.properties file used.

We had experimented with a separate LPPE-configuration xml file in the 
...\webapps\cas\WEB-INF\spring-configuration folder but we deleted it as 
we could not get it to work that way either.
 
Has anyone got LPPE to work with CAS 4.2.1?

On Tuesday, March 13, 2018 at 4:00:42 PM UTC, casconfiguration 
casconfiguration wrote:
>
> Trying to get CAS version 4.2.1 to recognise and respond correctly to 
> messages from an AD server (LPPE) such as the password must change or the 
> account is locked.
>   
> From the CAS log file it is reporting the error 773 for changing a 
> password but it interprets it as an invalid authentication and presents the 
> user with an Invalid Credentials message.
>  
> The complete deployerConfigContext.xml file and cas.log are attached
>
>
>  =========================
>  deployerConfigContext.xml
>  =========================
>  <?xml version="1.0" encoding="UTF-8"?>
> <!--
> | deployerConfigContext.xml centralizes into one file some of the 
> declarative configuration that
> | all CAS deployers will need to modify.
> |
> | This file declares some of the Spring-managed JavaBeans that make up a 
> CAS deployment.
> | The beans declared in this file are instantiated at context 
> initialization time by the Spring
> | ContextLoaderListener declared in web.xml.  It finds this file because 
> this
> | file is among those declared in the context parameter 
> "contextConfigLocation".
> |
> | By far the most common change you will need to make in this file is to 
> change the last bean
> | declaration to replace the default authentication handler with
> | one implementing your approach for authenticating usernames and 
> passwords.
> +-->
>
> <beans xmlns="http://www.springframework.org/schema/beans"
>        xmlns:ldaptive="http://www.ldaptive.org/schema/spring-ext"
>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>        xmlns:context="http://www.springframework.org/schema/context"
>        xmlns:p="http://www.springframework.org/schema/p"
>        xmlns:c="http://www.springframework.org/schema/c"
>        xmlns:aop="http://www.springframework.org/schema/aop"
>        xmlns:tx="http://www.springframework.org/schema/tx"
>        xmlns:util="http://www.springframework.org/schema/util"
>        xmlns:sec="http://www.springframework.org/schema/security"
>        xsi:schemaLocation="http://www.springframework.org/schema/beans 
> http://www.springframework.org/schema/beans/spring-beans.xsd
>        http://www.springframework.org/schema/tx 
> http://www.springframework.org/schema/tx/spring-tx.xsd
>        http://www.springframework.org/schema/aop 
> http://www.springframework.org/schema/aop/spring-aop.xsd
>        http://www.springframework.org/schema/context 
> http://www.springframework.org/schema/context/spring-context.xsd
>        http://www.springframework.org/schema/security 
> http://www.springframework.org/schema/security/spring-security.xsd
>        http://www.springframework.org/schema/util 
> http://www.springframework.org/schema/util/spring-util.xsd
>        http://www.ldaptive.org/schema/spring-ext
>        http://www.ldaptive.org/schema/spring-ext.xsd">
>
>
>     <util:map id="authenticationHandlersResolvers">
>         <entry key-ref="proxyAuthenticationHandler" 
> value-ref="proxyPrincipalResolver" />
>         <entry key-ref="primaryAuthenticationHandler" 
> value-ref="primaryPrincipalResolver" />  
>     <entry key-ref="ldapAuthenticationHandler" 
> value-ref="primaryPrincipalResolver" />
>     </util:map>
>
>     <util:list id="authenticationMetadataPopulators">
>         <ref bean="successfulHandlerMetaDataPopulator" />
>         <ref bean="rememberMeAuthenticationMetaDataPopulator" />
>     </util:list>
>
>     <bean id="ldapAuthenticationHandler"
>     class="org.jasig.cas.authentication.LdapAuthenticationHandler"
>     p:principalIdAttribute="sAMAccountName"
>     c:authenticator-ref="authenticator"
>       p:passwordPolicyConfiguration-ref="passwordPolicyConfiguration"> 
>     </bean>
>
> <ldaptive:ad-authenticator id="authenticator"
>         ldapUrl="${ldap.url}"
>         userFilter="${ldap.authn.searchFilter}"
>         bindDn="${ldap.managerDn}"
>         bindCredential="${ldap.managerPassword}"
>         allowMultipleDns="${ldap.allowMultipleDns:false}"
>         connectTimeout="${ldap.connectTimeout}"
>         validateOnCheckOut="${ldap.pool.validateOnCheckout}"
>         failFastInitialize="true"
>         blockWaitTime="${ldap.pool.blockWaitTime}"
>         idleTime="${ldap.pool.idleTime}"
>         baseDn="${ldap.baseDn}"
>         maxPoolSize="${ldap.pool.maxSize}"
>         minPoolSize="${ldap.pool.minSize}"
>         validatePeriodically="${ldap.pool.validatePeriodically}"
>         validatePeriod="${ldap.pool.validatePeriod}"
>         prunePeriod="${ldap.pool.prunePeriod}"
>         useSSL="${ldap.use.ssl:false}"
>         subtreeSearch="${ldap.subtree.search:true}"
>         useStartTLS="${ldap.useStartTLS}"  />
>
>     <bean id="attributeRepository" 
> class="org.jasig.services.persondir.support.NamedStubPersonAttributeDao"
>           p:backingMap-ref="attrRepoBackingMap" />
>
>     <util:map id="attrRepoBackingMap">
>         <entry key="uid" value="uid" />
>         <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
>         <entry key="groupMembership" value="groupMembership" />
>         <entry>
>             <key><value>memberOf</value></key>
>             <list>
>                 <value>faculty</value>
>                 <value>staff</value>
>                 <value>org</value>
>             </list>
>         </entry>
>     </util:map>
>
>     <alias name="acceptUsersAuthenticationHandler" 
> alias="primaryAuthenticationHandler" />
>     <alias name="personDirectoryPrincipalResolver" 
> alias="primaryPrincipalResolver" />
>     <alias name="ldapPasswordPolicyConfiguration" 
> alias="passwordPolicyConfiguration" />
>
>     <alias name="serviceThemeResolver" alias="themeResolver" />
>
>     <alias name="jsonServiceRegistryDao" alias="serviceRegistryDao" />
>
>     <alias name="defaultTicketRegistry" alias="ticketRegistry" />
>
>     <alias name="ticketGrantingTicketExpirationPolicy" 
> alias="grantingTicketExpirationPolicy" />
>     <alias name="multiTimeUseOrTimeoutExpirationPolicy" 
> alias="serviceTicketExpirationPolicy" />
>
>     <alias name="anyAuthenticationPolicy" alias="authenticationPolicy" />
>     <alias name="acceptAnyAuthenticationPolicyFactory" 
> alias="authenticationPolicyFactory" />
>
>     <bean id="auditTrailManager"
>           
> class="org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager"
>           p:entrySeparator="${cas.audit.singleline.separator:|}"
>           p:useSingleLine="${cas.audit.singleline:false}"/>
>
>     <alias name="neverThrottle" alias="authenticationThrottle" />
>
>     <util:list id="monitorsList">
>         <ref bean="memoryMonitor" />
>         <ref bean="sessionMonitor" />
>     </util:list>
>
>     <alias name="defaultPrincipalFactory" alias="principalFactory" />
>     <alias name="defaultAuthenticationTransactionManager" 
> alias="authenticationTransactionManager" />
>     <alias name="defaultPrincipalElectionStrategy" 
> alias="principalElectionStrategy" />
>     <alias name="tgcCipherExecutor" alias="defaultCookieCipherExecutor" />
> </beans>
>
> ===============
> CAS.LOG 
> ===============
> 2018-03-13 15:12:52,101 DEBUG 
> [org.jasig.cas.authentication.LdapAuthenticationHandler] - LDAP response: 
> [org.ldaptive.auth.AuthenticationResponse@250697538::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE,
>  
> resolvedDn=CN=A01_user1_*****_com,OU=sandbox,OU=SAAS,DC=******,DC=local, 
> ldapEntry=[dn=CN=A01_user1_*****_com,OU=sandbox,OU=SAAS,DC=******,DC=local[]],
>  
> accountState=[org.ldaptive.auth.ext.ActiveDirectoryAccountState@1840498349::accountWarnings=null,
>  
> accountErrors=[PASSWORD_MUST_CHANGE]], result=false, 
> resultCode=INVALID_CREDENTIALS, 
> message=javax.naming.AuthenticationException: [LDAP: error code 49 - 
> 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, 
> data 773, v2580 ], controls=null]
> 2018-03-13 15:12:52,101 DEBUG 
> [org.jasig.cas.authentication.LdapAuthenticationHandler] - Applying 
> password policy to 
> [org.ldaptive.auth.AuthenticationResponse@250697538::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE,
>  
> resolvedDn=CN=A01_user1_*****_com,OU=sandbox,OU=SAAS,DC=******,DC=local, 
> ldapEntry=[dn=CN=A01_user1_*****_com,OU=sandbox,OU=SAAS,DC=******,DC=local[]],
>  
> accountState=[org.ldaptive.auth.ext.ActiveDirectoryAccountState@1840498349::accountWarnings=null,
>  
> accountErrors=[PASSWORD_MUST_CHANGE]], result=false, 
> resultCode=INVALID_CREDENTIALS, 
> message=javax.naming.AuthenticationException: [LDAP: error code 49 - 
> 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, 
> data 773, v2580 ], controls=null]
> 2018-03-13 15:12:52,116 DEBUG 
> [org.jasig.cas.authentication.support.DefaultAccountStateHandler] - 
> Handling error PASSWORD_MUST_CHANGE
> 2018-03-13 15:12:52,116 INFO 
> [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - 
> LdapAuthenticationHandler failed authenticating user1@*****.com
> 2018-03-13 15:12:52,116 DEBUG 
> [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - 
> LdapAuthenticationHandler exception details: null
> 2018-03-13 15:12:52,116 DEBUG 
> [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - Resolving 
> argument [AuthenticationTransaction] for audit
> 2018-03-13 15:12:52,116 DEBUG 
> [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - Resolving 
> argument [UsernamePasswordCredential] for audit
> 2018-03-13 15:12:52,116 INFO 
> [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit 
> trail record BEGIN
> =============================================================
> WHO: user1@*****.com
> WHAT: Supplied credentials: [user1@*****.com]
> ACTION: AUTHENTICATION_FAILED
> APPLICATION: CAS
> WHEN: Tue Mar 13 15:12:52 UTC 2018
> CLIENT IP ADDRESS: 192.168.0.152
> SERVER IP ADDRESS: 192.168.0.11
> =============================================================
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d6b475fd-9b68-4691-91c8-cadeba8afbc7%40apereo.org.
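The diagnostic in the thread's cas.log is the point worth checking on any CAS-against-AD deployment: AD answers a bind with LDAP result 49 plus an "AcceptSecurityContext error, data 773" comment, ldaptive decodes that into `accountErrors=[PASSWORD_MUST_CHANGE]`, and yet the overall `authenticationResultCode` is the generic `AUTHENTICATION_HANDLER_FAILURE`, which is why the user sees "Invalid Credentials". The following script is an added example, not code from the original post or from the CAS project; it parses such log records, maps the AD sub-code to an account state, and flags records where a policy state was reported but surfaced only as a generic failure. The sub-code table beyond 773 is the standard documented set of AD bind sub-codes, and the two sample records are constructed (the first is the thread's own log line, the second is an assumed plain wrong-password case for contrast).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Active Directory bind-failure sub-codes: the hex "data NNN" value inside the
# "AcceptSecurityContext error" diagnostic that AD attaches to LDAP result 49
# (invalidCredentials). Only 773 occurs in the thread; the rest are the
# standard documented AD values.
AD_SUBCODES = {
    "525": "USER_NOT_FOUND",
    "52e": "INVALID_CREDENTIALS",
    "530": "LOGON_TIME_RESTRICTION",
    "531": "WORKSTATION_RESTRICTION",
    "532": "PASSWORD_EXPIRED",
    "533": "ACCOUNT_DISABLED",
    "701": "ACCOUNT_EXPIRED",
    "773": "PASSWORD_MUST_CHANGE",
    "775": "ACCOUNT_LOCKED",
}

# Genuine credential failures; every other mapped state is an account or
# password-policy condition that a login flow should report as such.
CREDENTIAL_FAILURES = {"USER_NOT_FOUND", "INVALID_CREDENTIALS"}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")
_RESULT_RE = re.compile(r"authenticationResultCode=([A-Z_]+)")
_ERRORS_RE = re.compile(r"accountErrors=\[([^\]]*)\]")


@dataclass
class BindDiagnosis:
    ad_subcode: Optional[str]          # e.g. "773", or None if no AD diagnostic found
    account_state: str                 # mapped name, or "UNKNOWN"
    result_code: Optional[str]         # ldaptive authenticationResultCode
    ldaptive_errors: List[str] = field(default_factory=list)
    masked: bool = False               # policy state present but reported as generic failure


def parse_ad_subcode(text: str) -> Optional[str]:
    """Return the AD 'data' sub-code from a bind diagnostic (lower-cased), or None."""
    m = _DATA_RE.search(text)
    return m.group(1).lower() if m else None


def classify(log_text: str) -> BindDiagnosis:
    """Classify one CAS/ldaptive 'LDAP response' log record, even if mail-wrapped."""
    flat = " ".join(log_text.split())          # undo line wrapping from the mail client
    sub = parse_ad_subcode(flat)
    state = AD_SUBCODES.get(sub or "", "UNKNOWN")
    rm = _RESULT_RE.search(flat)
    em = _ERRORS_RE.search(flat)
    errors = [e.strip() for e in em.group(1).split(",") if e.strip()] if em else []
    result = rm.group(1) if rm else None
    # The symptom from the thread: AD and ldaptive both say "password must change",
    # but the handler collapses it into a generic authentication failure.
    masked = (
        state not in CREDENTIAL_FAILURES
        and state != "UNKNOWN"
        and result == "AUTHENTICATION_HANDLER_FAILURE"
    )
    return BindDiagnosis(sub, state, result, errors, masked)


# Constructed sample 1: the record from the thread's cas.log (identifiers masked as posted).
SAMPLE_773 = """2018-03-13 15:12:52,101 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - LDAP response:
[org.ldaptive.auth.AuthenticationResponse@250697538::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE,
resolvedDn=CN=A01_user1_*****_com,OU=sandbox,OU=SAAS,DC=******,DC=local,
accountState=[org.ldaptive.auth.ext.ActiveDirectoryAccountState@1840498349::accountWarnings=null,
accountErrors=[PASSWORD_MUST_CHANGE]], result=false, resultCode=INVALID_CREDENTIALS,
message=javax.naming.AuthenticationException: [LDAP: error code 49 -
80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error,
data 773, v2580 ], controls=null]"""

# Constructed sample 2 (assumed, not from the thread): a plain wrong password, sub-code 52e.
SAMPLE_52E = """LDAP response: [authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE,
accountState=null, result=false, resultCode=INVALID_CREDENTIALS,
message=javax.naming.AuthenticationException: [LDAP: error code 49 -
80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error,
data 52e, v2580 ], controls=null]"""


if __name__ == "__main__":
    for name, sample in (("thread record", SAMPLE_773), ("wrong password", SAMPLE_52E)):
        d = classify(sample)
        flag = "  <-- policy state masked as generic failure" if d.masked else ""
        print(f"{name}: data {d.ad_subcode} -> {d.account_state}, "
              f"ldaptive={d.ldaptive_errors}, result={d.result_code}{flag}")
```

Run against a cas.log, a `masked` hit is the condition to look for before touching the handler configuration: it confirms that AD and ldaptive have already decoded the policy state correctly and that the loss of information happens later, in how the authentication handler reports the response.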