Michael,

Here are a few thoughts as nothing jumps out at me:

1. Try specifying "scope" of 2 within the BindLdapAuthenticationHandler
2. Try specifying "timeout" of some amount of time in seconds; e.g. 120 being 2 minutes
3. Confirm whether your AD server is set up to use LDAPS rather than LDAP (should switch to it anyway as it is more secure)
4. Try "userName" instead of "userDn" on the contextSource

Hope something comes together for you but honestly we switched from using LDAP for AD to Kerberos, which I think is what AD typically prefers. Anyhow try it and see what happens.

Cheers,
A

--
Andrew Feller, Analyst
LSU University Information Services
200 Frey Computing Services Center
Baton Rouge, LA 70803
Office: 225.578.3737
Fax: 225.578.6400

On 5/22/09 8:06 AM, "Michael A Jones" <[email protected]> wrote:

> Hi there,
>
> I am having communication problems with my Active Directory and CAS. My AD
> machine is called idm-dc1 and my domain is ExampleOrganization.local. At
> present, when I try to log in to CAS I am getting an error message from CAS
> saying "The credentials you provided cannot be determined to be authentic".
> I am logging in as one of my users as below and their account details in AD
> are included for reference.
>
> My users are held in an ou called Identities:
>
> [email protected]
> Password=apassword
>
> Ldif for this user in AD:
>
> dn: [email protected],OU=Identities,DC=ExampleOrganization,DC=local
> changetype: add
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: [email protected]
> sn: MELDRUM
> title: MS
> givenName: LAURA
> distinguishedName: [email protected],OU=Identities,DC=ExampleOrganization,DC=local
> instanceType: 4
> whenCreated: 20090508082512.0Z
> whenChanged: 20090508082512.0Z
> uSNCreated: 15381
> uSNChanged: 15394
> name: [email protected]
> objectGUID:: z0FREwjkVkiMPl67khJCYQ==
> userAccountControl: 512
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> pwdLastSet: 128862447125126250
> primaryGroupID: 513
> objectSid:: ZHUAAAAAAAUVAAAAtGO
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: $Z21000-CA6B2SF9KI
> sAMAccountType: 805306368
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ExampleOrganization,DC=local
> mail: [email protected]
>
> My relevant segment of my deployerConfigContext.xml settings is as follows:
>
>       <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
>         <property name="filter" value="sAMAccountName=%u" />
>         <property name="searchBase" value="ou=Identities,dc=ExampleOrganization,dc=local" />
>         <property name="contextSource" ref="contextSource" />
>         <property name="ignorePartialResultException" value="yes" />
>       </bean>
>     </list>
>   </property>
> </bean>
>
> <bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
>   <property name="urls">
>     <list>
>       <value>ldap://194.168.0.2</value> <!-- IP address of my AD machine -->
>     </list>
>   </property>
>   <property name="userDn" value="CN=Administrator,CN=Users,DC=ExampleOrganization,DC=local"/>
>   <property name="password" value="password"/>
>   <property name="baseEnvironmentProperties">
>     <map>
>       <entry>
>         <key>
>           <value>java.naming.security.authentication</value>
>         </key>
>         <value>simple</value>
>       </entry>
>     </map>
>   </property>
> </bean>
>
> Can anyone offer advice on where I am going wrong? I have followed the info on
> settings for communicating with AD and would appreciate advice from someone who
> is successfully communicating with CAS and AD just using the LDAP method.
>
> Regards
>
> Mike Jones
>
> Identity Management Systems Administrator
> IT Systems
> University of Hull
>
> Tel: 01482 465549
> Email: [email protected]
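As an added diagnostic (not CAS's or Spring LDAP's code, and written by neither poster), the following Python replays the search step of BindLdapAuthenticationHandler against an in-memory copy of the LDIF above, with the redacted addresses replaced by the placeholder laura@example.local. It shows the effect of the "scope" values Andrew mentions and that the posted sAMAccountName ($Z21000-CA6B2SF9KI) cannot match a login entered as the user's e-mail address under the filter sAMAccountName=%u; the user-password bind that would follow a successful search is not modelled.

```python
# Added diagnostic example, not CAS or Spring LDAP code: substitute %u into
# the filter, search the base at a scope, and require exactly one hit.
# Constructed from the posted LDIF; redacted addresses replaced by a placeholder.
LDIF = """dn: CN=laura@example.local,OU=Identities,DC=ExampleOrganization,DC=local
objectClass: user
cn: laura@example.local
sAMAccountName: $Z21000-CA6B2SF9KI
userAccountControl: 512
mail: laura@example.local
"""
BASE = "ou=Identities,dc=ExampleOrganization,dc=local"


def parse_ldif(text):
    """Return {dn: {attr: [values]}}. Base64 ('::') attributes are skipped."""
    entries, cur = {}, None
    for line in text.splitlines():
        if not line.strip():
            cur = None
        elif line.startswith("dn: "):
            cur = entries.setdefault(line[4:], {})
        elif cur is not None and ":: " not in line:
            attr, val = line.split(": ", 1)
            cur.setdefault(attr.lower(), []).append(val)
    return entries


def in_scope(dn, base, scope):
    """'scope' as in the handler: 0 = base only, 1 = one level, 2 = subtree."""
    dn, base = dn.lower().replace(", ", ","), base.lower().replace(", ", ",")
    if dn != base and not dn.endswith("," + base):
        return False
    rel = dn[: -len(base)].rstrip(",")  # RDNs between the entry and the base
    if scope == 0:
        return rel == ""
    if scope == 1:
        return rel != "" and "," not in rel  # naive: ignores escaped commas
    return True


def search(entries, base, scope, filter_template, username):
    """DNs matched by an equality filter such as 'sAMAccountName=%u'."""
    attr, wanted = filter_template.replace("%u", username).split("=", 1)
    return [dn for dn, attrs in entries.items()
            if in_scope(dn, base, scope)
            and wanted.lower() in [v.lower() for v in attrs.get(attr.lower(), [])]]


def cas_lookup(filter_template, username, scope=2):
    """Mimic the handler: authentication fails unless exactly one DN is found."""
    hits = search(parse_ldif(LDIF), BASE, scope, filter_template, username)
    return hits[0] if len(hits) == 1 else None
```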
