Any chance you have your BindLdapAuthenticationHandler and ContextSource config handy? I'm going to try a domain admin account.

James Winter
215.517.2588

From: Scott Battaglia [mailto:[email protected]]
Sent: Wednesday, June 17, 2009 8:59 AM
To: [email protected]
Subject: Re: [cas-user] CAS and Active Directory

FastBind is ignoring any credentials you set in the ContextSource, which means that the ones in the ContextSource are actually probably incorrect (or at least don't have the correct permissions to do stuff).

Cheers,
Scott

On Wed, Jun 17, 2009 at 8:41 AM, Winter, James <[email protected]> wrote:

Scott,

Do you use the FastBindLdapAuthenticationHandler or the BindLdapAuthenticationHandler? I can get the fastbind to work using %[email protected] but I couldn't get the Bind to work using the same credentials that I have in the contextSource.

James Winter
215.517.2588

From: Scott Battaglia [mailto:[email protected]]
Sent: Tuesday, June 16, 2009 11:20 PM
To: [email protected]
Subject: Re: [cas-user] CAS and Active Directory

You can use this simplified resolver:

    <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"
          p:attributeRepository-ref="attributeRepository" />

Example repository:

    <bean class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao"
          p:baseDN="ou=users,dc=school,dc=ad,dc=school,dc=edu"
          p:query="(sAMAccountName={0})"
          p:contextSource-ref="contextSource">
        <property name="ldapAttributesToPortalAttributes">
            <map>
                <entry key="givenName" value="givenName" />
                <entry key="mail" value="mail" />
                <entry key="employeeID" value="employeeID" />
                <entry key="displayName" value="displayName" />
                <entry key="sn" value="sn" />
            </map>
        </property>
    </bean>

On Tue, Jun 16, 2009 at 4:04 PM, Scott Battaglia <[email protected]> wrote:

Just a note that you can simplify your configuration and apply the "attributeRepository" directly to the UsernamePasswordCredentialsToPrincipalResolver. You usually only use the CredentialsToLdapAttributePrincipalResolver to map the username provided to something else.

That said I don't see anything crazy off the top of my head, but I'll double check my AD config at home.

Cheers,
Scott

On Tue, Jun 16, 2009 at 3:59 PM, Winter, James <[email protected]> wrote:

Inside of credentialsToPrincipalResolvers:

    <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
        <property name="credentialsToPrincipalResolver">
            <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
        </property>
        <property name="filter" value="(sAMAccountName=%u)" />
        <property name="principalAttributeName" value="Name" />
        <property name="searchBase" value="CN=Users,DC=school,DC=edu" />
        <property name="contextSource" ref="contextSource" />
        <property name="attributeRepository">
            <ref bean="attributeRepository" />
        </property>
    </bean>

And the attributeRepository:

    <bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
        <property name="baseDN" value="cn=Users,dc=school,dc=edu" />
        <property name="query" value="(samAccountName={0})" />
        <property name="contextSource" ref="contextSource" />
        <property name="ldapAttributesToPortalAttributes">
            <!-- key = LDAP attribute name, value = CAS/portal attribute name -->
            <map>
                <entry key="samAccountName" value="Name" />
                <entry key="mail" value="EmailAddress" />
            </map>
        </property>
    </bean>

This is the contextSource:

    <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
        <property name="urls">
            <list>
                <value>ldap://server.school.edu</value>
            </list>
        </property>
        <property name="userDn" value="{full DN for user}" />
        <property name="password" value="{password}" />
        <property name="baseEnvironmentProperties">
            <map>
                <entry>
                    <key>
                        <value>java.naming.security.authentication</value>
                    </key>
                    <value>simple</value>
                </entry>
            </map>
        </property>
    </bean>

James Winter
215.517.2588

From: Scott Battaglia [mailto:[email protected]]
Sent: Tuesday, June 16, 2009 3:41 PM
To: [email protected]
Subject: Re: [cas-user] CAS and Active Directory

Can you post your config minus the password and any other incriminating evidence? Also, does the binding user have permission to see the attributes you're trying to retrieve?

Cheers,
Scott

On Tue, Jun 16, 2009 at 3:40 PM, Winter, James <[email protected]> wrote:

I am using the same contextSource, yes.

James Winter
215.517.2588

From: Scott Battaglia [mailto:[email protected]]
Sent: Tuesday, June 16, 2009 3:37 PM
To: [email protected]
Subject: Re: [cas-user] CAS and Active Directory

According to my quick google search, that usually means an error in the username provided to bind. Are you using the same LdapContextSource for the bind authentication handler AND the attribute stuff?

Cheers,
Scott

On Tue, Jun 16, 2009 at 3:18 PM, James Winter <[email protected]> wrote:

I always get this error:

    org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525

But again, the authentication itself works correctly, just not any of the attributes. I think I just need an example deployerConfigContext to get me started. I cobbled together some examples, but I didn't get very far.
--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
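The thread turns on reading the `data 525` sub-code in the exception James pasted, and on which identity CAS is using at the moment the bind fails (per Scott: the FastBind handler binds as the end user and ignores the ContextSource credentials, while the search-before-bind and the attribute lookup run as the ContextSource's userDn). The following diagnostic is an added example, not code from the thread or from the CAS project: it parses the Active Directory result-49 message format that Spring LDAP surfaces, maps the sub-code to its documented meaning, and names the credential that AD rejected. The sub-code table is Microsoft's documented list; the `stage` labels on the log lines and all sample lines other than the one quoted from the thread are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sub-codes Active Directory returns in the "data NNN" field of an LDAP
# result 49 (invalidCredentials) bind failure.  These are Microsoft's
# documented meanings and do not vary between Windows Server versions.
AD_BIND_DATA_CODES: Dict[str, str] = {
    "525": "user not found (the bind DN / username does not resolve to an account)",
    "52e": "invalid credentials (account exists, password is wrong)",
    "530": "not permitted to log on at this time (logon-hours restriction)",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password at next logon",
    "775": "account locked out",
}

# Which credential each stage of the CAS 3.x LDAP flow uses, as described in the
# thread (assumed stage names): the search before a bind and the attribute lookup
# run as the ContextSource userDn; the FastBind / final bind runs as the end user.
STAGE_IDENTITY: Dict[str, str] = {
    "search": "ContextSource userDn/password",
    "attribute-lookup": "ContextSource userDn/password",
    "user-bind": "the end user's username/password",
}

# Matches the Spring LDAP rendering of an AD bind failure, e.g. (from the thread):
# "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment:
#  AcceptSecurityContext error, data 525"
_PATTERN = re.compile(
    r"LDAP: error code (?P<rc>\d+) - (?P<hresult>[0-9A-Fa-f]+): LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+)"
)


@dataclass
class BindFailure:
    result_code: int
    comment: str
    data: str
    meaning: str


def parse_ad_bind_failure(message: str) -> Optional[BindFailure]:
    """Return the decoded failure, or None if the text is not an AD result-49 message."""
    m = _PATTERN.search(message)
    if m is None:
        return None
    data = m.group("data").lower()
    meaning = AD_BIND_DATA_CODES.get(data, "unknown sub-code; check Microsoft's LDAP error reference")
    return BindFailure(int(m.group("rc")), m.group("comment"), data, meaning)


def rejected_identity(failure: BindFailure, stage: str) -> str:
    """Name the credential AD rejected, given which CAS stage logged the exception."""
    who = STAGE_IDENTITY.get(stage, "unknown identity (unrecognised stage)")
    if failure.data == "525" and stage != "user-bind":
        # 525 on the service account means the configured userDn itself is not a
        # DN/name AD can resolve; a wrong password would have been 52e instead.
        return f"{who}: userDn does not resolve to an account"
    return who


def triage(log_lines: List[str]) -> List[Dict[str, str]]:
    """Decode every AD bind failure in a log whose lines look like 'stage | message'."""
    findings = []
    for line in log_lines:
        stage, _, message = line.partition(" | ")
        failure = parse_ad_bind_failure(message)
        if failure is None:
            continue  # not a result-49 bind failure (e.g. a NO_OBJECT search error)
        findings.append({
            "stage": stage.strip(),
            "data": failure.data,
            "meaning": failure.meaning,
            "rejected": rejected_identity(failure, stage.strip()),
        })
    return findings


# Constructed sample log.  The first message is the one quoted in the thread; the
# others are made up for illustration, including their DSID values.
SAMPLE_LOG = [
    "attribute-lookup | org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - "
    "80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525",
    "user-bind | [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: "
    "AcceptSecurityContext error, data 52e, v1db1]",
    "user-bind | [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: "
    "AcceptSecurityContext error, data 775, v1db1]",
    "attribute-lookup | javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: "
    "NameErr: DSID-031001CD, problem 2001 (NO_OBJECT)",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['stage']:16} data {f['data']}: {f['meaning']} -> rejected: {f['rejected']}")
```

Run against the thread's own line, the decoder reports `525` on the attribute lookup, i.e. the ContextSource's userDn is not something AD can resolve, which is the same conclusion Scott reached and why the next step in the thread is to try a different service account rather than a different user password.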
