Hi Ryan,
yes the way I get it to work is by giving the fully qualified id
ldapsearch -H ldap://my.ldap.server -x -Z -b o=Y -D
"uid=user,ou=a,ou=b,ou=c,ou=X,o=Y,o=Z" -W uid=user
Here was my misunderstanding: there is a need for fully qualified
identifier for the user who binds, not for the one we're searching (yep
- I know it wouldn't make sense otherwise but it was not extremely clear
to me).
So, what happens now is that by adjusting the xml to look like
<bean id="contextSource"
      class="org.springframework.ldap.core.support.LdapContextSource">
  <property name="pooled" value="true"/>
  <property name="urls">
    <list>
      <value>ldap://my.ldap.server</value>
    </list>
  </property>
  <property name="userDn" value="uid=user,ou=a,ou=b,ou=c,ou=X,o=Y,o=Z"/>
  <property name="password" value="pass"/>
  <property name="baseEnvironmentProperties">
    <map>
      <entry key="java.naming.security.authentication" value="simple"/>
    </map>
  </property>
</bean>
and
<property name="authenticationHandlers">
  <list>
    <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
          p:httpClient-ref="httpClient"/>
    <bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
      <property name="filter" value="uid=%u,o=Y"/>
      <property name="contextSource" ref="contextSource"/>
    </bean>
  </list>
</property>
is that I still get kicked out when I try to authenticate with CAS on
moodle. Just to summarize:
- I activated CAS in the Authentication settings
- I moved CAS on top of LDAP and Moodle Network Authentication
- Logged out
- clicked on Login, entered a username (in this case "user" itself, which,
given the ldapsearch result, should work).
Any idea?
Thanks,
Giuseppe
Ryan Fox wrote:
> Sorry... now that I've read more of the thread, I can offer more help. Funny
> how that works.
>
> The err=32 means that the dn you are binding with doesn't exist. If you
> look, that is the uid=user,ou=X,o=Y,o=Z.
>
>
>> First of all, I discovered I was being silly, using a wrong user. Only
>> the Directory Manager is allowed to search ldap in my current
>> configuration, so I managed to get info for "username" running this
>> command:
>>
>
> You need
> ldapsearch -H ldap://my.ldap.server -x -Z -b ou=X,o=Y,o=Z -D
> "uid=user,ou=X,o=Y,o=Z" -W uid=user
> to succeed. I can't tell from your e-mail if it will or not, as I don't know
> what ACL's you have on your ldap. The FastBindLdapAuthenticationHandler
> binds to your ldap as the user, and uses the result (success/error) to judge
> the validity of the credentials. The ldapsearch above is a good analogue for
> that. Once that works, CAS auth should work (or at least progress farther).
> :)
>
> Ryan
>
>
> ----- "Giuseppe Sollazzo" <[email protected]> wrote:
>
>
>> The ldapsearch tool (provided by ldap-utils package on Debian) is
>> invaluable for diagnosing LDAP bind problems. Execute the following
>> command which attempts to bind as the user above:
>>
>> ldapsearch -H ldap://your.ldap.host -x -Z -b ou=X,o=Y,o=Z -D
>> uid=username,ou=X,o=Y,o=Z -W uid=user
>>
>> Omit the -Z argument if you use an ldaps URL (SSL) to talk to your
>> LDAP host.
>> Hi Marvin,
>> your help is being amazingly invaluable!
>>
>> First of all, I discovered I was being silly, using a wrong user. Only
>> the Directory Manager is allowed to search ldap in my current
>> configuration, so I managed to get info for "username" running this
>> command:
>>
>> ldapsearch -H ldap://my.ldap.server -x -Z -b ou=X,o=Y,o=Z -D
>> "cn=Directory Manager" -W uid=user
>> So I adapted the deployerConfigContext.xml accordingly:
>>
>> <bean id="contextSource"
>>       class="org.springframework.ldap.core.support.LdapContextSource">
>>   <property name="pooled" value="true"/>
>>   <property name="urls">
>>     <list>
>>       <value>ldap://my.ldap.server</value>
>>     </list>
>>   </property>
>>   <property name="userDn" value="cn=Directory Manager"/>
>>   <property name="password" value="HISPASSWORD"/>
>>   <property name="baseEnvironmentProperties">
>>     <map>
>>       <entry key="java.naming.security.authentication" value="simple"/>
>>     </map>
>>   </property>
>> </bean>
>>
>> and
>>
>> <bean id="authenticationManager"
>>       class="org.jasig.cas.authentication.AuthenticationManagerImpl">
>>   [...]
>>   <property name="authenticationHandlers">
>>     <list>
>>       <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
>>             p:httpClient-ref="httpClient"/>
>>       <bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
>>         <!-- I also tried with username=%u, as it's called in our ldap -->
>>         <property name="filter" value="uid=%u,ou=X,o=Y,o=Z"/>
>>         <property name="contextSource" ref="contextSource"/>
>>       </bean>
>>     </list>
>>   </property>
>>   [...]
>> </bean>
>>
>> The result when I try to authenticate with username "user" is always
>> as follows:
>>
>> [15/Oct/2009:10:43:11 +0100] conn=374073 op=0 msgId=1 - BIND dn="username=user,ou=people,o=sghms.ac.uk,o=sghms.ac.uk" method=128 version=3
>> [15/Oct/2009:10:43:11 +0100] conn=374073 op=0 msgId=1 - RESULT err=32 tag=97 nentries=0 etime=0
>>
>> (or uid=... in place of username)
>>
>> I'm wondering if I'm getting something wrong elsewhere in the
>> deployerConfigContext.xml?
>>
>> Thanks again for your help,
>> Giuseppe
>>
>> --
>> Giuseppe Sollazzo
>> Systems Developer / Administrator
>>
>> Computing Services
>> St. George's, University of London
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
>
>
--
Giuseppe Sollazzo
Systems Developer / Administrator
Computing Services
St. George's, University of London
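Two checks that follow from this thread, written as an added Python example (it is not code from the thread, from CAS, or from Spring LDAP). The first renders a FastBind-style filter template such as "uid=%u,o=Y" into the DN the handler would bind with, escaping the username per RFC 4514 so that a value containing commas or other DN metacharacters cannot change the structure of the DN; it also lets you compare the rendered DN with the one that succeeded as the -D argument to ldapsearch. The second pairs BIND and RESULT lines from a directory-server access log (the format quoted above) by conn/op and explains the result code, so err=32 (the bind DN does not exist) is distinguished from err=49 (wrong password). The log lines in SAMPLE_LOG are constructed for the example and mirror the thread's format; how CAS's own handler escapes %u is not shown on this page, so escape_dn_value is illustrative, not a description of CAS.

```python
import re

# Characters RFC 4514 section 2.4 requires escaping inside a DN attribute value.
_DN_SPECIALS = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for the string form of a DN (RFC 4514).

    Backslash-escapes the special characters, a leading '#', and a leading or
    trailing space; a NUL byte is written as the hex pair \\00.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIALS or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def render_bind_dn(template: str, username: str) -> str:
    """Render a filter template like "uid=%u,o=Y" into the DN used for the bind.

    Assumption (not taken from the page): %u is the only placeholder, as in the
    filter values quoted in the thread.
    """
    return template.replace("%u", escape_dn_value(username))


# LDAP result codes an operator meets when diagnosing simple binds.
LDAP_RESULT_CODES = {
    0: "success",
    32: "noSuchObject: the bind DN does not exist in the directory",
    49: "invalidCredentials: the DN exists but the password was rejected",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

_BIND_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) msgId=\d+ - BIND dn="(?P<dn>[^"]*)"')
_RESULT_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) msgId=\d+ - RESULT err=(?P<err>\d+)")


def diagnose_bind_log(lines):
    """Pair each BIND with its RESULT by (conn, op) and explain the error code."""
    pending = {}
    findings = []
    for line in lines:
        m = _BIND_RE.search(line)
        if m:
            pending[(m["conn"], m["op"])] = m["dn"]
            continue
        m = _RESULT_RE.search(line)
        if m and (m["conn"], m["op"]) in pending:
            err = int(m["err"])
            findings.append({
                "dn": pending.pop((m["conn"], m["op"])),
                "err": err,
                "meaning": LDAP_RESULT_CODES.get(err, "unknown result code"),
            })
    return findings


# Constructed sample log lines in the format quoted in the thread: one bind
# against a DN that does not exist, then one against the fully qualified DN.
SAMPLE_LOG = [
    '[15/Oct/2009:10:43:11 +0100] conn=374073 op=0 msgId=1 - BIND dn="uid=user,ou=X,o=Y,o=Z" method=128 version=3',
    "[15/Oct/2009:10:43:11 +0100] conn=374073 op=0 msgId=1 - RESULT err=32 tag=97 nentries=0 etime=0",
    '[15/Oct/2009:10:45:02 +0100] conn=374080 op=0 msgId=1 - BIND dn="uid=user,ou=a,ou=b,ou=c,ou=X,o=Y,o=Z" method=128 version=3',
    "[15/Oct/2009:10:45:02 +0100] conn=374080 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0",
]


if __name__ == "__main__":
    print("filter renders to:", render_bind_dn("uid=%u,o=Y", "user"))
    for f in diagnose_bind_log(SAMPLE_LOG):
        print(f"err={f['err']:<3} {f['dn']}: {f['meaning']}")
```

Compare the DN printed by render_bind_dn with the DN that worked as the ldapsearch -D argument: the handler can only succeed if the template produces an entry that exists, which is exactly what err=32 in the access log says it did not.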