A little update...
I managed to get something different using the BindLdap instead of the
FastBind.
What I get this time is:
2009-10-15 14:28:03,472 INFO
[org.jasig.cas.authentication.AuthenticationManagerImpl] -
<AuthenticationHandler:
org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully
authenticated the user which provided the following credentials:
[username: user]>
followed by an eternal sequence of:
2009-10-15 14:28:03,477 INFO
[org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service
ticket [ST-1-OVG5l4krlYLR9q0Xl5Jl-cas] for service
[https://moodle.sgul.ac.uk/devmoodle/login/index.php] for user [user]>
2009-10-15 14:28:04,229 INFO
[org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service
ticket [ST-2-RBc0et7WkjCTqduVaPcK-cas] for service
[https://moodle.sgul.ac.uk/devmoodle/login/index.php] for user [user]>
...
2009-10-15 14:28:16,812 INFO
[org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service
ticket [ST-31-y1i0RQ5mfqS2zOzokAtx-cas] for service
[https://moodle.sgul.ac.uk/devmoodle/login/index.php] for user [user]>
2009-10-15 14:28:17,231 INFO
[org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted ser...
...
(and counting :P)
I guess something is moving in the right direction but there are still
some issues?
Thanks for any help,
Giuseppe
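An added detection helper, not part of this thread, for the runaway pattern in the log excerpt above: it parses CAS "Granted service ticket" records and flags any user/service pair that receives more than a handful of tickets in a short window. The sample log lines are constructed from the excerpt (ticket ids are placeholders), each record on one line as CAS writes it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# CAS 3 "Granted service ticket" record, one record per line.
GRANT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) INFO "
    r"\[org\.jasig\.cas\.CentralAuthenticationServiceImpl\] - "
    r"<Granted service ticket \[(?P<st>ST-[^\]]+)\] for service "
    r"\[(?P<svc>[^\]]+)\] for user \[(?P<user>[^\]]+)\]>$"
)

def parse_grants(lines):
    """Yield (timestamp, ticket, service, user) per ST grant; skip other records."""
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
            yield ts, m.group("st"), m.group("svc"), m.group("user")

def find_ticket_loops(lines, max_grants=5, window=timedelta(seconds=30)):
    """Return {(user, service): total grants} for pairs that received more
    than max_grants tickets inside some window of the given length."""
    by_key = defaultdict(list)
    for ts, _st, svc, user in parse_grants(lines):
        by_key[(user, svc)].append(ts)
    loops = {}
    for key, stamps in by_key.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 > max_grants:
                loops[key] = len(stamps)
                break
    return loops

# Constructed sample log (placeholder ticket ids): one normal login for
# "alice", then an 8-grant burst for "user" like the one in the thread.
SVC = "https://moodle.sgul.ac.uk/devmoodle/login/index.php"

def grant_line(ts, n, user):
    return ("%s INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - "
            "<Granted service ticket [ST-%d-PLACEHOLDER-cas] for service "
            "[%s] for user [%s]>" % (ts, n, SVC, user))

SAMPLE_LOG = [
    "2009-10-15 14:28:03,472 INFO [org.jasig.cas.authentication."
    "AuthenticationManagerImpl] - <AuthenticationHandler: ... authenticated>",
    grant_line("2009-10-15 14:27:00,000", 0, "alice"),
] + [grant_line("2009-10-15 14:28:%02d,477" % (3 + i), i + 1, "user")
     for i in range(8)]
```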
Giuseppe Sollazzo wrote:
Hi Ryan,
Yes, the way I get it to work is by giving the fully qualified id:
ldapsearch -H ldap://my.ldap.server -x -Z -b o=Y -D
"uid=user,ou=a,ou=b,ou=c,ou=X,o=Y,o=Z" -W uid=user
Here was my misunderstanding: there is a need for a fully qualified
identifier for the user who binds, not for the one we're searching for
(yep - I know it wouldn't make sense otherwise, but it was not
extremely clear to me).
So, what happens now is that by adjusting the xml to look like
<bean id="contextSource"
class="org.springframework.ldap.core.support.LdapContextSource">
<property name="pooled" value="true"/>
<property name="urls">
<list>
<value>ldap://my.ldap.server</value>
</list>
</property>
<property name="userDn" value="uid=user,ou=a,ou=b,ou=c,ou=X,o=Y,o=Z"/>
<property name="password" value="pass"/>
<property name="baseEnvironmentProperties">
<map>
<entry key="java.naming.security.authentication"
value="simple" />
</map>
</property>
</bean>
and
<property name="authenticationHandlers">
<list>
<bean
class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
p:httpClient-ref="httpClient" />
<bean
class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler" >
<property name="filter" value="uid=%u,o=Y" />
<property name="contextSource" ref="contextSource" />
</bean>
</list>
</property>
is that I still get kicked out when I try to authenticate with CAS on
moodle. Just to summarize:
- I activated CAS in the Authentication settings
- I moved CAS on top of LDAP and Moodle Network Authentication
- Logged out
- clicked on Login, entered a username (in this case "user" itself, as
given the execution of ldapsearch it should work).
Any idea?
Thanks,
Giuseppe
Ryan Fox wrote:
Sorry... now that I've read more of the thread, I can offer more help. Funny
how that works.
The err=32 means that the dn you are binding with doesn't exist. If you look,
that is the uid=user,ou=X,o=Y,o=Z.
You need
ldapsearch -H ldap://my.ldap.server -x -Z -b ou=X,o=Y,o=Z -D "uid=user,ou=X,o=Y,o=Z" -W uid=user
to succeed. I can't tell from your e-mail if it will or not, as I don't know
what ACLs you have on your ldap. The FastBindLdapAuthenticationHandler binds
to your ldap as the user, and uses the result (success/error) to judge the
validity of the credentials. The ldapsearch above is a good analogue for that.
Once that works, CAS auth should work (or at least progress farther). :)
Ryan
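An added illustration, not code from the thread or from CAS, of the difference Ryan describes: FastBind substitutes %u into a DN template and binds as that DN, so a template that does not match where the entry really lives yields err=32 (noSuchObject) whatever the password, while search-then-bind (what BindLdapAuthenticationHandler does) looks the user up under the base with a privileged account and binds with the DN it finds. The in-memory directory, DNs and passwords are constructed from the values in the thread; the filter-value escaping is my addition.

```python
# Constructed directory: the user's real entry sits several OUs deeper
# than the FastBind filter template "uid=%u,ou=X,o=Y,o=Z" assumes.
DIRECTORY = {
    "cn=Directory Manager": "HISPASSWORD",
    "uid=user,ou=a,ou=b,ou=c,ou=X,o=Y,o=Z": "pass",
}
SUCCESS = 0
NO_SUCH_OBJECT = 32       # the err=32 in the access log in the thread
INVALID_CREDENTIALS = 49

def bind(dn, password):
    """Simple bind: 32 if the DN does not exist, 49 on a bad password."""
    if dn not in DIRECTORY:
        return NO_SUCH_OBJECT
    return SUCCESS if DIRECTORY[dn] == password else INVALID_CREDENTIALS

def escape_filter_value(value):
    """RFC 4515 escaping so a username cannot change the search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def search(base, attr, value):
    """Subtree search under base for entries whose RDN is attr=value
    (exact RDN match stands in for a real filter evaluator)."""
    suffix, rdn = "," + base, "%s=%s" % (attr, value)
    return [dn for dn in DIRECTORY
            if dn.endswith(suffix) and dn.split(",")[0] == rdn]

def fast_bind(template, username, password):
    """FastBindLdapAuthenticationHandler: fill %u, bind as that DN."""
    return bind(template.replace("%u", username), password)

def search_then_bind(manager_dn, manager_pw, base, username, password):
    """BindLdapAuthenticationHandler: privileged search for the user's
    DN, then a second bind as that DN with the supplied password."""
    if bind(manager_dn, manager_pw) != SUCCESS:
        return INVALID_CREDENTIALS
    matches = search(base, "uid", escape_filter_value(username))
    if len(matches) != 1:          # none (or ambiguous): reject
        return NO_SUCH_OBJECT
    return bind(matches[0], password)
```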
----- "Giuseppe Sollazzo" <[email protected]> wrote:
The ldapsearch tool (provided by ldap-utils package on Debian) is
invaluable for diagnosing LDAP bind problems. Execute the following
command which attempts to bind as the user above:
ldapsearch -H ldap://your.ldap.host -x -Z -b ou=X,o=Y,o=Z -D
uid=username,ou=X,o=Y,o=Z -W uid=user
Omit the -Z argument if you use an ldaps URL (SSL) to talk to your
LDAP host.
Hi Marvin,
Your help is being amazingly invaluable!
First of all, I discovered I was being silly, using a wrong user. Only
the Directory Manager is allowed to search ldap in my current
configuration, so I managed to get info for "username" running this
command:
ldapsearch -H ldap://my.ldap.server -x -Z -b ou=X,o=Y,o=Z -D
"cn=Directory Manager" -W uid=user
So I adapted the deployerConfigContext.xml accordingly:
<bean id="contextSource"
class="org.springframework.ldap.core.support.LdapContextSource">
<property name="pooled" value="true"/>
<property name="urls">
<list>
<value>ldap://my.ldap.server</value>
</list>
</property>
<property name="userDn" value="cn=Directory Manager"/>
<property name="password" value="HISPASSWORD"/>
<property name="baseEnvironmentProperties">
<map>
<entry key="java.naming.security.authentication" value="simple" />
</map>
</property>
</bean>
and
<bean id="authenticationManager"
class="org.jasig.cas.authentication.AuthenticationManagerImpl">
[...]
<property name="authenticationHandlers">
<list>
<bean
class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
p:httpClient-ref="httpClient" />
<bean
class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
<!-- I also tried with username=%u, as it's called in our ldap -->
<property name="filter" value="uid=%u,ou=X,o=Y,o=Z" />
<property name="contextSource" ref="contextSource" />
</bean>
</list>
</property>
[...]
</bean>
The result when I try to authenticate with username "user" is always
as follows:
[15/Oct/2009:10:43:11 +0100] conn=374073 op=0 msgId=1 - BIND
dn="username=user,ou=people,o=sghms.ac.uk,o=sghms.ac.uk" method=128
version=3
[15/Oct/2009:10:43:11 +0100] conn=374073 op=0 msgId=1 - RESULT err=32
tag=97 nentries=0 etime=0
(or uid=... in place of username)
I'm wondering if I'm getting something wrong elsewhere in the
deployerConfigContext.xml?
Thanks again for your help,
Giuseppe
--
Giuseppe Sollazzo
Systems Developer / Administrator
Computing Services
St. George's, University of London
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user