Marianne,

I'm not sure how you capture the data, but this is how we do it. On the Linux 
server running CAS, as root, run

tcpdump -i any -s 0 -w dumpfile.pcap

This will capture all interfaces, and write to a file. You can then do your 
authentication, and later open this file with Wireshark.

I am attaching our deploy.xml, minus passwords and other identifying info, so 
you can see how we have things working.

You'll see that we do a normal bind, and that we allow login based on 
sAMAccountName (set to the student id), and a custom LDAP attribute named 
'WebLoginAlias'.

We also map one attribute to the CAS principal (tbird-LifetimeEmailAddress); 
this is our Google Apps account name, which is freely chosen by the user. There 
is an additional xml mapping to give this attribute to Google during SAML login.

I have modified all ldap to be plain, but you can simply replace all occurrences 
with ldaps to get secure connections once you have configured your AD servers.

Let me know if you have other questions.

Johan


  ----- Original Message ----- 
  From: Tromp,Marianne 
  To: [email protected] 
  Sent: Tuesday, January 26, 2010 11:49 AM
  Subject: Re: [cas-user] FastBind failure


  Johan,

  Thanks for pointing me to Wireshark. It uncovered an error I had in the 
string for the MS-AD server. It turns out that I did not need the domain 
information.

  Now I see handshaking between the two machines but no data being transferred 
between them. That seems odd. Could there be some protocol settings that I need 
to activate? I thought that capturing TCP would be sufficient for me to view 
the interactions between the two machines.

  Any thoughts where I might look?

  Thanks,
  Marianne

  ----- Original Message -----
  From: "Johan Reinalda" <[email protected]>
  To: [email protected]
  Sent: Tuesday, January 26, 2010 7:25:25 AM
  Subject: Re: [cas-user] FastBind failure

  >> Also, I was wondering which registry parameters to set on the Microsoft 
  >> AD
  >> Server so that I can see what the Active Directory is seeing during the
  >> transaction?

  What we did during our debugging phase was to set up the CAS -> AD link to a 
  single AD server, with ldap in clear text (i.e. not ldaps). Then we used 
  packet captures on the Linux box running CAS and looked at the ldap 
  connections to our AD server with Wireshark (you could also do this on the 
  AD server if you're more comfortable there). Once we got everything working 
  we installed an SSL cert on the AD servers, reconfigured the CAS ldap 
  context source beans to use ldaps, and now our ldap binds and queries are 
  secured.

  Johan


  ----- Original Message ----- 
  From: "Marvin Addison" <[email protected]>
  To: <[email protected]>
  Sent: Tuesday, January 26, 2010 7:05 AM
  Subject: Re: [cas-user] FastBind failure


  >> 2010-01-25 13:16:11,994 DEBUG
  >> [org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler] - 
  >> Performing
  >> LDAP bind with credential: sAMAccountName=mtromp,
  >> cn=Users,dc=ci,dc=ventura,dc=ca,dc=us
  >
  > I noted there is a space in the DN above.  Could you change the filter
  > property of the fast bind handler such that there are no spaces and
  > try again?
  >
  >> Also, I was wondering which registry parameters to set on the Microsoft 
  >> AD
  >> Server so that I can see what the Active Directory is seeing during the
  >> transaction?
  >
  > I asked our Microsoft domain admins and they said there is an "audit
  > failed authentication" security policy you can enable to see more
  > detail in the security log.  I believe
  > http://www.windowsecurity.com/articles/Windows-Active-Directory-Auditing.html
  > shows a screenshot.  They claimed that failures include an error code
  > that you can search for that will indicate the exact cause of failure.
  > I don't know whether those codes are LDAP error codes or not
  > (http://support.microsoft.com/kb/218185); if they are LDAP codes I
  > would expect one of the following:
  >
  > - 0x31 (49) - Bad credential (wrong password)
  > - 0x20 (32) - Object not found (can't find the DN you provided)
  >
  > M
  >
  > -- 
  > You are currently subscribed to [email protected] as: 
  > [email protected]
  > To unsubscribe, change settings or access archives, see 
  > http://www.ja-sig.org/wiki/display/JSG/cas-user 



Attachment: deployerConfigContext.xml.example
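Two LDAP-side checks this thread turns on, the bind DN that the FastBind filter built with a stray space after the first comma (the log line Marvin quotes) and the two result codes he lists (49 and 32), as an added example that is not code from the thread or from CAS: a small Python helper that normalizes a DN by trimming whitespace around unescaped RDN separators and names those two codes. The DN string is taken from the quoted DEBUG line; the function names and the escaped-comma/escaped-space handling (RFC 4514 style) are this example's own.

```python
from typing import List

# The two LDAP resultCode values Marvin lists, with their RFC 4511 names.
LDAP_RESULT_CODES = {
    32: "noSuchObject: the server cannot find the DN you provided",
    49: "invalidCredentials: bad credential (wrong password)",
}

def split_rdns(dn: str) -> List[str]:
    """Split a DN on commas, leaving escaped commas ('\\,') inside values intact."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:                      # char after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":                  # unescaped comma ends this RDN
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts

def _strip_unescaped(value: str) -> str:
    """Trim surrounding spaces but keep an escaped trailing '\\ ' (RFC 4514)."""
    value = value.lstrip()
    while value.endswith(" ") and not value.endswith("\\ "):
        value = value[:-1]
    return value

def normalize_dn(dn: str) -> str:
    """Drop whitespace around RDN separators and attribute types, e.g.
    'sAMAccountName=mtromp, cn=Users,...' -> 'sAMAccountName=mtromp,cn=Users,...'."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip()}={_strip_unescaped(value)}")
    return ",".join(rdns)

def has_stray_spaces(dn: str) -> bool:
    """True when the DN a filter template produces differs from its normalized form."""
    return normalize_dn(dn) != dn

def explain_result_code(code: int) -> str:
    # Anything outside the two codes discussed here is left to RFC 4511 / KB 218185.
    return LDAP_RESULT_CODES.get(code, f"resultCode {code}: see RFC 4511")
```

Running `has_stray_spaces("sAMAccountName=mtromp, cn=Users,dc=ci,dc=ventura,dc=ca,dc=us")` returns True, and `normalize_dn` on the same string gives the spaceless DN the fast bind handler should have sent.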