Hi Jeff,

I am not sure if this will help but you can start Tomcat in debug mode and then attach a debugger (I used Eclipse) to see what is happening. When I was having issues I set my debug statement (LdapPasswordWarningCheck.java) in the method getPasswordWarning. Some other key files to look through are

PasswordWarningCheckAction.java
PasswordWarningDynamicViewSelector.java (webflow)
AuthenticationViaFormAction.java

Stepping through the code gave me a pretty good indication of what was happening. Debugging prompted me to modify properties files which I neglected to update. Also we made some modifications to add more functionality if a user's password expired.

Also are you using the CAS Maven overlay method?

Ahsan

On Wed, Apr 7, 2010 at 12:09 PM, Jeff Chapin <[email protected]> wrote:

> To make things even more fun, the instance I have with LdapBind and an
> attempt at the ldap-pwd module is letting locked users log in, but an
> instance with FastBind is not.
>
> I most definitely have something broken.
>
> Jeff
>
> Jeff Chapin wrote:
> > I know I am grave digging, but I am working on getting this module
> > working still.
> >
> > I have gotten LdapBind working, and I have the password working
> > information getting initialized:
> >
> > This is from catalina.out:
> >
> > 2010-04-06 16:42:18,580 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <LDAP Search Base: 'cn=Users,dc=Collab,dc=uni,dc=edu'>
> > 2010-04-06 16:42:18,597 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Search Filter: 'cn=%u'>
> > 2010-04-06 16:42:18,597 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <warnAll: 'true'>
> > 2010-04-06 16:42:18,597 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Date format: 'yyyyMMddHHmmss'z''>
> > 2010-04-06 16:42:18,597 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <warningCheckType: 'change'>
> > 2010-04-06 16:42:18,597 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Date Attribute: 'pwdchangedtime'>
> > 2010-04-06 16:42:18,597 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Warning Days Attribute: 'passwordwarningdays'>
> > 2010-04-06 16:42:18,597 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Valid Days Attribute: 'passwordexpiredays'>
> > 2010-04-06 16:42:18,598 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Default Warning Days: '300'>
> > 2010-04-06 16:42:18,598 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Password Max Age (in days): '1'>
> >
> > Those are the correct values I entered -- but that is the last sign I
> > see of the module being run. Nothing is logged, nor am I warned that I
> > need to change my password -- even though I have warn set to true.
> >
> > I followed the guide here:
> >
> > http://www.ja-sig.org/wiki/display/CASUM/LDAP+Password+Policy+Enforcement
> >
> > and I made the following changes to my default_view, as advised on this
> > thread:
> >
> > ## Expired Password Error message
> > casExpiredPassView.(class)=org.springframework.web.servlet.view.JstlView
> > casExpiredPassView.url=/WEB-INF/view/jsp/default/ui/casExpiredPassView.jsp
> >
> > ### Locked Account Error message
> > casAccountLockedView.(class)=org.springframework.web.servlet.view.JstlView
> > casAccountLockedView.url=/WEB-INF/view/jsp/default/ui/casAccountLockedView.jsp
> >
> > ### Disabled Account Error message
> > casAccountDisabledView.(class)=org.springframework.web.servlet.view.JstlView
> > casAccountDisabledView.url=/WEB-INF/view/jsp/default/ui/casAccountDisabledView.jsp
> >
> > ### Password Expiration Warning message (logged in, PasswordWarningCheck=true)
> > casWarnPassView.(class)=org.springframework.web.servlet.view.JstlView
> > casWarnPassView.url=/WEB-INF/view/jsp/default/ui/casWarnPassView.jsp
> >
> > I *am* getting the following error when I try to log into /cas/services
> > to test:
> >
> > 2010-04-06 16:43:08,245 DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - <Performing LDAP bind with credential: cn=chapinj,cn=Users,dc=collab,dc=uni,dc=edu>
> > Exception in thread "Thread-14" java.security.ProviderException: update() failed
> > 2010-04-06 16:43:08,299 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: chapinj]>
> >     at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:557)
> >     at sun.security.pkcs11.P11Cipher.engineUpdate(P11Cipher.java:457)
> >     at javax.crypto.Cipher.update(DashoA13*..)
> >     at com.sun.net.ssl.internal.ssl.CipherBox.encrypt(CipherBox.java:141)
> >     at com.sun.net.ssl.internal.ssl.OutputRecord.encrypt(OutputRecord.java:197)
> >     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecordInternal(SSLSocketImpl.java:733)
> >     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:722)
> >     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.sendAlert(SSLSocketImpl.java:1720)
> >     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1606)
> >     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1574)
> >     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1538)
> >     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1483)
> >     at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:86)
> >     at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
> >     at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)
> >     at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
> >     at com.sun.jndi.ldap.Connection.run(Connection.java:805)
> >     at java.lang.Thread.run(Thread.java:619)
> > Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_OPERATION_NOT_INITIALIZED
> >     at sun.security.pkcs11.wrapper.PKCS11.C_EncryptUpdate(Native Method)
> >     at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:510)
> >     ... 17 more
> >
> > From googling, this appears to be an issue with encryption -- but I am
> > not sure where I went wrong or managed to break things.
> >
> > This is Java 1.6.0, CAS 3.3.5, and Solaris 10.
> >
> > Any suggestions before I go bald?
> >
> > Thanks,
> >
> > Jeff
> >
> > Jeff Chapin wrote:
> >> I had actually been barking up that tree -- using BindLdap, and not
> >> FastBind, but had to move in different directions. I will try to
> >> replicate your results in the morning and see what I can come up with.
> >>
> >> Thanks for the pointers!
> >>
> >> Jeff
> >>
> >> Vitty, Paul wrote:
> >>> Jeff/Ahsan,
> >>>
> >>> I've been working on this issue this evening and have gotten to the
> >>> point where I am seeing the output you expect to see.
> >>>
> >>> I'm not sure, maybe you know this already, but the password about to
> >>> expire message is only shown when you request a service ticket, it's
> >>> not shown when only a ticket granting ticket is requested.
> >>>
> >>> Another thing I worked out is that you need to use the
> >>> org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler for your LDAP
> >>> authentication handler in deployerConfigContext.xml, whereas before we
> >>> were using the Fast Bind class. Not sure if that helps you out, but
> >>> it's got me this far.
> >>>
> >>> Paul
> >>>
> >>> On 15 Feb 2010, at 22:16, Jeff Chapin wrote:
> >>>
> >>> No, I have not got this to work yet.
> >>>
> >>> I moved focus to other issues on my plate. I will look into this again
> >>> further tomorrow, but this appears to be the *EXACT* same experience I
> >>> am having -- so we appear to be on the same page, at least.
> >>>
> >>> Jeff
> >>>
> >>> Ahsan Imam wrote:
> >>>>>> Jeff,
> >>>>>>
> >>>>>> Did you ever get the module to work? Are you still having issues?
> >>>>>> After the documentation was updated on Feb 10, I changed my
> >>>>>> configuration setting specified for passwordWarningcheck.xml. I am
> >>>>>> getting no warning message and there is nothing in the logs.
> >>>>>> Logging is set to:
> >>>>>>
> >>>>>> log4j.logger.org.jasig.cas.services=INFO
> >>>>>> log4j.logger.org.jasig.cas.web.flow=DEBUG
> >>>>>> log4j.logger.org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck=DEBUG
> >>>>>> log4j.logger.org.jasig.cas.adaptors=DEBUG
> >>>>>>
> >>>>>> I set warnAll to true and I should see a message "Show Warning (WarnALL
> >>>>>> is TRUE!) -- The password for " + userID + " will expire in " +
> >>>>>> Math.round(DateDiff / Timer.ONE_DAY) + " days" based on the code. I
> >>>>>> do not see any message in the browser or the logs.
> >>>>>>
> >>>>>> I wonder if I am missing something....
> >>>>>>
> >>>>>> Sincerely,
> >>>>>> Ahsan
> >>>>>>
> >>>>>> On Fri, Feb 12, 2010 at 7:55 AM, Jeff Chapin <[email protected]> wrote:
> >>>>>>
> >>>>>> You guys rock!
> >>>>>>
> >>>>>> Only problem I have is I am still not seeing anything new in my
> >>>>>> logs. I am seeing the same behavior as with the last version.
> >>>>>>
> >>>>>> Thank you so much for the assistance.
> >>>>>>
> >>>>>> Jeff
> >>>>>>
> >>>>>> Scott Battaglia wrote:
> >>>>>>> I think Eric made an update to the page. Not sure if that will
> >>>>>>> help or not.
> >>>>>>>
> >>>>>>> On Thu, Feb 11, 2010 at 10:29 AM, Jeff Chapin <[email protected]> wrote:
> >>>>>>>
> >>>>>>> I believe that log line came from this bean:
> >>>>>>>
> >>>>>>> <bean id="PasswordWarningCheckAction"
> >>>>>>>       class="org.jasig.cas.web.flow.PasswordWarningCheckAction">
> >>>>>>>     <property name="passwordWarningCheck"
> >>>>>>>               ref="passwordWarningCheck" />
> >>>>>>> </bean>
> >>>>>>>
> >>>>>>> This was documented in the link below. Am I off base? I am still
> >>>>>>> learning how this setup works and feeling my way around.
> >>>>>>>
> >>>>>>> Jeff
> >>>>>>>
> >>>>>>> Scott Battaglia wrote:
> >>>>>>>> I don't know much about it but there's no reason it shouldn't
> >>>>>>>> work. It doesn't look like there are any instructions to tell you
> >>>>>>>> to add it to the web flow though.
> >>>>>>>>
> >>>>>>>> On Wed, Feb 10, 2010 at 12:03 PM, Jeff Chapin <[email protected]> wrote:
> >>>>>>>>
> >>>>>>>> Hello,
> >>>>>>>>
> >>>>>>>> I am using CAS 3.3.5, and I have tried to get LDAP password policy
> >>>>>>>> enforcement running, as per
> >>>>>>>> http://www.ja-sig.org/wiki/display/CASUM/LDAP+Password+Policy+Enforcement.
> >>>>>>>>
> >>>>>>>> I have cranked logging as follows:
> >>>>>>>>
> >>>>>>>> log4j.logger.org.jasig.cas.services=INFO
> >>>>>>>> log4j.logger.org.jasig.cas.web.flow=DEBUG
> >>>>>>>> log4j.logger.org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck=DEBUG
> >>>>>>>> log4j.logger.org.jasig.cas.adaptors=DEBUG
> >>>>>>>>
> >>>>>>>> Other than that, the logging is identical to the Logging page on
> >>>>>>>> the wiki.
> >>>>>>>>
> >>>>>>>> Here are the only logs that are currently appearing:
> >>>>>>>>
> >>>>>>>> 2010-02-10 10:58:58,550 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Search Filter: 'cn=%u'>
> >>>>>>>> 2010-02-10 10:58:58,551 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Expire Date Attribute: 'pwdchangedtime'>
> >>>>>>>> 2010-02-10 10:58:58,551 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Warning Days Attribute: 'passwordwarningdays'>
> >>>>>>>> 2010-02-10 10:58:58,551 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Default Warning Days: '-1'>
> >>>>>>>> 2010-02-10 10:58:58,551 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Date format: 'yyyyMMddHHmmss'z''>
> >>>>>>>> 2010-02-10 10:58:58,551 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <LDAP Search Base: 'cn=Users,dc=collab,dc=uni,dc=edu'>
> >>>>>>>> 2010-02-10 10:58:58,553 DEBUG [org.jasig.cas.web.flow.PasswordWarningCheckAction] - <inited with passwordWarningChecker='org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck'>
> >>>>>>>>
> >>>>>>>> As well as a mention to the bean in the following line.
> >>>>>>>>
> >>>>>>>> 2010-02-10 10:58:58,771 INFO [org.springframework.beans.factory.support.DefaultListableBeanFactory] - <Pre-instantiating singletons in org.springframework.beans.factory.support.defaultlistablebeanfact...@3052ce :
> >>>>>>>>
> >>>>>>>> It appears to me that the PasswordWarningCheck is not even firing
> >>>>>>>> -- I would expect much more logging output than this.
> >>>>>>>>
> >>>>>>>> As an aside, I put -1 as the Warning days, as our LDAP server
> >>>>>>>> (Oracle OID) currently only reports the time the password was last
> >>>>>>>> changed, not when it expires. I have tried positive values with no
> >>>>>>>> difference in the results.
> >>>>>>>>
> >>>>>>>> Am I missing something, or is this code simply incompatible with
> >>>>>>>> the current CAS version?
> >>>>>>>>
> >>>>>>>> Thanks,
> >>>>>>>> Jeff
>
> --
> Jeff Chapin,
> Assistant Systems/Applications Administrator
> ITS-IS, University of Northern Iowa
> Phone: 319-273-3162 Email: [email protected]
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user

--
s/Ahsan/?/g
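An added illustration, not part of the original thread and not the LdapPasswordWarningCheck source: the date arithmetic implied by the logged 'change'-type settings, where the directory stores only the last-changed time and expiry is derived from a maximum age. The class and method names, the UTC reading of the trailing 'z', the fail-closed exception on expiry, and the sample timestamps are assumptions.

```java
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.TimeZone;

// Added illustration; hypothetical names, not the CAS module's code.
public class PasswordExpiryCheck {
    static final long ONE_DAY_MS = 24L * 60 * 60 * 1000;

    /**
     * Returns the rounded days until expiry when a warning is due, -1 when no
     * warning is due, and throws IllegalStateException once the password has
     * expired so that the caller cannot treat "expired" as "no warning".
     */
    static long daysToWarn(String pwdChangedTime, int maxAgeDays, int warningDays,
                           boolean warnAll, Date now) throws ParseException {
        // Pattern taken from the logged "Date format" value: literal trailing 'z',
        // interpreted here as UTC (assumption).
        SimpleDateFormat fmt = new SimpleDateFormat("yyyyMMddHHmmss'z'");
        fmt.setTimeZone(TimeZone.getTimeZone("UTC"));
        fmt.setLenient(false); // reject malformed attribute values instead of guessing
        Date changed = fmt.parse(pwdChangedTime);

        long expiresAt = changed.getTime() + maxAgeDays * ONE_DAY_MS;
        long remainingMs = expiresAt - now.getTime();
        if (remainingMs <= 0) {
            throw new IllegalStateException("password expired");
        }
        long daysLeft = Math.round((double) remainingMs / ONE_DAY_MS);
        return (warnAll || daysLeft <= warningDays) ? daysLeft : -1;
    }

    public static void main(String[] args) throws ParseException {
        SimpleDateFormat fmt = new SimpleDateFormat("yyyyMMddHHmmss'z'");
        fmt.setTimeZone(TimeZone.getTimeZone("UTC"));
        Date now = fmt.parse("20100406164218z"); // constructed "current time"

        // Constructed attribute values. First call mirrors the logged settings:
        // max age 1 day, warning days 300, warnAll true.
        System.out.println(daysToWarn("20100406100000z", 1, 300, true, now));
        // Changed recently relative to a 90-day max age, outside a 30-day window.
        System.out.println(daysToWarn("20100301000000z", 90, 30, false, now));
        try {
            daysToWarn("20100401000000z", 1, 300, true, now); // older than max age
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
    }
}
```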
