Just to confirm (for my sanity). You took the configuration you used for connecting to LDAP over a non-secure port, and merely changed it to connect over a secure-port (and then added the certs you needed) and it stopped working?
On this page, there are some tips for adding additional DEBUG logging for SSL issues: https://wiki.jasig.org/display/CASUM/SSL+Troubleshooting+and+Reference+Guide It may help to determine what's going on if it is an SSL issue.

On Mon, Aug 16, 2010 at 9:00 AM, Joel Rosental R. <[email protected]> wrote:
> Hi,
>
> I'm new to CAS and want to set it up (latest version 3.4.2.1 with Tomcat 6) under a Debian GNU/Linux Lenny environment. Until now, I've been able to configure the CAS Server using an LDAP backend; however, I would want to use ldaps rather than plain ldap, and I've done everything that is in the "official documentation" but it is still not working. This is what I've done so far:
>
> I have my own PKI environment in another machine which I use for several services, so I copied the LDAP server certificates along with cacert.pem.
>
> Imported them into the keystore ($JAVA_HOME/jre/lib/security/cacerts) like this:
>
> keytool -import -alias rootca -file cacert.pem -keystore /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/security/cacerts -trustcacerts
>
> Then, I imported ldapcert.pem (LDAP's server cert):
>
> keytool -import -alias ldapcert -file ldapcert.pem -keystore /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/security/cacerts
>
> Once this is done, I verify they're included in the keystore by examining the output of: keytool -l -keystore $JAVA_HOME/jre/lib/security/cacerts and both of them appear as "trustedCertEntry".
>
> After this, I modify my deployerConfigContext.xml and it is like this:
>
> <property name="authenticationHandlers">
>   <list>
>     <!--
>       | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
>       | a server side SSL certificate.
>       +-->
>     <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
>           p:httpClient-ref="httpClient" />
>     <!--
>       | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
>       | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
>       | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your
>       | local authentication strategy. You might accomplish this by coding a new such handler and declaring
>       | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
>       +-->
>     <bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
>       <property name="filter" value="uid=%u,ou=People,dc=mydomain,dc=org" />
>       <property name="contextSource" ref="contextSource" />
>     </bean>
>   </list>
> </property>
>
> <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
>   <property name="urls">
>     <list>
>       <value>ldaps://ldap.mydomain.org</value>
>     </list>
>   </property>
>   <property name="userDn" value="uid=myuser,ou=People,dc=mydomain,dc=org"/>
>   <property name="password" value="xxx"/>
>   <property name="baseEnvironmentProperties">
>     <map>
>       <entry>
>         <key>
>           <value>java.naming.security.authentication</value>
>         </key>
>         <value>simple</value>
>       </entry>
>     </map>
>   </property>
> </bean>
>
> Then I restart Tomcat, and when I try to log in, the log file says:
>
> 2010-08-16 14:49:26,629 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler failed to authenticate the user which provided the following credentials: [username: myuser]>
>
> And nothing else.
>
> I've followed https://wiki.jasig.org/display/CASUM/LDAP to set up the LDAP backend, and there it says: "Please note that the JVM needs to trust the certificate of your SSL enabled LDAP server, else CAS will refuse to connect to your LDAP server. You can add the LDAP server's certificate to the JVM trust store ($JAVA_HOME/jre/lib/security/cacerts) to solve that issue." and I already did that, so I don't know why it is still failing.
>
> Thanks in advance for your help.
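The thread stops at "failed to authenticate" with no TLS detail, which is the usual shape of this problem: the LDAP handler swallows the connection error and only the debug logging linked above reveals it. The script below is an added diagnostic written for this editing pass; it is not code from the thread, from CAS or from Spring LDAP. It pulls the `ldap://` and `ldaps://` URLs out of a deployerConfigContext.xml, opens a verifying TLS connection to each `ldaps` endpoint using a PEM CA file (the same cacert.pem that was imported into the JVM cacerts), and labels the failure cause (untrusted chain, hostname mismatch, plain LDAP answering on the TLS port, DNS, refused). It also parses `keytool -list` output so the trust store aliases can be checked from a script. The XML fragment and keytool output embedded in it are constructed to mirror the post; the file and CA paths on the command line are assumptions.

```python
"""Added diagnostic for a CAS LdapContextSource that uses ldaps:// (not thread/CAS code).

Extracts LDAP URLs from deployerConfigContext.xml, TLS-probes each ldaps endpoint
against a PEM CA file, classifies the failure, and parses `keytool -list` output.
"""
import re
import socket
import ssl
import sys
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

# Constructed sample mirroring the contextSource bean from the post (the
# standard Spring beans namespace is assumed).
SAMPLE_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="urls">
      <list>
        <value>ldaps://ldap.mydomain.org</value>
      </list>
    </property>
    <property name="userDn" value="uid=myuser,ou=People,dc=mydomain,dc=org"/>
  </bean>
</beans>"""

# Constructed sample of `keytool -list -keystore cacerts` output (fingerprints are dummies).
SAMPLE_KEYTOOL = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

rootca, Aug 16, 2010, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
ldapcert, Aug 16, 2010, trustedCertEntry,
Certificate fingerprint (MD5): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00
"""

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def ldap_urls_from_config(xml_text):
    """Return every <value> holding an ldap:// or ldaps:// URL, regardless of XML namespace."""
    root = ET.fromstring(xml_text)
    urls = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # strip "{namespace}" prefix if present
        text = (elem.text or "").strip()
        if tag == "value" and text.startswith(("ldap://", "ldaps://")):
            urls.append(text)
    return urls


def endpoint(url):
    """Split an LDAP URL into (scheme, host, port), applying the scheme's default port."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("not an LDAP URL: %r" % url)
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def classify_tls_error(exc):
    """Map the exception from a failed connect/handshake to a short cause label."""
    text = " ".join(str(a) for a in exc.args).lower()
    if isinstance(exc, ssl.SSLCertVerificationError):
        # Chain built but the name did not match, versus no trusted issuer at all.
        return "hostname_mismatch" if "hostname" in text else "untrusted_chain"
    if isinstance(exc, ssl.SSLError):
        return "tls_handshake"  # e.g. plaintext LDAP answering on the ldaps port
    if isinstance(exc, socket.gaierror):
        return "dns"
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    if isinstance(exc, socket.timeout):
        return "timeout"
    return "other"


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """TLS-connect to the LDAP server, verifying chain and hostname against cafile."""
    ctx = ssl.create_default_context(cafile=cafile)  # OS trust store when cafile is None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "subject": cert.get("subject"),
                        "not_after": cert.get("notAfter"), "version": tls.version()}
    except OSError as exc:  # ssl.SSLError and all socket errors derive from OSError
        return {"ok": False, "reason": classify_tls_error(exc), "detail": str(exc)}


def truststore_aliases(keytool_output):
    """Parse `keytool -list` text into {alias: entry_type}."""
    entries = {}
    for line in keytool_output.splitlines():
        m = re.match(r"^(.+?), .+, (\w+Entry),?\s*$", line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


if __name__ == "__main__":
    # Usage: python ldaps_check.py deployerConfigContext.xml [cacert.pem]  (paths assumed)
    config = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    for url in ldap_urls_from_config(config):
        scheme, host, port = endpoint(url)
        if scheme != "ldaps":
            print("%s: plaintext LDAP, nothing to verify" % url)
            continue
        print(url, "->", probe_ldaps(host, port, cafile))
```

If the probe succeeds with the same cacert.pem but CAS still fails, the chain itself is fine and the remaining suspects are on the Java side: the JVM that Tomcat actually runs may not be the one whose cacerts was modified (the post imports into a hard-coded /usr/lib/jvm/java-6-sun-1.6.0.20 path while checking with $JAVA_HOME), or the name in the `ldaps://` URL may not match the server certificate. A `hostname_mismatch` result from the probe points at the second case directly; for the first, the SSL debug logging from the troubleshooting guide shows which trust store the JVM loaded.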
