Hi,

Yes, actually I changed the value 'ldap' to 'ldaps' in the deployerContextConfig.xml and added the certificates to the keystore. I already added the org.jasig.cas.adaptors.ldap category to debug in my log4j.xml file, but it doesn't give much more information than before. After a failed login attempt here is what it says:

2010-08-16 17:10:13,544 DEBUG [org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler] - <Performing LDAP bind with credential: uid=joel,ou=People,dc=mydomain,dc=org>
2010-08-16 17:10:13,548 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler failed to authenticate the user which provided the following credentials: [username: joell]>

Scott: I read the link that you gave me (https://wiki.jasig.org/display/CASUM/SSL+Troubleshooting+and+Reference+Guide) and the only thing was that I was importing my certificates in PEM format instead of DER, so I deleted my LDAP server cert and my cacert from the keystore, converted them to DER and then added them again to the keystore, but it is still not working.
I added these lines to the setenv.sh file:

# Uncomment the next 4 lines for custom SSL keystore
# used by all deployed applications
KEYSTORE="/usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/security/cacerts"
CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.keyStore=$KEYSTORE"
CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.keyStoreType=BKS"
CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.keyStorePassword=changeit"

# Uncomment the next 4 lines to allow custom SSL trust store
# used by all deployed applications
TRUSTSTORE="/usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/security/cacerts"
CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.trustStore=$TRUSTSTORE"
CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.trustStoreType=BKS"
CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.trustStorePassword=changeit"

# Uncomment the next line to print SSL debug trace in catalina.out
CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.debug=ssl"

export CATALINA_OPTS

and when starting tomcat, it gives me:

***
found key for : tomcat
chain [0] = [
[
  Version: V3
  Subject: CN=anarchy.mydomain.org, OU=Engineering, O=My Company, L=Madrid, ST=Madrid, C=ES
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  [modulus omitted]
  public exponent: 65537
  Validity: [From: Mon Aug 16 13:48:05 CEST 2010,
               To: Sun Nov 14 12:48:05 CET 2010]
  Issuer: CN=anarchy.mydomain.org, OU=Engineering, O=My Company, L=Madrid, ST=Madrid, C=ES
  SerialNumber: [    4c692575]

]
  Algorithm: [SHA1withRSA]
  Signature:
  [signature hex dump omitted]
]
***
[...]
adding as trusted cert:
  Subject: CN=anarchy.mydomain.org, OU=Engineering, O=My Company, L=Madrid, ST=Madrid, C=ES
  Issuer:  CN=anarchy.mydomain.org, OU=Engineering, O=My Company, L=Madrid, ST=Madrid, C=ES
  Algorithm: RSA; Serial number: 0x4c692575
  Valid from Mon Aug 16 13:48:05 CEST 2010 until Sun Nov 14 12:48:05 CET 2010
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  this one is the server certificate for tomcat
[...]
adding as trusted cert:
  Subject: CN=Root CA, C=ES, ST=Madrid, L=Madrid, OU=Engineering, O=My Company
  Issuer:  CN=Root CA, C=ES, ST=Madrid, L=Madrid, OU=Engineering, O=My Company
  Algorithm: RSA; Serial number: 0xa63c9b1583f12ee5
  Valid from Thu Oct 01 10:06:14 CEST 2009 until Sun Sep 29 10:06:14 CEST 2019
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  this is my cacert certificate
[...]
adding as trusted cert:
  Subject: CN=ldap.mydomain.org, OU=Engineering, O=My Company, C=ES, ST=Madrid, L=Madrid
  Issuer:  CN=Root CA, C=ES, ST=Madrid, L=Madrid, OU=Engineering, O=My Company
  Algorithm: RSA; Serial number: 0x1c
  Valid from Wed Dec 02 16:52:41 CET 2009 until Fri Dec 02 16:52:41 CET 2011
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  and this is my ldap server certificate

Any ideas?

> Just to confirm (for my sanity). You took the configuration you used for
> connecting to LDAP over a non-secure port, and merely changed it to connect
> over a secure-port (and then added the certs you needed) and it stopped
> working?
>
> On this page, there are some tips for adding additional DEBUG logging for
> SSL issues:
> https://wiki.jasig.org/display/CASUM/SSL+Troubleshooting+and+Reference+Guide
>
> It may help to determine what's going on if it is an SSL issue.
>
>
> On Mon, Aug 16, 2010 at 9:00 AM, Joel Rosental R. <[email protected]> wrote:
>
>> Hi,
>>
>> I'm new to CAS and want to set it up (latest version 3.4.2.1 with tomcat
>> 6) under a Debian GNU/Linux Lenny environment. Until now, I've been able
>> to configure the CAS Server using a LDAP backend; however, I would want
>> to use ldaps rather than plain ldap, and I've done everything that is in
>> the "official documentation" but it is still not working. This is what
>> I've done so far:
>>
>> I have my own PKI environment in another machine which I use for several
>> services, so I copied the ldap server certificates along with cacert.pem.
>>
>> Imported them into the keystore ($JAVA_HOME/jre/lib/security/cacerts)
>> like this:
>>
>> keytool -import -alias rootca -file cacert.pem
>>   -keystore /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/security/cacerts
>>   -trustcacerts
>>
>> Then, I imported ldapcert.pem (LDAP's server cert):
>>
>> keytool -import -alias ldapcert -file ldapcert.pem
>>   -keystore /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/security/cacerts
>>
>> Once this is done, I verify they're included in the keystore by
>> examining the output of: keytool -l -keystore
>> $JAVA_HOME/jre/lib/security/cacerts and both of them appear as
>> "trustedCertEntry".
>>
>> After this, I modify my deployerConfigContext.xml and it is like this:
>>
>> <property name="authenticationHandlers">
>>   <list>
>>     <!--
>>       | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
>>       | a server side SSL certificate.
>>       +-->
>>     <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
>>           p:httpClient-ref="httpClient" />
>>     <!--
>>       | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
>>       | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
>>       | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your
>>       | local authentication strategy. You might accomplish this by coding a new such handler and declaring
>>       | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
>>       +-->
>>     <bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
>>       <property name="filter" value="uid=%u,ou=People,dc=mydomain,dc=org" />
>>       <property name="contextSource" ref="contextSource" />
>>     </bean>
>>   </list>
>> </property>
>>
>> <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
>>   <property name="urls">
>>     <list>
>>       <value>ldaps://ldap.mydomain.org</value>
>>     </list>
>>   </property>
>>   <property name="userDn" value="uid=myuser,ou=People,dc=mydomain,dc=org"/>
>>   <property name="password" value="xxx"/>
>>   <property name="baseEnvironmentProperties">
>>     <map>
>>       <entry>
>>         <key>
>>           <value>java.naming.security.authentication</value>
>>         </key>
>>         <value>simple</value>
>>       </entry>
>>     </map>
>>   </property>
>> </bean>
>>
>> Then restart tomcat, and when I try to login, in the log file it says:
>>
>> 2010-08-16 14:49:26,629 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler failed to authenticate the user which provided the following credentials: [username: myuser]>
>>
>> And nothing else.
>>
>> I've followed https://wiki.jasig.org/display/CASUM/LDAP to set up the
>> ldap backend, and there it says: "Please note that the JVM needs to
>> trust the certificate of your SSL enabled LDAP server, else CAS will
>> refuse to connect to your LDAP server. You can add the LDAP server's
>> certificate to the JVM trust store ($JAVA_HOME/jre/lib/security/cacerts)
>> to solve that issue." and I already did that, so I don't know why it is
>> still failing?
>>
>> Thanks in advance for your help.
>>
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
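As an added offline check, not part of this thread or of CAS itself, the small Java program below loads a JKS trust store the same way the JVM does and reports whether a given LDAP server certificate is either imported directly or chains to a trusted CA entry in that store. It assumes the trust store path, its password and the server certificate file are passed on the command line; the class name TrustStoreCheck is made up for this example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/* Usage: java TrustStoreCheck <truststore> <password> <server-cert>
 *  e.g.  java TrustStoreCheck $JAVA_HOME/jre/lib/security/cacerts changeit ldapcert.pem
 * Written as an illustration for this thread; Java 6 compatible (no try-with-resources). */
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        // The stock JDK cacerts file is a JKS store. Loading it with the wrong
        // store type (or wrong password) fails here, exactly as JSSE would fail at startup.
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(args[0]);
        try { ks.load(in, args[1].toCharArray()); } finally { in.close(); }

        // CertificateFactory accepts both PEM (-----BEGIN CERTIFICATE-----) and DER input.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        in = new FileInputStream(args[2]);
        X509Certificate server;
        try { server = (X509Certificate) cf.generateCertificate(in); } finally { in.close(); }
        System.out.println("Server cert: " + server.getSubjectX500Principal());
        System.out.println("Issued by  : " + server.getIssuerX500Principal());
        try { server.checkValidity(); } catch (Exception ex) {
            System.out.println("WARNING: certificate not valid today: " + ex);
        }

        boolean trusted = false;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isCertificateEntry(alias)) continue;   // skip private-key entries
            X509Certificate ca = (X509Certificate) ks.getCertificate(alias);
            if (ca.equals(server)) {
                // The server certificate itself was imported as a trustedCertEntry
                System.out.println("trusted directly via alias '" + alias + "'");
                trusted = true;
            } else if (ca.getSubjectX500Principal().equals(server.getIssuerX500Principal())) {
                try {
                    server.verify(ca.getPublicKey());   // does this CA key really sign the cert?
                    System.out.println("chains to CA alias '" + alias + "'");
                    trusted = true;
                } catch (Exception ex) {
                    System.out.println("alias '" + alias + "' matches the issuer name but does NOT sign this cert: " + ex);
                }
            }
        }
        System.out.println(trusted ? "RESULT: this trust store accepts the server certificate"
                                   : "RESULT: no trust anchor found; import the issuing CA with keytool -import -trustcacerts");
    }
}
```

Run it with the same JVM that runs Tomcat, since that JVM's own cacerts is what -Djavax.net.ssl.trustStore points at; a load failure or a "no trust anchor found" result localises the problem to the store before any network or LDAP bind is involved.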
