After enabling SSL debugging, did you try authenticating again? Anything useful in the logs?
Also, I don't know if it's an issue, but your username joell is different from the LDAP uid joel.

On Mon, Aug 16, 2010 at 2:17 PM, <[email protected]> wrote:
> Hi,
>
> Yes, actually I changed the value 'ldap' to 'ldaps' in the
> deployerContextConfig.xml and added the certificates to the keystore.
>
> I already added the org.jasig.cas.adaptors.ldap category to debug in my
> log4j.xml file, but it doesn't give much more information than before. After
> a failed login attempt, here is what it says:
>
> 2010-08-16 17:10:13,544 DEBUG [org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler] - <Performing LDAP bind with credential: uid=joel,ou=People,dc=mydomain,dc=org>
> 2010-08-16 17:10:13,548 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler failed to authenticate the user which provided the following credentials: [username: joell]>
>
> Scott: I read the link that you gave me
> (https://wiki.jasig.org/display/CASUM/SSL+Troubleshooting+and+Reference+Guide)
> and the only thing was that I was importing my certificates in PEM format
> instead of DER, so I deleted my LDAP server cert and my cacert from the
> keystore, converted them to DER and then added them again to the keystore,
> but it is still not working.
>
> I added these lines to the setenv.sh file:
>
> # Uncomment the next 4 lines for custom SSL keystore
> # used by all deployed applications
> KEYSTORE="/usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/security/cacerts"
> CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.keyStore=$KEYSTORE"
> CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.keyStoreType=BKS"
> CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.keyStorePassword=changeit"
>
> # Uncomment the next 4 lines to allow custom SSL trust store
> # used by all deployed applications
> TRUSTSTORE="/usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/security/cacerts"
> CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.trustStore=$TRUSTSTORE"
> CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.trustStoreType=BKS"
> CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.trustStorePassword=changeit"
>
> # Uncomment the next line to print SSL debug trace in catalina.out
> CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.debug=ssl"
>
> export CATALINA_OPTS
>
> and when starting Tomcat, it gives me:
>
> ***
> found key for : tomcat
> chain [0] = [
> [
>   Version: V3
>   Subject: CN=anarchy.mydomain.org, OU=Engineering, O=My Company, L=Madrid, ST=Madrid, C=ES
>   Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
>
>   Key: Sun RSA public key, 1024 bits
>   modulus: 12429917734398243518800808265619280814716750420968419601771757790510823806987670798732881378060652289286981824141461030753004205618458414459411736262213365948359424037369540538035098119857266639254595546481328107025155708999410195469263713472820440725503744411023
>   public exponent: 65537
>   Validity: [From: Mon Aug 16 13:48:05 CEST 2010,
>                To: Sun Nov 14 12:48:05 CET 2010]
>   Issuer: CN=anarchy.mydomain.org, OU=Engineering, O=My Company, L=Madrid, ST=Madrid, C=ES
>   SerialNumber: [ 4c692575]
>
> ]
>   Algorithm: [SHA1withRSA]
>   Signature:
> 0000: 2C 33 09 DE 3D 8E 98 92 5F 43 5D A4 FF 55 B6 D1 ,3..=..._C]..U..
> 0010: CB 8A 1F 85 AC E2 75 09 73 BA BC B7 22 95 E5 14 ......u.s..."...
> 0020: 96 C8 80 F4 30 28 AD C9 FD FD BD 72 CC C7 AD 31 ....0(.....r...1
> 0030: 2C 5B 88 8B AD FF 1A D1 AA 6C 7E 5E C0 44 6B 6D ,[.......l.^.Dkm
> 0040: DC 61 D1 E5 8D A2 1A FB EE AD 73 5E D8 70 A7 92 .a........s^.p..
> 0050: 97 FA 50 2E 9F 11 A1 2D 6E 18 21 94 D4 E1 B8 82 ..P....-n.!.....
> 0060: 18 14 B6 F9 F3 BE 32 CC 83 15 0D 88 7E 7E 6A 6E ......2.......jn
> 0070: 84 EE A4 DA 6C 7E F4 FB 35 C9 B0 3F 98 B4 37 7C ....l...5..?..7.
>
> ]
> ***
>
> [...]
>
> adding as trusted cert:
>   Subject: CN=anarchy.mydomain.org, OU=Engineering, O=My Company, L=Madrid, ST=Madrid, C=ES
>   Issuer:  CN=anarchy.mydomain.org, OU=Engineering, O=My Company, L=Madrid, ST=Madrid, C=ES
>   Algorithm: RSA; Serial number: 0x4c692575
>   Valid from Mon Aug 16 13:48:05 CEST 2010 until Sun Nov 14 12:48:05 CET 2010
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this one is the server certificate for Tomcat
>
> [...]
>
> adding as trusted cert:
>   Subject: CN=Root CA, C=ES, ST=Madrid, L=Madrid, OU=Engineering, O=My Company
>   Issuer:  CN=Root CA, C=ES, ST=Madrid, L=Madrid, OU=Engineering, O=My Company
>   Algorithm: RSA; Serial number: 0xa63c9b1583f12ee5
>   Valid from Thu Oct 01 10:06:14 CEST 2009 until Sun Sep 29 10:06:14 CEST 2019
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this is my cacert certificate
>
> [...]
>
> adding as trusted cert:
>   Subject: CN=ldap.mydomain.org, OU=Engineering, O=My Company, C=ES, ST=Madrid, L=Madrid
>   Issuer:  CN=Root CA, C=ES, ST=Madrid, L=Madrid, OU=Engineering, O=My Company
>   Algorithm: RSA; Serial number: 0x1c
>   Valid from Wed Dec 02 16:52:41 CET 2009 until Fri Dec 02 16:52:41 CET 2011
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ and this is my LDAP server certificate
>
> Any ideas?
>
> > Just to confirm (for my sanity).
> > You took the configuration you used for connecting to LDAP over a
> > non-secure port, and merely changed it to connect over a secure port
> > (and then added the certs you needed) and it stopped working?
> >
> > On this page, there are some tips for adding additional DEBUG logging for
> > SSL issues:
> > https://wiki.jasig.org/display/CASUM/SSL+Troubleshooting+and+Reference+Guide
> >
> > It may help to determine what's going on if it is an SSL issue.
> >
> > On Mon, Aug 16, 2010 at 9:00 AM, Joel Rosental R. <[email protected]> wrote:
> >
> >> Hi,
> >>
> >> I'm new to CAS and want to set it up (latest version 3.4.2.1 with Tomcat
> >> 6) under a Debian GNU/Linux Lenny environment. Until now, I've been able
> >> to configure the CAS Server using an LDAP backend; however, I would want
> >> to use ldaps rather than plain ldap, and I've done everything that is in
> >> the "official documentation" but it is still not working. This is what
> >> I've done so far:
> >>
> >> I have my own PKI environment in another machine which I use for several
> >> services, so I copied the LDAP server certificates along with cacert.pem.
> >>
> >> Imported them into the keystore ($JAVA_HOME/jre/lib/security/cacerts)
> >> like this:
> >>
> >> keytool -import -alias rootca -file cacert.pem \
> >>   -keystore /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/security/cacerts \
> >>   -trustcacerts
> >>
> >> Then, I imported ldapcert.pem (LDAP's server cert):
> >>
> >> keytool -import -alias ldapcert -file ldapcert.pem \
> >>   -keystore /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/security/cacerts
> >>
> >> Once this is done, I verify they're included in the keystore by
> >> examining the output of:
> >>
> >> keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts
> >>
> >> and both of them appear as "trustedCertEntry".
> >>
> >> After this, I modify my deployerConfigContext.xml and it is like this:
> >>
> >> <property name="authenticationHandlers">
> >>   <list>
> >>     <!--
> >>       | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
> >>       | a server side SSL certificate.
> >>       +-->
> >>     <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
> >>           p:httpClient-ref="httpClient" />
> >>     <!--
> >>       | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
> >>       | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
> >>       | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your
> >>       | local authentication strategy. You might accomplish this by coding a new such handler and declaring
> >>       | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
> >>       +-->
> >>     <bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
> >>       <property name="filter" value="uid=%u,ou=People,dc=mydomain,dc=org" />
> >>       <property name="contextSource" ref="contextSource" />
> >>     </bean>
> >>   </list>
> >> </property>
> >>
> >> <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
> >>   <property name="urls">
> >>     <list>
> >>       <value>ldaps://ldap.mydomain.org</value>
> >>     </list>
> >>   </property>
> >>   <property name="userDn" value="uid=myuser,ou=People,dc=mydomain,dc=org"/>
> >>   <property name="password" value="xxx"/>
> >>   <property name="baseEnvironmentProperties">
> >>     <map>
> >>       <entry>
> >>         <key>
> >>           <value>java.naming.security.authentication</value>
> >>         </key>
> >>         <value>simple</value>
> >>       </entry>
> >>     </map>
> >>   </property>
> >> </bean>
> >>
> >> Then I restart Tomcat, and when I try to log in, the log file says:
> >>
> >> 2010-08-16 14:49:26,629 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler failed to authenticate the user which provided the following credentials: [username: myuser]>
> >>
> >> And nothing else.
> >>
> >> I've followed https://wiki.jasig.org/display/CASUM/LDAP to set up the
> >> LDAP backend, and there it says: "Please note that the JVM needs to
> >> trust the certificate of your SSL enabled LDAP server, else CAS will
> >> refuse to connect to your LDAP server. You can add the LDAP server's
> >> certificate to the JVM trust store ($JAVA_HOME/jre/lib/security/cacerts)
> >> to solve that issue." I already did that, so I don't know why it is
> >> still failing.
> >>
> >> Thanks in advance for your help.
> >>
> >
> > --
> > You are currently subscribed to [email protected] as: [email protected]
> > To unsubscribe, change settings or access archives, see
> > http://www.ja-sig.org/wiki/display/JSG/cas-user
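The only evidence in the thread is CAS's generic "failed to authenticate the user" line, which does not say whether the LDAPS handshake failed or whether the server accepted the TLS connection and then rejected the bind DN or password. The Java program below is an added diagnostic written for this thread; it is not CAS code and not from any of the posters. It loads the cacerts path from setenv.sh explicitly as a JKS keystore (the type the stock Sun JDK ships cacerts in), completes a TLS handshake against the LDAP host using only that truststore, reports which certificates of the presented chain are themselves in the truststore, and then performs the same simple bind that FastBindLdapAuthenticationHandler performs, through JNDI, with a DN built the way the uid=%u,ou=People,dc=mydomain,dc=org filter builds it. The class name, port 636, the argument order and the sample DN are assumptions; the bind credentials are taken from the command line and are those of a test account you own.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Hypothetical diagnostic (not part of CAS): separates "the JVM does not trust
 * the LDAPS server" from "the bind DN or password was rejected".
 *
 * Usage: java LdapsBindCheck <host> <port> <truststore> <storepass> <bindDn> <bindPass>
 * e.g.   java LdapsBindCheck ldap.mydomain.org 636 \
 *            /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/security/cacerts changeit \
 *            "uid=joel,ou=People,dc=mydomain,dc=org" <password of that test account>
 */
public class LdapsBindCheck {

    /** Step 1: load the truststore explicitly and complete a TLS handshake with only it. */
    static boolean checkTls(String host, int port, String trustStorePath, char[] storePass) throws Exception {
        // The stock Sun JDK cacerts file is a JKS keystore. Loading it with an
        // explicit type makes a type mismatch fail here, with a clear message,
        // instead of surfacing later as a generic bind failure.
        KeyStore ts = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(trustStorePath);
        try {
            ts.load(in, storePass);
        } finally {
            in.close();
        }
        System.out.println("truststore loaded: " + ts.size() + " entries");

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            sock.startHandshake(); // throws if the server chain does not validate against ts
            Certificate[] chain = sock.getSession().getPeerCertificates();
            for (Certificate c : chain) {
                X509Certificate x = (X509Certificate) c;
                // Say which presented certificates are literally present in the truststore
                // (the thread imported both the server cert and the issuing root CA).
                String alias = ts.getCertificateAlias(x);
                System.out.println("  subject=" + x.getSubjectX500Principal()
                        + " issuer=" + x.getIssuerX500Principal()
                        + (alias != null ? " [in truststore as '" + alias + "']" : ""));
            }
            System.out.println("TLS OK: server chain validated against " + trustStorePath);
            return true;
        } catch (SSLHandshakeException e) {
            // Typical text here: "unable to find valid certification path to requested target"
            System.out.println("TLS FAILED: " + e.getMessage());
            return false;
        } finally {
            sock.close();
        }
    }

    /** Step 2: the simple bind that FastBindLdapAuthenticationHandler performs, done via JNDI. */
    static String checkBind(String host, int port, String bindDn, String bindPass) {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://" + host + ":" + port);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPass);
        try {
            DirContext dc = new InitialDirContext(env);
            dc.close();
            return "BIND OK for " + bindDn;
        } catch (AuthenticationException e) {
            // The server answered over TLS and rejected the DN/password (LDAP result 49).
            return "BIND REJECTED (credentials): " + e.getMessage();
        } catch (CommunicationException e) {
            // No LDAP answer at all: usually the TLS layer (trust store, port, hostname).
            return "BIND FAILED (transport): " + e.getMessage()
                    + (e.getRootCause() != null ? " / cause: " + e.getRootCause() : "");
        } catch (NamingException e) {
            return "BIND FAILED: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        // JNDI reads the same javax.net.ssl.* properties Tomcat gets from CATALINA_OPTS.
        System.setProperty("javax.net.ssl.trustStore", args[2]);
        System.setProperty("javax.net.ssl.trustStoreType", "JKS");
        System.setProperty("javax.net.ssl.trustStorePassword", args[3]);

        if (checkTls(host, port, args[2], args[3].toCharArray())) {
            System.out.println(checkBind(host, port, args[4], args[5]));
        }
    }
}
```

Reading the result: if step 1 fails, the JVM does not trust the chain the LDAP server presents, regardless of what the SSL debug trace lists as "adding as trusted cert" (check the alias report for whether the issuing CA, not only the server certificate, is present). If step 1 succeeds and step 2 returns "BIND REJECTED (credentials)", TLS is not the problem and the DN or password is, which is where the joell versus joel mismatch noted at the top of this message would show up. A "BIND FAILED (transport)" after a successful step 1 means JNDI is not using the truststore you expect, so compare the javax.net.ssl.* values main() sets with the ones actually reaching Tomcat.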
