> After enabling SSL debugging, did you try authenticating again? Anything
> useful in the logs?
Yes, I tried again and the only thing I see in the logs is:

2010-08-16 17:10:13,544 DEBUG [org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler] - <Performing LDAP bind with credential: uid=joel,ou=People,dc=mydomain,dc=org>
2010-08-16 17:10:13,548 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler failed to authenticate the user which provided the following credentials: [username: joel]>

> Also, I don't know if it's an issue but your username joell is different
> from the ldap uid joel

It was an error (I changed the real username by hand when I copied it here).

Marvin: the output that the SSL debug options of setenv.sh generated is the one that I put in my last email, giving all the certificates that are in the keystore.

> On Mon, Aug 16, 2010 at 2:17 PM, <[email protected]> wrote:
>
>> Hi,
>>
>> Yes, actually I changed the value 'ldap' to 'ldaps' in the
>> deployerContextConfig.xml and added the certificates to the keystore.
>>
>> I already added the org.jasig.cas.adaptors.ldap category to debug in my
>> log4j.xml file but it doesn't give much more information than before;
>> after a failed login attempt here is what it says:
>>
>> 2010-08-16 17:10:13,544 DEBUG [org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler] - <Performing LDAP bind with credential: uid=joel,ou=People,dc=mydomain,dc=org>
>> 2010-08-16 17:10:13,548 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler failed to authenticate the user which provided the following credentials: [username: joell]>
>>
>> Scott: I read the link that you gave me
>> (https://wiki.jasig.org/display/CASUM/SSL+Troubleshooting+and+Reference+Guide)
>> and the only thing was that I was importing my certificates in PEM format
>> instead of DER, so I deleted my LDAP server cert and my cacert from the
>> keystore, converted them to DER and then added them again to the
>> keystore, but it is still not working.
>>
>> I added these lines to the setenv.sh file:
>>
>> # Uncomment the next 4 lines for custom SSL keystore
>> # used by all deployed applications
>> KEYSTORE="/usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/security/cacerts"
>> CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.keyStore=$KEYSTORE"
>> CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.keyStoreType=BKS"
>> CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.keyStorePassword=changeit"
>>
>> # Uncomment the next 4 lines to allow custom SSL trust store
>> # used by all deployed applications
>> TRUSTSTORE="/usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/security/cacerts"
>> CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.trustStore=$TRUSTSTORE"
>> CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.trustStoreType=BKS"
>> CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.trustStorePassword=changeit"
>>
>> # Uncomment the next line to print SSL debug trace in catalina.out
>> CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.debug=ssl"
>>
>> export CATALINA_OPTS
>>
>> and when starting tomcat, it gives me:
>>
>> ***
>> found key for : tomcat
>> chain [0] = [
>> [
>>   Version: V3
>>   Subject: CN=anarchy.mydomain.org, OU=Engineering, O=My Company, L=Madrid, ST=Madrid, C=ES
>>   Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
>>
>>   Key: Sun RSA public key, 1024 bits
>>   public exponent: 65537
>>   Validity: [From: Mon Aug 16 13:48:05 CEST 2010,
>>                To: Sun Nov 14 12:48:05 CET 2010]
>>   Issuer: CN=anarchy.mydomain.org, OU=Engineering, O=My Company, L=Madrid, ST=Madrid, C=ES
>>   SerialNumber: [    4c692575]
>>
>> ]
>>   Algorithm: [SHA1withRSA]
>>
>> ]
>> ***
>>
>> [...]
>>
>> adding as trusted cert:
>>   Subject: CN=anarchy.mydomain.org, OU=Engineering, O=My Company, L=Madrid, ST=Madrid, C=ES
>>   Issuer:  CN=anarchy.mydomain.org, OU=Engineering, O=My Company, L=Madrid, ST=Madrid, C=ES
>>   Algorithm: RSA; Serial number: 0x4c692575
>>   Valid from Mon Aug 16 13:48:05 CEST 2010 until Sun Nov 14 12:48:05 CET 2010
>>
>> ^^^^^^^^^^^^^^^^ this one is the server certificate for tomcat
>>
>> [...]
>>
>> adding as trusted cert:
>>   Subject: CN=Root CA, C=ES, ST=Madrid, L=Madrid, OU=Engineering, O=My Company
>>   Issuer:  CN=Root CA, C=ES, ST=Madrid, L=Madrid, OU=Engineering, O=My Company
>>   Algorithm: RSA; Serial number: 0xa63c9b1583f12ee5
>>   Valid from Thu Oct 01 10:06:14 CEST 2009 until Sun Sep 29 10:06:14 CEST 2019
>>
>> ^^^^^^^^^^^^^^^^ this is my cacert certificate
>>
>> [...]
>>
>> adding as trusted cert:
>>   Subject: CN=ldap.mydomain.org, OU=Engineering, O=My Company, C=ES, ST=Madrid, L=Madrid
>>   Issuer:  CN=Root CA, C=ES, ST=Madrid, L=Madrid, OU=Engineering, O=My Company
>>   Algorithm: RSA; Serial number: 0x1c
>>   Valid from Wed Dec 02 16:52:41 CET 2009 until Fri Dec 02 16:52:41 CET 2011
>>
>> ^^^^^^^^^^^^^^^^ and this is my ldap server certificate
>>
>> Any ideas?
>>
>> > Just to confirm (for my sanity). You took the configuration you used
>> > for connecting to LDAP over a non-secure port, and merely changed it to
>> > connect over a secure port (and then added the certs you needed) and it
>> > stopped working?
>> >
>> > On this page, there are some tips for adding additional DEBUG logging
>> > for SSL issues:
>> >
>> > https://wiki.jasig.org/display/CASUM/SSL+Troubleshooting+and+Reference+Guide
>> >
>> > It may help to determine what's going on if it is an SSL issue.
>> >
>> > On Mon, Aug 16, 2010 at 9:00 AM, Joel Rosental R.
>> > <[email protected]> wrote:
>> >
>> >> Hi,
>> >>
>> >> I'm new to CAS and want to set it up (latest version 3.4.2.1 with
>> >> tomcat 6) under a Debian GNU/Linux Lenny environment. Until now, I've
>> >> been able to configure the CAS Server using an LDAP backend; however,
>> >> I would want to use ldaps rather than plain ldap, and I've done
>> >> everything that is in the "official documentation" but it is still
>> >> not working. This is what I've done so far:
>> >>
>> >> I have my own PKI environment in another machine which I use for
>> >> several services, so I copied the ldap server certificates along with
>> >> cacert.pem.
>> >>
>> >> Imported them into the keystore ($JAVA_HOME/jre/lib/security/cacerts)
>> >> like this:
>> >>
>> >> keytool -import -alias rootca -file cacert.pem -keystore /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/security/cacerts -trustcacerts
>> >>
>> >> Then, I imported ldapcert.pem (LDAP's server cert):
>> >>
>> >> keytool -import -alias ldapcert -file ldapcert.pem -keystore /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/security/cacerts
>> >>
>> >> Once this is done, I verify they're included in the keystore by
>> >> examining the output of:
>> >>
>> >> keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts
>> >>
>> >> and both of them appear as "trustedCertEntry".
>> >>
>> >> After this, I modify my deployerConfigContext.xml and it is like this:
>> >>
>> >> <property name="authenticationHandlers">
>> >>   <list>
>> >>     <!--
>> >>       | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
>> >>       | a server side SSL certificate.
>> >>       +-->
>> >>     <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
>> >>           p:httpClient-ref="httpClient" />
>> >>     <!--
>> >>       | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
>> >>       | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
>> >>       | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your
>> >>       | local authentication strategy. You might accomplish this by coding a new such handler and declaring
>> >>       | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
>> >>       +-->
>> >>     <bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
>> >>       <property name="filter" value="uid=%u,ou=People,dc=mydomain,dc=org" />
>> >>       <property name="contextSource" ref="contextSource" />
>> >>     </bean>
>> >>   </list>
>> >> </property>
>> >>
>> >> <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
>> >>   <property name="urls">
>> >>     <list>
>> >>       <value>ldaps://ldap.mydomain.org</value>
>> >>     </list>
>> >>   </property>
>> >>   <property name="userDn" value="uid=myuser,ou=People,dc=mydomain,dc=org"/>
>> >>   <property name="password" value="xxx"/>
>> >>   <property name="baseEnvironmentProperties">
>> >>     <map>
>> >>       <entry>
>> >>         <key>
>> >>           <value>java.naming.security.authentication</value>
>> >>         </key>
>> >>         <value>simple</value>
>> >>       </entry>
>> >>     </map>
>> >>   </property>
>> >> </bean>
>> >>
>> >> Then I restart tomcat, and when I try to log in, the log file says:
>> >>
>> >> 2010-08-16 14:49:26,629 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler failed to authenticate the user which provided the following credentials: [username: myuser]>
>> >>
>> >> And nothing else.
>> >>
>> >> I've followed https://wiki.jasig.org/display/CASUM/LDAP to set up the
>> >> ldap backend, and there it says: "Please note that the JVM needs to
>> >> trust the certificate of your SSL enabled LDAP server, else CAS will
>> >> refuse to connect to your LDAP server. You can add the LDAP server's
>> >> certificate to the JVM trust store ($JAVA_HOME/jre/lib/security/cacerts)
>> >> to solve that issue." and I already did that, so I don't know why it is
>> >> still failing.
>> >>
>> >> Thanks in advance for your help.
>> >> >> > >> > -- >> >> > You are currently subscribed to [email protected] as: >> > [email protected] >> >> > To unsubscribe, change settings or access archives, see >> > http://www.ja-sig.org/wiki/display/JSG/cas-user >> >> -- >> You are currently subscribed to [email protected] as: >> [email protected] >> >> To unsubscribe, change settings or access archives, see >> http://www.ja-sig.org/wiki/display/JSG/cas-user >> >> > > -- > You are currently subscribed to [email protected] as: > [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
