I am attempting to do LDAP authentication using CAS 3.4.3.1. I only need
authentication; authorisation will be done with another application.

Everything seems to be set up correctly, using the information provided here -
https://wiki.jasig.org/display/CASUM/LDAP

When trying to authenticate with a correct username and password I get the
'CAS is Unavailable' page, which I am assuming is the generic "could not
complete successfully" screen.

When trying to authenticate with bogus details - i.e. a user known not to be in
AD - I get 'The credentials you provided cannot be determined to be
authentic.', showing that I am searching AD correctly, as indicated by my
Wireshark trace.

My CAS server log is set to TRACE level and can be seen on this gist -
https://gist.github.com/772104. Strangely, it shows no errors.

When doing a trace using Wireshark I can see that the LDAP service account
is successfully looking up and finding my user account. This is also
supported by the failure when using the bogus user details. My Wireshark log
file is attached for reference. For those not bothered to open it - can't
really blame you :) - it shows the following sequence:

LDAPMessage bindRequest(1) "cn=svc-apcrowd,ou=service accounts,ou=it,dc=apactest" simple
LDAPMessage bindResponse(1) success
LDAPMessage searchRequest(2) "ou=Sydney,ou=Australia,ou=Standard,ou=Standard Users,dc=apactest" wholeSubtree
LDAPMessage searchResEntry(2) "CN=masong,OU=Sydney,OU=Australia,OU=Standard,OU=Standard Users,DC=apactest" [1 result]
LDAPMessage unbindRequest(3)

Looking at this sequence, I am expecting that after this first bind using the
service account for lookup I should see another bind request, this time
with my username, to authenticate using my password. According to Wireshark
and all the evidence collected, this is not happening.

Why is CAS not doing a second bind with my user details to authenticate my
account?

This is my deployerConfigContext.xml file for reference:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.0.xsd">

           <bean id="authenticationManager"
class="org.jasig.cas.authentication.AuthenticationManagerImpl">
                <property name="credentialsToPrincipalResolvers">
                        <list>
                                <bean
class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"/>

                                <bean
class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver"/>

                        </list>
                </property>
                <property name="authenticationHandlers">
                        <list>
                                <bean
class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler" >
                                        <property name="filter"
value="cn=%u" />
                                        <property name="scope" value="2" />
                                        <property name="searchBase"
value="ou=Sydney,ou=Australia,ou=Standard,ou=Standard Users,dc=apactest" />
                                        <property name="contextSource"
ref="ldapContextSource" />
                                        <property
name="ignorePartialResultException" value="yes" />
                                        <property
name="allowMultipleAccounts" value="yes" />
                                </bean>
                        </list>
                </property>
        </bean>

        <sec:user-service id="userDetailsService">
                <sec:user name="adminadmin" password="notused"
authorities="ROLE_ADMIN"/>
        </sec:user-service>

        <bean id="attributeRepository"
 class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">

        <property name="contextSource" ref="ldapContextSource" />
                <property name="baseDN" value="DC=apactest" />
                <property name="requireAllQueryAttributes" value="false" />

                <property name="queryAttributeMapping">
                        <map>
                                <entry key="username" value="cn" />
                        </map>
                </property>

                <property name="resultAttributeMapping">
                        <map>
                                <!-- Mapping between LDAP entry attributes
(key) and Principal's attributes (value) -->
                                <entry key="cn" value="Name"/>
                        </map>
                </property>
        </bean>

        <bean id="serviceRegistryDao"
class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
                <property name="registeredServices">
                        <list>
                                <bean
class="org.jasig.cas.services.RegisteredServiceImpl">
                                        <property name="id" value="0"/>
                                        <property name="name" value="HTTP"/>

                                        <property name="description"
value="Only Allows HTTP Urls"/>
                                        <property name="serviceId" value="http://**"/>
                                </bean>
                                <bean
class="org.jasig.cas.services.RegisteredServiceImpl">
                                        <property name="id" value="1"/>
                                        <property name="name"
value="HTTPS"/>
                                        <property name="description"
value="Only Allows HTTPS Urls"/>
                                        <property name="serviceId" value="https://**"/>
                                </bean>
                                <bean
class="org.jasig.cas.services.RegisteredServiceImpl">
                                        <property name="id" value="2"/>
                                        <property name="name"
value="IMAPS"/>
                                        <property name="description"
value="Only Allows HTTPS Urls"/>
                                        <property name="serviceId"
value="imaps://**"/>
                                </bean>
                                <bean
class="org.jasig.cas.services.RegisteredServiceImpl">
                                        <property name="id" value="3"/>
                                        <property name="name" value="IMAP"/>

                                        <property name="description"
value="Only Allows IMAP Urls"/>
                                        <property name="serviceId"
value="imap://**"/>
                                </bean>
                        </list>
                </property>
        </bean>

        <bean id="ldapContextSource"
class="org.springframework.ldap.core.support.LdapContextSource">
                <property name="pooled" value="false"/>
                <property name="urls">
                        <list>
                                <value>ldap://AUTSTADCIDC01.APACTEST:389/</value>
                        </list>
                </property>
                <property name="userDn" value="cn=svc-apcrowd,ou=service accounts,ou=it,dc=apactest"/>
                <property name="password" value="PASSSWORD"/>
                <property name="baseEnvironmentProperties">
                        <map>
                                <entry>
                                        <key>
                                                <value>java.naming.security.authentication</value>
                                        </key>
                                        <value>simple</value>
                                </entry>
                        </map>
                </property>
        </bean>

</beans>

Please help. I need to get this AD authentication working ASAP.

Many thanks.


Attachment: ldap_wshark.pcap
Description: Binary data

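Added here as an example, not code from the original post or from the CAS project: a small Python checker that parses Wireshark-style LDAP summary lines like the ones quoted above and reports whether the search-then-bind sequence the poster expects (service-account bind, search for the user's DN, then a second bind with that DN and the user's password) actually completed. The first trace is constructed from the sequence in the post; the other three traces, the status names and the DN normalisation are assumptions about what a complete, a rejected and a user-not-found flow look like, not something the post shows. In a real capture the user bind often arrives on a separate TCP connection, so filter the capture to LDAP messages and feed them in time order rather than per stream.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One summary line per LDAP message, in the shape Wireshark prints, e.g.
#   LDAPMessage bindRequest(1) "cn=svc,ou=it,dc=example" simple
_LINE = re.compile(r'^LDAPMessage\s+(\w+)\((\d+)\)(?:\s+"([^"]*)")?(?:\s+(.*))?$')


@dataclass
class LdapMsg:
    op: str             # operation name, e.g. bindRequest, searchResEntry
    msg_id: int         # LDAP message ID
    dn: Optional[str]   # the quoted DN, if the summary line carries one
    rest: str           # trailing text: "simple", "success", "[1 result]", ...


def parse_trace(text: str) -> List[LdapMsg]:
    """Parse Wireshark-style LDAP summary lines into LdapMsg records."""
    msgs: List[LdapMsg] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised trace line: {line!r}")
        op, msg_id, dn, rest = m.groups()
        msgs.append(LdapMsg(op, int(msg_id), dn, (rest or "").strip()))
    return msgs


def _norm_dn(dn: str) -> str:
    """Compare DNs case-insensitively, ignoring spaces around commas (assumes no escaped commas)."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def _response_for(msgs: List[LdapMsg], op: str, msg_id: int) -> Optional[LdapMsg]:
    return next((m for m in msgs if m.op == op and m.msg_id == msg_id), None)


def diagnose(msgs: List[LdapMsg]) -> str:
    """Classify a search-then-bind attempt; returns one of the status strings below."""
    binds = [m for m in msgs if m.op == "bindRequest"]
    if not binds:
        return "NO_BIND"
    service_bind = binds[0]
    resp = _response_for(msgs, "bindResponse", service_bind.msg_id)
    if resp is None or resp.rest != "success":
        return "SERVICE_BIND_FAILED"      # lookup account credentials or reachability problem
    entries = [m for m in msgs if m.op == "searchResEntry"]
    if not entries:
        return "USER_NOT_FOUND"           # the 'bogus user' case in the post
    if len(entries) > 1:
        return "MULTIPLE_USERS_MATCHED"   # filter matched more than one entry
    user_dn = entries[0].dn or ""
    after_search = msgs[msgs.index(entries[0]) + 1:]
    user_bind = next((m for m in after_search
                      if m.op == "bindRequest" and m.dn and _norm_dn(m.dn) == _norm_dn(user_dn)),
                     None)
    if user_bind is None:
        return "NO_USER_BIND"             # the symptom in the post: lookup worked, password never checked
    resp = _response_for(msgs, "bindResponse", user_bind.msg_id)
    if resp is None:
        return "USER_BIND_UNANSWERED"
    return "AUTHENTICATED" if resp.rest == "success" else "USER_BIND_REJECTED"


_SVC = '"cn=svc-apcrowd,ou=service accounts,ou=it,dc=apactest"'
_BASE = '"ou=Sydney,ou=Australia,ou=Standard,ou=Standard Users,dc=apactest"'
_USER = '"CN=masong,OU=Sydney,OU=Australia,OU=Standard,OU=Standard Users,DC=apactest"'

# Constructed from the sequence quoted in the post: search succeeds, no second bind follows.
OBSERVED_TRACE = f"""
LDAPMessage bindRequest(1) {_SVC} simple
LDAPMessage bindResponse(1) success
LDAPMessage searchRequest(2) {_BASE} wholeSubtree
LDAPMessage searchResEntry(2) {_USER} [1 result]
LDAPMessage unbindRequest(3)
"""

# Constructed (assumed) shape of a complete search-then-bind flow.
HEALTHY_TRACE = OBSERVED_TRACE.replace(
    "LDAPMessage unbindRequest(3)",
    f"LDAPMessage bindRequest(3) {_USER} simple\nLDAPMessage bindResponse(3) success\nLDAPMessage unbindRequest(4)")

# Constructed (assumed): user found, but the password bind is rejected.
WRONG_PASSWORD_TRACE = HEALTHY_TRACE.replace("bindResponse(3) success", "bindResponse(3) invalidCredentials")

# Constructed (assumed): the 'bogus user' case, where the search returns nothing.
BOGUS_USER_TRACE = f"""
LDAPMessage bindRequest(1) {_SVC} simple
LDAPMessage bindResponse(1) success
LDAPMessage searchRequest(2) {_BASE} wholeSubtree
LDAPMessage searchResDone(2) success
LDAPMessage unbindRequest(3)
"""

if __name__ == "__main__":
    for name, trace in [("observed", OBSERVED_TRACE), ("healthy", HEALTHY_TRACE),
                        ("wrong password", WRONG_PASSWORD_TRACE), ("bogus user", BOGUS_USER_TRACE)]:
        print(f"{name:>14}: {diagnose(parse_trace(trace))}")
```

Running the observed trace through `diagnose` yields `NO_USER_BIND`, which is exactly the gap the poster describes: the lookup bind and search complete, but no bind is ever attempted with the located DN, so the user's password is never checked by the directory.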