Hi Benito,

When I remove the baseDN from my attributeRepository, CAS shows me an error saying:

CAS is Unavailable
There was an error trying to complete your request. Please notify your support desk or try again.

My logs show there's a NameNotFoundException. When I have the baseDN in the attribute repository, I don't get the exception and CAS redirects me back to my client application successfully.

Here is the error I'm getting:

SEVERE: Servlet.service() for servlet [cas] in context with path [/cas] threw exception [Request processing failed; nested exception is org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing [AnnotatedAction@1e4e3e4 targetAction = [EvaluateAction@2dce4e expression = authenticationViaFormAction.submit(flowRequestContext, flowScope.credentials, messageContext), resultExpression = [null]], attributes = map[[empty]]] in state 'realSubmit' of flow 'login' -- action execution attributes were 'map[[empty]]'] with root cause
javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001A8, problem 2001 (NO_OBJECT), data 0, best match of:
''
]; remaining name ''
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3066)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1826)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1749)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:321)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248)
at org.springframework.ldap.core.LdapTemplate$4.executeSearch(LdapTemplate.java:253)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:293)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:259)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:571)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:556)
at org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao.getPeopleForQuery(LdapPersonAttributeDao.java:187)
at org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao.getPeopleForQuery(LdapPersonAttributeDao.java:98)
at org.jasig.services.persondir.support.AbstractQueryPersonAttributeDao.getPeopleWithMultivaluedAttributes(AbstractQueryPersonAttributeDao.java:192)
at org.jasig.services.persondir.support.AbstractDefaultAttributePersonAttributeDao.getPerson(AbstractDefaultAttributePersonAttributeDao.java:63)
at org.jasig.cas.authentication.principal.AbstractPersonDirectoryCredentialsToPrincipalResolver.resolvePrincipal_aroundBody0(AbstractPersonDirectoryCredentialsToPrincipalResolver.java:55)
at org.jasig.cas.authentication.principal.AbstractPersonDirectoryCredentialsToPrincipalResolver.resolvePrincipal_aroundBody1$advice(AbstractPersonDirectoryCredentialsToPrincipalResolver.java:44)
at org.jasig.cas.authentication.principal.AbstractPersonDirectoryCredentialsToPrincipalResolver.resolvePrincipal(AbstractPersonDirectoryCredentialsToPrincipalResolver.java:1)
at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticateAndObtainPrincipal(AuthenticationManagerImpl.java:114)
at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate_aroundBody0(AbstractAuthenticationManager.java:42)
at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate_aroundBody1$advice(AbstractAuthenticationManager.java:44)
at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:1)
at org.jasig.cas.CentralAuthenticationServiceImpl.createTicketGrantingTicket_aroundBody10(CentralAuthenticationServiceImpl.java:413)
at org.jasig.cas.CentralAuthenticationServiceImpl.createTicketGrantingTicket_aroundBody11$advice(CentralAuthenticationServiceImpl.java:44)
at org.jasig.cas.CentralAuthenticationServiceImpl.createTicketGrantingTicket(CentralAuthenticationServiceImpl.java:1)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:309)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:80)
at org.perf4j.aop.AbstractTimingAspect.doPerfLogging(AbstractTimingAspect.java:71)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:621)
at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:610)
at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:65)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at $Proxy22.createTicketGrantingTicket(Unknown Source)
at org.jasig.cas.web.flow.AuthenticationViaFormAction.submit_aroundBody2(AuthenticationViaFormAction.java:85)
at org.jasig.cas.web.flow.AuthenticationViaFormAction.submit_aroundBody3$advice(AuthenticationViaFormAction.java:44)
at org.jasig.cas.web.flow.AuthenticationViaFormAction.submit(AuthenticationViaFormAction.java:1)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at ognl.OgnlRuntime.invokeMethod(OgnlRuntime.java:830)
at ognl.OgnlRuntime.callAppropriateMethod(OgnlRuntime.java:1253)
at ognl.ObjectMethodAccessor.callMethod(ObjectMethodAccessor.java:68)
at ognl.OgnlRuntime.callMethod(OgnlRuntime.java:1329)
at ognl.ASTMethod.getValueBody(ASTMethod.java:90)
at ognl.SimpleNode.evaluateGetValueBody(SimpleNode.java:212)
at ognl.SimpleNode.getValue(SimpleNode.java:258)
at ognl.ASTChain.getValueBody(ASTChain.java:141)
at ognl.SimpleNode.evaluateGetValueBody(SimpleNode.java:212)
at ognl.SimpleNode.getValue(SimpleNode.java:258)
at ognl.Ognl.getValue(Ognl.java:494)
at org.springframework.binding.expression.ognl.OgnlExpression.getValue(OgnlExpression.java:85)
at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:101)
at org.springframework.webflow.engine.State.enter(State.java:194)
at org.springframework.webflow.engine.Transition.execute(Transition.java:227)
at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:391)
at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:119)
at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:555)
at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:386)
at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
at org.springframework.webflow.engine.ViewState.handleEvent(ViewState.java:254)
at org.springframework.webflow.engine.ViewState.resume(ViewState.java:218)
at org.springframework.webflow.engine.Flow.resume(Flow.java:545)
at org.springframework.webflow.engine.impl.FlowExecutionImpl.resume(FlowExecutionImpl.java:259)
at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:169)
at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:183)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:790)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:560)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.jasig.cas.web.init.SafeDispatcherServlet.service_aroundBody2(SafeDispatcherServlet.java:115)
at org.jasig.cas.web.init.SafeDispatcherServlet.service_aroundBody3$advice(SafeDispatcherServlet.java:44)
at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:1)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:306)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:46)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:244)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:244)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:550)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:380)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:243)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:188)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:288)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)

-----Original Message-----
From: Benito J. Gonzalez [mailto:[email protected]]
Sent: Wed 2/23/2011 4:28 PM
To: [email protected]
Subject: Re: [cas-user] Getting Ldap attributes
Try removing the baseDN property from the attributeRepository entry.
Seems that setting that in the context and the attributeRepository
causes issues.
Benito J. Gonzalez
Manager, Enterprise Web Application Development
Information Technology Department
University of California, Merced
Desk: 209.228.2974
Cell: 209.201.5052
Email: [email protected]
On 02/22/11 15:18, Laura Griffel wrote:
>
> Hello everyone,
>
> I'm trying to get CAS up and running. Authentication works fine, but
> my client application needs to get a user's LDAP groups. I added a
> CredentialsToLDAPAttributePrincipalResolver to my authentication
> manager, and on the client side I added the
> Saml11TicketValidationFilter. It looks like CAS is querying for my
> attributes. tcpdump shows that the CAS server is contacting my LDAP
> server and getting attributes properly. But on the client side, the
> map returned by getAttributes() is empty. Can anyone see where I'm
> going wrong?
>
> Here's my deployerConfigContext.xml:
>
> <bean id="LdapCredentialtoPrincipalResolver"
> class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
> <property name="credentialsToPrincipalResolver">
> <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
> </property>
> <property name="filter" value="(mail=%u)" />
> <property name="principalAttributeName" value="sAMAccountName" />
> <property name="searchBase" value="CN=Users,DC=EmmiSolutions,DC=local" />
> <property name="contextSource" ref="contextSource" />
> <property name="attributeRepository" ref="attributeRepository" />
> </bean>
>
> <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
> <property name="credentialsToPrincipalResolvers">
> <list>
> <ref bean="LdapCredentialtoPrincipalResolver" />
> <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
> </list>
> </property>
>
> <property name="authenticationHandlers">
> <list>
> <bean
> class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
> p:httpClient-ref="httpClient" />
> <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
> <property name="filter" value="(proxyaddresses=SMTP:%u)" />
> <property name="searchBase" value="CN=Users,DC=EmmiSolutions,DC=local" />
> <property name="contextSource" ref="contextSource" />
> <property name="ignorePartialResultException" value="yes" />
> </bean>
>
> </list>
> </property>
> </bean>
>
> <bean id="attributeRepository"
> class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
> <property name="baseDN" value="cn=Users,DC=EmmiSolutions,DC=local" />
> <property name="contextSource" ref="contextSource" />
> <property name="requireAllQueryAttributes" value="true" />
>
> <property name="queryAttributeMapping">
> <map>
> <entry key="username" value="sAMAccountName" />
> </map>
> </property>
>
> <property name="resultAttributeMapping">
> <map>
> <entry key="cn" value="Name"/>
> <entry value="memberOf" key="memberOf" />
> <entry value="mail" key="mail" />
> </map>
> </property>
>
> </bean>
>
> On the client side, my web.xml has the following:
>
> <filter>
> <filter-name>CAS Authentication Filter</filter-name>
> <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
> <init-param>
> <param-name>casServerLoginUrl</param-name>
> <param-value>https://devcas1.emmisolutions.com:8443/cas/login</param-value>
> </init-param>
> <init-param>
> <param-name>serverName</param-name>
> <param-value>http://192.168.101.156:8080</param-value>
> </init-param>
> </filter>
>
> <filter>
> <filter-name>CAS Validation Filter</filter-name>
> <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
> <init-param>
> <param-name>casServerUrlPrefix</param-name>
> <param-value>https://devcas1.emmisolutions.com:8443/cas</param-value>
> </init-param>
> <init-param>
> <param-name>serverName</param-name>
> <param-value>http://192.168.101.156:8080</param-value>
> </init-param>
> <init-param>
> <param-name>redirectAfterValidation</param-name>
> <param-value>true</param-value>
> </init-param>
> <init-param>
> <!--
> Adjust to accommodate clock drift
> between client/server. Increasing
> tolerance has security consequences,
> so it is preferable to correct
> the source of clock drift instead.
> -->
> <param-name>tolerance</param-name>
> <param-value>5000</param-value>
> </init-param>
> </filter>
>
> <filter>
> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
> <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
> </filter>
> <filter>
> <filter-name>CAS Assertion Thread Local Filter</filter-name>
> <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
> </filter>
>
> <filter-mapping>
> <filter-name>CAS Authentication Filter</filter-name>
> <url-pattern>/*</url-pattern>
> </filter-mapping>
> <filter-mapping>
> <filter-name>CAS Validation Filter</filter-name>
> <url-pattern>/*</url-pattern>
> </filter-mapping>
> <filter-mapping>
> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
> <url-pattern>/*</url-pattern>
> </filter-mapping>
> <filter-mapping>
> <filter-name>CAS Assertion Thread Local Filter</filter-name>
> <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> I don't see any issues in my logs:
>
> 2011-02-22 16:26:07,038 DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - <Performing LDAP bind with credential: CN=Laura Griffel,CN=Users,DC=EmmiSolutions,DC=local>
> 2011-02-22 16:26:07,040 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: [email protected]]>
> 2011-02-22 16:26:07,040 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Attempting to resolve a principal...>
> 2011-02-22 16:26:07,040 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - <Attempting to resolve a principal...>
> 2011-02-22 16:26:07,040 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - <Creating SimplePrincipal for [lgriffel@emmisolutions.com]>
> 2011-02-22 16:26:07,042 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Resolved [email protected]. Trying LDAP resolve now...>
> 2011-02-22 16:26:07,042 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <LDAP search with filter "([email protected])">
> 2011-02-22 16:26:07,042 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <returning searchcontrols: scope=2; search base=CN=Users,DC=EmmiSolutions,DC=local; attributes=[sAMAccountName]; timeout=1000>
> 2011-02-22 16:26:07,047 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Resolved [email protected] to LGRIFFEL>
> 2011-02-22 16:26:07,047 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Creating SimplePrincipal for [LGRIFFEL]>
> 2011-02-22 16:26:07,047 DEBUG [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - <Created seed map='{username=[LGRIFFEL]}' for uid='LGRIFFEL'>
> 2011-02-22 16:26:07,048 DEBUG [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - <Adding attribute 'sAMAccountName' with value '[LGRIFFEL]' to query builder 'null'>
> 2011-02-22 16:26:07,051 DEBUG [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - <Generated query builder '(sAMAccountName=LGRIFFEL)' from query Map {username=[LGRIFFEL]}.>
>
> So my logs look OK - any suggestions what is going on?
>
> Thanks,
> Laura
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
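
A configuration check for the search-base problem discussed in this thread, added here as an example and not code from the posters or the CAS project: it reads a Spring bean file and reports, for each bean wired to a contextSource, whether the search base is missing entirely or given twice. It assumes Spring LDAP resolves search names relative to the context source's `base` property; the contextSource bean and the names `sample` and `check_search_bases` are constructed for the example, since the thread does not show that bean.

```python
import xml.etree.ElementTree as ET

BASE_PROPS = ("baseDN", "searchBase")  # property names used by the beans in the thread

TEMPLATE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    {ctx}
  </bean>
  <bean id="attributeRepository"
        class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    {dao}
    <property name="contextSource" ref="contextSource" />
  </bean>
</beans>"""

def sample(ctx_base=None, dao_base=None):
    """Constructed config: the contextSource bean is assumed, the thread never shows it."""
    ctx = '<property name="base" value="%s" />' % ctx_base if ctx_base else ""
    dao = '<property name="baseDN" value="%s" />' % dao_base if dao_base else ""
    return TEMPLATE.format(ctx=ctx, dao=dao)

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix

def _props(bean):
    """Map property name -> (value, ref) for the bean's direct <property> children."""
    return {p.get("name"): (p.get("value"), p.get("ref"))
            for p in bean if _local(p.tag) == "property"}

def _norm(dn):
    """Crude DN normalisation: lower-case, no blanks around commas."""
    return ",".join(rdn.strip().lower() for rdn in (dn or "").split(",") if rdn.strip())

def check_search_bases(xml_text):
    """Return {bean id or class: verdict} for every bean that references a contextSource."""
    beans = [b for b in ET.fromstring(xml_text).iter() if _local(b.tag) == "bean"]
    by_id = {b.get("id"): b for b in beans if b.get("id")}
    findings = {}
    for bean in beans:
        props = _props(bean)
        ref = props.get("contextSource", (None, None))[1]
        if ref is None:
            continue  # not an LDAP consumer bean
        ctx = by_id.get(ref)
        ctx_base = _norm(_props(ctx).get("base", (None, None))[0]) if ctx is not None else ""
        own = next((_norm(props[n][0]) for n in BASE_PROPS if n in props), "")
        if not ctx_base and not own:
            verdict = "EMPTY"    # no base anywhere: the search starts from an empty name
        elif ctx_base and own and (own == ctx_base or own.endswith("," + ctx_base)):
            verdict = "DOUBLED"  # full DN given on top of a context base
        else:
            verdict = "OK"
        findings[bean.get("id") or bean.get("class")] = verdict
    return findings

if __name__ == "__main__":
    dn = "cn=Users,DC=EmmiSolutions,DC=local"
    print(check_search_bases(sample(dao_base=dn)))
    print(check_search_bases(sample()))
    print(check_search_bases(sample(ctx_base="DC=EmmiSolutions,DC=local", dao_base=dn)))
```

The `EMPTY` verdict corresponds to the configuration that produced the `remaining name ''` error above; only `<property>` elements are read, so values set through `p:` attributes are not seen.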
