I'm not an LDAP expert by any means, but this property on your LDAP
bind Authentication Handler looks a little suspect:

<property name="searchBase"
value="CN=joemsucas,OU=ServiceAccounts,DC=morgan,DC=edu"/>

I don't think you want the CN in there, and probably not the OU=ServiceAccounts either.

Thanks,
Eric
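To illustrate Eric's point, here is an added toy model (not CAS code) of what
BindLdapAuthenticationHandler does: bind with the service account, search for
`uid=%u` under searchBase with subtree scope, and only then bind as the DN that
was found. With searchBase set to the service account's own DN the search
cannot see the user entry, which is exactly the "returned 0 results" line in
the log. The directory contents, the user's password and the OU=People location
of the user entry are constructed assumptions.

```python
"""Toy model of CAS 3.4.x BindLdapAuthenticationHandler (added example, not CAS code):
search for the user under searchBase with the filter, then bind as the DN found."""

# Constructed sample directory (not a real export); the People OU is an assumption.
DIRECTORY = {
    "CN=joemsucas,OU=ServiceAccounts,DC=morgan,DC=edu": {"cn": "joemsucas"},
    "uid=alexandre.adao,OU=People,DC=morgan,DC=edu": {
        "uid": "alexandre.adao", "password": "correct-horse"},
}

def rdns(dn):
    """Split a DN into lower-cased RDNs (no support for escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]

def in_subtree(entry_dn, base_dn):
    """SUBTREE scope: the entry is the base itself or lies beneath it."""
    entry, base = rdns(entry_dn), rdns(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base

def search(search_base, filter_template, username):
    """Return the DNs under search_base matching e.g. 'uid=%u' for the user."""
    attr, value = filter_template.replace("%u", username).split("=", 1)
    return [dn for dn, attrs in DIRECTORY.items()
            if in_subtree(dn, search_base) and attrs.get(attr.lower()) == value]

def bind_authenticate(search_base, filter_template, username, password):
    """Mimic the handler: exactly one hit is required, then a bind as that DN."""
    hits = search(search_base, filter_template, username)
    if len(hits) != 1:
        print(f"Search for {filter_template.replace('%u', username)} "
              f"returned {len(hits)} results.")
        return False
    # Simulated bind as the found DN; a real server checks the password itself.
    return DIRECTORY[hits[0]].get("password") == password

BAD_BASE = "CN=joemsucas,OU=ServiceAccounts,DC=morgan,DC=edu"  # searchBase from the post
GOOD_BASE = "DC=morgan,DC=edu"  # a container above the user entries (assumed)

if __name__ == "__main__":
    print(bind_authenticate(BAD_BASE, "uid=%u", "alexandre.adao", "correct-horse"))   # False
    print(bind_authenticate(GOOD_BASE, "uid=%u", "alexandre.adao", "correct-horse"))  # True
```

The same failure shows up whenever searchBase names a leaf entry or a subtree that does not contain the user, so the base should be the narrowest container that still holds every account CAS must authenticate.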

On Thu, Aug 18, 2011 at 6:39 PM, Alexandre Adao <[email protected]> wrote:
> I am trying to configure CAS 3.4.8 to authenticate against my LDAP server.
> When I insert my credentials, the login page displays that "The
> credentials you provided cannot be determined to be authentic."
> My credential is valid but CAS does not accept it. Looking at the Tomcat
> Java console, I have the following information below.
>
> I see the communication traffic between CAS and the LDAP server on port 389,
> which means CAS is talking to LDAP.
>
> I would be very thankful for any help.
>
> ---
> INFO: Server startup in 6313 ms
> 2011-08-18 15:03:18,036 INFO
> [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Setting path for
> cookies to: /cas>
> Aug 18, 2011 3:03:18 PM org.apache.jasper.compiler.TldLocationsCache 
> tldScanJar
> INFO: At least one JAR was scanned for TLDs yet contained no TLDs.
> Enable debug logging for this logger for a complete list of JARs that
> were scanned
> but no TLDs were found in them. Skipping unneeded JARs during scanning
> can improve startup time and JSP compilation time.
> 2011-08-18 15:03:27,481 INFO
> [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -
> <Beginning ticket cleanup.>
> 2011-08-18 15:03:27,481 INFO
> [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -
> <0 tickets found to be removed.>
> 2011-08-18 15:03:27,481 INFO
> [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -
> <Finished ticket cleanup.>
> 2011-08-18 15:03:36,795 INFO
> [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - <Search
> for uid=alexandre.adao returned 0 results.>
> 2011-08-18 15:03:36,796 INFO
> [org.jasig.cas.authentication.AuthenticationManagerImpl] -
> <AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler
> failed to authenticate the user which provided the following credentials:
> [username: alex.adao]>
> 2011-08-18 15:03:36,799 INFO
> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
> <Audit trail record BEGIN
> =============================================================
> WHO: [username: alex.adao]
> WHAT: supplied credentials: [username: alex.adao]
> ACTION: AUTHENTICATION_FAILED
> APPLICATION: CAS
> WHEN: Thu Aug 18 15:03:36 EDT 2011
> CLIENT IP ADDRESS: 127.0.0.1
> SERVER IP ADDRESS: 127.0.0.1
> =============================================================
>
>
> This is my deployerConfigContext.xml
>
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!--
>        | deployerConfigContext.xml centralizes into one file some of the
> declarative configuration that
>  | all CAS deployers will need to modify.
>        |
>        | This file declares some of the Spring-managed JavaBeans that make
> up a CAS deployment.
>        | The beans declared in this file are instantiated at context
> initialization time by the Spring
>        | ContextLoaderListener declared in web.xml.  It finds this file 
> because this
>        | file is among those declared in the context parameter
> "contextConfigLocation".
>        |
>        | By far the most common change you will need to make in this file is
> to change the last bean
>        | declaration to replace the default
> SimpleTestUsernamePasswordAuthenticationHandler with
>        | one implementing your approach for authenticating usernames and 
> passwords.
>        +-->
> <beans xmlns="http://www.springframework.org/schema/beans"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xmlns:p="http://www.springframework.org/schema/p"
> xmlns:sec="http://www.springframework.org/schema/security"
> xsi:schemaLocation="http://www.springframework.org/schema/beans
> http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
>       http://www.springframework.org/schema/security
> http://www.springframework.org/schema/security/spring-security-3.0.xsd">
> <!--
>                | This bean declares our AuthenticationManager.  The
> CentralAuthenticationService service bean
>                | declared in applicationContext.xml picks up this
> AuthenticationManager by reference to its id,
>                | "authenticationManager".  Most deployers will be able to use 
> the
> default AuthenticationManager
>                | implementation and so do not need to change the class of this
> bean.  We include the whole
>                | AuthenticationManager here in the userConfigContext.xml so 
> that
> you can see the things you will
>                | need to change in context.
>                +-->
> <bean id="LDAPcontextSource"
> class="org.springframework.ldap.core.support.LdapContextSource">
> <property name="pooled" value="false"/>
> <property name="urls">
> <list>
> <value>ldap://ldap.morgan.edu:389</value>
> </list>
> </property>
> <property name="userDn" 
> value="cn=joecas,OU=ServiceAccounts,DC=morgan,DC=edu"/>
> <property name="password" value="Bind)(*&amp;"/>
> <property name="baseEnvironmentProperties">
> <map>
> <entry>
> <key>
> <value>java.naming.security.authentication</value>
> </key>
> <value>simple</value>
> </entry>
> </map>
> </property>
> </bean>
> <bean id="authenticationManager"
> class="org.jasig.cas.authentication.AuthenticationManagerImpl">
> <!--
>                        | This is the List of CredentialToPrincipalResolvers 
> that identify
> what Principal is trying to authenticate.
>                        | The AuthenticationManagerImpl considers them in 
> order, finding a
> CredentialToPrincipalResolver which
>                        | supports the presented credentials.
>                        |
>                        | AuthenticationManagerImpl uses these resolvers for 
> two purposes.
> First, it uses them to identify the Principal
>                        | attempting to authenticate to CAS /login .  In the 
> default
> configuration, it is the DefaultCredentialsToPrincipalResolver
>                        | that fills this role.  If you are using some other 
> kind of
> credentials than UsernamePasswordCredentials, you will need to replace
>                        | DefaultCredentialsToPrincipalResolver with a
> CredentialsToPrincipalResolver that supports the credentials you are
>                        | using.
>                        |
>                        | Second, AuthenticationManagerImpl uses these 
> resolvers to
> identify a service requesting a proxy granting ticket.
>                        | In the default configuration, it is the
> HttpBasedServiceCredentialsToPrincipalResolver that serves this
> purpose.
>                        | You will need to change this list if you are 
> identifying services
> by something more or other than their callback URL.
>                        +-->
> <property name="credentialsToPrincipalResolvers">
> <list>
> <!--
>                                        | 
> UsernamePasswordCredentialsToPrincipalResolver supports the
> UsernamePasswordCredentials that we use for /login
>                                        | by default and produces 
> SimplePrincipal instances conveying the
> username from the credentials.
>                                        |
>                                        | If you've changed your 
> LoginFormAction to use credentials other
> than UsernamePasswordCredentials then you will also
>                                        | need to change this bean declaration 
> (or add additional
> declarations) to declare a CredentialsToPrincipalResolver that
> supports the
>                                        | Credentials you are using.
>                                        +-->
> <bean 
> class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"/>
> <!--
>                                        | 
> HttpBasedServiceCredentialsToPrincipalResolver supports
> HttpBasedCredentials.  It supports the CAS 2.0 approach of
>                                        | authenticating services by SSL 
> callback, extracting the
> callback URL from the Credentials and representing it as a
>                                        | SimpleService identified by that 
> callback URL.
>                                        |
>                                        | If you are representing services by 
> something more or other
> than an HTTPS URL whereat they are able to
>                                        | receive a proxy callback, you will 
> need to change this bean
> declaration (or add additional declarations).
>                                        +-->
> <bean 
> class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver"/>
> </list>
> </property>
> <!--
>                        | Whereas CredentialsToPrincipalResolvers identify who 
> it is some
> Credentials might authenticate,
>                        | AuthenticationHandlers actually authenticate 
> credentials.  Here
> we declare the AuthenticationHandlers that
>                        | authenticate the Principals that the
> CredentialsToPrincipalResolvers identified.  CAS will try these
> handlers in turn
>                        | until it finds one that both supports the 
> Credentials presented
> and succeeds in authenticating.
>                        +-->
> <property name="authenticationHandlers">
> <list>
> <!--
>                                        | This is the authentication handler 
> that authenticates services
> by means of callback via SSL, thereby validating
>                                        | a server side SSL certificate.
>                                        +-->
> <bean 
> class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
> p:httpClient-ref="httpClient"/>
> <!--
>                                        | This is the authentication handler 
> declaration that every CAS
> deployer will need to change before deploying CAS
>                                        | into production.  The default
> SimpleTestUsernamePasswordAuthenticationHandler authenticates
> UsernamePasswordCredentials
>                                        | where the username equals the 
> password.  You will need to
> replace this with an AuthenticationHandler that implements your
>                                        | local authentication strategy.  You 
> might accomplish this by
> coding a new such handler and declaring
>                                        | 
> edu.someschool.its.cas.MySpecialHandler here, or you might use
> one of the handlers provided in the adaptors modules.
>                                        +-->
>
> <!-- LDAP bind Authentication Handler -->
> <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
> <property name="filter" value="uid=%u"/>
> <property name="searchBase"
> value="CN=joemsucas,OU=ServiceAccounts,DC=morgan,DC=edu"/>
> <property name="contextSource" ref="LDAPcontextSource"/>
> <property name="ignorePartialResultException" value="yes"/>
> <!-- fix because of how AD returns results -->
> </bean>
> </list>
> </property>
> </bean>
> <!--
>        This bean defines the security roles for the Services Management
> application.  Simple deployments can use the in-memory version.
>        More robust deployments will want to use another option, such as the
> Jdbc version.
>
>        The name of this should remain "userDetailsService" in order for
> Spring Security to find it.
>         -->
> <!-- <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused"
> authorities="ROLE_ADMIN" />-->
> <sec:user-service id="userDetailsService">
> <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused"
> authorities="ROLE_ADMIN"/>
> </sec:user-service>
>
> <!--
>        Bean that defines the attributes that a service may return.  This
> example uses the Stub/Mock version.  A real implementation
>        may go against a database or LDAP server.  The id should remain
> "attributeRepository" though.
>         -->
> <bean id="attributeRepository"
> class="org.jasig.services.persondir.support.StubPersonAttributeDao">
> <property name="backingMap">
> <map>
> <entry key="uid" value="uid"/>
> <entry key="eduPersonAffiliation" value="eduPersonAffiliation"/>
> <entry key="groupMembership" value="groupMembership"/>
> </map>
> </property>
> </bean>
> <!--
>        Sample, in-memory data store for the ServiceRegistry. A real 
> implementation
>        would probably want to replace this with the JPA-backed 
> ServiceRegistry DAO
>        The name of this bean should remain "serviceRegistryDao".
>         -->
> <bean id="serviceRegistryDao"
> class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
> <property name="registeredServices">
> <list>
> <bean class="org.jasig.cas.services.RegisteredServiceImpl">
> <property name="id" value="0"/>
> <property name="name" value="HTTP"/>
> <property name="description" value="Only Allows HTTP Urls"/>
> <property name="serviceId" value="http://**"/>
> </bean>
> <bean class="org.jasig.cas.services.RegisteredServiceImpl">
> <property name="id" value="1"/>
> <property name="name" value="HTTPS"/>
> <property name="description" value="Only Allows HTTPS Urls"/>
> <property name="serviceId" value="https://**"/>
> </bean>
> <bean class="org.jasig.cas.services.RegisteredServiceImpl">
> <property name="id" value="2"/>
> <property name="name" value="IMAPS"/>
> <property name="description" value="Only Allows HTTPS Urls"/>
> <property name="serviceId" value="imaps://**"/>
> </bean>
> <bean class="org.jasig.cas.services.RegisteredServiceImpl">
> <property name="id" value="3"/>
> <property name="name" value="IMAP"/>
> <property name="description" value="Only Allows IMAP Urls"/>
> <property name="serviceId" value="imap://**"/>
> </bean>
> </list>
> </property>
> </bean>
> <bean id="auditTrailManager"
> class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager"/>
> </beans>
>
> --
> You are currently subscribed to [email protected] as: 
> [email protected]
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
