Does anyone have any theories as to why our LDAP bind would fail when
our service registry database is unavailable? I mean, I know it says
"Invalid Credentials", but I don't understand this dependency on the
database.
-baron
On Mon, Jan 06, 2014 at 11:53:26AM -1000, Baron Fujimoto wrote:
>You're right, I overlooked the stack trace (mea culpa):
>
>===
>DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor did not
>generate service.
>DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] - Extractor did not
>generate service.
>DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - Performing
>LDAP bind with credential: [... elided ...],ou=People,dc=hawaii,dc=edu
>DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - [LDAP:
>error code 49 - Invalid Credentials]; nested exception is
>javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid
>Credentials]
>org.springframework.ldap.AuthenticationException: [LDAP: error code 49 -
>Invalid Credentials]; nested exception is
>javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid
>Credentials]
>===
>
>Though now the question is why does the LDAP bind fail only when the service
>registry database is unavailable?
>
>I think these are the relevant config from deployerConfigContext.xml:
>
>===
>
> <bean id="authenticationManager"
>       class="org.jasig.cas.authentication.AuthenticationManagerImpl">
>   <property name="credentialsToPrincipalResolvers">
>     <list>
>       <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
>         <!-- The Principal resolver from the credentials -->
>         <property name="credentialsToPrincipalResolver">
>           <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>         </property>
>         <!--
>           The query made to find the Principal ID.
>           "%u" will be replaced by the resolved Principal
>         -->
>         <property name="filter" value="(uid=%u)" />
>
>         <!-- The attribute used to define the new Principal ID -->
>         <property name="principalAttributeName" value="uid" />
>
>         <!--
>         <property name="searchBase"
>                   value="ou=people,dc=hawaii,dc=edu" />
>         -->
>         <property name="searchBase" value="${ldap.searchBase}" />
>         <property name="contextSource" ref="contextSource" />
>
>         <property name="attributeRepository">
>           <ref bean="attributeRepository" />
>         </property>
>       </bean>
>
>       <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>
>       <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
>     </list>
>   </property>
>
>   <property name="authenticationHandlers">
>     <list>
>       <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
>             p:httpClient-ref="httpClient" />
>
>       <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
>             p:filter="uid=%u"
>             p:searchBase="${ldap.searchBase}"
>             p:contextSource-ref="contextSource"
>             p:searchContextSource-ref="pooledContextSource" />
>     </list>
>   </property>
> </bean>
>===
>
>-baron
>
>
>On Tue, Dec 24, 2013 at 07:51:37AM -0700, Misagh Moayyed wrote:
>>The DEBUG entries are likely not the cause of error. There probably is a
>>stacktrace or another indicator in the logs as an ERROR that explains what
>>went wrong.
>>
>>----- Original Message -----
>>
>>From: "Baron Fujimoto" <[email protected]>
>>To: [email protected]
>>Sent: Monday, December 23, 2013 6:25:53 PM
>>Subject: [cas-user] CAS is Unavailable: Extractor did not generate service
>>
>>We have had CAS server 3.4.11 deployed for some time, and it seemed to be
>>working as expected. We recently encountered the following error in the
>>UI however when the MySQL database for our service registry was taken down
>>for maintenance:
>>
>>===
>>CAS is Unavailable
>>
>>There was an error trying to complete your request. Please notify your
>>support desk or try again.
>>===
>>
>>With the corresponding cas.log entries:
>>
>>===
>>DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor did not
>>generate service.
>>DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] - Extractor did not
>>generate service.
>>===
>>
>>This caught us by surprise, since I expected CAS to keep going using its
>>in-memory copy of the service registry based on the feature described
>>here:
>>
>><https://wiki.jasig.org/display/CASUM/Configuring#Configuring-NotesontheavailabilityofServicesManagementApplicationDatabase>
>>
>>
>>I could have sworn I have previously tested this feature, though I am now
>>perhaps questioning my recollection based on current behaviour (though it
>>may have been an earlier version of CAS3).
>>
>>Any assistance or suggestions would be greatly appreciated.
>>
>>I believe this is the relevant configuration from
>>deployerConfigContext.xml:
>>
>><!-- Define the Service Registry -->
>><bean id="serviceRegistryDao"
>>      class="org.jasig.cas.services.JpaServiceRegistryDaoImpl"
>>      p:entityManagerFactory-ref="entityManagerFactory" />
>>
>><!-- Persistent Service Registry: mysql -->
>><!-- This is the EntityManagerFactory configuration for Hibernate -->
>><bean id="entityManagerFactory"
>>      class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
>>  <property name="dataSource" ref="dataSource"/>
>>  <property name="jpaVendorAdapter">
>>    <bean class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
>>      <property name="generateDdl" value="true"/>
>>      <property name="showSql" value="true" />
>>    </bean>
>>  </property>
>>  <property name="jpaProperties">
>>    <props>
>>      <prop key="hibernate.dialect">${database.hibernate.dialect}</prop>
>>      <prop key="hibernate.hbm2ddl.auto">update</prop>
>>    </props>
>>  </property>
>></bean>
>>
>><bean id="transactionManager"
>>      class="org.springframework.orm.jpa.JpaTransactionManager">
>>  <property name="entityManagerFactory" ref="entityManagerFactory"/>
>></bean>
>>
>><tx:annotation-driven transaction-manager="transactionManager"/>
>>
>><bean id="dataSource"
>>      class="org.apache.commons.dbcp.BasicDataSource"
>>      p:driverClassName="com.mysql.jdbc.Driver"
>>      p:url="${service.registry.url}"
>>      p:username="${service.registry.username}"
>>      p:password="${service.registry.password}" />
>>===
>>
>>${database.hibernate.dialect} is defined in cas.properties as:
>>database.hibernate.dialect=org.hibernate.dialect.MySQLDialect
>>
>>and pom.xml contains:
>>
>>===
>><!-- Dependencies for database classes -->
>><!-- Apache Commons DBCP -->
>><dependency>
>>  <groupId>commons-dbcp</groupId>
>>  <artifactId>commons-dbcp</artifactId>
>>  <version>1.4</version>
>>  <scope>runtime</scope>
>></dependency>
>>
>><!-- Hibernate Entities -->
>><dependency>
>>  <groupId>org.hibernate</groupId>
>>  <artifactId>hibernate-entitymanager</artifactId>
>>  <version>3.5.0-CR-2</version>
>></dependency>
>>
>><!-- MySQL Connector -->
>><dependency>
>>  <groupId>mysql</groupId>
>>  <artifactId>mysql-connector-java</artifactId>
>>  <version>5.1.20</version>
>></dependency>
>>
>><!-- End Dependencies for database jars -->
>>===
>
>--
>Baron Fujimoto <[email protected]> :: UH Information Technology Services
>minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
>
>--
>You are currently subscribed to [email protected] as: [email protected]
>To unsubscribe, change settings or access archives, see
>http://www.ja-sig.org/wiki/display/JSG/cas-user
--
Baron Fujimoto <[email protected]> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
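
Added example, not part of the thread and not CAS project code: a small triage script over the cas.log lines quoted above, following the suggestion to look past the extractor DEBUG lines for an exception. It folds wrapped and stack-trace lines into the entry that started them and reports any entry carrying an exception class or an LDAP result code at any level, because the bind failure in this thread was logged at DEBUG. The function names and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample: a subset of the cas.log lines quoted in the thread (DN elided as on the page).
SAMPLE_LOG = """\
DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor did not
generate service.
DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - Performing
LDAP bind with credential: [... elided ...],ou=People,dc=hawaii,dc=edu
DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - [LDAP:
error code 49 - Invalid Credentials]; nested exception is
javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid
Credentials]
org.springframework.ldap.AuthenticationException: [LDAP: error code 49 -
Invalid Credentials]; nested exception is
javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid
Credentials]
"""

ENTRY_START = re.compile(r"^(TRACE|DEBUG|INFO|WARN|ERROR|FATAL) \[([\w.$]+)\] - (.*)$")
LDAP_CODE = re.compile(r"LDAP: error code (\d+)")
EXCEPTION = re.compile(r"\b((?:[a-z_]\w*\.)+[A-Z]\w*Exception)\b")
RESULT_CODES = {32: "noSuchObject", 49: "invalidCredentials",  # RFC 4511 subset
                50: "insufficientAccessRights", 51: "busy", 52: "unavailable"}

def parse_entries(text):
    """Fold wrapped and stack-trace lines into the log entry that started them."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_START.match(line)
        if m:
            entries.append({"level": m.group(1), "logger": m.group(2), "message": m.group(3)})
        elif entries and line.strip():
            entries[-1]["message"] += " " + line.strip()
    return entries

def find_failures(entries):
    """Return entries carrying an exception class or LDAP result code, at any level."""
    hits = []
    for e in entries:
        codes = sorted({int(c) for c in LDAP_CODE.findall(e["message"])})
        excs = sorted(set(EXCEPTION.findall(e["message"])))
        if codes or excs:
            ldap = [(c, RESULT_CODES.get(c, "unknown")) for c in codes]
            hits.append({"level": e["level"], "logger": e["logger"], "exceptions": excs, "ldap": ldap})
    return hits

if __name__ == "__main__":
    print(find_failures(parse_entries(SAMPLE_LOG)))
```

Filtering the same log for ERROR-level lines alone would return nothing for this sample, which is why the script matches on content rather than level.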