Hello,

I tried asking this a few months ago, but did not receive any feedback or
suggestions re the query. It remains an open issue for us, so I thought
I'd try one more time. (Would it be better perhaps if I filed a bug
report?)

We have a reproducible situation where, if our MySQL-based service
registry database is unavailable, our LDAP binds for AuthN fail with an
"Invalid Credentials" error.

This caught us by surprise, since I expected CAS to use an in-memory copy
of the service registry as needed based on the feature described here:

<https://wiki.jasig.org/display/CASUM/Configuring#Configuring-NotesontheavailabilityofServicesManagementApplicationDatabase>

Does anyone have any theories as to why our LDAP bind would fail when our
service registry database is unavailable? I mean, I know it says "Invalid
Credentials", but I don't understand this dependency on the database.

===
DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor did not 
generate service.
DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] - Extractor did not 
generate service.
DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - Performing 
LDAP bind with credential: [... elided ...],ou=People,dc=hawaii,dc=edu
DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - [LDAP: 
error code 49 - Invalid Credentials]; nested exception is 
javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid 
Credentials]
org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 
Invalid Credentials]; nested exception is javax.naming.AuthenticationException: 
[LDAP: error code 49 - Invalid Credentials]
===

I think this is the relevant config from deployerConfigContext.xml:

===

    <bean id="authenticationManager"
          class="org.jasig.cas.authentication.AuthenticationManagerImpl">
        <property name="credentialsToPrincipalResolvers">
            <list>
                <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
                    <!-- The Principal resolver for the credentials -->
                    <property name="credentialsToPrincipalResolver">
                        <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
                    </property>
                    <!--
                        The query made to find the Principal ID.
                        "%u" will be replaced by the resolved Principal
                    -->
                    <property name="filter" value="(uid=%u)" />

                    <!-- The attribute used to define the new Principal ID -->
                    <property name="principalAttributeName" value="uid" />

                    <property name="searchBase" value="${ldap.searchBase}" />
                    <property name="contextSource" ref="contextSource" />

                    <property name="attributeRepository">
                        <ref bean="attributeRepository" />
                    </property>
                </bean>

                <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />

                <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
            </list>
        </property>

        <property name="authenticationHandlers">
            <list>
                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
                      p:httpClient-ref="httpClient" />

                <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
                      p:filter="uid=%u"
                      p:searchBase="${ldap.searchBase}"
                      p:contextSource-ref="contextSource"
                      p:searchContextSource-ref="pooledContextSource" />
            </list>
        </property>
    </bean>
===

If relevant, our service registry configs are:

===

deployerConfigContext.xml: 

    <!--
        Define the Service Registry
    -->
    <bean id="serviceRegistryDao"
          class="org.jasig.cas.services.JpaServiceRegistryDaoImpl"
          p:entityManagerFactory-ref="entityManagerFactory" />

    <!-- Persistent Service Registry: mysql -->
    <!-- This is the EntityManagerFactory configuration for Hibernate -->
    <bean id="entityManagerFactory"
          class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
        <property name="dataSource" ref="dataSource"/>
        <property name="jpaVendorAdapter">
            <bean class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
                <property name="generateDdl" value="true"/>
                <property name="showSql"     value="true" />
            </bean>
        </property>
        <property name="jpaProperties">
            <props>
                <prop key="hibernate.dialect">${database.hibernate.dialect}</prop>
                <prop key="hibernate.hbm2ddl.auto">update</prop>
            </props>
        </property>
    </bean>

    <bean id="transactionManager"
          class="org.springframework.orm.jpa.JpaTransactionManager">
        <property name="entityManagerFactory" ref="entityManagerFactory"/>
    </bean>

    <tx:annotation-driven transaction-manager="transactionManager"/>

    <bean id="dataSource"
          class="org.apache.commons.dbcp.BasicDataSource"
          p:driverClassName="com.mysql.jdbc.Driver"
          p:url="${service.registry.url}"
          p:username="${service.registry.username}"
          p:password="${service.registry.password}" />

=== 

${database.hibernate.dialect} is defined in cas.properties as: 
database.hibernate.dialect=org.hibernate.dialect.MySQLDialect 

and pom.xml contains: 

=== 
        <!-- Dependencies for database classes -->
        <!--
            Apache Commons DBCP
        -->
        <dependency>
            <groupId>commons-dbcp</groupId>
            <artifactId>commons-dbcp</artifactId>
            <version>1.4</version>
            <scope>runtime</scope>
        </dependency>

        <!--
            Hibernate Entities
        -->
        <dependency>
            <groupId>org.hibernate</groupId>
            <artifactId>hibernate-entitymanager</artifactId>
            <version>3.5.0-CR-2</version>
        </dependency>

        <!--
            MySQL Connector
        -->
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <version>5.1.20</version>
        </dependency>

        <!-- End Dependencies for database jars -->
=== 

Any help or suggestions would really be most appreciated.

-baron
-- 
Baron Fujimoto <[email protected]> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
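The operational hazard in the report above is that a backend outage surfaces as LDAP result code 49 ("Invalid Credentials"), which per event is indistinguishable from a user mistyping a password. What does distinguish it is the shape of the failures over time: every bind, for every user, failing at once. The following is an added example (not part of the original post and not CAS or Jasig code) that summarizes CAS DEBUG output per minute and flags windows where nearly all binds fail with code 49 across several distinct DNs. The log format is modelled on the lines quoted in the post; the leading log4j timestamp, the user names and DNs, and the alert thresholds are all assumptions, and the sample log is constructed inline. A flagged window is a trigger for investigation, not a diagnosis: a password-spraying campaign produces the same signature as a dead service registry database.

```python
import re
from collections import defaultdict

# Regexes keyed to the CAS 3.x DEBUG messages quoted in the post.
# The "YYYY-MM-DD HH:MM:SS,mmm" prefix is an assumed log4j ConversionPattern;
# adjust TS_RE if your layout differs.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2},\d{3} ")
BIND_RE = re.compile(r"Performing LDAP bind with credential: (?P<dn>\S+)")
LDAP_ERR_RE = re.compile(r"\[LDAP: error code (?P<code>\d+) - (?P<msg>[^\]]+)\]")


def summarize_binds(lines):
    """Per-minute summary: bind attempts, distinct DNs and failures by LDAP result code."""
    windows = defaultdict(lambda: {"attempts": 0, "dns": set(), "errors": defaultdict(int)})
    for line in lines:
        m = TS_RE.match(line)
        if not m:
            continue  # stack-trace / continuation lines carry no timestamp
        w = windows[m.group(1)]
        b = BIND_RE.search(line)
        if b:
            w["attempts"] += 1
            w["dns"].add(b.group("dn"))
            continue
        e = LDAP_ERR_RE.search(line)  # first match only: the nested copy is the same error
        if e:
            w["errors"][int(e.group("code"))] += 1
    return windows


def suspicious_windows(windows, min_attempts=5, min_failure_ratio=0.9):
    """Minutes in which (nearly) every bind failed with code 49 across several distinct DNs.
    Returns (minute, attempts, code-49 failures, distinct DNs) tuples, oldest first."""
    hits = []
    for minute in sorted(windows):
        w = windows[minute]
        if w["attempts"] < min_attempts:
            continue
        failed = w["errors"].get(49, 0)
        if failed / w["attempts"] >= min_failure_ratio and len(w["dns"]) >= min_attempts:
            hits.append((minute, w["attempts"], failed, len(w["dns"])))
    return hits


# ---- constructed sample log (not real data) ------------------------------
_HANDLER = "DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - "


def _bind(ts, user):
    return f"{ts} {_HANDLER}Performing LDAP bind with credential: uid={user},ou=People,dc=example,dc=edu"


def _fail(ts, code=49, msg="Invalid Credentials"):
    return (f"{ts} {_HANDLER}[LDAP: error code {code} - {msg}]; nested exception is "
            f"javax.naming.AuthenticationException: [LDAP: error code {code} - {msg}]")


# The exception toString that CAS prints on the next line has no timestamp and is skipped.
_EXC = ("org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]; "
        "nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]")

_USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]
SAMPLE_LOG = ["2012-06-01 09:00:00,900 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - "
              "Extractor did not generate service."]
# 09:00, healthy: six users bind, only bob mistypes his password.
for _i, _u in enumerate(_USERS):
    _ts = f"2012-06-01 09:00:{_i:02d},100"
    SAMPLE_LOG.append(_bind(_ts, _u))
    if _u == "bob":
        SAMPLE_LOG += [_fail(_ts), _EXC]
# 09:05, modelled on the post's report: every bind now comes back as code 49.
for _i, _u in enumerate(_USERS):
    _ts = f"2012-06-01 09:05:{_i:02d},100"
    SAMPLE_LOG += [_bind(_ts, _u), _fail(_ts), _EXC]

if __name__ == "__main__":
    for minute, attempts, failed, users in suspicious_windows(summarize_binds(SAMPLE_LOG)):
        print(f"{minute}: {failed}/{attempts} binds failed with LDAP code 49 across {users} users")
```

Run against a real cas.log, feed `summarize_binds` the file's lines and keep the thresholds proportional to normal login volume; the point of requiring several distinct DNs is to avoid paging on one user who has locked themselves out.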
