Hello, I tried asking this a few months ago, but did not receive any feedback or suggestions re the query. It remains an open issue for us, so I thought I'd try one more time. (Would it be better perhaps if I filed a bug report?)
We have a reproducible situation where, if our MySQL-based service registry database is unavailable, our LDAP binds for AuthN fail with an "Invalid Credentials" error. This caught us by surprise, since I expected CAS to use an in-memory copy of the service registry as needed, based on the feature described here: <https://wiki.jasig.org/display/CASUM/Configuring#Configuring-NotesontheavailabilityofServicesManagementApplicationDatabase>

Does anyone have any theories as to why our LDAP bind would fail when our service registry database is unavailable? I mean, I know it says "Invalid Credentials", but I don't understand this dependency on the database.

===
DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor did not generate service.
DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] - Extractor did not generate service.
DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - Performing LDAP bind with credential: [... elided ...],ou=People,dc=hawaii,dc=edu
DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - [LDAP: error code 49 - Invalid Credentials]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
===

I think these are the relevant configs from deployerConfigContext.xml:

===
<bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
  <property name="credentialsToPrincipalResolvers">
    <list>
      <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
        <!-- The Principal resolver from the credentials -->
        <property name="credentialsToPrincipalResolver">
          <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
        </property>
        <!-- The query made to find the Principal ID. "%u" will be replaced by the resolved Principal -->
        <property name="filter" value="(uid=%u)" />
        <!-- The attribute used to define the new Principal ID -->
        <property name="principalAttributeName" value="uid" />
        <property name="searchBase" value="${ldap.searchBase}" />
        <property name="contextSource" ref="contextSource" />
        <property name="attributeRepository">
          <ref bean="attributeRepository" />
        </property>
      </bean>
      <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
      <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
    </list>
  </property>
  <property name="authenticationHandlers">
    <list>
      <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
            p:httpClient-ref="httpClient" />
      <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
            p:filter="uid=%u"
            p:searchBase="${ldap.searchBase}"
            p:contextSource-ref="contextSource"
            p:searchContextSource-ref="pooledContextSource" />
    </list>
  </property>
</bean>
===

If relevant, our service registry configs are:

===
deployerConfigContext.xml:

<!-- Define the Service Registry -->
<bean id="serviceRegistryDao" class="org.jasig.cas.services.JpaServiceRegistryDaoImpl"
      p:entityManagerFactory-ref="entityManagerFactory" />

<!-- Persistent Service Registry: mysql -->
<!-- This is the EntityManagerFactory configuration for Hibernate -->
<bean id="entityManagerFactory" class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
  <property name="dataSource" ref="dataSource"/>
  <property name="jpaVendorAdapter">
    <bean class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
      <property name="generateDdl" value="true"/>
      <property name="showSql" value="true" />
    </bean>
  </property>
  <property name="jpaProperties">
    <props>
      <prop key="hibernate.dialect">${database.hibernate.dialect}</prop>
      <prop key="hibernate.hbm2ddl.auto">update</prop>
    </props>
  </property>
</bean>

<bean id="transactionManager" class="org.springframework.orm.jpa.JpaTransactionManager">
  <property name="entityManagerFactory" ref="entityManagerFactory"/>
</bean>

<tx:annotation-driven transaction-manager="transactionManager"/>

<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource"
      p:driverClassName="com.mysql.jdbc.Driver"
      p:url="${service.registry.url}"
      p:username="${service.registry.username}"
      p:password="${service.registry.password}" />
===

${database.hibernate.dialect} is defined in cas.properties as:

database.hibernate.dialect=org.hibernate.dialect.MySQLDialect

and pom.xml contains:

===
<!-- Dependencies for database classes -->
<!-- Apache Commons DBCP -->
<dependency>
  <groupId>commons-dbcp</groupId>
  <artifactId>commons-dbcp</artifactId>
  <version>1.4</version>
  <scope>runtime</scope>
</dependency>
<!-- Hibernate Entities -->
<dependency>
  <groupId>org.hibernate</groupId>
  <artifactId>hibernate-entitymanager</artifactId>
  <version>3.5.0-CR-2</version>
</dependency>
<!-- MySQL Connector -->
<dependency>
  <groupId>mysql</groupId>
  <artifactId>mysql-connector-java</artifactId>
  <version>5.1.20</version>
</dependency>
<!-- End Dependencies for database jars -->
===

Any help or suggestions would really be most appreciated.

-baron

--
Baron Fujimoto <[email protected]> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
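A small log-triage script, added here as an example and not part of the post or of CAS itself, that reads CAS DEBUG output of the kind quoted above, pairs each "Performing LDAP bind" line with the LDAP result line that follows it, and classifies the result by its RFC 4511 result code. The point it makes is that error code 49 (invalidCredentials) is the directory's own answer, so the bind request did reach the LDAP server; a result such as 52 (unavailable) or no result line at all would point instead at connectivity. Grouping verdicts per bind DN lets you compare the outage window with normal operation. The sample log is constructed: it reuses the post's lines with the elided DN replaced by the placeholder `uid=exampleuser`, plus one constructed code-52 line for contrast.

```python
import re
from collections import defaultdict

# Constructed sample log (not a real capture): the post's DEBUG lines with the
# elided bind DN replaced by a placeholder, plus one constructed code-52 line.
SAMPLE_LOG = """\
DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor did not generate service.
DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - Performing LDAP bind with credential: uid=exampleuser,ou=People,dc=hawaii,dc=edu
DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - [LDAP: error code 49 - Invalid Credentials]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - Performing LDAP bind with credential: uid=exampleuser,ou=People,dc=hawaii,dc=edu
DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - [LDAP: error code 52 - Unavailable]; nested exception is javax.naming.ServiceUnavailableException: [LDAP: error code 52 - Unavailable]
"""

# Message formats as emitted by BindLdapAuthenticationHandler / JNDI in the post.
BIND_RE = re.compile(r"Performing LDAP bind with credential: (?P<dn>\S.*)$")
RESULT_RE = re.compile(r"\[LDAP: error code (?P<code>\d+) - (?P<diag>[^\]]*)\]")

# RFC 4511 result code names (subset relevant to bind diagnostics).
RESULT_NAMES = {
    0: "success",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    32: "noSuchObject",
    34: "invalidDNSyntax",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    51: "busy",
    52: "unavailable",
    53: "unwillingToPerform",
}

# Codes the directory returns after evaluating the bind it received: the
# request arrived, with whatever DN and password the client sent.
DIRECTORY_DECISION = {7, 8, 32, 34, 48, 49, 50, 53}
# Codes meaning the directory could not serve the request at all.
DIRECTORY_UNAVAILABLE = {51, 52}


def classify(code):
    """Map an LDAP result code to a coarse triage verdict."""
    if code == 0:
        return "bind succeeded"
    if code in DIRECTORY_DECISION:
        return "directory rejected the bind"
    if code in DIRECTORY_UNAVAILABLE:
        return "directory unavailable"
    return "other"


def parse_bind_attempts(log_text):
    """Pair each bind line with the first LDAP result line that follows it.

    Returns a list of dicts with keys dn, code, name, diag, verdict.
    """
    attempts = []
    pending_dn = None
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending_dn = m.group("dn").strip()
            continue
        m = RESULT_RE.search(line)  # first match is the outer (Spring) message
        if m and pending_dn is not None:
            code = int(m.group("code"))
            attempts.append({
                "dn": pending_dn,
                "code": code,
                "name": RESULT_NAMES.get(code, "unknown"),
                "diag": m.group("diag").strip(),
                "verdict": classify(code),
            })
            pending_dn = None
    return attempts


def summarize(attempts):
    """Count verdicts per bind DN so that a DN suddenly being rejected stands
    out from DNs that could not reach the directory at all."""
    summary = defaultdict(lambda: defaultdict(int))
    for a in attempts:
        summary[a["dn"]][a["verdict"]] += 1
    return {dn: dict(v) for dn, v in summary.items()}


if __name__ == "__main__":
    for a in parse_bind_attempts(SAMPLE_LOG):
        print(f"{a['dn']}: code {a['code']} ({a['name']}) -> {a['verdict']}")
    print(summarize(parse_bind_attempts(SAMPLE_LOG)))
```

To use it on a real capture, read the CAS log file into `parse_bind_attempts` instead of `SAMPLE_LOG` and compare the per-DN summary for the window in which the registry database was down with a healthy window; if the bind DN itself differs between the two, the resolver stage rather than the directory is where to look next.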
