In our current production version of CAS (v3.0), we have the same set of
users in both our LDAP system (provided by Ellucian Luminis) and our
Kerberos system. The LDAP system is using a "fake" password for each user
as we are relying on Kerberos for the "real" one. Thus, when a user logs in
to CAS, I see the following in cas.log:
2014-06-12 13:32:07,445 INFO [http-8443-Processor116]
org.jasig.cas.authentication.AuthenticationManagerImpl
AuthenticationHandler:
org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler failed to
authenticate the user which provided the following credentials: XXXXXX
2014-06-12 13:32:07,466 INFO [http-8443-Processor116]
org.jasig.cas.authentication.AuthenticationManagerImpl
AuthenticationHandler:
org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler
successfully authenticated the user which provided the following
credentials: XXXXXX
2014-06-12 13:32:07,469 WARN [http-8443-Processor116]
org.jasig.services.persondir.support.ldap.PersonAttributesMapper Converting
value 0 of LDAP attribute 'uid' from byte[] to String
2014-06-12 13:32:07,469 WARN [http-8443-Processor116]
org.jasig.services.persondir.support.ldap.PersonAttributesMapper Converting
value 0 of LDAP attribute 'mail' from byte[] to String
2014-06-12 13:32:07,469 WARN [http-8443-Processor116]
org.jasig.services.persondir.support.ldap.PersonAttributesMapper Converting
value 0 of LDAP attribute 'cn' from byte[] to String
2014-06-12 13:32:07,469 WARN [http-8443-Processor116]
org.jasig.services.persondir.support.ldap.PersonAttributesMapper Converting
value 0 of LDAP attribute 'givenname' from byte[] to String
2014-06-12 13:32:07,469 WARN [http-8443-Processor116]
org.jasig.services.persondir.support.ldap.PersonAttributesMapper Converting
value 0 of LDAP attribute 'udcid' from byte[] to String
...
I'm trying to reproduce this in my test instance of CAS (v3.5.2.1) but it
does not seem to work. It fails on the "fake" password in LDAP and does not
try to use JAAS:
2014-06-12 13:27:27,495 DEBUG
[org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - Performing
LDAP bind with credential: uid=XXXXXX
2014-06-12 13:27:27,495 DEBUG
[org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - Performing
LDAP bind with credential: uid=XXXXXX
2014-06-12 13:27:27,529 INFO
[org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - Failed to
authenticate user XXXXXX with error [LDAP: error code 49 - Invalid
Credentials]; nested exception is javax.naming.AuthenticationException:
[LDAP: error code 49 - Invalid Credentials]
2014-06-12 13:27:27,529 INFO
[org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - Failed to
authenticate user XXXXXX with error [LDAP: error code 49 - Invalid
Credentials]; nested exception is javax.naming.AuthenticationException:
[LDAP: error code 49 - Invalid Credentials]
2014-06-12 13:27:27,530 DEBUG
[org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - No error
definitions are defined. Throwing error [LDAP: error code 49 - Invalid
Credentials]; nested exception is javax.naming.AuthenticationException:
[LDAP: error code 49 - Invalid Credentials]
2014-06-12 13:27:27,530 DEBUG
[org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - No error
definitions are defined. Throwing error [LDAP: error code 49 - Invalid
Credentials]; nested exception is javax.naming.AuthenticationException:
[LDAP: error code 49 - Invalid Credentials]
2014-06-12 13:27:27,532 INFO
[org.jasig.cas.authentication.AuthenticationManagerImpl] -
org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler failed
authenticating [username: XXXXXX]
2014-06-12 13:27:27,532 INFO
[org.jasig.cas.authentication.AuthenticationManagerImpl] -
org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler failed
authenticating [username: XXXXXX]
2014-06-12 13:27:27,533 INFO
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit
trail record BEGIN
...
Below are the authenticationManager sections:
Production: CAS v3.0 WORKING
<bean id="authenticationManager"
      class="org.jasig.cas.authentication.AuthenticationManagerImpl">
    <property name="credentialsToPrincipalResolvers">
        <list>
            <!-- bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" / -->
            <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
                <!-- The Principal resolver from the credentials -->
                <property name="credentialsToPrincipalResolver">
                    <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
                </property>
                <!-- The query made to find the Principal ID. "%u" will be replaced by the resolved Principal -->
                <property name="filter" value="(uid=%u)" />
                <!-- The attribute used to define the new Principal ID -->
                <property name="principalAttributeName" value="uid" />
                <property name="searchBase" value="ou=People,o=cp" />
                <property name="contextSource" ref="contextSource" />
                <property name="attributeRepository">
                    <ref bean="attributeRepository" />
                </property>
            </bean>
            <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
        </list>
    </property>
    <property name="authenticationHandlers">
        <list>
            <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
                  p:httpClient-ref="httpClient" />
            <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
                <property name="searchBase" value="ou=People,o=cp" />
                <property name="filter" value="uid=%u" />
                <property name="contextSource" ref="contextSource" />
            </bean>
            <bean class="org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler" />
        </list>
    </property>
    <property name="authenticationMetaDataPopulators">
        <list>
            <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
                <property name="template" ref="LdapTemplate"/>
                <property name="netIdAttr" value="uid" />
                <property name="baseDN" value="ou=People,o=cp"/>
                <property name="casTokenAttributes">
                    <map>
                        <entry>
                            <key>
                                <value>udcid</value>
                            </key>
                            <value>UDC_IDENTIFIER</value>
                        </entry>
                    </map>
                </property>
            </bean>
        </list>
    </property>
</bean>
Test: CAS v3.5.2.1 NOT WORKING
<bean id="authenticationManager"
      class="org.jasig.cas.authentication.AuthenticationManagerImpl">
    <property name="credentialsToPrincipalResolvers">
        <list>
            <!-- <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"/> -->
            <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver"
                  p:filter="(uid=%u)"
                  p:principalAttributeName="uid"
                  p:searchBase="ou=People,o=Luminis,dc=tc,dc=columbia,dc=edu"
                  p:contextSource-ref="pooledContextSource"
                  p:attributeRepository-ref="attributeRepository">
                <property name="credentialsToPrincipalResolver">
                    <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"/>
                </property>
            </bean>
            <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver"/>
        </list>
    </property>
    <property name="authenticationHandlers">
        <list>
            <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
                  p:httpClient-ref="httpClient"/>
            <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
                  p:searchBase="ou=People,o=Luminis,dc=tc,dc=columbia,dc=edu"
                  p:filter="uid=%u"
                  p:contextSource-ref="contextSource"
                  p:searchContextSource-ref="pooledContextSource"/>
            <bean class="org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler"/>
        </list>
    </property>
    <property name="authenticationMetaDataPopulators">
        <list>
            <bean class="org.jasig.cas.authentication.SamlAuthenticationMetaDataPopulator"/>
        </list>
    </property>
</bean>
Any help would be appreciated as I've been hitting my head against this
issue for quite a while already.
Thank you,
Teddy
On Thu, Jun 12, 2014 at 12:42 PM, Sacilowski, Tadeusz <[email protected]> wrote:
> Some more information regarding my previous question:
>
> - If I switch around the LDAP and Jaas handlers, fall through works
> correctly... If the user is not in Kerberos but is in LDAP, authentication
> will succeed. However, the reverse doesn't work (and this is the order that
> I need it to check in: LDAP > Kerberos)
> - I'm using CAS 3.5.2.1
>
> Thank you,
> Teddy
>
>
> On Wed, Jun 11, 2014 at 1:43 PM, Sacilowski, Tadeusz <[email protected]> wrote:
>
>> Hello,
>>
>> I'm trying to set up my institution's CAS to authenticate using LDAP and
>> Kerberos. The goal is to have CAS check LDAP for the user first, and if not
>> found, to try to authenticate in Kerberos.
>>
>> Here is the authentication handler section in my
>> deployerConfigContext.xml file:
>>
>> <property name="authenticationHandlers">
>>     <list>
>>         <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
>>               p:httpClient-ref="httpClient" />
>>
>>         <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
>>               p:filter="uid=%u"
>>               p:searchBase="XXXXXX"
>>               p:contextSource-ref="contextSource"
>>               p:searchContextSource-ref="pooledContextSource" />
>>
>>         <bean class="org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler" />
>>     </list>
>> </property>
>>
>> If I leave this section as is, I can only authenticate if the user exists
>> in LDAP. If the user doesn't exist in LDAP, but does exist in Kerberos,
>> authentication fails. If I comment out the LDAP authentication handler,
>> leaving only JAAS, I can authenticate properly.
>>
>> I'm new to setting up CAS so I apologize if I've missed anything obvious.
>>
>> Thank you!
>>
>> --
>> *Tadeusz Sacilowski*
>> *Manager, Portal & Mobile Development*
>> Teachers College, Columbia University
>> [email protected]
>>
>
>
>
> --
> *Tadeusz Sacilowski*
> *Manager, Portal & Mobile Development*
> Teachers College, Columbia University
> [email protected]
>
--
*Tadeusz Sacilowski*
*Manager, Portal & Mobile Development*
Teachers College, Columbia University
[email protected]
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
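The two cas.log excerpts in this thread differ on one point: in the v3.0 log the LDAP handler is reported as "failed to authenticate" and the JAAS handler is then consulted, whereas in the v3.5.2.1 log the LDAP handler logs "Throwing error" and no JAAS attempt follows. The Java below is an added, stand-alone model of a first-success-wins handler chain written to make that difference concrete; it is not CAS's AuthenticationManagerImpl or any code from the thread, and the handler names, user table, passwords and the `throwOnBadCredentials` switch are constructed for the illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;

/**
 * Illustrative model (not CAS code) of a chain that walks handlers in list
 * order and stops at the first success. It contrasts a handler that reports
 * failure by returning false with one that reports it by throwing.
 */
public class HandlerChainDemo {

    /** Hard failure raised by a handler instead of a plain "false". */
    static class AuthenticationException extends Exception {
        AuthenticationException(String message) { super(message); }
    }

    interface AuthenticationHandler {
        String name();
        /** true = authenticated; false = not authenticated, let the next handler try. */
        boolean authenticate(String username, String password) throws AuthenticationException;
    }

    /** Stand-in for a directory bind or a JAAS/Kerberos login: a fixed username-to-password table. */
    static class TableBackedHandler implements AuthenticationHandler {
        private final String name;
        private final Map<String, String> passwords;
        private final boolean throwOnBadCredentials;  // hypothetical switch for the demo

        TableBackedHandler(String name, Map<String, String> passwords, boolean throwOnBadCredentials) {
            this.name = name;
            this.passwords = passwords;
            this.throwOnBadCredentials = throwOnBadCredentials;
        }

        @Override public String name() { return name; }

        @Override
        public boolean authenticate(String username, String password) throws AuthenticationException {
            boolean ok = password != null && password.equals(passwords.get(username));
            if (!ok && throwOnBadCredentials) {
                // Models an "Invalid Credentials" bind failure surfacing as an exception.
                throw new AuthenticationException(name + ": invalid credentials for " + username);
            }
            return ok;
        }
    }

    /** Outcome of one walk through the chain. */
    static class ChainResult {
        final String authenticatedBy;      // null when no handler accepted the credentials
        final List<String> handlersTried;  // in order, for comparison with the log lines

        ChainResult(String authenticatedBy, List<String> handlersTried) {
            this.authenticatedBy = authenticatedBy;
            this.handlersTried = handlersTried;
        }
    }

    /** Walks the handlers in list order and returns at the first success. */
    static ChainResult authenticate(List<AuthenticationHandler> handlers, String username, String password)
            throws AuthenticationException {
        List<String> tried = new ArrayList<>();
        for (AuthenticationHandler handler : handlers) {
            tried.add(handler.name());
            // A false return falls through to the next handler; an exception leaves
            // the loop here, so the handlers after it are never consulted.
            if (handler.authenticate(username, password)) {
                return new ChainResult(handler.name(), tried);
            }
        }
        return new ChainResult(null, tried);
    }

    public static void main(String[] args) {
        // Constructed sample data: one account in both stores (placeholder password in
        // the directory, real one in Kerberos) and one account only in Kerberos.
        Map<String, String> ldapUsers = Map.of("alice", "ldap-placeholder", "bob", "bob-ldap-pw");
        Map<String, String> kerberosUsers = Map.of("alice", "alice-real-pw", "carol", "carol-krb-pw");

        List<AuthenticationHandler> fallThroughChain = Arrays.asList(
                new TableBackedHandler("LDAP", ldapUsers, false),
                new TableBackedHandler("Kerberos", kerberosUsers, false));
        List<AuthenticationHandler> abortingChain = Arrays.asList(
                new TableBackedHandler("LDAP", ldapUsers, true),
                new TableBackedHandler("Kerberos", kerberosUsers, false));

        report("LDAP returns false, then Kerberos", fallThroughChain, "alice", "alice-real-pw");
        report("LDAP throws, then Kerberos", abortingChain, "alice", "alice-real-pw");
        report("Kerberos-only user, fall-through chain", fallThroughChain, "carol", "carol-krb-pw");
    }

    static void report(String label, List<AuthenticationHandler> chain, String username, String password) {
        try {
            ChainResult r = authenticate(chain, username, password);
            System.out.println(label + ": tried " + r.handlersTried + ", authenticated by " + r.authenticatedBy);
        } catch (AuthenticationException e) {
            System.out.println(label + ": aborted after " + e.getMessage() + " (later handlers not consulted)");
        }
    }
}
```

Compile with `javac HandlerChainDemo.java` and run with `java HandlerChainDemo`. The first and third scenarios reach the Kerberos handler; the second stops at the LDAP handler's exception, which is the shape of the v3.5.2.1 log above. One property of any first-success-wins chain worth keeping in view when wiring it up: a login is accepted as soon as any store accepts it, so an account that is disabled or locked in one store but still active in the other remains usable until both stores are updated.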