Other than the typo, I also had to add the
ActiveDirectoryAuthenticationResponseHandler as below to be able to parse the
AD response.

<bean id="authenticator" class="org.ldaptive.auth.Authenticator"
      c:resolver-ref="dnResolver"
      c:handler-ref="authHandler">
  <!-- Parses the AD bind error so the response carries an account state -->
  <property name="authenticationResponseHandlers">
    <list>
      <bean class="org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler" />
    </list>
  </property>
</bean>

On Saturday, July 19, 2014 3:08:30 AM UTC+5, Raymond Drew Walker wrote:
>
> I ran across this issue as well (with Oracle DS LDAP as backend.)
>
> Once the typo was resolved, even with an extended number of warning days
> AND warnAll set to true in config, there is no modification of behavior for
> any type of account state.
>
> Are the github.io docs missing a lot of material, or are the old wiki
> docs still relevant for 4.x? (i.e., should I be adding ldapErrorDefinitions
> and modifying login-webflow.xml etc.?) via:
> https://wiki.jasig.org/pages/viewpage.action?pageId=26149328
>
> Thanks much for any info.
> —
> Raymond Walker
> Software Systems Engineer StSp.
> ITS - Northern Arizona University
>
> From: wa <[email protected]>
> Reply-To: "[email protected]" <[email protected]>
> Date: Monday, July 14, 2014 at 11:21 AM
> To: "[email protected]" <[email protected]>
> Cc: "[email protected]" <[email protected]>, "[email protected]" <[email protected]>,
> "[email protected]" <[email protected]>
> Subject: Re: [cas-user] CAS 4 LPPE Configuration
>
> There is a typo in the documentation.
>
> <bean id="accountStateHandler"
> class="org.jasig.cas.authentication.support.DefaultAccountStateHander" />
> should be
>
> <bean id="accountStateHandler"
> class="org.jasig.cas.authentication.support.DefaultAccountStateHandler" />
>
> There is a missing 'l' in handler.
>
> On Wednesday, July 9, 2014 10:52:39 PM UTC+5, Daniel Fisher wrote:
>>
>> Marvin offered to update the documentation once you confirmed the fix.
>> Thank you for closing the loop on this.
>>
>> --Daniel Fisher
>>
>> On Wed, Jul 9, 2014 at 1:36 PM, wa <[email protected]> wrote:
>> > BTW this should be updated in the documentation at
>> > http://jasig.github.io/cas/4.0.0/installation/LDAP-Authentication.html
>> >
>> >
>> > On Wednesday, July 9, 2014 10:34:15 PM UTC+5, wa wrote:
>> >>
>> >> Figured it out. Had to add the
>> >> ActiveDirectoryAuthenticationResponseHandler as below to be able to parse AD
>> >> response.
>> >>
>> >> <bean id="authenticator" class="org.ldaptive.auth.Authenticator"
>> >>       c:resolver-ref="dnResolver"
>> >>       c:handler-ref="authHandler">
>> >>   <property name="authenticationResponseHandlers">
>> >>     <list>
>> >>       <bean class="org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler" />
>> >>     </list>
>> >>   </property>
>> >> </bean>
>> >>
>> >>
>> >> On Monday, July 7, 2014 6:56:40 PM UTC+5, wa wrote:
>> >>>
>> >>> Active Directory is running on Windows 2008 Server
>> >>>
>> >>> On Monday, July 7, 2014 11:46:53 AM UTC+5, wa wrote:
>> >>>>
>> >>>> LPPE configuration is as below
>> >>>>
>> >>>> <bean id="ldapAuthenticationHandler"
>> >>>>       class="org.jasig.cas.authentication.LdapAuthenticationHandler"
>> >>>>       p:principalIdAttribute="sAMAccountName"
>> >>>>       c:authenticator-ref="authenticator"
>> >>>>       p:passwordPolicyConfiguration-ref="passwordPolicy">
>> >>>>   <property name="principalAttributeMap">
>> >>>>     <map>
>> >>>>       <!--
>> >>>>          | This map provides a simple attribute resolution mechanism.
>> >>>>          | Keys are LDAP attribute names, values are CAS attribute names.
>> >>>>          | Use this facility instead of a PrincipalResolver if LDAP is
>> >>>>          | the only attribute source.
>> >>>>       -->
>> >>>>       <entry key="member" value="member" />
>> >>>>       <entry key="mail" value="mail" />
>> >>>>       <entry key="displayName" value="displayName" />
>> >>>>     </map>
>> >>>>   </property>
>> >>>> </bean>
>> >>>>
>> >>>> ***************lppe-configuration.xml***************
>> >>>>
>> >>>> <beans xmlns="http://www.springframework.org/schema/beans"
>> >>>>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> >>>>        xmlns:p="http://www.springframework.org/schema/p"
>> >>>>        xsi:schemaLocation="http://www.springframework.org/schema/beans
>> >>>>                            http://www.springframework.org/schema/beans/spring-beans.xsd">
>> >>>>
>> >>>>   <!--
>> >>>>      | Sample LDAP password policy configuration.
>> >>>>      | There are notable configuration requirements for LDAP components
>> >>>>      | required for password policy
>> >>>>      | depending on the directory (Active Directory, OpenLDAP, etc).
>> >>>>      | See CAS documentation for more information.
>> >>>>   -->
>> >>>>   <bean id="passwordPolicy"
>> >>>>         class="org.jasig.cas.authentication.support.LdapPasswordPolicyConfiguration"
>> >>>>         p:alwaysDisplayPasswordExpirationWarning="${password.policy.warnAll}"
>> >>>>         p:passwordWarningNumberOfDays="${password.policy.warningDays}"
>> >>>>         p:passwordPolicyUrl="${password.policy.url}"
>> >>>>         p:accountStateHandler-ref="accountStateHandler" />
>> >>>>
>> >>>>   <!-- This component is suitable for most cases but can be replaced
>> >>>>        with a custom component for special cases. -->
>> >>>>   <bean id="accountStateHandler"
>> >>>>         class="org.jasig.cas.authentication.support.DefaultAccountStateHander" />
>> >>>>
>> >>>> </beans>
>> >>>>
>> >>>>
>> >>>> I will check and confirm the Windows server version. Thanks.
>> >>>>
>> >>>>
>> >>>> On Saturday, July 5, 2014 9:43:22 AM UTC+5, Daniel Fisher wrote:
>> >>>>>
>> >>>>> On Thu, Jun 26, 2014 at 7:59 AM, wa <[email protected]> wrote:
>> >>>>> > 2014-06-26 16:42:50,134 DEBUG
>> >>>>> > [org.jasig.cas.authentication.LdapAuthenticationHandler] - LDAP
>> >>>>> > response:
>> >>>>> >
>> >>>>> > [org.ldaptive.auth.AuthenticationResponse@1850787950::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE,
>> >>>>> > ldapEntry=[dn=CN=test8\, Bpo,OU=agent ou,OU=BPO test
>> >>>>> > OU,OU=Campaigns,OU=xxxx,OU=Sites,DC=xxxx,DC=com[]],
>> >>>>> > accountState=null,
>> >>>>> > result=false, resultCode=INVALID_CREDENTIALS,
>> >>>>> > message=javax.naming.AuthenticationException: [LDAP: error code 49 -
>> >>>>> > 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext
>> >>>>> > error, data 775, v1772\00], controls=null]
>> >>>>> >
>> >>>>>
>> >>>>> accountState is null, so either the authentication response handler
>> >>>>> failed to parse the response or it isn't configured correctly. What
>> >>>>> does your lppe configuration look like?
>> >>>>>
>> >>>>> --Daniel Fisher
>> >>>>>
>> >>>>> --
>> >>>>> You are currently subscribed to [email protected] as:
>> >>>>> [email protected]
>> >>>>> To unsubscribe, change settings or access archives, see
>> >>>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
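
Added example, not part of the original thread and not ldaptive or CAS code: a small Python parser for the AD bind failure text in the DEBUG log quoted above, showing what a response handler has to extract. The "data" field is a hexadecimal AD sub-code (775 is an account lockout) that stays hidden behind INVALID_CREDENTIALS with accountState=null unless something parses it; the state names in the table are labels chosen for this example.

```python
import re

# Well-known Active Directory sub-codes carried in the "data" field of an
# LDAP error 49 bind failure. The field is hexadecimal; the names on the
# right are labels chosen for this example, not identifiers from a library.
AD_BIND_SUBCODES = {
    0x525: "NO_SUCH_USER",
    0x52E: "LOGON_FAILURE",
    0x530: "INVALID_LOGON_HOURS",
    0x531: "INVALID_WORKSTATION",
    0x532: "PASSWORD_EXPIRED",
    0x533: "ACCOUNT_DISABLED",
    0x701: "ACCOUNT_EXPIRED",
    0x773: "PASSWORD_MUST_CHANGE",
    0x775: "ACCOUNT_LOCKED_OUT",
}

# Shape: "error code 49 - 80090308: LdapErr: DSID-..., comment: ..., data 775, v1772"
# \s+ after "data" tolerates the line wrapping seen in mailed or rotated logs.
_AD_ERR = re.compile(
    r"error code (?P<ldap>\d+)\s*-\s*[0-9A-Fa-f]+:\s*LdapErr:\s*"
    r"(?P<dsid>DSID-[0-9A-Fa-f]+),.*?data\s+(?P<data>[0-9A-Fa-f]+)\s*,",
    re.DOTALL,
)


def parse_ad_bind_error(message):
    """Return (ldap_code, dsid, state), or None if the text is not AD-formatted."""
    m = _AD_ERR.search(message)
    if m is None:
        return None  # e.g. another directory server: no sub-code to recover
    sub = int(m.group("data"), 16)
    state = AD_BIND_SUBCODES.get(sub, "UNKNOWN_0x%x" % sub)
    return int(m.group("ldap")), m.group("dsid"), state


# Constructed sample: the exception text from the thread's log, rejoined
# onto one line after mail wrapping.
SAMPLE = (
    r"javax.naming.AuthenticationException: [LDAP: error code 49 - "
    r"80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext "
    r"error, data 775, v1772\00]"
)

if __name__ == "__main__":
    print(parse_ad_bind_error(SAMPLE))
```
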