To an extent, I figured out what is going on. If your password expires in the timeframe window (in our case, 30 days), it lets you in. If it is outside that window, it doesn't let you in at all.
On Tuesday, August 26, 2014 11:45:27 AM UTC-4, Christopher Sterling wrote:
> So, I have some good news and some bad news that is a little strange and I
> hope you can help me.
>
> It works. It lets users log in, notifies them of when their password will
> expire, and then logs them in. The issue: I have 2 LDAP accounts tied to my
> name. If I try to log in with the account with the expired password, I get
> the notification as expected. If I log in with my other account (without
> an expired password), CAS thinks and thinks and thinks and then returns the
> error: "CAS is Unavailable. There was an error trying to complete your
> request. Please notify your support desk or try again." Any thoughts?
>
> I'm trying to get a log of why it fails for me; it just takes a while to
> fail.
>
> Also, thank you so much for your help. We've had three of us looking at
> this and it was because of one line that it wasn't working correctly. I
> probably never would have seen that problem.
>
> On Tuesday, August 26, 2014 10:49:31 AM UTC-4, Misagh Moayyed wrote:
> > So, that's not actually doing anything for you because the block in
> > between "HttpBasedServiceCredentialsAuthenticationHandler" and
> > "lppeEnabledLdapAuthenticationHandler" is taking over the authentication.
> > You want to have one authentication handler, and in your case that would
> > be the LPPE-enabled one. So remove the block in between and try again.
> >
> > From: Christopher Sterling [mailto:[email protected]]
> > Sent: Tuesday, August 26, 2014 7:45 AM
> > To: [email protected]
> > Cc: [email protected]; [email protected]; [email protected]
> > Subject: Re: [cas-user] Help configuring LPPE in CAS 3.5.2.1
> >
> > > Yep. It's presently located under the authenticationHandlers property.
> > >
> > >   <property name="authenticationHandlers">
> > >     <list>
> > >       <!--
> > >        | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
> > >        | a server side SSL certificate.
> > >        +-->
> > >       <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
> > >             p:httpClient-ref="httpClient" />
> > >
> > >       <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
> > >             p:filter="sAMAccountName=%u"
> > >             p:ignorePartialResultException="true"
> > >             p:searchBase="DC=ad,DC=georgiasouthern,DC=edu"
> > >             p:contextSource-ref="contextSource" />
> > >
> > >       <!--
> > >        | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
> > >        | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
> > >        | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your
> > >        | local authentication strategy. You might accomplish this by coding a new such handler and declaring
> > >        | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
> > >        +-->
> > >       <ref bean="lppeEnabledLdapAuthenticationHandler" />
> > >     </list>
> > >   </property>
> > >
> > > On Tuesday, August 26, 2014 10:43:12 AM UTC-4, Misagh Moayyed wrote:
> > > > …and is your LPPE handler referenced in your authentication manager? In
> > > > your deployerContextConfig.xml?
> > > >
> > > > From: Christopher Sterling [mailto:[email protected]]
> > > > Sent: Tuesday, August 26, 2014 6:58 AM
> > > > To: [email protected]
> > > > Cc: [email protected]; [email protected]; [email protected]
> > > > Subject: Re: [cas-user] Help configuring LPPE in CAS 3.5.2.1
> > > >
> > > > > Yep, got DEBUG turned on. What exactly should I be looking for? It's
> > > > > ~4100 lines. I can put it on pastebin if needed.
> > > > >
> > > > > I did find this when looking through the log.
> > > > >
> > > > > 2014-08-26 09:32:48,278 DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - <Performing LDAP bind with credential: CN=Christopher Wyatt Sterling,OU=Students,DC=ad,DC=georgiasouthern,DC=edu>
> > > > > 2014-08-26 09:32:48,536 INFO [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - <Failed to authenticate user cs02357 with error [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1 ]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1 ]>
> > > > > 2014-08-26 09:32:48,536 DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - <*No error definitions are defined*. Throwing error [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1 ]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1 ]>
> > > > >
> > > > > On Tuesday, August 26, 2014 2:31:12 AM UTC-4, Misagh Moayyed wrote:
> > > > > > Would you be able to turn on DEBUG in your logs?
> > > > > >
> > > > > > From: Christopher Sterling [mailto:[email protected]]
> > > > > > Sent: Monday, August 25, 2014 2:06 PM
> > > > > > To: [email protected]
> > > > > > Subject: [cas-user] Help configuring LPPE in CAS 3.5.2.1
> > > > > >
> > > > > > > So, we need some help trying to configure the LPPE module in CAS
> > > > > > > 3.5.2.1 and I'm wondering if I can get some help.
> > > > > > >
> > > > > > > We followed the directions here:
> > > > > > > https://wiki.jasig.org/pages/viewpage.action?pageId=26149328
> > > > > > >
> > > > > > > Our pom.xml file: http://ss.chrissterling.me/2014-08-25_1650.png
> > > > > > >
> > > > > > > In the deployerConfigContext.xml file, we added the
> > > > > > > <ref bean="lppeEnabledLdapAuthenticationHandler" />:
> > > > > > > http://ss.chrissterling.me/2014-08-25_1653.png
> > > > > > >
> > > > > > > For the lppe-configuration file, we took the one in
> > > > > > > WEB-INF/unused-spring-configuration/lppe-configuration.xml and moved
> > > > > > > it to WEB-INF/spring-configuration/lppe-configuration.xml
> > > > > > >
> > > > > > > In lppe-configuration.xml, we added the error code block to the
> > > > > > > following code:
> > > > > > >
> > > > > > >   <bean id="lppeEnabledLdapAuthenticationHandler"
> > > > > > >         class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
> > > > > > >         p:filter="${ldap.authentication.filter}"
> > > > > > >         p:searchBase="${ldap.authentication.basedn}"
> > > > > > >         p:contextSource-ref="contextSource"
> > > > > > >         p:searchContextSource-ref="pooledContextSource"
> > > > > > >         p:ignorePartialResultException="${ldap.authentication.ignorePartialResultException}">
> > > > > > >     <property name="ldapErrorDefinitions">
> > > > > > >       <list>
> > > > > > >         <bean class="org.jasig.cas.adaptors.ldap.LdapErrorDefinition"
> > > > > > >               p:ldapPattern="data 530"
> > > > > > >               p:type="badHours" />
> > > > > > >
> > > > > > >         <bean class="org.jasig.cas.adaptors.ldap.LdapErrorDefinition"
> > > > > > >               p:ldapPattern="data 533"
> > > > > > >               p:type="accountDisabled" />
> > > > > > >
> > > > > > >         <bean class="org.jasig.cas.adaptors.ldap.LdapErrorDefinition"
> > > > > > >               p:ldapPattern="data 773"
> > > > > > >               p:type="mustChangePassword" />
> > > > > > >
> > > > > > >         <bean class="org.jasig.cas.adaptors.ldap.LdapErrorDefinition"
> > > > > > >               p:ldapPattern="data 775"
> > > > > > >               p:type="accountLocked" />
> > > > > > >
> > > > > > >         <bean class="org.jasig.cas.adaptors.ldap.LdapErrorDefinition"
> > > > > > >               p:ldapPattern="data 531"
> > > > > > >               p:type="badWorkstation" />
> > > > > > >
> > > > > > >         <bean class="org.jasig.cas.adaptors.ldap.LdapErrorDefinition"
> > > > > > >               p:ldapPattern="data (701|532)"
> > > > > > >               p:type="passwordExpired" />
> > > > > > >       </list>
> > > > > > >     </property>
> > > > > > >   </bean>
> > > > > > >
> > > > > > > In the cas.properties we have the following settings:
> > > > > > > http://ss.chrissterling.me/2014-08-25_1655.png
> > > > > > >
> > > > > > > In the login-webflow.xml we put this in there:
> > > > > > > http://ss.chrissterling.me/2014-08-25_1658.png
> > > > > > >
> > > > > > > We haven't done the second replace, but will if suggested.
> > > > > > >
> > > > > > > When a user with an expired password tries to log in, they get the
> > > > > > > following message: The credentials you provided cannot be determined
> > > > > > > to be authentic.
> > > > > > >
> > > > > > > And in the tomcat log, we get the following:
> > > > > > >
> > > > > > > 2014-08-25 14:14:59,317 INFO [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - <Failed to authenticate user cs02357 with error [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1]>
> > > > > > > 2014-08-25 14:14:59,317 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler failed authenticating [username: cs02357]>
> > > > > > > 2014-08-25 14:14:59,318 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> > > > > > > =============================================================
> > > > > > > WHO: [username: cs02357]
> > > > > > > WHAT: supplied credentials: [username: cs02357]
> > > > > > > ACTION: AUTHENTICATION_FAILED
> > > > > > > APPLICATION: CAS
> > > > > > > WHEN: Mon Aug 25 14:14:59 EDT 2014
> > > > > > > CLIENT IP ADDRESS: 141.165.2.185
> > > > > > > SERVER IP ADDRESS: 141.165.6.22
> > > > > > > =============================================================
> > > > > > >
> > > > > > > Now, I did notice, in our log, we do have these NUL values coming
> > > > > > > back as well: http://ss.chrissterling.me/2014-08-25_1704.png (note
> > > > > > > the arrows)
> > > > > > >
> > > > > > > Does anybody have any suggestions as to what we can do to see if we
> > > > > > > can get this fixed and working? Do you guys need anything else from
> > > > > > > me in the way of debugging?
> > > > > > >
> > > > > > > --
> > > > > > > You are currently subscribed to [email protected] as: [email protected]
> > > > > > > To unsubscribe, change settings or access archives, see
> > > > > > > http://www.ja-sig.org/wiki/display/JSG/cas-user
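As an added illustration, not code from this thread, from CAS or from Jasig, the Python below mirrors what the ldapErrorDefinitions list quoted in the thread is for: each ldapPattern is tried as a regular expression against the text of the Active Directory bind failure, and a match yields the LPPE error type (mustChangePassword for "data 773", passwordExpired for "data (701|532)", and so on). With an empty definition list, which is the "No error definitions are defined" state the DEBUG log shows, nothing is classified and the user only sees the generic "credentials cannot be determined to be authentic" failure. The "first match wins" ordering, the helper names and the "data 52e" sample (a wrong-password bind) are assumptions of this example; the 773 and 532 messages follow the AD error text quoted above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Pattern list copied from the lppe-configuration.xml quoted in the thread.
# Each tuple mirrors one LdapErrorDefinition bean: (ldapPattern, type).
# The patterns are used as regular expressions, which is why a single
# definition "data (701|532)" can cover two AD sub-codes.
LDAP_ERROR_DEFINITIONS: List[Tuple[str, str]] = [
    ("data 530", "badHours"),
    ("data 533", "accountDisabled"),
    ("data 773", "mustChangePassword"),
    ("data 775", "accountLocked"),
    ("data 531", "badWorkstation"),
    ("data (701|532)", "passwordExpired"),
]

# AD reports the detailed reason for an LDAP error code 49 as "data <hex>".
DATA_CODE_RE = re.compile(r"\bdata ([0-9a-fA-F]+)\b")


def extract_data_code(message: str) -> Optional[str]:
    """Pull the AD sub-code (e.g. '773') out of a bind error message, if present."""
    match = DATA_CODE_RE.search(message)
    return match.group(1) if match else None


def classify_bind_error(
    message: str,
    definitions: List[Tuple[str, str]] = LDAP_ERROR_DEFINITIONS,
) -> Optional[str]:
    """Return the LPPE type whose pattern matches the bind error text.

    Returns None when no definition applies; an authentication handler with
    no usable definition can only report a generic authentication failure,
    which is exactly what the users in the thread saw before the LPPE
    handler was wired in correctly.
    """
    if not definitions:
        # Equivalent of the DEBUG line "No error definitions are defined."
        return None
    for pattern, error_type in definitions:  # assumption: first match wins
        if re.search(pattern, message):
            return error_type
    return None


# Constructed samples. The 773 and 532 texts follow the AD message quoted in
# the thread; "data 52e" (wrong password) is added here to show a code the
# definition list deliberately does not translate into a friendlier message.
AD_PREFIX = "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, "
SAMPLE_ERRORS: Dict[str, str] = {
    "must-change": AD_PREFIX + "data 773, v1db1 ]",
    "wrong-password": AD_PREFIX + "data 52e, v1db1 ]",
    "password-expired": AD_PREFIX + "data 532, v1db1 ]",
}


def classify_samples(
    definitions: List[Tuple[str, str]] = LDAP_ERROR_DEFINITIONS,
) -> Dict[str, Optional[str]]:
    """Classify every constructed sample; handy for checking a config change."""
    return {name: classify_bind_error(msg, definitions) for name, msg in SAMPLE_ERRORS.items()}


if __name__ == "__main__":
    for name, msg in SAMPLE_ERRORS.items():
        print(f"{name}: data={extract_data_code(msg)} -> {classify_bind_error(msg)}")
    print("with no definitions:", classify_samples(definitions=[]))
```

Leaving "data 52e" unmapped is the conservative choice for a login page: a wrong password and an unknown username should both fall through to the same generic failure, whereas account-state conditions such as 773 or 532 are reported to the user so they can act on them.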
