I am desperately trying to get CAS to authenticate from our LDAP server and
I tried using the example you posted, modifying the values for our
environment. I seem to be having a lot of trouble with this portion of the
example:

<bean id="ldapAuthenticationHandler"
      class="org.jasig.cas.authentication.LdapAuthenticationHandler"
      p:principalIdAttribute="cn">
    <constructor-arg ref="authenticator" />
    <property name="principalAttributeMap">
        <map>
            <entry key="mail" value="mail" />
            <entry key="cn" value="cn" />
        </map>
    </property>
</bean>

The error message I get is:

INFO: Deploying web application directory /var/lib/tomcat7/webapps/ROOT
2015-01-06 14:57:38,344 ERROR [org.springframework.web.context.ContextLoader] - <Context initialization failed>
org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 79 in XML document from ServletContext resource [/WEB-INF/deployerConfigContext.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 79; columnNumber: 19; cvc-complex-type.2.3: Element 'map' cannot have character [children], because the type's content type is element-only.
    at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:396)
    at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:334)
    at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:302)
    at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:174)
    at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:209)
    at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:180)
    at org.springframework.web.context.support.XmlWebApplicationContext.loadBeanDefinitions(XmlWebApplicationContext.java:125)
    at org.springframework.web.context.support.XmlWebApplicationContext.loadBeanDefinitions(XmlWebApplicationContext.java:94)
    at org.springframework.context.support.AbstractRefreshableApplicationContext.refreshBeanFactory(AbstractRefreshableApplicationContext.java:130)
    at org.springframework.context.support.AbstractApplicationContext.obtainFreshBeanFactory(AbstractApplicationContext.java:537)
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:451)
    at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:389)
    at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:294)
    at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:112)
    at org.jasig.cas.web.init.SafeContextLoaderListener.contextInitialized(SafeContextLoaderListener.java:75)
    at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4779)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5273)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:895)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:871)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:615)
    at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1095)
    at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1617)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
    at java.util.concurrent.FutureTask.run(FutureTask.java:166)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1146)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:701)
Caused by: org.xml.sax.SAXParseException; lineNumber: 79; columnNumber: 19; cvc-complex-type.2.3: Element 'map' cannot have character [children], because the type's content type is element-only.
    at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:198)
    at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.error(ErrorHandlerWrapper.java:134)
    at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:387)
    at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:321)
    at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator$XSIErrorReporter.reportError(XMLSchemaValidator.java:421)
    at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.reportSchemaError(XMLSchemaValidator.java:3186)
    at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.elementLocallyValidComplexType(XMLSchemaValidator.java:3149)
    at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.elementLocallyValidType(XMLSchemaValidator.java:3109)
    at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.processElementContent(XMLSchemaValidator.java:3011)
    at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.handleEndElement(XMLSchemaValidator.java:2154)
    at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.endElement(XMLSchemaValidator.java:822)
    at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1762)
    at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2937)
    at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:625)
    at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(XMLNSDocumentScannerImpl.java:117)
    at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:489)
    at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:828)
    at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:757)
    at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:133)
    at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(DOMParser.java:240)
    at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:292)
    at org.springframework.beans.factory.xml.DefaultDocumentLoader.loadDocument(DefaultDocumentLoader.java:75)
    at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:388)
    ... 28 more

Anyone have any idea what I am doing wrong?

Thanks so much,
Kristen

On 11/12/14 8:43 AM, "Jason Whitener" <[email protected]> wrote:

> Someone requested that I post my ldap bind deployerConfigContext.xml.  I
> haven't cleaned it up, but it works correctly to bind/search/authenticate
> against a non-ssl ldap.  The cas was version 4.0.0 built using Maven.   
> 
> <?xml version="1.0" encoding="UTF-8"?>
> 
> <beans xmlns="http://www.springframework.org/schema/beans"
>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>        xmlns:p="http://www.springframework.org/schema/p"
>        xmlns:c="http://www.springframework.org/schema/c"
>        xmlns:tx="http://www.springframework.org/schema/tx"
>        xmlns:util="http://www.springframework.org/schema/util"
>        xmlns:sec="http://www.springframework.org/schema/security"
>        xsi:schemaLocation="http://www.springframework.org/schema/beans
>        http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
>        http://www.springframework.org/schema/tx
>        http://www.springframework.org/schema/tx/spring-tx-3.2.xsd
>        http://www.springframework.org/schema/security
>        http://www.springframework.org/schema/security/spring-security-3.2.xsd
>        http://www.springframework.org/schema/util
>        http://www.springframework.org/schema/util/spring-util.xsd">
> 
> 
>     <bean id="authenticationManager"
>           class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
>         <constructor-arg>
>             <map>
>                 <entry key-ref="ldapAuthenticationHandler"
>                        value-ref="usernamePasswordCredentialsResolver" />
>             </map>
>         </constructor-arg>
>     </bean>
> 
>     <bean id="ldapAuthenticationHandler"
>           class="org.jasig.cas.authentication.LdapAuthenticationHandler"
>           p:principalIdAttribute="change-theLoginAttribute">
>         <constructor-arg ref="authenticator" />
>         <property name="principalAttributeMap">
>             <map>
>                 <entry key="mail" value="mail" />
>                 <entry key="cn" value="cn" />
>             </map>
>         </property>
>     </bean>
> 
>     <bean id="authenticator" class="org.ldaptive.auth.Authenticator"
>           c:resolver-ref="pooledSearchDnResolver"
>           c:handler-ref="pooledBindHandler" />
> 
>     <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig"
>           p:ldapUrl="ldap://change-ldapServer:ldapPort"
>           p:connectTimeout="3000"
>           p:useStartTLS="false"
>           p:connectionInitializer-ref="bindConnectionInitializer"/>
> 
> <bean id="bindConnectionInitializer"
>       class="org.ldaptive.BindConnectionInitializer"
>       p:bindDn="change-bindAccount">
>     <property name="bindCredential">
>         <bean class="org.ldaptive.Credential"
>               c:password="change-bindPassword" />
>     </property>
> </bean>
> 
>     <bean id="ldapPoolConfig" class="org.ldaptive.pool.PoolConfig"
>           p:minPoolSize="3"
>           p:maxPoolSize="10"
>           p:validateOnCheckOut="true"
>           p:validatePeriodically="false"
>           p:validatePeriod="300" />
> 
>     <bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
>           p:prunePeriod="300"
>           p:idleTime="600" />
> 
>     <bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" />
> 
>     <bean id="connectionPool" class="org.ldaptive.pool.BlockingConnectionPool"
>           init-method="initialize"
>           p:poolConfig-ref="ldapPoolConfig"
>           p:blockWaitTime="3000"
>           p:validator-ref="searchValidator"
>           p:pruneStrategy-ref="pruneStrategy"
>           p:connectionFactory-ref="connectionFactory"/>
> 
>     <bean id="pooledSearchDnResolver"
>           class="org.ldaptive.auth.PooledSearchDnResolver"
>           p:baseDn="ou=People,o=pcc.edu,o=cp"
>           p:allowMultipleDns="false"
>           p:connectionFactory-ref="pooledConnectionFactory"
>           p:userFilter="pdsLoginId={user}" />
> 
>     <bean id="pooledBindHandler"
>           class="org.ldaptive.auth.PooledBindAuthenticationHandler"
>           p:connectionFactory-ref="pooledConnectionFactory" />
> 
>     <bean id="connectionFactory" class="org.ldaptive.DefaultConnectionFactory"
>           p:connectionConfig-ref="connectionConfig" />
> 
>     <bean id="pooledConnectionFactory"
>           class="org.ldaptive.pool.PooledConnectionFactory"
>           p:connectionPool-ref="connectionPool" />
> 
>     <!--
>        | Credential-to-principal resolver beans
>        -->
>     <bean id="usernamePasswordCredentialsResolver"
>           class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />
> 
>     <bean id="httpBasedCredentialsResolver"
>           class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />
> 
>     <!-- Required for proxy ticket mechanism. -->
>     <bean id="proxyAuthenticationHandler"
>           class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
>           p:httpClient-ref="httpClient" />
> 
>     <bean id="primaryAuthenticationHandler"
>           class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">
>         <property name="users">
>             <map>
>                 <entry key="casuser" value="Mellon"/>
>             </map>
>         </property>
>     </bean>
> 
>     <!-- Required for proxy ticket mechanism -->
>     <bean id="proxyPrincipalResolver"
>           class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />
> 
>     <!--
>        | Resolves a principal from a credential using an attribute repository
> that is configured to resolve
>        | against a deployer-specific store (e.g. LDAP).
>        -->
>     <bean id="primaryPrincipalResolver"
>           class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver">
>         <property name="attributeRepository" ref="attributeRepository" />
>     </bean>
> 
>     <!--
>     Bean that defines the attributes that a service may return.  This example
> uses the Stub/Mock version.  A real implementation
>     may go against a database or LDAP server.  The id should remain
> "attributeRepository" though.
>     +-->
>     <bean id="attributeRepository"
> class="org.jasig.services.persondir.support.StubPersonAttributeDao"
>             p:backingMap-ref="attrRepoBackingMap" />
>     
>     <util:map id="attrRepoBackingMap">
>         <entry key="uid" value="uid" />
>         <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
>         <entry key="groupMembership" value="groupMembership" />
>     </util:map>
> 
>     <!-- 
>     Sample, in-memory data store for the ServiceRegistry. A real
> implementation
>     would probably want to replace this with the JPA-backed ServiceRegistry
> DAO
>     The name of this bean should remain "serviceRegistryDao".
>     +-->
>     <bean id="serviceRegistryDao"
> class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl"
>             p:registeredServices-ref="registeredServicesList" />
> 
>     <util:list id="registeredServicesList">
>         <bean class="org.jasig.cas.services.RegexRegisteredService"
>               p:id="0" p:name="HTTP and IMAP"
>               p:description="Allows HTTP(S) and IMAP(S) protocols"
>               p:serviceId="^(https?|imaps?)://.*" p:evaluationOrder="10000001" />
>         <!--
>         Use the following definition instead of the above to further restrict access
>         to services within your domain (including sub domains).
>         Note that example.com must be replaced with the domain you wish to permit.
>         This example also demonstrates the configuration of an attribute filter
>         that only allows for attributes whose length is 3.
>         -->
>         <!--
>         <bean class="org.jasig.cas.services.RegexRegisteredService">
>             <property name="id" value="1" />
>             <property name="name" value="HTTP and IMAP on example.com" />
>             <property name="description" value="Allows HTTP(S) and IMAP(S) protocols on example.com" />
>             <property name="serviceId" value="^(https?|imaps?)://([A-Za-z0-9_-]+\.)*example\.com/.*" />
>             <property name="evaluationOrder" value="0" />
>             <property name="attributeFilter">
>               <bean class="org.jasig.cas.services.support.RegisteredServiceRegexAttributeFilter"
>                     c:regex="^\w{3}$" />
>             </property>
>         </bean>
>         -->
>     </util:list>
>     
>     <bean id="auditTrailManager"
> class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
>     
>     <bean id="healthCheckMonitor"
>           class="org.jasig.cas.monitor.HealthCheckMonitor" p:monitors-ref="monitorsList" />
>   
>     <util:list id="monitorsList">
>       <bean class="org.jasig.cas.monitor.MemoryMonitor" p:freeMemoryWarnThreshold="10" />
>       <!--
>         NOTE
>         The following ticket registries support SessionMonitor:
>           * DefaultTicketRegistry
>           * JpaTicketRegistry
>         Remove this monitor if you use an unsupported registry.
>       -->
>       <bean class="org.jasig.cas.monitor.SessionMonitor"
>           p:ticketRegistry-ref="ticketRegistry"
>           p:serviceTicketCountWarnThreshold="5000"
>           p:sessionCountWarnThreshold="100000" />
>     </util:list>
> </beans>
> 
> On Mon, Nov 10, 2014 at 11:31 AM, Jason Whitener <[email protected]> wrote:
>> Hi Alberto/Unicon,
>> 
>> Thanks.  I was able to get everything to work.  
>> 
>> If anyone wants a non-ssl ldap deployerConfig using bind credentials, let me
>> know and I'll post it.  
>> 
>> Jason 
>> 
>> 
>> 
>> 
>> On Mon, Nov 10, 2014 at 1:17 AM, Alberto Cabello Sánchez <[email protected]>
>> wrote:
>>> On Fri, 07 Nov 2014 16:24:13 -0800
>>> Jason Whitener <[email protected]> wrote:
>>> 
>>>> > Would anyone share a complete deployerConfigContext.xml that authenticates
>>>> > users against LDAP by means of an authenticated search?
>>>> >
>>>> > I see the documentation here:
>>>> > https://jasig.github.io/cas/4.0.0/installation/LDAP-Authentication.html
>>> 
>>> I have LDAP with direct bind. FWIW, following the aforementioned doc was rather
>>> confusing to me (too much information at the same time) so I tried to understand
>>> the meaning of it and started from the basic config that you can find at
>>> 
>>> https://github.com/UniconLabs/simple-cas-overlay-template/blob/master/src/main/webapp/WEB-INF/deployerConfigContext.xml
>>> 
>>> tweaking just a thing at each step.
>>> 
>>>> > But when I try to put the chain of beans, under the "LDAP Requiring
>>>> > Authenticated Search" in my new deployerConfigContext.xml (created using
>>>> > maven), I get a bunch of errors.
>>> 
>>> Maybe it would be helpful to see those errors.
>>> 
>>>> > Based on this thread:
>>>> > https://groups.google.com/forum/#!topic/jasig-cas-user/2G85KtZTL1c , it
>>>> > looks like the bean with id 'authenticationManager' needs to have an entry
>>>> > key-ref value of ldapAuthenticationHandler.
>>> 
>>> Actually, it needs a list of AuthenticationHandlers:
>>> 
>>> "AuthenticationManager - Entry point into authentication subsystem. It accepts
>>>  one or more credentials and delegates authentication to configured
>>>  AuthenticationHandler components. It collects the results of each attempt and
>>>  determines effective security policy."
>>> 
>>> https://github.com/Jasig/cas/wiki/Configuring-Authentication-Components
>>> 
>>> 
>>> 
>>> --
>>> Alberto Cabello Sánchez
>>> <[email protected]>
>>> 
>>> --
>>> You are currently subscribed to [email protected] as:
>>> [email protected]
>>> To unsubscribe, change settings or access archives, see
>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>> 
>> 
> 

-- 
Kristen Walker
Digital Media Resources Developer
Educational Technology Services
Santa Barbara County Education Office
(805) 964-4711 x 5244
Twitter: @kwalkersb
[email protected]
http://www.sbceoportal.org
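The Xerces complaint quoted above (cvc-complex-type.2.3, 'map' cannot have character children) fires when text that is not XML whitespace sits directly inside `<map>`; a plain well-formedness parser accepts such text, so only the schema validator notices, and characters like the no-break space (U+00A0) that mail clients and web pages substitute for indentation are a common way for it to get into a pasted bean definition. The checker below is an added example, not code from CAS, Spring or anyone in this thread; it uses Python's bundled expat parser to report the line and column of every such character, the element-only list is a hand-picked subset of the Spring beans schema (an assumption), and the sample bean definition is constructed with two no-break spaces in its indentation.

```python
from xml.parsers import expat

# Spring beans elements whose schema content model is element-only (subset
# relevant to deployerConfigContext.xml; assumption, extend as needed).
ELEMENT_ONLY = {"beans", "map", "list", "set", "props", "util:map", "util:list"}
# The only characters XML 1.0 itself counts as whitespace; U+00A0, U+200B,
# U+FEFF and friends are NOT in this set and therefore count as text content.
XML_WHITESPACE = " \t\r\n"


def find_text_in_element_only(xml_text):
    """Return [(line, column, element, codepoint)] for each character that is
    not XML whitespace and appears as direct text of an element-only element.
    Line and column are 1-based, like the numbers in the Xerces message."""
    parser = expat.ParserCreate()   # no namespace processing: names as written
    stack, findings = [], []

    def start(name, attrs):
        stack.append(name)

    def end(name):
        stack.pop()

    def chars(data):
        if not stack or stack[-1] not in ELEMENT_ONLY:
            return
        # expat hands text over in chunks and reports the position of the
        # chunk start, so walk the chunk to place each offending character.
        for idx, ch in enumerate(data):
            if ch in XML_WHITESPACE:
                continue
            prefix = data[:idx]
            line = parser.CurrentLineNumber + prefix.count("\n")
            if "\n" in prefix:
                col = len(prefix) - prefix.rfind("\n") - 1
            else:
                col = parser.CurrentColumnNumber + idx
            findings.append((line, col + 1, stack[-1], "U+%04X" % ord(ch)))

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(xml_text, True)    # raises ExpatError only if not well-formed
    return findings


# Constructed sample: the bean from the thread, with two no-break spaces
# pasted into the indentation of line 7 (invisible in most editors).
SAMPLE = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<beans xmlns="http://www.springframework.org/schema/beans">\n'
    '  <bean id="ldapAuthenticationHandler" class="example.Handler">\n'
    '    <property name="principalAttributeMap">\n'
    '      <map>\n'
    '        <entry key="mail" value="mail" />\n'
    '      \u00a0\u00a0<entry key="cn" value="cn" />\n'
    '      </map>\n'
    '    </property>\n'
    '  </bean>\n'
    '</beans>\n'
)

if __name__ == "__main__":
    for line, col, elem, code in find_text_in_element_only(SAMPLE):
        print("line %d, column %d: %s inside <%s>" % (line, col, code, elem))
```

Run it against the real deployerConfigContext.xml by reading the file as UTF-8 and passing the text to `find_text_in_element_only`; an empty list means the element-only blocks contain nothing but real XML whitespace.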

