Did you ever find a solution for this?

On Friday, December 12, 2014 at 5:06:04 AM UTC-5, Antoine L wrote:
>
> I installed CAS 4 with LDAP (I use AD) and it works. Now I want to add LPPE: it 
> works for a disabled account or for invalid logon hours, but not for anything 
> regarding passwords. Every time, I get "invalid credentials". I followed the 
> instructions from 
> http://jasig.github.io/cas/4.0.0/installation/LDAP-Authentication.html. I 
> found tutorials for LPPE configuration only for CAS 3.5.
>
>
>
> ========================================== log file 
> =============================================================
>
> 2014-12-12 09:30:40,220 INFO [org.ldaptive.auth.Authenticator] - 
> <Authentication failed for dn: [email protected]>
> 2014-12-12 09:30:40,232 DEBUG [org.ldaptive.auth.Authenticator] - 
> <authenticate 
> response=[org.ldaptive.auth.AuthenticationHandlerResponse@1841077166::connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@325586398::config=[org.ldaptive.ConnectionConfig@1213704814::ldapUrl=ldap://ad.test.local,
>  
> connectTimeout=3000, responseTimeout=-1, 
> sslConfig=[org.ldaptive.ssl.SslConfig@1937129692::credentialConfig=[org.ldaptive.ssl.X509CredentialConfig@1821596917::trustCertificates=file:/etc/pki/certificate.pem,
>  
> authenticationCertificate=null, authenticationKey=null], 
> trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, 
> handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, 
> connectionInitializer=null], 
> providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@1650575248::connectionCount=1,
>  
> environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, 
> com.sun.jndi.ldap.connect.timeout=3000, java.naming.ldap.version=3}, 
> providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@24441190::operationExceptionResultCodes=[PROTOCOL_ERROR,
>  
> SERVER_DOWN], properties={}, connectionStrategy=DEFAULT, environment=null, 
> tracePackets=null, removeDnUrls=true, 
> searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, 
> PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null, 
> controlProcessor=org.ldaptive.provider.ControlProcessor@24946049]], 
> providerConnection=org.ldaptive.provider.jndi.JndiConnection@93d6b62], 
> result=false, resultCode=INVALID_CREDENTIALS, 
> message=javax.naming.AuthenticationException: [LDAP: error code 49 - 
> 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, 
> data 701, v2580], controls=null] for [email protected] with 
> request=[org.ldaptive.auth.AuthenticationRequest@1733595237::user=bob, 
> retAttrs=[sAMAccountName, displayName, sAMAccountName, 
> eduPersonAffiliation, groupMembership]]>
> 2014-12-12 09:30:40,233 INFO 
> [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - 
> <LdapAuthenticationHandler failed authenticating bob+password>
> 2014-12-12 09:30:40,242 INFO 
> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
> trail record BEGIN
>
>
> ================================== deployerConfigContext 
> ============================================
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!--
>
>     Licensed to Jasig under one or more contributor license
>     agreements. See the NOTICE file distributed with this work
>     for additional information regarding copyright ownership.
>     Jasig licenses this file to you under the Apache License,
>     Version 2.0 (the "License"); you may not use this file
>     except in compliance with the License.  You may obtain a
>     copy of the License at the following location:
>
>       http://www.apache.org/licenses/LICENSE-2.0
>
>     Unless required by applicable law or agreed to in writing,
>     software distributed under the License is distributed on an
>     "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
>     KIND, either express or implied.  See the License for the
>     specific language governing permissions and limitations
>     under the License.
>
> -->
> <!--
> | deployerConfigContext.xml centralizes into one file some of the 
> declarative configuration that
> | all CAS deployers will need to modify.
> |
> | This file declares some of the Spring-managed JavaBeans that make up a 
> CAS deployment. 
> | The beans declared in this file are instantiated at context 
> initialization time by the Spring
> | ContextLoaderListener declared in web.xml.  It finds this file because 
> this
> | file is among those declared in the context parameter 
> "contextConfigLocation".
> |
> | By far the most common change you will need to make in this file is to 
> change the last bean
> | declaration to replace the default authentication handler with
> | one implementing your approach for authenticating usernames and 
> passwords.
> +-->
>
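> <beans xmlns="http://www.springframework.org/schema/beans"
>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>        xmlns:p="http://www.springframework.org/schema/p"
>        xmlns:c="http://www.springframework.org/schema/c"
>        xmlns:tx="http://www.springframework.org/schema/tx"
>        xmlns:util="http://www.springframework.org/schema/util"
>        xmlns:sec="http://www.springframework.org/schema/security"
>        xmlns:context="http://www.springframework.org/schema/context"
>        xsi:schemaLocation="http://www.springframework.org/schema/beans
>                            http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
>                            http://www.springframework.org/schema/tx
>                            http://www.springframework.org/schema/tx/spring-tx-3.2.xsd
>                            http://www.springframework.org/schema/security
>                            http://www.springframework.org/schema/security/spring-security-3.2.xsd
>                            http://www.springframework.org/schema/context
>                            http://www.springframework.org/schema/context/spring-context-3.0.xsd
>                            http://www.springframework.org/schema/util
>                            http://www.springframework.org/schema/util/spring-util.xsd">
>
>     <!--
>        | Component scanning for the annotated CAS beans. A single scan rooted at
>        | org.jasig.cas already covers every sub-package, so a second scan of
>        | org.jasig.cas.authentication adds nothing and has been dropped.
>        -->
>     <context:component-scan base-package="org.jasig.cas" />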
>
>
>     <!--
>        | The authentication manager is the entry point of the security policy:
>        | it lists the handlers allowed to authenticate a credential and the
>        | principal resolver paired with each handler. The default
>        | PolicyBasedAuthenticationManager is sufficient in most deployments.
>        +-->
>     <bean id="authenticationManager"
>           class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
>         <constructor-arg index="0">
>             <map>
>                 <!--
>                    | IMPORTANT: every handler needs a unique name. When more than
>                    | one instance of the same handler class is configured, set
>                    | an explicit name on each instead of relying on the default
>                    | (typically the simple class name).
>                    -->
>                 <entry key-ref="proxyAuthenticationHandler"
>                        value-ref="proxyPrincipalResolver" />
>                 <entry key-ref="ldapAuthenticationHandler"
>                        value-ref="primaryPrincipalResolver" />
>             </map>
>         </constructor-arg>
>
>         <!--
>            | ClearPass is ACTIVE in this file: CacheCredentialsMetaDataPopulator
>            | captures and caches the user's password in the "encryptedMap" bean on
>            | every successful login. Keep it only if a downstream application
>            | genuinely needs the password; otherwise remove this populator so CAS
>            | never retains end-user passwords.
>            -->
>         <property name="authenticationMetaDataPopulators">
>             <list>
>                 <bean class="org.jasig.cas.extension.clearpass.CacheCredentialsMetaDataPopulator">
>                     <constructor-arg index="0" ref="encryptedMap" />
>                 </bean>
>             </list>
>         </property>
>
>         <!--
>            | Security policy applied to the set of authentication results.
>            | Alternatives shipped with CAS:
>            |   NotPreventedAuthenticationPolicy    - every credential must either pass or fail
>            |   AllAuthenticationPolicy             - every presented credential must succeed
>            |   RequiredHandlerAuthenticationPolicy - a named handler must succeed
>            | AnyAuthenticationPolicy, as its name suggests, is satisfied by any
>            | single successful handler.
>            -->
>         <property name="authenticationPolicy">
>             <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" />
>         </property>
>     </bean>
>
>     <!-- Required for the proxy ticket mechanism; talks to the proxy callback over httpClient. -->
>     <bean id="proxyAuthenticationHandler"
>           class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
>         <property name="httpClient" ref="httpClient" />
>     </bean>
>
>     <!--
>        | LDAP username/password handler. principalIdAttribute names the
>        | directory attribute that becomes the CAS principal id; change it to
>        | another attribute (e.g. userPrincipalName) if that is the NetID.
>        | passwordPolicyConfiguration wires in the LPPE bean defined in the
>        | password-policy context.
>        -->
>     <bean id="ldapAuthenticationHandler"
>           class="org.jasig.cas.authentication.LdapAuthenticationHandler">
>         <constructor-arg index="0" ref="authenticator" />
>         <property name="principalIdAttribute" value="sAMAccountName" />
>         <property name="passwordPolicyConfiguration" ref="passwordPolicy" />
>         <!--
>            | Simple attribute resolution: keys are LDAP attribute names, values
>            | are the CAS attribute names they are released under. Use this
>            | instead of a PrincipalResolver when LDAP is the only attribute
>            | source. NOTE(review): authenticationManager pairs this handler with
>            | primaryPrincipalResolver, which may replace the principal built
>            | here; confirm which attribute source wins in this CAS release.
>            -->
>         <property name="principalAttributeMap">
>             <map>
>                 <entry key="displayName" value="displayName" />
>                 <entry key="sAMAccountName" value="sAMAccountName" />
>                 <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
>                 <entry key="groupMembership" value="groupMembership" />
>             </map>
>         </property>
>     </bean>
>  
>     <!--
>        | ldaptive Authenticator: dnResolver produces the bind name, authHandler
>        | performs the bind with the user's password and entryResolver fetches
>        | the user entry afterwards. ActiveDirectoryAuthenticationResponseHandler
>        | turns the AD-specific "data NNN" sub-code carried in an LDAP error 49
>        | message (for example 701, AD's account-expired code) into account
>        | state on the response; without it a failed bind is only ever seen as
>        | INVALID_CREDENTIALS and the password policy has nothing to act on.
>        -->
>     <bean id="authenticator" class="org.ldaptive.auth.Authenticator">
>         <constructor-arg index="0" ref="dnResolver" />
>         <constructor-arg index="1" ref="authHandler" />
>         <property name="entryResolver" ref="entryResolver" />
>         <property name="authenticationResponseHandlers">
>             <list>
>                 <bean class="org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler" />
>             </list>
>         </property>
>     </bean>
>   
>
>     <!-- Active Directory UPN format: the bind name is built as user@domain, not looked up by search. -->
>     <bean id="dnResolver" class="org.ldaptive.auth.FormatDnResolver">
>         <constructor-arg index="0" value="%s@${ldap.domain}" />
>     </bean>
>  
>     <!-- Bind authentication handler; connections come from the pooled factory below. -->
>     <bean id="authHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler">
>         <property name="connectionFactory" ref="pooledLdapConnectionFactory" />
>     </bean>
>
>     <!-- Connection factory view over connectionPool, used by authHandler. -->
>     <bean id="pooledLdapConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory">
>         <property name="connectionPool" ref="connectionPool" />
>     </bean>
>  
>     <!--
>        | Blocking connection pool. Sizing/validation limits live in ldapPoolConfig,
>        | idle connections are reclaimed by pruneStrategy and checked by
>        | searchValidator; all pool settings are externalised as ldap.pool.* properties.
>        -->
>     <bean id="connectionPool"
>           class="org.ldaptive.pool.BlockingConnectionPool"
>           init-method="initialize">
>         <property name="poolConfig" ref="ldapPoolConfig" />
>         <property name="blockWaitTime" value="${ldap.pool.blockWaitTime}" />
>         <property name="validator" ref="searchValidator" />
>         <property name="pruneStrategy" ref="pruneStrategy" />
>         <property name="connectionFactory" ref="connectionFactory" />
>     </bean>
>
>     <!-- Pool size and validation schedule, all taken from ldap.pool.* properties. -->
>     <bean id="ldapPoolConfig" class="org.ldaptive.pool.PoolConfig">
>         <property name="minPoolSize" value="${ldap.pool.minSize}" />
>         <property name="maxPoolSize" value="${ldap.pool.maxSize}" />
>         <property name="validateOnCheckOut" value="${ldap.pool.validateOnCheckout}" />
>         <property name="validatePeriodically" value="${ldap.pool.validatePeriodically}" />
>         <property name="validatePeriod" value="${ldap.pool.validatePeriod}" />
>     </bean>
>
>     <!-- Creates the raw directory connections that connectionPool manages. -->
>     <bean id="connectionFactory" class="org.ldaptive.DefaultConnectionFactory">
>         <property name="connectionConfig" ref="connectionConfig" />
>     </bean>
>
>     <!--
>        | Transport settings for the directory connection. With a plain ldap://
>        | URL and useStartTLS=false the simple bind sends each user's password
>        | to the directory in cleartext and the trust certificate in sslConfig
>        | is not used at all. Set ldap.useStartTLS=true (or point ldap.url at an
>        | ldaps:// endpoint) for anything beyond a throw-away lab.
>        -->
>     <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig">
>         <property name="ldapUrl" value="${ldap.url}" />
>         <property name="connectTimeout" value="${ldap.connectTimeout}" />
>         <property name="useStartTLS" value="${ldap.useStartTLS}" />
>         <property name="sslConfig" ref="sslConfig" />
>     </bean>
>
>     <!-- Trust anchor(s) for StartTLS/LDAPS; only consulted once TLS is enabled in connectionConfig. -->
>     <bean id="sslConfig" class="org.ldaptive.ssl.SslConfig">
>         <property name="credentialConfig">
>             <bean class="org.ldaptive.ssl.X509CredentialConfig">
>                 <property name="trustCertificates" value="${ldap.trustedCert}" />
>             </bean>
>         </property>
>     </bean>
>
>     <!-- Reclaims idle pooled connections on a periodic schedule. -->
>     <bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy">
>         <property name="prunePeriod" value="${ldap.pool.prunePeriod}" />
>         <property name="idleTime" value="${ldap.pool.idleTime}" />
>     </bean>
>
>     <!-- Validates pooled connections by issuing a search against the directory. -->
>     <bean id="searchValidator" class="org.ldaptive.pool.SearchValidator"></bean>
>
>     <!-- Resolves the user's LDAP entry after the bind (UPN-based search beneath baseDn). -->
>     <bean id="entryResolver"
>           class="org.jasig.cas.authentication.support.UpnSearchEntryResolver">
>         <property name="baseDn" value="${ldap.authn.baseDn}" />
>     </bean>
>
>     <!--
>        | TODO: Replace this component with one suitable for your 
> environment.
>        |
>        | This component provides authentication for the kind of credential 
> used in your environment. In most cases
>        | credential is a username/password pair that lives in a system of 
> record like an LDAP directory.
>        | The most common authentication handler beans:
>        |
>        | * org.jasig.cas.authentication.LdapAuthenticationHandler
>        | * org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler
>        | * 
> org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler
>        | * 
> org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler
>        -->
>     <!--    <bean id="primaryAuthenticationHandler"
>           
> class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">
>         <property name="users">
>             <map>
>                 <entry key="casuser" value="Mellon"/>
>             </map>
>         </property>
>     </bean>-->
>
>     <!-- Required for the proxy ticket mechanism; pairs with proxyAuthenticationHandler. -->
>     <bean id="proxyPrincipalResolver"
>           class="org.jasig.cas.authentication.principal.BasicPrincipalResolver"></bean>
>
>     <!--
>        | Resolves a principal from a credential through an attribute repository
>        | configured against a deployer-specific store (e.g. LDAP). Because
>        | authenticationManager pairs this resolver with ldapAuthenticationHandler,
>        | the attributes released for LDAP logins are expected to come from
>        | attributeRepository; verify this against the CAS 4 authentication docs
>        | if the handler's own principalAttributeMap appears to be ignored.
>        -->
>     <bean id="primaryPrincipalResolver"
>           class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver"
>           p:attributeRepository-ref="attributeRepository" />
>
>     <!--
>        | Attribute source used by primaryPrincipalResolver. This is the
>        | Stub/Mock implementation: it hands out the fixed values in
>        | attrRepoBackingMap instead of querying a directory or database. A real
>        | deployment replaces it with an LDAP- or JDBC-backed DAO; keep the bean
>        | id "attributeRepository".
>        +-->
>     <bean id="attributeRepository"
>           class="org.jasig.services.persondir.support.StubPersonAttributeDao">
>         <property name="backingMap" ref="attrRepoBackingMap" />
>     </bean>
>    
>     <!-- Static values returned by the stub repository: each attribute is set to its own name. -->
>     <util:map id="attrRepoBackingMap">
>         <entry key="displayName"><value>displayName</value></entry>
>         <entry key="sAMAccountName"><value>sAMAccountName</value></entry>
>         <entry key="eduPersonAffiliation"><value>eduPersonAffiliation</value></entry>
>         <entry key="groupMembership"><value>groupMembership</value></entry>
>     </util:map>
>
>     <!--
>        | Sample in-memory ServiceRegistry. A real implementation would normally
>        | swap this for the JPA-backed ServiceRegistry DAO. The bean id must stay
>        | "serviceRegistryDao".
>        +-->
>     <bean id="serviceRegistryDao"
>           class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
>         <property name="registeredServices" ref="registeredServicesList" />
>     </bean>
>
>     <!--
>        | Registered services. This single entry authorises every http(s) and
>        | imap(s) URL to obtain tickets and to proxy (allowedToProxy=true). That
>        | is acceptable for a test box; in production replace it with one entry
>        | per known application using the narrowest serviceId pattern that
>        | matches it, and enable proxying only where it is actually needed.
>        -->
>     <util:list id="registeredServicesList">
>         <bean class="org.jasig.cas.services.RegexRegisteredService">
>             <property name="id" value="0" />
>             <property name="name" value="HTTP and IMAP" />
>             <property name="description" value="Allows HTTP(S) and IMAP(S) protocols" />
>             <property name="serviceId" value="^(https?|imaps?)://.*" />
>             <property name="evaluationOrder" value="10000001" />
>             <property name="allowedToProxy" value="true" />
>         </bean>
>     </util:list>
>    
>     <!-- Writes audit trail records (authentication, ticket events) to the SLF4J log. -->
>     <bean id="auditTrailManager"
>           class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager"></bean>
>    
>     <!-- Aggregates the monitors in monitorsList for the health check endpoint. -->
>     <bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor">
>         <property name="monitors" ref="monitorsList" />
>     </bean>
>  
>     <util:list id="monitorsList">
>         <!-- Warns when free heap drops below the given percentage. -->
>         <bean class="org.jasig.cas.monitor.MemoryMonitor">
>             <property name="freeMemoryWarnThreshold" value="10" />
>         </bean>
>         <!--
>            | NOTE: SessionMonitor is supported only by these ticket registries:
>            |   * DefaultTicketRegistry
>            |   * JpaTicketRegistry
>            | Remove it when another registry is in use.
>            -->
>         <bean class="org.jasig.cas.monitor.SessionMonitor">
>             <property name="ticketRegistry" ref="ticketRegistry" />
>             <property name="serviceTicketCountWarnThreshold" value="5000" />
>             <property name="sessionCountWarnThreshold" value="100000" />
>         </bean>
>     </util:list>
>
>
> </beans>
>
>
> ================================== lppe-configuration 
> ================================================
>
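> <beans xmlns="http://www.springframework.org/schema/beans"
>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>        xmlns:p="http://www.springframework.org/schema/p"
>        xsi:schemaLocation="http://www.springframework.org/schema/beans
>                            http://www.springframework.org/schema/beans/spring-beans.xsd">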
>
>   <!--
>      | LDAP password policy (LPPE) configuration, referenced by
>      | ldapAuthenticationHandler. The LDAP components need directory-specific
>      | setup (Active Directory, OpenLDAP, ...): for AD the Authenticator must
>      | carry ActiveDirectoryAuthenticationResponseHandler so that bind failures
>      | are classified (expired password, locked or expired account, ...) rather
>      | than surfacing as plain invalid credentials. See the CAS documentation.
>     -->
>   <bean id="passwordPolicy"
>         class="org.jasig.cas.authentication.support.LdapPasswordPolicyConfiguration">
>     <property name="alwaysDisplayPasswordExpirationWarning" value="${password.policy.warnAll}" />
>     <property name="passwordWarningNumberOfDays" value="${password.policy.warningDays}" />
>     <property name="passwordPolicyUrl" value="${password.policy.url}" />
>     <property name="accountStateHandler" ref="accountStateHandler" />
>   </bean>
>
>   <!--
>      | Interprets the account state attached to the LDAP response. Suitable for
>      | most cases; replace with a custom component for special cases. Which AD
>      | sub-codes it distinguishes depends on the CAS release: a state it does
>      | not map (check whether AD's 701 "account expired" code is among them) is
>      | still reported to the user as plain invalid credentials.
>     -->
>   <bean id="accountStateHandler"
>         class="org.jasig.cas.authentication.support.DefaultAccountStateHandler"></bean>
>
> </beans>
>
>
>
>
> Thanks for any time spent helping me.
>
> Antoine
>
>