Can you share some specific details on what's not working for you?

--Daniel Fisher

On Mon, Feb 23, 2015 at 2:49 PM, Jim Price <[email protected]>
wrote:

> Did you ever find a solution for this?
>
> On Friday, December 12, 2014 at 5:06:04 AM UTC-5, Antoine L wrote:
>>
>> I installed CAS 4 with LDAP (I use AD); it works. Now I want to add LPPE,
>> and it works for a disabled account or for invalid logon hours but not for
>> anything regarding passwords. Every time, I get invalid credentials. I followed the
>> instructions from http://jasig.github.io/cas/4.0.0/installation/LDAP-Authentication.html.
>> I found tutorials for LPPE configuration only for CAS 3.5.
>>
>>
>>
>> ========================================== log file =============================================================
>>
>> 2014-12-12 09:30:40,220 INFO [org.ldaptive.auth.Authenticator] -
>> <Authentication failed for dn: [email protected]>
>> 2014-12-12 09:30:40,232 DEBUG [org.ldaptive.auth.Authenticator] -
>> <authenticate response=[org.ldaptive.auth.AuthenticationHandlerResponse@
>> 1841077166::connection=[org.ldaptive.DefaultConnectionFactory$
>> DefaultConnection@325586398::config=[org.ldaptive.
>> ConnectionConfig@1213704814::ldapUrl=ldap://ad.test.local,
>> connectTimeout=3000, responseTimeout=-1, sslConfig=[org.ldaptive.ssl.
>> SslConfig@1937129692::credentialConfig=[org.ldaptive.ssl.
>> X509CredentialConfig@1821596917::trustCertificates=file:/etc/pki/certificate.pem,
>> authenticationCertificate=null, authenticationKey=null],
>> trustManagers=null, enabledCipherSuites=null, enabledProtocols=null,
>> handshakeCompletedListeners=null], useSSL=false, useStartTLS=false,
>> connectionInitializer=null], providerConnectionFactory=[
>> org.ldaptive.provider.jndi.JndiConnectionFactory@1650575248::connectionCount=1,
>> environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
>> com.sun.jndi.ldap.connect.timeout=3000, java.naming.ldap.version=3},
>> providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@24441190::
>> operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN],
>> properties={}, connectionStrategy=DEFAULT, environment=null,
>> tracePackets=null, removeDnUrls=true, 
>> searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED,
>> SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null,
>> hostnameVerifier=null, controlProcessor=org.ldaptive.
>> provider.ControlProcessor@24946049]], providerConnection=org.
>> ldaptive.provider.jndi.JndiConnection@93d6b62], result=false,
>> resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException:
>> [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment:
>> AcceptSecurityContext error, data 701, v2580], controls=null] for
>> [email protected] with 
>> request=[org.ldaptive.auth.AuthenticationRequest@1733595237::user=bob,
>> retAttrs=[sAMAccountName, displayName, sAMAccountName,
>> eduPersonAffiliation, groupMembership]]>
>> 2014-12-12 09:30:40,233 INFO [org.jasig.cas.authentication.
>> PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler failed
>> authenticating bob+password>
>> 2014-12-12 09:30:40,242 INFO 
>> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager]
>> - <Audit trail record BEGIN
>>
>>
>> ================================== deployerConfigContext ============================================
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <!--
>>
>>     Licensed to Jasig under one or more contributor license
>>     agreements. See the NOTICE file distributed with this work
>>     for additional information regarding copyright ownership.
>>     Jasig licenses this file to you under the Apache License,
>>     Version 2.0 (the "License"); you may not use this file
>>     except in compliance with the License.  You may obtain a
>>     copy of the License at the following location:
>>
>>       http://www.apache.org/licenses/LICENSE-2.0
>>
>>     Unless required by applicable law or agreed to in writing,
>>     software distributed under the License is distributed on an
>>     "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
>>     KIND, either express or implied.  See the License for the
>>     specific language governing permissions and limitations
>>     under the License.
>>
>> -->
>> <!--
>> | deployerConfigContext.xml centralizes into one file some of the declarative configuration that
>> | all CAS deployers will need to modify.
>> |
>> | This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
>> | The beans declared in this file are instantiated at context initialization time by the Spring
>> | ContextLoaderListener declared in web.xml.  It finds this file because this
>> | file is among those declared in the context parameter "contextConfigLocation".
>> |
>> | By far the most common change you will need to make in this file is to change the last bean
>> | declaration to replace the default authentication handler with
>> | one implementing your approach for authenticating usernames and passwords.
>> +-->
>>
>> <beans xmlns="http://www.springframework.org/schema/beans"
>>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>        xmlns:p="http://www.springframework.org/schema/p"
>>        xmlns:c="http://www.springframework.org/schema/c"
>>        xmlns:tx="http://www.springframework.org/schema/tx"
>>        xmlns:util="http://www.springframework.org/schema/util"
>>        xmlns:sec="http://www.springframework.org/schema/security"
>>        xmlns:context="http://www.springframework.org/schema/context"
>>        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
>>        http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.2.xsd
>>        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
>>        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
>>        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
>>        <context:component-scan base-package="org.jasig.cas" />
>>        <context:component-scan base-package="org.jasig.cas.authentication" />
>>
>>
>>     <!--
>>        | The authentication manager defines security policy for authentication by specifying at a minimum
>>        | the authentication handlers that will be used to authenticate credential. While the AuthenticationManager
>>        | interface supports plugging in another implementation, the default PolicyBasedAuthenticationManager should
>>        | be sufficient in most cases.
>>        +-->
>>     <bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
>>         <constructor-arg>
>>             <map>
>>                 <!--
>>                    | IMPORTANT
>>                    | Every handler requires a unique name.
>>                    | If more than one instance of the same handler class is configured, you must explicitly
>>                    | set its name to something other than its default name (typically the simple class name).
>>                    -->
>>                 <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
>>                 <entry key-ref="ldapAuthenticationHandler" value-ref="primaryPrincipalResolver" />
>>             </map>
>>         </constructor-arg>
>>
>>
>>         <!-- Uncomment the metadata populator to allow clearpass to capture and cache the password
>>              This switch effectively will turn on clearpass.-->
>>         <property name="authenticationMetaDataPopulators">
>>            <util:list>
>>               <bean class="org.jasig.cas.extension.clearpass.CacheCredentialsMetaDataPopulator"
>>                     c:credentialCache-ref="encryptedMap" />
>>            </util:list>
>>         </property>
>>
>>
>>         <!--
>>            | Defines the security policy around authentication. Some alternative policies that ship with CAS:
>>            |
>>            | * NotPreventedAuthenticationPolicy - all credential must either pass or fail authentication
>>            | * AllAuthenticationPolicy - all presented credential must be authenticated successfully
>>            | * RequiredHandlerAuthenticationPolicy - specifies a handler that must authenticate its credential to pass
>>            -->
>>         <property name="authenticationPolicy">
>>             <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" />
>>         </property>
>>     </bean>
>>
>>     <!-- Required for proxy ticket mechanism. -->
>>     <bean id="proxyAuthenticationHandler"
>>           class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
>>           p:httpClient-ref="httpClient" />
>>
>>     <!--
>>     | Change principalIdAttribute to use another directory attribute,
>>     | e.g. userPrincipalName, for the NetID
>>     -->
>>     <bean id="ldapAuthenticationHandler"
>>           class="org.jasig.cas.authentication.LdapAuthenticationHandler"
>>           p:principalIdAttribute="sAMAccountName"
>>           c:authenticator-ref="authenticator"
>>           p:passwordPolicyConfiguration-ref="passwordPolicy" >
>>         <property name="principalAttributeMap">
>>             <map>
>>                 <!--
>>                    | This map provides a simple attribute resolution mechanism.
>>                    | Keys are LDAP attribute names, values are CAS attribute names.
>>                    | Use this facility instead of a PrincipalResolver if LDAP is
>>                    | the only attribute source.
>>                    -->
>>                 <entry key="displayName" value="displayName" />
>>                 <entry key="sAMAccountName" value="sAMAccountName" />
>>                 <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
>>                 <entry key="groupMembership" value="groupMembership" />
>>             </map>
>>         </property>
>>     </bean>
>>
>>     <bean id="authenticator" class="org.ldaptive.auth.Authenticator"
>>           c:resolver-ref="dnResolver"
>>           c:handler-ref="authHandler"
>>           p:entryResolver-ref="entryResolver" >
>>         <property name="authenticationResponseHandlers">
>>             <util:list>
>>                 <bean class="org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler" />
>>             </util:list>
>>         </property>
>>     </bean>
>>
>>
>>     <!-- Active Directory UPN format. -->
>>     <bean id="dnResolver"
>>           class="org.ldaptive.auth.FormatDnResolver"
>>           c:format="%s@${ldap.domain}" />
>>
>>     <bean id="authHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler"
>>           p:connectionFactory-ref="pooledLdapConnectionFactory" />
>>
>>     <bean id="pooledLdapConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory"
>>           p:connectionPool-ref="connectionPool" />
>>
>>     <bean id="connectionPool" class="org.ldaptive.pool.BlockingConnectionPool"
>>           init-method="initialize"
>>           p:poolConfig-ref="ldapPoolConfig"
>>           p:blockWaitTime="${ldap.pool.blockWaitTime}"
>>           p:validator-ref="searchValidator"
>>           p:pruneStrategy-ref="pruneStrategy"
>>           p:connectionFactory-ref="connectionFactory" />
>>
>>     <bean id="ldapPoolConfig" class="org.ldaptive.pool.PoolConfig"
>>           p:minPoolSize="${ldap.pool.minSize}"
>>           p:maxPoolSize="${ldap.pool.maxSize}"
>>           p:validateOnCheckOut="${ldap.pool.validateOnCheckout}"
>>           p:validatePeriodically="${ldap.pool.validatePeriodically}"
>>           p:validatePeriod="${ldap.pool.validatePeriod}" />
>>
>>     <bean id="connectionFactory" class="org.ldaptive.DefaultConnectionFactory"
>>           p:connectionConfig-ref="connectionConfig" />
>>
>>     <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig"
>>           p:ldapUrl="${ldap.url}"
>>           p:connectTimeout="${ldap.connectTimeout}"
>>           p:useStartTLS="${ldap.useStartTLS}"
>>           p:sslConfig-ref="sslConfig"/>
>>
>>     <bean id="sslConfig" class="org.ldaptive.ssl.SslConfig">
>>         <property name="credentialConfig">
>>             <bean class="org.ldaptive.ssl.X509CredentialConfig"
>>                   p:trustCertificates="${ldap.trustedCert}" />
>>         </property>
>>     </bean>
>>
>>     <bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
>>           p:prunePeriod="${ldap.pool.prunePeriod}"
>>           p:idleTime="${ldap.pool.idleTime}" />
>>
>>     <bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" />
>>
>>     <bean id="entryResolver" class="org.jasig.cas.authentication.support.UpnSearchEntryResolver"
>>           p:baseDn="${ldap.authn.baseDn}" />
>>
>>     <!--
>>        | TODO: Replace this component with one suitable for your environment.
>>        |
>>        | This component provides authentication for the kind of credential used in your environment. In most cases
>>        | credential is a username/password pair that lives in a system of record like an LDAP directory.
>>        | The most common authentication handler beans:
>>        |
>>        | * org.jasig.cas.authentication.LdapAuthenticationHandler
>>        | * org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler
>>        | * org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler
>>        | * org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler
>>        -->
>>     <!--    <bean id="primaryAuthenticationHandler"
>>           class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">
>>         <property name="users">
>>             <map>
>>                 <entry key="casuser" value="Mellon"/>
>>             </map>
>>         </property>
>>     </bean>-->
>>
>>     <!-- Required for proxy ticket mechanism -->
>>     <bean id="proxyPrincipalResolver" class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />
>>
>>     <!--
>>        | Resolves a principal from a credential using an attribute repository that is configured to resolve
>>        | against a deployer-specific store (e.g. LDAP).
>>        -->
>>     <bean id="primaryPrincipalResolver" class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver" >
>>         <property name="attributeRepository" ref="attributeRepository" />
>>     </bean>
>>
>>     <!--
>>     Bean that defines the attributes that a service may return.  This example uses the Stub/Mock version.  A real implementation
>>     may go against a database or LDAP server.  The id should remain "attributeRepository" though.
>>     +-->
>>     <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao"
>>           p:backingMap-ref="attrRepoBackingMap" />
>>
>>     <util:map id="attrRepoBackingMap">
>>         <entry key="displayName" value="displayName" />
>>         <entry key="sAMAccountName" value="sAMAccountName" />
>>         <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
>>         <entry key="groupMembership" value="groupMembership" />
>>     </util:map>
>>
>>     <!--
>>     Sample, in-memory data store for the ServiceRegistry. A real implementation
>>     would probably want to replace this with the JPA-backed ServiceRegistry DAO
>>     The name of this bean should remain "serviceRegistryDao".
>>     +-->
>>     <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl"
>>           p:registeredServices-ref="registeredServicesList" />
>>
>>     <util:list id="registeredServicesList">
>>
>>         <bean class="org.jasig.cas.services.RegexRegisteredService"
>>               p:id="0" p:name="HTTP and IMAP" p:description="Allows HTTP(S) and IMAP(S) protocols"
>>               p:serviceId="^(https?|imaps?)://.*" p:evaluationOrder="10000001"
>>               p:allowedToProxy="true" />
>>
>>     </util:list>
>>
>>     <bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
>>
>>     <bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor"
>>           p:monitors-ref="monitorsList" />
>>
>>     <util:list id="monitorsList">
>>       <bean class="org.jasig.cas.monitor.MemoryMonitor" p:freeMemoryWarnThreshold="10" />
>>       <!--
>>         NOTE
>>         The following ticket registries support SessionMonitor:
>>           * DefaultTicketRegistry
>>           * JpaTicketRegistry
>>         Remove this monitor if you use an unsupported registry.
>>       -->
>>       <bean class="org.jasig.cas.monitor.SessionMonitor"
>>           p:ticketRegistry-ref="ticketRegistry"
>>           p:serviceTicketCountWarnThreshold="5000"
>>           p:sessionCountWarnThreshold="100000" />
>>     </util:list>
>>
>>
>> </beans>
>>
>>
>> ================================== lppe-configuration ================================================
>>
>> <beans xmlns="http://www.springframework.org/schema/beans"
>>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>        xmlns:p="http://www.springframework.org/schema/p"
>>        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
>>
>>   <!--
>>      | Sample LDAP password policy configuration.
>>      | There are notable configuration requirements for LDAP components required for password policy
>>      | depending on the directory (Active Directory, OpenLDAP, etc).
>>      | See CAS documentation for more information.
>>     -->
>>   <bean id="passwordPolicy" class="org.jasig.cas.authentication.support.LdapPasswordPolicyConfiguration"
>>         p:alwaysDisplayPasswordExpirationWarning="${password.policy.warnAll}"
>>         p:passwordWarningNumberOfDays="${password.policy.warningDays}"
>>         p:passwordPolicyUrl="${password.policy.url}"
>>         p:accountStateHandler-ref="accountStateHandler" />
>>
>>   <!-- This component is suitable for most cases but can be replaced with a custom component for special cases. -->
>>   <bean id="accountStateHandler" class="org.jasig.cas.authentication.support.DefaultAccountStateHandler" />
>>
>> </beans>
>>
>>
>>
>>
>> Thanks for any time spent helping me.
>>
>> Antoine
>>
>> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>

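The LPPE setup in the thread depends on a response handler turning a bare "invalid credentials" bind failure into an account state. Active Directory makes that possible by appending a hex "data NNN" sub-code to its result code 49 diagnostic, which is exactly what appears in the log above. The following is an added example (not code from any of the posters, nor from CAS or ldaptive) that parses that diagnostic and maps the sub-code to an account state; the sub-code values are Microsoft's documented ones, while the regex, class and state names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Active Directory answers a failed simple bind with LDAP result code 49 plus a
# hex "data NNN" sub-code in the diagnostic text. Sub-codes are Microsoft's
# documented values; the state names are this example's own.
AD_BIND_SUBCODES = {
    "525": "USER_NOT_FOUND",
    "52e": "INVALID_CREDENTIALS",
    "530": "LOGON_TIME_RESTRICTED",
    "531": "WORKSTATION_RESTRICTED",
    "532": "PASSWORD_EXPIRED",
    "533": "ACCOUNT_DISABLED",
    "701": "ACCOUNT_EXPIRED",
    "773": "PASSWORD_MUST_CHANGE",
    "775": "ACCOUNT_LOCKED_OUT",
}

# Matches the JNDI exception text, e.g. "[LDAP: error code 49 - 80090308:
# LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 701, v2580]"
_DIAG_RE = re.compile(
    r"LDAP: error code (?P<code>\d+) - [0-9A-Fa-f]+: LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: [^,]+, data (?P<data>[0-9A-Fa-f]+)"
)

@dataclass(frozen=True)
class AdBindFailure:
    dsid: str
    data: str           # raw sub-code, lower-case hex as AD prints it
    account_state: str  # name from AD_BIND_SUBCODES, or UNKNOWN

def parse_ad_bind_failure(message: str) -> Optional[AdBindFailure]:
    """Account state behind an AD code 49 bind failure; None when the text is
    not an AD-style diagnostic (e.g. OpenLDAP), so callers do not guess."""
    m = _DIAG_RE.search(message)
    if m is None or int(m.group("code")) != 49:
        return None
    data = m.group("data").lower()
    return AdBindFailure(m.group("dsid"), data, AD_BIND_SUBCODES.get(data, "UNKNOWN"))

def user_facing_reason(failure: Optional[AdBindFailure]) -> str:
    """Login-page message. A missing user and a wrong password share one text
    so the form cannot be used to check which accounts exist."""
    state = failure.account_state if failure else "UNKNOWN"
    return {
        "PASSWORD_EXPIRED": "Your password has expired.",
        "PASSWORD_MUST_CHANGE": "You must change your password before logging in.",
        "ACCOUNT_EXPIRED": "Your account has expired.",
        "ACCOUNT_DISABLED": "Your account is disabled.",
        "ACCOUNT_LOCKED_OUT": "Your account is locked.",
        "LOGON_TIME_RESTRICTED": "Login is not permitted at this time.",
        "WORKSTATION_RESTRICTED": "Login is not permitted from this location.",
    }.get(state, "Invalid credentials.")

# The message from the thread's log (AD, data 701) and a constructed non-AD one.
LOG_MESSAGE = ("javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
               "LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 701, v2580]")
OPENLDAP_MESSAGE = "javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]"
```

Run on the line from the log above, `parse_ad_bind_failure(LOG_MESSAGE)` yields `data 701`, which Microsoft defines as an expired account rather than a wrong password, so a handler that cannot read the sub-code collapses every such state into a generic credential failure. Anything outside the table is kept as `UNKNOWN` and shown as a generic failure rather than guessed.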