Mike, I think Daniel is on to something: we see no indication whatsoever in your log output that LDAP authentication is even being attempted. In your log4j.xml please dial way back everything (most especially org.springframework) to WARN except org.jasig and org.ldaptive (set both to TRACE). After you attempt to hit a CAS-ified application, we should then see a rich set of detail about CAS placing a service in FlowScope, generating a login ticket, etc.

If everything is OK up to that point, we'll see an "Attempting LDAP authentication" message from org.jasig.cas.authentication.LdapAuthenticationHandler, followed by rich detail from org.ldaptive components as they interact with AD.

FYI we're using CAS 4.0 with AD and it is working fine. The only difference that jumps out to me from our configuration is that we don't use any of the ldap.authn properties at all, as we want to use the user's sAMAccountName. Also, one departure from the deployerConfigContext.xml at http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html#active_directory_authentication is that we do not use an sslConfig bean. We use ldaps, the cert for our AD server is in the JVM's keystore, and things seem to work just fine without the sslConfig bean.

But again, we see no indication an attempt at LDAP authentication is even being attempted. Updating log4j.xml with the suggested changes should at least make that clear.

On 6/29/2015 9:26 PM, Daniel Fisher wrote:
> On Mon, Jun 29, 2015 at 1:28 PM, Mike Seiler <[email protected]
> <mailto:[email protected]>> wrote:
>
>> Any further suggestions on what might be causing the system to
>> fail to authenticate users?
>>
>> Bind with manager password works. Certificates validate.
>> sAMAccountName is set as the search filter.
>>
>> Any suggestions would be appreciated.
>
> I didn't see the LDAP authentication component being exercised. Your
> LDAP pools initialize correctly, but the authentication handler does
> not appear to use them. I don't know enough about the v4 config to say
> what's wrong, but I would look for something fundamental in the
> authentication wiring, not in the LDAP config.
>
> --Daniel Fisher
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user

--
John Ryan / Senior Software Engineer / RedZone Software
[email protected] <mailto:[email protected]> / www.redzone.co <http://www.redzone.co>
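An added example, not part of this thread and not the configuration shipped with CAS, of a log4j.xml that does what John describes: root and org.springframework at WARN, org.jasig and org.ldaptive at TRACE. It assumes CAS 4.0's log4j 1.2 XML configuration format; the appender name "console" and the conversion pattern are my own choices, and the output destination should be whatever appender the existing file already uses.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">

  <!-- Assumed appender: replace with the file/console appender already
       defined in your log4j.xml. The %c in the pattern prints the logger
       name, so lines from org.ldaptive and
       org.jasig.cas.authentication.LdapAuthenticationHandler are easy to grep. -->
  <appender name="console" class="org.apache.log4j.ConsoleAppender">
    <layout class="org.apache.log4j.PatternLayout">
      <param name="ConversionPattern" value="%d{ISO8601} %-5p [%c] - %m%n"/>
    </layout>
  </appender>

  <!-- Quiet the framework noise so the authentication flow is readable. -->
  <logger name="org.springframework">
    <level value="WARN"/>
  </logger>

  <!-- CAS itself: shows the service being placed in FlowScope, the login
       ticket being generated, and the "Attempting LDAP authentication"
       message from LdapAuthenticationHandler if the handler is wired in. -->
  <logger name="org.jasig">
    <level value="TRACE"/>
  </logger>

  <!-- ldaptive: connection, bind and search detail against AD. -->
  <logger name="org.ldaptive">
    <level value="TRACE"/>
  </logger>

  <!-- Everything else stays at WARN. -->
  <root>
    <level value="WARN"/>
    <appender-ref ref="console"/>
  </root>

</log4j:configuration>
```

With this in place, hit a CAS-protected application and read the log from the login-ticket generation onward. If the org.jasig trace shows the webflow reaching authentication but no "Attempting LDAP authentication" line ever appears, the LdapAuthenticationHandler is not registered with the authentication manager, which is the wiring problem Daniel suspects rather than an LDAP problem. TRACE on org.ldaptive records bind DNs, search filters and result attributes, so treat these logs as sensitive and drop the levels back to WARN or INFO once the diagnosis is done.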
