Thank you Mihai and John. I will try those things first thing in the morning and get back to you with all the additional logs and details.
Mike

On Tue, Jun 30, 2015 at 3:22 PM, John Ryan <[email protected]> wrote:

> Mike,
>
> I think Daniel is on to something: we see no indication whatsoever in your
> log output that LDAP authentication is even being attempted. In your
> log4j.xml please dial way back everything (most especially
> org.springframework) to WARN except org.jasig and org.ldaptive (set both
> to TRACE). After you attempt to hit a CAS-ified application, we should
> then see a rich set of detail about CAS placing a service in FlowScope,
> generating a login ticket, etc.
>
> If everything is OK up to that point, we'll see an "Attempting LDAP
> authentication" message from
> org.jasig.cas.authentication.LdapAuthenticationHandler, followed by rich
> detail from org.ldaptive components as they interact with AD.
>
> FYI we're using CAS 4.0 with AD and it is working fine. The only
> difference that jumps out to me from our configuration is that we don't use
> any of the ldap.authn properties at all, as we want to use the user's
> sAMAccountName.
>
> Also, one departure from the deployerConfigContext.xml at
> http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html#active_directory_authentication
> is that we do not use an sslConfig bean. We use ldaps, the cert for our AD
> server is in the JVM's keystore, and things seem to work just fine without
> the sslConfig bean.
>
> But again, we see no indication an attempt at LDAP authentication is even
> being attempted. Updating log4j.xml with the suggested changes should at
> least make that clear.
>
> On 6/29/2015 9:26 PM, Daniel Fisher wrote:
>
>> On Mon, Jun 29, 2015 at 1:28 PM, Mike Seiler <[email protected]> wrote:
>>
>>> Any further suggestions on what might be causing the system to fail to
>>> authenticate users?
>>>
>>> Bind with manager password works. Certificates validate. sAMAccountName
>>> is set as the search filter.
>>>
>>> Any suggestions would be appreciated.
>>
>> I didn't see the LDAP authentication component being exercised. Your
>> LDAP pools initialize correctly, but the authentication handler does not
>> appear to use them. I don't know enough about the v4 config to say what's
>> wrong, but I would look for something fundamental in the authentication
>> wiring, not in the LDAP config.
>>
>> --Daniel Fisher
>>
>> --
>> You are currently subscribed to [email protected] as: [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
> --
> John Ryan / Senior Software Engineer / RedZone Software
> [email protected] / www.redzone.co

--
Michael Seiler
Systems Integration Engineer
Fuller Theological Seminary
[email protected]
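The log4j.xml change John suggests, written out as an added example (it is not from the thread or from the CAS project): the root logger and org.springframework at WARN, org.jasig and org.ldaptive at TRACE, using the log4j 1.2 XML syntax that CAS 4.0 ships with. The appender name, file path and layout pattern are assumptions; only the logger names and levels come from the thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">

    <!-- Assumed appender: name, file path and pattern are placeholders,
         not values from the thread. -->
    <appender name="cas" class="org.apache.log4j.RollingFileAppender">
        <param name="File" value="cas.log"/>
        <param name="MaxFileSize" value="10MB"/>
        <param name="MaxBackupIndex" value="5"/>
        <layout class="org.apache.log4j.PatternLayout">
            <param name="ConversionPattern" value="%d %p [%c] - %m%n"/>
        </layout>
    </appender>

    <!-- Spring is the noisiest package in a CAS log; pin it to WARN
         explicitly so it cannot inherit a louder level. -->
    <logger name="org.springframework">
        <level value="WARN"/>
    </logger>

    <!-- CAS itself at TRACE: service placed in FlowScope, login ticket
         generation, and the "Attempting LDAP authentication" message from
         org.jasig.cas.authentication.LdapAuthenticationHandler. If that
         message never appears, the handler is not wired into the
         authentication manager, which is Daniel's suspicion. -->
    <logger name="org.jasig">
        <level value="TRACE"/>
    </logger>

    <!-- ldaptive at TRACE: connection pool, bind and search activity
         against AD, which only shows up after the handler fires. -->
    <logger name="org.ldaptive">
        <level value="TRACE"/>
    </logger>

    <!-- Everything not listed above stays quiet. -->
    <root>
        <level value="WARN"/>
        <appender-ref ref="cas"/>
    </root>

</log4j:configuration>
```

Keep this configuration only for the duration of the diagnosis: TRACE output from org.ldaptive records bind DNs, search filters and returned attribute values, so drop the two loggers back to INFO or WARN and rotate the log file once the handler has been confirmed to run.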
