Seems I found out how to fix it. I was doing the configuration from 
scratch and in the first place I configured the LDAP authentication without 
configuring the SAML protocol [1]. Once done, the authentication started 
to work:

2015-09-20 11:04:22,773 INFO 
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - 
<LdapAuthenticationHandler successfully authenticated myuser+password>
2015-09-20 11:04:22,775 DEBUG 
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <No 
resolver configured for LdapAuthenticationHandler. Falling back to 
handler principal myuser>
2015-09-20 11:04:22,797 INFO 
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - 
<Authenticated myuser with credentials [myuser+password].>
2015-09-20 11:04:22,801 DEBUG 
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - 
<Attribute map for myuser: {[email protected], displayName=Nicolás}>

Hope this helps.

Regards,

Nicolás.

[1]: http://jasig.github.io/cas/4.1.x/protocol/SAML-Protocol.html

On 20/09/15 at 03:38, Guillaume Chéramy wrote:
> Hello,
>
>     I have exactly the same problem. See my previous post "Apereo CAS 
> 4.1.0-RC2 with LDAP backend : Invalid Credential"
>
> Sincerely
>
> On 19/09/2015 15:29, Nicolás wrote:
>> Hi,
>>
>> I'm having some issues configuring LDAP authentication on CAS 4.1.0. I 
>> must say I had this configuration working on 4.0.4 but for some 
>> reason, even when successfully authenticating vs. LDAP, CAS says the 
>> credentials are not right.
>>
>> This is what I did:
>>
>> 1) deployerConfigContext.xml: Inside the authenticationManager bean, 
>> this is the map defined:
>>    <constructor-arg>
>>      <map>
>>        <entry key-ref="proxyAuthenticationHandler" 
>> value-ref="proxyPrincipalResolver" />
>>        <entry key-ref="ldapAuthenticationHandler" value="#{null}" />
>>      </map>
>>    </constructor-arg>
>>
>> 2) deployerConfigContext.xml: Copied and pasted the LDAP support 
>> direct bind config 
>> (http://jasig.github.io/cas/4.1.x/installation/LDAP-Authentication.html#ldap-supporting-direct-bind), 
>> except that I removed the p:sslConfig-ref="sslConfig" part 
>> and the corresponding sslConfig bean, because I'm not using SSL over 
>> LDAP.
>>
>> 3) pom.xml: Added the corresponding dependency:
>>    <dependency>
>>      <groupId>org.jasig.cas</groupId>
>>      <artifactId>cas-server-support-ldap</artifactId>
>>      <version>${cas.version}</version>
>>    </dependency>
>>
>> 4) cas.properties: I customized any needed properties, as I had it in 
>> my 4.0.4 working configuration.
>>
>> Now, I access /cas and authenticate, and CAS says the credentials are 
>> not right. I had a look at the authentication log and I found the 
>> bind to be successful as far as LDAP goes, as you can see here:
>>
>>     Sep 19 14:07:15 machine slapd[22970]: conn=1004 op=1 BIND
>>     anonymous mech=implicit ssf=0
>>     Sep 19 14:07:15 machine slapd[22970]: conn=1004 op=1 BIND
>>     dn="uid=myuser,cn=...,dc=...,dc=..." method=128
>>     Sep 19 14:07:15 machine slapd[22970]: conn=1004 op=1 BIND
>>     dn="uid=myuser,cn=...,dc=...,dc=..." mech=SIMPLE ssf=0
>>     Sep 19 14:07:15 machine slapd[22970]: conn=1004 op=1 RESULT
>>     tag=97 err=0 text=
>>
>> I decided to activate the debugging as mentioned in the 
>> Troubleshooting page of the LDAP configuration, and I saw the following:
>>
>>     2015-09-19 14:07:15,636 DEBUG
>>     [org.ldaptive.auth.FormatDnResolver] - <Formatting DN for myuser
>>     with uid=%s,cn=...,dc=...,dc=...>
>>     2015-09-19 14:07:15,637 DEBUG [org.ldaptive.auth.Authenticator] -
>>     <authenticate dn=uid=myuser,cn=...,dc=...,dc=... with
>>     request=[org.ldaptive.auth.AuthenticationRequest@954293603::user=myuser,
>>     retAttrs=[1.1]]>
>>     2015-09-19 14:07:15,637 DEBUG
>>     [org.ldaptive.auth.PooledBindAuthenticationHandler] -
>>     <authenticate
>>     
>> criteria=[org.ldaptive.auth.AuthenticationCriteria@1404709825::dn=uid=myuser,cn=...,dc=...,dc=...,
>>     
>> authenticationRequest=[org.ldaptive.auth.AuthenticationRequest@954293603::user=myuser,
>>     retAttrs=[1.1]]]>
>>     2015-09-19 14:07:15,639 DEBUG [org.ldaptive.BindOperation] -
>>     <execute
>>     
>> request=[org.ldaptive.BindRequest@1670297304::bindDn=uid=myuser,cn=...,dc=...,dc=...,
>>     saslConfig=null, controls=null] with
>>     
>> connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1313776513::config=[org.ldaptive.ConnectionConfig@257920952::ldapUrl=ldap://localhost,
>>     connectTimeout=3000, responseTimeout=-1, sslConfig=null,
>>     useSSL=false, useStartTLS=false, connectionInitializer=null],
>>     
>> providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@972029714::metadata=[ldapUrl=ldap://localhost,
>>     count=1],
>>     
>> environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
>>     com.sun.jndi.ldap.connect.timeout=3000,
>>     java.naming.ldap.version=3},
>>     
>> providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@995300469::operationExceptionResultCodes=[PROTOCOL_ERROR,
>>     SERVER_DOWN], properties={},
>>     
>> connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy@65f55fd2,
>>     controlProcessor=org.ldaptive.provider.ControlProcessor@5ae33587,
>>     environment=null, tracePackets=null, removeDnUrls=true,
>>     searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED,
>>     SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null,
>>     hostnameVerifier=null]],
>>     providerConnection=org.ldaptive.provider.jndi.JndiConnection@4b642bc0]>
>>     2015-09-19 14:07:15,643 DEBUG [org.ldaptive.BindOperation] -
>>     <execute response=[org.ldaptive.Response@1182007988::result=null,
>>     resultCode=SUCCESS, message=null, matchedDn=null,
>>     responseControls=null, referralURLs=null, messageId=-1] for
>>     
>> request=[org.ldaptive.BindRequest@1670297304::bindDn=uid=myuser,cn=...,dc=...,dc=...,
>>     saslConfig=null, controls=null] with
>>     
>> connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1313776513::config=[org.ldaptive.ConnectionConfig@257920952::ldapUrl=ldap://localhost,
>>     connectTimeout=3000, responseTimeout=-1, sslConfig=null,
>>     useSSL=false, useStartTLS=false, connectionInitializer=null],
>>     
>> providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@972029714::metadata=[ldapUrl=ldap://localhost,
>>     count=1],
>>     
>> environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
>>     com.sun.jndi.ldap.connect.timeout=3000,
>>     java.naming.ldap.version=3},
>>     
>> providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@995300469::operationExceptionResultCodes=[PROTOCOL_ERROR,
>>     SERVER_DOWN], properties={},
>>     
>> connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy@65f55fd2,
>>     controlProcessor=org.ldaptive.provider.ControlProcessor@5ae33587,
>>     environment=null, tracePackets=null, removeDnUrls=true,
>>     searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED,
>>     SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null,
>>     hostnameVerifier=null]],
>>     providerConnection=org.ldaptive.provider.jndi.JndiConnection@4b642bc0]>
>>     2015-09-19 14:07:15,645 DEBUG
>>     [org.ldaptive.auth.PooledBindAuthenticationHandler] -
>>     <authenticate
>>     
>> response=[org.ldaptive.auth.AuthenticationHandlerResponse@1784519566::connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1313776513::config=[org.ldaptive.ConnectionConfig@257920952::ldapUrl=ldap://localhost,
>>     connectTimeout=3000, responseTimeout=-1, sslConfig=null,
>>     useSSL=false, useStartTLS=false, connectionInitializer=null],
>>     
>> providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@972029714::metadata=[ldapUrl=ldap://localhost,
>>     count=1],
>>     
>> environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
>>     com.sun.jndi.ldap.connect.timeout=3000,
>>     java.naming.ldap.version=3},
>>     
>> providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@995300469::operationExceptionResultCodes=[PROTOCOL_ERROR,
>>     SERVER_DOWN], properties={},
>>     
>> connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy@65f55fd2,
>>     controlProcessor=org.ldaptive.provider.ControlProcessor@5ae33587,
>>     environment=null, tracePackets=null, removeDnUrls=true,
>>     searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED,
>>     SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null,
>>     hostnameVerifier=null]],
>>     providerConnection=org.ldaptive.provider.jndi.JndiConnection@4b642bc0],
>>     result=true, resultCode=SUCCESS, message=null, controls=null] for
>>     
>> criteria=[org.ldaptive.auth.AuthenticationCriteria@1404709825::dn=uid=myuser,cn=...,dc=...,dc=...,
>>     
>> authenticationRequest=[org.ldaptive.auth.AuthenticationRequest@954293603::user=myuser,
>>     retAttrs=[1.1]]]>
>>     2015-09-19 14:07:15,660 INFO [org.ldaptive.auth.Authenticator] -
>>     <Authentication succeeded for dn: uid=myuser,cn=...,dc=...,dc=...>
>>     2015-09-19 14:07:15,662 DEBUG [org.ldaptive.auth.Authenticator] -
>>     <authenticate
>>     
>> response=[org.ldaptive.auth.AuthenticationHandlerResponse@1784519566::connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1313776513::config=[org.ldaptive.ConnectionConfig@257920952::ldapUrl=ldap://localhost,
>>     connectTimeout=3000, responseTimeout=-1, sslConfig=null,
>>     useSSL=false, useStartTLS=false, connectionInitializer=null],
>>     
>> providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@972029714::metadata=[ldapUrl=ldap://localhost,
>>     count=1],
>>     
>> environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
>>     com.sun.jndi.ldap.connect.timeout=3000,
>>     java.naming.ldap.version=3},
>>     
>> providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@995300469::operationExceptionResultCodes=[PROTOCOL_ERROR,
>>     SERVER_DOWN], properties={},
>>     
>> connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy@65f55fd2,
>>     controlProcessor=org.ldaptive.provider.ControlProcessor@5ae33587,
>>     environment=null, tracePackets=null, removeDnUrls=true,
>>     searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED,
>>     SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null,
>>     hostnameVerifier=null]],
>>     providerConnection=org.ldaptive.provider.jndi.JndiConnection@4b642bc0],
>>     result=true, resultCode=SUCCESS, message=null, controls=null] for
>>     dn=uid=myuser,cn=...,dc=...,dc=... with
>>     request=[org.ldaptive.auth.AuthenticationRequest@954293603::user=myuser,
>>     retAttrs=[1.1]]>
>>     2015-09-19 14:07:15,664 INFO
>>     [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
>>     <LdapAuthenticationHandler failed authenticating myuser+password>
>>     2015-09-19 14:07:15,665 INFO
>>     [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager]
>>     - <Audit trail record BEGIN
>>     =============================================================
>>     WHO: myuser+password
>>     WHAT: supplied credentials: [myuser+password]
>>     ACTION: AUTHENTICATION_FAILED
>>     APPLICATION: CAS
>>     WHEN: Sat Sep 19 14:07:15 WEST 2015
>>     CLIENT IP ADDRESS: 192.168.1.X
>>     SERVER IP ADDRESS: 192.168.1.X
>>     =============================================================
>>
>>     >
>>     2015-09-19 14:07:15,667 INFO
>>     [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager]
>>     - <Audit trail record BEGIN
>>     =============================================================
>>     WHO: myuser+password
>>     WHAT: 1 errors, 0 successes
>>     ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
>>     APPLICATION: CAS
>>     WHEN: Sat Sep 19 14:07:15 WEST 2015
>>     CLIENT IP ADDRESS: 192.168.1.X
>>     SERVER IP ADDRESS: 192.168.1.X
>>     =============================================================
>>
>>
>> So if CAS says that the authentication succeeded at first, why does 
>> LdapAuthenticationHandler fail? Any hint will be much appreciated 
>> since I'm a bit lost right now.
>>
>> Thanks,
>>
>> Nicolás
>> -- 
>> You are currently subscribed to [email protected] 
>> as: [email protected]
>> To unsubscribe, change settings or access archives, 
>> see http://www.ja-sig.org/wiki/display/JSG/cas-user
>


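The diagnostic pattern in the quoted post (org.ldaptive reports "Authentication succeeded" for the DN, and a few milliseconds later PolicyBasedAuthenticationManager reports "LdapAuthenticationHandler failed authenticating") is worth telling apart from an ordinary bad-password failure, because it points at the CAS-side wiring rather than at the user's credentials. The script below is an added example, not code from the thread or from the CAS project: it parses single-line INFO events in the format shown above, correlates the ldaptive outcome with the CAS handler outcome per user, and labels each handler failure. The sample log, the DNs and the 2-second correlation window are constructed assumptions; the `myuser+password` rendering of the credential follows the thread's own log output.

```python
"""Correlate ldaptive and CAS authentication-manager log lines.

Added example, not from the mailing-list thread. It flags the pattern in
the original post: the LDAP bind succeeds (org.ldaptive) but the CAS
LdapAuthenticationHandler reports a failure right after. That combination
is a misconfiguration signal, not a credential problem, and deserves its
own alert separate from plain login failures (which may be brute forcing).
"""
import re
from datetime import datetime, timedelta

# Constructed sample log, modelled on the lines quoted in the thread.
# DNs and timestamps are made up. 'bob' has no preceding ldaptive success,
# so his handler failure is treated as an ordinary LDAP rejection.
SAMPLE_LOG = """\
2015-09-19 14:07:15,660 INFO [org.ldaptive.auth.Authenticator] - <Authentication succeeded for dn: uid=myuser,ou=people,dc=example,dc=org>
2015-09-19 14:07:15,664 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler failed authenticating myuser+password>
2015-09-19 14:09:01,103 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler failed authenticating bob+password>
2015-09-20 11:04:22,773 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler successfully authenticated myuser+password>
2015-09-20 11:04:22,797 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <Authenticated myuser with credentials [myuser+password].>
"""

# One-line log4j-style event: timestamp, level, [logger] - <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) "
    r"\[(?P<logger>[^\]]+)\] - <(?P<msg>.*)>$"
)
LDAP_OK_RE = re.compile(r"^Authentication succeeded for dn: (?P<dn>.+)$")
HANDLER_RE = re.compile(
    r"^(?P<handler>\w+) (?P<outcome>successfully authenticated|failed authenticating) (?P<cred>.+)$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S,%f"


def parse_events(text):
    """Return (timestamp, kind, user) tuples; multi-line DEBUG dumps and audit bodies are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        msg = m.group("msg")
        if m.group("logger") == "org.ldaptive.auth.Authenticator":
            ok = LDAP_OK_RE.match(msg)
            if ok:
                uid = re.match(r"uid=([^,]+)", ok.group("dn"))
                if uid:
                    events.append((ts, "ldap_bind_ok", uid.group(1)))
        elif m.group("logger").endswith("PolicyBasedAuthenticationManager"):
            h = HANDLER_RE.match(msg)
            if h:
                # The thread's log renders the credential as 'myuser+password';
                # the user id is taken as the part before the first '+'.
                user = h.group("cred").split("+", 1)[0]
                kind = "handler_ok" if h.group("outcome").startswith("success") else "handler_failed"
                events.append((ts, kind, user))
    return events


def classify(events, window=timedelta(seconds=2)):
    """Label each CAS handler failure by whether LDAP had just accepted the same user's bind."""
    binds = [(ts, u) for ts, k, u in events if k == "ldap_bind_ok"]
    findings = []
    for ts, kind, user in events:
        if kind != "handler_failed":
            continue
        recent_bind = any(u == user and ts - window <= bts <= ts for bts, u in binds)
        findings.append({
            "user": user,
            "time": ts.isoformat(),
            # bind accepted by LDAP but rejected by CAS: check the handler /
            # principal-resolver wiring, not the password
            "verdict": "ldap_bind_ok_but_handler_failed" if recent_bind else "rejected_by_ldap",
        })
    return findings


def analyze(text):
    """Convenience wrapper: successes list plus labelled failures."""
    events = parse_events(text)
    return {
        "successes": [u for _, k, u in events if k == "handler_ok"],
        "findings": classify(events),
    }


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG)["findings"]:
        print(f"{f['time']} {f['user']}: {f['verdict']}")
```

Run against the real cas.log instead of `SAMPLE_LOG` to get one line per handler failure; any `ldap_bind_ok_but_handler_failed` verdict means the directory accepted the password, so the next place to look is the CAS configuration rather than the user's account.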
