Nicolás, you're the best :-)
But now I don't understand why it's necessary to activate SAML support.
Thanks for your debugging.
Guidtz
On 20/09/2015 12:10, Nicolás wrote:
> It seems I found out how to fix it. I was doing the configuration from
> scratch, and I first configured the LDAP authentication without
> configuring the SAML protocol [1]. Once that was done, the
> authentication started to work:
>
> 2015-09-20 11:04:22,773 INFO
> [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
> <LdapAuthenticationHandler successfully authenticated myuser+password>
> 2015-09-20 11:04:22,775 DEBUG
> [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <No
> resolver configured for LdapAuthenticationHandler. Falling back to
> handler principal myuser>
> 2015-09-20 11:04:22,797 INFO
> [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
> <Authenticated myuser with credentials [myuser+password].>
> 2015-09-20 11:04:22,801 DEBUG
> [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
> <Attribute map for myuser: {[email protected], displayName=Nicolás}>
>
> Hope this helps.
>
> Regards,
>
> Nicolás.
>
> [1]: http://jasig.github.io/cas/4.1.x/protocol/SAML-Protocol.html
>
> On 20/09/15 at 03:38, Guillaume Chéramy wrote:
>> Hello,
>>
>> I have exactly the same problem. See my previous post "Aperao
>> CAS 4.1.0-RC2 with LDAP backend : Invalid Credential".
>>
>> Sincerely
>>
>> On 19/09/2015 15:29, Nicolás wrote:
>>> Hi,
>>>
>>> I'm having an issue configuring LDAP authentication on CAS 4.1.0.
>>> I must say I had this configuration working on 4.0.4, but for some
>>> reason, even when authenticating successfully against LDAP, CAS says
>>> the credentials are not right.
>>>
>>> This is what I did:
>>>
>>> 1) deployerConfigContext.xml: Inside the authenticationManager bean,
>>> this is the map defined:
>>> <constructor-arg>
>>>   <map>
>>>     <entry key-ref="proxyAuthenticationHandler"
>>>            value-ref="proxyPrincipalResolver" />
>>>     <entry key-ref="ldapAuthenticationHandler" value="#{null}" />
>>>   </map>
>>> </constructor-arg>
>>>
>>> 2) deployerConfigContext.xml: Copied and pasted the LDAP support
>>> direct bind
>>> (http://jasig.github.io/cas/4.1.x/installation/LDAP-Authentication.html#ldap-supporting-direct-bind)
>>> config, except that I removed the p:sslConfig-ref="sslConfig" part
>>> and the corresponding sslConfig bean, because I'm not using SSL over
>>> LDAP.
>>>
>>> 3) pom.xml: Added the corresponding dependency:
>>> <dependency>
>>>   <groupId>org.jasig.cas</groupId>
>>>   <artifactId>cas-server-support-ldap</artifactId>
>>>   <version>${cas.version}</version>
>>> </dependency>
>>>
>>> 4) cas.properties: I customized any needed properties, as I had it
>>> in my 4.0.4 working configuration.
>>>
>>> Now, I access /cas and authenticate, and CAS says the credentials
>>> are not right. I had a look at the authentication log and found
>>> the bind to be successful as far as LDAP goes, as you can see here:
>>>
>>> Sep 19 14:07:15 machine slapd[22970]: conn=1004 op=1 BIND
>>> anonymous mech=implicit ssf=0
>>> Sep 19 14:07:15 machine slapd[22970]: conn=1004 op=1 BIND
>>> dn="uid=myuser,cn=...,dc=...,dc=..." method=128
>>> Sep 19 14:07:15 machine slapd[22970]: conn=1004 op=1 BIND
>>> dn="uid=myuser,cn=...,dc=...,dc=..." mech=SIMPLE ssf=0
>>> Sep 19 14:07:15 machine slapd[22970]: conn=1004 op=1 RESULT
>>> tag=97 err=0 text=
>>>
>>> I decided to activate debugging as described on the
>>> Troubleshooting page of the LDAP configuration, and I see the following:
>>>
>>> 2015-09-19 14:07:15,636 DEBUG
>>> [org.ldaptive.auth.FormatDnResolver] - <Formatting DN for myuser
>>> with uid=%s,cn=...,dc=...,dc=...>
>>> 2015-09-19 14:07:15,637 DEBUG [org.ldaptive.auth.Authenticator]
>>> - <authenticate dn=uid=myuser,cn=...,dc=...,dc=... with
>>> request=[org.ldaptive.auth.AuthenticationRequest@954293603::user=myuser,
>>> retAttrs=[1.1]]>
>>> 2015-09-19 14:07:15,637 DEBUG
>>> [org.ldaptive.auth.PooledBindAuthenticationHandler] -
>>> <authenticate
>>>
>>> criteria=[org.ldaptive.auth.AuthenticationCriteria@1404709825::dn=uid=myuser,cn=...,dc=...,dc=...,
>>>
>>> authenticationRequest=[org.ldaptive.auth.AuthenticationRequest@954293603::user=myuser,
>>> retAttrs=[1.1]]]>
>>> 2015-09-19 14:07:15,639 DEBUG [org.ldaptive.BindOperation] -
>>> <execute
>>>
>>> request=[org.ldaptive.BindRequest@1670297304::bindDn=uid=myuser,cn=...,dc=...,dc=...,
>>> saslConfig=null, controls=null] with
>>>
>>> connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1313776513::config=[org.ldaptive.ConnectionConfig@257920952::ldapUrl=ldap://localhost,
>>> connectTimeout=3000, responseTimeout=-1, sslConfig=null,
>>> useSSL=false, useStartTLS=false, connectionInitializer=null],
>>>
>>> providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@972029714::metadata=[ldapUrl=ldap://localhost,
>>> count=1],
>>>
>>> environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
>>> com.sun.jndi.ldap.connect.timeout=3000,
>>> java.naming.ldap.version=3},
>>>
>>> providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@995300469::operationExceptionResultCodes=[PROTOCOL_ERROR,
>>> SERVER_DOWN], properties={},
>>>
>>> connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy@65f55fd2,
>>> controlProcessor=org.ldaptive.provider.ControlProcessor@5ae33587,
>>> environment=null,
>>> tracePackets=null, removeDnUrls=true,
>>> searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED,
>>> SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null,
>>> hostnameVerifier=null]],
>>> providerConnection=org.ldaptive.provider.jndi.JndiConnection@4b642bc0]>
>>> 2015-09-19 14:07:15,643 DEBUG [org.ldaptive.BindOperation] -
>>> <execute
>>> response=[org.ldaptive.Response@1182007988::result=null,
>>> resultCode=SUCCESS, message=null, matchedDn=null,
>>> responseControls=null, referralURLs=null, messageId=-1] for
>>>
>>> request=[org.ldaptive.BindRequest@1670297304::bindDn=uid=myuser,cn=...,dc=...,dc=...,
>>> saslConfig=null, controls=null] with
>>>
>>> connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1313776513::config=[org.ldaptive.ConnectionConfig@257920952::ldapUrl=ldap://localhost,
>>> connectTimeout=3000, responseTimeout=-1, sslConfig=null,
>>> useSSL=false, useStartTLS=false, connectionInitializer=null],
>>>
>>> providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@972029714::metadata=[ldapUrl=ldap://localhost,
>>> count=1],
>>>
>>> environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
>>> com.sun.jndi.ldap.connect.timeout=3000,
>>> java.naming.ldap.version=3},
>>>
>>> providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@995300469::operationExceptionResultCodes=[PROTOCOL_ERROR,
>>> SERVER_DOWN], properties={},
>>>
>>> connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy@65f55fd2,
>>> controlProcessor=org.ldaptive.provider.ControlProcessor@5ae33587,
>>> environment=null,
>>> tracePackets=null, removeDnUrls=true,
>>> searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED,
>>> SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null,
>>> hostnameVerifier=null]],
>>> providerConnection=org.ldaptive.provider.jndi.JndiConnection@4b642bc0]>
>>> 2015-09-19 14:07:15,645 DEBUG
>>> [org.ldaptive.auth.PooledBindAuthenticationHandler] -
>>> <authenticate
>>>
>>> response=[org.ldaptive.auth.AuthenticationHandlerResponse@1784519566::connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1313776513::config=[org.ldaptive.ConnectionConfig@257920952::ldapUrl=ldap://localhost,
>>> connectTimeout=3000, responseTimeout=-1, sslConfig=null,
>>> useSSL=false, useStartTLS=false, connectionInitializer=null],
>>>
>>> providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@972029714::metadata=[ldapUrl=ldap://localhost,
>>> count=1],
>>>
>>> environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
>>> com.sun.jndi.ldap.connect.timeout=3000,
>>> java.naming.ldap.version=3},
>>>
>>> providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@995300469::operationExceptionResultCodes=[PROTOCOL_ERROR,
>>> SERVER_DOWN], properties={},
>>>
>>> connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy@65f55fd2,
>>> controlProcessor=org.ldaptive.provider.ControlProcessor@5ae33587,
>>> environment=null,
>>> tracePackets=null, removeDnUrls=true,
>>> searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED,
>>> SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null,
>>> hostnameVerifier=null]],
>>> providerConnection=org.ldaptive.provider.jndi.JndiConnection@4b642bc0],
>>> result=true, resultCode=SUCCESS, message=null, controls=null]
>>> for
>>>
>>> criteria=[org.ldaptive.auth.AuthenticationCriteria@1404709825::dn=uid=myuser,cn=...,dc=...,dc=...,
>>>
>>> authenticationRequest=[org.ldaptive.auth.AuthenticationRequest@954293603::user=myuser,
>>> retAttrs=[1.1]]]>
>>> 2015-09-19 14:07:15,660 INFO [org.ldaptive.auth.Authenticator] -
>>> <Authentication succeeded for dn: uid=myuser,cn=...,dc=...,dc=...>
>>> 2015-09-19 14:07:15,662 DEBUG [org.ldaptive.auth.Authenticator]
>>> - <authenticate
>>>
>>> response=[org.ldaptive.auth.AuthenticationHandlerResponse@1784519566::connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1313776513::config=[org.ldaptive.ConnectionConfig@257920952::ldapUrl=ldap://localhost,
>>> connectTimeout=3000, responseTimeout=-1, sslConfig=null,
>>> useSSL=false, useStartTLS=false, connectionInitializer=null],
>>>
>>> providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@972029714::metadata=[ldapUrl=ldap://localhost,
>>> count=1],
>>>
>>> environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
>>> com.sun.jndi.ldap.connect.timeout=3000,
>>> java.naming.ldap.version=3},
>>>
>>> providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@995300469::operationExceptionResultCodes=[PROTOCOL_ERROR,
>>> SERVER_DOWN], properties={},
>>>
>>> connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy@65f55fd2,
>>> controlProcessor=org.ldaptive.provider.ControlProcessor@5ae33587,
>>> environment=null,
>>> tracePackets=null, removeDnUrls=true,
>>> searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED,
>>> SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null,
>>> hostnameVerifier=null]],
>>> providerConnection=org.ldaptive.provider.jndi.JndiConnection@4b642bc0],
>>> result=true, resultCode=SUCCESS, message=null, controls=null]
>>> for dn=uid=myuser,cn=...,dc=...,dc=... with
>>> request=[org.ldaptive.auth.AuthenticationRequest@954293603::user=myuser,
>>> retAttrs=[1.1]]>
>>> 2015-09-19 14:07:15,664 INFO
>>> [org.jasig.cas.authentication.PolicyBasedAuthenticationManager]
>>> - <LdapAuthenticationHandler failed authenticating myuser+password>
>>> 2015-09-19 14:07:15,665 INFO
>>> [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager]
>>> - <Audit trail record BEGIN
>>> =============================================================
>>> WHO: myuser+password
>>> WHAT: supplied credentials: [myuser+password]
>>> ACTION: AUTHENTICATION_FAILED
>>> APPLICATION: CAS
>>> WHEN: Sat Sep 19 14:07:15 WEST 2015
>>> CLIENT IP ADDRESS: 192.168.1.X
>>> SERVER IP ADDRESS: 192.168.1.X
>>> =============================================================
>>>
>>> >
>>> 2015-09-19 14:07:15,667 INFO
>>> [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager]
>>> - <Audit trail record BEGIN
>>> =============================================================
>>> WHO: myuser+password
>>> WHAT: 1 errors, 0 successes
>>> ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
>>> APPLICATION: CAS
>>> WHEN: Sat Sep 19 14:07:15 WEST 2015
>>> CLIENT IP ADDRESS: 192.168.1.X
>>> SERVER IP ADDRESS: 192.168.1.X
>>> =============================================================
>>>
>>>
>>> So if CAS says that the authentication succeeded at first, why does
>>> LdapAuthenticationHandler fail? Any hint will be very much appreciated,
>>> since I'm a bit lost right now.
>>>
>>> Thanks,
>>>
>>> Nicolás
>>> --
>>> You are currently subscribed to [email protected] as:
>>> [email protected]
>>> To unsubscribe, change settings or access archives, see
>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
>
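A triage script, added here as an example and not part of the thread or of CAS itself, that turns the diagnosis done by hand above into code. It reads slapd, ldaptive and CAS log lines of the shapes quoted in this thread (the sample below is a constructed, abridged copy of those lines, not a live capture) and reports two things a practitioner wants from such a log. First, users for whom ldaptive logged "Authentication succeeded" but PolicyBasedAuthenticationManager then logged the handler as failed within a short window; that localises the problem to the CAS handler or principal-resolution layer rather than to the LDAP bind, which is exactly the situation the original post describes. Second, binds that went over the wire unprotected, which the quoted log shows on both sides (mech=SIMPLE ssf=0 from slapd, ldap://localhost with useSSL=false and useStartTLS=false from ldaptive): a simple bind without LDAPS or StartTLS sends the user's password in cleartext, acceptable on a loopback test box but worth flagging before the same config reaches a network. The regexes match only the line formats visible in this thread, and the two-second correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: abridged copies of the slapd, ldaptive and CAS lines
# quoted in the thread (not a live capture), plus the later success line.
SAMPLE_LOG = """\
Sep 19 14:07:15 machine slapd[22970]: conn=1004 op=1 BIND dn="uid=myuser,cn=...,dc=...,dc=..." mech=SIMPLE ssf=0
Sep 19 14:07:15 machine slapd[22970]: conn=1004 op=1 RESULT tag=97 err=0 text=
2015-09-19 14:07:15,639 DEBUG [org.ldaptive.BindOperation] - <execute request=[org.ldaptive.BindRequest@1670297304::bindDn=uid=myuser,cn=...,dc=...,dc=..., saslConfig=null, controls=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1313776513::config=[org.ldaptive.ConnectionConfig@257920952::ldapUrl=ldap://localhost, connectTimeout=3000, responseTimeout=-1, sslConfig=null, useSSL=false, useStartTLS=false, connectionInitializer=null]]>
2015-09-19 14:07:15,660 INFO [org.ldaptive.auth.Authenticator] - <Authentication succeeded for dn: uid=myuser,cn=...,dc=...,dc=...>
2015-09-19 14:07:15,664 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler failed authenticating myuser+password>
2015-09-20 11:04:22,773 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler successfully authenticated myuser+password>
"""

# Line shapes taken from the thread; nothing else is recognised.
SLAPD_BIND = re.compile(r'slapd\[\d+\]: conn=(\d+) op=(\d+) BIND dn="([^"]*)" mech=(\w+) ssf=(\d+)')
SLAPD_RESULT = re.compile(r'slapd\[\d+\]: conn=(\d+) op=(\d+) RESULT tag=\d+ err=(\d+)')
LDAPTIVE_CONN = re.compile(r'ldapUrl=(ldaps?://[^,\]]+),.*?useSSL=(true|false), useStartTLS=(true|false)')
LDAPTIVE_OK = re.compile(r'^(\S+ \S+) INFO \[org\.ldaptive\.auth\.Authenticator\] - <Authentication succeeded for dn: (.+?)>')
CAS_HANDLER = re.compile(r'^(\S+ \S+) INFO \[org\.jasig\.cas\.authentication\.PolicyBasedAuthenticationManager\] - <(\w+) (failed authenticating|successfully authenticated) ([^+>]+)\+')


def _ts(text):
    # CAS/ldaptive timestamps look like "2015-09-19 14:07:15,664".
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S,%f")


def _uid(dn):
    # Map the bind DN back to the CAS username via its leading uid= RDN.
    m = re.match(r'uid=([^,]+)', dn)
    return m.group(1) if m else dn


def triage(log_text, window=timedelta(seconds=2)):
    """Scan mixed slapd/ldaptive/CAS lines; return findings keyed by category."""
    findings = {
        "cleartext_binds": [],     # (conn, op, dn): simple bind with ssf=0
        "slapd_results": {},       # "conn/op" -> LDAP result code
        "plaintext_urls": [],      # ldap:// with neither LDAPS nor StartTLS
        "ldap_ok_cas_failed": [],  # (user, handler): backend OK, CAS rejected
        "cas_ok": [],              # users CAS accepted
    }
    last_ldap_ok = {}  # uid -> time of the last ldaptive success
    for line in log_text.splitlines():
        m = SLAPD_BIND.search(line)
        if m:
            conn, op, dn, mech, ssf = m.groups()
            if mech == "SIMPLE" and ssf == "0":
                findings["cleartext_binds"].append((conn, op, dn))
            continue
        m = SLAPD_RESULT.search(line)
        if m:
            conn, op, err = m.groups()
            findings["slapd_results"][f"{conn}/{op}"] = int(err)
            continue
        m = LDAPTIVE_CONN.search(line)
        if m:
            url, ssl, starttls = m.groups()
            if url.startswith("ldap://") and ssl == "false" and starttls == "false":
                if url not in findings["plaintext_urls"]:
                    findings["plaintext_urls"].append(url)
            continue
        m = LDAPTIVE_OK.match(line)
        if m:
            last_ldap_ok[_uid(m.group(2))] = _ts(m.group(1))
            continue
        m = CAS_HANDLER.match(line)
        if m:
            ts, handler, verdict, user = m.groups()
            if verdict.startswith("successfully"):
                findings["cas_ok"].append(user)
            else:
                seen = last_ldap_ok.get(user)
                # Bind succeeded moments earlier, yet the handler failed:
                # the fault is above the LDAP layer.
                if seen is not None and _ts(ts) - seen <= window:
                    findings["ldap_ok_cas_failed"].append((user, handler))
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the concatenated slapd and CAS logs for the failing login window; an entry under ldap_ok_cas_failed means the LDAP bind is not the thing to debug next, and any entry under cleartext_binds or plaintext_urls is a reminder that the sslConfig bean dropped in step 2 above is what would have put LDAPS or StartTLS on that connection.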