|
Jin, Your contextSource bean is configured with the anonymousReadOnly property set to true. I think this means that the LDAP search will be performed "anonymously" without using the username and password properties that you have also provided. Can you try to set anonymousReadOnly to false and test again? Also, your LDAP search is for the "uid" attribute. Can you make sure that this is the correct attribute to search for? I am asking because I am not sure that AD has that attribute populated by default. Adam auron wrote: Hi Andrew, Thanks for the reply. Here is my latest deployerConfigContext:<?xml version="1.0" encoding="UTF-8"?> <!-- | deployerConfigContext.xml centralizes into one file some of the declarative configuration that | all CAS deployers will need to modify. | | This file declares some of the Spring-managed JavaBeans that make up a CAS deployment. | The beans declared in this file are instantiated at context initialization time by the Spring | ContextLoaderListener declared in web.xml. It finds this file because this | file is among those declared in the context parameter "contextConfigLocation". | | By far the most common change you will need to make in this file is to change the last bean | declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with | one implementing your approach for authenticating usernames and passwords. +--> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd"> <!-- | This bean declares our AuthenticationManager. The CentralAuthenticationService service bean | declared in applicationContext.xml picks up this AuthenticationManager by reference to its id, | "authenticationManager". Most deployers will be able to use the default AuthenticationManager | implementation and so do not need to change the class of this bean. We include the whole | AuthenticationManager here in the userConfigContext.xml so that you can see the things you will | need to change in context. +--> <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl"> <!-- | This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate. | The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which | supports the presented credentials. | | AuthenticationManagerImpl uses these resolvers for two purposes. First, it uses them to identify the Principal | attempting to authenticate to CAS /login . In the default configuration, it is the DefaultCredentialsToPrincipalResolver | that fills this role. If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace | DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are | using. | | Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket. | In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose. | You will need to change this list if you are identifying services by something more or other than their callback URL. +--> <property name="credentialsToPrincipalResolvers"> <list> <!-- | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login | by default and produces SimplePrincipal instances conveying the username from the credentials. | | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the | Credentials you are using. +--> <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" /> <!-- | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials. It supports the CAS 2.0 approach of | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a | SimpleService identified by that callback URL. | | If you are representing services by something more or other than an HTTPS URL whereat they are able to | receive a proxy callback, you will need to change this bean declaration (or add additional declarations). +--> <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" /> </list> </property> <!-- | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate, | AuthenticationHandlers actually authenticate credentials. Here we declare the AuthenticationHandlers that | authenticate the Principals that the CredentialsToPrincipalResolvers identified. CAS will try these handlers in turn | until it finds one that both supports the Credentials presented and succeeds in authenticating. +--> <property name="authenticationHandlers"> <list> <!-- | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating | a server side SSL certificate. +--> <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:httpClient-ref="httpClient" /> <!-- | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your | local authentication strategy. You might accomplish this by coding a new such handler and declaring | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules. +--> <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"> <property name="filter" value="uid=%u"/> <property name="searchBase" value="ou=[removed],dc=[removed],dc=[removed],dc=[removed]"/> <property name="contextSource" ref="contextSource"/> </bean> </list> </property> </bean> <bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource"> <property name="anonymousReadOnly" value="true"/> <property name="pooled" value="true"/> <property name="urls"> <list> <value>ldap://[removed]:389</value> </list> </property> <property name="userName" value="cn=[removed],cn=Users,dc=[removed],dc=[removed]"/> <property name="password" value="[removed]"/> <property name="baseEnvironmentProperties"> <map> <entry> <key> <value>java.naming.security.authentication</value> </key> <value>simple</value> </entry> </map> </property> </bean> <!-- This bean defines the security roles for the Services Management application. Simple deployments can use the in-memory version. More robust deployments will want to use another option, such as the Jdbc version. The name of this should remain "userDetailsService" in order for Acegi to find it. To use this, you should add an entry similar to the following between the two value tags: battags=notused,ROLE_ADMIN where battags is the username you want to grant access to. You can put one entry per line. --> <bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl"> <property name="userMap"> <value> </value> </property> </bean> <!-- Bean that defines the attributes that a service may return. This example uses the Stub/Mock version. A real implementation may go against a database or LDAP server. The id should remain "attributeRepository" though. --> <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao"> <property name="backingMap"> <map> <entry key="uid" value="uid" /> </map> </property> </bean> <!-- Sample, in-memory data store for the ServiceRegistry. A real implementation would probably want to replace this with the JPA-backed ServiceRegistry DAO The name of this bean should remain "serviceRegistryDao". --> <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" /> </beans> Thanks again for any insight, Jin Lee Andrew R Feller wrote:Please post your deployerContext.xml file. Andrew R Feller, Analyst University Information Systems 200 Fred Frey Building Louisiana State University Baton Rouge, LA, 70803 (225) 578-3737 (office) ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jin Lee Sent: Monday, December 10, 2007 1:04 PM To: [email protected] Subject: LDAP not working, please advise Hello everyone, First off, thank you for the hard work in writing and maintaining CAS. From what I have seen so far it looks great. I have been trying to get CAS and LDAP working together but after 6 days of being stuck, I am hoping someone here can provide me with some insight. I am in a Windows 2003 environment, Java 6 Update 3, Tomcat 5.5. I've setup Tomcat w/ SSL using the self signed cert (keytool), and verified tomcat is up w/ SSL I've included the ldap jar dependency in my pom and built the cas war. Copied the war into tomcat/webapps and did a test deployment (verified the SimpleUsernamePassword to be working) Modified the deployerConfigContext to use LDAP (note: I've tried both FastBind and regular Bind and both have the same problem, defined below) The problem I am experiencing is well, aside from a brief message saying that CAS could not validate, I don't get much else. I've checked my tomcat logs, changed the logger to DEBUG, and I can't seem to get any significant messages indicating whether the LDAP server connection was successful. This is leading me to believe I am doing something wrong outside of LDAP, but I don't know what it is. Here is the log file output: 2007-12-10 10:47:01,611 DEBUG [org.jasig.cas.web.flow.Initial FlowSetupAction] - <Action 'InitialFlowSetupAction' beginning execution> 2007-12-10 10:47:01,611 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Setting ContextPath for cookies to: /cas> 2007-12-10 10:47:01,627 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Action 'InitialFlowSetupAction' completed execution; result is 'success'> 2007-12-10 10:47:01,642 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Action 'AuthenticationViaFormAction' beginning execution> 2007-12-10 10:47:01,642 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Executing setupForm> 2007-12-10 10:47:01,642 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Creating new form object with name 'credentials'> 2007-12-10 10:47:01,642 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Creating new instance of form object class [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials ]> 2007-12-10 10:47:01,642 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Putting form object of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow with name 'credentials'> 2007-12-10 10:47:01,642 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Creating new form errors for object with name 'credentials'> 2007-12-10 10:47:01,658 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <No property editor registrar set, no custom editors to register> 2007-12-10 10:47:01,658 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction ] - <Putting form errors instance in scope Flash> 2007-12-10 10:47:01,658 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Action 'AuthenticationViaFormAction' completed execution; result is 'success'> 2007-12-10 10:47:01,658 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Action 'AuthenticationViaFormAction' beginning execution> 2007-12-10 10:47:01,658 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction ] - <Action 'AuthenticationViaFormAction' completed execution; result is 'success'> 2007-12-10 10:47:07,017 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Action 'AuthenticationViaFormAction' beginning execution> 2007-12-10 10:47:07,017 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Executing bind> 2007-12-10 10:47:07,017 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Found existing form object with name 'credentials' of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow> 2007-12-10 10:47:07,017 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction ] - <No property editor registrar set, no custom editors to register> 2007-12-10 10:47:07,017 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Binding allowed request parameters in map['lt' -> '_cB59CE041-38DB-EFCE-F712-75D2FCEBE2C2_k31A0F302-F07F-C630-2113-C14D2C0 209F6', '_eventId' -> 'submit', 'null' -> '', 'password' -> 'testpass', 'submit' -> 'LOGIN', 'username' -> 'jlee'] to form object with name 'credentials', pre-bind formObject toString = null> 2007-12-10 10:47:07,017 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction ] - <(Any field is allowed)> 2007-12-10 10:47:07,033 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Binding completed for form object with name 'credentials', post-bind formObject toString = jlee> 2007-12-10 10:47:07,033 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <There are [0] errors, details: []> 2007-12-10 10:47:07,033 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction ] - <Executing validation> 2007-12-10 10:47:07,033 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Invoking validator [EMAIL PROTECTED] > 2007-12-10 10:47:07,033 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Validation completed for form object> 2007-12-10 10:47:07,033 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction ] - <There are [0] errors, details: []> 2007-12-10 10:47:07,033 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Putting form errors instance in scope Flash> 2007-12-10 10:47:07,033 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Action 'AuthenticationViaFormAction' completed execution; result is 'success'> 2007-12-10 10:47:07,033 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction ] - <Action 'AuthenticationViaFormAction' beginning execution> 2007-12-10 10:47:07,033 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Found existing form object with name 'credentials' of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow> 2007-12-10 10:47:07,033 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - <Attempting to create TicketGrantingTicket for jlee> 2007-12-10 10:47:07,049 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler failed to authenticate the user which provided the following credentials: jlee> 2007-12-10 10:47:07,049 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Found existing form object with name 'credentials' of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials ] in scope Flow> 2007-12-10 10:47:07,049 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <No property editor registrar set, no custom editors to register> 2007-12-10 10:47:07,049 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Action 'AuthenticationViaFormAction' completed execution; result is 'error'> 2007-12-10 10:47:07,049 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction ] - <Action 'AuthenticationViaFormAction' beginning execution> 2007-12-10 10:47:07,049 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Executing setupForm> 2007-12-10 10:47:07,049 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Found existing form object with name 'credentials' of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow> 2007-12-10 10:47:07,049 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <No property editor registrar set, no custom editors to register> 2007-12-10 10:47:07,049 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction ] - <Action 'AuthenticationViaFormAction' completed execution; result is 'success'> 2007-12-10 10:47:07,049 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Action 'AuthenticationViaFormAction' beginning execution> 2007-12-10 10:47:07,049 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Action 'AuthenticationViaFormAction' completed execution; result is 'success'> 2007-12-10 10:47:16,143 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Starting cleaning of expired tickets from ticket registry at [Mon Dec 10 10:47:16 PST 2007]> 2007-12-10 10:47:16,158 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner ] - <0 found to be removed. Removing now.> 2007-12-10 10:47:16,158 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Finished cleaning of expired tickets from ticket registry at [Mon Dec 10 10:47:16 PST 2007]> If anyone can give me some sort of guidance or point me in the right directly, it would be greatly appreciated. Thank you very much, Jin Lee _______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas |
begin:vcard fn:Adam Rybicki n:Rybicki;Adam org:Unicon, Inc.;Professional Services adr:Suite 113;;3140 North Arizona Avenue;Chandler;AZ;85225;United States email;internet:[EMAIL PROTECTED] tel;work:+1-480-558-2400 tel;home:+1-310-265-8286 tel;cell:+1-310-980-2758 x-mozilla-html:FALSE url:http://www.unicon.net/ version:2.1 end:vcard
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
