Hi Adam - 

Thanks!! I got it to work! You were right on the money; it took both changes
to make it work. I changed:

uid=%u to sAMAccountName=%u (I think maybe the AD server is not 2003 but
Win 2000) and
anonymousReadOnly = false

Thank you so much for the advice! 

Jin


Adam Rybicki wrote:
> 
> Jin, 
> 
> Your contextSource bean is configured with the anonymousReadOnly property
> set to true. I think this means that the LDAP search will be performed
> "anonymously" without using the username and password properties that you
> have also provided. Can you try to set anonymousReadOnly to false and test
> again? Also, your LDAP search is for the "uid" attribute. Can you make sure
> that this is the correct attribute to search for? I am asking because I am
> not sure that AD has that attribute populated by default.
> 
> Adam 
> 
> auron wrote:
> 
> Hi Andrew,
> 
> Thanks for the reply. Here is my latest deployerConfigContext:
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <!--
>     | deployerConfigContext.xml centralizes into one file some of the declarative
>     | configuration that all CAS deployers will need to modify.
>     |
>     | This file declares some of the Spring-managed JavaBeans that make up a CAS
>     | deployment. The beans declared in this file are instantiated at context
>     | initialization time by the Spring ContextLoaderListener declared in
>     | web.xml. It finds this file because this file is among those declared in
>     | the context parameter "contextConfigLocation".
>     |
>     | By far the most common change you will need to make in this file is to
>     | change the last bean declaration to replace the default
>     | SimpleTestUsernamePasswordAuthenticationHandler with one implementing your
>     | approach for authenticating usernames and passwords.
>     +-->
> <beans xmlns="http://www.springframework.org/schema/beans"
>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>        xmlns:p="http://www.springframework.org/schema/p"
>        xsi:schemaLocation="http://www.springframework.org/schema/beans
>                            http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
>     <!--
>         | This bean declares our AuthenticationManager. The
>         | CentralAuthenticationService service bean declared in
>         | applicationContext.xml picks up this AuthenticationManager by
>         | reference to its id, "authenticationManager". Most deployers will be
>         | able to use the default AuthenticationManager implementation and so
>         | do not need to change the class of this bean. We include the whole
>         | AuthenticationManager here in the userConfigContext.xml so that you
>         | can see the things you will need to change in context.
>         +-->
>     <bean id="authenticationManager"
>           class="org.jasig.cas.authentication.AuthenticationManagerImpl">
>         <!--
>             | This is the List of CredentialToPrincipalResolvers that identify
>             | what Principal is trying to authenticate. The
>             | AuthenticationManagerImpl considers them in order, finding a
>             | CredentialToPrincipalResolver which supports the presented
>             | credentials.
>             |
>             | AuthenticationManagerImpl uses these resolvers for two purposes.
>             | First, it uses them to identify the Principal attempting to
>             | authenticate to CAS /login. In the default configuration, it is
>             | the DefaultCredentialsToPrincipalResolver that fills this role.
>             | If you are using some other kind of credentials than
>             | UsernamePasswordCredentials, you will need to replace
>             | DefaultCredentialsToPrincipalResolver with a
>             | CredentialsToPrincipalResolver that supports the credentials you
>             | are using.
>             |
>             | Second, AuthenticationManagerImpl uses these resolvers to
>             | identify a service requesting a proxy granting ticket. In the
>             | default configuration, it is the
>             | HttpBasedServiceCredentialsToPrincipalResolver that serves this
>             | purpose. You will need to change this list if you are
>             | identifying services by something more or other than their
>             | callback URL.
>             +-->
>         <property name="credentialsToPrincipalResolvers">
>             <list>
>                 <!--
>                     | UsernamePasswordCredentialsToPrincipalResolver supports
>                     | the UsernamePasswordCredentials that we use for /login by
>                     | default and produces SimplePrincipal instances conveying
>                     | the username from the credentials.
>                     |
>                     | If you've changed your LoginFormAction to use credentials
>                     | other than UsernamePasswordCredentials then you will also
>                     | need to change this bean declaration (or add additional
>                     | declarations) to declare a CredentialsToPrincipalResolver
>                     | that supports the Credentials you are using.
>                     +-->
>                 <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>                 <!--
>                     | HttpBasedServiceCredentialsToPrincipalResolver supports
>                     | HttpBasedCredentials. It supports the CAS 2.0 approach of
>                     | authenticating services by SSL callback, extracting the
>                     | callback URL from the Credentials and representing it as
>                     | a SimpleService identified by that callback URL.
>                     |
>                     | If you are representing services by something more or
>                     | other than an HTTPS URL whereat they are able to receive
>                     | a proxy callback, you will need to change this bean
>                     | declaration (or add additional declarations).
>                     +-->
>                 <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
>             </list>
>         </property>
> 
>         <!--
>             | Whereas CredentialsToPrincipalResolvers identify who it is some
>             | Credentials might authenticate, AuthenticationHandlers actually
>             | authenticate credentials. Here we declare the
>             | AuthenticationHandlers that authenticate the Principals that the
>             | CredentialsToPrincipalResolvers identified. CAS will try these
>             | handlers in turn until it finds one that both supports the
>             | Credentials presented and succeeds in authenticating.
>             +-->
>         <property name="authenticationHandlers">
>             <list>
>                 <!--
>                     | This is the authentication handler that authenticates
>                     | services by means of callback via SSL, thereby validating
>                     | a server side SSL certificate.
>                     +-->
>                 <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
>                       p:httpClient-ref="httpClient" />
>                 <!--
>                     | This is the authentication handler declaration that every
>                     | CAS deployer will need to change before deploying CAS
>                     | into production. The default
>                     | SimpleTestUsernamePasswordAuthenticationHandler
>                     | authenticates UsernamePasswordCredentials where the
>                     | username equals the password. You will need to replace
>                     | this with an AuthenticationHandler that implements your
>                     | local authentication strategy. You might accomplish this
>                     | by coding a new such handler and declaring
>                     | edu.someschool.its.cas.MySpecialHandler here, or you
>                     | might use one of the handlers provided in the adaptors
>                     | modules.
>                     +-->
>                 <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
>                     <property name="filter" value="uid=%u"/>
>                     <property name="searchBase"
>                               value="ou=[removed],dc=[removed],dc=[removed],dc=[removed]"/>
>                     <property name="contextSource" ref="contextSource"/>
>                 </bean>
>             </list>
>         </property>
>     </bean>
>     <bean id="contextSource"
>           class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
>         <property name="anonymousReadOnly" value="true"/>
>         <property name="pooled" value="true"/>
>         <property name="urls">
>             <list>
>                 <value>ldap://[removed]:389</value>
>             </list>
>         </property>
>         <property name="userName"
>                   value="cn=[removed],cn=Users,dc=[removed],dc=[removed]"/>
>         <property name="password" value="[removed]"/>
>         <property name="baseEnvironmentProperties">
>             <map>
>                 <entry>
>                     <key>
>                         <value>java.naming.security.authentication</value>
>                     </key>
>                     <value>simple</value>
>                 </entry>
>             </map>
>         </property>
>     </bean>
>     <!--
>     This bean defines the security roles for the Services Management
>     application. Simple deployments can use the in-memory version.
>     More robust deployments will want to use another option, such as the
>     Jdbc version.
> 
>     The name of this should remain "userDetailsService" in order for Acegi
>     to find it.
> 
>     To use this, you should add an entry similar to the following between
>     the two value tags:
>     battags=notused,ROLE_ADMIN
> 
>     where battags is the username you want to grant access to. You can put
>     one entry per line.
>     -->
>     <bean id="userDetailsService"
>           class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
>         <property name="userMap">
>             <value>
>             </value>
>         </property>
>     </bean>
> 
>     <!--
>     Bean that defines the attributes that a service may return. This
>     example uses the Stub/Mock version. A real implementation may go
>     against a database or LDAP server. The id should remain
>     "attributeRepository" though.
>     -->
>     <bean id="attributeRepository"
>           class="org.jasig.services.persondir.support.StubPersonAttributeDao">
>         <property name="backingMap">
>             <map>
>                 <entry key="uid" value="uid" />
>             </map>
>         </property>
>     </bean>
>     <!--
>     Sample, in-memory data store for the ServiceRegistry. A real
>     implementation would probably want to replace this with the JPA-backed
>     ServiceRegistry DAO. The name of this bean should remain
>     "serviceRegistryDao".
>     -->
>     <bean id="serviceRegistryDao"
>           class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />
> </beans>
> 
> 
> Thanks again for any insight,
> Jin Lee
> 
> 
> 
> Andrew R Feller wrote:
> 
> Please post your deployerContext.xml file.
> 
> Andrew R Feller, Analyst
> 
> University Information Systems
> 
> 200 Fred Frey Building
> 
> Louisiana State University
> 
> Baton Rouge, LA, 70803
> 
> (225) 578-3737 (office)
> 
> ________________________________
> 
> From: [EMAIL PROTECTED]  [ mailto:[EMAIL PROTECTED] ]
> On Behalf Of Jin Lee
> Sent: Monday, December 10, 2007 1:04 PM
> To: [email protected] 
> Subject: LDAP not working, please advise
> 
>  
> 
> Hello everyone,
> 
> First off, thank you for the hard work in writing and maintaining CAS. From
> what I have seen so far it looks great. I have been trying to get CAS and
> LDAP working together but after 6 days of being stuck, I am hoping someone
> here can provide me with some insight.
> 
> I am in a Windows 2003 environment, Java 6 Update 3, Tomcat 5.5.
> 
> I've set up Tomcat w/ SSL using the self-signed cert (keytool), and verified
> Tomcat is up w/ SSL.
> I've included the ldap jar dependency in my pom and built the cas war.
> Copied the war into tomcat/webapps and did a test deployment (verified the
> SimpleUsernamePassword to be working).
> Modified the deployerConfigContext to use LDAP (note: I've tried both
> FastBind and regular Bind and both have the same problem, defined below).
> 
> The problem I am experiencing is, well, aside from a brief message saying
> that CAS could not validate, I don't get much else. I've checked my Tomcat
> logs, changed the logger to DEBUG, and I can't seem to get any significant
> messages indicating whether the LDAP server connection was successful. This
> is leading me to believe I am doing something wrong outside of LDAP, but I
> don't know what it is.
> 
> Here is the log file output:
> 
> 2007-12-10 10:47:01,611 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Action 'InitialFlowSetupAction' beginning execution>
> 2007-12-10 10:47:01,611 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Setting ContextPath for cookies to: /cas>
> 2007-12-10 10:47:01,627 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Action 'InitialFlowSetupAction' completed execution; result is 'success'>
> 2007-12-10 10:47:01,642 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Action 'AuthenticationViaFormAction' beginning execution>
> 2007-12-10 10:47:01,642 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Executing setupForm>
> 2007-12-10 10:47:01,642 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Creating new form object with name 'credentials'>
> 2007-12-10 10:47:01,642 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Creating new instance of form object class [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials]>
> 2007-12-10 10:47:01,642 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Putting form object of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow with name 'credentials'>
> 2007-12-10 10:47:01,642 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Creating new form errors for object with name 'credentials'>
> 2007-12-10 10:47:01,658 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <No property editor registrar set, no custom editors to register>
> 2007-12-10 10:47:01,658 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Putting form errors instance in scope Flash>
> 2007-12-10 10:47:01,658 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Action 'AuthenticationViaFormAction' completed execution; result is 'success'>
> 2007-12-10 10:47:01,658 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Action 'AuthenticationViaFormAction' beginning execution>
> 2007-12-10 10:47:01,658 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Action 'AuthenticationViaFormAction' completed execution; result is 'success'>
> 2007-12-10 10:47:07,017 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Action 'AuthenticationViaFormAction' beginning execution>
> 2007-12-10 10:47:07,017 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Executing bind>
> 2007-12-10 10:47:07,017 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Found existing form object with name 'credentials' of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow>
> 2007-12-10 10:47:07,017 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <No property editor registrar set, no custom editors to register>
> 2007-12-10 10:47:07,017 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Binding allowed request parameters in map['lt' -> '_cB59CE041-38DB-EFCE-F712-75D2FCEBE2C2_k31A0F302-F07F-C630-2113-C14D2C0209F6', '_eventId' -> 'submit', 'null' -> '', 'password' -> 'testpass', 'submit' -> 'LOGIN', 'username' -> 'jlee'] to form object with name 'credentials', pre-bind formObject toString = null>
> 2007-12-10 10:47:07,017 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <(Any field is allowed)>
> 2007-12-10 10:47:07,033 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Binding completed for form object with name 'credentials', post-bind formObject toString = jlee>
> 2007-12-10 10:47:07,033 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <There are [0] errors, details: []>
> 2007-12-10 10:47:07,033 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Executing validation>
> 2007-12-10 10:47:07,033 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Invoking validator [EMAIL PROTECTED]>
> 2007-12-10 10:47:07,033 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Validation completed for form object>
> 2007-12-10 10:47:07,033 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <There are [0] errors, details: []>
> 2007-12-10 10:47:07,033 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Putting form errors instance in scope Flash>
> 2007-12-10 10:47:07,033 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Action 'AuthenticationViaFormAction' completed execution; result is 'success'>
> 2007-12-10 10:47:07,033 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Action 'AuthenticationViaFormAction' beginning execution>
> 2007-12-10 10:47:07,033 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Found existing form object with name 'credentials' of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow>
> 2007-12-10 10:47:07,033 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - <Attempting to create TicketGrantingTicket for jlee>
> 2007-12-10 10:47:07,049 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler failed to authenticate the user which provided the following credentials: jlee>
> 2007-12-10 10:47:07,049 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Found existing form object with name 'credentials' of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow>
> 2007-12-10 10:47:07,049 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <No property editor registrar set, no custom editors to register>
> 2007-12-10 10:47:07,049 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Action 'AuthenticationViaFormAction' completed execution; result is 'error'>
> 2007-12-10 10:47:07,049 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Action 'AuthenticationViaFormAction' beginning execution>
> 2007-12-10 10:47:07,049 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Executing setupForm>
> 2007-12-10 10:47:07,049 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Found existing form object with name 'credentials' of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow>
> 2007-12-10 10:47:07,049 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <No property editor registrar set, no custom editors to register>
> 2007-12-10 10:47:07,049 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Action 'AuthenticationViaFormAction' completed execution; result is 'success'>
> 2007-12-10 10:47:07,049 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Action 'AuthenticationViaFormAction' beginning execution>
> 2007-12-10 10:47:07,049 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Action 'AuthenticationViaFormAction' completed execution; result is 'success'>
> 2007-12-10 10:47:16,143 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Starting cleaning of expired tickets from ticket registry at [Mon Dec 10 10:47:16 PST 2007]>
> 2007-12-10 10:47:16,158 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <0 found to be removed. Removing now.>
> 2007-12-10 10:47:16,158 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Finished cleaning of expired tickets from ticket registry at [Mon Dec 10 10:47:16 PST 2007]>
> 
> 
> 
> If anyone can give me some sort of guidance or point me in the right
> direction, it would be greatly appreciated. Thank you very much,
> 
> Jin Lee
> 
> 
> _______________________________________________
> Yale CAS mailing list
> [email protected] 
> http://tp.its.yale.edu/mailman/listinfo/cas 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/LDAP-not-working%2C-please-advise-tp14259540p14262492.html
Sent from the CAS Users mailing list archive at Nabble.com.
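Added example, not code from the thread or from the CAS project: a search-then-bind routine modelled on the BindLdapAuthenticationHandler flow the bean configures, run against a constructed in-memory directory so it works offline. It shows why both of Jin's changes were needed: with anonymousReadOnly left at true the search is attempted without the userName/password properties and the (simulated) domain controller refuses it; with the bind fixed but the filter still uid=%u the search runs but matches nothing, because the simulated entries carry sAMAccountName and no uid, as Adam suspected. The simulated AD behaviour, the DNs, the usernames and the passwords are all assumptions, not facts from the thread. The %u substitution also escapes the username per RFC 4515 so a value like `jlee)(objectClass=*` cannot reshape the filter; the thread does not show whether the CAS version in use does this itself, so treat it as an added check.

```python
"""Search-then-bind authentication modelled on the CAS BindLdapAuthenticationHandler
flow in this thread, run against a constructed in-memory directory (no network).

Assumptions that are NOT from the thread: the directory stand-in refuses
anonymous searches, as an AD domain controller does by default, and its user
entries carry sAMAccountName but no uid; DNs, usernames and passwords are made up.
"""
import re

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before it is spliced into a search filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_filter(template: str, username: str) -> str:
    """Expand the %u placeholder used by the CAS 'filter' property."""
    return template.replace("%u", escape_filter_value(username))

def unescape_filter_value(value: str) -> str:
    """Reverse RFC 4515 hex escapes (backslash followed by two hex digits)."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_equality_filter(filt: str):
    """Accept a single 'attr=value' or '(attr=value)' equality filter, nothing else."""
    m = re.fullmatch(r"\(?([A-Za-z][\w-]*)=([^()*]*)\)?", filt)
    if not m:
        raise ValueError(f"unsupported filter: {filt!r}")
    return m.group(1).lower(), unescape_filter_value(m.group(2))

class DirectoryError(Exception):
    """Stands in for the NamingException / LDAP result code a real server returns."""

class FakeActiveDirectory:
    """Constructed stand-in for a Windows domain controller (see module docstring)."""

    def __init__(self, entries):
        self.entries = entries  # dn -> {"attrs": {lower-case name: value}, "password": str}

    def bind(self, dn, password):
        entry = self.entries.get(dn)
        if entry is None or entry["password"] != password:
            raise DirectoryError("invalidCredentials (49)")

    def search(self, bind_dn, bind_pw, base, filt):
        if not bind_dn:  # simulated AD default: no anonymous searches below the rootDSE
            raise DirectoryError("operationsError (1): a successful bind must be "
                                 "completed on the connection")
        self.bind(bind_dn, bind_pw)
        attr, value = parse_equality_filter(filt)
        return [dn for dn, entry in self.entries.items()
                if dn.lower().endswith("," + base.lower())
                and entry["attrs"].get(attr, "").lower() == value.lower()]

def authenticate(directory, cfg, username, password):
    """Search for the user's DN, then bind as that DN with the submitted password.
    Returns (ok, detail); the detail is what the CAS log line in the thread omits."""
    filt = build_filter(cfg["filter"], username)
    # anonymousReadOnly=true: the userName/password properties are not used for the search.
    search_dn, search_pw = (None, None) if cfg["anonymousReadOnly"] \
        else (cfg["userName"], cfg["password"])
    try:
        matches = directory.search(search_dn, search_pw, cfg["searchBase"], filt)
    except DirectoryError as exc:
        return False, f"search as {search_dn or 'anonymous'} failed: {exc}"
    if len(matches) != 1:
        return False, f"expected exactly one entry for {filt!r}, got {len(matches)}"
    try:
        directory.bind(matches[0], password)
    except DirectoryError as exc:
        return False, f"bind as {matches[0]} failed: {exc}"
    return True, matches[0]

# Constructed sample data: one service account and one user (no uid attribute anywhere).
DIRECTORY = FakeActiveDirectory({
    "cn=cas-svc,cn=Users,dc=example,dc=edu":
        {"attrs": {"samaccountname": "cas-svc"}, "password": "svc-secret"},
    "cn=Jin Lee,ou=Staff,dc=example,dc=edu":
        {"attrs": {"samaccountname": "jlee", "displayname": "Jin Lee"}, "password": "correct horse"},
})

# Handler/contextSource properties as posted, then with both of Jin's changes applied.
AS_POSTED = {"filter": "uid=%u", "searchBase": "ou=Staff,dc=example,dc=edu",
             "anonymousReadOnly": True,
             "userName": "cn=cas-svc,cn=Users,dc=example,dc=edu", "password": "svc-secret"}
FIXED = dict(AS_POSTED, filter="sAMAccountName=%u", anonymousReadOnly=False)

if __name__ == "__main__":
    for label, cfg in [("as posted", AS_POSTED),
                       ("bind fixed only", dict(AS_POSTED, anonymousReadOnly=False)),
                       ("both changes", FIXED)]:
        print(f"{label:16} -> {authenticate(DIRECTORY, cfg, 'jlee', 'correct horse')}")
```

Running it prints the refused anonymous search for the posted configuration, "got 0" for the variant with only the bind fixed, and the user's DN once both changes are in, which is the pair of symptoms the thread works through. Two things the posted material shows that the fix does not address: the AuthenticationViaFormAction DEBUG line binds 'password' -> 'testpass' into the log in clear, so that logger should not stay at DEBUG in production, and the context source points at ldap://[removed]:389 with java.naming.security.authentication=simple, so the service-account bind and every user bind cross the wire unencrypted unless the URL is changed to ldaps:// or StartTLS is used.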
