I think I can write a document on how to set up a development
environment with FedoraCore+CAS+OpenLDAP+openssl. Which catalog in the
wiki should I put it into?

Regards,

Shi Yusen/Beijing Langhua Ltd.


On Monday, 2008-01-14 at 23:16 -0800, Sara_Abasi wrote:
> Hi Scott,
> 
> thanks for your help. The certificate is not signed commercially and I have
> added the certificate to my JVM's cacerts file according to
> http://www.ja-sig.org/wiki/display/CASUM/Demo
> 
> keytool -import -file server.crt -keypass changeit -keystore
> ..\jre\lib\security\cacerts
> 
> My LDAP server is actually a Microsoft Active Directory (Windows 2003
> Server). It accepts connections on port 389 and 636 (tested with telnet).
> But actually I'm not sure if SSL is really supported, so I tried connecting
> to it without SSL but I got the following exception:
> 
> 2008-01-15 10:26:52,582 ERROR
> [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/cas].[cas]]
> - <Servlet.service() for servlet cas threw exception>
> javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308:
> LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
> 
> This is my configuration without the ssl option:
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE beans PUBLIC  "-//SPRING//DTD BEAN//EN"
> "http://www.springframework.org/dtd/spring-beans.dtd">
> <beans>
>       <bean id="authenticationManager"
>               class="org.jasig.cas.authentication.AuthenticationManagerImpl">
>               <property name="credentialsToPrincipalResolvers">
>                       <list>
>                               <bean
>                               
> class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"
> />
>                               <bean
>                               
> class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver"
> />
>                       </list>
>               </property>
>               <property name="authenticationHandlers">
>                       <list>                          
>                               <bean
>                               
> class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
>                                       <property
>                                               name="httpClient"
>                                               ref="httpClient" />
>                               </bean>                           
>                  <bean
> class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
>                                       <property name="filter" value="uid=%u" 
> />
>                                       <property name="searchBase" 
> value="cn=Users,dc=test,dc=net" />
>                                       <property name="contextSource" 
> ref="contextSource" />
>                     <property name="ignorePartialResultException"
> value="yes" /> 
>                               </bean>
>                       </list>
>               </property>
>       </bean>
> <bean id="contextSource"
> class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
>  <property name="password" value="{123}"/>
> <property name="pooled" value="true" />
>  <property name="urls">
>   <list>
>    <value>ldap://test.net:389/</value>
>   </list>
>  </property>
>  <property name="userName" value="{cn=myuser,cn=Users,dc=test,dc=net}"/>
>  <property name="baseEnvironmentProperties">
>   <map>       
>    <entry>
>      <key>
>       <value>java.naming.security.authentication</value>
>      </key>
>      <value>simple</value>
>    </entry>
>   </map>
>  </property>
> </bean>
> </beans>
> 
> 
> Thanks for your help,
> 
> Sarah
> 
> 
> 
> 
> scott_battaglia wrote:
> > 
> > Sarah,
> > 
> > Is it a commercially signed certificate?  If not, make sure it's in the
> > JVM's
> > cacerts file so that it can trust it.  Also, make sure your LDAP server is
> > accepting SSL connections.
> > 
> > -Scott
> > 
> > On Jan 14, 2008 6:41 AM, Sara_Abasi <[EMAIL PROTECTED]> wrote:
> > 
> >>
> >> Hi,
> >> I'm a newbie in LDAP with SSL.
> >> My problem is, I connect to the LDAP server from my web application and do
> >> the
> >> authentication by LDAP with SSL.
> >> When I enter user name and password, it throws this exception:
> >>
> >> 2008-01-14 15:04:52,074 ERROR
> >> [org.apache.catalina.core.ContainerBase
> >> .[Catalina].[localhost].[/cas].[cas]]
> >> - <Servlet.service() for servlet cas threw exception>
> >> java.io.EOFException: SSL peer shut down incorrectly
> >>        at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java
> >> :333)
> >>        at
> >> com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java
> >> :723)
> >>        at
> >> com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(
> >> SSLSocketImpl.java:1030)
> >>        at
> >> com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java
> >> :622)
> >>        at
> >> com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java
> >> :59)
> >>        at java.io.BufferedOutputStream.flushBuffer(
> >> BufferedOutputStream.java:65)
> >>        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java
> >> :123)
> >>        at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:390)
> >>        at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:334)
> >>        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:192)
> >>        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
> >>        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
> >>        at
> >> com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java
> >> :175)
> >>        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(
> >> LdapCtxFactory.java:193)
> >>        at
> >> com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java
> >> :136)
> >>        at
> >> com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
> >>        at javax.naming.spi.NamingManager.getInitialContext(
> >> NamingManager.java:667)
> >>        at javax.naming.InitialContext.getDefaultInitCtx(
> >> InitialContext.java:247)
> >>        at javax.naming.InitialContext.init(InitialContext.java:223)
> >>        at javax.naming.ldap.InitialLdapContext.<init>(
> >> InitialLdapContext.java:134)
> >>        at
> >> org.springframework.ldap.support.LdapContextSource.getDirContextInstance(
> >> LdapContextSource.java:59)
> >>        at
> >> org.springframework.ldap.support.AbstractContextSource.createContext(
> >> AbstractContextSource.java:193)
> >>        at
> >> org.springframework.ldap.support.AbstractContextSource.getReadOnlyContext(
> >> AbstractContextSource.java:104)
> >>        at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java
> >> :263)
> >>        at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java
> >> :314)
> >>        at
> >>
> >> org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler.authenticateUsernamePasswordInternal
> >> (BindLdapAuthenticationHandler.java:70)
> >>        at
> >>
> >> org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler.authenticate
> >> (AbstractUsernamePasswordAuthenticationHandler.java:58)
> >>        at
> >> org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(
> >> AuthenticationManagerImpl.java:79)
> >>        at
> >> org.jasig.cas.CentralAuthenticationServiceImpl.createTicketGrantingTicket(
> >> CentralAuthenticationServiceImpl.java:282)
> >>        at
> >> org.jasig.cas.web.flow.AuthenticationViaFormAction.submit(
> >> AuthenticationViaFormAction.java:116)
> >>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >>        at
> >> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java
> >> :39)
> >>        at
> >> sun.reflect.DelegatingMethodAccessorImpl.invoke(
> >> DelegatingMethodAccessorImpl.java:25)
> >>        at java.lang.reflect.Method.invoke(Method.java:585)
> >>        at
> >> org.springframework.webflow.util.DispatchMethodInvoker.invoke(
> >> DispatchMethodInvoker.java:103)
> >>        at
> >> org.springframework.webflow.action.MultiAction.doExecute(MultiAction.java
> >> :136)
> >>        at
> >> org.springframework.webflow.action.AbstractAction.execute(
> >> AbstractAction.java:203)
> >>        at
> >> org.springframework.webflow.engine.AnnotatedAction.execute(
> >> AnnotatedAction.java:142)
> >>        at
> >> org.springframework.webflow.engine.ActionExecutor.execute(
> >> ActionExecutor.java:61)
> >>        at
> >> org.springframework.webflow.engine.ActionState.doEnter(ActionState.java
> >> :180)
> >>        at org.springframework.webflow.engine.State.enter(State.java:200)
> >>        at
> >> org.springframework.webflow.engine.Transition.execute(Transition.java:229)
> >>        at
> >> org.springframework.webflow.engine.TransitionableState.onEvent(
> >> TransitionableState.java:112)
> >>        at org.springframework.webflow.engine.Flow.onEvent(Flow.java:572)
> >>        at
> >>
> >> org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent
> >> (RequestControlContextImpl.java:207)
> >>        at
> >> org.springframework.webflow.engine.ActionState.doEnter(ActionState.java
> >> :185)
> >>        at org.springframework.webflow.engine.State.enter(State.java:200)
> >>        at
> >> org.springframework.webflow.engine.Transition.execute(Transition.java:229)
> >>        at
> >> org.springframework.webflow.engine.TransitionableState.onEvent(
> >> TransitionableState.java:112)
> >>        at org.springframework.webflow.engine.Flow.onEvent(Flow.java:572)
> >>        at
> >>
> >> org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent
> >> (RequestControlContextImpl.java:207)
> >>        at
> >> org.springframework.webflow.engine.impl.FlowExecutionImpl.signalEvent(
> >> FlowExecutionImpl.java:214)
> >>        at
> >> org.springframework.webflow.executor.FlowExecutorImpl.resume(
> >> FlowExecutorImpl.java:238)
> >>        at
> >>
> >> org.springframework.webflow.executor.support.FlowRequestHandler.handleFlowRequest
> >> (FlowRequestHandler.java:115)
> >>        at
> >>
> >> org.springframework.webflow.executor.mvc.FlowController.handleRequestInternal
> >> (FlowController.java:170)
> >>        at
> >> org.springframework.web.servlet.mvc.AbstractController.handleRequest(
> >> AbstractController.java:153)
> >>        at
> >> org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(
> >> SimpleControllerHandlerAdapter.java:48)
> >>        at
> >> org.springframework.web.servlet.DispatcherServlet.doDispatch(
> >> DispatcherServlet.java:819)
> >>        at
> >> org.springframework.web.servlet.DispatcherServlet.doService(
> >> DispatcherServlet.java:754)
> >>        at
> >> org.springframework.web.servlet.FrameworkServlet.processRequest(
> >> FrameworkServlet.java:399)
> >>        at
> >> org.springframework.web.servlet.FrameworkServlet.doPost(
> >> FrameworkServlet.java:364)
> >>        at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
> >>        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
> >>        at
> >> org.jasig.cas.web.init.SafeDispatcherServlet.service(
> >> SafeDispatcherServlet.java:115)
> >>        at
> >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
> >> ApplicationFilterChain.java:269)
> >>        at
> >> org.apache.catalina.core.ApplicationFilterChain.doFilter(
> >> ApplicationFilterChain.java:188)
> >>        at
> >> org.apache.catalina.core.StandardWrapperValve.invoke(
> >> StandardWrapperValve.java:210)
> >>        at
> >> org.apache.catalina.core.StandardContextValve.invoke(
> >> StandardContextValve.java:174)
> >>        at
> >> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java
> >> :127)
> >>        at
> >> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java
> >> :117)
> >>        at
> >> org.apache.catalina.core.StandardEngineValve.invoke(
> >> StandardEngineValve.java:108)
> >>        at
> >> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java
> >> :151)
> >>        at
> >> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
> >>        at
> >>
> >> org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection
> >> (Http11BaseProtocol.java:665)
> >>        at
> >> org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(
> >> PoolTcpEndpoint.java:528)
> >>        at
> >> org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(
> >> LeaderFollowerWorkerThread.java:81)
> >>        at
> >> org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(
> >> ThreadPool.java:685)
> >>        at java.lang.Thread.run(Thread.java:595)
> >>
> >> This is my deployerConfigContext.xml
> >>
> >> <?xml version="1.0" encoding="UTF-8"?>
> >> <!DOCTYPE beans PUBLIC  "-//SPRING//DTD BEAN//EN"
> >> "http://www.springframework.org/dtd/spring-beans.dtd">
> >> <!--
> >>        | deployerConfigContext.xml centralizes into one file some of the
> >> declarative configuration that
> >>        | all CAS deployers will need to modify.
> >>        |
> >>        | This file declares some of the Spring-managed JavaBeans that
> >> make
> >> up a
> >> CAS deployment.
> >>        | The beans declared in this file are instantiated at context
> >> initialization time by the Spring
> >>        | ContextLoaderListener declared in web.xml.  It finds this file
> >> because
> >> this
> >>        | file is among those declared in the context parameter
> >> "contextConfigLocation".
> >>        |
> >>        | By far the most common change you will need to make in this file
> >> is to
> >> change the last bean
> >>        | declaration to replace the default
> >> SimpleTestUsernamePasswordAuthenticationHandler with
> >>        | one implementing your approach for authenticating usernames and
> >> passwords.
> >>        +-->
> >> <beans>
> >>
> >>        <!--
> >>                | This bean declares our AuthenticationManager.  The
> >> CentralAuthenticationService service bean
> >>                | declared in applicationContext.xml picks up this
> >> AuthenticationManager
> >> by reference to its id,
> >>                | "authenticationManager".  Most deployers will be able to
> >> use the default
> >> AuthenticationManager
> >>                | implementation and so do not need to change the class of
> >> this bean.  We
> >> include the whole
> >>                | AuthenticationManager here in the
> >> userConfigContext.xml so that you can
> >> see the things you will
> >>                | need to change in context.
> >>                +-->
> >>        <bean id="authenticationManager"
> >>                class="org.jasig.cas.authentication.AuthenticationManagerImpl">
> >>                <!--
> >>                        | This is the List of
> >> CredentialToPrincipalResolvers that identify what
> >> Principal is trying to authenticate.
> >>                        | The AuthenticationManagerImpl considers them in
> >> order, finding a
> >> CredentialToPrincipalResolver which
> >>                        | supports the presented credentials.
> >>                        |
> >>                        | AuthenticationManagerImpl uses these resolvers
> >> for two purposes.
> >> First, it uses them to identify the Principal
> >>                        | attempting to authenticate to CAS /login .  In
> >> the default
> >> configuration, it is the DefaultCredentialsToPrincipalResolver
> >>                        | that fills this role.  If you are using some
> >> other kind of credentials
> >> than UsernamePasswordCredentials, you will need to replace
> >>                        | DefaultCredentialsToPrincipalResolver with a
> >> CredentialsToPrincipalResolver that supports the credentials you are
> >>                        | using.
> >>                        |
> >>                        | Second, AuthenticationManagerImpl uses these
> >> resolvers to identify a
> >> service requesting a proxy granting ticket.
> >>                        | In the default configuration, it is the
> >> HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose.
> >>                        | You will need to change this list if you are
> >> identifying services by
> >> something more or other than their callback URL.
> >>                        +-->
> >>                <property name="credentialsToPrincipalResolvers">
> >>                        <list>
> >>                                <!--
> >>                                        |
> >> UsernamePasswordCredentialsToPrincipalResolver supports the
> >> UsernamePasswordCredentials that we use for /login
> >>                                        | by default and produces
> >> SimplePrincipal instances conveying the
> >> username from the credentials.
> >>                                        |
> >>                                        | If you've changed your
> >> LoginFormAction to use credentials other than
> >> UsernamePasswordCredentials then you will also
> >>                                        | need to change this bean
> >> declaration (or add additional declarations)
> >> to declare a CredentialsToPrincipalResolver that supports the
> >>                                        | Credentials you are using.
> >>                                        +-->
> >>                                <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
> >>                                <!--
> >>                                        |
> >> HttpBasedServiceCredentialsToPrincipalResolver supports
> >> HttpBasedCredentials.  It supports the CAS 2.0 approach of
> >>                                        | authenticating services by SSL
> >> callback, extracting the callback URL
> >> from the Credentials and representing it as a
> >>                                        | SimpleService identified by that
> >> callback URL.
> >>                                        |
> >>                                        | If you are representing services
> >> by something more or other than an
> >> HTTPS URL whereat they are able to
> >>                                        | receive a proxy callback, you
> >> will need to change this bean
> >> declaration (or add additional declarations).
> >>                                        +-->
> >>                                <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
> >>                        </list>
> >>                </property>
> >>
> >>                <!--
> >>                        | Whereas CredentialsToPrincipalResolvers identify
> >> who it is some
> >> Credentials might authenticate,
> >>                        | AuthenticationHandlers actually authenticate
> >> credentials.  Here we
> >> declare the AuthenticationHandlers that
> >>                        | authenticate the Principals that the
> >> CredentialsToPrincipalResolvers
> >> identified.  CAS will try these handlers in turn
> >>                        | until it finds one that both supports the
> >> Credentials presented and
> >> succeeds in authenticating.
> >>                        +-->
> >>                <property name="authenticationHandlers">
> >>                        <list>
> >>                                <!--
> >>                                        | This is the authentication
> >> handler that authenticates services by
> >> means of callback via SSL, thereby validating
> >>                                        | a server side SSL certificate.
> >>                                        +-->
> >>                                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
> >>                                        <property
> >>                                                name="httpClient"
> >>                                                ref="httpClient" />
> >>                                </bean>
> >>
> >>                                <!--
> >>                                        | This is the authentication
> >> handler declaration that every CAS
> >> deployer will need to change before deploying CAS
> >>                                        | into production.  The default
> >> SimpleTestUsernamePasswordAuthenticationHandler authenticates
> >> UsernamePasswordCredentials
> >>                                        | where the username equals the
> >> password.  You will need to replace
> >> this with an AuthenticationHandler that implements your
> >>                                        | local authentication strategy.
> >>  You might accomplish this by coding a
> >> new such handler and declaring
> >>                                        |
> >> edu.someschool.its.cas.MySpecialHandler here, or you might use one of
> >> the handlers provided in the adaptors modules.
> >>                                        +-->
> >>
> >>
> >>                 <bean
> >> class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
> >>                                        <property name="filter"
> >> value="uid=%u" />
> >>                                        <property name="searchBase"
> >> value="cn=Users,dc=z,dc=z" />
> >>                                        <property name="contextSource"
> >> ref="contextSource" />
> >>                    <property name="ignorePartialResultException"
> >> value="yes" />
> >>                                </bean>
> >>                        </list>
> >>                </property>
> >>        </bean>
> >> <bean id="contextSource"
> >> class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
> >>  <property name="password" value="{11111}"/>
> >> <property name="pooled" value="true" />
> >>  <property name="urls">
> >>  <list>
> >>   <value>ldaps://irisad.net/</value>
> >>  </list>
> >>  </property>
> >>  <property name="userName" value="{cn=aa,cn=Users,dc=z,dc=z}"/>
> >>  <property name="baseEnvironmentProperties">
> >>  <map>
> >>        <entry>
> >>                <key>
> >>          <value>java.naming.security.protocol</value>
> >>                </key>
> >>                <value>ssl</value>
> >>    </entry>
> >>   <entry>
> >>     <key>
> >>      <value>java.naming.security.authentication</value>
> >>     </key>
> >>     <value>simple</value>
> >>   </entry>
> >>    <entry>
> >>          <key>
> >>            <value>java.naming.referral</value>
> >>          </key>
> >>          <value>follow</value>
> >>     </entry>
> >>  </map>
> >>  </property>
> >> </bean>
> >> </beans>
> >>
> >> thanks.
> >> --
> >> View this message in context:
> >> http://www.nabble.com/SSLHandshakeException-when-try-connect-LDAP-tp14799522p14799522.html
> >> Sent from the CAS Users mailing list archive at Nabble.com.
> >>
> >> _______________________________________________
> >> Yale CAS mailing list
> >> [email protected]
> >> http://tp.its.yale.edu/mailman/listinfo/cas
> >>
> > 
> > 
> > 
> > -- 
> > -Scott Battaglia
> > 
> > LinkedIn: http://www.linkedin.com/in/scottbattaglia
> > 
> > 
> > 
> 

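The thread above shows the two symptoms a CAS deployer hits most often against Active Directory: an LDAPS handshake that ends in "SSL peer shut down incorrectly", and a simple bind rejected with "error code 49 ... data 525". The following Python script is an added example, not code from the thread, from CAS or from Microsoft; it decodes the AD sub-code carried in the bind error (the table covers the documented AD values, which goes beyond the single 525 seen on the page) and probes an LDAPS listener to tell a TCP-level failure, a handshake that the directory aborts, and a chain the client does not trust apart. The host, port and `cafile` arguments, the `SAMPLE_AD_ERROR` constant (built from the message Sarah quoted) and the hint texts are this example's own assumptions.

```python
"""Diagnostics for LDAPS-to-Active-Directory failures as seen from a CAS host.

Added example; not part of the original thread, of CAS or of any vendor tool.
"""
import re
import socket
import ssl
from typing import Optional

# Constructed from the error message quoted in the thread (error 49, data 525).
SAMPLE_AD_ERROR = (
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308:\n"
    "LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece"
)

# Sub-codes Active Directory appends to LDAP result 49 (invalidCredentials) in
# the "data NNN" field of its diagnostic string. These are the documented AD
# values; the thread above only shows 525.
AD_BIND_DATA_CODES = {
    "525": "user not found (the bind DN, or the DN resolved by the search, does not exist)",
    "52e": "invalid credentials (wrong password for an existing account)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_ERROR_RE = re.compile(
    r"LDAP: error code (?P<code>\d+)"                               # LDAP result code
    r".*?AcceptSecurityContext error, data (?P<data>[0-9a-fA-F]+)",  # AD sub-code (hex)
    re.DOTALL,
)


def parse_ad_bind_error(message: str) -> Optional[dict]:
    """Decode an AD bind failure; returns None for anything that is not an AD error 49."""
    m = _ERROR_RE.search(message)
    if not m or m.group("code") != "49":
        return None
    data = m.group("data").lower()
    return {
        "code": 49,
        "data": data,
        "meaning": AD_BIND_DATA_CODES.get(data, "unknown AD sub-code"),
    }


# Hypothetical hint texts for each stage at which the LDAPS probe can fail.
STAGE_HINTS = {
    "connect": "nothing accepted the TCP connection (closed or filtered port)",
    "handshake": "TCP connected but TLS was aborted by the peer; a domain controller "
                 "does this on 636 when it has no server certificate installed",
    "verify": "TLS works but this client does not trust the presented chain; the "
              "issuing certificate must be imported into the JVM's cacerts",
}


def probe_ldaps(host: str, port: int = 636, cafile: Optional[str] = None,
                timeout: float = 5.0) -> dict:
    """Attempt a TLS handshake against host:port and report the stage that failed.

    cafile is a PEM file to trust (e.g. the server.crt from the thread); None uses
    the system trust store, mirroring a JVM whose cacerts has not been updated.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "protocol": tls.version(),
                        "subject": cert.get("subject"), "issuer": cert.get("issuer"),
                        "not_after": cert.get("notAfter")}
    except ssl.SSLCertVerificationError as e:   # subclass of SSLError: catch first
        return {"ok": False, "stage": "verify", "detail": e.verify_message,
                "hint": STAGE_HINTS["verify"]}
    except (ssl.SSLError, ConnectionResetError, EOFError) as e:
        return {"ok": False, "stage": "handshake", "detail": str(e),
                "hint": STAGE_HINTS["handshake"]}
    except OSError as e:                         # refused, timed out, unreachable
        return {"ok": False, "stage": "connect", "detail": str(e),
                "hint": STAGE_HINTS["connect"]}


if __name__ == "__main__":
    import sys
    print(parse_ad_bind_error(SAMPLE_AD_ERROR))
    if len(sys.argv) > 1:   # usage: python probe.py <dc-hostname> [ca.pem]
        print(probe_ldaps(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

The sub-codes matter for the defender as much as for the deployer: AD distinguishes "no such user" (525) from "wrong password" (52e), so CAS should log the decoded reason for the operator but never render it on the login page, where it would reveal which usernames exist.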
