We have been using CAS (3.0.7) since September. We have plans to upgrade to 3.2.1 later this summer. Our implementation is using the LDAP authentication handler against our Active Directory and has been working great until this problem cropped up yesterday.
We have a handful of users that consistently fail to authenticate. When they do, we see an error in CAS.LOG like: 2008-05-07 09:15:37,285 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler failed to authenticate the user which provided the following credentials: mbarton A sample of the DN that fails is: CN=mbarton,OU=Special Facilities - Jadwin/Fine,OU=People,DC=pu,DC=win,DC=princeton,DC=edu Testing a hunch we renamed the OU the account resides in, removing the "/" character in the OU=Special Facilities - Jadwin/Fine portion of the DN. When we do this the user CAN authenticate. We tested user accounts in 3 other OUs, each of which have one or more "/" characters in the name and in each case the user fails to authenticate. Has anyone else seen and/or resolved this error? Has the problem been corrected in CAS 3.2.1? This appears to be a DN parsing error, but I don't know if it is in the base CAS code or somewhere in the Spring framework (we are using version 1.12 with CAS 3.0.7). When set logging to DEBUG, I see "org.springframework.validation.BindException" errors in the CAS.log Thanks in advance for any help/insight. deployerConfigContext.xml <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd";> <beans> <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl"> <property name="credentialsToPrincipalResolvers"> <list> <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToP rincipalResolver" /> <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToP rincipalResolver" /> </list> </property> <property name="authenticationHandlers"> <list> <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredenti alsAuthenticationHandler"> <property name="httpClient" ref="httpClient" /> </bean> <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"> <property name="filter" value="sAMAccountName=%u" /> <property name="searchBase" value="ou=People,dc=pu,dc=win,dc=princeton,dc=edu" /> <property name="contextSource" ref="contextSource" /> </bean> </list> </property> </bean> <bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource"> <property name="password" value="XXXXXXXXXX"> <property name="pooled" value="true" /> <property name="urls"> <list> <value>ldaps://pu.win.princeton.edu/</value> </list> </property> <property name="userName" value="cn=XXXXXXX,ou=XXXXXXXX,ou=XXXXXX,dc=pu,dc=win,dc=princeton,dc=edu" /> <property name="baseEnvironmentProperties"> <map> <entry> <key><value>java.naming.security.protocol</value></key> <value>ssl</value> </entry> <entry> <key><value>java.naming.security.authentication</value></key> <value>simple</value> </entry> </map> </property> </bean> </beans>
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
