Sorry, I meant it's a banned character at Rutgers in our NetIDs, so I can't
create a test account with it ;-)

-Scott

On Thu, May 8, 2008 at 10:02 AM, Michael J. Barton <[EMAIL PROTECTED]>
wrote:

>  Scott,
>
>
>
> Thanks for getting back to me.  We have code/apps in other languages
> (Perl, .NET, etc.) that do not have issues with our DNs, and per our
> directory services manager, the "/" is not a banned character per RFC 2253
> (and others).  I've also used tools like Apache Directory Studio and it
> respects these DNs.  Temporarily I can rename the OUs, changing the "/" to a
> "-", but our nightly directory synchronization processes rename the OUs
> back, so the renaming is not a sustainable solution.  I responded to your
> off-list email giving you some other information you were asking for.
> Thanks again.
>
>
>
>
>
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On
> Behalf Of *Scott Battaglia
> *Sent:* Wednesday, May 07, 2008 3:27 PM
> *To:* Yale CAS mailing list
> *Cc:* Steven E. Niedzwiecki
> *Subject:* Re: CAS LDAP authentication failures against DNs that contain
> "/" characters
>
>
>
> Michael,
>
> I don't believe we have any accounts here at RU that have "/" in them (and
> I think it's a banned character), so I can't try it out here.  Do you guys
> have any LDAP code (non-Spring) you can try it against, to take the Spring
> code out of the picture?
>
> -Scott
>
> On Wed, May 7, 2008 at 2:53 PM, Michael J. Barton <[EMAIL PROTECTED]>
> wrote:
>
> We have been using CAS (3.0.7) since September.  We have plans to upgrade to
> 3.2.1 later this summer.
> Our implementation is using the LDAP authentication handler against our
> Active Directory and has been working great until this problem cropped up
> yesterday.
>
> We have a handful of users that consistently fail to authenticate. When they
> do, we see an error in CAS.LOG like:
>
> 2008-05-07 09:15:37,285 INFO
> [org.jasig.cas.authentication.AuthenticationManagerImpl] -
> AuthenticationHandler:
> org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler failed to
> authenticate the user which provided the following credentials: mbarton
>
>
> A sample of the DN that fails is:
>
> CN=mbarton,OU=Special Facilities - Jadwin/Fine,OU=People,DC=pu,DC=win,DC=princeton,DC=edu
>
>
> Testing a hunch, we renamed the OU the account resides in, removing the "/"
> character in the
>
>   OU=Special Facilities - Jadwin/Fine
>
> portion of the DN.  When we do this the user CAN authenticate.  We tested
> user accounts in 3 other OUs, each of which has one or more "/" characters
> in the name, and in each case the user fails to authenticate.
>
>
> Has anyone else seen and/or resolved this error?
> Has the problem been corrected in CAS 3.2.1?
>
>
> This appears to be a DN parsing error, but I don't know if it is in the base
> CAS code or somewhere in the Spring framework (we are using version 1.12
> with CAS 3.0.7).  When I set logging to DEBUG, I see
> "org.springframework.validation.BindException" errors in the CAS.log.
>
>
> Thanks in advance for any help/insight.
>
>
> deployerConfigContext.xml
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
>     "http://www.springframework.org/dtd/spring-beans.dtd">
> <beans>
>     <!-- Resolvers turn submitted credentials into a principal;
>          handlers perform the actual authentication -->
>     <bean id="authenticationManager"
>           class="org.jasig.cas.authentication.AuthenticationManagerImpl">
>         <property name="credentialsToPrincipalResolvers">
>             <list>
>                 <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>                 <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
>             </list>
>         </property>
>         <property name="authenticationHandlers">
>             <list>
>                 <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
>                     <property name="httpClient" ref="httpClient" />
>                 </bean>
>                 <!-- LDAP handler: searches for the user (%u is the submitted
>                      username) below searchBase, then binds as the found DN -->
>                 <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
>                     <property name="filter" value="sAMAccountName=%u" />
>                     <property name="searchBase" value="ou=People,dc=pu,dc=win,dc=princeton,dc=edu" />
>                     <property name="contextSource" ref="contextSource" />
>                 </bean>
>             </list>
>         </property>
>     </bean>
>     <!-- Service account used for the directory search over LDAPS -->
>     <bean id="contextSource"
>           class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
>         <property name="password" value="XXXXXXXXXX" />
>         <property name="pooled" value="true" />
>         <property name="urls">
>             <list>
>                 <value>ldaps://pu.win.princeton.edu/</value>
>             </list>
>         </property>
>         <property name="userName"
>                   value="cn=XXXXXXX,ou=XXXXXXXX,ou=XXXXXX,dc=pu,dc=win,dc=princeton,dc=edu" />
>         <property name="baseEnvironmentProperties">
>             <map>
>                 <entry>
>                     <key><value>java.naming.security.protocol</value></key>
>                     <value>ssl</value>
>                 </entry>
>                 <entry>
>                     <key><value>java.naming.security.authentication</value></key>
>                     <value>simple</value>
>                 </entry>
>             </map>
>         </property>
>     </bean>
> </beans>
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>
>
>
> --
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
>
>


-- 
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
