I did some quick digging.  It looks like "/" is a reserved character in
JNDI, but not LDAP so it needs to be escaped.  I'm not sure if newer
versions of Spring LDAP properly escape.  Would you be able to set up a test
CAS server locally copying your LDAP configuration to it and try it out?

-Scott
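To make the JNDI point concrete, here is an added example (not code from the thread, from CAS or from Spring LDAP) that uses only the standard javax.naming classes on the DN quoted in Michael's report; no directory is contacted, and the `ctx.search(...)` call in the last comment assumes a `DirContext` named `ctx` that is not created here.

```java
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.Name;
import javax.naming.ldap.LdapName;

// Added example, not code from the thread or from CAS/Spring LDAP.
// Uses only the standard javax.naming classes and the DN from Michael's
// report; no directory is contacted.
public class SlashInDn {

    static final String DN = "CN=mbarton,OU=Special Facilities - Jadwin/Fine,"
            + "OU=People,DC=pu,DC=win,DC=princeton,DC=edu";

    public static void main(String[] args) throws InvalidNameException {
        // 1. LDAP itself has no problem with "/": RFC 2253 does not reserve it,
        //    so LdapName parses the DN into its seven RDNs.
        LdapName dn = new LdapName(DN);
        System.out.println("LDAP RDNs: " + dn.size());           // 7

        // 2. The same String handed to a JNDI context method is parsed as a
        //    composite name, where "/" separates namespaces.  The DN is cut in
        //    two, so the directory is asked about a name that does not exist.
        CompositeName split = new CompositeName(DN);
        System.out.println("JNDI components: " + split.size()); // 2
        for (int i = 0; i < split.size(); i++) {
            System.out.println("  [" + i + "] " + split.get(i));
        }

        // 3. Escaping: adding the DN as a single component keeps it whole, and
        //    toString() yields the escaped String form ("Jadwin\/Fine") that a
        //    String-based context call needs.
        Name whole = new CompositeName().add(DN);
        System.out.println("components after add(): " + whole.size()); // 1
        System.out.println("escaped form: " + whole);

        // 4. Alternative: pass an LdapName (a Name that is not a CompositeName)
        //    to the Name overloads of DirContext; JNDI does not re-parse those
        //    as composite names, so no escaping is required, e.g.
        //    ctx.search(dn, "(sAMAccountName=mbarton)", searchControls);
    }
}
```

Running it shows the two halves the LDAP provider actually receives when the raw DN string is used, which is the shape of the failure Michael describes.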

On Thu, May 8, 2008 at 10:20 AM, Michael J. Barton <[EMAIL PROTECTED]>
wrote:

> After I sent my response, it occurred to me that is what you meant.  Need
> more caffeine. :-)
>
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of* Scott Battaglia
> *Sent:* Thursday, May 08, 2008 10:11 AM
> *To:* Yale CAS mailing list
> *Subject:* Re: CAS LDAP authentication failures against DNs that contain "/" characters
>
> Sorry, I meant it's a banned character at Rutgers in our NetIds so I can't
> create a test account with it ;-)
>
> -Scott
>
> On Thu, May 8, 2008 at 10:02 AM, Michael J. Barton <[EMAIL PROTECTED]>
> wrote:
>
> Scott,
>
> Thanks for getting back to me.  We have code/apps in other languages
> (Perl, .NET, etc.) that do not have issues with our DNs and, per our
> directory services manager, the "/" is not a banned character per RFC 2253
> (and others).  I've also used tools like Apache Directory Studio and it
> respects these DNs.  Temporarily I can rename the OUs, changing the "/" to a
> "-", but our nightly directory synchronization processes rename the OUs
> back, so the renaming is not a sustainable solution.  I responded to your
> off-list email giving you some other information you were asking for.
> Thanks again.
>
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of* Scott Battaglia
> *Sent:* Wednesday, May 07, 2008 3:27 PM
> *To:* Yale CAS mailing list
> *Cc:* Steven E. Niedzwiecki
> *Subject:* Re: CAS LDAP authentication failures against DNs that contain "/" characters
>
> Michael,
>
> I don't believe we have any accounts here at RU that have "/" in them (and
> I think it's a banned character) so I can't try it out here.  Do you guys
> have any LDAP code (non-Spring) you can try it against to take the Spring
> code out of the picture?
>
> -Scott
>
> On Wed, May 7, 2008 at 2:53 PM, Michael J. Barton <[EMAIL PROTECTED]>
> wrote:
>
> We have been using CAS (3.0.7) since September.  We have plans to upgrade to
> 3.2.1 later this summer.
> Our implementation is using the LDAP authentication handler against our
> Active Directory and has been working great until this problem cropped up
> yesterday.
>
> We have a handful of users that consistently fail to authenticate.  When they
> do, we see an error in CAS.LOG like:
>
> 2008-05-07 09:15:37,285 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler failed to authenticate the user which provided the following credentials: mbarton
>
>
> A sample of the DN that fails is:
>
> CN=mbarton,OU=Special Facilities - Jadwin/Fine,OU=People,DC=pu,DC=win,DC=princeton,DC=edu
>
>
> Testing a hunch, we renamed the OU the account resides in, removing the "/"
> character in the
>
>   OU=Special Facilities - Jadwin/Fine
>
> portion of the DN.  When we do this the user CAN authenticate.  We tested
> user accounts in 3 other OUs, each of which has one or more "/" characters
> in the name, and in each case the user fails to authenticate.
>
>
> Has anyone else seen and/or resolved this error?
> Has the problem been corrected in CAS 3.2.1?
>
>
> This appears to be a DN parsing error, but I don't know if it is in the base
> CAS code or somewhere in the Spring framework (we are using version 1.12
> with CAS 3.0.7).  When I set logging to DEBUG, I see
> "org.springframework.validation.BindException" errors in the CAS.log.
>
>
> Thanks in advance for any help/insight.
>
>
> deployerConfigContext.xml
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
>     "http://www.springframework.org/dtd/spring-beans.dtd">
> <beans>
>     <bean id="authenticationManager"
>           class="org.jasig.cas.authentication.AuthenticationManagerImpl">
>         <property name="credentialsToPrincipalResolvers">
>             <list>
>                 <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>                 <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
>             </list>
>         </property>
>         <property name="authenticationHandlers">
>             <list>
>                 <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
>                     <property name="httpClient" ref="httpClient" />
>                 </bean>
>                 <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
>                     <property name="filter" value="sAMAccountName=%u" />
>                     <property name="searchBase" value="ou=People,dc=pu,dc=win,dc=princeton,dc=edu" />
>                     <property name="contextSource" ref="contextSource" />
>                 </bean>
>             </list>
>         </property>
>     </bean>
>     <bean id="contextSource"
>           class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
>         <property name="password" value="XXXXXXXXXX" />
>         <property name="pooled" value="true" />
>         <property name="urls">
>             <list>
>                 <value>ldaps://pu.win.princeton.edu/</value>
>             </list>
>         </property>
>         <property name="userName"
>                   value="cn=XXXXXXX,ou=XXXXXXXX,ou=XXXXXX,dc=pu,dc=win,dc=princeton,dc=edu" />
>         <property name="baseEnvironmentProperties">
>             <map>
>                 <entry>
>                     <key><value>java.naming.security.protocol</value></key>
>                     <value>ssl</value>
>                 </entry>
>                 <entry>
>                     <key><value>java.naming.security.authentication</value></key>
>                     <value>simple</value>
>                 </entry>
>             </map>
>         </property>
>     </bean>
> </beans>
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
>
> --
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia


-- 
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
