I stood up a CAS 3.2.1 Server and configured it similar to our production 3.0.7 instance. The behavior is the same in both instances.
Any account that has a "/" character in a portion of their DN (ie. cn=mbarton,ou=Math/Physics Department,dc=Princeton,dc=edu") fails to authenticate. It would appear that the Spring LDAP is not doing the escaping you suggested. Any thoughts on how I should proceed? -Mike From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Battaglia Sent: Thursday, May 08, 2008 12:16 PM To: Yale CAS mailing list Subject: Re: CAS LDAP authentication failures against DNs thatcontain"/"characters I did some quick digging. It looks like "/" is a reserved character in JNDI, but not LDAP so it needs to be escaped. I'm not sure if newer versions of Spring LDAP properly escape. Would you be able to set up a test CAS server locally copying your LDAP configuration to it and try it out? -Scott On Thu, May 8, 2008 at 10:20 AM, Michael J. Barton <[EMAIL PROTECTED]> wrote: After I sent my response, it occurred to me that is what you meant. Need more caffeine. :-) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Battaglia Sent: Thursday, May 08, 2008 10:11 AM To: Yale CAS mailing list Subject: Re: CAS LDAP authentication failures against DNs that contain"/"characters Sorry, I meant its a banned character at Rutgers in our NetIds so I can't create a test account with it ;-) -Scott On Thu, May 8, 2008 at 10:02 AM, Michael J. Barton <[EMAIL PROTECTED]> wrote: Scott, Thanks for getting back to me. We have code/apps in other languages (Perl, .NET, etc.) that does not have issue with our DNs and per our directory services manager, the "/" is not a banned character per RFC 2253 (and others). I've also used tools like Apache Directory Studio and it respects these DNs. Temporarily I can rename the OUs, changing the "/" to a "-", but our nightly directory synchronization processes rename the OUs back, so the renaming is not a sustainable solution. I responded to your off-list email giving you some other information you were asking for. Thanks again. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Battaglia Sent: Wednesday, May 07, 2008 3:27 PM To: Yale CAS mailing list Cc: Steven E. Niedzwiecki Subject: Re: CAS LDAP authentication failures against DNs that contain "/"characters Michael, I don't believe we have any accounts here at RU that have "/" in them (and I think its a banned character) so I can't try it out here. Do you guys have any LDAP code (non Spring) you can try it against to take the Spring code out of the picture? -Scott On Wed, May 7, 2008 at 2:53 PM, Michael J. Barton <[EMAIL PROTECTED]> wrote: We have been using CAS (3.0.7) since September. We have plans to upgrade to 3.2.1 later this summer. Our implementation is using the LDAP authentication handler against our Active Directory and has been working great until this problem cropped up yesterday. We have a handful of users that consistently fail to authenticate. When they do, we see an error in CAS.LOG like: 2008-05-07 09:15:37,285 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler failed to authenticate the user which provided the following credentials: mbarton A sample of the DN that fails is: CN=mbarton,OU=Special Facilities - Jadwin/Fine,OU=People,DC=pu,DC=win,DC=princeton,DC=edu Testing a hunch we renamed the OU the account resides in, removing the "/" character in the OU=Special Facilities - Jadwin/Fine portion of the DN. When we do this the user CAN authenticate. We tested user accounts in 3 other OUs, each of which have one or more "/" characters in the name and in each case the user fails to authenticate. Has anyone else seen and/or resolved this error? Has the problem been corrected in CAS 3.2.1? This appears to be a DN parsing error, but I don't know if it is in the base CAS code or somewhere in the Spring framework (we are using version 1.12 with CAS 3.0.7). When set logging to DEBUG, I see "org.springframework.validation.BindException" errors in the CAS.log Thanks in advance for any help/insight. deployerConfigContext.xml <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd";> <beans> <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl"> <property name="credentialsToPrincipalResolvers"> <list> <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToP rincipalResolver" /> <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToP rincipalResolver" /> </list> </property> <property name="authenticationHandlers"> <list> <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredenti alsAuthenticationHandler"> <property name="httpClient" ref="httpClient" /> </bean> <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"> <property name="filter" value="sAMAccountName=%u" /> <property name="searchBase" value="ou=People,dc=pu,dc=win,dc=princeton,dc=edu" /> <property name="contextSource" ref="contextSource" /> </bean> </list> </property> </bean> <bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource"> <property name="password" value="XXXXXXXXXX"> <property name="pooled" value="true" /> <property name="urls"> <list> <value>ldaps://pu.win.princeton.edu/</value> </list> </property> <property name="userName" value="cn=XXXXXXX,ou=XXXXXXXX,ou=XXXXXX,dc=pu,dc=win,dc=princeton,dc=edu" /> <property name="baseEnvironmentProperties"> <map> <entry> <key><value>java.naming.security.protocol</value></key> <value>ssl</value> </entry> <entry> <key><value>java.naming.security.authentication</value></key> <value>simple</value> </entry> </map> </property> </bean> </beans> _______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas -- -Scott Battaglia PGP Public Key Id: 0x383733AA LinkedIn: http://www.linkedin.com/in/scottbattaglia _______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas -- -Scott Battaglia PGP Public Key Id: 0x383733AA LinkedIn: http://www.linkedin.com/in/scottbattaglia _______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas -- -Scott Battaglia PGP Public Key Id: 0x383733AA LinkedIn: http://www.linkedin.com/in/scottbattaglia
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
