So I may have a fix for this. I got one of our local LDAP admins to add a
"uid=foo/bar" to the dev server so I can see it fail and debug to make it
succeed.  So I found a way that returns the proper value (the method we use
now literally returns "uid=foo/bar" with the quotation marks!).  I'll do a
little more testing on Monday and then this could make it into 3.3.

-Scott

-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

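Scott's point further down that "/" is a reserved character in JNDI rather than in LDAP, and the name that comes back "with the quotation marks", can both be reproduced with nothing but the standard javax.naming classes. The following is an added demonstration written for this page, not code from the thread, from CAS or from Spring LDAP; the class name JndiSlashDemo is a hypothetical, and the DN is the one Mike posted.

```java
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

public class JndiSlashDemo {

    // The failing DN quoted in the thread; the "/" sits inside an OU value.
    static final String DN =
        "CN=mbarton,OU=Special Facilities - Jadwin/Fine,OU=People,DC=pu,DC=win,DC=princeton,DC=edu";

    // A String name handed to a JNDI Context is parsed as a CompositeName,
    // whose component separator is "/", so this DN comes apart at the slash.
    static int compositeComponentCount(String dn) throws InvalidNameException {
        return new CompositeName(dn).size();
    }

    // Stored as a single composite component, the same DN is stringified in
    // composite-name syntax, which wraps a component containing "/" in double
    // quotes: valid for JNDI, but not a valid LDAP DN string.
    static String compositeStringForm(String dn) throws InvalidNameException {
        return new CompositeName().add(dn).toString();
    }

    // Recover a usable DN: parse the composite string (which strips the quotes),
    // insist on exactly one component, and build an LdapName from it. LdapName
    // follows RFC 2253, where "/" is an ordinary character, and handing JNDI a
    // Name object instead of a String keeps it from re-parsing it as composite.
    static LdapName toLdapName(String compositeString) throws InvalidNameException {
        CompositeName cn = new CompositeName(compositeString);
        if (cn.size() != 1) {
            throw new InvalidNameException(
                "expected one composite component, found " + cn.size());
        }
        return new LdapName(cn.get(0));
    }

    public static void main(String[] args) throws InvalidNameException {
        // How many pieces JNDI makes of the raw DN string.
        System.out.println(compositeComponentCount(DN));
        // The quoted composite form of the whole DN.
        String quoted = compositeStringForm(DN);
        System.out.println(quoted);
        // Round-trip into an LdapName: the RDN count and the OU holding the "/".
        LdapName name = toLdapName(quoted);
        System.out.println(name.size());
        System.out.println(name.get(5));
    }
}
```

Compile and run it against a plain JDK; no directory server is needed, because CompositeName and LdapName only parse strings.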

On Thu, May 15, 2008 at 9:54 PM, Michael J. Barton <[EMAIL PROTECTED]> wrote:

> Scott,
>
> I was told to take the quick-fix route and temporarily rename our DNs that
> contain the "/" character.  Sorry, I haven't had time to do any digging.  I
> still have my test DNs and accounts set up as well as a test instance of
> CAS.  If I can help out, let me know.
>
> Oh...and you've been back a few hours... you can give yourself some time to
> ease back into things :-)
>
> -Mike
>
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of* Scott Battaglia
> *Sent:* Thursday, May 15, 2008 9:09 PM
> *To:* Yale CAS mailing list
> *Subject:* Re: CAS LDAP authentication failures against DNs that contain "/" characters
>
> Just got back a few hours ago...any luck? ;-)
>
> On Fri, May 9, 2008 at 8:33 PM, Michael J. Barton <[EMAIL PROTECTED]>
> wrote:
>
> Scott,
>
> Thanks for the update.  I'll see what I can do in your absence and will let
> you know how things go.
>
> -Mike
>
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of* Scott Battaglia
> *Sent:* Friday, May 09, 2008 5:35 PM
> *To:* Yale CAS mailing list
> *Subject:* Re: CAS LDAP authentication failures against DNs that contain "/" characters
>
> Mike,
>
> I'm going to be away for 5 days so I can't look at this until I come back.
> If you get a minute you could try to modify the authentication handler to do
> a replace for the / to the escaped version and recompile and deploy and see
> if that works.  If it works, we'd make that change to the default handlers.
> There may also be a way in Spring LDAP to have it automatically do it, but I
> won't be able to look at that until I come back.
>
> -Scott
>
> On Fri, May 9, 2008 at 3:52 PM, Michael J. Barton <[EMAIL PROTECTED]>
> wrote:
>
> I stood up a CAS 3.2.1 Server and configured it similar to our production
> 3.0.7 instance.   The behavior is the same in both instances.
>
> Any account that has a "/" character in a portion of their DN (i.e.
> "cn=mbarton,ou=Math/Physics Department,dc=Princeton,dc=edu") fails to
> authenticate.
>
> It would appear that the Spring LDAP is not doing the escaping you
> suggested.  Any thoughts on how I should proceed?
>
> -Mike
>
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of* Scott Battaglia
> *Sent:* Thursday, May 08, 2008 12:16 PM
> *To:* Yale CAS mailing list
> *Subject:* Re: CAS LDAP authentication failures against DNs that contain "/" characters
>
> I did some quick digging.  It looks like "/" is a reserved character in
> JNDI, but not LDAP so it needs to be escaped.  I'm not sure if newer
> versions of Spring LDAP properly escape.  Would you be able to set up a test
> CAS server locally copying your LDAP configuration to it and try it out?
>
> -Scott
>
> On Thu, May 8, 2008 at 10:20 AM, Michael J. Barton <[EMAIL PROTECTED]>
> wrote:
>
> After I sent my response, it occurred to me that is what you meant.  Need
> more caffeine. :-)
>
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of* Scott Battaglia
> *Sent:* Thursday, May 08, 2008 10:11 AM
> *To:* Yale CAS mailing list
> *Subject:* Re: CAS LDAP authentication failures against DNs that contain "/" characters
>
> Sorry, I meant it's a banned character at Rutgers in our NetIDs so I can't
> create a test account with it ;-)
>
> -Scott
>
> On Thu, May 8, 2008 at 10:02 AM, Michael J. Barton <[EMAIL PROTECTED]>
> wrote:
>
> Scott,
>
> Thanks for getting back to me.  We have code/apps in other languages (Perl,
> .NET, etc.) that does not have issue with our DNs and per our directory
> services manager, the "/" is not a banned character per RFC 2253 (and
> others).  I've also used tools like Apache Directory Studio and it respects
> these DNs.  Temporarily I can rename the OUs, changing the "/" to a "-", but
> our nightly directory synchronization processes rename the OUs back, so the
> renaming is not a sustainable solution.     I responded to your off-list
> email giving you some other information you were asking for.  Thanks again.
>
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of* Scott Battaglia
> *Sent:* Wednesday, May 07, 2008 3:27 PM
> *To:* Yale CAS mailing list
> *Cc:* Steven E. Niedzwiecki
> *Subject:* Re: CAS LDAP authentication failures against DNs that contain "/" characters
>
> Michael,
>
> I don't believe we have any accounts here at RU that have "/" in them (and
> I think it's a banned character) so I can't try it out here.  Do you guys
> have any LDAP code (non-Spring) you can try it against to take the Spring
> code out of the picture?
>
> -Scott
>
> On Wed, May 7, 2008 at 2:53 PM, Michael J. Barton <[EMAIL PROTECTED]>
> wrote:
>
> We have been using CAS (3.0.7) since September.  We have plans to upgrade to
> 3.2.1 later this summer.
> Our implementation is using the LDAP authentication handler against our
> Active Directory and has been working great until this problem cropped up
> yesterday.
>
> We have a handful of users that consistently fail to authenticate. When they
> do, we see an error in CAS.LOG like:
>
> 2008-05-07 09:15:37,285 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler failed to authenticate the user which provided the following credentials: mbarton
>
>
> A sample of the DN that fails is:
>
> CN=mbarton,OU=Special Facilities -
> Jadwin/Fine,OU=People,DC=pu,DC=win,DC=princeton,DC=edu
>
>
> Testing a hunch we renamed the OU the account resides in, removing the "/"
> character in the
>
>   OU=Special Facilities - Jadwin/Fine
>
> portion of the DN.  When we do this the user CAN authenticate.  We tested
> user accounts in 3 other OUs, each of which have one or more "/" characters
> in the name and in each case the user fails to authenticate.
>
>
> Has anyone else seen and/or resolved this error?
> Has the problem been corrected in CAS 3.2.1?
>
>
> This appears to be a DN parsing error, but I don't know if it is in the base
> CAS code or somewhere in the Spring framework (we are using version 1.12
> with CAS 3.0.7).  When I set logging to DEBUG, I see
> "org.springframework.validation.BindException" errors in the CAS.log
>
>
> Thanks in advance for any help/insight.
>
>
> deployerConfigContext.xml
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
>     "http://www.springframework.org/dtd/spring-beans.dtd">
> <beans>
>     <bean id="authenticationManager"
>           class="org.jasig.cas.authentication.AuthenticationManagerImpl">
>         <property name="credentialsToPrincipalResolvers">
>             <list>
>                 <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>                 <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
>             </list>
>         </property>
>         <property name="authenticationHandlers">
>             <list>
>                 <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
>                     <property name="httpClient" ref="httpClient" />
>                 </bean>
>                 <!-- Search for the user by sAMAccountName, then bind as the DN that is found -->
>                 <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
>                     <property name="filter" value="sAMAccountName=%u" />
>                     <property name="searchBase" value="ou=People,dc=pu,dc=win,dc=princeton,dc=edu" />
>                     <property name="contextSource" ref="contextSource" />
>                 </bean>
>             </list>
>         </property>
>     </bean>
>     <bean id="contextSource"
>           class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
>         <!-- service account credentials redacted by the poster -->
>         <property name="password" value="XXXXXXXXXX" />
>         <property name="pooled" value="true" />
>         <property name="urls">
>             <list>
>                 <value>ldaps://pu.win.princeton.edu/</value>
>             </list>
>         </property>
>         <property name="userName" value="cn=XXXXXXX,ou=XXXXXXXX,ou=XXXXXX,dc=pu,dc=win,dc=princeton,dc=edu" />
>         <property name="baseEnvironmentProperties">
>             <map>
>                 <entry>
>                     <key><value>java.naming.security.protocol</value></key>
>                     <value>ssl</value>
>                 </entry>
>                 <entry>
>                     <key><value>java.naming.security.authentication</value></key>
>                     <value>simple</value>
>                 </entry>
>             </map>
>         </property>
>     </bean>
> </beans>
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
>