CAS 6.4 - Impossible to authenticate with LDAP


Jérémie Pilette

Mar 22, 2021, 10:37:56 AM
to CAS Community

Hi,
I have just installed CAS server version 6.4 and made my LDAP configuration.
It is impossible for users to authenticate.
Maybe I forgot something... I do not know what...

Do you have an idea, please?

Jérémie Pilette

Mar 22, 2021, 10:50:04 AM
to CAS Community, Jérémie Pilette
Here is my cas.properties:

***********
cas.server.name=https://xxxxx.xxxxx.fr
cas.server.prefix=${cas.server.name}/cas

logging.config=file:/etc/cas/config/log4j2.xml

cas.service-registry.json.location=file:/etc/cas/services

cas.authn.ldap[0].principal-attribute-list=cn,givenName,sn

# cas.authn.ldap[0].collect-dn-attribute=false
# cas.authn.ldap[0].principal-dn-attribute-name=
# cas.authn.ldap[0].allow-multiple-principal-attribute-values=true
# cas.authn.ldap[0].allow-missing-principal-attribute-value=true
# cas.authn.ldap[0].credential-criteria=

cas.authn.ldap[0].ldap-url=ldap://xxx.yyyy.com
cas.authn.ldap[0].bind-dn=userdn
cas.authn.ldap[0].bind-credential=pwd

cas.authn.ldap[0].base-dn=my_base_dn
cas.authn.ldap[0].subtree-search=true
cas.authn.ldap[0].search-filter=my_filter
cas.authn.ldap[0].page-size=0

cas.authn.ldap[0].principal-attribute-password=userPassword

cas.authn.ldap[0].min-pool-size=3
cas.authn.ldap[0].max-pool-size=10
cas.authn.ldap[0].validate-on-checkout=true
cas.authn.ldap[0].validate-periodically=true
cas.authn.ldap[0].validate-period=PT5M
cas.authn.ldap[0].validate-timeout=PT5S
cas.authn.ldap[0].fail-fast=false
cas.authn.ldap[0].idle-time=PT10M
cas.authn.ldap[0].prune-period=PT2H
cas.authn.ldap[0].block-wait-time=PT3S
cas.authn.ldap[0].use-start-tls=true
cas.authn.ldap[0].response-timeout=PT5S
*******************

Bartosz Nitkiewicz

Mar 22, 2021, 11:07:48 AM
to CAS Community, Jérémie Pilette
Hi,
Did you build the LDAP dependency into your CAS server?
You should add org.apereo.cas:cas-server-support-ldap:${casServerVersion} to build.gradle and rebuild the CAS app.
Regards,
BN

Jérémie Pilette

Mar 22, 2021, 11:13:17 AM
to CAS Community, Bartosz Nitkiewicz, Jérémie Pilette

Yes, I have:
compile "org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"

But I have seen that instead of "compile" we can put "implementation".
I do not know which one we have to use.

Bartosz Nitkiewicz

Mar 22, 2021, 11:17:58 AM
to CAS Community, Jérémie Pilette, Bartosz Nitkiewicz
implementation is ok

Try to add
cas.authn.ldap[0].name=adYourName
cas.authn.ldap[0].order=0

Jérémie Pilette

Mar 22, 2021, 11:18:41 AM
to CAS Community, Jérémie Pilette, Bartosz Nitkiewicz
Here is my log from Tomcat (catalina.out):

[2021-03-22 16:17:01] [info] 2021-03-22 16:17:01,729 INFO [org.apereo.cas.authentication.DefaultAuthenticationManager] - <[LdapAuthenticationHandler] exception details: [Invalid credentials].>
[2021-03-22 16:17:01] [info] 2021-03-22 16:17:01,730 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
[2021-03-22 16:17:01] [info] =============================================================
[2021-03-22 16:17:01] [info] WHO: my_user
[2021-03-22 16:17:01] [info] WHAT: [UsernamePasswordCredential(username=my_user, source=null, customFields={})]
[2021-03-22 16:17:01] [info] ACTION: AUTHENTICATION_FAILED
[2021-03-22 16:17:01] [info] APPLICATION: CAS
[2021-03-22 16:17:01] [info] WHEN: Mon Mar 22 16:17:01 CET 2021
[2021-03-22 16:17:01] [info] CLIENT IP ADDRESS: xx.xx.xx.xx
[2021-03-22 16:17:01] [info] SERVER IP ADDRESS: yy.yy.yy.yy
[2021-03-22 16:17:01] [info] =============================================================
[2021-03-22 16:17:01] [info] >
[2021-03-22 16:17:01] [info] 2021-03-22 16:17:01,730 WARN [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - <1 errors, 0 successes>

Jérémie Pilette

Mar 22, 2021, 11:21:48 AM
to CAS Community, Bartosz Nitkiewicz, Jérémie Pilette
It doesn't change anything with these two lines added... :o(

Jérémie Pilette

Mar 22, 2021, 11:25:41 AM
to CAS Community, Jérémie Pilette, Bartosz Nitkiewicz
It seems to be an invalid credential for the user... I don't know why...

Bartosz Nitkiewicz

Mar 22, 2021, 11:53:36 AM
to CAS Community, Jérémie Pilette, Bartosz Nitkiewicz
Maybe your LDAP server has to be authenticated through SSL/TLS (LDAPS)?

Ray Bon

Mar 22, 2021, 11:53:53 AM
to cas-...@apereo.org, jerem....@gmail.com, bar...@nitkiewicz.eu
Jérémie

Use a tool like ldapsearch or Directory Studio to make sure the connection settings work from the computer running CAS.
You can get more log details by debugging ldaptive (set ldap.log.level to debug).
If CAS is connecting to LDAP, check your LDAP logs to see what is happening on that end.

Ray

-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.
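
Ray's suggestion, worked through as an added example (not from the thread, and not CAS's own code): a POSIX shell script that replays what CAS does with a search-filter configuration, using the OpenLDAP client tools ldapsearch and ldapwhoami from the CAS host. It assumes those tools are installed, mirrors the placeholder values of the posted cas.properties, and assumes a filter of `(uid={user})` (the thread shows only `my_filter`). The point of the `diagnose` function is that an empty search result with exit code 0 is a different failure from a code 49 bind error: the first is what a wrong filter or a directory ACL hiding the entry produces, the second is a bad DN or password.

```shell
#!/bin/sh
# Added example, not from the thread. Needs the OpenLDAP client tools
# (ldapsearch, ldapwhoami). Values are placeholders mirroring the posted
# cas.properties; replace them with your own.
LDAP_URL="ldap://xxx.yyyy.com"     # cas.authn.ldap[0].ldap-url
BIND_DN="userdn"                   # cas.authn.ldap[0].bind-dn
BIND_PW="pwd"                      # cas.authn.ldap[0].bind-credential
BASE_DN="my_base_dn"               # cas.authn.ldap[0].base-dn
FILTER_TEMPLATE='(uid={user})'     # cas.authn.ldap[0].search-filter (assumed)
# If StartTLS fails, point the client at the CA that signed the server cert:
# export LDAPTLS_CACERT=/path/to/ca.pem

# Map the tool's exit status (= LDAP result code) plus the number of entries
# found to a diagnosis. Pure function, so it can be checked offline.
diagnose() {  # $1 = exit code, $2 = entries returned by the search
  case "$1" in
    0)  [ "$2" -gt 0 ] && echo "ok" || echo "not-visible: filter wrong or ACL hides the entry" ;;
    32) echo "no-such-object: base-dn wrong" ;;
    49) echo "invalid-credentials: wrong DN or password" ;;
    50) echo "insufficient-access: ACL denies the operation" ;;
    *)  echo "other-error: code $1" ;;
  esac
}

# Substitute {user} in the CAS search filter.
render_filter() {  # $1 = username
  printf '%s' "$FILTER_TEMPLATE" | sed "s/{user}/$1/"
}

# Replays what CAS does with a search-filter: bind as the service account,
# search base-dn for the user (StartTLS via -ZZ), then bind as the found DN
# with the user's password.
check_user() {  # $1 = username, $2 = user password
  filter=$(render_filter "$1")
  rc=0
  out=$(ldapsearch -ZZ -H "$LDAP_URL" -D "$BIND_DN" -w "$BIND_PW" \
        -b "$BASE_DN" -s sub -LLL "$filter" dn 2>&1) || rc=$?
  entries=$(printf '%s\n' "$out" | grep -c '^dn: ' || true)
  echo "search:    $(diagnose "$rc" "$entries")"
  [ "$rc" -eq 0 ] && [ "$entries" -gt 0 ] || return 1
  user_dn=$(printf '%s\n' "$out" | sed -n 's/^dn: //p' | head -n 1)
  rc=0
  ldapwhoami -ZZ -H "$LDAP_URL" -D "$user_dn" -w "$2" >/dev/null 2>&1 || rc=$?
  echo "user bind: $(diagnose "$rc" 1)"
  [ "$rc" -eq 0 ]
}
```

Run `check_user my_user 'the-password'` on the CAS host; if the search step already reports "not-visible", the ACL or filter, not the password, is what to look at on the directory side.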

Jérémie Pilette

Mar 22, 2021, 11:57:38 AM
to CAS Community, Bartosz Nitkiewicz, Jérémie Pilette
Yes, I am using StartTLS:
cas.authn.ldap[0].use-start-tls=true

Bartosz Nitkiewicz

Mar 22, 2021, 12:09:55 PM
to CAS Community, Jérémie Pilette, Bartosz Nitkiewicz
Shouldn't you add a keystore for SSL/TLS authentication?
Like:

cas.authn.ldap[0].keystore=file:/etc/cas/config/keystore.jks
cas.authn.ldap[0].keystorePassword=password
cas.authn.ldap[0].keystoreType=PKCS12

You should add your signed certificate to the main Java keystore.

Jérémie Pilette

Mar 22, 2021, 1:49:12 PM
to CAS Community, Bartosz Nitkiewicz, Jérémie Pilette
Bartosz Nitkiewicz
I am using an AJP connection between Apache2 and Tomcat 9.
Apache 2 is the front end with the TLS connection.

Jérémie Pilette

Mar 23, 2021, 7:34:27 AM
to CAS Community, Jérémie Pilette, Bartosz Nitkiewicz
Hi,
I have found the problem.
It was an ACL problem. I had a rule which blocked the access. I have fixed it and now all is correct.

Thank you for your help, Bartosz Nitkiewicz and Ray Bon.

Jérémie

Baba Ndiaye

Nov 4, 2021, 10:31:12 AM
to CAS Community, Jérémie Pilette, Bartosz Nitkiewicz
Hello @jérémie,
I saw that you were able to make progress with LDAP. I am a student and I am integrating CAS authentication for Moodle, but every time I get this error: "Application not authorized to use CAS".
I added the json dependency to the build.gradle file,
and in cas.properties I also added
cas.service-registry.json.location= file:/etc/cas/services
and I created a .json file.
Could you help me, please?