Attempting to connect CAS 5.1 to LDAP and running into cert issues
43 views
Skip to first unread message
Toby Archer
Jun 28, 2017, 3:06:23 PM6/28/17
to CAS Community
We are currently running CAS 3.5. It took my all of a few seconds to realize that upgrading, while I suppose could be an option, is way more effort than just reimplementing it. So I've started work on reimplementing our arrangement with CAS 5.1.
I cloned the gradle overlay template repo and got it up and running fairly easily on my local machine. Followed the instruction and made a self signed keystore and got cas running over https. So far so good. Then I figured ldap was next. So far this is my authn configuration
First line disables the demo auth service, and the rest is supposed to get ldap up and running. But when I do I get:
This is why I added "cas.authn.ldap[0].name" at the end of the properties list there. I was hoping that that would make it decide the hose name would be dev-ldap7-1. But no such luck. Looking over the available properties I can't find anything that helps me. Anyone got any clue on how to fix this?
I cloned the gradle overlay template repo and got it up and running fairly easily on my local machine. Followed the instruction and made a self signed keystore and got cas running over https. So far so good. Then I figured ldap was next. So far this is my authn configuration
cas.authn.accept.users=
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://dev-ldap7-1.usd.edu
cas.authn.ldap[0].baseDn=o=usd.edu
cas.authn.ldap[0].userFilter=uid=%u
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].bindDn=cn=Directory Manager
cas.authn.ldap[0].bindCredential=lols you no see password
cas.authn.ldap[0].keystore=file:/etc/cas/thekeystore
cas.authn.ldap[0].keyStorePassword=changeit
cas.authn.ldap[0].name=dev-ldap7-1
First line disables the demo auth service, and the rest is supposed to get ldap up and running. But when I do I get:
Caused by: java.security.cert.CertificateException: Hostname '[dev-ldap7-1.usd.edu]' does not match the hostname in the server's certificate 'CN=dev-ldap7-1, CN=636, CN=Directory Server, O=Sun Microsystems'
This is why I added "cas.authn.ldap[0].name" at the end of the properties list there. I was hoping that that would make it decide the hose name would be dev-ldap7-1. But no such luck. Looking over the available properties I can't find anything that helps me. Anyone got any clue on how to fix this?
Waldbieser, Carl
Jun 28, 2017, 8:13:01 PM6/28/17
to cas-...@apereo.org
Toby,
The issue is that many TLS client libraries expect that the host name used for the connection should either match the subject on the certificate, or a subject alternative name (SAN) on the certificate. In your case, "dev-ldap7-1.usd.edu" does not match "dev-ldap7-1.636.Directory Server.Sun Microsystems".
Some libraries let you disable host name verification, which might be OK if this is a development environment, though I'm not sure how you'd do that in this case.
Other options might include:
* Update the certificate on your LDAP service to include a subject or SAN that matches the DNS name used to connect. This is likely the only reasonable option in a production environment.
* If it is a DEV environment, you could try running without TLS and just using port 389 of your DEV LDAP service can be configured that way.
Thanks,
Carl Waldbieser
ITS Identity Management
Lafayette College
--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/0feb6647-e139-43b1-adac-4c9aed32fb8e%40apereo.org.
The issue is that many TLS client libraries expect that the host name used for the connection should either match the subject on the certificate, or a subject alternative name (SAN) on the certificate. In your case, "dev-ldap7-1.usd.edu" does not match "dev-ldap7-1.636.Directory Server.Sun Microsystems".
Some libraries let you disable host name verification, which might be OK if this is a development environment, though I'm not sure how you'd do that in this case.
Other options might include:
* Update the certificate on your LDAP service to include a subject or SAN that matches the DNS name used to connect. This is likely the only reasonable option in a production environment.
* If it is a DEV environment, you could try running without TLS and just using port 389 of your DEV LDAP service can be configured that way.
Thanks,
Carl Waldbieser
ITS Identity Management
Lafayette College
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/0feb6647-e139-43b1-adac-4c9aed32fb8e%40apereo.org.
Reply all
Reply to author
Forward
0 new messages