How is CAS 4.2.1 configured for LPPE ?

53 views
Skip to first unread message

casconfiguration casconfiguration

unread,
Mar 13, 2018, 12:00:42 PM3/13/18
to CAS Community
 Trying to get CAS version 4.2.1 to recognise and respond correctly to messages from an AD server (LPPE)such as the password must change or the account is locked. 
  
From the CAS log file it is reporting the error 773 for changing a password but it interprets it as an invalid authentication and presents the user with an Invalid Credentials message.
 
 The complete deployerConfigContext.xml file and cas.log  are attached


 =========================
 deployerConfigContext.xml
 =========================
 <?xml version="1.0" encoding="UTF-8"?>
<!--
| deployerConfigContext.xml centralizes into one file some of the declarative configuration that
| all CAS deployers will need to modify.
|
| This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
| The beans declared in this file are instantiated at context initialization time by the Spring
| ContextLoaderListener declared in web.xml.  It finds this file because this
| file is among those declared in the context parameter "contextConfigLocation".
|
| By far the most common change you will need to make in this file is to change the last bean
| declaration to replace the default authentication handler with
| one implementing your approach for authenticating usernames and passwords.
+-->



    <util:map id="authenticationHandlersResolvers">
        <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
        <entry key-ref="primaryAuthenticationHandler" value-ref="primaryPrincipalResolver" />  
    <entry key-ref="ldapAuthenticationHandler" value-ref="primaryPrincipalResolver" />
    </util:map>

    <util:list id="authenticationMetadataPopulators">
        <ref bean="successfulHandlerMetaDataPopulator" />
        <ref bean="rememberMeAuthenticationMetaDataPopulator" />
    </util:list>

    <bean id="ldapAuthenticationHandler"
    class="org.jasig.cas.authentication.LdapAuthenticationHandler"
    p:principalIdAttribute="sAMAccountName"
    c:authenticator-ref="authenticator"
      p:passwordPolicyConfiguration-ref="passwordPolicyConfiguration"> 
    </bean>

<ldaptive:ad-authenticator id="authenticator"
        ldapUrl="${ldap.url}"
        userFilter="${ldap.authn.searchFilter}"
        bindDn="${ldap.managerDn}"
        bindCredential="${ldap.managerPassword}"
        allowMultipleDns="${ldap.allowMultipleDns:false}"
        connectTimeout="${ldap.connectTimeout}"
        validateOnCheckOut="${ldap.pool.validateOnCheckout}"
        failFastInitialize="true"
        blockWaitTime="${ldap.pool.blockWaitTime}"
        idleTime="${ldap.pool.idleTime}"
        baseDn="${ldap.baseDn}"
        maxPoolSize="${ldap.pool.maxSize}"
        minPoolSize="${ldap.pool.minSize}"
        validatePeriodically="${ldap.pool.validatePeriodically}"
        validatePeriod="${ldap.pool.validatePeriod}"
        prunePeriod="${ldap.pool.prunePeriod}"
        useSSL="${ldap.use.ssl:false}"
        subtreeSearch="${ldap.subtree.search:true}"
        useStartTLS="${ldap.useStartTLS}"  />

    <bean id="attributeRepository" class="org.jasig.services.persondir.support.NamedStubPersonAttributeDao"
          p:backingMap-ref="attrRepoBackingMap" />

    <util:map id="attrRepoBackingMap">
        <entry key="uid" value="uid" />
        <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
        <entry key="groupMembership" value="groupMembership" />
        <entry>
            <key><value>memberOf</value></key>
            <list>
                <value>faculty</value>
                <value>staff</value>
                <value>org</value>
            </list>
        </entry>
    </util:map>

    <alias name="acceptUsersAuthenticationHandler" alias="primaryAuthenticationHandler" />
    <alias name="personDirectoryPrincipalResolver" alias="primaryPrincipalResolver" />
    <alias name="ldapPasswordPolicyConfiguration" alias="passwordPolicyConfiguration" />

    <alias name="serviceThemeResolver" alias="themeResolver" />

    <alias name="jsonServiceRegistryDao" alias="serviceRegistryDao" />

    <alias name="defaultTicketRegistry" alias="ticketRegistry" />

    <alias name="ticketGrantingTicketExpirationPolicy" alias="grantingTicketExpirationPolicy" />
    <alias name="multiTimeUseOrTimeoutExpirationPolicy" alias="serviceTicketExpirationPolicy" />

    <alias name="anyAuthenticationPolicy" alias="authenticationPolicy" />
    <alias name="acceptAnyAuthenticationPolicyFactory" alias="authenticationPolicyFactory" />

    <bean id="auditTrailManager"
          class="org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager"
          p:entrySeparator="${cas.audit.singleline.separator:|}"
          p:useSingleLine="${cas.audit.singleline:false}"/>

    <alias name="neverThrottle" alias="authenticationThrottle" />

    <util:list id="monitorsList">
        <ref bean="memoryMonitor" />
        <ref bean="sessionMonitor" />
    </util:list>

    <alias name="defaultPrincipalFactory" alias="principalFactory" />
    <alias name="defaultAuthenticationTransactionManager" alias="authenticationTransactionManager" />
    <alias name="defaultPrincipalElectionStrategy" alias="principalElectionStrategy" />
    <alias name="tgcCipherExecutor" alias="defaultCookieCipherExecutor" />
</beans>

 




===============
CAS.LOG 
===============
2018-03-13 15:12:52,101 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - LDAP response: [org.ldaptive.auth.AuthenticationResponse@250697538::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, resolvedDn=CN=A01_user1_*****_com,OU=sandbox,OU=SAAS,DC=******,DC=local, ldapEntry=[dn=CN=A01_user1_*****_com,OU=sandbox,OU=SAAS,DC=******,DC=local[]], accountState=[org.ldaptive.auth.ext.ActiveDirectoryAccountState@1840498349::accountWarnings=null, accountErrors=[PASSWORD_MUST_CHANGE]], result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 773, v2580 ], controls=null]
2018-03-13 15:12:52,101 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Applying password policy to [org.ldaptive.auth.AuthenticationResponse@250697538::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, resolvedDn=CN=A01_user1_*****_com,OU=sandbox,OU=SAAS,DC=******,DC=local, ldapEntry=[dn=CN=A01_user1_*****_com,OU=sandbox,OU=SAAS,DC=******,DC=local[]], accountState=[org.ldaptive.auth.ext.ActiveDirectoryAccountState@1840498349::accountWarnings=null, accountErrors=[PASSWORD_MUST_CHANGE]], result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 773, v2580 ], controls=null]
2018-03-13 15:12:52,116 DEBUG [org.jasig.cas.authentication.support.DefaultAccountStateHandler] - Handling error PASSWORD_MUST_CHANGE
2018-03-13 15:12:52,116 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - LdapAuthenticationHandler failed authenticating user1@*****.com
2018-03-13 15:12:52,116 DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - LdapAuthenticationHandler exception details: null
2018-03-13 15:12:52,116 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - Resolving argument [AuthenticationTransaction] for audit
2018-03-13 15:12:52,116 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - Resolving argument [UsernamePasswordCredential] for audit
2018-03-13 15:12:52,116 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: user1@*****.com
WHAT: Supplied credentials: [user1@*****.com]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Tue Mar 13 15:12:52 UTC 2018
CLIENT IP ADDRESS: 192.168.0.152
SERVER IP ADDRESS: 192.168.0.11
=============================================================
cas.log
deployerConfigContext.xml

Ray Bon

unread,
Mar 13, 2018, 12:35:39 PM3/13/18
to cas-...@apereo.org
It could be that error code is not identified in LPPE default settings. Back in 3.5.2.1 we had to identify the error codes and what should happen for each. I have not revisited LPPE since we upgraded.

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

casconfiguration casconfiguration

unread,
Mar 15, 2018, 5:33:26 AM3/15/18
to CAS Community
Hi, and thanks for the suggestion, we tried it but it didn't solve the problem.

In case there a dependency missing from our system, it was built from Maven and in the POM file with the following dependencies
    <dependencies>
        <dependency>
            <groupId>org.jasig.cas</groupId>
            <artifactId>cas-server-webapp</artifactId>
            <version>${cas.version}</version>
            <type>war</type>
            <scope>runtime</scope>
        </dependency>
        <dependency>
             <groupId>org.jasig.cas</groupId>
             <artifactId>cas-server-support-ldap</artifactId>
             <version>${cas.version}</version>
        </dependency>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>servlet-api</artifactId>
            <version>${servlet.version}</version>
            <scope>provided</scope>
        </dependency>
    </dependencies>
The first post to the group has a copy of the deployerConfigContext.xml so that you can see the beans that are being called.

Additional configuration goes into the cas.properties file.
 For the basic LDAP authentication there is an LDAP.properties file used.
 
 We had experimented with a separate LPPE-configuration xml file in the ...\webapps\cas\WEB-INF\spring-configuration folder  but we deleted it as we could not get it to work that way either.
 
Has anyone got LPPE to work with CAS 4.2.1?
Reply all
Reply to author
Forward
0 new messages