What are the exact steps to configure CAS 5.0.0 RC1 to use LDAP?


Sascha Müller

Aug 23, 2016, 10:59:23 AM
to CAS Community
Hey everybody,

I tried to configure LDAP login through CAS 5.0.0 RC1 for more or less 4 days now.
As far as I understand the documentation, all I have to do is:

  • add the dependency cas-server-support-ldap to my pom.xml and
  • configure ldap support via cas.properties (like url, baseDn etc.).

But when I try to login, I get the following message on the console:

Cannot find authentication handler that supports [username] of type [UsernamePasswordCredential], which suggests a configuration problem.

 
I get the strong feeling I'm missing something really important here...

Misagh Moayyed

Aug 24, 2016, 12:00:37 AM
to CAS Community
Without knowing what you have so far, it’s very difficult to say. Either you have misplaced the configuration, or you have misdefined the property keys.

-- 
Misagh
--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/51f27ef4-59b9-4b3e-9cf6-e6908bf3d98d%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.

Sascha Müller

Aug 24, 2016, 2:02:23 AM
to CAS Community, mmoa...@unicon.net
Ok. So here's a full rundown of what I've done so far including config files and log. Hope that helps.

First of all I've cloned the repository of the CAS war overlay and switched to branch 5.0. Then I've generated a certificate (thekeystore) and put it into '/etc/cas/'. When I run cas, https seems to be working fine.
Next I changed the cas.properties to

cas.server.name=https://localhost:8443
cas.server.prefix=https://localhost:8443/cas
cas.adminPagesSecurity.ip=127\.0\.0\.1
logging.config=file:/etc/cas/config/log4j2.xml
# cas.serviceRegistry.config.location: classpath:/services
cas.authn.accept.users= 
### LDAP settings ###
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].ldapUrl=ldap://ldapserver.company.com:389/dc=company,dc=com
cas.authn.ldap[0].dnFormat=uid=%s,ou=Users,dc=company,dc=com
cas.authn.ldap[0].baseDn=dc=company,dc=com
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].principalAttributeId=uid
cas.authn.ldap[0].principalAttributePassword=
cas.authn.ldap[0].minPoolSize=3
cas.authn.ldap[0].maxPoolSize=10
cas.authn.ldap[0].validateOnCheckout=true
cas.authn.ldap[0].validatePeriodically=true
cas.authn.ldap[0].validatePeriod=600
cas.authn.ldap[0].failFast=true
cas.authn.ldap[0].idleTime=5000
cas.authn.ldap[0].prunePeriod=5000
cas.authn.ldap[0].blockWaitTime=5000
 
I was assured by our systems department that these settings should be OK. I did not touch 'application.yml' or any other file (except the pom.xml, which I attached alongside the cas.log).

Now, when I run "./build.sh clean package" & "./build.sh run" the server starts up, but login fails with the message

2016-08-24 07:47:01,453 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [sam] of type [UsernamePasswordCredential], which suggests a configuration problem.>

If you need anything else, please let me know.

Thanks in advance.
pom.xml
cas.log

Misagh Moayyed

Aug 24, 2016, 10:56:18 AM
to CAS Community

Sascha Müller

Aug 25, 2016, 10:05:53 AM
to CAS Community, mmoa...@unicon.net
I totally missed that one!

Thank you so much.

Erdal Gunyar

Oct 11, 2016, 4:38:52 AM
to CAS Community, mmoa...@unicon.net
I don't know where you got the path at the end of:
cas.authn.ldap[0].ldapUrl=ldap://ldapserver.company.com:389/dc=company,dc=com


But that saved me from hours of Google digging!
Thanks a lot! :)

Erdal.

Stefan Schulz

May 8, 2017, 4:16:33 PM
to CAS Community
In the latest version (5.0.5) the comma needs to be URL encoded, otherwise CAS assumes 'dc=com' to be a second server.

cas.authn.ldap[0].ldapUrl=ldap://ldapserver.company.com:389/dc=company%2Cdc=com

Took me a while to figure that out...
Note: I am only answering as this is the only place I found (i.e. top google results) with a complete CAS 5.0.X LDAP configuration.

Ng Sek Long

Jul 31, 2017, 12:31:25 AM
to CAS Community
Both the "commas" and "%2C" comments saved my life. Thank you, Erdal and Stefan!

Also, I found that type=DIRECT is needed for my case (type=AUTHENTICATED did not work for me).

Here's my config that works in CAS 5.1.2, for future readers.

Let's say your server is named [your.ldap.server],
with port [389],
and you can search your users with [ou=people,dc=somesite,dc=net];
your admin account is named [admin]
with password [abcd1234].


cas.authn.ldap[0].type=DIRECT
cas.authn.ldap[0].ldapUrl=ldap://your.ldap.server:389/ou=people%2Cdc=somesite%2Cdc=net
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].baseDn=ou=people,dc=somesite,dc=net
cas.authn.ldap[0].userFilter=uid=%s
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].usePasswordPolicy=false
cas.authn.ldap[0].bindDn=uid=admin,dc=somesite,dc=net
cas.authn.ldap[0].bindCredential=abcd1234

cas.authn.ldap[0].dnFormat=uid=%s,ou=people,dc=somesite,dc=net
cas.authn.ldap[0].principalAttributeId=uid
cas.authn.ldap[0].principalAttributePassword=
cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
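Two of the pitfalls in this thread are easy to catch before starting CAS at all: Stefan's point that a bare comma in the ldapUrl path is read as a separator between servers (so it must be %2C-encoded), and Ng Sek Long's finding that his dnFormat-based setup needed type=DIRECT. The script below is an added example, not code from the CAS project or from any poster: it parses the cas.authn.ldap[N].* keys out of a cas.properties file, builds a correctly encoded ldapUrl, and reports those two conditions. The embedded properties are constructed from the configurations posted above, with the host names and password replaced by placeholders.

```python
import re
from urllib.parse import quote, urlsplit

# Constructed sample in the thread's cas.authn.ldap[N].key=value form (hosts and
# the password are placeholders). Block 0 mirrors the original post: bare commas
# in the ldapUrl path and no type. Block 1 mirrors the later working shape:
# %2C-encoded path and type=DIRECT.
SAMPLE_PROPERTIES = """\
cas.server.name=https://localhost:8443
# cas.serviceRegistry.config.location: classpath:/services
cas.authn.ldap[0].ldapUrl=ldap://ldapserver.company.com:389/dc=company,dc=com
cas.authn.ldap[0].baseDn=dc=company,dc=com
cas.authn.ldap[0].dnFormat=uid=%s,ou=Users,dc=company,dc=com
cas.authn.ldap[0].principalAttributeId=uid
cas.authn.ldap[1].type=DIRECT
cas.authn.ldap[1].ldapUrl=ldap://your.ldap.server:389/ou=people%2Cdc=somesite%2Cdc=net
cas.authn.ldap[1].baseDn=ou=people,dc=somesite,dc=net
cas.authn.ldap[1].dnFormat=uid=%s,ou=people,dc=somesite,dc=net
cas.authn.ldap[1].bindDn=uid=admin,dc=somesite,dc=net
cas.authn.ldap[1].bindCredential=PLACEHOLDER_PASSWORD
cas.authn.ldap[1].principalAttributeId=uid
"""

# Matches one indexed LDAP key; the value may itself contain '=' and ','.
LDAP_KEY = re.compile(r"^cas\.authn\.ldap\[(\d+)\]\.(\w+)=(.*)$")


def parse_ldap_blocks(text):
    """Group cas.authn.ldap[N].* keys by their index N, skipping comments."""
    blocks = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LDAP_KEY.match(line)
        if m:
            idx, key, value = m.groups()
            blocks.setdefault(int(idx), {})[key] = value.strip()
    return blocks


def encode_ldap_url(host, port, base_dn, scheme="ldap"):
    """Build an ldapUrl whose DN path has its commas percent-encoded, as
    recommended in the thread. '=' is kept literal so the DN stays readable."""
    return f"{scheme}://{host}:{port}/{quote(base_dn, safe='=')}"


def lint_ldap_block(idx, props):
    """Return human-readable findings for one cas.authn.ldap[idx] block."""
    findings = []
    url = props.get("ldapUrl")
    if url is None:
        findings.append(f"ldap[{idx}]: ldapUrl is missing")
    else:
        path = urlsplit(url).path.lstrip("/")
        if "," in path:
            findings.append(
                f"ldap[{idx}]: ldapUrl path '{path}' has a bare comma; encode it "
                "as %2C so CAS does not read the tail as a second server")
    if "type" not in props:
        findings.append(
            f"ldap[{idx}]: no type set; the thread reports type=DIRECT being "
            "required for dnFormat-based login on CAS 5.1.x")
    if props.get("type") == "DIRECT" and "dnFormat" not in props:
        findings.append(f"ldap[{idx}]: type=DIRECT without a dnFormat")
    return findings


def lint(text):
    """Lint every LDAP block in a cas.properties text; empty list means clean."""
    return {idx: lint_ldap_block(idx, props)
            for idx, props in sorted(parse_ldap_blocks(text).items())}


if __name__ == "__main__":
    for idx, findings in lint(SAMPLE_PROPERTIES).items():
        print(idx, findings or "ok")
    print(encode_ldap_url("your.ldap.server", 389, "ou=people,dc=somesite,dc=net"))
```

Run it against your own file with `lint(open("/etc/cas/config/cas.properties").read())`; block 0 of the sample produces the comma and type findings while block 1 comes back clean.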

Ganesh Prasad

Jun 11, 2018, 10:59:37 PM
to CAS Community
Hi Andy and others,

Much as I wanted to avoid troubling people with this problem, I am unable to make progress with registering the LdapAuthenticationHandler. I have posted separately on this under the subject "Not able to register LdapAuthenticationHandler" and have listed my cas.properties configuration as it pertains to LDAP. I tried with both types AUTHENTICATED and DIRECT. Neither worked.

Do I need to explicitly specify the cas-server-support-ldap dependency in my pom.xml? I thought CAS would pick it up automatically if the right config properties are set in cas.properties.

Any help would be appreciated.

Thanks in advance.

Ganesh

Andy Ng

Jun 11, 2018, 11:30:31 PM
to CAS Community
Hi Ganesh,

Yup, you do need to add the dependency to pom.xml, as documented here: https://apereo.github.io/cas/5.2.x/installation/LDAP-Authentication.html. That might be something that changed from CAS 3 to CAS 5.

Also, you might try enabling debug mode for CAS (https://apereo.github.io/cas/development/installation/Configuration-Properties.html#logging ); that will help your debugging :)

Cheers!
- Andy

Ganesh Prasad

Jun 12, 2018, 2:51:39 AM
to CAS Community
Thanks, Andy! That's what was missing (pom file dependency definition). I was under the impression CAS would dynamically figure these out based on the cas.properties file. (Maybe in CAS 6 :-).)

Now I have progressed to the next error, where the LDAP authentication succeeds but it's not returning the 'cn' attribute. 

In the directory, the username (cn) is the email address, and it's authenticated using a password. Once authenticated, I need that value to retrieve the rest of the attributes from a database using the value of the 'email_id' column. So the 'cn' attribute in the directory needs to be mapped to the 'email_id' column of the database, and I have done this mapping in a couple of places; I think I've made an error somewhere:

cas.authn.ldap[0].principalAttributeId=cn
cas.authn.ldap[0].principalAttributeList=cn:email_id
cas.authn.attributeRepository.defaultAttributesToRelease=cn:email_id

The log says:

2018-06-12 16:37:29,161 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Attempting authentication internally for transformed credential [crtsyd.t...@testbuyonplatform.com.au]>
2018-06-12 16:37:29,162 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Attempting LDAP authentication for [crtsyd.t...@testbuyonplatform.com.au]. Authenticator pre-configured attributes are [null], additional requested attributes for this authentication request are [[cn]]>
2018-06-12 16:37:29,210 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <LDAP response: [[org.ldaptive.auth.AuthenticationResponse@19191242::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS, resolvedDn=cn=crtsyd.t...@testbuyonplatform.com.au,ou=agencies,dc=bidonprint,dc=com,dc=au, ldapEntry=[dn=cn=crtsyd.t...@testbuyonplatform.com.au,ou=agencies,dc=bidonprint,dc=com,dc=au[]], accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]]>
2018-06-12 16:37:29,211 DEBUG [org.apereo.cas.authentication.support.LdapPasswordPolicyHandlingStrategy] - <Authentication response [DefaultLdapPasswordPolicyHandlingStrategy] is supported by password policy handling strategy [{}]>
2018-06-12 16:37:29,212 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Attempting to examine and handle LDAP password policy via [DefaultLdapPasswordPolicyHandlingStrategy]>
2018-06-12 16:37:29,213 DEBUG [org.apereo.cas.authentication.support.DefaultLdapPasswordPolicyHandlingStrategy] - <Applying password policy [[org.ldaptive.auth.AuthenticationResponse@19191242::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS, resolvedDn=cn=crtsyd.t...@testbuyonplatform.com.au,ou=agencies,dc=bidonprint,dc=com,dc=au, ldapEntry=[dn=cn=crtsyd.t...@testbuyonplatform.com.au,ou=agencies,dc=bidonprint,dc=com,dc=au[]], accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]] to [org.apereo.cas.authentication.support.DefaultAccountStateHandler@1c53cb0d]>
2018-06-12 16:37:29,214 DEBUG [org.apereo.cas.authentication.support.DefaultAccountStateHandler] - <Attempting to handle LDAP account state for [[org.ldaptive.auth.AuthenticationResponse@19191242::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS, resolvedDn=cn=crtsyd.t...@testbuyonplatform.com.au,ou=agencies,dc=bidonprint,dc=com,dc=au, ldapEntry=[dn=cn=crtsyd.t...@testbuyonplatform.com.au,ou=agencies,dc=bidonprint,dc=com,dc=au[]], accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]]>
2018-06-12 16:37:29,215 DEBUG [org.apereo.cas.authentication.support.DefaultAccountStateHandler] - <Account state not defined. Returning empty list of messages.>
2018-06-12 16:37:29,216 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <LDAP response returned a result. Creating the final LDAP principal>
2018-06-12 16:37:29,217 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Creating LDAP principal for [crtsyd.t...@testbuyonplatform.com.au] based on [cn=crtsyd.t...@testbuyonplatform.com.au,ou=agencies,dc=bidonprint,dc=com,dc=au] and attributes [[]]>
2018-06-12 16:37:29,218 ERROR [org.apereo.cas.authentication.LdapAuthenticationHandler] - <The principal id attribute [cn] is not found. CAS is configured to disallow missing principal attributes>
2018-06-12 16:37:29,219 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[LdapAuthenticationHandler] exception details: [Principal id attribute is not found for null].>
2018-06-12 16:37:29,219 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [crtsyd.t...@testbuyonplatform.com.au] of type [UsernamePasswordCredential]. Examine the configuration to ensure a method of authentication is defined and analyze CAS logs at DEBUG level to trace the authentication event.>
2018-06-12 16:37:29,224 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHAT: Supplied credentials: [crtsyd.t...@testbuyonplatform.com.au]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Tue Jun 12 16:37:29 AEST 2018

Regards,
Ganesh

Andy Ng

Jun 12, 2018, 3:13:50 AM
to CAS Community
Hmm, I am not familiar enough with LDAP to discuss this problem with you, but if you can't find an answer for your use case, you can always resort to a Custom Authentication Handler (https://apereo.github.io/2017/02/02/cas51-authn-handlers/), so you have the most flexibility.

For your reference, I get the username, go to the database to do a list of validations and transformations, then go back to LDAP to authenticate. I found that CAS definitely does not have something that supports my use case, so I resorted to custom authentication.

Hope this is somewhat useful info for you...

Cheers!
-Andy

Ganesh Prasad

Jun 12, 2018, 4:25:28 AM
to CAS Community
OK, I've got past that error also.

I saw a post elsewhere that said if LDAP is configured to return attributes as part of the authentication, CAS doesn't take cognisance of any other attribute repositories.

So I changed my configuration to *not* return any attributes from the LDAP authentication, then I defined LDAP a second time as an attribute repository in addition to the database.

So now it seems to work. The authentication succeeds, it constructs a principal out of the username (email address) since no attributes came back from LDAP, then it gets the rest of the attributes from the database and constructs an attribute result.

It generates a ticket granting ticket and a service ticket and redirects to my web server.

However, my web server has a problem with it. Do I need to upgrade mod_auth_cas for Apache2 because I've upgraded CAS from 3.5 to 5.2.5?

Regards,
Ganesh



Ganesh Prasad

Jun 12, 2018, 4:34:46 AM
to CAS Community
Yes, it's something to do with the token format as received by Apache. The Apache log says:

[Tue Jun 12 18:11:09.963805 2018] [:error] [pid 22056:tid 139754662188800] [client 119.63.218.4:54582] MOD_AUTH_CAS: error parsing CASv2 response: XML parser error code: mismatched tag (7)

Is this really an XML formatting problem, or has the version of the token changed (SAML 1.1 versus SAML2, etc.)?

Is there any setting on CAS to send back attribute tokens in an older format, or do I have to upgrade mod_auth_cas (and the interceptors on my Tomcat app server)?

Regards,
Ganesh

David Hawes

Jun 12, 2018, 12:07:36 PM
to CAS Community
On Tue, Jun 12, 2018 at 4:34 AM, Ganesh Prasad <g.c.p...@gmail.com> wrote:
> Yes, it's something to do with the token format as received by Apache. The
> Apache log says:
>
> [Tue Jun 12 18:11:09.963805 2018] [:error] [pid 22056:tid 139754662188800]
> [client 119.63.218.4:54582] MOD_AUTH_CAS: error parsing CASv2 response: XML
> parser error code: mismatched tag (7)
>
> Is this really an XML formatting problem, or has the version of the token
> changed (SAML 1.1 versus SAML2, etc.)?

The response will be printed out if you've turned on debug logging
(CASDebug On).

Does it look valid?

Tom O'Neill

Jun 12, 2018, 12:49:32 PM
to cas-...@apereo.org
It's possible that an attribute is breaking the XML.

Thanks,

    Tom

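David's suggestion to dump the response with CASDebug On and Tom's guess that an attribute is breaking the XML can be checked directly: a CAS 2.0 serviceValidate response is plain XML, and a released attribute value containing an unescaped '<' is enough to produce exactly the "mismatched tag" expat error in the Apache log. The block below is an added example, not code from mod_auth_cas or CAS: it renders a CASv2 success response with every value escaped, parses a captured response back into the user and attribute map, and reports the parser's complaint when the document is malformed. The two responses and the user values in it are constructed; the cas namespace URI is the one the CAS protocol uses.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

CAS_NS = "http://www.yale.edu/tp/cas"  # namespace of CAS 2.0 protocol responses


def build_response(user, attributes):
    """Render a CAS v2 authenticationSuccess response, escaping every value so
    '<', '>' and '&' coming from the directory or database cannot break it."""
    attrs = "".join(f"<cas:{k}>{escape(v)}</cas:{k}>" for k, v in attributes.items())
    return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}">'
            f"<cas:authenticationSuccess><cas:user>{escape(user)}</cas:user>"
            f"<cas:attributes>{attrs}</cas:attributes>"
            "</cas:authenticationSuccess></cas:serviceResponse>")


# Constructed: the same kind of response with one attribute value left unescaped.
BROKEN_RESPONSE = (
    f'<cas:serviceResponse xmlns:cas="{CAS_NS}"><cas:authenticationSuccess>'
    "<cas:user>ganesh@example.test</cas:user>"
    "<cas:attributes><cas:displayName>Smith <Agency></cas:displayName></cas:attributes>"
    "</cas:authenticationSuccess></cas:serviceResponse>"
)


def parse_response(xml_text):
    """Return (user, {attribute: value}); raise ValueError if the XML is not
    well-formed or carries no authenticationSuccess element."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"CASv2 response is not well-formed XML: {exc}") from exc
    ns = {"cas": CAS_NS}
    success = root.find("cas:authenticationSuccess", ns)
    if success is None:
        raise ValueError("no cas:authenticationSuccess element in response")
    user = success.findtext("cas:user", namespaces=ns)
    attrs = {}
    container = success.find("cas:attributes", ns)
    if container is not None:
        for el in container:
            # strip the '{namespace}' prefix ElementTree puts on the tag
            attrs[el.tag.split("}", 1)[-1]] = el.text or ""
    return user, attrs


def diagnose(xml_text):
    """Return None when the response parses, otherwise the parser's complaint;
    an unescaped '<' inside a value yields the 'mismatched tag' seen in Apache's log."""
    try:
        parse_response(xml_text)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    good = build_response("ganesh@example.test",
                          {"email_id": "ganesh@example.test", "displayName": "Smith <Agency>"})
    print(parse_response(good))
    print(diagnose(BROKEN_RESPONSE))
```

Paste the response body that CASDebug prints into `diagnose()`; a `None` result means the XML itself is fine and the problem lies elsewhere (for instance a protocol or dependency mismatch, as it turned out here), while a "mismatched tag" message points at an attribute value that was released without escaping.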

Ganesh Prasad

Jun 14, 2018, 5:53:43 AM
to CAS Community
I enabled cas-server-support-saml in the POM file. That solved the problem.

Regards,
Ganesh