CAS5 LDAP


Lionel Samuel

May 12, 2018, 7:16:54 PM
to CAS Community
Hi List:

I have a shiny new deployment of CAS 5.2.4. I am setting up LDAP authentication; however, HttpBasedServiceCredentialsAuthenticationHandler appears to be leveraged and not LdapAuthenticationHandler. How do I toggle LDAP authentication? I have followed Any's settings for cas.properties on https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/QtzfZI1gnA4


<Authentication handlers used for this transaction are [HttpBasedServiceCredentialsAuthenticationHandler]>
2018-05-12 16:11:24,362 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [lionel101] of type [UsernamePasswordCredential]. Examine the configuration to ensure a method of authentication is defined and analyze CAS logs at DEBUG level to trace the authentication event.>
2018-05-12 16:11:24,363 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: lionel101
WHAT: Supplied credentials: [lionel101]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Sat May 12 16:11:24 PDT 2018
CLIENT IP ADDRESS: snip
SERVER IP ADDRESS: snip
=============================================================

David Curry

May 12, 2018, 7:30:06 PM
to cas-...@apereo.org
Did you add the LDAP dependency to pom.xml and rebuild the WAR?


David A. Curry,  CISSP
Director of Information Security
The New School - Information Technology
71 Fifth Ave., 9th Fl. ~ New York, NY 10003
+1 212 229-5300 x4728
david...@newschool.edu
Sent from my phone; please excuse typos and inane auto-corrections.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG

Lionel Samuel

May 12, 2018, 7:34:50 PM
to CAS Community
Hi David:

It's an honor. I read your guide when googling this issue.

I had added the following to the pom.xml and had rebuilt the WAR via './build.sh package', then deployed the new WAR to Tomcat.

Did I miss anything?

I can't see the CAS server making a call to our LDAP server --- so it must somehow be skipping LDAP altogether.

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>

David Curry

May 12, 2018, 7:43:24 PM
to cas-...@apereo.org
Assuming you added all the LDAP properties.... Did you disable the use of the built-in credentials (casuser/Mellon)?
cas.authn.accept.users:
It should be set to an empty value, as shown above.

Lionel Samuel

May 12, 2018, 7:51:11 PM
to CAS Community
Yes --- here is my 'cas.properties' configuration.

The ldap connection URL and DNs are correct (validated via ldapsearch from command line).

Do you notice anything else missing?

cas.properties:

cas.server.name: http://localhost:8080/
cas.server.prefix: http://localhost:8080/edu-cas

cas.adminPagesSecurity.ip=127\.0\.0\.1

logging.config: file:/etc/cas/config/log4j2.xml
# cas.serviceRegistry.config.location: classpath:/services


# Encrypt Cookies
cas.tgc.secure:                       true
cas.tgc.crypto.signing.key:          snip
cas.tgc.crypto.encryption.key:       snip

# Encrypt Spring Workflow
cas.webflow.crypto.signing.key:      snip
cas.webflow.crypto.encryption.key:    snip



# cas.authn.ldap[0].type= DIRECT
cas.authn.ldap[0].ldapUrl=ldaps://ldap.snip
# cas.authn.ldap[0].connectionStrategy=
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].subtreeSearch=true
# BaseDn used to start the LDAP search looking for accounts
cas.authn.ldap[0].baseDn=ou=PEOPLE,ou=edu
# The search filter to use while looking for accounts.
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].usePasswordPolicy=false


cas.authn.ldap[0].dnFormat=uid=%s,ou=PEOPLE,ou=edu
cas.authn.ldap[0].principalAttributeId=uid
cas.authn.ldap[0].principalAttributePassword=
cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true



# Bind credentials used to connect to the LDAP instance
#
cas.authn.ldap[0].bindDn=uid=foo,ou=edu
cas.authn.ldap[0].bindCredential=snip

cas.authn.accept.users:

Lionel Samuel

May 12, 2018, 8:02:50 PM
to CAS Community
I am testing on my localhost and don't have SSL --- could this be it? If this is it, is there a way to disable SSL requirement for testing?

David Curry

May 12, 2018, 8:03:25 PM
to cas-...@apereo.org
Since you have bind credentials specified, I'm thinking maybe you want AUTHENTICATED rather than DIRECT. That's just a guess, though. You might want to check the definitions of the types here: 
https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#ldap-authentication-1

Otherwise nothing jumps out at me as wrong, but I'm reading this on a phone. :-) If it still doesn't work, I would suggest setting debug-level logging and seeing if that helps.

Lionel Samuel

May 12, 2018, 10:19:43 PM
to CAS Community
Thanks David!

Your guidance helped tremendously. I had inadvertently commented out the 'cas.authn.ldap[0].type' line.

Have a great weekend.

David Curry

May 12, 2018, 10:47:20 PM
to cas-...@apereo.org
Glad you figured it out.
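The thread boils down to a handful of cas.properties mistakes that are easy to miss by eye: an `ldap[0].type` line that exists but sits behind a `#`, a `cas.authn.accept.users` that was never emptied (so casuser/Mellon keeps working), and a `bindDn` configured for a `DIRECT` handler that binds as the end user. The script below, added here as an illustration and not code from the thread or from the Apereo CAS project, reads a CAS 5.x properties file and reports those conditions, plus two standard checks the thread touches on but does not resolve (a plain `ldap://` URL without StartTLS, and `cas.tgc.secure=true` with an `http://` server name, where the browser will never return the Secure ticket-granting cookie). Property names follow the CAS 5.2.x configuration reference; the embedded sample is a constructed copy of the posted configuration with the hostname and secret replaced.

```python
"""Lint the LDAP-related settings of a CAS 5.x cas.properties file.

Added example (not part of the mailing-list thread or of Apereo CAS).
Diagnostics cover: commented-out cas.authn.ldap[n].type, DIRECT vs
AUTHENTICATED prerequisites, cleartext ldap://, a non-empty or missing
cas.authn.accept.users, and a Secure TGC behind an http:// server name.
"""
import re
from typing import Dict, List, Tuple

# Constructed copy of the cas.properties posted in the thread (host and secret replaced).
SAMPLE = """\
cas.server.name: http://localhost:8080/
cas.server.prefix: http://localhost:8080/edu-cas
cas.tgc.secure:                       true
# cas.authn.ldap[0].type= DIRECT
cas.authn.ldap[0].ldapUrl=ldaps://ldap.example.edu
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].baseDn=ou=PEOPLE,ou=edu
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].dnFormat=uid=%s,ou=PEOPLE,ou=edu
cas.authn.ldap[0].bindDn=uid=foo,ou=edu
cas.authn.ldap[0].bindCredential=not-the-real-one
cas.authn.accept.users:
"""

# key [=|:] value ; an optional leading '#' marks the line as commented out.
PROP_RE = re.compile(r"^\s*(#?)\s*([A-Za-z0-9_.\[\]]+)\s*[=:]\s*(.*?)\s*$")
LDAP_RE = re.compile(r"^cas\.authn\.ldap\[(\d+)\]\.(\w+)$")


def parse_properties(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (active, commented_out) maps. Spring Boot accepts '=' or ':' as
    separator; commented-out keys are kept apart so a '#' in front of an
    otherwise valid line (the mistake in the thread) gets a pointed message."""
    active: Dict[str, str] = {}
    commented: Dict[str, str] = {}
    for line in text.splitlines():
        m = PROP_RE.match(line)
        if m:
            hash_, key, value = m.groups()
            (commented if hash_ else active)[key] = value
    return active, commented


def lint(text: str) -> List[str]:
    """Return 'ERROR:'/'WARN:' findings; an empty list means nothing to report."""
    active, commented = parse_properties(text)
    findings: List[str] = []
    indices = sorted({int(m.group(1)) for k in list(active) + list(commented)
                      for m in [LDAP_RE.match(k)] if m})
    if not indices:
        findings.append("ERROR: no cas.authn.ldap[n].* properties found; the LDAP handler is never configured")

    for i in indices:
        p = f"cas.authn.ldap[{i}]."

        def get(name: str) -> str:
            return active.get(p + name, "").strip()

        ltype = get("type").upper()
        if not ltype:
            hint = " (the line exists but is commented out)" if (p + "type") in commented else ""
            findings.append(f"ERROR: {p}type is not set{hint}; without it CAS registers no "
                            "LdapAuthenticationHandler for this entry and falls through to the other handlers")
        elif ltype == "DIRECT":
            if not get("dnFormat"):
                findings.append(f"ERROR: {p}dnFormat is required when type=DIRECT")
            if get("bindDn"):
                findings.append(f"WARN: {p}bindDn is set but type=DIRECT binds as the end user via dnFormat; "
                                "if a service account should look the user up first, use type=AUTHENTICATED")
        elif ltype == "AUTHENTICATED":
            for req in ("bindDn", "bindCredential", "baseDn", "userFilter"):
                if not get(req):
                    findings.append(f"ERROR: {p}{req} is required when type=AUTHENTICATED")

        url = get("ldapUrl")
        if not url:
            findings.append(f"ERROR: {p}ldapUrl is not set")
        elif url.startswith("ldap://") and get("useStartTls").lower() != "true":
            findings.append(f"WARN: {p}ldapUrl is plain ldap:// without useStartTls; "
                            "user passwords would cross the network in the clear")

    # The static test account must be explicitly emptied once real authentication works.
    users = active.get("cas.authn.accept.users")
    if users is None:
        findings.append("WARN: cas.authn.accept.users is not set; the built-in casuser/Mellon account stays enabled")
    elif users.strip():
        findings.append(f"WARN: cas.authn.accept.users is non-empty ({users.strip()}); static accounts are still accepted")

    # A Secure cookie is never sent back by the browser over plain http, so SSO silently fails.
    if active.get("cas.server.name", "").startswith("http://") and active.get("cas.tgc.secure", "").lower() == "true":
        findings.append("WARN: cas.tgc.secure=true but cas.server.name is http://; the browser will not return "
                        "the ticket-granting cookie over plain HTTP (first login works, no SSO session follows)")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Run against the sample it reports the commented-out `type` as an ERROR and the Secure-cookie-over-HTTP mismatch as a WARN; once `type=DIRECT` is uncommented and the server name is https, the only remaining finding is the `bindDn`-with-`DIRECT` warning that prompted David's AUTHENTICATED suggestion.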