Help with CAS 5.1.3 & LDAP

1,046 views

Chris Peck

Aug 16, 2017, 3:21:40 PM
to CAS Community
I cannot for the life of me figure out what I need to get my dev CAS instance to talk to LDAP. When it's running and I try to auth to the webpage I see this in the logs:

cas_1  | 2017-08-16 19:14:36,150 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - <Authentication handlers used for this transaction are [HttpBasedServiceCredentialsAuthenticationHandler]>
cas_1  | 2017-08-16 19:14:36,152 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [crp] of type [UsernamePasswordCredential], which suggests a configuration problem.>

I have this in my pom.xml:
    <dependencies>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-webapp${app.server}</artifactId>
            <version>${cas.version}</version>
            <type>war</type>
            <scope>runtime</scope>
        </dependency>
        <dependency>
             <groupId>org.apereo.cas</groupId>
             <artifactId>cas-server-support-ldap</artifactId>
             <version>${cas.version}</version>
        </dependency>
    </dependencies>

And, I've this in my cas.properties file:
/etc/cas/config # cat cas.properties 
cas.server.prefix: https://localhost:8443/cas

cas.adminPagesSecurity.ip=127\.0\.0\.1

logging.level.org.apereo=DEBUG
logging.config: file:/etc/cas/config/log4j2.xml
cas.serviceRegistry.config.location: classpath:/services

# Override cas-overlay-template auth for testing
cas.authn.accept.users=

and my ldap.properties


# LDAP Config
cas.authn.policy.req.handlername=LdapAuthenticationHandler
cas.authn.policy.req.enabled=true

cas.authn.ldap[0].type=ANONYMOUS
cas.authn.ldap[0].ldapUrl=ldaps://ldap.somewhere
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].baseDn=ou=people,dc=some,dc=where
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].subtreeSearch=true

cas.authn.ldap[0].dnFormat=uid=%s,ou=people,dc=some,dc=where
cas.authn.ldap[0].principalAttributeId=uid
cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true

It's gotta be some simple little thing I'm missing.
Thanks,
Chris
PS - it's all running in a docker container

Brian Gibson

Aug 16, 2017, 3:49:23 PM
to cas-...@apereo.org, Chris Peck
I don't know if this is 100% correct but my ldap settings are in my cas.properties file, I do not have an ldap.properties file.
--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAFZ1tgYS_eTRq09SofVSPQHirfnz32nvO-V21i9c1Q34SkV%3DWQ%40mail.gmail.com.

Daniel M.

Aug 17, 2017, 2:04:58 AM
to cas-...@apereo.org
OK, before you even try to configure CAS did you use a tool like ldapsearch from the server where CAS is installed to test the connection properties?

Ben Howell-Thomas

Aug 17, 2017, 5:58:28 AM
to cas-...@apereo.org
You can put this in your log4j2.xml file to see what LDAP connections are happening:

        <AsyncLogger name="org.ldaptive" level="debug" additivity="false">
            <AppenderRef ref="casConsole"/>
            <AppenderRef ref="casFile"/>
        </AsyncLogger>



Chris Peck

Aug 18, 2017, 2:57:08 AM
to cas-...@apereo.org
Yes, I installed ldapsearch. I also checked the logs on the LDAP server and there were no connects from the IP address CAS is running on.
This is what seems weird to me; or is that normal now?
cas_1  | 2017-08-16 19:14:36,150 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - <Authentication handlers used for this transaction are [HttpBasedServiceCredentialsAuthenticationHandler]>


Ng Sek Long

Aug 21, 2017, 3:51:29 AM
to CAS Community, crp...@wm.edu
I am also using ldap for my CAS 5, and I extracted my debug line for your reference:
....
2017-08-21 12:38:29,575 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - <Authentication handlers used for this transaction are [HttpBasedServiceCredentialsAuthenticationHandler,LdapAuthenticationHandler]>
....
2017-08-21 12:38:29,585 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Attempting LDAP authentication for 
....

I think you already found the problem yourself: you didn't actually implement the LdapAuthenticationHandler. HttpBasedServiceCredentialsAuthenticationHandler is the default handler and is not useful to you.

The thing that I suspect you did, which happened to me the first time I used CAS, is that your cas.properties file is not wired to CAS, so CAS actually cannot see the cas.properties file, and whatever you do does not impact CAS.

Maybe you can try to set your settings in application.properties, in the src/main/resources folder; I am sure that one gets wired automatically. Then see if you see any changes.

If you want a successfully connected LDAP setting, read this: https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/QtzfZI1gnA4

Hope this helps you!

-Andy
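A small check that reproduces the diagnosis reached in this thread, as an added example that is not from any poster or from the CAS project: it pulls the handler list out of the RegisteredServiceAuthenticationHandlerResolver DEBUG line and verifies the cas.authn.ldap[0] keys in a properties file. The sample log line and properties text are constructed, and the set of "required" keys is an assumption based on the keys used in the thread, not CAS's own validation.

```python
import re
from typing import Dict, List
# Constructed sample log line in the shape the thread quotes (not captured from a live system).
SAMPLE_LOG = ("cas_1  | 2017-08-16 19:14:36,150 DEBUG "
              "[org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - "
              "<Authentication handlers used for this transaction are "
              "[HttpBasedServiceCredentialsAuthenticationHandler]>")

# Constructed properties text in the shape of the original post's ldap.properties.
SAMPLE_PROPS = """
cas.authn.ldap[0].type=ANONYMOUS
cas.authn.ldap[0].ldapUrl=ldaps://ldap.example.invalid
cas.authn.ldap[0].baseDn=ou=people,dc=example,dc=invalid
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].principalAttributeId=uid
"""
HANDLERS_RE = re.compile(r"Authentication handlers used for this transaction are \[([^\]]*)\]")

def handlers_in_log(line: str) -> List[str]:
    """Handler names CAS reports for one transaction; [] if the line is not that DEBUG message."""
    m = HANDLERS_RE.search(line)
    return [h.strip() for h in m.group(1).split(",") if h.strip()] if m else []

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java-properties reader: accepts 'key=value' and 'key: value', skips comments/blanks."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if line and not line.startswith("#") and m:
            props[m.group(1)] = m.group(2)
    return props

def ldap_config_gaps(props: Dict[str, str], index: int = 0) -> List[str]:
    """Required cas.authn.ldap[index].* keys that are missing or empty. Assumed minimum, taken
    from the keys the thread uses (not full CAS validation): ldapUrl, baseDn, userFilter or dnFormat."""
    prefix = f"cas.authn.ldap[{index}]."
    gaps = [k for k in ("ldapUrl", "baseDn") if not props.get(prefix + k)]
    if not (props.get(prefix + "userFilter") or props.get(prefix + "dnFormat")):
        gaps.append("userFilter or dnFormat")
    return gaps

def diagnose(log_line: str, props_text: str) -> str:
    """Thread's reasoning: LDAP handler listed? Else: config incomplete, or present but never loaded?"""
    if "LdapAuthenticationHandler" in handlers_in_log(log_line):
        return "ldap-handler-active"
    gaps = ldap_config_gaps(parse_properties(props_text))
    if gaps:
        return "ldap-config-incomplete: " + ", ".join(gaps)
    return "ldap-config-present-but-handler-not-loaded"
```

The last result is the case Ng Sek Long describes: the LDAP keys look complete, yet CAS still lists only the default handler, which points at a properties file CAS never reads.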
