New Error -- I broke it LOL


Jennifer LaVoie

May 15, 2018, 11:35:41 AM
to CAS Community
I updated my pom.xml last week to install LDAP, but I didn't redeploy the war file...so I did that today, but now I can't reach https://cas3.xxx.xxx/cas/login

I can still see my self signed cert though, so I didn't wipe out my server.xml file...

If I go here

https://cas3.xxx.xxx:8443/  I do see the default Apache page loading.


HTTP Status 404 – Not Found


Type Status Report

Message /cas/login

Description The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.


Apache Tomcat/9.0.7


What did I break LOL

Thank gods, I made a snapshot

David Curry

May 15, 2018, 11:38:05 AM
to cas-...@apereo.org
Looks like the CAS webapp isn't starting. catalina.out should tell you what happened?

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728
david...@newschool.edu

The New School


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/a583b953-6589-40a2-a967-919c9dfca886%40apereo.org.

Jennifer LaVoie

May 15, 2018, 1:31:11 PM
to CAS Community
Thanks Dave...I had to format my LDAP stuff in cas.properties differently.

It now looks like this

cas.authn.ldap[0].order:                0
cas.authn.ldap[0].name:                 Active Directory
cas.authn.ldap[0].type:                 AD
cas.authn.ldap[0].ldapUrl:              ldaps://xxx.campus.bridgew.edu:636
cas.authn.ldap[0].validatePeriod:       270
cas.authn.ldap[0].poolPassivator:       NONE
cas.authn.ldap[0].userFilter:           sAMAccountName={user}
cas.authn.ldap[0].baseDn:               dc=campus,dc=bridgew,dc=edu
#cas.authn.ldap[0].bindDn:               cn=cas5,ou=Users,dc=campus,dc=bridgew,dc=edu
#cas.authn.ldap[0].bindCredential:      xxxx
cas.authn.ldap[0].dnFormat:             cn=%s,dc=campus,dc=bridgew,dc=edu

and now the page loads, but I still can't log in

When I netstat -anop | grep java

[root@cas3-dev bin]# netstat -anop |grep java
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN      1795/java            off (0.00/0/0)
tcp        0      0 0.0.0.0:8009            0.0.0.0:*               LISTEN      1795/java            off (0.00/0/0)
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      1795/java            off (0.00/0/0)
tcp        0      0 10.20.32.131:48450      10.20.16.65:636         ESTABLISHED 1795/java            off (0.00/0/0)
tcp        0      0 10.20.32.131:48452      10.20.16.65:636         ESTABLISHED 1795/java            off (0.00/0/0)
tcp        0      0 10.20.32.131:48446      10.20.16.65:636         ESTABLISHED 1795/java            off (0.00/0/0)
tcp        0      0 10.20.32.131:48448      10.20.16.65:636         ESTABLISHED 1795/java            off (0.00/0/0)
tcp        0      0 10.20.32.131:48456      10.20.16.65:636         ESTABLISHED 1795/java            off (0.00/0/0)
tcp        0      0 10.20.32.131:48454      10.20.16.65:636         ESTABLISHED 1795/java            off (0.00/0/0)
unix  3      [ ]         STREAM     CONNECTED     31497    1795/java            
unix  2      [ ]         STREAM     CONNECTED     31408    1795/java            
unix  3      [ ]         STREAM     CONNECTED     31498    1795/java            
unix  3      [ ]         STREAM     CONNECTED     30719    1795/java            
unix  3      [ ]         STREAM     CONNECTED     30720    1795/java            
unix  2      [ ]         STREAM     CONNECTED     31781    1795/java 

so things seem to be bound correctly

Here is my catalina.out grepping for jennifer.lavoie (username)

2018-05-15 13:27:45,866 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Examining credential [jennifer.lavoie] eligibility for authentication handler [Active Directory]>
2018-05-15 13:27:45,867 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Credential [jennifer.lavoie] eligibility is [Active Directory] for authentication handler [true]>
2018-05-15 13:27:45,868 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Attempting to encode credential password via [org.springframework.security.crypto.password.NoOpPasswordEncoder] for [jennifer.lavoie]>
2018-05-15 13:27:45,868 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Attempting authentication internally for transformed credential [jennifer.lavoie]>
2018-05-15 13:27:45,869 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Attempting LDAP authentication for [jennifer.lavoie]. Authenticator pre-configured attributes are [null], additional requested attributes for this authentication request are [[]]>
2018-05-15 13:27:45,869 DEBUG [org.ldaptive.auth.FormatDnResolver] - <Formatting DN for jennifer.lavoie with cn=%s,dc=campus,dc=bridgew,dc=edu>
2018-05-15 13:27:45,869 DEBUG [org.ldaptive.auth.Authenticator] - <authenticate dn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu with request=[org.ldaptive.auth.AuthenticationRequest@1995766693::user=[org.ldaptive.auth.User@720667905::identifier=jennifer.lavoie, context=null], returnAttributes=[], controls=null]>
2018-05-15 13:27:45,869 DEBUG [org.ldaptive.auth.PooledBindAuthenticationHandler] - <authenticate criteria=[org.ldaptive.auth.AuthenticationCriteria@157874454::dn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu, authenticationRequest=[org.ldaptive.auth.AuthenticationRequest@1995766693::user=[org.ldaptive.auth.User@720667905::identifier=jennifer.lavoie, context=null], returnAttributes=[], controls=null]]>
2018-05-15 13:27:45,873 DEBUG [org.ldaptive.BindOperation] - <execute request=[org.ldaptive.BindRequest@632797964::bindDn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu, saslConfig=null, controls=[[org.ldaptive.control.PasswordPolicyControl@-350057371::criticality=false, timeBeforeExpiration=0, graceAuthNsRemaining=0, error=null]], referralHandler=null, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@588723547::config=[org.ldaptive.ConnectionConfig@1903426706::ldapUrl=ldaps://boydendc-prd.campus.bridgew.edu:636, connectTimeout=PT5S, responseTimeout=PT5S, sslConfig=[org.ldaptive.ssl.SslConfig@744860926::credentialConfig=null, trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=true, useStartTLS=false, connectionInitializer=null, connectionStrategy=org.ldaptive.DefaultConnectionStrategy@dd9392c], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@601538727::metadata=[ldapUrl=ldaps://boydendc-prd.campus.bridgew.edu:636, count=1], environment={java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory, com.sun.jndi.ldap.connect.timeout=5000, java.naming.ldap.version=3, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.protocol=ssl, com.sun.jndi.ldap.read.timeout=5000}, classLoader=null, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@947873970::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor@3dd40ce0, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], classLoader=null, sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@c44eb3]>
2018-05-15 13:27:45,874 DEBUG [org.ldaptive.auth.PooledBindAuthenticationHandler] - <authenticate response=[org.ldaptive.auth.AuthenticationHandlerResponse@728104502::connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@588723547::config=[org.ldaptive.ConnectionConfig@1903426706::ldapUrl=ldaps://boydendc-prd.campus.bridgew.edu:636, connectTimeout=PT5S, responseTimeout=PT5S, sslConfig=[org.ldaptive.ssl.SslConfig@744860926::credentialConfig=null, trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=true, useStartTLS=false, connectionInitializer=null, connectionStrategy=org.ldaptive.DefaultConnectionStrategy@dd9392c], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@601538727::metadata=[ldapUrl=ldaps://boydendc-prd.campus.bridgew.edu:636, count=1], environment={java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory, com.sun.jndi.ldap.connect.timeout=5000, java.naming.ldap.version=3, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.protocol=ssl, com.sun.jndi.ldap.read.timeout=5000}, classLoader=null, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@947873970::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor@3dd40ce0, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], classLoader=null, sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@c44eb3], result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580], controls=null] for criteria=[org.ldaptive.auth.AuthenticationCriteria@157874454::dn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu, authenticationRequest=[org.ldaptive.auth.AuthenticationRequest@1995766693::user=[org.ldaptive.auth.User@720667905::identifier=jennifer.lavoie, context=null], returnAttributes=[], controls=null]]>
2018-05-15 13:27:45,874 INFO [org.ldaptive.auth.Authenticator] - <Authentication failed for dn: cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu>
2018-05-15 13:27:45,874 DEBUG [org.ldaptive.auth.Authenticator] - <authenticate response=[org.ldaptive.auth.AuthenticationHandlerResponse@728104502::connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@588723547::config=[org.ldaptive.ConnectionConfig@1903426706::ldapUrl=ldaps://boydendc-prd.campus.bridgew.edu:636, connectTimeout=PT5S, responseTimeout=PT5S, sslConfig=[org.ldaptive.ssl.SslConfig@744860926::credentialConfig=null, trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=true, useStartTLS=false, connectionInitializer=null, connectionStrategy=org.ldaptive.DefaultConnectionStrategy@dd9392c], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@601538727::metadata=[ldapUrl=ldaps://boydendc-prd.campus.bridgew.edu:636, count=1], environment={java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory, com.sun.jndi.ldap.connect.timeout=5000, java.naming.ldap.version=3, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.protocol=ssl, com.sun.jndi.ldap.read.timeout=5000}, classLoader=null, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@947873970::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor@3dd40ce0, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], classLoader=null, sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@c44eb3], result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580], controls=null] for dn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu with request=[org.ldaptive.auth.AuthenticationRequest@1995766693::user=[org.ldaptive.auth.User@720667905::identifier=jennifer.lavoie, context=null], returnAttributes=[], controls=null]>
2018-05-15 13:27:45,874 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <LDAP response: [[org.ldaptive.auth.AuthenticationResponse@1798662416::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, resolvedDn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu, ldapEntry=[dn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu[]], accountState=null, result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580], controls=null]]>
2018-05-15 13:27:45,875 DEBUG [org.apereo.cas.authentication.support.DefaultLdapPasswordPolicyHandlingStrategy] - <Applying password policy [[org.ldaptive.auth.AuthenticationResponse@1798662416::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, resolvedDn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu, ldapEntry=[dn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu[]], accountState=null, result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580], controls=null]] to [org.apereo.cas.authentication.support.DefaultAccountStateHandler@42608b36]>
2018-05-15 13:27:45,876 DEBUG [org.apereo.cas.authentication.support.DefaultAccountStateHandler] - <Attempting to handle LDAP account state for [[org.ldaptive.auth.AuthenticationResponse@1798662416::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, resolvedDn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu, ldapEntry=[dn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu[]], accountState=null, result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580], controls=null]]>
2018-05-15 13:27:45,877 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [jennifer.lavoie] of type [UsernamePasswordCredential]. Examine the configuration to ensure a method of authentication is defined and analyze CAS logs at DEBUG level to trace the authentication event.>
WHO: jennifer.lavoie
WHAT: Supplied credentials: [jennifer.lavoie]
[root@cas3-dev bin]# 



David Curry

May 15, 2018, 1:49:42 PM
to cas-...@apereo.org
This is a guess, but your dnFormat doesn't look very AD-ish to me. I note that you have an "ou=Users" in the commented-out bindDn; shouldn't you have that in dnFormat as well?

If you can, bring up one of the AD tools (under Windows) and look yourself up, and copy the DN string exactly.

--Dave


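Added example, not from the thread and not CAS or ldaptive code: a small Python triage script for the two things discussed above, Jen's catalina.out excerpt and Dave's remark about dnFormat. It decodes the "data NNN" sub-code that Active Directory appends to LDAP result 49 (the 52e in the excerpt is AD's invalid-credentials code, which AD also returns when the bind DN does not exist, so a wrong dnFormat and a wrong password look the same from the client side), de-duplicates the repeated log lines, and runs a heuristic lint over a cas.authn.ldap[n].dnFormat value along the lines of Dave's guess. The sub-code table is Microsoft's documented list; the lint rule, the function names and the abridged sample log are assumptions made for this example.

```python
from __future__ import annotations

import re
from typing import Optional

# Microsoft's sub-codes for LDAP result 49 (invalidCredentials). Active Directory
# reports them in the "data NNN" field of the bind error message.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or the bind DN does not exist)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# The javax.naming message as quoted in the thread:
# "LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580"
BIND_ERR_RE = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9a-f]+), v(?P<version>[0-9a-f]+)"
)
# The bind DN as ldaptive prints it ("dn=cn=...,dc=...,dc=..."); stops at the next ", key=" or bracket.
BIND_DN_RE = re.compile(r"\bdn=(?P<dn>[A-Za-z]+=[^,\[\]]+(?:,[A-Za-z]+=[^,\[\]]+)*)")


def classify_bind_error(line: str) -> Optional[dict]:
    """Decode one AD bind failure; None if the line carries no such message."""
    m = BIND_ERR_RE.search(line)
    if not m:
        return None
    data = m.group("data").lower()
    return {
        "code": int(m.group("code")),
        "data": data,
        "comment": m.group("comment"),
        "meaning": AD_BIND_SUBCODES.get(data, "unknown sub-code"),
    }


def scan_log(log_text: str) -> list[dict]:
    """Walk catalina.out text and return one record per distinct (bind DN, sub-code) failure."""
    seen = set()
    findings = []
    for line in log_text.splitlines():
        err = classify_bind_error(line)
        if err is None:
            continue
        dn_match = BIND_DN_RE.search(line)
        dn = dn_match.group("dn") if dn_match else None
        if (dn, err["data"]) in seen:
            continue  # ldaptive and CAS both log the same response several times
        seen.add((dn, err["data"]))
        findings.append({"dn": dn, **err})
    return findings


def lint_dn_format(dn_format: str, ldap_type: str) -> list[str]:
    """Heuristic checks on cas.authn.ldap[n].dnFormat. Assumption built on Dave's remark, not a CAS rule."""
    warnings = []
    if "%s" not in dn_format:
        warnings.append("dnFormat has no %s placeholder, so every user would bind with the same DN")
    rdns = [r.strip() for r in dn_format.split(",")]
    containers = [r for r in rdns[1:] if not r.lower().startswith("dc=")]
    if ldap_type.upper() == "AD" and not containers:
        warnings.append("AD user objects live in a container such as ou=... or cn=Users; "
                        "this dnFormat puts the user RDN directly under the domain root")
    return warnings


# Constructed sample: abridged from the catalina.out excerpt posted above (same DN, host and error text).
SAMPLE_LOG = """\
2018-05-15 13:27:45,869 DEBUG [org.ldaptive.auth.FormatDnResolver] - <Formatting DN for jennifer.lavoie with cn=%s,dc=campus,dc=bridgew,dc=edu>
2018-05-15 13:27:45,874 DEBUG [org.ldaptive.auth.PooledBindAuthenticationHandler] - <authenticate response=[...ldapUrl=ldaps://boydendc-prd.campus.bridgew.edu:636..., result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580], controls=null] for criteria=[org.ldaptive.auth.AuthenticationCriteria@157874454::dn=cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu, authenticationRequest=[...]]>
2018-05-15 13:27:45,874 INFO [org.ldaptive.auth.Authenticator] - <Authentication failed for dn: cn=jennifer.lavoie,dc=campus,dc=bridgew,dc=edu>
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"bind as {f['dn']} failed: data {f['data']} = {f['meaning']}")
    for w in lint_dn_format("cn=%s,dc=campus,dc=bridgew,dc=edu", "AD"):
        print("dnFormat warning:", w)
```

The lint is only a hint: it flags the posted dnFormat because nothing sits between cn=%s and the dc= components, which is Dave's point about the missing ou=Users. Confirm the real DN with an AD tool as he suggests rather than trusting the heuristic, and note that the sub-code alone cannot tell a bad DN from a bad password.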

Jennifer LaVoie

May 15, 2018, 1:58:45 PM
to CAS Community
OK...I will try that :)

I want to send you a pizza once I get this working LOL

Jennifer LaVoie

May 15, 2018, 2:55:55 PM
to CAS Community
Hi Everyone

It was my malformed cas.properties entries for LDAP

Working now.

Thank you all for your help

Jen



Andy Ng

May 15, 2018, 9:28:29 PM
to CAS Community
Hi Jen,

One more thing to note: next time you might want to double-check your debug log before posting.

I saw that you deliberately crossed out "ldaps://xxx.campus.bridgew.edu:636", so I think you recognized that URI to be confidential.

But I can clearly see the actual ldap server in your debug log. Soo... yeah.

- Andy
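Added example, not part of Andy's post and not CAS code: a Python redactor to run a log excerpt through before pasting it to a list, which is the step Andy is pointing at. The posted debug output names the directory server (ldaps://boydendc-prd.campus.bridgew.edu:636) and the CAS host's internal addresses even though the cas.properties excerpt had the host masked. The redactor replaces the host labels of any name under a configured internal domain with a stable alias (so that server becomes host1.campus.bridgew.edu:636 everywhere it appears) and does the same for IPv4 addresses, keeping 0.0.0.0 and 127.0.0.1 as they are. The class, the alias scheme and the sample lines (constructed from the netstat and catalina.out output quoted above) are assumptions of this example.

```python
from __future__ import annotations

import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Addresses that say nothing about the site; keeping them makes the listener table readable.
KEEP_IPS = {"0.0.0.0", "127.0.0.1"}


class LogRedactor:
    """Replace internal host names and IPv4 addresses with stable aliases before a log is shared.

    Aliases are assigned per instance in order of first appearance, so every line that
    mentions the same server still visibly refers to the same server after redaction.
    """

    def __init__(self, domain_suffixes: list[str]):
        # One pattern per internal domain: capture the host labels, keep the domain suffix.
        self._host_patterns = [
            re.compile(r"\b(?P<host>(?:[A-Za-z0-9_-]+\.)+)(?P<suffix>" + re.escape(s) + r")\b")
            for s in domain_suffixes
        ]
        self.hosts: dict[str, str] = {}
        self.ips: dict[str, str] = {}

    @staticmethod
    def _alias(table: dict[str, str], key: str, prefix: str) -> str:
        if key not in table:
            table[key] = f"{prefix}{len(table) + 1}"
        return table[key]

    def _host_sub(self, m: re.Match) -> str:
        alias = self._alias(self.hosts, m.group("host").rstrip("."), "host")
        return f"{alias}.{m.group('suffix')}"

    def _ip_sub(self, m: re.Match) -> str:
        ip = m.group(0)
        return ip if ip in KEEP_IPS else self._alias(self.ips, ip, "ip")

    def redact(self, line: str) -> str:
        for pat in self._host_patterns:
            line = pat.sub(self._host_sub, line)
        return IPV4_RE.sub(self._ip_sub, line)

    def redact_text(self, text: str) -> str:
        return "\n".join(self.redact(line) for line in text.splitlines())


# Constructed sample: lines shaped like the netstat and catalina.out output quoted above.
SAMPLE_LINES = [
    "tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN      1795/java",
    "tcp        0      0 10.20.32.131:48450      10.20.16.65:636         ESTABLISHED 1795/java",
    "... ldapUrl=ldaps://boydendc-prd.campus.bridgew.edu:636, connectTimeout=PT5S ...",
    "... metadata=[ldapUrl=ldaps://boydendc-prd.campus.bridgew.edu:636, count=1] ...",
]

if __name__ == "__main__":
    redactor = LogRedactor(["campus.bridgew.edu"])
    print(redactor.redact_text("\n".join(SAMPLE_LINES)))
    print("aliases:", redactor.hosts, redactor.ips)
```

Aliases are consistent within one run, so the reader can still see that both connection-factory lines point at the same server and that the six ESTABLISHED sockets go to one directory host; only the identity of that host is lost. DN components such as dc=campus,dc=bridgew,dc=edu are left alone here because they were posted in the clear on purpose; add a pattern for them if the directory layout is itself something you would not want on a public list.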

Jennifer LaVoie

May 15, 2018, 9:30:42 PM
to cas-...@apereo.org