CAS 5.1.0 - How to authenticate user with SSHA LDAP password (was working with cas.authn.ldap[0].type=SASL)


Olivier Lamarche

May 31, 2017, 10:19:00 AM
to CAS Community
Everything was working properly with CAS 5.0.5 with cas.authn.ldap[0].type=SASL, but now that this type is removed in 5.1.0, I can't authenticate my users anymore.

CAS can find my LDAP user, but it can't be authenticated. I suspect that CAS can't authenticate my user because, by default, AUTHENTICATED mode returns the SHA-encrypted value of my password (https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html) and compares it with my LDAP SSHA-encrypted password.

I tried different kinds of password encoders, but it seems not to work.

I can confirm that my LDAP username/password are OK.

Here is the config:

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://XXXXXXX:XXX
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].bindDn=cn=XXXXXXXX,dc=XXXXXXX,dc=com
cas.authn.ldap[0].baseDn=ou=XXXXXX,dc=XXXXXXXX,dc=com
cas.authn.ldap[0].userFilter=mail={user}
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].usePasswordPolicy=false
cas.authn.ldap[0].bindCredential=XXXXXXXXX

#cas.authn.ldap[0].poolPassivator=NONE
cas.authn.ldap[0].enhanceWithEntryResolver=false
cas.authn.ldap[0].dnFormat=cn=%s,ou=XXXXXXX,dc=XXXXXXX,dc=com
cas.authn.ldap[0].principalAttributeId=uid
cas.authn.ldap[0].principalAttributePassword=userPassword
# Give an attribute list released from LDAP to CAS, could be used with attributeRepository.defaultAttributesToRelease to be visible on CAS P3 serviceValidate
cas.authn.ldap[0].principalAttributeList=uid,sn,cn:commonName,mail,givenName
cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=false
# cas.authn.ldap[0].additionalAttributes=
# cas.authn.ldap[0].credentialCriteria=

# cas.authn.ldap[0].saslMechanism=GSSAPI|DIGEST_MD5|CRAM_MD5|EXTERNAL
# cas.authn.ldap[0].saslRealm=EXAMPLE.COM
# cas.authn.ldap[0].saslAuthorizationId=
# cas.authn.ldap[0].saslMutualAuth=
# cas.authn.ldap[0].saslQualityOfProtection=
# cas.authn.ldap[0].saslSecurityStrength=

# cas.authn.ldap[0].trustCertificates=
# cas.authn.ldap[0].keystore=
# cas.authn.ldap[0].keystorePassword=
# cas.authn.ldap[0].keystoreType=JKS|JCEKS|PKCS12

cas.authn.ldap[0].minPoolSize=1
cas.authn.ldap[0].maxPoolSize=10
cas.authn.ldap[0].validateOnCheckout=true
cas.authn.ldap[0].validatePeriodically=false
# cas.authn.ldap[0].validatePeriod=600

# cas.authn.ldap[0].failFast=true
cas.authn.ldap[0].idleTime=600
cas.authn.ldap[0].prunePeriod=300
cas.authn.ldap[0].blockWaitTime=5000
cas.authn.ldap[0].timeOut=3000

cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.authn.ldap[0].allowMultipleDns=false

#cas.authn.ldap[0].passwordEncoder.type=DEFAULT
#cas.authn.ldap[0].passwordEncoder.characterEncoding=UTF-8
#cas.authn.ldap[0].passwordEncoder.encodingAlgorithm=SHA-512
# cas.authn.ldap[0].passwordEncoder.secret=
# cas.authn.ldap[0].passwordEncoder.strength=16

# cas.authn.ldap[0].principalTransformation.suffix=
# cas.authn.ldap[0].principalTransformation.caseConversion=NONE|UPPERCASE|LOWERCASE
# cas.authn.ldap[0].principalTransformation.prefix=

cas.authn.ldap[0].passwordPolicy.enabled=true
cas.authn.ldap[0].passwordPolicy.policyAttributes.accountLocked=javax.security.auth.login.AccountLockedException
cas.authn.ldap[0].passwordPolicy.loginFailures=5
cas.authn.ldap[0].passwordPolicy.warningAttributeValue=
cas.authn.ldap[0].passwordPolicy.warningAttributeName=
cas.authn.ldap[0].passwordPolicy.displayWarningOnMatch=true
cas.authn.ldap[0].passwordPolicy.warnAll=true
cas.authn.ldap[0].passwordPolicy.warningDays=30
Here is the log:

2017-05-31 09:49:02,968 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - <No specific authentication handlers are required for this transaction>
2017-05-31 09:49:02,970 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - <Authentication handlers used for this transaction are [OpenIdCredentialsAuthenticationHandlerHttpBasedServiceCredentialsAuthenticationHandlerLdapAuthenticationHandler]>
2017-05-31 09:49:02,977 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Transforming credential username via [org.apereo.cas.configuration.support.Beans$$Lambda$77/1077246245]>
2017-05-31 09:49:02,978 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Attempting to encode credential password via [org.springframework.security.crypto.password.NoOpPasswordEncoder] for [aaa...@ccc.com]>
2017-05-31 09:49:02,979 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Attempting authentication internally for transformed credential [aaa...@ccc.com]>
2017-05-31 09:49:02,982 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Attempting LDAP authentication for [aaa...@ccc.com]. Authenticator pre-configured attributes are [null], additional requested attributes for this authentication request are [[uid, mail, givenName, sn, cn]]>
2017-05-31 09:49:02,986 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - <resolve user=[org.ldaptive.auth.User@1810991362::identifier=aaa...@ccc.com, context=null]>
2017-05-31 09:49:02,986 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - <searching for DN using userFilter>
2017-05-31 09:49:02,991 DEBUG [org.ldaptive.SearchOperation] - <execute request=[org.ldaptive.SearchRequest@-577997831::baseDn=, searchFilter=[org.ldaptive.SearchFilter@1642584434::filter=(objectClass=*), parameters={}], returnAttributes=[1.1], searchScope=OBJECT, timeLimit=PT0S, sizeLimit=1, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=[org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@2c95d987], controls=null, referralHandler=org.ldaptive.referral.SearchReferralHandler@7d707b9c, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1101123226::config=[org.ldaptive.ConnectionConfig@1520253722::ldapUrl=ldap://xxxx:xxxx, connectTimeout=PT1H23M20S, responseTimeout=PT5S, sslConfig=[org.ldaptive.ssl.SslConfig@2079692145::credentialConfig=null, trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@2039028212::bindDn=cn=xxxxxxxx,dc=xxxxxxxx,dc=com, bindSaslConfig=null, bindControls=null], connectionStrategy=org.ldaptive.DefaultConnectionStrategy@255e3579], providerConnectionFactory=[org.ldaptive.provider.unboundid.UnboundIDConnectionFactory@1884695011::metadata=[ldapUrl=ldap://xxxx:xxxx, count=1], providerConfig=[org.ldaptive.provider.unboundid.UnboundIDProviderConfig@611790701::operationExceptionResultCodes=[SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor@76f4ed47, connectionOptions=null, socketFactory=null, sslSocketFactory=null, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, REFERRAL]]], providerConnection=org.ldaptive.provider.unboundid.UnboundIDConnection@39ee281d]>
2017-05-31 09:49:03,024 DEBUG [org.ldaptive.provider.unboundid.UnboundIDConnection] - <performing search: SearchRequest(baseDN='', scope=BASE, deref=NEVER, sizeLimit=1, timeLimit=0, filter='(objectClass=*)', attrs={1.1})>
2017-05-31 09:49:03,053 DEBUG [org.ldaptive.provider.unboundid.UnboundIDConnection] - <created response: [org.ldaptive.Response@789486597::result=null, resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, referralURLs=[], messageId=2]>
2017-05-31 09:49:03,055 DEBUG [org.ldaptive.SearchOperation] - <execute response=[org.ldaptive.Response@1317418705::result=[org.ldaptive.SearchResult@-1951902882::entries=[[dn=[], responseControls=null, messageId=2]], references=[]], resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, referralURLs=[], messageId=2] for request=[org.ldaptive.SearchRequest@-577997831::baseDn=, searchFilter=[org.ldaptive.SearchFilter@1642584434::filter=(objectClass=*), parameters={}], returnAttributes=[1.1], searchScope=OBJECT, timeLimit=PT0S, sizeLimit=1, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=[org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@2c95d987], controls=null, referralHandler=org.ldaptive.referral.SearchReferralHandler@7d707b9c, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1101123226::config=[org.ldaptive.ConnectionConfig@1520253722::ldapUrl=ldap://xxxx:xxxx, connectTimeout=PT1H23M20S, responseTimeout=PT5S, sslConfig=[org.ldaptive.ssl.SslConfig@2079692145::credentialConfig=null, trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@2039028212::bindDn=cn=xxxxxxxx,dc=xxxxxxxx,dc=com, bindSaslConfig=null, bindControls=null], connectionStrategy=org.ldaptive.DefaultConnectionStrategy@255e3579], providerConnectionFactory=[org.ldaptive.provider.unboundid.UnboundIDConnectionFactory@1884695011::metadata=[ldapUrl=ldap://xxxx:xxxx, count=1], providerConfig=[org.ldaptive.provider.unboundid.UnboundIDProviderConfig@611790701::operationExceptionResultCodes=[SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor@76f4ed47, connectionOptions=null, socketFactory=null, sslSocketFactory=null, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, REFERRAL]]], providerConnection=org.ldaptive.provider.unboundid.UnboundIDConnection@39ee281d]>
2017-05-31 09:49:03,056 DEBUG [org.ldaptive.SearchOperation] - <execute request=[org.ldaptive.SearchRequest@1041964045::baseDn=ou=individuel,dc=xxxxxxxx,dc=com, searchFilter=[org.ldaptive.SearchFilter@-489204262::filter=mail={user}, parameters={context=null, user=aaa...@ccc.com}], returnAttributes=[1.1], searchScope=SUBTREE, timeLimit=PT0S, sizeLimit=0, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, referralHandler=null, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1101123226::config=[org.ldaptive.ConnectionConfig@1520253722::ldapUrl=ldap://xxxx:xxxx, connectTimeout=PT1H23M20S, responseTimeout=PT5S, sslConfig=[org.ldaptive.ssl.SslConfig@2079692145::credentialConfig=null, trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@2039028212::bindDn=cn=xxxxxxxx,dc=xxxxxxxx,dc=com, bindSaslConfig=null, bindControls=null], connectionStrategy=org.ldaptive.DefaultConnectionStrategy@255e3579], providerConnectionFactory=[org.ldaptive.provider.unboundid.UnboundIDConnectionFactory@1884695011::metadata=[ldapUrl=ldap://xxxx:xxxx, count=1], providerConfig=[org.ldaptive.provider.unboundid.UnboundIDProviderConfig@611790701::operationExceptionResultCodes=[SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor@76f4ed47, connectionOptions=null, socketFactory=null, sslSocketFactory=null, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, REFERRAL]]], providerConnection=org.ldaptive.provider.unboundid.UnboundIDConnection@39ee281d]>
2017-05-31 09:49:03,057 DEBUG [org.ldaptive.provider.unboundid.UnboundIDConnection] - <performing search: SearchRequest(baseDN='ou=individuel,dc=xxxxxxxx,dc=com', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=0, filter='mail=aaa...@ccc.com', attrs={1.1})>
2017-05-31 09:49:03,060 DEBUG [org.ldaptive.provider.unboundid.UnboundIDConnection] - <created response: [org.ldaptive.Response@1895138053::result=null, resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, referralURLs=[], messageId=3]>
2017-05-31 09:49:03,060 DEBUG [org.ldaptive.SearchOperation] - <execute response=[org.ldaptive.Response@725665706::result=[org.ldaptive.SearchResult@191229211::entries=[[dn=cn=inf10771,ou=xxxxxx,ou=xxxxxx,ou=individuel,dc=xxxxxxxx,dc=com[], responseControls=null, messageId=3]], references=[]], resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, referralURLs=[], messageId=3] for request=[org.ldaptive.SearchRequest@1041964045::baseDn=ou=individuel,dc=xxxxxxxx,dc=com, searchFilter=[org.ldaptive.SearchFilter@-489204262::filter=mail={user}, parameters={context=null, user=aaa...@ccc.com}], returnAttributes=[1.1], searchScope=SUBTREE, timeLimit=PT0S, sizeLimit=0, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, referralHandler=null, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1101123226::config=[org.ldaptive.ConnectionConfig@1520253722::ldapUrl=ldap://xxxx:xxxx, connectTimeout=PT1H23M20S, responseTimeout=PT5S, sslConfig=[org.ldaptive.ssl.SslConfig@2079692145::credentialConfig=null, trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@2039028212::bindDn=cn=xxxxxxxx,dc=xxxxxxxx,dc=com, bindSaslConfig=null, bindControls=null], connectionStrategy=org.ldaptive.DefaultConnectionStrategy@255e3579], providerConnectionFactory=[org.ldaptive.provider.unboundid.UnboundIDConnectionFactory@1884695011::metadata=[ldapUrl=ldap://xxxx:xxxx, count=1], providerConfig=[org.ldaptive.provider.unboundid.UnboundIDProviderConfig@611790701::operationExceptionResultCodes=[SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor@76f4ed47, connectionOptions=null, socketFactory=null, sslSocketFactory=null, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, REFERRAL]]], providerConnection=org.ldaptive.provider.unboundid.UnboundIDConnection@39ee281d]>
2017-05-31 09:49:03,060 DEBUG [org.ldaptive.BindOperation] - <execute request=[org.ldaptive.BindRequest@1997076822::bindDn=cn=xxxxxxxx,dc=xxxxxxxx,dc=com, saslConfig=null, controls=null, referralHandler=null, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1101123226::config=[org.ldaptive.ConnectionConfig@1520253722::ldapUrl=ldap://xxxx:xxxx, connectTimeout=PT1H23M20S, responseTimeout=PT5S, sslConfig=[org.ldaptive.ssl.SslConfig@2079692145::credentialConfig=null, trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@2039028212::bindDn=cn=xxxxxxxx,dc=xxxxxxxx,dc=com, bindSaslConfig=null, bindControls=null], connectionStrategy=org.ldaptive.DefaultConnectionStrategy@255e3579], providerConnectionFactory=[org.ldaptive.provider.unboundid.UnboundIDConnectionFactory@1884695011::metadata=[ldapUrl=ldap://xxxx:xxxx, count=1], providerConfig=[org.ldaptive.provider.unboundid.UnboundIDProviderConfig@611790701::operationExceptionResultCodes=[SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor@76f4ed47, connectionOptions=null, socketFactory=null, sslSocketFactory=null, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, REFERRAL]]], providerConnection=org.ldaptive.provider.unboundid.UnboundIDConnection@39ee281d]>
2017-05-31 09:49:03,070 DEBUG [org.ldaptive.BindOperation] - <execute response=[org.ldaptive.Response@1418681517::result=null, resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, referralURLs=[], messageId=4] for request=[org.ldaptive.BindRequest@1997076822::bindDn=cn=xxxxxxxx,dc=xxxxxxxx,dc=com, saslConfig=null, controls=null, referralHandler=null, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1101123226::config=[org.ldaptive.ConnectionConfig@1520253722::ldapUrl=ldap://xxxx:xxxx, connectTimeout=PT1H23M20S, responseTimeout=PT5S, sslConfig=[org.ldaptive.ssl.SslConfig@2079692145::credentialConfig=null, trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@2039028212::bindDn=cn=xxxxxxxx,dc=xxxxxxxx,dc=com, bindSaslConfig=null, bindControls=null], connectionStrategy=org.ldaptive.DefaultConnectionStrategy@255e3579], providerConnectionFactory=[org.ldaptive.provider.unboundid.UnboundIDConnectionFactory@1884695011::metadata=[ldapUrl=ldap://xxxx:xxxx, count=1], providerConfig=[org.ldaptive.provider.unboundid.UnboundIDProviderConfig@611790701::operationExceptionResultCodes=[SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor@76f4ed47, connectionOptions=null, socketFactory=null, sslSocketFactory=null, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, REFERRAL]]], providerConnection=org.ldaptive.provider.unboundid.UnboundIDConnection@39ee281d]>
2017-05-31 09:49:03,071 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - <resolved dn=cn=inf10771,ou=xxxxxx,ou=xxxxxx,ou=individuel,dc=xxxxxxxx,dc=com for user=[org.ldaptive.auth.User@1810991362::identifier=aaa...@ccc.com, context=null]>
2017-05-31 09:49:03,075 DEBUG [org.ldaptive.auth.Authenticator] - <authenticate dn=cn=inf10771,ou=xxxxxx,ou=xxxxxx,ou=individuel,dc=xxxxxxxx,dc=com with request=[org.ldaptive.auth.AuthenticationRequest@518364974::user=[org.ldaptive.auth.User@1810991362::identifier=aaa...@ccc.com, context=null], returnAttributes=[uid, mail, givenName, sn, cn]]>
2017-05-31 09:49:03,077 DEBUG [org.ldaptive.auth.PooledCompareAuthenticationHandler] - <authenticate criteria=[org.ldaptive.auth.AuthenticationCriteria@1112853084::dn=cn=inf10771,ou=xxxxxx,ou=xxxxxx,ou=individuel,dc=xxxxxxxx,dc=com, authenticationRequest=[org.ldaptive.auth.AuthenticationRequest@518364974::user=[org.ldaptive.auth.User@1810991362::identifier=aaa...@ccc.com, context=null], returnAttributes=[uid, mail, givenName, sn, cn]]]>
2017-05-31 09:49:03,077 DEBUG [org.ldaptive.SearchOperation] - <execute request=[org.ldaptive.SearchRequest@1891521909::baseDn=, searchFilter=[org.ldaptive.SearchFilter@1642584434::filter=(objectClass=*), parameters={}], returnAttributes=[1.1], searchScope=OBJECT, timeLimit=PT0S, sizeLimit=1, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=[org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@10f62397], controls=null, referralHandler=org.ldaptive.referral.SearchReferralHandler@5f1c09c8, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1656964227::config=[org.ldaptive.ConnectionConfig@1763680363::ldapUrl=ldap://xxxx:xxxx, connectTimeout=PT1H23M20S, responseTimeout=PT5S, sslConfig=[org.ldaptive.ssl.SslConfig@1442941949::credentialConfig=null, trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@1878521940::bindDn=cn=xxxxxxxx,dc=xxxxxxxx,dc=com, bindSaslConfig=null, bindControls=null], connectionStrategy=org.ldaptive.DefaultConnectionStrategy@2ccf8f1f], providerConnectionFactory=[org.ldaptive.provider.unboundid.UnboundIDConnectionFactory@849749463::metadata=[ldapUrl=ldap://xxxx:xxxx, count=1], providerConfig=[org.ldaptive.provider.unboundid.UnboundIDProviderConfig@1648485355::operationExceptionResultCodes=[SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor@61f51e70, connectionOptions=null, socketFactory=null, sslSocketFactory=null, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, REFERRAL]]], providerConnection=org.ldaptive.provider.unboundid.UnboundIDConnection@196ab991]>
2017-05-31 09:49:03,078 DEBUG [org.ldaptive.provider.unboundid.UnboundIDConnection] - <performing search: SearchRequest(baseDN='', scope=BASE, deref=NEVER, sizeLimit=1, timeLimit=0, filter='(objectClass=*)', attrs={1.1})>
2017-05-31 09:49:03,081 DEBUG [org.ldaptive.provider.unboundid.UnboundIDConnection] - <created response: [org.ldaptive.Response@1870936107::result=null, resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, referralURLs=[], messageId=2]>
2017-05-31 09:49:03,081 DEBUG [org.ldaptive.SearchOperation] - <execute response=[org.ldaptive.Response@1103129410::result=[org.ldaptive.SearchResult@-1951902882::entries=[[dn=[], responseControls=null, messageId=2]], references=[]], resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, referralURLs=[], messageId=2] for request=[org.ldaptive.SearchRequest@1891521909::baseDn=, searchFilter=[org.ldaptive.SearchFilter@1642584434::filter=(objectClass=*), parameters={}], returnAttributes=[1.1], searchScope=OBJECT, timeLimit=PT0S, sizeLimit=1, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=[org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@10f62397], controls=null, referralHandler=org.ldaptive.referral.SearchReferralHandler@5f1c09c8, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1656964227::config=[org.ldaptive.ConnectionConfig@1763680363::ldapUrl=ldap://xxxx:xxxx, connectTimeout=PT1H23M20S, responseTimeout=PT5S, sslConfig=[org.ldaptive.ssl.SslConfig@1442941949::credentialConfig=null, trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@1878521940::bindDn=cn=xxxxxxxx,dc=xxxxxxxx,dc=com, bindSaslConfig=null, bindControls=null], connectionStrategy=org.ldaptive.DefaultConnectionStrategy@2ccf8f1f], providerConnectionFactory=[org.ldaptive.provider.unboundid.UnboundIDConnectionFactory@849749463::metadata=[ldapUrl=ldap://xxxx:xxxx, count=1], providerConfig=[org.ldaptive.provider.unboundid.UnboundIDProviderConfig@1648485355::operationExceptionResultCodes=[SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor@61f51e70, connectionOptions=null, socketFactory=null, sslSocketFactory=null, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, REFERRAL]]], providerConnection=org.ldaptive.provider.unboundid.UnboundIDConnection@196ab991]>
2017-05-31 09:49:03,087 DEBUG [org.ldaptive.CompareOperation] - <execute request=[org.ldaptive.CompareRequest@1936625851::compareDn=cn=inf10771,ou=xxxxxx,ou=xxxxxx,ou=individuel,dc=xxxxxxxx,dc=com, attribute=[userPassword[e1NIQX1xeWlINUdPc2xQbmpvNnlvcUd3bGh1V0c3b2c9]], controls=null, referralHandler=null, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1656964227::config=[org.ldaptive.ConnectionConfig@1763680363::ldapUrl=ldap://xxxx:xxxx, connectTimeout=PT1H23M20S, responseTimeout=PT5S, sslConfig=[org.ldaptive.ssl.SslConfig@1442941949::credentialConfig=null, trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@1878521940::bindDn=cn=xxxxxxxx,dc=xxxxxxxx,dc=com, bindSaslConfig=null, bindControls=null], connectionStrategy=org.ldaptive.DefaultConnectionStrategy@2ccf8f1f], providerConnectionFactory=[org.ldaptive.provider.unboundid.UnboundIDConnectionFactory@849749463::metadata=[ldapUrl=ldap://xxxx:xxxx, count=1], providerConfig=[org.ldaptive.provider.unboundid.UnboundIDProviderConfig@1648485355::operationExceptionResultCodes=[SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor@61f51e70, connectionOptions=null, socketFactory=null, sslSocketFactory=null, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, REFERRAL]]], providerConnection=org.ldaptive.provider.unboundid.UnboundIDConnection@196ab991]>
2017-05-31 09:49:03,096 DEBUG [org.ldaptive.CompareOperation] - <execute response=[org.ldaptive.Response@467627795::result=false, resultCode=COMPARE_FALSE, message=null, matchedDn=null, responseControls=null, referralURLs=[], messageId=3] for request=[org.ldaptive.CompareRequest@1936625851::compareDn=cn=inf10771,ou=xxxxxx,ou=xxxxxx,ou=individuel,dc=xxxxxxxx,dc=com, attribute=[userPassword[e1NIQX1xeWlINUdPc2xQbmpvNnlvcUd3bGh1V0c3b2c9]], controls=null, referralHandler=null, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1656964227::config=[org.ldaptive.ConnectionConfig@1763680363::ldapUrl=ldap://xxxx:xxxx, connectTimeout=PT1H23M20S, responseTimeout=PT5S, sslConfig=[org.ldaptive.ssl.SslConfig@1442941949::credentialConfig=null, trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@1878521940::bindDn=cn=xxxxxxxx,dc=xxxxxxxx,dc=com, bindSaslConfig=null, bindControls=null], connectionStrategy=org.ldaptive.DefaultConnectionStrategy@2ccf8f1f], providerConnectionFactory=[org.ldaptive.provider.unboundid.UnboundIDConnectionFactory@849749463::metadata=[ldapUrl=ldap://xxxx:xxxx, count=1], providerConfig=[org.ldaptive.provider.unboundid.UnboundIDProviderConfig@1648485355::operationExceptionResultCodes=[SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor@61f51e70, connectionOptions=null, socketFactory=null, sslSocketFactory=null, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, REFERRAL]]], providerConnection=org.ldaptive.provider.unboundid.UnboundIDConnection@196ab991]>
2017-05-31 09:49:03,097 DEBUG [org.ldaptive.auth.PooledCompareAuthenticationHandler] - <authenticate response=[org.ldaptive.auth.AuthenticationHandlerResponse@481550235::connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1656964227::config=[org.ldaptive.ConnectionConfig@1763680363::ldapUrl=ldap://xxxx:xxxx, connectTimeout=PT1H23M20S, responseTimeout=PT5S, sslConfig=[org.ldaptive.ssl.SslConfig@1442941949::credentialConfig=null, trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@1878521940::bindDn=cn=xxxxxxxx,dc=xxxxxxxx,dc=com, bindSaslConfig=null, bindControls=null], connectionStrategy=org.ldaptive.DefaultConnectionStrategy@2ccf8f1f], providerConnectionFactory=[org.ldaptive.provider.unboundid.UnboundIDConnectionFactory@849749463::metadata=[ldapUrl=ldap://xxxx:xxxx, count=1], providerConfig=[org.ldaptive.provider.unboundid.UnboundIDProviderConfig@1648485355::operationExceptionResultCodes=[SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor@61f51e70, connectionOptions=null, socketFactory=null, sslSocketFactory=null, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, REFERRAL]]], providerConnection=org.ldaptive.provider.unboundid.UnboundIDConnection@196ab991], result=false, resultCode=COMPARE_FALSE, message=null, controls=null] for criteria=[org.ldaptive.auth.AuthenticationCriteria@1112853084::dn=cn=inf10771,ou=xxxxxx,ou=xxxxxx,ou=individuel,dc=xxxxxxxx,dc=com, authenticationRequest=[org.ldaptive.auth.AuthenticationRequest@518364974::user=[org.ldaptive.auth.User@1810991362::identifier=aaa...@ccc.com, context=null], returnAttributes=[uid, mail, givenName, sn, cn]]]>
2017-05-31 09:49:03,097 DEBUG [org.ldaptive.BindOperation] - <execute request=[org.ldaptive.BindRequest@1806262712::bindDn=cn=xxxxxxxx,dc=xxxxxxxx,dc=com, saslConfig=null, controls=null, referralHandler=null, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1656964227::config=[org.ldaptive.ConnectionConfig@1763680363::ldapUrl=ldap://xxxx:xxxx, connectTimeout=PT1H23M20S, responseTimeout=PT5S, sslConfig=[org.ldaptive.ssl.SslConfig@1442941949::credentialConfig=null, trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@1878521940::bindDn=cn=xxxxxxxx,dc=xxxxxxxx,dc=com, bindSaslConfig=null, bindControls=null], connectionStrategy=org.ldaptive.DefaultConnectionStrategy@2ccf8f1f], providerConnectionFactory=[org.ldaptive.provider.unboundid.UnboundIDConnectionFactory@849749463::metadata=[ldapUrl=ldap://xxxx:xxxx, count=1], providerConfig=[org.ldaptive.provider.unboundid.UnboundIDProviderConfig@1648485355::operationExceptionResultCodes=[SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor@61f51e70, connectionOptions=null, socketFactory=null, sslSocketFactory=null, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, REFERRAL]]], providerConnection=org.ldaptive.provider.unboundid.UnboundIDConnection@196ab991]>
2017-05-31 09:49:03,099 DEBUG [org.ldaptive.BindOperation] - <execute response=[org.ldaptive.Response@1851287311::result=null, resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, referralURLs=[], messageId=4] for request=[org.ldaptive.BindRequest@1806262712::bindDn=cn=xxxxxxxx,dc=xxxxxxxx,dc=com, saslConfig=null, controls=null, referralHandler=null, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1656964227::config=[org.ldaptive.ConnectionConfig@1763680363::ldapUrl=ldap://xxxx:xxxx, connectTimeout=PT1H23M20S, responseTimeout=PT5S, sslConfig=[org.ldaptive.ssl.SslConfig@1442941949::credentialConfig=null, trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@1878521940::bindDn=cn=xxxxxxxx,dc=xxxxxxxx,dc=com, bindSaslConfig=null, bindControls=null], connectionStrategy=org.ldaptive.DefaultConnectionStrategy@2ccf8f1f], providerConnectionFactory=[org.ldaptive.provider.unboundid.UnboundIDConnectionFactory@849749463::metadata=[ldapUrl=ldap://xxxx:xxxx, count=1], providerConfig=[org.ldaptive.provider.unboundid.UnboundIDProviderConfig@1648485355::operationExceptionResultCodes=[SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor@61f51e70, connectionOptions=null, socketFactory=null, sslSocketFactory=null, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, REFERRAL]]], providerConnection=org.ldaptive.provider.unboundid.UnboundIDConnection@196ab991]>
2017-05-31 09:49:03,099 INFO [org.ldaptive.auth.Authenticator] - <Authentication failed for dn: cn=inf10771,ou=xxxxxx,ou=xxxxxx,ou=individuel,dc=xxxxxxxx,dc=com>
2017-05-31 09:49:03,101 DEBUG [org.ldaptive.auth.Authenticator] - <authenticate response=[org.ldaptive.auth.AuthenticationHandlerResponse@481550235::connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1656964227::config=[org.ldaptive.ConnectionConfig@1763680363::ldapUrl=ldap://xxxx:xxxx, connectTimeout=PT1H23M20S, responseTimeout=PT5S, sslConfig=[org.ldaptive.ssl.SslConfig@1442941949::credentialConfig=null, trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@1878521940::bindDn=cn=xxxxxxxx,dc=xxxxxxxx,dc=com, bindSaslConfig=null, bindControls=null], connectionStrategy=org.ldaptive.DefaultConnectionStrategy@2ccf8f1f], providerConnectionFactory=[org.ldaptive.provider.unboundid.UnboundIDConnectionFactory@849749463::metadata=[ldapUrl=ldap://xxxx:xxxx, count=1], providerConfig=[org.ldaptive.provider.unboundid.UnboundIDProviderConfig@1648485355::operationExceptionResultCodes=[SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor@61f51e70, connectionOptions=null, socketFactory=null, sslSocketFactory=null, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, REFERRAL]]], providerConnection=org.ldaptive.provider.unboundid.UnboundIDConnection@196ab991], result=false, resultCode=COMPARE_FALSE, message=null, controls=null] for dn=cn=inf10771,ou=xxxxxx,ou=xxxxxx,ou=individuel,dc=xxxxxxxx,dc=com with request=[org.ldaptive.auth.AuthenticationRequest@518364974::user=[org.ldaptive.auth.User@1810991362::identifier=aaa...@ccc.com, context=null], returnAttributes=[uid, mail, givenName, sn, cn]]>
2017-05-31 09:49:03,101 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <LDAP response: [[org.ldaptive.auth.AuthenticationResponse@185733131::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, resolvedDn=cn=inf10771,ou=xxxxxx,ou=xxxxxx,ou=individuel,dc=xxxxxxxx,dc=com, ldapEntry=[dn=cn=inf10771,ou=xxxxxx,ou=xxxxxx,ou=individuel,dc=xxxxxxxx,dc=com[]], accountState=null, result=false, resultCode=COMPARE_FALSE, message=null, controls=null]]>
2017-05-31 09:49:03,102 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Applying password policy to [[org.ldaptive.auth.AuthenticationResponse@185733131::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, resolvedDn=cn=inf10771,ou=xxxxxx,ou=xxxxxx,ou=individuel,dc=xxxxxxxx,dc=com, ldapEntry=[dn=cn=inf10771,ou=xxxxxx,ou=xxxxxx,ou=individuel,dc=xxxxxxxx,dc=com[]], accountState=null, result=false, resultCode=COMPARE_FALSE, message=null, controls=null]]>
2017-05-31 09:49:03,104 DEBUG [org.apereo.cas.authentication.support.DefaultAccountStateHandler] - <Account state not defined. Returning empty list of messages.>
2017-05-31 09:49:03,105 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[LdapAuthenticationHandler] failed authenticating [aaa...@ccc.com]>
2017-05-31 09:49:03,106 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[LdapAuthenticationHandler] exception details: [Invalid credentials]>
2017-05-31 09:49:03,106 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [aaa...@ccc.com] of type [UsernamePasswordCredential], which suggests a configuration problem.>
2017-05-31 09:49:03,110 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHAT: Supplied credentials: [aaa...@ccc.com]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Wed May 31 09:49:03 EDT 2017
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================


Daniel Fisher

unread,
May 31, 2017, 4:48:03 PM5/31/17
to cas-...@apereo.org
On Wed, May 31, 2017 at 10:19 AM, Olivier Lamarche <olam...@gmail.com> wrote:

2017-05-31 09:49:03,075 DEBUG [org.ldaptive.auth.Authenticator] - <authenticate dn=cn=inf10771,ou=xxxxxx,ou=xxxxxx,ou=individuel,dc=xxxxxxxx,dc=com with request=[org.ldaptive.auth.AuthenticationRequest@518364974::user=[org.ldaptive.auth.User@1810991362::identifier=aaa.b...@ccc.com, context=null], returnAttributes=[uid, mail, givenName, sn, cn]]>
2017-05-31 09:49:03,077 DEBUG [org.ldaptive.auth.PooledCompareAuthenticationHandler] - <authenticate criteria=[org.ldaptive.auth.AuthenticationCriteria@1112853084::dn=cn=inf10771,ou=xxxxxx,ou=xxxxxx,ou=individuel,dc=xxxxxxxx,dc=com, authenticationRequest=[org.ldaptive.auth.AuthenticationRequest@518364974::user=[org.ldaptive.auth.User@1810991362::identifier=aaa...@ccc.com, context=null], returnAttributes=[uid, mail, givenName, sn, cn]]]>


The PooledCompareAuthenticationHandler component does not support salted hashes. I don't know which set of CAS properties wires up the ldaptive authentication handler, but you want to use the PooledBindAuthenticationHandler. This way your directory will handle the work of comparing salted hashes.

--Daniel Fisher
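Why a client-side compare cannot match a salted {SSHA} value, shown as an added Python example (not code from this thread, from CAS or from ldaptive): the random salt is stored inside the userPassword value itself, so only a verifier that holds the stored value, such as the directory during a simple bind, can recompute the digest. A password encoder that hashes the supplied password without that salt produces a different digest, which is the COMPARE_FALSE in the log above. All values below are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed OpenLDAP-style {SSHA} layout:
#   "{SSHA}" + base64( sha1(password + salt) + salt )
# The SHA-1 digest is always 20 bytes; whatever follows it is the salt.

def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} userPassword value the way a directory stores it."""
    if salt is None:
        salt = os.urandom(4)  # a fresh random salt per stored password
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, password: str) -> bool:
    """Verify a password against an {SSHA} value by reusing its embedded salt.

    This is what the directory does on a bind; it needs the stored value,
    which a remote client performing a compare never has."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def unsalted_sha_value(password: str) -> str:
    """What a client-side encoder with no knowledge of the salt can produce:
    the plain {SHA} form. An LDAP compare of this against an {SSHA}
    attribute cannot succeed, regardless of whether the password is right."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")
```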

Olivier Lamarche

unread,
Jun 1, 2017, 11:50:54 AM6/1/17
to CAS Community
Thank you Daniel,

I set principalAttributePassword to empty, and now CAS uses PooledBindAuthenticationHandler!



On Wednesday, May 31, 2017 at 4:48:03 PM UTC-4, dfisher wrote:
On Wed, May 31, 2017 at 10:19 AM, Olivier Lamarche <olam...@gmail.com> wrote:

2017-05-31 09:49:03,075 DEBUG [org.ldaptive.auth.Authenticator] - <authenticate dn=cn=inf10771,ou=xxxxxx,ou=xxxxxx,ou=individuel,dc=xxxxxxxx,dc=com with request=[org.ldaptive.auth.AuthenticationRequest@518364974::user=[org.ldaptive.auth.User@1810991362::identifier=aaa...@ccc.com, context=null], returnAttributes=[uid, mail, givenName, sn, cn]]>
2017-05-31 09:49:03,077 DEBUG [org.ldaptive.auth.PooledCompareAuthenticationHandler] - <authenticate criteria=[org.ldaptive.auth.AuthenticationCriteria@1112853084::dn=cn=inf10771,ou=xxxxxx,ou=xxxxxx,ou=individuel,dc=xxxxxxxx,dc=com, authenticationRequest=[org.ldaptive.auth.AuthenticationRequest@518364974::user=[org.ldaptive.auth.User@1810991362::identifier=aaa...@ccc.com, context=null], returnAttributes=[uid, mail, givenName, sn, cn]]]>
