CAS 6.0 How to authenticate user/password with LDAP


ratm

Oct 10, 2019, 10:52:20 AM
to CAS Community

I have installed Docker CAS 6.0 without a database and without connecting CAS to an application.

The application is running fine and I'm looking to connect CAS to an LDAP Oracle Directory Server.

When I try to log in with a login/password into the CAS 6.0 application I get this error:

WHO: myLogin
WHAT: Supplied credentials: [UsernamePasswordCredential(username=myLogin, source=null)]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS

My cas.properties:

cas.authn.ldap[0].ldapUrl=ldap://monserveur.uk
cas.authn.ldap[0].bindDn=cn=Directory Manager
cas.authn.ldap[0].bindCredential=myPassword
cas.authn.ldap[0].baseDn=ou=personnels,ou=XX-XXX-XXXX,ou=edu,o=gov,c=uk
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].searchFilter=uid=%s
cas.authn.ldap[0].principalAttributePassword=userPassword
cas.authn.ldap[0].principalAttributeList=cn,givenName,mail,sn

Note: the password is SSHA encoded in LDAP.

How can I verify what's wrong? For example, when I put a wrong baseDn or searchFilter I get the same error. How can I perform a simple login/password test to rule out errors?

How does CAS deal with the password, i.e. is it LDAP that performs the password compare, or CAS?

If it's CAS that performs the password compare, how do I configure CAS for

Thanks in advance for any help!


Ray Bon

Oct 10, 2019, 12:43:00 PM
to cas-...@apereo.org
Anthony,

Test your LDAP connection from the command line (ldapsearch) or a desktop app (Apache Directory Studio) to make sure the settings are correct and there are no network issues.
Then try adding the minimum properties.
I do not have 'principalAttributePassword' in my config.

Ray
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

ratm

Oct 11, 2019, 3:58:43 AM
to CAS Community
Hello,

I ran ldapsearch in the docker container:

  ldapsearch -h server_host -D "cn=Directory Manager" -w administrateur -b "ou=personnels,ou=XXXXXX,ou=educ,o=gouv,c=fr"  uid=myLogin

ldapsearch returns the correct entry.

In the LDAP log, when I connect with CAS I see nothing:
  [11/Oct/2019:08:26:17 +0200] conn=15 op=7019 msgId=5437415 - RESULT err=0 tag=101 nentries=1 etime=0
  [11/Oct/2019:08:26:17 +0200] conn=8 op=13150 msgId=5437416 - SRCH base="ou=XXXXXXXX,ou=educ,o=gouv,c=fr" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=""

Thanks for the help!

Best regards,

ratm

Oct 11, 2019, 8:08:41 AM
to CAS Community
Actually CAS (server) makes no request to LDAP!

I'm using cas-webapp-docker-master and I have added LDAP support in the build.gradle file:

  description = "Apereo Central Authentication Service"

  allprojects {
      apply plugin: 'java'
  }

  dependencies {
      compile "org.apereo.cas:cas-server-support-ldap:${project.cas.version}"
  }

What's wrong?

Matthew Uribe

Oct 11, 2019, 8:18:56 AM
to CAS Community
It looks like you're using ldap, rather than ldaps. Is that correct?  I recall when I was doing that I had to explicitly tell CAS not to encrypt the traffic. I think just providing ldap://server in the ldapUrl is not enough to prevent CAS from trying to connect securely. This is back when I was using CAS 5.2, but I had to set these properties in order to successfully query LDAP from CAS without SSL:

cas.authn.ldap[0].useSsl:             false
cas.authn.ldap[0].useStartTls:        false


If you're trying to pull attributes as well, then the same goes for that:

cas.authn.attributeRepository.ldap[0].useSsl:           false 
cas.authn.attributeRepository.ldap[0].useStartTls: false 

If I'm right, and this is your problem, I would expect to see something in the CAS logs about problems connecting to the LDAP server.

-Matt

ratm

Oct 11, 2019, 9:41:01 AM
to CAS Community
Thanks for the help!

Same problem with:
cas.authn.ldap[0].ldapUrl=ldap://myServer
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false

or with
cas.authn.ldap[0].ldapUrl=ldaps://myServer


Matthew Uribe

Oct 11, 2019, 9:51:40 AM
to cas-...@apereo.org
What kind of errors are you seeing in cas.log?


Matt Uribe
ERP Architect/Administrator
Information Technology
Aims Community College
970.339.6375
matthe...@aims.edu
5401 W. 20th Street
Greeley, CO, 80634
www.aims.edu


IT staff will never ask you for your username and password.
Always decline to provide the information and report such 
attempts to the Help Desk (x6380).


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/9c8d9193-6142-4bed-a544-e7cba05e1e84%40apereo.org.

ratm

Oct 11, 2019, 10:17:20 AM
to CAS Community
No errors, only the audit record:
2019-10-11 14:11:41,800 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================

WHO: myLogin
WHAT: Supplied credentials: [UsernamePasswordCredential(username=myLogin, source=null)]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Fri Oct 11 14:11:41 UTC 2019
CLIENT IP ADDRESS: XXXXXXX
SERVER IP ADDRESS: XXXXXX
=============================================================

I'm also trying to have more debug log...

Matthew Uribe

Oct 11, 2019, 10:34:04 AM
to cas-...@apereo.org
Do you restart CAS after changing the cas.properties file?  When you do, do you get any errors on CAS startup?


ratm

Oct 11, 2019, 10:45:40 AM
to CAS Community
I compile and restart after every change. When I made a wrong change on cas.properties

My entire log:

./run.sh 6.0
0378eacccc0e2419cb62b848dee4254025e811837111162cedfca8eb5a96227d
Executing build from directory:
/cas-overlay
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.codehaus.groovy.vmplugin.v7.Java7$1 (jar:file:/cas-overlay/build/libs/cas.war!/WEB-INF/lib/groovy-2.5.5.jar!/) to constructor java.lang.invoke.MethodHandles$Lookup(java.lang.Class,int)
WARNING: Please consider reporting this to the maintainers of org.codehaus.groovy.vmplugin.v7.Java7$1
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

   __   ____      _      ____   __  
  / /  / ___|    / \    / ___|  \ \
 | |  | |       / _ \   \___ \   | |
 | |  | |___   / ___ \   ___) |  | |
 | |   \____| /_/   \_\ |____/   | |
  \_\                           /_/
CAS Version: 6.0.5
CAS Commit Id: 78f64b6e2bf256e48c9fac43ec80238712086a18
CAS Build Date/Time: 2019-10-11T14:33:41Z
Spring Boot Version: 2.1.2.RELEASE
Spring Version: 5.1.5.RELEASE
Java Home: /opt/zulu11.31.11-ca-jdk11.0.3-linux_x64
Java Vendor: Azul Systems, Inc.
Java Version: 11.0.3
JVM Free Memory: 201 MB
JVM Maximum Memory: 988 MB
JVM Total Memory: 263 MB
JCE Installed: Yes
Node Version: N/A
NPM Version: N/A
OS Architecture: amd64
OS Name: Linux
OS Version: 3.10.0-957.10.1.el7.x86_64
OS Date/Time: 2019-10-11T14:34:28.654815
OS Temp Directory: /tmp
------------------------------------------------------------
Apache Tomcat Version: Apache Tomcat/9.0.24
------------------------------------------------------------

2019-10-11 14:34:28,785 INFO [org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator] - <Configuration files found at [/etc/cas/config] are [[file [/etc/cas/config/cas.properties]]] under profile(s) [[standalone]]>
2019-10-11 14:34:28,862 INFO [org.apereo.cas.web.CasWebApplication] - <The following profiles are active: standalone>
2019-10-11 14:34:37,724 WARN [org.apereo.cas.config.CasCoreTicketsConfiguration] - <Runtime memory is used as the persistence storage for retrieving and managing tickets. Tickets that are issued during runtime will be LOST when the web server is restarted. This MAY impact SSO functionality.>
2019-10-11 14:34:37,732 INFO [org.apereo.cas.util.CoreTicketUtils] - <Ticket registry encryption/signing is turned off. This MAY NOT be safe in a clustered production environment. Consider using other choices to handle encryption, signing and verification of ticket registry tickets, and verify the chosen ticket registry does support this behavior.>
2019-10-11 14:34:44,371 INFO [org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration] - <
Using generated security password: d86bdedf-46e8-4169-b8ad-84d9518e55e6
>
2019-10-11 14:34:44,647 INFO [org.springframework.security.web.access.channel.ChannelProcessingFilter] - <Validated configuration attributes>
2019-10-11 14:34:44,679 INFO [org.springframework.security.web.DefaultSecurityFilterChain] - <Creating filter chain: any request, [org.springframework.security.web.access.channel.ChannelProcessingFilter@33430fc, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@bcfe29c, org.springframework.security.web.context.SecurityContextPersistenceFilter@4f20b022, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@24fef542, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@35536760, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@37f71c05, org.springframework.security.web.session.SessionManagementFilter@6a278584, org.springframework.security.web.access.ExceptionTranslationFilter@6697f3d, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@4e2824b1]>
2019-10-11 14:34:45,581 WARN [org.apereo.cas.config.CasCoreServicesConfiguration] - <Runtime memory is used as the persistence storage for retrieving and persisting service definitions. Changes that are made to service definitions during runtime WILL be LOST when the CAS server is restarted. Ideally for production, you should choose a storage option (JSON, JDBC, MongoDb, etc) to track service definitions.>
2019-10-11 14:34:45,590 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [0] service(s) from [InMemoryServiceRegistry].>
2019-10-11 14:34:45,790 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Secret key for encryption is not defined for [Ticket-granting Cookie]; CAS will attempt to auto-generate the encryption key>
2019-10-11 14:34:45,802 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated encryption key [2JFBj6q-0YQ3UtUpcybjCgC779U5W2js83NUhMt9qaw] of size [256] for [Ticket-granting Cookie]. The generated key MUST be added to CAS settings under setting [cas.tgc.crypto.encryption.key].>
2019-10-11 14:34:45,807 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Secret key for signing is not defined for [Ticket-granting Cookie]. CAS will attempt to auto-generate the signing key>
2019-10-11 14:34:45,809 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated signing key [zOd62gRZazRAgcF8EAU9cQvN6A3VBS2YhxB0uj8XwX9HyX9LFGz__AuEBfAvxUN7WWKNhUn3gBhryp1znetyHA] of size [512] for [Ticket-granting Cookie]. The generated key MUST be added to CAS settings under setting [cas.tgc.crypto.signing.key].>
2019-10-11 14:34:45,946 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - <Secret key for signing is not defined under [cas.webflow.crypto.signing.key]. CAS will attempt to auto-generate the signing key>
2019-10-11 14:34:45,947 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - <Generated signing key [kotV91L3GXkCc_FiiCSV6FqqH6WkSTdyUZZR0CrrXaXRZ4GdP4PJS980QFHWtLbIxlawHf7Mxll1Y0xRAz0Dzw] of size [512]. The generated key MUST be added to CAS settings under setting [cas.webflow.crypto.signing.key].>
2019-10-11 14:34:45,947 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - <Secret key for encryption is not defined under [cas.webflow.crypto.encryption.key]. CAS will attempt to auto-generate the encryption key>
2019-10-11 14:34:45,949 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - <Generated encryption key [uKS5B5X-O-a4jV_THJqz1w] of size [16]. The generated key MUST be added to CAS settings under setting [cas.webflow.crypto.encryption.key].>
2019-10-11 14:34:46,717 INFO [org.apereo.cas.web.CasWebApplication] - <Started CasWebApplication in 22.288 seconds (JVM running for 26.121)>
2019-10-11 14:34:46,742 INFO [org.apereo.cas.support.events.listener.DefaultCasEventListener] - <>
2019-10-11 14:34:46,748 INFO [org.apereo.cas.support.events.listener.DefaultCasEventListener] - <
  ____    _____      _      ____   __   __
 |  _ \  | ____|    / \    |  _ \  \ \ / /
 | |_) | |  _|     / _ \   | | | |  \ V /
 |  _ <  | |___   / ___ \  | |_| |   | |  
 |_| \_\ |_____| /_/   \_\ |____/    |_|  
                                         
>
2019-10-11 14:34:46,748 INFO [org.apereo.cas.support.events.listener.DefaultCasEventListener] - <>
2019-10-11 14:34:46,748 INFO [org.apereo.cas.support.events.listener.DefaultCasEventListener] - <Ready to process requests @ [2019-10-11T14:34:46.740Z]>
 2019-10-11 14:35:16,268 INFO [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - <[0] expired tickets removed.>
2019-10-11 14:35:16,455 INFO [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for cookies for warn cookie generator to: [/cas/] >
2019-10-11 14:35:16,502 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [event=success,timestamp=Fri Oct 11 14:35:16 UTC 2019,source=RankedMultifactorAuthenticationProviderWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Oct 11 14:35:16 UTC 2019
CLIENT IP ADDRESS: 192.168.62.73
SERVER IP ADDRESS: 172.17.0.2
=============================================================
>
2019-10-11 14:35:28,670 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN

=============================================================
WHO: myLogin
WHAT: Supplied credentials: [UsernamePasswordCredential(username=myLogin, source=null)]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Fri Oct 11 14:35:28 UTC 2019
CLIENT IP ADDRESS: XXXXXXX
SERVER IP ADDRESS: XXXXXXXX
=============================================================

ratm

Oct 15, 2019, 3:12:55 AM
to CAS Community
With cas-overlay-template-6.0 I get this error:

2019-10-15 08:31:17,180 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [UsernamePasswordCredential(username=aperrin23, source=null)] of type [UsernamePasswordCredential]. Examine the configuration to ensure a method of authentication is defined and analyze CAS logs at DEBUG level to trace the authentication event.>


ratm

Oct 15, 2019, 5:18:41 AM
to CAS Community
It works!
I'll come back later with the solution.

ratm

Oct 17, 2019, 5:19:42 AM
to CAS Community
It works for SSHA passwords without any configuration or change.

Example for CAS 6.0.5 provided by cas-overlay-6.0 and LDAP Oracle Directory Server 11.

cas.properties:

 # anonymous connection to the LDAP on your LDAP server
 ###############################################################################
 cas.authn.ldap[0].ldapUrl=ldap://myServer.fr:389/
 cas.authn.ldap[0].type=ANONYMOUS
 cas.authn.ldap[0].useSsl=false
 cas.authn.ldap[0].useStartTls=false

 # connection to the LDAP in authenticated mode
 ###############################################################################
 #cas.authn.ldap[0].ldapUrl=ldap://myServer.fr:389/
 #cas.authn.ldap[0].useSsl=false
 #cas.authn.ldap[0].useStartTls=false
 #cas.authn.ldap[0].type=AUTHENTICATED
 ## Identifier used to connect to the LDAP
 #cas.authn.ldap[0].bindDn=cn=Directory Manager
 #cas.authn.ldap[0].bindCredential=myPassword

 # search for the CAS user who tries to log in
 ################################################################################
 cas.authn.ldap[0].baseDn=ou=XXXXXX,ou=educ,o=gouv,c=fr
 cas.authn.ldap[0].subtreeSearch=true
 cas.authn.ldap[0].searchFilter=(&(objectClass=person)(uid={user}))
 #cas.authn.ldap[0].searchFilter=uid={user}
 #cas.authn.ldap[0].principalAttributeList=cn,givenName,mail,sn


With cas-overlay-6.0 you need to copy the config:
  ./build.sh copy

For testing when something goes wrong:

CAS server side:
=========================================================================================
  telnet yourServer.fr 389

must work!

  ldapsearch -h yourLdapServer.fr -D "cn=Directory Manager" -w yourPassword -b "ou=personnels,ou=XXXXX,ou=educ,o=gouv,c=fr"  uid=loginTest
or anonymous connection
  ldapsearch -h yourLdapServer.fr -x -b "ou=personnels,ou=XXXXX,ou=educ,o=gouv,c=fr"  uid=loginTest

must return the entry


LDAP server side
==================================================================================================
  tcpdump -v -i eth0 -s 0 -A 'tcp dst port 389'

must produce a line like this (when you run ldapsearch or the CAS test login):

  tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
  18:04:23.846472 IP (tos 0x0, ttl  64, id 19303, offset 0, flags [DF], proto 6, length: 60) yourCasServer.fr.59810 > yourLdapServer.ldap: S [tcp sum ok] ...


If the connection between CAS and LDAP fails:
correct these lines in cas.properties:
 cas.authn.ldap[0].ldapUrl=ldap://myServer.fr:389/
 cas.authn.ldap[0].type=ANONYMOUS
 cas.authn.ldap[0].useSsl=false
 cas.authn.ldap[0].useStartTls=false


When the connection between CAS and LDAP is OK, check the CAS log and the LDAP access log for more information!

Alberto Cabello Sánchez

Oct 24, 2019, 6:00:53 AM
to cas-...@apereo.org
On Thu, 10 Oct 2019 07:52:19 -0700 (PDT)
ratm <anthony....@gmail.com> wrote:

> How can I verify what's wrong? For example, when I put a wrong baseDn or
> searchFilter I get the same error. How can I perform a simple login/password
> test to rule out errors?

Setting log level DEBUG or TRACE in some packages (e. g. org.ldaptive) is
often useful to me. It writes lots of information to the logs, including
the actual LDAP queries being issued.

> How does CAS deal with the password, i.e. is it LDAP that performs the password
> compare, or CAS?

LDAP. CAS has no access to LDAP stored passwords.

By the way, this

cas.authn.ldap[0].bindDn=cn=Directory Manager

doesn't look like a DN to me. I guess this is not your actual setting, though.

--
Alberto Cabello Sánchez
Servicio de Informática
Universidad de Extremadura
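As an added illustration (not code from any poster or from CAS itself), the following Python models the two steps the CAS LDAP handler performs with the thread's searchFilter, and why the SSHA format of the stored password never reaches CAS: the directory entry, DN and password are constructed samples, and the dictionary stands in for the directory server.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an LDAP {SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # any salt length works; the verifier takes what follows the digest
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(password: str, stored: str) -> bool:
    """What the directory does on a simple bind: recompute with the stored salt and compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is always 20 bytes; the remainder is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare

# Constructed sample directory (hypothetical entry, not the thread's real server).
BASE_DN = "ou=personnels,ou=XXXXX,ou=educ,o=gouv,c=fr"
DIRECTORY: Dict[str, dict] = {
    "uid=loginTest," + BASE_DN: {
        "objectClass": ["top", "person"],
        "uid": "loginTest",
        "userPassword": ssha_hash("correct horse", salt=b"8bytesal"),
    },
}

def search_dn(base_dn: str, user: str) -> Optional[str]:
    """Step 1: resolve the typed login to a DN using the thread's searchFilter,
    (&(objectClass=person)(uid={user})), with subtreeSearch under baseDn."""
    for dn, entry in DIRECTORY.items():
        in_subtree = dn.endswith("," + base_dn)
        if in_subtree and "person" in entry["objectClass"] and entry["uid"] == user:
            return dn
    return None

def bind(dn: str, password: str) -> bool:
    """Step 2: CAS binds as the resolved DN; the directory, not CAS, checks the {SSHA} value."""
    entry = DIRECTORY.get(dn)
    return entry is not None and verify_ssha(password, entry["userPassword"])

def cas_ldap_authenticate(base_dn: str, user: str, password: str) -> bool:
    """Search-then-bind as the CAS LDAP handler does. Every failure collapses into the
    same AUTHENTICATION_FAILED audit record, which is why a wrong baseDn or searchFilter
    looks exactly like a wrong password from the CAS side."""
    dn = search_dn(base_dn, user)
    return dn is not None and bind(dn, password)
```

Because the compare happens in `verify_ssha` on the directory side, CAS never needs a `principalAttributePassword` setting for a bind-based handler, matching Ray's and Alberto's remarks above.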