LDAP response read timed


Thierry Delaitre

Jan 7, 2017, 12:30:02 PM
to CAS Community
Hello

I’ve got a CAS server that works fine when connecting to eDirectory.

I’ve changed it to connect to Active Directory but I get the below. The strange thing is that half of CAS says that the user has been authenticated while the second half of the log says there is a timeout. The JVM does have the ca certs for the LDAP servers and an ldapsearch query to AD works fine so it should not be a firewall problem.

Is there some hint to debug this?

Thanks

Thierry

2017-01-06 17:24:08,867 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Setting path for cookies to: />
2017-01-06 17:24:17,186 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated [username: delaitt]>
2017-01-06 17:24:19,590 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: [username: delaitt]
WHAT: supplied credentials: [username: delaitt]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Fri Jan 06 17:24:19 GMT 2017
CLIENT IP ADDRESS: XX
SERVER IP ADDRESS: XX
=============================================================
>
2017-01-06 17:24:19,592 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: [username: delaitt]
WHAT: Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: LDAP response read timed out, timeout used:2000ms.; remaining name 'OU=XX'
ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Fri Jan 06 17:24:19 GMT 2017
CLIENT IP ADDRESS: XX
SERVER IP ADDRESS: XX
=============================================================



Thierry Delaitre

Jan 7, 2017, 1:09:36 PM
to CAS Community
FYI

*** Finished
verify_data:  { 211, 149, 17, 160, 89, 28, 181, 252, 91, 11, 70, 209 }
***
%% Cached client session: [Session-3, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
TP-Processor2, setSoTimeout(0) called
TP-Processor2, WRITE: TLSv1 Application Data, length = 128
Thread-11, READ: TLSv1 Application Data, length = 48
TP-Processor2, WRITE: TLSv1 Application Data, length = 32
TP-Processor2, WRITE: TLSv1 Application Data, length = 128
TP-Processor2, WRITE: TLSv1 Application Data, length = 32
TP-Processor2, WRITE: TLSv1 Application Data, length = 32
TP-Processor2, WRITE: TLSv1 Application Data, length = 32
TP-Processor2, WRITE: TLSv1 Application Data, length = 64
TP-Processor2, called close()
TP-Processor2, called closeInternal(true)
TP-Processor2, SEND TLSv1 ALERT:  warning, description = close_notify
TP-Processor2, WRITE: TLSv1 Alert, length = 32
TP-Processor2, called closeSocket(true)
Thread-11, handling exception: java.net.SocketException: Socket closed
%% Invalidated:  [Session-3, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
Thread-11, called closeSocket()
2017-01-07 18:07:50,916 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: [username: delaitt]
WHAT: supplied credentials: [username: delaitt]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Sat Jan 07 18:07:50 GMT 2017


Thierry Delaitre

Jan 9, 2017, 1:30:07 AM
to cas-...@apereo.org
Hello

With SSL debug enabled:

Finalizer, called close()
Finalizer, called closeInternal(true)
Jan 07, 2017 5:22:52 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-8443
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-8443-1, setSoTimeout(60000) called
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
http-8443-1, handling exception: java.net.SocketException: Connection reset
http-8443-1, SEND TLSv1.2 ALERT:  fatal, description = unexpected_message
http-8443-1, WRITE: TLSv1.2 Alert, length = 2
http-8443-1, Exception sending alert: java.net.SocketException: Broken pipe (Write failed)
http-8443-1, called closeSocket()
http-8443-1, called close()
http-8443-1, called closeInternal(true)


Thierry

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.

Philippe MARASSE

Jan 9, 2017, 4:59:48 AM
to cas-...@apereo.org
Hello,

Looks like CAS and the directory cannot find a common cipher. Which JVM do you use? FYI Java 6 is pretty outdated and does not support ECDHE key exchange out of the box.

You can have a look here:
http://stackoverflow.com/questions/27323858/java-6-ecdhe-cipher-suite-support

Regards.

-- 
Philippe MARASSE

Head of the Infrastructure unit - DSIO
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Cœur
86021 Poitiers Cedex
Tel: 05.49.44.57.19
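As an added example (not from this thread or the CAS project), a small Java program that lists the cipher suites the running JVM enables, counts the ECDHE ones, and, when the suites a directory server advertises are passed as arguments, reports whether any suite is common to both sides; it is written against the Java 6 API so it can be run on the same JVM that hosts CAS. The class name and argument handling are my own choices.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

// Added example, not CAS code. Uses only Java 6 APIs so it runs on the JVM under suspicion.
public class CipherSuiteCheck {
    // Suites this JVM enables by default: what a CAS LDAP bind offers in its ClientHello.
    static Set<String> enabledSuites() throws Exception {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        return new LinkedHashSet<String>(Arrays.asList(factory.getDefaultCipherSuites()));
    }

    // The ECDHE key-exchange suites among a set of suite names.
    static Set<String> ecdheSuites(Set<String> suites) {
        Set<String> out = new LinkedHashSet<String>();
        for (String s : suites) {
            if (s.contains("_ECDHE_")) out.add(s);
        }
        return out;
    }

    // Suites both sides could negotiate: the server's list restricted to what the JVM enables.
    static Set<String> commonSuites(Set<String> enabled, Set<String> serverOffered) {
        Set<String> common = new LinkedHashSet<String>(serverOffered);
        common.retainAll(enabled);
        return common;
    }

    public static void main(String[] args) throws Exception {
        Set<String> enabled = enabledSuites();
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("protocols    = " + Arrays.toString(
                SSLContext.getDefault().getSupportedSSLParameters().getProtocols()));
        Set<String> ecdhe = ecdheSuites(enabled);
        System.out.println(enabled.size() + " suites enabled, " + ecdhe.size() + " of them ECDHE");
        if (ecdhe.isEmpty()) {
            System.out.println("No ECDHE suites: a directory that accepts only ECDHE will abort the handshake");
        }
        // Optional: pass the suites the directory advertises (e.g. read from a packet capture)
        if (args.length > 0) {
            Set<String> offered = new LinkedHashSet<String>(Arrays.asList(args));
            Set<String> common = commonSuites(enabled, offered);
            System.out.println("common with server: "
                    + (common.isEmpty() ? "NONE (handshake cannot succeed)" : common.toString()));
        }
    }
}
```

Run it with the JVM that runs CAS (`java CipherSuiteCheck TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ...`); an empty intersection with the directory's advertised suites matches the "no common cipher" diagnosis above.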