Trouble getting LdapAuthenticationHandler Configured.


Daniel

Nov 17, 2016, 9:01:08 AM
to CAS Community
Greetings,

After being unable to authenticate directly to our Oracle 12g database using the Encoded Query option, we have synced our users to an openLDAP instance.

I am receiving the following error:

16-Nov-2016 14:57:58.043 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 66821 ms
2016-11-16 14:58:03,745 INFO [org.apereo.cas.web.flow.InitialFlowSetupAction] - <Setting path for cookies for warn cookie generator to: /cas/ >
2016-11-16 14:58:16,081 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentie [UsernamePasswordCredential], which suggests a configuration problem.>
2016-11-16 14:58:16,099 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: myUsername
WHAT: Supplied credentials: [myUsername]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Wed Nov 16 14:58:16 EST 2016
CLIENT IP ADDRESS: 192.168.x.x
SERVER IP ADDRESS: 10.25.0.0
=============================================================



My configuration (using the Maven overlay for CAS 5.0 from GitHub) is as follows:


cas.adminPagesSecurity.ip=127\.0\.0\.1

logging.config: file:/etc/cas/config/log4j2.xml
# cas.serviceRegistry.config.location: classpath:/services

cas.authn.accept.users=


cas.authn.policy.req.handlername=LdapAuthenticationHandler
cas.authn.policy.req.enabled=true

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://127.0.0.1
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].baseDn=ou=bannerAccounts,dc=bannerldap,dc=sunypoly,dc=edu
cas.authn.ldap[0].userFilter=uid={0}
cas.authn.ldap[0].bindDn=cn=Directory Manager,dc=sunypoly,dc=edu
cas.authn.ldap[0].bindCredential=xxxxxxxxxxxxxxxxx

cas.authn.ldap[0].principalAttributeId=uid
cas.authn.ldap[0].principalAttributePassword=
cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true

cas.authn.ldap[0].minPoolSize=3
cas.authn.ldap[0].maxPoolSize=10
cas.authn.ldap[0].validateOnCheckout=true
cas.authn.ldap[0].validatePeriodically=true
cas.authn.ldap[0].validatePeriod=600


I have looked through the properties list several times and don't understand what I could be missing.

Thank you,

John Stevens II

Nov 18, 2016, 10:32:02 AM
to cas-...@apereo.org

Do you have debugging turned on for ldap in your log file?


--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---

Elendrys Yagami

Nov 19, 2016, 5:30:07 AM
to CAS Community
Hi,

I just came through the same kind of difficulty, so 3 things to check:
- have you loaded the ldap dependency in pom.xml?
- have you set the ldaptive logging to "debug"?

If you did so, you shall see messages from ldaptive in the logs; then you can debug what is going on with the ldap logs. If you have no trace from ldaptive, then either the dependency has not been loaded or the log level is not debug, but the default log should at least show information on startup.

Then, but nonetheless, I did choose the AUTHENTICATED method, but as written your user shall have an SHA-1 encoded password (we use SSHA here). It took me a while to realise that it is clearly written in the doc (but here you should have traces in your ldap log telling that the compare operation failed).

Daniel

Nov 21, 2016, 9:34:50 AM
to CAS Community
Thank you Elendrys.

I added:

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-jdbc</artifactId>
    <version>${cas.version}</version>
</dependency>

to pom.xml and everything is working now.


In our setup we rely on the search to find the DN of a user and then perform a direct simple bind on that DN with the supplied password. Attempting a compare seemed to over-complicate things, as we would also be using SSHA passwords.