Secure endpoints with LDAP - getting "You are not authorized to be authorized" error
Doug C
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-webapp${app.server}</artifactId>
<version>${cas.version}</version>
<type>war</type>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-ldap</artifactId>
<version>${cas.version}</version>
</dependency>
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-json-service-registry</artifactId>
<version>${cas.version}</version>
</dependency>
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-webapp-config-security</artifactId>
<version>${cas.version}</version>
</dependency>
</dependencies>
cas.server.name: https://cas.developer.local
cas.server.prefix: https://cas.developer.local/cas
cas.adminPagesSecurity.ip=^([01]?\\d\\d?|2[0-4]\\d|25[0-5])\\.([01]?\\d\\d?|2[0-4]\\d|25[0-5])\\.([01]?\\d\\d?|2[0-4]\\d|25[0-5])\\.([01]?\\d\\d?|2[0-4]\\d|25[0-5])$
cas.adminPagesSecurity.ldap.type=AUTHENTICATED
cas.adminPagesSecurity.ldap.ldapUrl=ldaps://adserver.developer.local
cas.adminPagesSecurity.ldap.useSsl=true
cas.adminPagesSecurity.ldap.useStartTls=false
cas.adminPagesSecurity.ldap.connectTimeout=5000
cas.adminPagesSecurity.ldap.baseDn=ou=User Accounts,dc=developer,dc=local
cas.adminPagesSecurity.ldap.userFilter=(sAMAccountName={user})
cas.adminPagesSecurity.ldap.subtreeSearch=true
cas.adminPagesSecurity.ldap.bindDn=cn=ADUSER,ou=User Accounts,dc=developer,dc=local
cas.adminPagesSecurity.ldap.bindCredential=xxxxxxxxxxxxx
cas.adminPagesSecurity.ldap.principalAttributePassword=
cas.adminPagesSecurity.ldap.ldapAuthz.rolePrefix=ROLE_
cas.adminPagesSecurity.ldap.ldapAuthz.roleAttribute=distinguishedName
cas.adminPagesSecurity.adminRoles[0]=ROLE_CN=TEST ADMIN,OU=USER ACCOUNTS,DC=DEVELOPER,DC=LOCAL
cas.monitor.endpoints.sensitive=true
cas.adminPagesSecurity.actuatorEndpointsEnabled=true
endpoints.enabled=true
endpoints.sensitive=true
cas.webflow.signing.key=WX9O3jkBsxlY6x75cJ4AXZOiifI6riXwd-hxC1mSVO-8yHqzNdNQclZ2JUXLAFupnevK5AHTuCnxL2qxKdXsBw
cas.webflow.encryption.keySize=16
cas.webflow.encryption.key=e4u4kLZsHJEAGeEF
cas.tgc.signingKey=H-VLFW61yvDqleC9K2OdkpmWNl0JU63-P6ToV_k6MaCv8tOMebMB6RvjL-peGb4qg1ncFWdrR3rs55g0r4-PpA
cas.tgc.encryptionKey=_bfxASYwKd83PPO5NEa94l6FJkKpt29yLImqYEg7otE
cas.authn.accept.users=
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://adserver.developer.local/
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].baseDn=ou=User Accounts,dc=developer,dc=local
cas.authn.ldap[0].bindDn=cn=ADUSER,ou=User Accounts,dc=developer,dc=local
cas.authn.ldap[0].bindCredential=xxxxxxxxxxx
cas.authn.ldap[0].principalAttributeId=sAMAccountName
# when principalAttributePassword is empty a simple bind is done
cas.authn.ldap[0].principalAttributePassword=
cas.authn.ldap[0].principalAttributeList=sAMAccountName,GUID,LanguageId,TrackId,givenName,sn,mail,memberOf,distinguishedName
cas.authn.ldap[0].userFilter=(sAMAccountName={user})
cas.authn.ldap[0].subtreeSearch=true
cas.authn.releaseProtocolAttributes=false
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "^https?://.*",
"name" : "HTTP and HTTPS",
"id" : 10000001,
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
"allowedAttributes" : {
"@class" : "java.util.TreeMap",
"GUID" : "guid",
"LanguageId" : "language",
"TrackId" : "track",
"givenName" : "givenname",
"sn" : "surname",
"mail" : "defaultmail",
"memberOf" : "memberof",
"distinguishedName" : "dn"
}
}
}
To test I navigate to https://cas.developer.local/cas/status. I am prompted to login and I use the credentials for one of my LDAP accounts. The page that is returned is the "You are not authorized to be authorized".
2017-09-14 17:05:51,728 DEBUG [org.apereo.cas.web.ldap.LdapAuthenticationProvider] - <Executing LDAP authentication request for user [testadmin]>
2017-09-14 17:05:53,837 DEBUG [org.apereo.cas.web.ldap.LdapAuthenticationProvider] - <LDAP response: [[org.ldaptive.auth.AuthenticationResponse@138934696::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS, resolvedDn=CN=Test Admin,OU=User Accounts,DC=developer,DC=local, ldapEntry=[dn=CN=Test Admin,OU=User Accounts,DC=developer,DC=local[[mail[test...@myemaildomain.com]], [GUID[testadmin]], [uSNCreated[22950]], [badPwdCount[0]], [countryCode[0]], [userParameters[m: d ]], [whenChanged[20170912210900.0Z]], [objectClass[top, person, organizationalPerson, user]], [primaryGroupID[513]], [givenName[Test]], [BillingLocationId[25]], [objectGUID[???}?B??$??]], [BillingAccountNumber[0431381]], [instanceType[4]], [objectSid[o?hG3o~???^]], [whenCreated[20060504053320.0Z]], [adminCount[1]], [dSCorePropagationData[20081126172248.0Z, 20081126172440.0Z, 16010108151056.0Z]], [sn[Admin]], [userAccountControl[66048]], [lastLogonTimestamp[131497241403024643]], [cn[Test Admin]], [codePage[0]], [accountExpires[9223372036854775807]], [sAMAccountName[testadmin]], [sAMAccountType[805306368]], [userPrincipalName[testadmin@developer]], [LanguageId[en]], [displayName[Test Admin]], [pwdLastSet[128445099571052935]], [TrackId[4]], [name[Test Admin]], [lastLogon[131498784000051542]], [objectCategory[CN=Person,CN=Schema,CN=Configuration,DC=developer,DC=local]], [lastLogoff[0]], [distinguishedName[CN=Test Admin,OU=User Accounts,DC=developer,DC=local]], [memberOf[CN=Static Developers,OU=User Accounts,DC=developer,DC=local, CN=Administrators,CN=Builtin,DC=developer,DC=local, CN=CAS,OU=User Accounts,DC=developer,DC=local, CN=SVN Documents,OU=User Accounts,DC=developer,DC=local, CN=WSS_ADMIN_WPG,CN=Users,DC=developer,DC=local, CN=WPI Developers,OU=User Accounts,DC=developer,DC=local, CN=__ExchangeFullAdmin,OU=User Accounts,DC=developer,DC=local, CN=Domain Admins,CN=Users,DC=developer,DC=local, CN=PHP Developers,OU=User Accounts,DC=developer,DC=local, CN=Schema Admins,CN=Users,DC=developer,DC=local, CN=Enterprise Admins,CN=Users,DC=developer,DC=local, CN=VPN,OU=User Accounts,DC=developer,DC=local]], [badPasswordTime[131354220137319729]], [logonCount[32333]], [uSNChanged[29529278]]], responseControls=null, messageId=-1], accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]]>
2017-09-14 17:05:53,838 DEBUG [org.apereo.cas.web.ldap.LdapAuthenticationProvider] - <Collected user profile [#CommonProfile# | id: testadmin | attributes: {BillingLocationId=[25], lastLogoff=[0], logonCount=[32333], mail=[test...@myemaildomain.com], userParameters=[m: d ], LanguageId=[en], lastLogonTimestamp=[131497241403024643], accountExpires=[9223372036854775807], displayName=[Test Admin], distinguishedName=[CN=Test Admin,OU=User Accounts,DC=developer,DC=local], countryCode=[0], objectGUID=[???}?B??$??], dSCorePropagationData=[20081126172248.0Z, 20081126172440.0Z, 16010108151056.0Z], uSNCreated=[22950], sn=[Admin], memberOf=[CN=Static Developers,OU=User Accounts,DC=developer,DC=local, CN=Administrators,CN=Builtin,DC=developer,DC=local, CN=CAS,OU=User Accounts,DC=developer,DC=local, CN=SVN Documents,OU=User Accounts,DC=developer,DC=local, CN=WSS_ADMIN_WPG,CN=Users,DC=developer,DC=local, CN=WPI Developers,OU=User Accounts,DC=developer,DC=local, CN=__ExchangeFullAdmin,OU=User Accounts,DC=developer,DC=local, CN=Domain Admins,CN=Users,DC=developer,DC=local, CN=PHP Developers,OU=User Accounts,DC=developer,DC=local, CN=Schema Admins,CN=Users,DC=developer,DC=local, CN=Enterprise Admins,CN=Users,DC=developer,DC=local, CN=VPN,OU=User Accounts,DC=developer,DC=local], codePage=[0], userAccountControl=[66048], userPrincipalName=[testadmin@developer], lastLogon=[131498784000051542], TrackId=[4], whenCreated=[20060504053320.0Z], badPasswordTime=[131354220137319729], uSNChanged=[29529278], sAMAccountName=[testadmin], givenName=[Test], instanceType=[4], objectClass=[top, person, organizationalPerson, user], cn=[Test Admin], BillingAccountNumber=[0431381], whenChanged=[20170912210900.0Z], GUID=[testadmin], primaryGroupID=[513], adminCount=[1], sAMAccountType=[805306368], name=[Test Admin], objectSid=[o?hG3o~???^], badPwdCount=[0], pwdLastSet=[128445099571052935], objectCategory=[CN=Person,CN=Schema,CN=Configuration,DC=developer,DC=local]} | roles: [] | permissions: [] | isRemembered: false | clientName: null | linkedId: null |]>
2017-09-14 17:05:53,838 DEBUG [org.apereo.cas.authorization.BaseUseAttributesAuthorizationGenerator] - <Attempting to get details for user [testadmin].>
2017-09-14 17:05:53,838 DEBUG [org.apereo.cas.configuration.support.Beans] - <Constructed LDAP search filter [(sAMAccountName=testadmin)]>
2017-09-14 17:05:54,508 DEBUG [org.apereo.cas.authorization.BaseUseAttributesAuthorizationGenerator] - <LDAP user search response: [[org.ldaptive.Response@543776551::result=[org.ldaptive.SearchResult@164530940::entries=[[dn=CN=Test Admin,OU=User Accounts,DC=developer,DC=local[[distinguishedName[CN=Test Admin,OU=User Accounts,DC=developer,DC=local]]], responseControls=null, messageId=-1]], references=[]], resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1]]>
2017-09-14 17:05:54,509 DEBUG [org.apereo.cas.web.ldap.LdapAuthenticationProvider] - <Assembled user profile with roles after generating authorization claims [#CommonProfile# | id: testadmin | attributes: {BillingLocationId=[25], lastLogoff=[0], logonCount=[32333], mail=[test...@myemaildomain.com], userParameters=[m: d ], LanguageId=[en], lastLogonTimestamp=[131497241403024643], accountExpires=[9223372036854775807], displayName=[Test Admin], distinguishedName=[CN=Test Admin,OU=User Accounts,DC=developer,DC=local], countryCode=[0], objectGUID=[???}?B??$??], dSCorePropagationData=[20081126172248.0Z, 20081126172440.0Z, 16010108151056.0Z], uSNCreated=[22950], sn=[Admin], memberOf=[CN=Static Developers,OU=User Accounts,DC=developer,DC=local, CN=Administrators,CN=Builtin,DC=developer,DC=local, CN=CAS,OU=User Accounts,DC=developer,DC=local, CN=SVN Documents,OU=User Accounts,DC=developer,DC=local, CN=WSS_ADMIN_WPG,CN=Users,DC=developer,DC=local, CN=WPI Developers,OU=User Accounts,DC=developer,DC=local, CN=__ExchangeFullAdmin,OU=User Accounts,DC=developer,DC=local, CN=Domain Admins,CN=Users,DC=developer,DC=local, CN=PHP Developers,OU=User Accounts,DC=developer,DC=local, CN=Schema Admins,CN=Users,DC=developer,DC=local, CN=Enterprise Admins,CN=Users,DC=developer,DC=local, CN=VPN,OU=User Accounts,DC=developer,DC=local], codePage=[0], userAccountControl=[66048], userPrincipalName=[testadmin@developer], lastLogon=[131498784000051542], TrackId=[4], whenCreated=[20060504053320.0Z], badPasswordTime=[131354220137319729], uSNChanged=[29529278], sAMAccountName=[testadmin], givenName=[Test], instanceType=[4], objectClass=[top, person, organizationalPerson, user], cn=[Test Admin], BillingAccountNumber=[0431381], whenChanged=[20170912210900.0Z], GUID=[testadmin], primaryGroupID=[513], adminCount=[1], sAMAccountType=[805306368], name=[Test Admin], objectSid=[o?hG3o~???^], badPwdCount=[0], pwdLastSet=[128445099571052935], objectCategory=[CN=Person,CN=Schema,CN=Configuration,DC=developer,DC=local]} | roles: [ROLE_CN=TEST ADMIN,OU=USER ACCOUNTS,DC=DEVELOPER,DC=LOCAL] | permissions: [] | isRemembered: false | clientName: null | linkedId: null |]>
2017-09-14 17:05:54,509 DEBUG [org.apereo.cas.web.ldap.LdapAuthenticationProvider] - <List of authorities remapped from profile roles are [[ROLE_CN=TEST ADMIN,OU=USER ACCOUNTS,DC=DEVELOPER,DC=LOCAL]]>
2017-09-14 17:05:54,509 DEBUG [org.apereo.cas.web.ldap.LdapAuthenticationProvider] - <Executing authorization for expected admin roles [[ROLE_ACTUATOR, ROLE_CN=TEST ADMIN,OU=USER ACCOUNTS,DC=DEVELOPER,DC=LOCAL]]>
2017-09-14 17:05:54,615 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [classpath:custom_messages_en] - neither plain properties nor XML>
2017-09-14 17:05:54,620 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [classpath:custom_messages] - neither plain properties nor XML>
2017-09-14 17:05:54,627 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [classpath:messages_en] - neither plain properties nor XML>
2017-09-14 17:05:54,629 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <Re-caching properties for filename [classpath:messages] - file hasn't been modified>
Andy Ng
In the case of normal login. If you want to trigger the service defined, you need to do this:
https://cas.developer.local/cas/login?service=https%3A%2F%2Fwww.iamawebsite.com
(https%3A%2F%2Fwww.iamawebsite.com => decode => https://www.iamawebsite.com)
Then your HTTPSadnIMAPS-10001.json will have effect, otherwise your service will not trigger.
I don't know whether [https://cas.develop.local/cas/status?service=https://whatever.website] will works though (status instead of login), you can try that.
-Andy
Doug Campbell
Thanks Andy.
Normal CAS authentications are working fine with the service definition that I have and the service redirects are working as you indicated.
I don’t think there are any service redirects (or any services that need to be defined) for the spring security method. At least if I setup to use spring security with a master account and just swap out the following lines of my cas.properties:
cas.adminPagesSecurity.ldap.type=AUTHENTICATED
cas.adminPagesSecurity.ldap.ldapUrl=ldaps://adserver.developer.local
cas.adminPagesSecurity.ldap.useSsl=true
cas.adminPagesSecurity.ldap.useStartTls=false
cas.adminPagesSecurity.ldap.connectTimeout=5000
cas.adminPagesSecurity.ldap.baseDn=ou=User Accounts,dc=developer,dc=local
cas.adminPagesSecurity.ldap.userFilter=(sAMAccountName={user})
cas.adminPagesSecurity.ldap.subtreeSearch=true
cas.adminPagesSecurity.ldap.bindDn=cn=ADUSER,ou=User Accounts,dc=developer,dc=local
cas.adminPagesSecurity.ldap.bindCredential=xxxxxxxxxxxxx
cas.adminPagesSecurity.ldap.principalAttributePassword=
cas.adminPagesSecurity.ldap.ldapAuthz.rolePrefix=ROLE_
cas.adminPagesSecurity.ldap.ldapAuthz.roleAttribute=distinguishedName
cas.adminPagesSecurity.adminRoles[0]=ROLE_CN=TEST ADMIN,OU=USER ACCOUNTS,DC=DEVELOPER,DC=LOCAL
and replace them with these lines instead:
security.basic.enabled=true
security.basic.realm=CAS
security.user.name=master
security.user.password=6b934cf6-8162-4dba-878b-ed10eb3ac105
and then navigate to https://cas.developer.local/cas/status and I am presented with the Basic Authentication dialog where I put in the above credentials and the status page loads as desired.
Doug
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/ab4431b1-1198-4d9a-b5a7-c6b4393ed006%40apereo.org.