CAS 4.2.7 and Active Directory


Ben Branch

Jan 18, 2017, 10:41:18 AM1/18/17
to cas-...@apereo.org

Hello,

Making my first attempt at standing up a 4.2.7 environment and I’m running into some issues with being able to authenticate against Active Directory. Below are some snippets from my deployerConfigContext.xml and my cas.properties.


<bean id="ldapAuthenticationHandler"
      class="org.jasig.cas.authentication.LdapAuthenticationHandler"
      p:principalIdAttribute="sAMAccountName"
      c:authenticator-ref="authenticator">
    <property name="principalAttributeMap">
        <map>
            <entry key="displayName" value="simpleName" />
            <entry key="mail"        value="email" />
            <entry key="memberOf"    value="membership" />
        </map>
    </property>
</bean>

<ldaptive:ad-authenticator id="authenticator"
    ldapUrl="${ldap.url}"
    userFilter="${ldap.authn.searchFilter}"
    bindDn="${ldap.managerDn}"
    bindCredential="${ldap.managerPassword}"
    allowMultipleDns="${ldap.allowMultipleDns:false}"
    connectTimeout="${ldap.connectTimeout}"
    validateOnCheckOut="${ldap.pool.validateOnCheckout}"
    failFastInitialize="true"
    blockWaitTime="${ldap.pool.blockWaitTime}"
    idleTime="${ldap.pool.idleTime}"
    baseDn="${ldap.baseDn}"
    maxPoolSize="${ldap.pool.maxSize}"
    minPoolSize="${ldap.pool.minSize}"
    validatePeriodically="${ldap.pool.validatePeriodically}"
    validatePeriod="${ldap.pool.validatePeriod}"
    prunePeriod="${ldap.pool.prunePeriod}"
    useSSL="${ldap.use.ssl:false}"
    subtreeSearch="${ldap.subtree.search:true}"
    useStartTLS="${ldap.useStartTLS}" />

<util:map id="authenticationHandlersResolvers">
    <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
    <entry key-ref="ldapAuthenticationHandler" value-ref="primaryPrincipalResolver" />
</util:map>

------


#========================================
# General properties
#========================================
ldap.url=ldap://xxxx.xxxx.local

# Start TLS for SSL connections
ldap.useStartTLS=false

# Directory root DN
ldap.rootDn=dc=uco,dc=local

# Base DN of users to be authenticated
ldap.baseDn=dc=uco,dc=local

# LDAP connection timeout in milliseconds
ldap.connectTimeout=3000

# Manager credential DN
ldap.managerDn=xxxx...@uco.local
#ldap.managerDn=cn=xxxxx,ou=xxxxx,ou=.xxxxx,ou=.xxxxx,dc=uco,dc=local

# Manager credential password
ldap.managerPassword=xxxxxxxxxx

#========================================
# LDAP connection pool configuration
#========================================
ldap.pool.minSize=1
ldap.pool.maxSize=10
ldap.pool.validateOnCheckout=false
ldap.pool.validatePeriodically=true

# Amount of time in milliseconds to block on pool exhausted condition
# before giving up.
ldap.pool.blockWaitTime=3000

# Frequency of connection validation in seconds
# Only applies if validatePeriodically=true
ldap.pool.validatePeriod=300

# Attempt to prune connections every N seconds
ldap.pool.prunePeriod=300

# Maximum amount of time an idle connection is allowed to be in
# pool before it is liable to be removed/destroyed
ldap.pool.idleTime=600

#========================================
# Authentication
#========================================
ldap.authn.searchFilter=sAMAccountName=%u

# Ldap domain used to resolve dn
ldap.domain=uco.local

# Should LDAP Password Policy be enabled?
ldap.usePpolicy=false

# Allow multiple DNs during authentication?
ldap.allowMultipleDns=false


I’m getting the following error message when I try to authenticate against the CAS:


2017-01-18 09:01:26,293 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - resolve user=bbranch

2017-01-18 09:01:26,293 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - searching for DN using userFilter

2017-01-18 09:01:26,294 DEBUG [org.ldaptive.SearchOperation] - execute request=[org.ldaptive.SearchRequest@783549601::baseDn=dc=uco,dc=local, searchFilter=[org.ldaptive.SearchFilter@1643232954::filter=sAMAccountName=%u, parameters={user=bbranch}], returnAttributes=[1.1], searchScope=SUBTREE, timeLimit=0, sizeLimit=0, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, referralHandler=null, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@272582350::config=[org.ldaptive.ConnectionConfig@637269160::ldapUrl=ldap://xxxxxx.uco.local, connectTimeout=3000, responseTimeout=-1, sslConfig=null, useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@1334607410::bindDn=cn=xxxx,ou=xxxxx,ou=.xxxx,ou=.xxxx,dc=uco,dc=local, bindSaslConfig=null, bindControls=null]], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@708937399::metadata=[ldapUrl=ldap://xxxxx.uco.local, count=1], environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, com.sun.jndi.ldap.connect.timeout=3000, java.naming.ldap.version=3}, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@871591437::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, connectionStrategy=org.ldaptive.provider.DefaultConnectionStrategy@165ee3dd, controlProcessor=org.ldaptive.provider.ControlProcessor@7f3016b8, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@32be3220]

2017-01-18 09:01:26,298 DEBUG [org.ldaptive.SearchOperation] - execute response=[org.ldaptive.Response@61411435::result=[org.ldaptive.SearchResult@-188379762::entries=[], references=[[org.ldaptive.SearchReference@-192682915::referralUrls=[ldap://uco.local/CN=Configuration,DC=uco,DC=local], responseControls=null, messageId=-1, referenceResponse=null]]], resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1] for request=[org.ldaptive.SearchRequest@783549601::baseDn=dc=uco,dc=local, searchFilter=[org.ldaptive.SearchFilter@1643232954::filter=sAMAccountName=%u, parameters={user=bbranch}], returnAttributes=[1.1], searchScope=SUBTREE, timeLimit=0, sizeLimit=0, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, referralHandler=null, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@272582350::config=[org.ldaptive.ConnectionConfig@637269160::ldapUrl=ldap://xxxxx.uco.local, connectTimeout=3000, responseTimeout=-1, sslConfig=null, useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@1334607410::bindDn=cn=xxxx,ou=xxx,ou=.xxxx,ou=.xxxx,dc=uco,dc=local, bindSaslConfig=null, bindControls=null]], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@708937399::metadata=[ldapUrl=ldap://xxxxxx.uco.local, count=1], environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, com.sun.jndi.ldap.connect.timeout=3000, java.naming.ldap.version=3}, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@871591437::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, connectionStrategy=org.ldaptive.provider.DefaultConnectionStrategy@165ee3dd, controlProcessor=org.ldaptive.provider.ControlProcessor@7f3016b8, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@32be3220]

2017-01-18 09:01:26,298 INFO [org.ldaptive.auth.PooledSearchDnResolver] - search for user=bbranch failed using filter=[org.ldaptive.SearchFilter@1643232954::filter=sAMAccountName=%u, parameters={user=bbranch}]

2017-01-18 09:01:26,298 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - resolved dn=null for user=bbranch

2017-01-18 09:01:26,298 DEBUG [org.ldaptive.auth.Authenticator] - authenticate dn=null with request=[org.ldaptive.auth.AuthenticationRequest@1349837485::user=bbranch, retAttrs=[mail, sAMAccountName, memberOf, displayName]]

2017-01-18 09:01:26,298 WARN [org.jasig.cas.authentication.LdapAuthenticationHandler] - DN resolution failed. DN cannot be null

2017-01-18 09:01:26,299 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - LdapAuthenticationHandler failed authenticating bbranch


The error message is very archaic, so I’m not really sure what is failing. I see that it says that the DN resolution failed, but I’m not exactly sure what that means. I found a post where it mentions that this could be a search scope issue and to enable subtree searching. From what I can tell from the error above, this is already enabled. Any help would be greatly appreciated.


Ben Branch
UNIX/Linux Administrator

University of Central Oklahoma

ITIL Foundation v3, Network+, RHCE

100 N. University Drive, Box 122

Edmond, OK 73034

D: 405.974.2649 | M: 405.550.6804 | bbranch@uco.edu | www.uco.edu


“I am wiser than this man, for neither of us appears to know anything great and good; but he fancies he knows something, although he knows nothing; whereas I, as I do not know anything, so I do not fancy I do. In this trifling particular, then, I appear to be wiser than he, because I do not fancy I know what I do not know.” - Socrates


Daniel Fisher

Jan 18, 2017, 11:42:02 AM1/18/17
to cas-...@apereo.org
On Wed, Jan 18, 2017 at 10:41 AM, Ben Branch <BBr...@uco.edu> wrote:

#========================================
# Authentication
#========================================
ldap.authn.searchFilter=sAMAccountName=%u

Try ldap.authn.searchFilter=(sAMAccountName={user})

--Daniel Fisher
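Daniel's fix worked through as an added example, not code from the thread, from CAS or from ldaptive: a small Python model of how a `{user}` placeholder is substituted into the search filter with RFC 4515 value escaping. It shows that a `%u` template is sent to the directory literally (no entry matches, so the DN resolves to null, as in the log above) while `(sAMAccountName={user})` resolves the DN; the directory entries are constructed and `template_problems` is a hypothetical config check.

```python
import re
from typing import List, Optional

# RFC 4515 escaping for substituted values, so a username containing
# filter metacharacters cannot change the shape of the query.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def format_filter(template: str, **params: str) -> str:
    """Replace each {name} token with its escaped parameter value.
    Anything else, including the legacy %u token, stays literal, which is
    what 'filter=sAMAccountName=%u, parameters={user=bbranch}' shows."""
    def substitute(match):
        name = match.group(1)
        if name not in params:
            raise KeyError(f"no parameter supplied for {{{name}}}")
        return escape_value(params[name])
    return re.sub(r"\{(\w+)\}", substitute, template)

def template_problems(template: str) -> List[str]:
    """Config check: report tokens the {user} resolver will never expand."""
    problems = []
    if "%u" in template:
        problems.append("'%u' is not expanded by this resolver; use {user}")
    if "{user}" not in template:
        problems.append("no {user} token, so the search never varies by login")
    return problems

# Constructed stand-in for the entries under dc=uco,dc=local.
DIRECTORY = {
    "CN=Ben Branch,OU=Staff,DC=uco,DC=local": {"sAMAccountName": "bbranch"},
    "CN=CAS Service,OU=Service,DC=uco,DC=local": {"sAMAccountName": "svc-cas"},
}

def resolve_dn(filter_str: str) -> Optional[str]:
    """Evaluate one (attr=value) equality filter against DIRECTORY and return
    the single matching DN, or None (ldaptive's 'resolved dn=null')."""
    match = re.fullmatch(r"\(?(\w+)=([^()]*)\)?", filter_str)
    if not match:
        return None
    attr, value = match.group(1), match.group(2)
    hits = [dn for dn, attrs in DIRECTORY.items()
            if attrs.get(attr, "").lower() == value.lower()]
    return hits[0] if len(hits) == 1 else None
```

A login of `*` or `bbran*` is escaped to `\2a` before it reaches the filter, so it cannot turn the DN lookup into a wildcard search.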

Ben Branch

Jan 18, 2017, 12:57:30 PM1/18/17
to cas-...@apereo.org

Daniel,

Worked like a champ. Many thanks! Now onto trying to configure the rest of the stuff!



--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAFC6YwTMsEUWXA0MsmUUsW4A-jmeAnKPjxssKaRn0W7nTa8W5Q%40mail.gmail.com.

Jacques van der Merwe

Nov 6, 2019, 1:15:27 AM11/6/19
to CAS Community, BBr...@uco.edu
I am getting the same error but I am using UID={user}
import org.ldaptive.ConnectionConfig;
import org.ldaptive.Credential;
import org.ldaptive.DefaultConnectionFactory;
import org.ldaptive.LdapEntry;
import org.ldaptive.LdapException;
import org.ldaptive.auth.AuthenticationRequest;
import org.ldaptive.auth.AuthenticationResponse;
import org.ldaptive.auth.AuthenticationResultCode;
import org.ldaptive.auth.Authenticator;
import org.ldaptive.auth.BindAuthenticationHandler;
import org.ldaptive.auth.SearchDnResolver;
import org.ldaptive.control.ResponseControl;
import org.ldaptive.ssl.AllowAnyTrustManager;
import org.ldaptive.ssl.SslConfig;

public class LdapAuthTest {

  public static void authenticate(String username, String password) throws LdapException {
    // AllowAnyTrustManager accepts any server certificate; CertVerifier is the poster's own hostname verifier class.
    SslConfig sslConfig = new SslConfig(new AllowAnyTrustManager());
    sslConfig.setHostnameVerifier(new CertVerifier());

    ConnectionConfig connConfig = new ConnectionConfig("ldaps://ldapserver.com:636");
    connConfig.setSslConfig(sslConfig);
    DefaultConnectionFactory connectionFactory = new DefaultConnectionFactory(connConfig);

    // Resolve the user's DN by searching the base DN with the uid filter
    SearchDnResolver dnResolver = new SearchDnResolver(connectionFactory);
    dnResolver.setBaseDn("ou=xxxx,ou=xxxx,o=xxxxx");
    dnResolver.setUserFilter("uid={user}");
    dnResolver.setSubtreeSearch(true);
    dnResolver.setAllowMultipleDns(true);

    // Bind as the resolved DN to verify the password
    BindAuthenticationHandler authHandler = new BindAuthenticationHandler(connectionFactory);
    Authenticator auth = new Authenticator(dnResolver, authHandler);
    AuthenticationResponse response = auth.authenticate(
        new AuthenticationRequest(username, new Credential(password), new String[] {"mail", "sn"}));
    System.out.println("response : " + response);
    // if (AuthenticationResultCode.DN_RESOLUTION_FAILURE == response.getAuthenticationResultCode()) {
    //   throw new AuthenticationException(username + "  not found");
    // }
    if (response.getResult()) {
      System.out.println("authenticated");
      LdapEntry entry = response.getLdapEntry(); // read mail and sn attributes
      System.out.println("email : " + entry.getAttribute("mail"));
      System.out.println("sn : " + entry.getAttribute("sn"));
    } else {
      String msg = response.getMessage(); // read the failure message
      ResponseControl[] ctls = response.getControls(); // read any response controls
      System.out.println("authentication failed !!! with message : " + msg);
    }
  }
}

The result is:
ResultCode=DN_RESOLUTION_FAILURE
The message is: DN cannot be null

thanks

Jacques
