First, thank you for your help. :)
I tried your test (I had already done it) and it succeeds: I'm able to read user info from AD. The password contains UTF-8 characters; do you think it could be an encoding issue?
De : Patrick Gardella <patrick.gardella@asburyseminary.edu>
Envoyé : mercredi 12 octobre 2016 16:20:44
À : Stephane KERAIN
Objet : Re: [cas-user] CAS 4.2.5 - AD authentication failed
If I'm reading your log correctly (I'm fairly new to this myself), I see that AD is returning an error code 52e near the end of your log snippet:
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580^@]
Looking up that error code points to "invalid credentials". (See http://www-01.ibm.com/support/docview.wss?uid=swg21290631 for details.) Since it is not returning a "data 525" error, that means that it recognizes the user, but you have the wrong password.
If you are running this on a Linux system, you can install the ldap-utils package
sudo apt-get install libnss-ldap ldap-utils
and then run a query from the command line, to make sure you have things set up properly. Using your variables, the command would be:
ldapsearch -x -H ldap://my-ldap-server.my-domain:389 -b 'DC=my-domain,DC=global-domain' -w 'manager-password' -D 'my-manager@my-domain.global-domain' -Z sAMAccountName='some username here that exists in your AD'
Patrick+
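To make the 525-versus-52e reasoning above reusable when triaging CAS/ldaptive logs, here is a small parser that pulls the AcceptSecurityContext sub-code out of an AD bind error and maps it to its meaning. It is an added example, not code from CAS, ldaptive or the thread; the sub-code table goes beyond the two codes discussed above and lists the other well-known AD bind sub-codes, and the 525 sample line is constructed for contrast.

```python
import re
from typing import Optional

# Well-known AD sub-codes carried in the "data" field of an
# LDAP result 49 (invalidCredentials) AcceptSecurityContext comment.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (user exists, password rejected)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the message format seen in the log above, e.g.
# "LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8,
#  comment: AcceptSecurityContext error, data 52e, v2580"
_AD_ERROR = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<hex>[0-9A-Fa-f]{8}): LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>[^,]+), "
    r"data (?P<data>[0-9A-Fa-f]+)"
)


def parse_ad_bind_error(message: str) -> Optional[dict]:
    """Return the parsed fields of an AD bind failure, or None if absent."""
    m = _AD_ERROR.search(message)
    if not m:
        return None
    data = m.group("data").lower()
    return {
        "result_code": int(m.group("code")),
        "dsid": m.group("dsid"),
        "comment": m.group("comment"),
        "data": data,
        "meaning": AD_BIND_SUBCODES.get(data, "unknown sub-code"),
        # Only 525 means AD could not find the account at all.
        "user_exists": data != "525",
    }


# The line quoted from the CAS log above, and a constructed 525 variant.
LOG_52E = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, "
           "comment: AcceptSecurityContext error, data 52e, v2580]")
LOG_525 = LOG_52E.replace("data 52e", "data 525")  # constructed sample
```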
On Wed, Oct 12, 2016 at 9:31 AM, KERAIN Stéphane <stephan...@infodb.fr> wrote:
Hi,
I'm trying to configure my CAS server for AD authentication. I've read the documentation several times and made multiple attempts, but nothing works; AD authentication fails.
Need some help, please. :)
Best regards, Stéphane.
---
cas.properties:
server.name=https://my-cas-server:8028
server.prefix=${server.name}/cas
host.name=my-cas-server.my-domain
webflow.encryption.key=jVOzaqhPXOgMbakc
webflow.signing.key=QIsan9FM86T-1W8QZaDmD8N3VzZC9P2YrWqxNWMN-qLFujSt0EShBZdzVtC5ttTRTGMB6pyWzIA3zI2VDk4yrg
accept.authn.users=casuser::Mellon
ldap.url=ldap://my-ldap-server.my-domain:389
ldap.useStartTLS=false
ldap.rootDn=dc=my-domain,dc=global-domain
#ldap.baseDn=OU=USERS,OU=MY-OU,DC=my-domain,DC=global-domain
ldap.baseDn=DC=my-domain,DC=global-domain
ldap.connectTimeout=3000
#ldap.managerDn=CN=my-manager,OU=DOMAINE,OU=ADMINISTRATEUR,OU=USERS,OU=MY-OU,DC=my-domain,DC=global-domain
ldap.managerDn=my-manager@my-domain.global-domain
ldap.managerPassword=manager-password
ldap.pool.minSize=1
ldap.pool.maxSize=10
ldap.pool.validateOnCheckout=false
ldap.pool.validatePeriodically=true
ldap.pool.blockWaitTime=3000
ldap.pool.validatePeriod=300
ldap.pool.prunePeriod=300
ldap.pool.idleTime=600
ldap.authn.searchFilter=cn={user}
ldap.domain=my-domain.global-domain
ldap.usePpolicy=false
ldap.allowMultipleDns=false
---
catalina.out:
2016-10-12 14:54:33,364 DEBUG [org.ldaptive.BindOperation] - <execute request=[org.ldaptive.BindRequest@237353622::bindDn=my-user@my.domain, saslConfig=null, controls=null, referralHandler=null, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@896428015::config=[org.ldaptive.ConnectionConfig@1457929333::ldapUrl=ldap://my-server.mydomain:389, connectTimeout=3000, responseTimeout=-1, sslConfig=null, useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@1737965895::bindDn=my-user@my.domain, bindSaslConfig=null, bindControls=null]], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@1727525661::metadata=[ldapUrl=ldap://my-server.mydomain:389, count=1], environment={com.sun.jndi.ldap.connect.timeout=3000, java.naming.ldap.version=3, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory}, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@135425996::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, connectionStrategy=org.ldaptive.provider.DefaultConnectionStrategy@10afcf37, controlProcessor=org.ldaptive.provider.ControlProcessor@3ae04798, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@6579518f]>
2016-10-12 14:54:33,374 ERROR [org.ldaptive.pool.BlockingConnectionPool] - <[org.ldaptive.pool.BlockingConnectionPool@923455700::name=bind-pool, poolConfig=[org.ldaptive.pool.PoolConfig@259215693::minPoolSize=1, maxPoolSize=10, validateOnCheckIn=false, validateOnCheckOut=false, validatePeriodically=true, validatePeriod=300], activator=null, passivator=null, validator=[org.ldaptive.pool.SearchValidator@1357400872::searchRequest=[org.ldaptive.SearchRequest@1061773616::baseDn=, searchFilter=[org.ldaptive.SearchFilter@1642584434::filter=(objectClass=*), parameters={}], returnAttributes=[1.1], searchScope=OBJECT, timeLimit=0, sizeLimit=1, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, referralHandler=null, intermediateResponseHandlers=null]] pruneStrategy=[org.ldaptive.pool.IdlePruneStrategy@1429310040::prunePeriod=300, idleTime=600], connectOnCreate=true, connectionFactory=[org.ldaptive.DefaultConnectionFactory@306776633::provider=org.ldaptive.provider.jndi.JndiProvider@15221fc1, config=[org.ldaptive.ConnectionConfig@1457929333::ldapUrl=ldap://my-server.mydomain:389, connectTimeout=3000, responseTimeout=-1, sslConfig=null, useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@1737965895::bindDn=my-user@my.domain, bindSaslConfig=null, bindControls=null]]], initialized=false, availableCount=0, activeCount=0] unable to connect to the ldap>