[cas-user] Cas 5.0.5 - LdapAuthenticationHandler does not appear and login fails

Song, Doe-Hyun

unread,

Jun 5, 2017, 12:19:17 PM6/5/17

to cas-...@apereo.org

Hello CAS Community,

I am upgrading CAS4.1 to CAS5.0.5 and have difficulty to configure LDAP. It would be appreciated if I can have better understanding from you.

I can not see LdapAuthenticationHandler works for authentication. Error log does not show LdapAuthenticationHandler actually works for authentication.

From CAS 4, we changed deployerConfigConext.xml to configure PolicyBasedAuthenticationManger to use ldapAuthenticationHandler. I don’t see the configuration from CAS 5. So, I didn’t change anything at deployerConfigContext.xml.

Unfortunately, my log does not show any work of ldapAuthenticationHandler by the time I attempt to login.

The attached are my cas.properties (though it is not complete) and cas.log.

2017-06-05 11:53:54,944 DEBUG [org.apereo.cas.config.LdapAuthenticationConfiguration] - <Ldap authenticator configured with return attributes [] for ldaps://wdccusts01p.extusers.hub1.com:636 and baseDn cn=Users,dc=EXTUSERS,dc=hub1,dc=com >

2017-06-05 11:53:54,945 DEBUG [org.apereo.cas.config.LdapAuthenticationConfiguration] - <Password policy is enabled for ldaps://wdccusts01p.extusers.hub1.com:636. Constructing password policy configuration>

2017-06-05 11:53:54,987 DEBUG [org.apereo.cas.config.LdapAuthenticationConfiguration] - <Initializing ldap authentication handler...>

2017-06-05 11:53:54,987 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Initializing LDAP attribute configuration...>

2017-06-05 11:53:54,988 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Configured to retrieve principal id attribute uid>

2017-06-05 11:53:54,988 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Configured to retrieve additional attributes [uid]>

2017-06-05 11:53:54,988 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <LDAP authentication entry attributes are uid>

2017-06-05 11:53:54,988 DEBUG [org.apereo.cas.config.LdapAuthenticationConfiguration] - <Ldap authentication for ldaps://wdccusts01p.extusers.hub1.com:636 is to delegate to principal resolvers for attributes>

……………

2017-06-05 11:58:36,529 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [dhs] of type [UsernamePasswordCredential], which suggests a configuration problem.>

2017-06-05 11:58:36,537 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN

=============================================================

WHO: dhs

WHAT: Supplied credentials: [dhs]

ACTION: AUTHENTICATION_FAILED

APPLICATION: CAS

WHEN: Mon Jun 05 11:58:36 EDT 2017

CLIENT IP ADDRESS: 127.0.0.1

SERVER IP ADDRESS: 127.0.0.1

=============================================================

Thanks,

Doe


The information contained in this e-mail and any attachments is confidential and
intended only for the recipient. If you are not the intended recipient, the
information contained in this message may not be used, copied, or forwarded to
third parties or otherwise distributed for any other purpose. Please notify the
sender if you received this e-mail in error and delete the e-mail and its
attachments promptly.  Nothing in this e-mail may be used or deemed to form the
basis of a contractual or any other legally binding obligation unless separately
confirmed in writing by an authorized representative of ARMADA.

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/7C27C94EB0F1AD41BB2FA62533E661E201DA7D0FF2%40MailS01P.hub1.com.

cas.log

cas.properties

Song, Doe-Hyun

unread,

Jun 5, 2017, 2:21:00 PM6/5/17

to cas-...@apereo.org

Hello CAS Community,

It looks ldapAuthenticationHandler is not an issue. Wrong LDAP configuration caused the issue. I could authenticate my user correctly by modifying cas.properties.

#========================================

# LDAP Authentication

#========================================

cas.authn.ldap[0].type=AD

# cas.authn.ldap[0].type=AUTHENTICATED

#|AUTHENTICATED|DIRECT|ANONYMOUS|SASL

cas.authn.ldap[0].ldapUrl=ldaps://wdccusts01p.extusers.hub1.com:636

cas.authn.ldap[0].useSsl=true

# Whether to use StartTLS (probably needed if not SSL connection)

cas.authn.ldap[0].useStartTls=false

# LDAP connection timeout in milliseconds - CAS4 3000

cas.authn.ldap[0].connectTimeout=5000

# Base DN of users to be authenticated

cas.authn.ldap[0].baseDn=ou=Users,dc=EXTUSERS,dc=hub1,dc=com

cas.authn.ldap[0].userFilter=cn={user}

# cas.authn.ldap[0].subtreeSearch=true

# cas.authn.ldap[0].usePasswordPolicy=true

# cas.authn.ldap[0].bindDn=cn=Directory Manager,dc=example,dc=org

# cas.authn.ldap[0].bindCredential=Password

# cas.authn.ldap[0].poolPassivator=NONE|CLOSE|BIND

# cas.authn.ldap[0].enhanceWithEntryResolver=true

cas.authn.ldap[0].dnFormat=%s...@EXTUSERS.hub1.com

#,ou=Users,dc=EXTUSERS,dc=hub1,dc=com

# cas.authn.ldap[0].principalAttributeId=uid

# cas.authn.ldap[0].principalAttributePassword=userPassword

# Give an attribute list released from LDAP to CAS, could be used with attributeRepository.defaultAttributesToRelease to be visible on CAS P3 serviceValidate

# cas.authn.ldap[0].principalAttributeList=sn,cn:commonName,givenName,eduPersonTargettedId:SOME_IDENTIFIER

# cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true

# cas.authn.ldap[0].additionalAttributes=

# cas.authn.ldap[0].credentialCriteria=

# cas.authn.ldap[0].saslMechanism=GSSAPI|DIGEST_MD5|CRAM_MD5|EXTERNAL

# cas.authn.ldap[0].saslRealm=EXAMPLE.COM

# cas.authn.ldap[0].saslAuthorizationId=

# cas.authn.ldap[0].saslMutualAuth=

# cas.authn.ldap[0].saslQualityOfProtection=

# cas.authn.ldap[0].saslSecurityStrength=

cas.authn.ldap[0].trustCertificates=file:///C:/armadasoft/SSO/cas5-overlay/etc/security/wdccusts01p.cer

cas.authn.ldap[0].keystore=file:///C:/armadasoft/SSO/cas5-overlay/etc/security/jssecacerts

cas.authn.ldap[0].keystorePassword=changeit

cas.authn.ldap[0].keystoreType=JKS

#|JCEKS|PKCS12

cas.authn.ldap[0].minPoolSize=3

cas.authn.ldap[0].maxPoolSize=10

cas.authn.ldap[0].validateOnCheckout=true

cas.authn.ldap[0].validatePeriodically=true

# Frequency of connection validation in seconds

# Only applies if validatePeriodically=true - CAS4 300

cas.authn.ldap[0].validatePeriod=600

# cas.authn.ldap[0].failFast=true

# Maximum amount of time an idle connection is allowed to be in

# pool before it is liable to be removed/destroyed CAS4 600

cas.authn.ldap[0].idleTime=5000

# Attempt to prune connections every N seconds CAS4 300

cas.authn.ldap[0].prunePeriod=5000

# Amount of time in milliseconds to block on pool exhausted condition before giving up. CAS3 - 3000

cas.authn.ldap[0].blockWaitTime=5000

However, I still have NamingException as below.

2017-06-05 14:16:03,972 DEBUG [org.ldaptive.auth.Authenticator] - <entry resolution failed for resolver=[org.ldaptive.auth.PooledSearchEntryResolver@476953134::factory=[org.ldaptive.pool.PooledConnectionFactory@2098606393::pool=[org.ldaptive.pool.BlockingConnectionPool@917327006::name=null, poolConfig=[org.ldaptive.pool.PoolConfig@1862769336::minPoolSize=3, maxPoolSize=10, validateOnCheckIn=false, validateOnCheckOut=true, validatePeriodically=true, validatePeriod=PT10M], activator=null, passivator=null, validator=[org.ldaptive.pool.SearchValidator@945032010::searchRequest=[org.ldaptive.SearchRequest@-2063251018::baseDn=, searchFilter=[org.ldaptive.SearchFilter@1642584434::filter=(objectClass=*), parameters={}], returnAttributes=[1.1], searchScope=OBJECT, timeLimit=PT0S, sizeLimit=1, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, referralHandler=null, intermediateResponseHandlers=null]] pruneStrategy=[org.ldaptive.pool.IdlePruneStrategy@729047693::prunePeriod=PT1H23M20S, idleTime=PT1H23M20S], connectOnCreate=true, connectionFactory=[org.ldaptive.DefaultConnectionFactory@2011239105::provider=org.ldaptive.provider.jndi.JndiProvider@24e094df, config=[org.ldaptive.ConnectionConfig@1022809426::ldapUrl=ldaps://wdccusts01p.extusers.hub1.com:636, connectTimeout=PT1H23M20S, responseTimeout=null, sslConfig=[org.ldaptive.ssl.SslConfig@874424395::credentialConfig=[org.ldaptive.ssl.X509CredentialConfig@-880332252::trustCertificates=file:///C:/armadasoft/SSO/cas5-overlay/etc/security/wdccusts01p.cer, authenticationCertificate=null, authenticationKey=null], trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=true, useStartTLS=false, connectionInitializer=null, connectionStrategy=org.ldaptive.DefaultConnectionStrategy@4b16c313]], initialized=true, availableCount=3, activeCount=0]], baseDn=ou=Users,dc=EXTUSERS,dc=hub1,dc=com , userFilter=cn={user}, userFilterParameters=null, allowMultipleEntries=false, subtreeSearch=true, derefAliases=null, referralHandler=null, searchEntryHandlers=null]>

org.ldaptive.LdapException: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1 ]; remaining name 'ou=Users,dc=EXTUSERS,dc=hub1,dc=com '

at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:55) ~[ldaptive-1.2.0.jar!/:?]

at org.ldaptive.provider.jndi.JndiConnection.processNamingException(JndiConnection.java:619) ~[ldaptive-1.2.0.jar!/:?]

at org.ldaptive.provider.jndi.JndiConnection$JndiSearchIterator.initialize(JndiConnection.java:741) ~[ldaptive-1.2.0.jar!/:?]

at org.ldaptive.provider.jndi.JndiConnection.search(JndiConnection.java:463) ~[ldaptive-1.2.0.jar!/:?]

at org.ldaptive.SearchOperation.executeSearch(SearchOperation.java:103) ~[ldaptive-1.2.0.jar!/:?]

at org.ldaptive.SearchOperation.invoke(SearchOperation.java:85) ~[ldaptive-1.2.0.jar!/:?]

at org.ldaptive.SearchOperation.invoke(SearchOperation.java:15) ~[ldaptive-1.2.0.jar!/:?]

at org.ldaptive.AbstractOperation.execute(AbstractOperation.java:126) ~[ldaptive-1.2.0.jar!/:?]

at org.ldaptive.auth.PooledSearchEntryResolver.performLdapSearch(PooledSearchEntryResolver.java:62) ~[ldaptive-1.2.0.jar!/:?]

at org.ldaptive.auth.AbstractSearchEntryResolver.resolve(AbstractSearchEntryResolver.java:321) ~[ldaptive-1.2.0.jar!/:?]

at org.ldaptive.auth.Authenticator.resolveEntry(Authenticator.java:393) ~[ldaptive-1.2.0.jar!/:?]

at org.ldaptive.auth.Authenticator.authenticate(Authenticator.java:259) ~[ldaptive-1.2.0.jar!/:?]

at org.ldaptive.auth.Authenticator.authenticate(Authenticator.java:224) ~[ldaptive-1.2.0.jar!/:?]

at org.apereo.cas.authentication.LdapAuthenticationHandler.authenticateUsernamePasswordInternal(LdapAuthenticationHandler.java:181) ~[cas-server-support-ldap-5.0.5.jar!/:5.0.5]

at org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler.authenticateUsernamePasswordInternal(AbstractUsernamePasswordAuthenticationHandler.java:81) ~[cas-server-core-authentication-5.0.5.jar!/:5.0.5]

at org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler.doAuthentication(AbstractUsernamePasswordAuthenticationHandler.java:64) ~[cas-server-core-authentication-5.0.5.jar!/:5.0.5]

at org.apereo.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate(AbstractPreAndPostProcessingAuthenticationHandler.java:59) ~[cas-server-core-authentication-5.0.5.jar!/:5.0.5]

at org.apereo.cas.authentication.AbstractAuthenticationManager.authenticateAndResolvePrincipal(AbstractAuthenticationManager.java:209) ~[cas-server-core-authentication-5.0.5.jar!/:5.0.5]

at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.lambda$null$2(PolicyBasedAuthenticationManager.java:102) ~[cas-server-core-authentication-5.0.5.jar!/:5.0.5]

at java.util.stream.MatchOps$1MatchSink.accept(Unknown Source) ~[?:1.8.0_66]

at java.util.stream.ReferencePipeline$2$1.accept(Unknown Source) ~[?:1.8.0_66]

at java.util.HashMap$KeySpliterator.tryAdvance(Unknown Source) ~[?:1.8.0_66]

at java.util.stream.ReferencePipeline.forEachWithCancel(Unknown Source) ~[?:1.8.0_66]

at java.util.stream.AbstractPipeline.copyIntoWithCancel(Unknown Source) ~[?:1.8.0_66]

at java.util.stream.AbstractPipeline.copyInto(Unknown Source) ~[?:1.8.0_66]

at java.util.stream.AbstractPipeline.wrapAndCopyInto(Unknown Source) ~[?:1.8.0_66]

at java.util.stream.MatchOps$MatchOp.evaluateSequential(Unknown Source) ~[?:1.8.0_66]

at java.util.stream.AbstractPipeline.evaluate(Unknown Source) ~[?:1.8.0_66]

at java.util.stream.ReferencePipeline.anyMatch(Unknown Source) ~[?:1.8.0_66]

at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.lambda$authenticateInternal$3(PolicyBasedAuthenticationManager.java:100) ~[cas-server-core-authentication-5.0.5.jar!/:5.0.5]