cas+ldap [beginner's?] problem

>> When I try to authenticate, I cannot get in, and the error seems connected
>> to the ldap user I specified:
>> Error in object 'credentials': codes
>> [error.authentication.credentials.bad.credentials,error.authentication.credentials.bad];
>> arguments []; default message [error.authentication.credentials.bad],
>>    
>
> I've found it's most helpful to review the LDAP logs when
> troubleshooting authentication failures like this.  There are at least
> three points of failure:  the administrative bind, user search to
> lookup user DN, and user bind; the logs will likely isolate which of
> those is the cause of failure.  Once you identify which phase is
> failing, it would help to post your entire LdapContextSource bean
> definition so we can evaluate it against the details of your LDAP
> environment, which you'd need to provide as well.
>
> M
>
>  

>
>
> The result when I try to authenticate with username "user" is always
> as follows:
>
> [15/Oct/2009:10:43:11 +0100] conn=374073 op=0 msgId=1 - BIND
> dn="username=user,ou=people,o=sghms.ac.uk,o=sghms.ac.uk" method=128
> version=3
> [15/Oct/2009:10:43:11 +0100] conn=374073 op=0 msgId=1 - RESULT err=32
> tag=97 nentries=0 etime=0
>

> Giuseppe Sollazzo wrote:
> >
> >
> > The result when I try to authenticate with username "user" is always
>
> > as follows:
> >
> > [15/Oct/2009:10:43:11 +0100] conn=374073 op=0 msgId=1 - BIND
> > dn="username=user,ou=people,o=sghms.ac.uk,o=sghms.ac.uk" method=128
>
> > version=3
> > [15/Oct/2009:10:43:11 +0100] conn=374073 op=0 msgId=1 - RESULT
> err=32
> > tag=97 nentries=0 etime=0
> >
>
> Erm..of course I left the original output of our domain, where it
> should
> have been dn="username=user,ou=X,o=Y,o=Z"

> The ldapsearch tool (provided by ldap-utils package on Debian) is
> invaluable for diagnosing LDAP bind problems.  Execute the following
> command which attempts to bind as the user above:
>
> ldapsearch -H ldap://your.ldap.host -x -Z -b ou=X,o=Y,o=Z -D
> uid=username,ou=X,o=Y,o=Z -W uid=user
>
> Omit the -Z argument if you use an ldaps URL (SSL) to talk to your
> LDAP host.
> Hi Marvin,
> your help is being amazingly invaluable!
>
> First of all, I discovered I was being silly, using a wrong user. Only
> the Directory Manager is allowed to search ldap in my current
> configuration, so I managed to get info for "username" running this
> command:
>
> ldapsearch -H ldap://my.ldap.server -x -Z -b ou=X,o=Y,o=Z -D
> "cn=Directory Manager" -W uid=user
> So I adapted the deployerConfigContext.xml accordingly:
>
> <bean id="contextSource"
> class="org.springframework.ldap.core.support.LdapContextSource">
> <property name="pooled" value="true"/>
> <property name="urls">
> <list>
> <value>ldap://my.ldap.server</value>
> </list>
> </property>
> <property name="userDn" value="cn=Directory Manager"/>
> <property name="password" value="HISPASSWORD"/>
> <property name="baseEnvironmentProperties">
> <map>
> <entry key="java.naming.security.authentication" value="simple" />
> </map>
> </property>
> </bean> and
>
> <bean id="authenticationManager"
> class="org.jasig.cas.authentication.AuthenticationManagerImpl">
> [...]
> <property name="authenticationHandlers">
> <list>
> <bean
> class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
> p:httpClient-ref="httpClient" />
> <bean
> class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler"
> >
> <property name="filter" value="uid=%u,ou=X,o=Y,o=Z" /> // [I also
> tried with username=%u, as it's called in our ldap]
> <property name="contextSource" ref="contextSource" />
> </bean>
>
> </list>
> </property>
> [...]
> </bind>
>
> The result when I try to authenticate with username "user" is always
> as follows:
>
> [15/Oct/2009:10:43:11 +0100] conn=374073 op=0 msgId=1 - BIND
> dn="username=user,ou=people,o=sghms.ac.uk,o=sghms.ac.uk" method=128
> version=3
> [15/Oct/2009:10:43:11 +0100] conn=374073 op=0 msgId=1 - RESULT err=32
> tag=97 nentries=0 etime=0
>
> (or uid=... in place of username)
>
> I'm wondering if I'm getting something wrong elsewhere in the
> deployerConfigContext.xml?
>
> Thanks again for your help,
> Giuseppe
>
> --
> Giuseppe Sollazzo
> Systems Developer / Administrator
>
> Computing Services
> St. George's, University of London --
> You are currently subscribed to [hidden email] as:
> [hidden email]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user

> Hi Ryan,
> yes the way I get it to work is by giving the fully qualified id
>
> ldapsearch -H ldap://my.ldap.server -x -Z -b o=Y -D
> "uid=user,ou=a,ou=b,ou=c,ou=X,o=Y,o=Z" -W uid=user
>
> Here was my misunderstanding: there is a need for fully qualified
> identifier for the user who binds, not for the one we're searching
> (yep - I know it wouldn't make sense otherwise but it was not
> extremely clear to me).
>
> So, what happens now is that by adjusting the xml to look like
>
> <bean id="contextSource"
>     class="org.springframework.ldap.core.support.LdapContextSource">
>     <property name="pooled" value="true"/>
>     <property name="urls">
>         <list>
>             <value>ldap://my.ldap.server</value>
>         </list>
>     </property>
>     <property name="userDn" value="uid=user,ou=a,ou=b,ou=c,ou=X,o=Y,o=Z"/>
>     <property name="password" value="pass"/>
>     <property name="baseEnvironmentProperties">
>         <map>
>             <entry key="java.naming.security.authentication"
> value="simple" />
>         </map>
>     </property>
> </bean>
>
> and
>
> <property name="authenticationHandlers">
>     <list>
>         <bean
> class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
> p:httpClient-ref="httpClient" />
>         <bean
> class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler" >
>             <property name="filter" value="uid=%u,o=Y" />
>             <property name="contextSource" ref="contextSource" />
>         </bean>
>     </list>
> </property>
>
> is that I still get kicked out when I try to authenticate with CAS on
> moodle. Just to summarize:
> - I activated CAS in the Authentication settings
> - I moved CAS on top of LDAP and Moodle Network Authentication
> - Logged out
> - clicked on Login, entered a username (in this case "user" itself, as
> given the execution of ldapsearch it should work).
>
> Any idea?
>
> Thanks,
> Giuseppe
>
> Ryan Fox wrote:
>> Sorry... now that I've read more of the thread, I can offer more help.  Funny how that works.
>>
>> The err=32 means that the dn you are binding with doesn't exist.  If you look, that is the uid=user,ou=X,o=Y,o=Z.
>>
>>  
>>> First of all, I discovered I was being silly, using a wrong user. Only
>>> the Directory Manager is allowed to search ldap in my current
>>> configuration, so I managed to get info for "username" running this
>>> command:
>>>    
>>
>> You need
>> ldapsearch -H ldap://my.ldap.server -x -Z -b ou=X,o=Y,o=Z -D "uid=user,ou=X,o=Y,o=Z" -W uid=user
>> to succeed.  I can't tell from your e-mail if it will or not, as I don't know what ACL's you have on your ldap.  The FastBindLdapAuthenticationHandler binds to your ldap as the user, and uses the result (success/error) to judge the validity of the credentials. The ldapsearch above is a good analogue for that.  Once that works, CAS auth should work (or at least progress farther).  :)
>>
>> Ryan
>>
>>
>> ----- "Giuseppe Sollazzo" <[hidden email]> wrote:
>>
>>  
>>> The ldapsearch tool (provided by ldap-utils package on Debian) is
>>> invaluable for diagnosing LDAP bind problems.  Execute the following
>>> command which attempts to bind as the user above:
>>>
>>> ldapsearch -H ldap://your.ldap.host -x -Z -b ou=X,o=Y,o=Z -D
>>> uid=username,ou=X,o=Y,o=Z -W uid=user
>>>
>>> Omit the -Z argument if you use an ldaps URL (SSL) to talk to your
>>> LDAP host.
>>> Hi Marvin,
>>> your help is being amazingly invaluable!
>>>
>>> First of all, I discovered I was being silly, using a wrong user. Only
>>> the Directory Manager is allowed to search ldap in my current
>>> configuration, so I managed to get info for "username" running this
>>> command:
>>>
>>> ldapsearch -H ldap://my.ldap.server -x -Z -b ou=X,o=Y,o=Z -D
>>> "cn=Directory Manager" -W uid=user
>>> So I adapted the deployerConfigContext.xml accordingly:
>>>
>>> <bean id="contextSource"
>>> class="org.springframework.ldap.core.support.LdapContextSource">
>>> <property name="pooled" value="true"/>
>>> <property name="urls">
>>> <list>
>>> <value>ldap://my.ldap.server</value>
>>> </list>
>>> </property>
>>> <property name="userDn" value="cn=Directory Manager"/>
>>> <property name="password" value="HISPASSWORD"/>
>>> <property name="baseEnvironmentProperties">
>>> <map>
>>> <entry key="java.naming.security.authentication" value="simple" />
>>> </map>
>>> </property>
>>> </bean> and
>>>
>>> <bean id="authenticationManager"
>>> class="org.jasig.cas.authentication.AuthenticationManagerImpl">
>>> [...]
>>> <property name="authenticationHandlers">
>>> <list>
>>> <bean
>>> class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
>>> p:httpClient-ref="httpClient" />
>>> <bean
>>> class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler"
>>>    
>>> <property name="filter" value="uid=%u,ou=X,o=Y,o=Z" /> // [I also
>>> tried with username=%u, as it's called in our ldap]
>>> <property name="contextSource" ref="contextSource" />
>>> </bean>
>>>
>>> </list>
>>> </property>
>>> [...]
>>> </bind>
>>>
>>> The result when I try to authenticate with username "user" is always
>>> as follows:
>>>
>>> [15/Oct/2009:10:43:11 +0100] conn=374073 op=0 msgId=1 - BIND
>>> dn="username=user,ou=people,o=sghms.ac.uk,o=sghms.ac.uk" method=128
>>> version=3
>>> [15/Oct/2009:10:43:11 +0100] conn=374073 op=0 msgId=1 - RESULT err=32
>>> tag=97 nentries=0 etime=0
>>>
>>> (or uid=... in place of username)
>>>
>>> I'm wondering if I'm getting something wrong elsewhere in the
>>> deployerConfigContext.xml?
>>>
>>> Thanks again for your help,
>>> Giuseppe
>>>
>>> --
>>> Giuseppe Sollazzo
>>> Systems Developer / Administrator
>>>
>>> Computing Services
>>> St. George's, University of London --
>>> You are currently subscribed to [hidden email] as:
>>> [hidden email]
>>> To unsubscribe, change settings or access archives, see
>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>>    
>>
>>  
>
>
> --
> Giuseppe Sollazzo
> Systems Developer / Administrator
>
> Computing Services
> St. George's, University of London
>  
> --
> You are currently subscribed to [hidden email] as: [hidden email]
> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user

>> Here was my misunderstanding: there is a need for fully qualified identifier
>> for the user who binds, not for the one we're searching
>>    
>
> This is only true if you are using the BindLdapAuthenticationHandler,
> but I see you're using FastBind.  I see from the XML snippets you
> shared that you are defining manager bind credentials in the context,
> then using the FastBind handler which does not need them.  Let me
> outline the use cases for Bind and FastBind:
>
> Use BindLdapAuthenticationHandler when you _cannot_ construct the full
> DN of a user from the username given in the CAS login screen.  That
> is, you must perform a search based on some other attribute, e.g.
> mail, in order to determine the DN.  This handler performs
> authentication for each user in three steps: admin bind, search, user
> bind.
>
> FastBindLdapAuthenticationHandler is more efficient and preferable
> when you can construct the DN from the username in the login form,
> e.g. uid=%s,ou=People,dc=vt,dc=edu.  The
> FastBindLdapAuthenticationHandler will immediately construct the user
> DN and use it with the password provided on the login form to perform
> an LDAP bind operation.
>
> Hopefully this will clear up what you need to do for your environment.
>
> M
>
>  

> Are you trying to run the CAS on Windows Quick Setup Guide?
> http://www.ja-sig.org/wiki/display/CASUM/CAS+on+Windows+Quick+Setup+Guide
>
> This guide was a real serious pain, most notably because of the class  
> "AuthenticatedLdapContextSource" doesn't even exist and that a class  
> in the Spring package replaces the deprecated fore-mentioned class.  
> There were other less significant problems as well, but enough to  
> cause substantial discouragement alike.
>
> I have detailed instructions I've drafted since I finally got the  
> stuff in the CAS setup guide running and I'm glad to share them with  
> you.  I believe them to be accurate, but you could test it out and let  
> me know how they did for you.  The document is attached.
>
> Cheers!
>
>
>
> Quoting Giuseppe Sollazzo <[hidden email]>:
>
>  
>> Dear all,
>> I've just started setting up CAS for our Moodle installation and  
>> can't get it to work properly with ldap. I was wondering if anyone  
>> had any similar experiences and could give me a hand.
>>
>> I can connect easily from moodle to ldap without CAS, so what I did  
>> is the following:
>> 1. I replicated the native moodle LDAP onfiguration into the CAS  
>> section of the Authentication settings page and made the same data  
>> mapping.
>> 2. I changed priority to have CAS to be above LDAP and moodle net auth.
>> 3. I set up the deployerConfigContext.xml as explained on  
>> http://www.ja-sig.org/wiki/display/CASUM/LDAP:
>>    - inserted a <bean> for the LdapContextSource using a valid LDAP  
>> user with admin capabilities
>>    - added a bean for the BindLdapAuthenticationHandler in the  
>> authentication manager section, with <property name="searchBase"  
>> value="{same ou=... that I use for my native ldap auth into moodle}"  
>> />
>> 4. Start tomcat, the deployment goes smoothly (I have DEBUG level  
>> for log4j and can see there's absolutely no problem in this phase).
>>
>> When I try to authenticate, I cannot get in, and the error seems  
>> connected to the ldap user I specified:
>> Error in object 'credentials': codes  
>> [error.authentication.credentials.bad.credentials,error.authentication.credentials.bad]; arguments []; default message [error.authentication.credentials.bad], 'org.springframework.validation.BindException.credentials' -> org.springframework.validation.BindException: org.springframework.validation.BeanPropertyBindingResult: 1  
>> errors
>> Error in object 'credentials': codes  
>> [error.authentication.credentials.bad.credentials,error.authentication.credentials.bad]; arguments []; default message [error.authentication.credentials.bad]], status =  
>> Paused]]]]>
>>
>> I tried different users, and no user at all, and I always get the same error.
>>
>> Does anyone have any idea or experience on this? I know it's  
>> possibly something very simple and I do apologize for increasing the  
>> number of messages in the mailing list :)
>>
>>
>> Of course, if anyone could show me a working  
>> deployerConfigContext.xml that would also be helpful.
>>
>> Thanks,
>> G
>>
>>
>> --
>> Giuseppe Sollazzo
>> Systems Developer / Administrator
>>
>> Computing Services
>> St. George's, University of London
>>
>>
>> --
>> You are currently subscribed to [hidden email] as:  
>> [hidden email]
>> To unsubscribe, change settings or access archives, see  
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
>>
>>    
>
>
>
>  

>> http://www.ja-sig.org/wiki/display/CASUM/CAS+on+Windows+Quick+Setup+Guide
>> ... was a real serious pain, most notably because of the class
>> "AuthenticatedLdapContextSource" doesn't even exist and that a class
>> in the Spring package replaces the deprecated fore-mentioned class.
>
> I will put on my TODO list to fix that content problem.
>
>> I have detailed instructions I've drafted since I finally got the
>> stuff in the CAS setup guide running and I'm glad to share them with
>> you.  I believe them to be accurate
>
> There is a significant problem in your guide that we discussed
> recently on the list, namely the used of pooled="true" for a context
> source used for authentication.  I will say again, pooling of any kind
> for authenticated connections is a serious security liability.  Search
> the list archives if you need further information; we discussed this
> thoroughly in the past week.
>
> I respectfully request that you register for the CASUM Wiki and
> contribute to our body of documentation that way.  If you discover a
> glaring content error, by all means correct it if you have time.
>
> Thanks,
> M
>
> --
> You are currently subscribed to [hidden email] as:  
> [hidden email]
> To unsubscribe, change settings or access archives, see  
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>
>

>> diagram that illustrates the most
>> current version of CAS and describes, in detail, the intricacies of
>> the relationships between components in a typical SSO solution
>
> The best place for a CAS SSO workflow diagram is in the protocol
> documents.  I don't believe they contain a diagram currently, but I
> agree that a good diagram could be helpful to augment the verbal
> description of protocol interactions.
>
> If you would like to discuss SSO workflows in general, which is what I
> understand from the phrase "typical SSO solution," then that would be
> out of scope of the protocol documents.  I would argue that a general
> discussion of SSO belongs on a general reference like Wikipedia, and
> that CAS deployers need to come to the CAS wiki with this background
> before diving into the details of CAS deployment.  I believe a
> thoughtful bibliography of links to general SSO resources would better
> serve our audience on the CASUM wiki.
>
> M
>
> --
> You are currently subscribed to [hidden email] as:  
> [hidden email]
> To unsubscribe, change settings or access archives, see  
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>