CAS LDAP authentication failures against DNs that contain "/" characters
Scott Battaglia
scott.battaglia at gmail.com
Fri Aug 8 00:02:18 EDT 2008
So I may have a fix for this. I got one of our local LDAP admins to add a
"uid=foo/bar" to the dev server so I can see it fail and debug to make it
succeed. So I found a way that returns the proper value (the method we use
now literally returns "uid=foo/bar" with the quotation marks!). I'll do a
little more testing on Monday and then this could make it into 3.3.
-Scott
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
On Thu, May 15, 2008 at 9:54 PM, Michael J. Barton <mbarton at princeton.edu> wrote:
> Scott,
>
>
>
> I was told to take the quick-fix route and temporarily rename our DNs that
> contain the "/" character. Sorry, I haven't had time to do any digging. I
> still have my test DNs and accounts set up as well as a test instance of
> CAS. If I can help out, let me know.
>
>
>
> Oh…and you've been back a few hours… you can give yourself some time to
> ease back into things :-)
>
> -Mike
>
>
>
>
>
> *From:* cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] *On Behalf Of* Scott Battaglia
> *Sent:* Thursday, May 15, 2008 9:09 PM
> *To:* Yale CAS mailing list
> *Subject:* Re: CAS LDAP authentication failures against DNs that contain "/" characters
>
>
>
> Just got back a few hours ago...any luck? ;-)
>
> On Fri, May 9, 2008 at 8:33 PM, Michael J. Barton <mbarton at princeton.edu>
> wrote:
>
> Scott,
>
> Thanks for the update. I'll see what I can do in your absence and will let
> you know how things go.
>
> -Mike
>
>
>
>
>
> *From:* cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] *On Behalf Of* Scott Battaglia
> *Sent:* Friday, May 09, 2008 5:35 PM
> *To:* Yale CAS mailing list
> *Subject:* Re: CAS LDAP authentication failures against DNs that contain "/" characters
>
>
>
> Mike,
>
> I'm going to be away for 5 days so I can't look at this until I come back.
> If you get a minute you could try to modify the authentication handler to do
> a replace for the / to the escaped version and recompile and deploy and see
> if that works. If it works, we'd make that change to the default handlers.
> There may also be a way in Spring LDAP to have it automatically do it, but I
> won't be able to look at that until I come back.
>
> -Scott
>
> On Fri, May 9, 2008 at 3:52 PM, Michael J. Barton <mbarton at princeton.edu>
> wrote:
>
> I stood up a CAS 3.2.1 Server and configured it similar to our production
> 3.0.7 instance. The behavior is the same in both instances.
>
> Any account that has a "/" character in a portion of their DN (i.e.
> "cn=mbarton,ou=Math/Physics Department,dc=Princeton,dc=edu") fails to
> authenticate.
>
> It would appear that the Spring LDAP is not doing the escaping you
> suggested. Any thoughts on how I should proceed?
>
>
>
>
>
> -Mike
>
>
>
> *From:* cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] *On Behalf Of* Scott Battaglia
> *Sent:* Thursday, May 08, 2008 12:16 PM
> *To:* Yale CAS mailing list
> *Subject:* Re: CAS LDAP authentication failures against DNs that contain "/" characters
>
>
>
> I did some quick digging. It looks like "/" is a reserved character in
> JNDI, but not LDAP so it needs to be escaped. I'm not sure if newer
> versions of Spring LDAP properly escape. Would you be able to set up a test
> CAS server locally copying your LDAP configuration to it and try it out?
>
> -Scott
>
> On Thu, May 8, 2008 at 10:20 AM, Michael J. Barton <mbarton at princeton.edu>
> wrote:
>
> After I sent my response, it occurred to me that is what you meant. Need
> more caffeine. :-)
>
>
>
> *From:* cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] *On Behalf Of* Scott Battaglia
> *Sent:* Thursday, May 08, 2008 10:11 AM
> *To:* Yale CAS mailing list
> *Subject:* Re: CAS LDAP authentication failures against DNs that contain "/" characters
>
>
>
> Sorry, I meant it's a banned character at Rutgers in our NetIds, so I can't
> create a test account with it ;-)
>
> -Scott
>
> On Thu, May 8, 2008 at 10:02 AM, Michael J. Barton <mbarton at princeton.edu>
> wrote:
>
> Scott,
>
>
>
> Thanks for getting back to me. We have code/apps in other languages (Perl,
> .NET, etc.) that do not have issues with our DNs and, per our directory
> services manager, the "/" is not a banned character per RFC 2253 (and
> others). I've also used tools like Apache Directory Studio and it respects
> these DNs. Temporarily I can rename the OUs, changing the "/" to a "-", but
> our nightly directory synchronization processes rename the OUs back, so the
> renaming is not a sustainable solution. I responded to your off-list
> email giving you some other information you were asking for. Thanks again.
>
>
>
>
>
> *From:* cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] *On Behalf Of* Scott Battaglia
> *Sent:* Wednesday, May 07, 2008 3:27 PM
> *To:* Yale CAS mailing list
> *Cc:* Steven E. Niedzwiecki
> *Subject:* Re: CAS LDAP authentication failures against DNs that contain "/" characters
>
>
>
> Michael,
>
> I don't believe we have any accounts here at RU that have "/" in them (and
> I think it's a banned character), so I can't try it out here. Do you guys
> have any LDAP code (non-Spring) you can try it against to take the Spring
> code out of the picture?
>
> -Scott
>
> On Wed, May 7, 2008 at 2:53 PM, Michael J. Barton <mbarton at princeton.edu>
> wrote:
>
> We have been using CAS (3.0.7) since September. We have plans to upgrade to
> 3.2.1 later this summer.
> Our implementation is using the LDAP authentication handler against our
> Active Directory and has been working great until this problem cropped up
> yesterday.
>
> We have a handful of users that consistently fail to authenticate. When
> they do, we see an error in CAS.LOG like:
>
> 2008-05-07 09:15:37,285 INFO
> [org.jasig.cas.authentication.AuthenticationManagerImpl] -
> AuthenticationHandler:
> org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler failed to
> authenticate the user which provided the following credentials: mbarton
>
>
> A sample of the DN that fails is:
>
> CN=mbarton,OU=Special Facilities - Jadwin/Fine,OU=People,DC=pu,DC=win,DC=princeton,DC=edu
>
>
> Testing a hunch we renamed the OU the account resides in, removing the "/"
> character in the
>
> OU=Special Facilities - Jadwin/Fine
>
> portion of the DN. When we do this the user CAN authenticate. We tested
> user accounts in 3 other OUs, each of which have one or more "/" characters
> in the name and in each case the user fails to authenticate.
>
>
> Has anyone else seen and/or resolved this error?
> Has the problem been corrected in CAS 3.2.1?
>
>
> This appears to be a DN parsing error, but I don't know if it is in the
> base CAS code or somewhere in the Spring framework (we are using version
> 1.12 with CAS 3.0.7). When I set logging to DEBUG, I see
> "org.springframework.validation.BindException" errors in the CAS.log.
>
>
> Thanks in advance for any help/insight.
>
>
> deployerConfigContext.xml
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
>   "http://www.springframework.org/dtd/spring-beans.dtd">
> <beans>
>   <bean id="authenticationManager"
>         class="org.jasig.cas.authentication.AuthenticationManagerImpl">
>     <property name="credentialsToPrincipalResolvers">
>       <list>
>         <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>         <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
>       </list>
>     </property>
>     <property name="authenticationHandlers">
>       <list>
>         <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
>           <property name="httpClient" ref="httpClient" />
>         </bean>
>         <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
>           <property name="filter" value="sAMAccountName=%u" />
>           <property name="searchBase" value="ou=People,dc=pu,dc=win,dc=princeton,dc=edu" />
>           <property name="contextSource" ref="contextSource" />
>         </bean>
>       </list>
>     </property>
>   </bean>
>   <bean id="contextSource"
>         class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
>     <!-- password value redacted by the poster; the element must be self-closed -->
>     <property name="password" value="XXXXXXXXXX" />
>     <property name="pooled" value="true" />
>     <property name="urls">
>       <list>
>         <value>ldaps://pu.win.princeton.edu/</value>
>       </list>
>     </property>
>     <property name="userName"
>               value="cn=XXXXXXX,ou=XXXXXXXX,ou=XXXXXX,dc=pu,dc=win,dc=princeton,dc=edu" />
>     <property name="baseEnvironmentProperties">
>       <map>
>         <entry>
>           <key><value>java.naming.security.protocol</value></key>
>           <value>ssl</value>
>         </entry>
>         <entry>
>           <key><value>java.naming.security.authentication</value></key>
>           <value>simple</value>
>         </entry>
>       </map>
>     </property>
>   </bean>
> </beans>
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>
>
>
> --
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
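The thread's diagnosis (a "/" is a JNDI metacharacter, not an LDAP one) and Scott's observation that the lookup returned `"uid=foo/bar"` with quotation marks can both be reproduced with plain JNDI classes. The following is an added example, not code from CAS or Spring LDAP; the DN it uses is constructed for illustration (modelled on the one in the thread, with a made-up domain), and `DnSlashDemo` and its method names are this example's own. It shows the split, the quoted round-trip string, and two ways to pass such a DN to JNDI intact: as an `LdapName` object, or as a string with the composite-name metacharacters escaped.

```java
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.Name;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Added example (not CAS or Spring LDAP code): what JNDI does with a DN that
 * contains "/", and two ways to hand such a DN to JNDI without it being split.
 */
public class DnSlashDemo {

    /** Constructed sample DN modelled on the thread; not a real directory entry. */
    static final String DN =
        "CN=mbarton,OU=Special Facilities - Jadwin/Fine,OU=People,DC=example,DC=edu";

    /** The problem: JNDI composite-name syntax uses "/" as the component separator,
        so a DN string passed where a composite name is expected is cut in two. */
    static int compositeComponents(String dn) throws InvalidNameException {
        return new CompositeName(dn).size();       // 2 for DN above, not 1
    }

    /** The symptom from the thread: when a DN with "/" is stored as ONE composite
        component and turned back into a string, JNDI wraps it in double quotes so
        the "/" survives re-parsing. That quoted string is a composite-name string,
        not a DN, and fails if used verbatim as an LDAP bind principal. */
    static String compositeRoundTrip(String dn) throws InvalidNameException {
        Name n = new CompositeName();
        n.add(dn);
        return n.toString();                        // "\"CN=mbarton,OU=...Jadwin/Fine,...\""
    }

    /** Fix 1 (preferred): parse the DN with LdapName (RFC 2253 rules, where "/" is
        an ordinary character) and pass the Name object, not a String, to
        DirContext methods. A non-composite Name is not re-parsed for "/". */
    static LdapName asLdapName(String dn) throws InvalidNameException {
        return new LdapName(dn);                    // 5 RDNs for DN above
    }

    /** Fix 2: when a String must be handed to a JNDI method that parses
        composite-name syntax, escape the composite metacharacters "\" and "/" so
        the whole DN stays a single component. */
    static String escapeForCompositeName(String dn) {
        return dn.replace("\\", "\\\\").replace("/", "\\/");
    }

    /** Self-check for fix 2: the escaped form parses back to exactly one component
        whose value equals the original DN. */
    static boolean escapingPreservesDn(String dn) throws InvalidNameException {
        CompositeName c = new CompositeName(escapeForCompositeName(dn));
        return c.size() == 1 && c.get(0).equals(dn);
    }

    /** Defender's check: flag a DN that would be silently split before it reaches
        a composite-name context, so the handler can log it and fail closed rather
        than attempt a bind with a truncated name. */
    static boolean wouldBeSplit(String dn) throws InvalidNameException {
        return new CompositeName(dn).size() != 1;
    }

    public static void main(String[] args) throws InvalidNameException {
        System.out.println("composite components : " + compositeComponents(DN));
        System.out.println("composite round-trip : " + compositeRoundTrip(DN));
        System.out.println("RDNs via LdapName    : " + asLdapName(DN).size());
        System.out.println("escaped for JNDI     : " + escapeForCompositeName(DN));
        System.out.println("escape round-trips   : " + escapingPreservesDn(DN));
        System.out.println("would be split       : " + wouldBeSplit(DN));
        // RFC 2253 escaping (Rdn.escapeValue) leaves "/" alone: it is a JNDI
        // metacharacter, not an LDAP one, which is why DN-level escaping cannot help.
        System.out.println("Rdn.escapeValue      : " + Rdn.escapeValue("Jadwin/Fine"));
    }
}
```

Of the two fixes, passing an `LdapName` is the safer default for an authentication handler: it keeps the DN as the directory's own type and avoids a second, hand-written escaping layer that must be kept in sync with JNDI's composite-name grammar. The string-escaping path is only needed where an API accepts nothing but a `String`, and the `escapingPreservesDn` check is the regression test to keep next to it.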