CAS LDAP authentication failures against DNs that contain "/" characters
Michael J. Barton
mbarton at Princeton.EDU
Wed May 7 14:53:40 EDT 2008
We have been using CAS (3.0.7) since September. We have plans to upgrade to
3.2.1 later this summer.
Our implementation is using the LDAP authentication handler against our
Active Directory and has been working great until this problem cropped up
yesterday.
We have a handful of users that consistently fail to authenticate. When they
do, we see an error in CAS.LOG like:
2008-05-07 09:15:37,285 INFO
[org.jasig.cas.authentication.AuthenticationManagerImpl] -
AuthenticationHandler:
org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler failed to
authenticate the user which provided the following credentials: mbarton
A sample of the DN that fails is:
CN=mbarton,OU=Special Facilities - Jadwin/Fine,OU=People,DC=pu,DC=win,DC=princeton,DC=edu
Testing a hunch, we renamed the OU the account resides in, removing the "/"
character in the
OU=Special Facilities - Jadwin/Fine
portion of the DN. When we do this the user CAN authenticate. We tested
user accounts in 3 other OUs, each of which has one or more "/" characters
in its name, and in each case the user fails to authenticate.
Has anyone else seen and/or resolved this error?
Has the problem been corrected in CAS 3.2.1?
This appears to be a DN parsing error, but I don't know if it is in the base
CAS code or somewhere in the Spring framework (we are using version 1.12
with CAS 3.0.7). When I set logging to DEBUG, I see
"org.springframework.validation.BindException" errors in the CAS.log.
Thanks in advance for any help/insight.
deployerConfigContext.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
    "http://www.springframework.org/dtd/spring-beans.dtd">
<beans>
    <bean id="authenticationManager"
          class="org.jasig.cas.authentication.AuthenticationManagerImpl">
        <property name="credentialsToPrincipalResolvers">
            <list>
                <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
                <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
            </list>
        </property>
        <property name="authenticationHandlers">
            <list>
                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
                    <property name="httpClient" ref="httpClient" />
                </bean>
                <!-- Bind handler: search for the user with the filter below, then bind as the DN found -->
                <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
                    <property name="filter" value="sAMAccountName=%u" />
                    <property name="searchBase"
                              value="ou=People,dc=pu,dc=win,dc=princeton,dc=edu" />
                    <property name="contextSource" ref="contextSource" />
                </bean>
            </list>
        </property>
    </bean>

    <!-- Service account used for the initial user search (credentials redacted) -->
    <bean id="contextSource"
          class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
        <property name="password" value="XXXXXXXXXX" />
        <property name="pooled" value="true" />
        <property name="urls">
            <list>
                <value>ldaps://pu.win.princeton.edu/</value>
            </list>
        </property>
        <property name="userName"
                  value="cn=XXXXXXX,ou=XXXXXXXX,ou=XXXXXX,dc=pu,dc=win,dc=princeton,dc=edu" />
        <property name="baseEnvironmentProperties">
            <map>
                <entry>
                    <key><value>java.naming.security.protocol</value></key>
                    <value>ssl</value>
                </entry>
                <entry>
                    <key><value>java.naming.security.authentication</value></key>
                    <value>simple</value>
                </entry>
            </map>
        </property>
    </bean>
</beans>
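The "/" symptom described in the post is characteristic of how JNDI, which the CAS LDAP adaptor is layered on, treats name strings: any String passed to a JNDI Context method is parsed as a javax.naming.CompositeName, whose component separator is "/", so an LDAP DN containing an unquoted "/" is split into two components at that point. The following stand-alone program is an added illustration, not code from CAS, Spring or the original post. It uses only the standard javax.naming classes and the DN quoted in the post, and shows the composite-name split next to a proper RFC 2253 parse with javax.naming.ldap.LdapName, plus the double-quoted form JNDI's composite syntax needs in order to carry the same DN as a single component.

```java
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Demonstrates why a DN containing "/" misbehaves when handed to JNDI as a
 * plain String, and how an LDAP-aware parser sees the same DN.
 */
public class SlashDnDemo {

    // DN taken verbatim from the post above.
    static final String DN =
        "CN=mbarton,OU=Special Facilities - Jadwin/Fine,OU=People,DC=pu,DC=win,DC=princeton,DC=edu";

    /** JNDI's view of a String name: a composite name split on "/". */
    static int compositeComponents(String name) throws InvalidNameException {
        return new CompositeName(name).size();
    }

    /** LDAP's view of the same string: RDNs split on ",", where "/" is ordinary data. */
    static int rdnCount(String dn) throws InvalidNameException {
        return new LdapName(dn).size();
    }

    /**
     * Wrap a DN so the composite-name parser treats it as ONE component.
     * CompositeName's own serializer double-quotes a component containing "/",
     * which is the same syntax JNDI uses when it hands back SearchResult names.
     */
    static String asSingleComponent(String dn) throws InvalidNameException {
        return new CompositeName().add(dn).toString();
    }

    public static void main(String[] args) throws InvalidNameException {
        CompositeName cn = new CompositeName(DN);
        System.out.println("CompositeName components: " + cn.size());
        for (int i = 0; i < cn.size(); i++) {
            System.out.println("  [" + i + "] " + cn.get(i));
        }

        LdapName ln = new LdapName(DN);
        System.out.println("LdapName RDNs: " + ln.size());
        for (Rdn rdn : ln.getRdns()) {
            System.out.println("  " + rdn.getType() + " = " + rdn.getValue());
        }

        String quoted = asSingleComponent(DN);
        System.out.println("Quoted for JNDI: " + quoted);
        CompositeName roundTrip = new CompositeName(quoted);
        System.out.println("Round-trip components: " + roundTrip.size());
        System.out.println("Round-trip value equals DN: " + roundTrip.get(0).equals(DN));
    }
}
```

Running it prints two composite components ("CN=mbarton,OU=Special Facilities - Jadwin" and "Fine,OU=People,...") against seven RDNs from LdapName, and the quoted form round-trips as a single component. The practical consequence for a bind handler is that a DN assembled by string concatenation from what JNDI returns, or passed back to JNDI unquoted, is not the DN the directory holds; parsing names with LdapName (or using SearchResult.getNameInNamespace(), which returns the full DN) avoids the ambiguity. Whether that is the exact code path behind the CAS 3.0.7 failure is for the CAS maintainers to confirm.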