CAS LDAP authentication failures against DNs that contain "/" characters
Scott Battaglia
scott.battaglia at gmail.com
Thu May 8 10:10:40 EDT 2008
Sorry, I meant it's a banned character at Rutgers in our NetIds so I can't
create a test account with it ;-)
-Scott
On Thu, May 8, 2008 at 10:02 AM, Michael J. Barton <mbarton at princeton.edu>
wrote:
> Scott,
>
> Thanks for getting back to me. We have code/apps in other languages
> (Perl, .NET, etc.) that do not have issues with our DNs, and per our
> directory services manager, the "/" is not a banned character per RFC 2253
> (and others). I've also used tools like Apache Directory Studio and it
> respects these DNs. Temporarily I can rename the OUs, changing the "/" to a
> "-", but our nightly directory synchronization processes rename the OUs
> back, so the renaming is not a sustainable solution. I responded to your
> off-list email giving you some other information you were asking for.
> Thanks again.
>
> *From:* cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] *On
> Behalf Of *Scott Battaglia
> *Sent:* Wednesday, May 07, 2008 3:27 PM
> *To:* Yale CAS mailing list
> *Cc:* Steven E. Niedzwiecki
> *Subject:* Re: CAS LDAP authentication failures against DNs that contain
> "/" characters
>
> Michael,
>
> I don't believe we have any accounts here at RU that have "/" in them (and
> I think it's a banned character) so I can't try it out here. Do you guys
> have any LDAP code (non-Spring) you can try it against to take the Spring
> code out of the picture?
>
> -Scott
>
> On Wed, May 7, 2008 at 2:53 PM, Michael J. Barton <mbarton at princeton.edu>
> wrote:
>
> We have been using CAS (3.0.7) since September. We have plans to upgrade
> to 3.2.1 later this summer.
> Our implementation is using the LDAP authentication handler against our
> Active Directory and has been working great until this problem cropped up
> yesterday.
>
> We have a handful of users that consistently fail to authenticate. When
> they do, we see an error in CAS.LOG like:
>
> 2008-05-07 09:15:37,285 INFO
> [org.jasig.cas.authentication.AuthenticationManagerImpl] -
> AuthenticationHandler:
> org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler failed to
> authenticate the user which provided the following credentials: mbarton
>
>
> A sample of the DN that fails is:
>
> CN=mbarton,OU=Special Facilities - Jadwin/Fine,OU=People,DC=pu,DC=win,DC=princeton,DC=edu
>
>
> Testing a hunch we renamed the OU the account resides in, removing the "/"
> character in the
>
> OU=Special Facilities - Jadwin/Fine
>
> portion of the DN. When we do this the user CAN authenticate. We tested
> user accounts in 3 other OUs, each of which has one or more "/"
> characters in the name, and in each case the user fails to authenticate.
>
>
> Has anyone else seen and/or resolved this error?
> Has the problem been corrected in CAS 3.2.1?
>
>
> This appears to be a DN parsing error, but I don't know if it is in the
> base CAS code or somewhere in the Spring framework (we are using version 1.12
> with CAS 3.0.7). When I set logging to DEBUG, I see
> "org.springframework.validation.BindException" errors in the CAS.log.
>
>
> Thanks in advance for any help/insight.
>
>
> deployerConfigContext.xml
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
>     "http://www.springframework.org/dtd/spring-beans.dtd">
> <beans>
>   <bean id="authenticationManager"
>         class="org.jasig.cas.authentication.AuthenticationManagerImpl">
>     <property name="credentialsToPrincipalResolvers">
>       <list>
>         <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>         <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
>       </list>
>     </property>
>     <property name="authenticationHandlers">
>       <list>
>         <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
>           <property name="httpClient" ref="httpClient" />
>         </bean>
>         <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
>           <property name="filter" value="sAMAccountName=%u" />
>           <property name="searchBase" value="ou=People,dc=pu,dc=win,dc=princeton,dc=edu" />
>           <property name="contextSource" ref="contextSource" />
>         </bean>
>       </list>
>     </property>
>   </bean>
>   <bean id="contextSource"
>         class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
>     <property name="password" value="XXXXXXXXXX" />
>     <property name="pooled" value="true" />
>     <property name="urls">
>       <list>
>         <value>ldaps://pu.win.princeton.edu/</value>
>       </list>
>     </property>
>     <property name="userName"
>               value="cn=XXXXXXX,ou=XXXXXXXX,ou=XXXXXX,dc=pu,dc=win,dc=princeton,dc=edu" />
>     <property name="baseEnvironmentProperties">
>       <map>
>         <entry>
>           <key><value>java.naming.security.protocol</value></key>
>           <value>ssl</value>
>         </entry>
>         <entry>
>           <key><value>java.naming.security.authentication</value></key>
>           <value>simple</value>
>         </entry>
>       </map>
>     </property>
>   </bean>
> </beans>
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
> --
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
>
--
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
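The DN handling that the thread suspects, as an added Python illustration that is not part of the thread, of CAS or of Spring: a small RFC 2253 parser in which "/" is an ordinary value character (the point Michael's directory manager makes), beside a split that mimics how JNDI's CompositeName treats an unescaped "/" in a plain String name as a component separator, which is a plausible cause for this symptom but not one the thread confirms, and a check that lists the DNs from a directory export that such String-based handling would cut up. The sample DN is the one quoted in the thread.

```python
import re
from typing import List, Tuple

# Constructed from the DN quoted in the thread.
SAMPLE_DN = ("CN=mbarton,OU=Special Facilities - Jadwin/Fine,"
             "OU=People,DC=pu,DC=win,DC=princeton,DC=edu")

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 2253 string DN into (type, value) pairs.

    Only an unescaped ',' ends a component; '/' is an ordinary value
    character. Backslash escapes ('\\,' and hex pairs such as '\\2C')
    are decoded. Multi-valued RDNs ('+') are left joined for brevity.
    """
    rdns, key, val, in_key, i = [], [], [], True, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
                val.append(chr(int(pair, 16)))
                i += 3
            else:
                val.append(dn[i + 1])
                i += 2
            continue
        if in_key and c == "=":
            in_key = False
        elif c == ",":
            rdns.append(("".join(key).strip(), "".join(val).strip()))
            key, val, in_key = [], [], True
        elif in_key:
            key.append(c)
        else:
            val.append(c)
        i += 1
    rdns.append(("".join(key).strip(), "".join(val).strip()))
    return rdns

def composite_name_components(dn: str) -> List[str]:
    """Mimic JNDI CompositeName on a plain String: an unescaped '/'
    is a component separator, so the DN above is cut in two."""
    return re.split(r"(?<!\\)/", dn)

def dns_mangled_by_composite_parsing(dns: List[str]) -> List[str]:
    """Defensive check over a directory export: DNs a String-based JNDI
    lookup would cut up; pass these as an LdapName or escape the '/'."""
    return [d for d in dns if len(composite_name_components(d)) > 1]
```

Running the check over an export of user DNs before an upgrade shows which accounts sit under OUs like "Special Facilities - Jadwin/Fine" and will hit this failure until the name is passed as a Name object rather than a String.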