Discussion forums

[RESOLVED] CAS AND LDAP

Julien Denis Cornouiller, modified 16 years ago.

[RESOLVED] CAS AND LDAP

New Member, Posts: 22, Join date: 10/09/07
I configured LDAP import and CAS; everything works perfectly,
BUT when I check "Use LDAP" in the CAS tab it doesn't work (this action doesn't change anything).

So I went to the JA-SIG website to see how to configure it and followed this doc http://www.ja-sig.org/wiki/display/CASUM/LDAP but I get this error...

java.lang.ClassNotFoundException: org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource


Do you know where the jar containing this class is?

cheers,
Julien
Julien Denis Cornouiller, modified 16 years ago.

RE: CAS AND LDAP

New Member, Posts: 22, Join date: 10/09/07
It seems that CAS isn't built with "cas support ldap";

in the JA-SIG config we have to add LDAP support to the pom.xml Maven build...
Julien Denis Cornouiller, modified 16 years ago.

RE: CAS AND LDAP

New Member, Posts: 22, Join date: 10/09/07
I added support-ldap.jar to the classpath;
I have another problem...

2007-09-12 14:38:51,345 INFO [org.jasig.cas.web.flow.AutomaticCookiePathSetterAction - <Setting ContextPath for cookies to: /cas-web>
2007-09-12 14:39:01,079 ERROR [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/cas-web].[cas]] - <"Servlet.service()" pour la servlet cas a genere une exception>
java.io.EOFException: SSL peer shut down incorrectly
at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:333)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:723)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:622)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:390)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:334)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:192)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
at org.springframework.ldap.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:59)
at org.springframework.ldap.support.AbstractContextSource.createContext(AbstractContextSource.java:193)
at org.springframework.ldap.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:104)
at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:263)
at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:314)
at org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler.authenticateUsernamePasswordInternal(BindLdapAuthenticationHandler.java:67)
at org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler.authenticate(AbstractUsernamePasswordAuthenticationHandler.java:58)
at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:79)
at org.jasig.cas.CentralAuthenticationServiceImpl.createTicketGrantingTicket(CentralAuthenticationServiceImpl.java:282)
at org.jasig.cas.web.flow.AuthenticationViaFormAction.submit(AuthenticationViaFormAction.java:116)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.springframework.webflow.util.DispatchMethodInvoker.invoke(DispatchMethodInvoker.java:105)
at org.springframework.webflow.action.MultiAction.doExecute(MultiAction.java:136)
at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:204)
at org.springframework.webflow.AnnotatedAction.execute(AnnotatedAction.java:139)
at org.springframework.webflow.ActionExecutor.execute(ActionExecutor.java:58)
at org.springframework.webflow.ActionState.doEnter(ActionState.java:176)
at org.springframework.webflow.State.enter(State.java:194)
at org.springframework.webflow.Transition.execute(Transition.java:220)
at org.springframework.webflow.TransitionableState.onEvent(TransitionableState.java:102)
at org.springframework.webflow.Flow.onEvent(Flow.java:603)
at org.springframework.webflow.execution.impl.RequestControlContextImpl.signalEvent(RequestControlContextImpl.java:199)
at org.springframework.webflow.ActionState.doEnter(ActionState.java:180)
at org.springframework.webflow.State.enter(State.java:194)
at org.springframework.webflow.Transition.execute(Transition.java:220)
at org.springframework.webflow.TransitionableState.onEvent(TransitionableState.java:102)
at org.springframework.webflow.Flow.onEvent(Flow.java:603)
at org.springframework.webflow.execution.impl.RequestControlContextImpl.signalEvent(RequestControlContextImpl.java:199)
at org.springframework.webflow.execution.impl.FlowExecutionImpl.signalEvent(FlowExecutionImpl.java:193)
at org.springframework.webflow.executor.FlowExecutorImpl.signalEvent(FlowExecutorImpl.java:228)
at org.springframework.webflow.executor.support.FlowRequestHandler.handleFlowRequest(FlowRequestHandler.java:113)
at org.springframework.webflow.executor.mvc.FlowController.handleRequestInternal(FlowController.java:199)
at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:45)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:798)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:728)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:396)
at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:360)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
at java.lang.Thread.run(Thread.java:595)

My config file LIFERAY_HOME/webapps/cas-web/WEB-INF/deployerConfigContext.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">

<beans>

    <bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
        <property name="urls">
            <list>
                <value>ldaps://192.168.1.10</value>
            </list>
        </property>
        <property name="userName" value="Administrator@CLIO.local"/>
        <property name="password" value="cliolinux"/>
        <property name="baseEnvironmentProperties">
            <map>
                <entry>
                    <key>
                        <value>java.naming.security.authentication</value>
                    </key>
                    <value>simple</value>
                </entry>
            </map>
        </property>
    </bean>

    <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">

        <property name="credentialsToPrincipalResolvers">
            <list>
                <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
                <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
            </list>
        </property>

        <property name="authenticationHandlers">
            <list>
                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" />

                <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
                    <property name="filter" value="sAMAccountName=%u" />
                    <property name="searchBase" value="OU=SBSUsers,OU=Users,OU=MyBusiness,DC=CLIO,DC=local" />
                    <property name="contextSource" ref="contextSource" />
                    <property name="ignorePartialResultException" value="yes" /> <!-- fix because of how AD returns results -->
                </bean>
                <!--
                <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
                -->
            </list>
        </property>
    </bean>
</beans>
James Hong, modified 16 years ago.

RE: CAS AND LDAP

Regular Member, Posts: 115, Join date: 22/05/07
I noticed that your ldap url 'ldaps://192.168.1.10' does not specify the port. ldap default port is 389 and ldaps default port is 636. Since you got an SSL error it might not be communicating on the proper port. I would recommend specifying the ldaps port.

James
Julien Denis Cornouiller, modified 16 years ago.

RE: CAS AND LDAP

New Member, Posts: 22, Join date: 10/09/07
It works; indeed I forgot the port, and I also changed
ldaps:// -> ldap://

resolved ...
thanks James
Marine Wacheux, modified 16 years ago.

RE: CAS AND LDAP

New Member, Posts: 5, Join date: 16/08/07
Hello,


I am trying to use CAS and LDAP with Liferay 4.3.1, too.
I put cas-server-ldap-3.0.5.jar and ldaptemplate-1.0.2.jar in my cas-web/WEB-INF/lib/ folder, in order to resolve NoClassDefFound errors.
But now, I can't log in through CAS with the email:

2007-09-12 19:42:26,789 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler failed to authenticate the user which provided the following credentials: test@liferay.com>

Could you please tell me what you put in your cas-web/WEB-INF/deployerConfigContext.xml file?
Are you using the email or another field to authenticate in CAS and Liferay?

Here is my deployerConfigContext.xml file:


<beans>
        <bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
                <property name="pooled" value="true" />
                <property name="urls">
                        <list>
                                <value>ldap://192.168.1.33:10389/</value>
                        </list>
                </property>
                <property name="userName" value="{uid=admin,ou=system}" />
                <property name="password" value="{secret}" />
                <property name="baseEnvironmentProperties">
                        <map>
                                <entry>
                                        <key>
                                                <value>java.naming.security.authentication</value>
                                        </key>
                                        <value>simple</value>
                                </entry>
                        </map>
                </property>
        </bean>
        <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
                <property name="credentialsToPrincipalResolvers">
                        <list>
                                 <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
                                <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
                        </list>
                </property>
                <property name="authenticationHandlers">
                        <list>
                                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" />
                                <bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
                                        <property name="filter" value="uid=%u,ou=users,dc=example,dc=com" />
                                        <property name="contextSource" ref="contextSource" />
                                </bean>
                        </list>
                </property>
        </bean>
</beans>


Is there something wrong with it?

Thanks.
Marine Wacheux, modified 16 years ago.

RE: CAS AND LDAP

New Member, Posts: 5, Join date: 16/08/07
Hmm... I will have to buy glasses!! I just saw that your deployerConfigContext.xml file was already in this post!

So, I modified my config after looking at yours.

I modified these lines:
(...)
   <property name="userName" value="uid=admin,ou=system" />
   <property name="password" value="secret" />
(...)
<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
   <property name="filter" value="mail=%u" />
   <property name="searchBase" value="ou=users,dc=example,dc=com" />
   <property name="contextSource" ref="contextSource" />
</bean>


But when I try to authenticate, it throws the following exception:

Sep 12, 2007 9:46:22 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet cas threw exception
javax.naming.NoPermissionException: [LDAP: error code 50 - failed on search operation: Anonymous binds have been disabled!]; remaining name 'ou=users,dc=example,dc=com'

I tried to search for entries manually with the same parameters, and this works:

./ldapsearch -h 192.168.1.33 -p 10389 -b "ou=users,dc=example,dc=com" -D "uid=admin,ou=system" -w "secret" "mail=test@liferay.com"

Result:
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=example,dc=com> with scope subtree
# filter: mail=test@liferay.com
# requesting: ALL
#

# joebloggs, users, example.com
dn: cn=joebloggs,ou=users,dc=example,dc=com
sn: Bloggs
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: joebloggs
givenname: Joe
mail: test@liferay.com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


It seems that CAS can't authenticate with "uid=admin,ou=system" / "secret", whereas I can do it manually...

I saw on some posts to add the following line :
<property name="anonymousReadOnly" value="false" />

But Tomcat failed to start :
Caused by: org.springframework.beans.NotWritablePropertyException: Invalid property 'anonymousReadOnly' of bean class [org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource]: Bean property 'anonymousReadOnly' is not writable or has an invalid setter method. Does the parameter type of the setter match the return type of the getter?

I replaced "anonymousReadOnly" by "authenticatedReadOnly" (found on other posts) => No error anymore about it, but I still have the NoPermissionException.

Any idea, please?
Thanks in advance...
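One way to catch the configuration mistakes from this thread before deploying (the ldaps URL without a port from the first post, the ldaps-to-ldap downgrade, the {...} template braces left around the bind credentials, and a FastBind handler given an attribute filter like mail=%u instead of a DN pattern), as an added example that is not from the thread or the CAS project. It lints a deployerConfigContext.xml with Python's standard library; the class names are the ones used in the posts above, the sample config is constructed, and the function and variable names are my own.

```python
# Added example (not from the thread or the CAS project): lint a CAS 3.0
# deployerConfigContext.xml for the LDAP mistakes discussed in this thread.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
CONTEXT_SOURCE = "org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource"
FAST_BIND = "org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler"
BIND = "org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"

# Constructed sample combining the thread's mistakes: an ldaps URL with no port,
# template braces left around the bind credentials, and a FastBind handler
# given an attribute filter instead of a DN pattern.
SAMPLE_XML = """<beans>
  <bean id="contextSource" class="%s">
    <property name="urls"><list><value>ldaps://192.168.1.10</value></list></property>
    <property name="userName" value="{uid=admin,ou=system}"/>
    <property name="password" value="{secret}"/>
  </bean>
  <bean class="%s">
    <property name="filter" value="mail=%%u"/>
    <property name="contextSource" ref="contextSource"/>
  </bean>
</beans>""" % (CONTEXT_SOURCE, FAST_BIND)

def _props(bean):
    # Direct <property name=... value=...> children of one bean, as a dict.
    return {p.get("name"): p.get("value") for p in bean.findall("property")}

def _check_context_source(bean, props, out):
    # URL scheme/port sanity, plaintext binds, and leftover template braces.
    for v in bean.findall("property[@name='urls']/list/value"):
        url = (v.text or "").strip()
        u = urlsplit(url)
        if u.scheme not in DEFAULT_PORTS:
            out.append(("error", f"{url}: unknown LDAP scheme"))
            continue
        if u.port is None:
            out.append(("warn", f"{url}: no port given; {u.scheme} defaults to {DEFAULT_PORTS[u.scheme]}"))
        if u.scheme == "ldap":
            out.append(("warn", f"{url}: simple bind over plaintext ldap:// exposes the service account password"))
    for name in ("userName", "password"):
        val = props.get(name) or ""
        if val.startswith("{") and val.endswith("}"):
            out.append(("error", f"{name} still carries template braces: {val}"))

def lint_cas_ldap_config(xml_text):
    """Return [(severity, message)] findings; an empty list means nothing was flagged."""
    out = []
    for bean in ET.fromstring(xml_text).iter("bean"):
        cls, props = bean.get("class", ""), _props(bean)
        if cls == CONTEXT_SOURCE:
            _check_context_source(bean, props, out)
        elif cls in (FAST_BIND, BIND):
            flt = props.get("filter") or ""
            if "%u" not in flt:
                out.append(("error", f"{cls.rsplit('.', 1)[-1]}: filter lacks the %u placeholder"))
            elif cls == FAST_BIND and "," not in flt:
                # FastBind binds directly as the DN built from the filter; "mail=%u" is not a DN.
                out.append(("error", f"FastBind filter {flt!r} is not a DN pattern; use BindLdapAuthenticationHandler with a searchBase"))
            elif cls == BIND and not props.get("searchBase"):
                out.append(("error", "BindLdapAuthenticationHandler needs a searchBase to search for the user"))
    return out
```

Running lint_cas_ldap_config(SAMPLE_XML) reports the missing port, both brace-wrapped credentials and the FastBind filter; a config using ldaps://host:636, plain credentials and BindLdapAuthenticationHandler with a searchBase returns no findings.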
Marine W., modified 16 years ago.

RE: CAS AND LDAP

New Member, Posts: 5, Join date: 16/08/07
I temporarily passed through the "failed on search operation: Anonymous binds have been disabled" problem by authorizing LDAP anonymous access.

Now, I can go further in authentication:
- I can authenticate through CAS with the mail and password stored in LDAP.
- However, it forwards me to a Liferay page that tells me to log in either with a current account or with an OpenID provider (in French: "S'identifier avec un compte courant" or "S'identifier avec un fournisseur d'identifiant ouvert"). The SSO mechanism does not seem to work, as I have to log in twice...

In the log, I see this error:
2007-09-13 00:00:02,579 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated the user which provided following credentials: test@liferay.com>
2007-09-13 00:00:02,586 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <granted service ticket [st-2-qfju5ufocmzxydpxeswmfug6thm5qg5lvle-20] for [http://liferay2.armor-technologies.fr/c/portal/login] user [test@liferay.com]>
00:00:02,731 ERROR [AutoLoginFilter:101] com.liferay.portal.NoSuchUserException: No User exists with the key {companyId=1, screenName=test@liferay.com}


I wonder why it searches for "screenName=test@liferay.com", as I never changed Liferay's authentication mode: I kept the default mail-based authentication mode.

I saw this in the Liferay doc (http://content.liferay.com/4.3/doc/installation/liferay_4_customization_guide/onepage/):
#
# Set this to true to enable CAS single sign on. NTLM will work only if
# LDAP authentication is also enabled and the authentication is made by
# screen name. If set to true, then the property "auto.login.hooks" must
# contain a reference to the class
# com.liferay.portal.security.auth.CASAutoLogin and the filter
# com.liferay.portal.servlet.filters.sso.cas.CASFilter must be referenced
# in web.xml.
#
cas.auth.enabled=false
(...)
##
## NTLM
##
#
# Set this to true to enable NTLM single sign on. NTLM will work only if
# LDAP authentication is also enabled and the authentication is made by
# screen name. If set to true, then the property "auto.login.hooks" must
# contain a reference to the class
# com.liferay.portal.security.auth.NtlmAutoLogin and the filter
# com.liferay.portal.servlet.filters.sso.ntlm.NtlmFilter must be referenced
# in web.xml.
#
ntlm.auth.enabled=false


What is NTLM?
Does it mean that in order to have SSO work, I necessarily have to use screen name authentication in Liferay, and to enable "NTLM"?

Thanks in advance...
Julien Denis Cornouiller, modified 16 years ago.

RE: CAS AND LDAP

New Member, Posts: 22, Join date: 10/09/07
Hi,

Personally I don't check NTLM, and I use screenName...
Marine W., modified 16 years ago.

RE: CAS AND LDAP

New Member, Posts: 5, Join date: 16/08/07
OK, thanks. I will try it like this.
unbi notna, modified 16 years ago.

RE: CAS AND LDAP

New Member, Posts: 9, Join date: 21/09/07
Hi Marine W.,

I have the same problem as you: I get the login twice in Liferay. Is your double-login problem solved?? Please help me... or does anybody know??
Marine W., modified 16 years ago.

RE: CAS AND LDAP

New Member, Posts: 5, Join date: 16/08/07
Hi unbi notna,

I'm sorry, but I won't be able to help you, as we gave up on Liferay. We finally chose not to use a portal.
Maybe someone else can help you?