Greetings,

I believe I am very close to getting a working CAS instance to authenticate 
from our Oracle 12g Database using the CAS5 RC5 snapshot.

I have configured the QueryAndEncodeDatabaseAuthenticationHandler via the 
maven overlay in cas.properties.

I have set the following values:

cas.authn.jdbc.encode[0].driverClass=oracle.jdbc.driver.OracleDriver
cas.authn.jdbc.encode[0].url=jdbc:oracle:thin:@xxxxxxxx.edu:1521:xxxxx
cas.authn.jdbc.encode[0].user=xxxxxxxxxxx
cas.authn.jdbc.encode[0].password=xxxxxxxxxx
cas.authn.jdbc.encode[0].sql=select gobtpac_pin, gobtpac_salt from gobtpac left join unixacct on pidm = gobtpac_pidm where userid = ?
cas.authn.jdbc.encode[0].algorithmName=SHA-1
cas.authn.jdbc.encode[0].passwordFieldName=gobtpac_pin
cas.authn.jdbc.encode[0].saltFieldName=gobtpac_salt
cas.authn.jdbc.encode[0].healthQuery=select 1 from dual
cas.authn.jdbc.encode[0].encodingAlgorithm=sha1


The gobtpac_pin field in the database is computed as sha1('password' + 
salt).

When I attempt to log in as myself I can see the database respond with 
(via tcpdump -i eno1 -nnvvXSs 1514 host 136.223.xxx.xxx):

        0x0070:  0001 0b01 0b0b 474f 4254 5041 435f 5049  ......GOBTPAC_PI
        0x0080:  4e00 0000 0001 8000 0002 0200 0002 1000  N...............
        0x0090:  0000 0203 6901 0180 010c 010c 0c47 4f42  ....i........GOB
        0x00a0:  5450 4143 5f53 414c 5400 0001 0100 0107  TPAC_SALT.......
        0x00b0:  0778 740a 1f0c 102b 0002 1fe8 0102 0102  .xt....+........
        0x00c0:  0006 2201 0200 010a 0000 0007 2845 3441  ..".........(E4A
        0x00d0:  3542 3341 3743 3044 3634 3735 4144 3541  5B3A7C0D6475AD5A
        0x00e0:  3737 4641 4131 3636 3733 3536 3238 5858  77FAA166735628XX
        0x00f0:  4443 3931 3108 3146 364d 4c45 4444 0801  DC911.1F6MLEDD..




This corresponds to what I get from my sql query:

select gobtpac_pin, gobtpac_salt from gobtpac left join unixacct on pidm = 
gobtpac_pidm where userid = 'xxxxxxx';
-----------------------------------------
E4A5B3A7C0D6475AD5A77FAA166735628XXDC911 1F6MLEDD



I have tried:
cas.authn.jdbc.encode[0].encodingAlgorithm=sha1
&&
cas.authn.jdbc.encode[0].encodingAlgorithm=SHA-1

My instincts are telling me I have the algorithm name wrong or in the wrong 
format. Drilling through the documentation I could find I ended up 
at: http://docs.oracle.com/javase/6/docs/technotes/guides/security/p11guide.html






Ultimately I get the following error in catalina.out:

2016-10-31 11:31:18,374 INFO 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
<QueryAndEncodeDatabaseAuthenticationHandler failed authenticating xxxxxxx>
2016-10-31 11:31:18,374 WARN 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
<Authentication has failed. Credentials may be incorrect or CAS cannot find 
authentication handler that supports [xxxxxxx] of type 
[UsernamePasswordCredential], which suggests a configuration problem.>
2016-10-31 11:31:18,375 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN
=============================================================
WHO: xxxxxxx
WHAT: Supplied credentials: [xxxxxxx]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Mon Oct 31 11:31:18 EDT 2016
CLIENT IP ADDRESS: aa.bbb.c.d
SERVER IP ADDRESS: yyy.z.ss.ttt
=============================================================


Can someone please lend me a hand with this configuration? Or am I just way 
off base on how QueryAndEncodeDatabaseAuthenticationHandler works?


Thank you,
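
An added example, not part of the original post and not CAS code: the post says the stored value is sha1('password' + salt) and the query returns it as uppercase hex, so a verifier that concatenates in the other order, iterates the hash, or compares lowercase hex exactly would reject the correct password. The script below checks a known password and salt against a stored digest under those variants; the function names, the sample password and salt, and the iteration convention (re-hashing the raw digest bytes) are assumptions.

```python
import hashlib
import hmac

def candidates(password, salt, max_iterations=3):
    """Yield (label, lowercase hex digest) for each salting variant tried."""
    pw, s = password.encode("utf-8"), salt.encode("utf-8")
    for order, data in (("password+salt", pw + s), ("salt+password", s + pw)):
        digest = hashlib.sha1(data).digest()
        for n in range(1, max_iterations + 1):
            yield "sha1(%s) x%d" % (order, n), digest.hex()
            # Assumed convention: later rounds hash the previous raw digest only.
            digest = hashlib.sha1(digest).digest()

def identify(stored_hex, password, salt):
    """Return [(label, how_it_matched)] for every variant equal to stored_hex."""
    matches = []
    for label, hexd in candidates(password, salt):
        if hmac.compare_digest(stored_hex, hexd):
            matches.append((label, "exact"))
        elif hmac.compare_digest(stored_hex.lower(), hexd):
            # Stored value is uppercase hex: only a case-insensitive
            # comparison (or normalising the column) will accept it.
            matches.append((label, "case-insensitive only"))
    return matches

# Constructed sample row (not taken from the post): uppercase hex of
# sha1(password + salt), the layout the post describes.
SAMPLE_PASSWORD = "example-Passw0rd"
SAMPLE_SALT = "A1B2C3D4"
SAMPLE_STORED = hashlib.sha1(
    (SAMPLE_PASSWORD + SAMPLE_SALT).encode("utf-8")
).hexdigest().upper()

if __name__ == "__main__":
    found = identify(SAMPLE_STORED, SAMPLE_PASSWORD, SAMPLE_SALT)
    if not found:
        print("no variant matched: check encoding, salt column or algorithm")
    for label, how in found:
        print("%s matches (%s)" % (label, how))
```

Run it with one test account's stored digest, salt and known password; the variant it reports is what the authentication handler's salt order, iteration count and comparison must agree with.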
