Hi all,
we want to deploy a CAS 5.1 server with the Maven Overlay method under CentOS 7, Java 1.8.0 and Tomcat 8.0.
Currently I am trying to set up authentication against LDAP.

The configuration I am using is fairly simple:
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].ldapUrl=ldap://...:3890
cas.authn.ldap[0].bindDn=cn=manager,dc=example,dc=org
cas.authn.ldap[0].bindCredential=secret
cas.authn.ldap[0].baseDn=dc=example,dc=org
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].subtreeSearch=true


During startup of Tomcat the CAS server initializes a connection pool. In the log there are three consecutive blocks like this:

beginning pool initialization...
...
execute request=[org.ldaptive.BindRequest@261320823...
execute response=[org.ldaptive.Response@753570317...
[request and response happens 2 more times here]
added available connection: org.ldaptive.pool.AbstractConnectionPool

So in total there are 9 BindRequests+Responses during initialization. When 
looking at the LDAP server's logs I can also verify 9 BIND requests. So 
everything works as expected.

Fast forward to authentication. There is a timeout when reading the LDAP 
response. So essentially there never is a response. See the log below for 
this part:

2017-06-22 15:07:13,564 DEBUG [org.ldaptive.SearchOperation] - <execute 
request=[org.ldaptive.SearchRequest@1990922963::baseDn=dc=example,dc=org, 
searchFilter=[org.ldaptive.SearchFilter@538592870::filter=uid={user}, 
parameters={context=null, user=t.benutzer}], returnAttributes=[1.1], 
searchScope=SUBTREE, timeLimit=PT0S, sizeLimit=0, derefAliases=null, 
typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, 
searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, 
referralHandler=null, intermediateResponseHandlers=null] with 
connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1341165364::config=[org.ldaptive.ConnectionConfig@1707652548::ldapUrl=ldap://openldap-1.daasi.prj:3890,
connectTimeout=PT5S, responseTimeout=PT5S, 
sslConfig=[org.ldaptive.ssl.SslConfig@215657008::credentialConfig=null, 
trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, 
handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, 
connectionInitializer=[org.ldaptive.BindConnectionInitializer@983570221::bindDn=cn=manager,dc=example,dc=org,
bindSaslConfig=null, bindControls=null], 
connectionStrategy=org.ldaptive.DefaultConnectionStrategy@36e4c967], 
providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@1968431256::metadata=[ldapUrl=ldap://openldap-1.daasi.prj:3890,
count=1], environment={com.sun.jndi.ldap.connect.timeout=5000, 
java.naming.ldap.version=3, 
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, 
com.sun.jndi.ldap.read.timeout=5000}, classLoader=null, 
providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@1701617828::operationExceptionResultCodes=[PROTOCOL_ERROR,
SERVER_DOWN], properties={}, 
controlProcessor=org.ldaptive.provider.ControlProcessor@622e959f, 
environment=null, tracePackets=null, removeDnUrls=true, 
searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, 
PARTIAL_RESULTS], classLoader=null, sslSocketFactory=null, 
hostnameVerifier=null]], 
providerConnection=org.ldaptive.provider.jndi.JndiConnection@296c3fc1]>
2017-06-22 15:07:18,748 DEBUG 
[org.ldaptive.provider.jndi.NamingExceptionUtils] - <naming exception class 
javax.naming.NamingException is ambiguous, maps to multiple result codes: 
[OPERATIONS_ERROR, ALIAS_PROBLEM, ALIAS_DEREFERENCING_PROBLEM, LOOP_DETECT, 
AFFECTS_MULTIPLE_DSAS, OTHER]>
2017-06-22 15:07:18,760 ERROR 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
<[LdapAuthenticationHandler]: [Unexpected LDAP error]  (Details: 
[javax.naming.NamingException: LDAP response read timed out, timeout 
used:5000ms.; remaining name 'dc=example,dc=org'])>
2017-06-22 15:07:18,761 WARN 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
<Authentication has failed. Credentials may be incorrect or CAS cannot find 
authentication handler that supports [t.benutzer] of type 
[UsernamePasswordCredential], which suggests a configuration problem.>

When looking at the LDAP server's logs I also do not see anything. It's like the request never leaves the server that is running CAS.

Now the funny thing is: when I restart the LDAP server and try to log in again, it does work! Another bind occurs, since the connection is no longer available, and I get a response to the SearchRequest. Obviously the LDAP server log also reflects this and shows the search operation:

execute request=[org.ldaptive.SearchRequest@128569139
Operation exception encountered, reopening connection
...
execute request=[org.ldaptive.BindRequest@1701619972
execute response=[org.ldaptive.Response@844611484
execute response=[org.ldaptive.Response@430713277::result=[org.ldaptive.SearchResult
Authentication succeeded for dn: uid=t.benutzer,ou=people,dc=example,dc=org

I pretty much tried every timeout setting that is documented in https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html and also played around with the Passivator settings.
When I set up a validator the same thing happens: there is no response to the SearchRequests and in fact the LDAP server never receives any requests.

Any input on this is very much appreciated!
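Added example (not from the original post, nor from the CAS or ldaptive projects): a small Python triage script that pairs each ldaptive "execute request" line with its response or with the "LDAP response read timed out" error, so the pattern described above (pool binds answered at startup, a later SearchRequest that never gets an answer) can be read off the CAS log alone. The log lines embedded in it are constructed to match the format quoted in the post; the regex names and the `triage` function are this example's own.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample in the shape of the ldaptive/CAS log quoted in the post (not real output):
# one pool bind that is answered, then a SearchRequest whose only outcome is the read timeout.
SAMPLE_LOG = [
    "2017-06-22 15:06:01,100 DEBUG [org.ldaptive.pool.BlockingConnectionPool] - <beginning pool initialization>",
    "2017-06-22 15:06:01,120 DEBUG [org.ldaptive.AbstractOperation] - <execute request=[org.ldaptive.BindRequest@261320823::bindDn=cn=manager,dc=example,dc=org]>",
    "2017-06-22 15:06:01,131 DEBUG [org.ldaptive.AbstractOperation] - <execute response=[org.ldaptive.Response@753570317::result=[]]>",
    "2017-06-22 15:07:13,564 DEBUG [org.ldaptive.SearchOperation] - <execute request=[org.ldaptive.SearchRequest@1990922963::baseDn=dc=example,dc=org, searchFilter=uid={user}]>",
    "2017-06-22 15:07:18,760 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[LdapAuthenticationHandler]: [Unexpected LDAP error]  (Details: [javax.naming.NamingException: LDAP response read timed out, timeout used:5000ms.])>",
]

TS = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})")
REQ = re.compile(r"execute request=\[org\.ldaptive\.(\w+)@(\d+)")
RESP = re.compile(r"execute response=\[org\.ldaptive\.Response@")
TIMEOUT = re.compile(r"LDAP response read timed out, timeout used:(\d+)ms")

def triage(lines):
    """Pair requests with responses/timeouts in FIFO order (a single ldaptive connection
    serialises its operations).  Returns 'completed' {request type: count},
    'timed_out' [(type, id, elapsed_ms, limit_ms)] and 'unanswered' [(type, id)] for
    requests that have no outcome anywhere in the log."""
    pending, completed, timed_out, when = deque(), {}, [], None
    for line in lines:
        if (m := TS.match(line)):            # wrapped continuation lines keep the last timestamp
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        if when is None:
            continue
        if (r := REQ.search(line)):
            pending.append((r.group(1), r.group(2), when))
        elif RESP.search(line) and pending:
            kind = pending.popleft()[0]
            completed[kind] = completed.get(kind, 0) + 1
        elif (t := TIMEOUT.search(line)) and pending:
            kind, rid, started = pending.popleft()
            elapsed = (when - started) // timedelta(milliseconds=1)  # exact integer milliseconds
            timed_out.append((kind, rid, elapsed, int(t.group(1))))
    return {"completed": completed, "timed_out": timed_out,
            "unanswered": [(k, r) for k, r, _ in pending]}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("answered:", result["completed"])
    for kind, rid, elapsed, limit in result["timed_out"]:
        print(f"{kind}@{rid}: no response, gave up after {elapsed} ms (limit {limit} ms)")
    print("still pending at end of log:", result["unanswered"])
```

Run against a full CAS DEBUG log, a SearchRequest in `timed_out` with an elapsed time just above the configured limit, while the preceding BindRequests are all in `completed`, is exactly the symptom reported here.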
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/590d9fc7-7f70-4a56-88c2-f17d94b90abd%40apereo.org.