I am configuring CAS 6.2.0-RC1 with LDAP on the same machine (Ubuntu 18.04).

All authentication tests fail. I noticed after launching Wireshark that CAS sends the SHA-1 hash of the password to LDAP, and when comparing, LDAP returns a False response.

When I display the LDAP entries, I find that the password hash indeed does not match.

Here is my cas.properties configuration and the displayed authentication error.

cas.properties:

cas.server.name=https://127.0.0.1:8443
cas.server.prefix=${cas.server.name}/cas
logging.config: file:/etc/cas/config/log4j2.xml
cas.authn.accept.users=
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://127.0.0.1:389
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].baseDn=ou=groups,dc=localhost,dc=slapd
cas.authn.ldap[0].searchFilter=uid={user}
cas.authn.ldap[0].bindDn=cn=admin,dc=localhost,dc=slapd
cas.authn.ldap[0].bindCredential=1234
cas.authn.ldap[0].principalAttributePassword=userPassword
cas.authn.ldap[0].principalAttributeList=cn,uid,givenName

Error:

2020-01-13 02:45:21,729 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [UsernamePasswordCredential(username=user, source=null, customFields={})] of type [UsernamePasswordCredential]. Examine the configuration to ensure a method of authentication is defined and analyze CAS logs at DEBUG level to trace the authentication event.>
Is the hash in LDAP SHA1? Or something else? In my case I was working with a legacy LDAP system that still used MD5. I had to override CAS code because the algorithm does not appear to be configurable (in 6.1). Next step is to figure out how to update hash on the fly to avoid forcing everyone to reset password...
– Luke
Apr 27, 2020 at 20:23
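
The scheme question raised in the comment can be checked offline against the userPassword value read from the directory. The following is an added example, not code from the post or from CAS: it assumes the OpenLDAP-style `{SCHEME}base64` encoding of userPassword and that the compared value is `{SHA}` plus the base64 SHA-1 digest; the function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# scheme -> (hashlib name, digest length, salted?) for the schemes handled here
SCHEMES = {"SHA": ("sha1", 20, False), "SSHA": ("sha1", 20, True),
           "MD5": ("md5", 16, False), "SMD5": ("md5", 16, True)}


def parse_user_password(stored):
    """Split '{SCHEME}base64' into (scheme, digest, salt); cleartext gives scheme None."""
    m = re.fullmatch(r"\{([A-Za-z0-9-]+)\}(.*)", stored)
    if not m:
        return None, stored.encode(), b""
    scheme = m.group(1).upper()
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme: " + scheme)
    _, size, salted = SCHEMES[scheme]
    raw = base64.b64decode(m.group(2), validate=True)
    if len(raw) < size or (not salted and len(raw) != size):
        raise ValueError("unexpected digest length for " + scheme)
    return scheme, raw[:size], raw[size:]


def verify(stored, password):
    """Recompute the digest with the stored scheme and salt, as a bind would."""
    scheme, digest, salt = parse_user_password(stored)
    if scheme is None:
        return hmac.compare_digest(digest, password.encode())
    calc = hashlib.new(SCHEMES[scheme][0], password.encode() + salt).digest()
    return hmac.compare_digest(calc, digest)


def sha1_compare_matches(stored, password):
    """Does '{SHA}' + base64(SHA-1(password)) equal the stored value byte for byte?"""
    sent = "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(sent.encode(), stored.encode())


def encode(scheme, password, salt=b""):
    """Build a constructed sample userPassword value for the demo."""
    digest = hashlib.new(SCHEMES[scheme][0], password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())


if __name__ == "__main__":
    for s in (encode("SHA", "1234"), encode("SSHA", "1234", b"salt"), encode("MD5", "1234")):
        print(s, verify(s, "1234"), sha1_compare_matches(s, "1234"))
```

With the correct password, only the unsalted `{SHA}` value matches a SHA-1 compare; salted or MD5 values verify under their own scheme but never equal the compared string.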