CAS does not load attributes from ldap - ldap

I tried to configure CAS (6.1) to retrieve the LDAP attributes for the Principal, but it says it has no attributes [cn] and [sn] while they are obviously there.
Config:

```
# auth by ldap:
cas.authn.ldap[0].type=DIRECT
cas.authn.ldap[0].ldapUrl=********
cas.authn.ldap[0].baseDn=dc=boip,dc=org
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].bindDn=*********
cas.authn.ldap[0].bindCredential=*********
cas.authn.ldap[0].dnFormat=uid=%s,ou=people,dc=boip,dc=org
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].searchFilter=cn={user}
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].enhanceWithEntryResolver=true
cas.authn.ldap[0].principalAttributeId=uid
cas.authn.ldap[0].principalAttributeList=sn,cn
```
Log:

```
2022-03-24 10:40:32,807 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Attempting LDAP authentication for [UsernamePasswordCredential(username=dexter, source=null, customFields={})]. Authenticator pre-configured attributes are [null], additional requested attributes for this authentication request are [[uid, cn, sn]]>
2022-03-24 10:40:32,855 DEBUG [org.apereo.cas.util.BinaryAttributeAwarePooledSearchEntryResolver] - <resolve criteria=[org.ldaptive.auth.AuthenticationCriteria#1746427848::dn=uid=dexter,ou=people,dc=boip,dc=org, authenticationRequest=[org.ldaptive.auth.AuthenticationRequest#414781248::user=[org.ldaptive.auth.User#1436018205::identifier=dexter, context=null], returnAttributes=[uid, cn, sn], controls=null]]>
2022-03-24 10:40:32,859 DEBUG [org.apereo.cas.util.BinaryAttributeAwarePooledSearchEntryResolver] - <searching for entry using userFilter>
2022-03-24 10:40:32,861 DEBUG [org.apereo.cas.util.BinaryAttributeAwarePooledSearchEntryResolver] - <resolved result=[org.ldaptive.SearchResult#4303153::entries=[], references=[]] for criteria=[org.ldaptive.auth.AuthenticationCriteria#1746427848::dn=uid=dexter,ou=people,dc=boip,dc=org, authenticationRequest=[org.ldaptive.auth.AuthenticationRequest#414781248::user=[org.ldaptive.auth.User#1436018205::identifier=dexter, context=null], returnAttributes=[uid, cn, sn], controls=null]]>
2022-03-24 10:40:32,862 INFO [org.ldaptive.auth.Authenticator] - <Authentication succeeded for dn: uid=dexter,ou=people,dc=boip,dc=org>
2022-03-24 10:40:32,865 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <LDAP response: [[org.ldaptive.auth.AuthenticationResponse#2072381256::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS, resolvedDn=uid=dexter,ou=people,dc=boip,dc=org, ldapEntry=[dn=uid=dexter,ou=people,dc=boip,dc=org[]], accountState=null, result=true, resultCode=SUCCESS, message=null, controls=[[org.ldaptive.control.PasswordPolicyControl#-350070253::criticality=false, timeBeforeExpiration=-1, graceAuthNsRemaining=-1, error=null]]]]>
2022-03-24 10:40:32,865 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Attempting to examine and handle LDAP password policy via [DefaultPasswordPolicyHandlingStrategy]>
2022-03-24 10:40:32,865 DEBUG [org.apereo.cas.authentication.support.password.DefaultPasswordPolicyHandlingStrategy] - <Applying password policy [[org.ldaptive.auth.AuthenticationResponse#2072381256::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS, resolvedDn=uid=dexter,ou=people,dc=boip,dc=org, ldapEntry=[dn=uid=dexter,ou=people,dc=boip,dc=org[]], accountState=null, result=true, resultCode=SUCCESS, message=null, controls=[[org.ldaptive.control.PasswordPolicyControl#-350070253::criticality=false, timeBeforeExpiration=-1, graceAuthNsRemaining=-1, error=null]]]] to [org.apereo.cas.authentication.support.DefaultLdapAccountStateHandler#114ba12b]>
2022-03-24 10:40:32,865 DEBUG [org.apereo.cas.authentication.support.DefaultLdapAccountStateHandler] - <Attempting to handle LDAP account state for [[org.ldaptive.auth.AuthenticationResponse#2072381256::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS, resolvedDn=uid=dexter,ou=people,dc=boip,dc=org, ldapEntry=[dn=uid=dexter,ou=people,dc=boip,dc=org[]], accountState=null, result=true, resultCode=SUCCESS, message=null, controls=[[org.ldaptive.control.PasswordPolicyControl#-350070253::criticality=false, timeBeforeExpiration=-1, graceAuthNsRemaining=-1, error=null]]]]>
2022-03-24 10:40:32,865 DEBUG [org.apereo.cas.authentication.support.DefaultLdapAccountStateHandler] - <Account state not defined. Returning empty list of messages.>
2022-03-24 10:40:32,865 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <LDAP response returned a result [[dn=uid=dexter,ou=people,dc=boip,dc=org[]]], creating the final LDAP principal>
2022-03-24 10:40:32,865 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Creating LDAP principal for [dexter] based on [uid=dexter,ou=people,dc=boip,dc=org] and attributes [[]]>
2022-03-24 10:40:32,865 WARN [org.apereo.cas.authentication.LdapAuthenticationHandler] - <The principal id attribute [uid] is not found. CAS cannot construct the final authenticated principal if it's unable to locate the attribute that is designated as the principal id. Attributes available on the LDAP entry are [[]]. Since principal id attribute is not available, CAS will fall back to construct the principal based on the provided user id: [dexter]>
2022-03-24 10:40:32,865 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <LDAP principal identifier created is [dexter]>
2022-03-24 10:40:32,866 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <The following attributes are requested to be retrieved and mapped: [[]]>
2022-03-24 10:40:32,866 WARN [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Requested LDAP attribute [cn] could not be found on the resolved LDAP entry for [uid=dexter,ou=people,dc=boip,dc=org]>
2022-03-24 10:40:32,866 WARN [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Requested LDAP attribute [sn] could not be found on the resolved LDAP entry for [uid=dexter,ou=people,dc=boip,dc=org]>
2022-03-24 10:40:32,866 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Created LDAP principal for id [dexter] and [0] attributes>
```
LDAP:
I was expecting the values 'Dexter Morgan' and 'Morgan' to be returned for cn and sn respectively.
Can anybody hint at what I might be missing here?
Thank you for reading :)
Willem.
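The three log lines worth reading together are the entry resolver's `entries=[]`, the `Authentication succeeded` line for the bound DN, and `Created LDAP principal ... [0] attributes`: the bind worked, but the separate search that is supposed to fetch the attributes matched nothing. The following script is an added example, not part of the post above and not CAS code. It parses the posted properties and those debug lines and flags two things: a resolver search that returned no entry after a successful bind, and a `searchFilter` whose attribute (`cn={user}`) differs from the attribute the DN is built from (`uid=...` in `dnFormat`), which means the resolver looks for an entry whose `cn` equals the login name. The regexes, function names and the shortened `CAS_LOG`/`CAS_CONFIG` samples (copied from the post, with the long criteria block trimmed) are my own.

```python
import re
from typing import Optional

# Constructed sample: the properties and the relevant log lines from the post above.
CAS_CONFIG = """\
cas.authn.ldap[0].type=DIRECT
cas.authn.ldap[0].baseDn=dc=boip,dc=org
cas.authn.ldap[0].dnFormat=uid=%s,ou=people,dc=boip,dc=org
cas.authn.ldap[0].searchFilter=cn={user}
cas.authn.ldap[0].enhanceWithEntryResolver=true
cas.authn.ldap[0].principalAttributeId=uid
cas.authn.ldap[0].principalAttributeList=sn,cn
"""

CAS_LOG = """\
2022-03-24 10:40:32,807 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Attempting LDAP authentication for [UsernamePasswordCredential(username=dexter, source=null, customFields={})]. Authenticator pre-configured attributes are [null], additional requested attributes for this authentication request are [[uid, cn, sn]]>
2022-03-24 10:40:32,861 DEBUG [org.apereo.cas.util.BinaryAttributeAwarePooledSearchEntryResolver] - <resolved result=[org.ldaptive.SearchResult#4303153::entries=[], references=[]] for criteria=[trimmed]>
2022-03-24 10:40:32,862 INFO [org.ldaptive.auth.Authenticator] - <Authentication succeeded for dn: uid=dexter,ou=people,dc=boip,dc=org>
2022-03-24 10:40:32,866 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Created LDAP principal for id [dexter] and [0] attributes>
"""

REQUESTED_RE = re.compile(r"additional requested attributes for this authentication request are \[\[([^\]]*)\]\]")
RESOLVED_RE = re.compile(r"resolved result=\[[^:]*::entries=\[(.*?)\], references=")
SUCCESS_RE = re.compile(r"Authentication succeeded for dn: ([^>\s]+)")
CREATED_RE = re.compile(r"Created LDAP principal for id \[([^\]]+)\] and \[(\d+)\] attributes")


def parse_properties(text: str) -> dict:
    """key=value lines, ignoring blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def leading_attribute(expr: str) -> Optional[str]:
    """Attribute name at the front of 'cn={user}', '(uid={user})' or 'uid=%s,ou=...'."""
    m = re.match(r"\(?\s*([A-Za-z][\w.;-]*)\s*=", expr)
    return m.group(1) if m else None


def check_config(props: dict, prefix: str = "cas.authn.ldap[0].") -> list:
    """Flag a searchFilter that matches on a different attribute than dnFormat uses."""
    findings = []
    filter_attr = leading_attribute(props.get(prefix + "searchFilter", ""))
    dn_attr = leading_attribute(props.get(prefix + "dnFormat", ""))
    if filter_attr and dn_attr and filter_attr.lower() != dn_attr.lower():
        findings.append(
            f"searchFilter matches {filter_attr}=<login> but dnFormat builds the DN from "
            f"{dn_attr}; the entry resolver only finds the entry if {filter_attr} holds the login id")
    return findings


def triage_log(log: str) -> dict:
    """Pull the requested attributes, resolver hit count, bound DN and final
    attribute count out of CAS DEBUG output and flag the 'bound but no entry' pattern."""
    result = {"requested": [], "resolver_entries": None, "bound_dn": None,
              "principal_attrs": None, "findings": []}
    for line in log.splitlines():
        if m := REQUESTED_RE.search(line):
            result["requested"] = [a.strip() for a in m.group(1).split(",") if a.strip()]
        elif m := RESOLVED_RE.search(line):
            result["resolver_entries"] = m.group(1).count("dn=")  # one 'dn=' per entry
        elif m := SUCCESS_RE.search(line):
            result["bound_dn"] = m.group(1)
        elif m := CREATED_RE.search(line):
            result["principal_attrs"] = int(m.group(2))
    if result["bound_dn"] and result["resolver_entries"] == 0 and result["requested"]:
        result["findings"].append(
            "bind succeeded but the entry resolver search matched no entry, so none of the "
            "requested attributes can be populated; compare searchFilter with the bound DN")
    return result


if __name__ == "__main__":
    for f in check_config(parse_properties(CAS_CONFIG)) + triage_log(CAS_LOG)["findings"]:
        print("FINDING:", f)
```

Run against the posted log the script reports both findings; against a healthy login the resolver line carries at least one `dn=` inside `entries=[...]` and the `Created LDAP principal` line shows a non-zero attribute count, and nothing is flagged.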

Related

CAS delegated authentication with OAUTH2.0 not working

I was trying to add an oauth2.0 authentication provider in our cas (v6.1.x). But I was getting the following error.
```
2020-11-15 10:03:30,675 INFO [org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] - <Credentials are successfully authenticated using the delegated client [OauthClient]>
2020-11-15 10:03:36,492 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [ClientCredential(credentials=#OAuth20Credentials# | code: c.lKObb15ip36uiWfOYaTXEfQ | accessToken: com.github.scribejava.core.model.OAuth2AccessToken#5ca28902 |, clientName=OauthClient, typedIdUsed=true, userProfile=null)] of type [ClientCredential]. Examine the configuration to ensure a method of authentication is defined and analyze CAS logs at DEBUG level to trace the authentication event.>
2020-11-15 10:03:36,509 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[OauthClient]: [id cannot be blank]>
2020-11-15 10:03:36,513 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: NotYetAuthenticated-e111ad8e-8e6f-4edd-9de7-d2eae5040704
```
As you can see, the credentials are successfully authenticated. After that it redirected back with unauthorized access on the browser UI with the above error.
The properties I used for delegated authentication are given below:
```
cas.server.name=http://localhost:8080
cas.server.prefix=http://localhost:8080/cas
cas.authn.pac4j.oauth2[0].id=${CLIENT_ID}
cas.authn.pac4j.oauth2[0].secret=${CLIENT_SECRET}
cas.authn.pac4j.typedIdUsed=true
cas.authn.pac4j.principalAttributeId=email
cas.authn.pac4j.name=OauthClient
cas.authn.pac4j.order=0
cas.authn.pac4j.lazyInit=true
cas.authn.pac4j.oauth2[0].autoRedirect=false
cas.authn.pac4j.oauth2[0].principalAttributeId=email
cas.authn.pac4j.oauth2[0].enabled=true
cas.authn.pac4j.oauth2[0].authUrl=${AUTH_URL}
cas.authn.pac4j.oauth2[0].tokenUrl=${TOKEN_URL}
cas.authn.pac4j.oauth2[0].profileUrl=${PROFILE_URL}
cas.authn.pac4j.oauth2[0].profileVerb=GET
cas.authn.pac4j.oauth2[0].scope=profile,email,roles
cas.authn.pac4j.oauth2[0].clientName=OauthClient
```
Thanks in advance.

Need meaning of below debug message while authenticating via LDAP

Got Ldap context on server
This is part of the debug message. Was the first bind successful?

```
2X Mar 201X 15:36:36,880 DEBUG [ambari-client-thread-37] FilterBasedLdapUserSearch:115 - Searching for user 'XXXX', with user search [ searchFilter: '(&(sAMAccountName={0})(objectClass=posixAccount))', searchBase: '', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2X Mar 201X 15:36:36,917 DEBUG [ambari-client-thread-37] AbstractContextSource:349 - Got Ldap context on server 'ldap://rXXX92.corp.XXX.com:389/DC=corp,DC=XXX,DC=com'
2X Mar 201X 15:36:36,929 DEBUG [ambari-client-thread-37] DefaultAuthenticationEventPublisher:94 - No event was found for the exception org.apache.ambari.server.security.authorization.InvalidUsernamePasswordCombinationException
2X Mar 201X 15:36:36,929 DEBUG [ambari-client-thread-37] AmbariBasicAuthenticationFilter:185 - Authentication request for failed: org.apache.ambari.server.security.authorization.InvalidUsernamePasswordCombinationException: Unable to sign in. Invalid username/password combination.
```
No.
Looks like LDAP credentials are wrong: "Unable to sign in. Invalid username/password combination"

Kerberos Authentication for SQL Server

I am still seeing the following exception while trying to access SQL Server using Kerberos. What am I missing?
```
Connecting to jdbc:sqlserver://SERVER:PORT;databaseName=DB_NAME;integratedSecurity=true;authenticationScheme=JavaKerberos;applicationName=GAA-MFI-Switches; using com.microsoft.sqlserver.jdbc.SQLServerDriver = USER
Integrated authentication failed. ClientConnectionId:4d83d195-c50c-404e-8bb0-39d90d1b9fda
```
Some notes:
I created my keytab file KEY_TAB.keytab
Confirmed that my user has permission to access the database through SSMS
Initialized the krb cache like this:

```
kinit -k -t KEY_TAB.keytab USER#DOMAIN.COM
```

Ran 'klist' and verified that I can see my principal there:

```
>klist
Ticket cache: FILE:/tmp/krb5cc_cdc104145_9Z6n4S
Default principal: USER#DOMAIN.COM
Valid starting Expires Service principal
12/01/2017 14:19:10 12/02/2017 00:19:10 krbtgt/COMAIN.COM#DOMAIN.COM
renew until 12/08/2017 14:19:10
12/01/2017 14:19:38 12/02/2017 00:19:10 MSSQLSvc/[PLACEHOLDER].com:1433#DOMAIN.COM
renew until 12/08/2017 14:19:10
12/01/2017 14:19:48 12/02/2017 00:19:10 HTTP/[PLACEHOLDER].com#DOMAIN.COM
renew until 12/08/2017 14:19:10
```
What am I missing?

SonarQube authentication with LDAP not working

I'm having a problem getting LDAP authentication to work. Looking at the logs it seems to bind OK, but when I try to log in it doesn't look like it's hitting LDAP at all and I get "authentication failed".
In the logs I see:
```
2017.03.28 17:17:46 INFO web[org.sonar.INFO] Security realm: LDAP
2017.03.28 17:17:46 INFO web[o.s.p.l.LdapSettingsManager] User mapping: LdapUserMapping{baseDn=ou=people,o=intra,dc=sears,dc=com, request=(&(objectClass=*searsorgperson)(uid={0})), realNameAttribute=cn, emailAttribute=mail}
2017.03.28 17:17:46 INFO web[o.s.p.l.LdapSettingsManager] Groups will not be synchronized, because property 'ldap.group.baseDn' is empty.
2017.03.28 17:17:46 DEBUG web[o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldap://trprdirqr3.intra.searshc.com:389/ou=people,o=intra,dc=sears,dc=com, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.referral=follow}
2017.03.28 17:17:46 INFO web[o.s.p.l.LdapContextFactory] Test LDAP connection on ldap://trprdirqr3.intra.searshc.com:389/ou=people,o=intra,dc=sears,dc=com: OK
2017.03.28 17:17:46 INFO web[org.sonar.INFO] Security realm started
```
My config has the following:
```
# General Configuration
sonar.security.realm=LDAP
sonar.authenticator.createUsers=true
sonar.authenticator.class: org.sonar.plugins.ldap.LdapAuthenticator
sonar.security.savePassword=true
sonar.security.updateUserAttributes=true
ldap.url=ldap://trprdirqr3.intra.searshc.com:389/ou=people,o=intra,dc=sears,dc=com
# User Configuration
ldap.user.baseDn=ou=people,o=intra,dc=sears,dc=com
ldap.user.request=(&(objectClass=*searsorgperson)(uid={login}))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail
```
According to my LDAP admin, it does an anonymous check when it first comes up, but nothing else is done after that. So for some reason it doesn't seem to be hitting the LDAP server when I log in. I don't have any local IDs set up besides admin.
You have not configured an authenticated user to do the search.
That is, the first test, an anonymous bind, tests the connectivity. But to search for the user's DN, you need more than anonymous permissions. Then, once the DN is found, bind as the user logging in. But first you need to provide the LDAP DN of the proxy user that can search, and its password.
Also you have an asterisk (wildcard) in your objectClass search filter:

```
ldap.user.request=(&(objectClass=*searsorgperson)(uid={login}))
```

Or is that a formatting symbol? I am not sure objectClass can usually be searched that way.

Sonar successful authentication without password

I'm working on LDAP authentication support for Sonar. Users can authenticate using a blank password (no password) or the correct password. If a wrong password is entered, authentication fails.
Sonar should not allow any login with a blank password, even when this authentication depends on an external system like LDAP. Could you help me find a solution for this problem?
Stacktrace in sonar.log:

```
2015.04.27 18:39:19 DEBUG o.s.p.l.LdapUsersProvider User admin not found
2015.04.27 18:39:19 DEBUG User admin not found
2015.04.27 18:39:19 DEBUG o.s.p.l.LdapUsersProvider Requesting details for user admin
2015.04.27 18:39:19 DEBUG o.s.p.l.LdapSearch Search: LdapSearch{baseDn=DC=mycompany,DC=mycompany,DC=com, scope=subtree, request=(&(objectClass=user)(memberof=CN=gpfrcip-java,OU=IDC,OU=DSI,OU=DDA - France,OU=Access groups,OU=Groups,OU=Resources,DC=mycompany,DC=mycompany,DC=com)(SAMAccountName={0})), parameters=[admin], attributes=[mail, cn]}
2015.04.27 18:39:19 DEBUG o.s.p.l.LdapContextFactory Initializing LDAP context {java.naming.provider.url= myURL, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.referral=follow}
2015.04.27 18:39:19 DEBUG Requesting details for user admin
2015.04.27 18:39:19 DEBUG Search: LdapSearch{baseDn=DC=mycompany,DC=mycompany,DC=com, scope=subtree, request=(&(objectClass=user)(memberof=CN=gpfrcip-java,OU=IDC,OU=DSI,OU=DDA - France,OU=Access groups,OU=Groups,OU=Resources,DC=mycompany,DC=mycompany,DC=com)(SAMAccountName={0})), parameters=[admin], attributes=[mail, cn]}
2015.04.27 18:39:19 DEBUG Initializing LDAP context {java.naming.provider.url= myURL, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.referral=follow}
```

LDAP configuration for sonar-ldap-plugin-1.2:

```
sonar.security.realm: LDAP
sonar.authenticator.createUsers: false
ldap.url: myURL
ldap.user.baseDn: DC=mycompany,DC=mycompany,DC=com
ldap.bindDn:
ldap.bindPassword:
ldap.user.request: (&(objectClass=user)(memberof=CN=gpfrcip-java,OU=IDC,OU=DSI,OU=DDA - France,OU=Access groups,OU=Groups,OU=Resources,DC=mycompany,DC=mycompany,DC=com)(SAMAccountName={0}))
```
Any feedback will be highly appreciated.
Thanks in advance for your feedbacks.
Regards
Youssef ALAMI
I found the solution to this problem: I changed the LDAP plugin version to sonar-ldap-plugin-1.4 and authentication worked correctly.
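Two of the threads above turn on the same LDAP mechanics: the SonarQube answer describes search-then-bind (a proxy account searches for the user's DN, then the server is asked to bind as that DN), and the blank-password question shows what happens when an application treats "the bind did not fail" as "the password is right". RFC 4513 section 5.1.2 calls a simple bind with a name and an empty password an unauthenticated bind; a server that permits it answers success but grants only anonymous authorization, which is exactly the "any login with a blank password" symptom. The script below is an added example, not code from either thread, from SonarQube or from its LDAP plugin: a small in-memory model of a directory with those bind semantics, the naive bind-only check beside a hardened search-then-bind routine that rejects blank passwords before contacting the server, and a filter check for the wildcard `objectClass` assertion the answer questions. The `ModelDirectory` class, the `login_attribute` config key, the `example.org` DNs and all passwords are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class ModelDirectory:
    """Constructed in-memory stand-in for an LDAP server; models only simple bind and a
    one-attribute equality search, enough to show the two failure modes discussed above."""
    entries: dict                              # dn -> {attribute: value}
    passwords: dict                            # dn -> password
    allow_anonymous_search: bool = False       # as the answer says: anonymous cannot search users
    allow_unauthenticated_bind: bool = True    # RFC 4513 5.1.2 behaviour many servers leave enabled

    def simple_bind(self, dn: str, password: str) -> str:
        """Return the authorization identity the server grants: 'anonymous' or the DN."""
        if dn == "" and password == "":
            return "anonymous"                 # anonymous bind
        if password == "":
            # Name plus empty password is an *unauthenticated* bind: the server answers
            # success but the session is anonymous. A client that equates "bind succeeded"
            # with "password correct" therefore accepts blank passwords.
            if self.allow_unauthenticated_bind:
                return "anonymous"
            raise PermissionError("unauthenticated bind refused")
        if self.passwords.get(dn) == password:
            return dn
        raise PermissionError("invalidCredentials")

    def search(self, identity: str, attribute: str, value: str) -> list:
        """Equality search; refused for anonymous sessions unless the server allows it."""
        if identity == "anonymous" and not self.allow_anonymous_search:
            raise PermissionError("insufficientAccessRights")
        return [dn for dn, attrs in self.entries.items()
                if attrs.get(attribute, "").lower() == value.lower()]


def naive_bind_only(directory: ModelDirectory, dn: str, password: str) -> bool:
    """The weak pattern: 'the bind did not fail' taken as 'authenticated'."""
    try:
        directory.simple_bind(dn, password)
        return True
    except PermissionError:
        return False


def authenticate(directory: ModelDirectory, cfg: dict, login: str, password: str) -> str:
    """Search-then-bind as the SonarQube answer describes, plus a blank-password guard.
    Returns the user's DN on success and raises PermissionError otherwise."""
    if not password.strip():
        raise PermissionError("blank password rejected before contacting the server")
    # 1. bind as the proxy account; empty bindDn/bindPassword degrades to an anonymous session
    proxy = directory.simple_bind(cfg.get("ldap.bindDn", ""), cfg.get("ldap.bindPassword", ""))
    # 2. look up the user's DN; raises if the proxy session may not search
    matches = directory.search(proxy, cfg["login_attribute"], login)
    if len(matches) != 1:
        raise PermissionError("user not found or ambiguous")
    # 3. bind as the user with the supplied (non-blank) password
    return directory.simple_bind(matches[0], password)


def filter_warnings(user_request: str) -> list:
    """Flag a wildcard inside the objectClass assertion of a user search filter."""
    warnings = []
    for m in re.finditer(r"\(objectClass=([^)]*)\)", user_request, re.IGNORECASE):
        if "*" in m.group(1):
            warnings.append(f"objectClass assertion '{m.group(1)}' uses a wildcard; the standard "
                            "schema gives objectClass only an equality matching rule, so a "
                            "substring filter on it evaluates to Undefined and matches nothing")
    return warnings


def build_sample_directory() -> ModelDirectory:
    """Constructed sample data: one proxy account and one user (hypothetical DNs and passwords)."""
    return ModelDirectory(
        entries={
            "cn=proxy,ou=services,dc=example,dc=org": {"cn": "proxy"},
            "uid=alice,ou=people,dc=example,dc=org": {"uid": "alice", "cn": "Alice Example"},
        },
        passwords={
            "cn=proxy,ou=services,dc=example,dc=org": "proxy-secret",
            "uid=alice,ou=people,dc=example,dc=org": "alice-pass",
        },
    )


if __name__ == "__main__":
    d = build_sample_directory()
    cfg = {"ldap.bindDn": "cn=proxy,ou=services,dc=example,dc=org",
           "ldap.bindPassword": "proxy-secret", "login_attribute": "uid"}
    print("naive, blank password:", naive_bind_only(d, "uid=alice,ou=people,dc=example,dc=org", ""))
    print("hardened, good password:", authenticate(d, cfg, "alice", "alice-pass"))
    print(filter_warnings("(&(objectClass=*searsorgperson)(uid={login}))"))
```

The model makes the two configurations from the threads reproducible: with `ldap.bindDn` and `ldap.bindPassword` left empty the proxy step yields an anonymous session and the search is refused, and a blank user password never reaches the server at all. The same client-side guard belongs in any application that authenticates by binding, regardless of whether the directory also disables unauthenticated binds.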