CAS LDAP authentication failures against DNs that contain "/" characters


by Michael J. Barton


We have been using CAS (3.0.7) since September.  We have plans to upgrade to
3.2.1 later this summer.
Our implementation is using the LDAP authentication handler against our
Active Directory and has been working great until this problem cropped up
yesterday.

We have a handful of users that consistently fail to authenticate. When they
do, we see an error in CAS.LOG like:

2008-05-07 09:15:37,285 INFO
[org.jasig.cas.authentication.AuthenticationManagerImpl] -
AuthenticationHandler:
org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler failed to
authenticate the user which provided the following credentials: mbarton


A sample of the DN that fails is:

CN=mbarton,OU=Special Facilities -
Jadwin/Fine,OU=People,DC=pu,DC=win,DC=princeton,DC=edu


Testing a hunch we renamed the OU the account resides in, removing the "/"
character in the

   OU=Special Facilities - Jadwin/Fine

portion of the DN.  When we do this the user CAN authenticate.  We tested
user accounts in 3 other OUs, each of which have one or more "/" characters
in the name and in each case the user fails to authenticate.


Has anyone else seen and/or resolved this error?
Has the problem been corrected in CAS 3.2.1?


This appears to be a DN parsing error, but I don't know if it is in the base
CAS code or somewhere in the Spring framework (we are using version 1.12
with CAS 3.0.7).  When I set logging to DEBUG, I see
"org.springframework.validation.BindException" errors in the CAS.log.


Thanks in advance for any help/insight.


deployerConfigContext.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
    "http://www.springframework.org/dtd/spring-beans.dtd">
<beans>
    <bean id="authenticationManager"
          class="org.jasig.cas.authentication.AuthenticationManagerImpl">
        <property name="credentialsToPrincipalResolvers">
            <list>
                <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
                <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
            </list>
        </property>
        <property name="authenticationHandlers">
            <list>
                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
                    <property name="httpClient" ref="httpClient" />
                </bean>
                <!-- Bind handler: searches under searchBase with the filter, then binds as the DN it finds -->
                <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
                    <property name="filter" value="sAMAccountName=%u" />
                    <property name="searchBase" value="ou=People,dc=pu,dc=win,dc=princeton,dc=edu" />
                    <property name="contextSource" ref="contextSource" />
                </bean>
            </list>
        </property>
    </bean>
    <bean id="contextSource"
          class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
        <!-- credentials masked by the poster -->
        <property name="password" value="XXXXXXXXXX" />
        <property name="pooled" value="true" />
        <property name="urls">
            <list>
                <value>ldaps://pu.win.princeton.edu/</value>
            </list>
        </property>
        <property name="userName"
                  value="cn=XXXXXXX,ou=XXXXXXXX,ou=XXXXXX,dc=pu,dc=win,dc=princeton,dc=edu" />
        <property name="baseEnvironmentProperties">
            <map>
                <entry>
                    <key><value>java.naming.security.protocol</value></key>
                    <value>ssl</value>
                </entry>
                <entry>
                    <key><value>java.naming.security.authentication</value></key>
                    <value>simple</value>
                </entry>
            </map>
        </property>
    </bean>
</beans>


_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas


Re: CAS LDAP authentication failures against DNs that contain "/" characters

by scott_battaglia


Michael,

I don't believe we have any accounts here at RU that have "/" in them (and I think it's a banned character), so I can't try it out here.  Do you guys have any LDAP code (non-Spring) you can try it against, to take the Spring code out of the picture?

-Scott

On Wed, May 7, 2008 at 2:53 PM, Michael J. Barton <mbarton@...> wrote:

--
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

RE: CAS LDAP authentication failures against DNs that contain "/" characters

by Michael J. Barton


Scott,

Thanks for getting back to me.  We have code/apps in other languages (Perl, .NET, etc.) that do not have issues with our DNs, and per our directory services manager the "/" is not a banned character per RFC 2253 (and others).  I've also used tools like Apache Directory Studio and it respects these DNs.  Temporarily I can rename the OUs, changing the "/" to a "-", but our nightly directory synchronization processes rename the OUs back, so the renaming is not a sustainable solution.  I responded to your off-list email giving you some other information you were asking for.  Thanks again.

From: cas-bounces@... [mailto:cas-bounces@...] On Behalf Of Scott Battaglia
Sent: Wednesday, May 07, 2008 3:27 PM
To: Yale CAS mailing list
Cc: Steven E. Niedzwiecki
Subject: Re: CAS LDAP authentication failures against DNs that contain "/" characters

Re: CAS LDAP authentication failures against DNs that contain "/" characters

by scott_battaglia


Sorry, I meant it's a banned character at Rutgers in our NetIDs, so I can't create a test account with it ;-)

-Scott

On Thu, May 8, 2008 at 10:02 AM, Michael J. Barton <mbarton@...> wrote:

RE: CAS LDAP authentication failures against DNs that contain "/" characters

by Michael J. Barton


After I sent my response, it occurred to me that's what you meant.  Need more caffeine. :-)

From: cas-bounces@... [mailto:cas-bounces@...] On Behalf Of Scott Battaglia
Sent: Thursday, May 08, 2008 10:11 AM
To: Yale CAS mailing list
Subject: Re: CAS LDAP authentication failures against DNs that contain "/" characters

Re: CAS LDAP authentication failures against DNs that contain "/" characters

by scott_battaglia


I did some quick digging.  It looks like "/" is a reserved character in JNDI but not in LDAP, so it needs to be escaped.  I'm not sure if newer versions of Spring LDAP properly escape it.  Would you be able to set up a test CAS server locally, copying your LDAP configuration to it, and try it out?

-Scott

On Thu, May 8, 2008 at 10:20 AM, Michael J. Barton <mbarton@...> wrote:

After I sent my response, it occurred to me that is what you meant.  Need more caffeine. :-)

 

From: cas-bounces@... [mailto:cas-bounces@...] On Behalf Of Scott Battaglia
Sent: Thursday, May 08, 2008 10:11 AM


To: Yale CAS mailing list
Subject: Re: CAS LDAP authentication failures against DNs that contain"/"characters

 

Sorry, I meant its a banned character at Rutgers in our NetIds so I can't create a test account with it ;-)

-Scott

On Thu, May 8, 2008 at 10:02 AM, Michael J. Barton <mbarton@...> wrote:

Scott,

 

Thanks for getting back to me.  We have code/apps in other languages (Perl, .NET, etc.) that does not have issue with our DNs and per our directory services manager, the "/" is not a banned character per RFC 2253 (and others).  I've also used tools like Apache Directory Studio and it respects these DNs.  Temporarily I can rename the OUs, changing the "/" to a "-", but our nightly directory synchronization processes rename the OUs back, so the renaming is not a sustainable solution.     I responded to your off-list email giving you some other information you were asking for.  Thanks again.

 

 

From: cas-bounces@... [mailto:cas-bounces@...] On Behalf Of Scott Battaglia
Sent: Wednesday, May 07, 2008 3:27 PM
To: Yale CAS mailing list


Cc: Steven E. Niedzwiecki
Subject: Re: CAS LDAP authentication failures against DNs that contain "/"characters

 

Michael,

I don't believe we have any accounts here at RU that have "/" in them (and I think its a banned character) so I can't try it out here.  Do you guys have any LDAP code (non Spring) you can try it against to take the Spring code out of the picture?

-Scott

On Wed, May 7, 2008 at 2:53 PM, Michael J. Barton <mbarton@...> wrote:

We have been using CAS (3.0.7) since September.  We have plans to upgrade to
3.2.1 later this summer.
Our implementation is using the LDAP authentication handler against our
Active Directory and has been working great until this problem cropped up
yesterday.

We have a handful of users that consistently fail to authenticate. When they
do, we see an error in CAS.LOG like:

2008-05-07 09:15:37,285 INFO
[org.jasig.cas.authentication.AuthenticationManagerImpl] -
AuthenticationHandler:
org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler failed to
authenticate the user which provided the following credentials: mbarton


A sample of the DN that fails is:

CN=mbarton,OU=Special Facilities -
Jadwin/Fine,OU=People,DC=pu,DC=win,DC=princeton,DC=edu


Testing a hunch we renamed the OU the account resides in, removing the "/"
character in the

  OU=Special Facilities - Jadwin/Fine

portion of the DN.  When we do this the user CAN authenticate.  We tested
user accounts in 3 other OUs, each of which have one or more "/" characters
in the name and in each case the user fails to authenticate.


Has anyone else seen and/or resolved this error?
Has the problem been corrected in CAS 3.2.1?


This appears to be a DN parsing error, but I don't know if it is in the base
CAS code or somewhere in the Spring framework (we are using version 1.12
with CAS 3.0.7).  When set logging to DEBUG, I see
"org.springframework.validation.BindException" errors in the CAS.log


Thanks in advance for any help/insight.


deployerConfigContext.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
    "http://www.springframework.org/dtd/spring-beans.dtd">
<beans>
    <bean id="authenticationManager"
          class="org.jasig.cas.authentication.AuthenticationManagerImpl">
        <property name="credentialsToPrincipalResolvers">
            <list>
                <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
                <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
            </list>
        </property>
        <property name="authenticationHandlers">
            <list>
                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
                    <property name="httpClient" ref="httpClient" />
                </bean>
                <!-- searches for the user's entry with the filter below, then binds as the DN found -->
                <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
                    <property name="filter" value="sAMAccountName=%u" />
                    <property name="searchBase" value="ou=People,dc=pu,dc=win,dc=princeton,dc=edu" />
                    <property name="contextSource" ref="contextSource" />
                </bean>
            </list>
        </property>
    </bean>
    <!-- service account used for the search; the password is redacted -->
    <bean id="contextSource"
          class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
        <property name="password" value="XXXXXXXXXX" />
        <property name="pooled" value="true" />
        <property name="urls">
            <list>
                <value>ldaps://pu.win.princeton.edu/</value>
            </list>
        </property>
        <property name="userName" value="cn=XXXXXXX,ou=XXXXXXXX,ou=XXXXXX,dc=pu,dc=win,dc=princeton,dc=edu" />
        <property name="baseEnvironmentProperties">
            <map>
                <entry>
                    <key><value>java.naming.security.protocol</value></key>
                    <value>ssl</value>
                </entry>
                <entry>
                    <key><value>java.naming.security.authentication</value></key>
                    <value>simple</value>
                </entry>
            </map>
        </property>
    </bean>
</beans>

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas




--
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

RE: CAS LDAP authentication failures against DNs that contain "/" characters

by Michael J. Barton

I stood up a CAS 3.2.1 Server and configured it similarly to our production 3.0.7 instance.  The behavior is the same in both instances.

Any account that has a “/” character in a portion of its DN (i.e. “cn=mbarton,ou=Math/Physics Department,dc=Princeton,dc=edu”) fails to authenticate.

It would appear that Spring LDAP is not doing the escaping you suggested.  Any thoughts on how I should proceed?

-Mike

From: cas-bounces@... [mailto:cas-bounces@...] On Behalf Of Scott Battaglia
Sent: Thursday, May 08, 2008 12:16 PM
To: Yale CAS mailing list
Subject: Re: CAS LDAP authentication failures against DNs that contain "/" characters

I did some quick digging.  It looks like "/" is a reserved character in JNDI, but not LDAP so it needs to be escaped.  I'm not sure if newer versions of Spring LDAP properly escape.  Would you be able to set up a test CAS server locally copying your LDAP configuration to it and try it out?

-Scott

On Thu, May 8, 2008 at 10:20 AM, Michael J. Barton <mbarton@...> wrote:

After I sent my response, it occurred to me that this is what you meant.  Need more caffeine. :-)

From: cas-bounces@... [mailto:cas-bounces@...] On Behalf Of Scott Battaglia
Sent: Thursday, May 08, 2008 10:11 AM
To: Yale CAS mailing list
Subject: Re: CAS LDAP authentication failures against DNs that contain "/" characters

Sorry, I meant it's a banned character at Rutgers in our NetIds, so I can't create a test account with it ;-)

-Scott

On Thu, May 8, 2008 at 10:02 AM, Michael J. Barton <mbarton@...> wrote:

Scott,

Thanks for getting back to me.  We have code/apps in other languages (Perl, .NET, etc.) that do not have issues with our DNs and, per our directory services manager, the "/" is not a banned character per RFC 2253 (and others).  I've also used tools like Apache Directory Studio and they respect these DNs.  Temporarily I can rename the OUs, changing the "/" to a "-", but our nightly directory synchronization processes rename the OUs back, so the renaming is not a sustainable solution.  I responded to your off-list email giving you some other information you were asking for.  Thanks again.

From: cas-bounces@... [mailto:cas-bounces@...] On Behalf Of Scott Battaglia
Sent: Wednesday, May 07, 2008 3:27 PM
To: Yale CAS mailing list
Cc: Steven E. Niedzwiecki
Subject: Re: CAS LDAP authentication failures against DNs that contain "/" characters

Michael,

I don't believe we have any accounts here at RU that have "/" in them (and I think it's a banned character), so I can't try it out here.  Do you guys have any LDAP code (non-Spring) you can try it against to take the Spring code out of the picture?

-Scott

On Wed, May 7, 2008 at 2:53 PM, Michael J. Barton <mbarton@...> wrote:

We have been using CAS (3.0.7) since September.  We have plans to upgrade to
3.2.1 later this summer.
Our implementation is using the LDAP authentication handler against our
Active Directory and has been working great until this problem cropped up
yesterday.

We have a handful of users that consistently fail to authenticate. When they
do, we see an error in CAS.LOG like:

2008-05-07 09:15:37,285 INFO
[org.jasig.cas.authentication.AuthenticationManagerImpl] -
AuthenticationHandler:
org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler failed to
authenticate the user which provided the following credentials: mbarton


A sample of the DN that fails is:

CN=mbarton,OU=Special Facilities -
Jadwin/Fine,OU=People,DC=pu,DC=win,DC=princeton,DC=edu


Testing a hunch we renamed the OU the account resides in, removing the "/"
character in the

  OU=Special Facilities - Jadwin/Fine

portion of the DN.  When we do this the user CAN authenticate.  We tested
user accounts in 3 other OUs, each of which have one or more "/" characters
in the name and in each case the user fails to authenticate.


Has anyone else seen and/or resolved this error?
Has the problem been corrected in CAS 3.2.1?


This appears to be a DN parsing error, but I don't know if it is in the base
CAS code or somewhere in the Spring framework (we are using version 1.12
with CAS 3.0.7).  When I set logging to DEBUG, I see
"org.springframework.validation.BindException" errors in the CAS.log


Thanks in advance for any help/insight.


deployerConfigContext.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
    "http://www.springframework.org/dtd/spring-beans.dtd">
<beans>
    <bean id="authenticationManager"
          class="org.jasig.cas.authentication.AuthenticationManagerImpl">
        <property name="credentialsToPrincipalResolvers">
            <list>
                <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
                <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
            </list>
        </property>
        <property name="authenticationHandlers">
            <list>
                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
                    <property name="httpClient" ref="httpClient" />
                </bean>
                <!-- searches for the user's entry with the filter below, then binds as the DN found -->
                <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
                    <property name="filter" value="sAMAccountName=%u" />
                    <property name="searchBase" value="ou=People,dc=pu,dc=win,dc=princeton,dc=edu" />
                    <property name="contextSource" ref="contextSource" />
                </bean>
            </list>
        </property>
    </bean>
    <!-- service account used for the search; the password is redacted -->
    <bean id="contextSource"
          class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
        <property name="password" value="XXXXXXXXXX" />
        <property name="pooled" value="true" />
        <property name="urls">
            <list>
                <value>ldaps://pu.win.princeton.edu/</value>
            </list>
        </property>
        <property name="userName" value="cn=XXXXXXX,ou=XXXXXXXX,ou=XXXXXX,dc=pu,dc=win,dc=princeton,dc=edu" />
        <property name="baseEnvironmentProperties">
            <map>
                <entry>
                    <key><value>java.naming.security.protocol</value></key>
                    <value>ssl</value>
                </entry>
                <entry>
                    <key><value>java.naming.security.authentication</value></key>
                    <value>simple</value>
                </entry>
            </map>
        </property>
    </bean>
</beans>

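
Scott's diagnosis in the quoted reply above (that "/" is a reserved character in JNDI but ordinary data in an LDAP DN) can be checked directly with the JDK's own name classes, which is also the quickest way to take Spring LDAP out of the picture as he suggests. The following is an added example written for this thread; it is not CAS or Spring LDAP code. The class name, method names and the sample DN are constructed (the DN is modelled on the Math/Physics example in Mike's message, not a real account). It shows how a String DN is split by JNDI's composite-name parser, how the same DN parses cleanly as an LDAP name, and two ways an application can keep the DN intact: handing JNDI a javax.naming.Name instead of a String, or escaping the String in composite-name syntax before passing it.

```java
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.Name;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Demonstrates why a DN containing "/" breaks when handed to JNDI as a plain
 * String, and two ways to keep it intact. Added example; not CAS or Spring
 * LDAP code. Class and method names are hypothetical.
 */
public class JndiSlashDnCheck {

    /** Constructed sample DN, modelled on the one in the thread; not a real account. */
    static final String SAMPLE_DN =
        "cn=mbarton,ou=Math/Physics Department,dc=Princeton,dc=edu";

    /**
     * A String passed to a JNDI context method (search, lookup, ...) is parsed as a
     * CompositeName, whose component separator is "/". The sample DN therefore
     * reaches the LDAP provider as two components instead of one DN.
     */
    static int compositeComponentCount(String dn) throws InvalidNameException {
        return new CompositeName(dn).size();
    }

    /** LdapName parses RFC 2253 syntax: "," separates RDNs and "/" is ordinary data. */
    static int rdnCount(String dn) throws InvalidNameException {
        return new LdapName(dn).size();
    }

    /** Rdn.escapeValue leaves "/" alone: it is not a special character in LDAP DN syntax. */
    static String ldapEscaped(String attributeValue) {
        return Rdn.escapeValue(attributeValue);
    }

    /**
     * Fix 1 (preferred): pass a Name, not a String. A javax.naming.Name is used
     * as-is by the LDAP provider and is never re-parsed as a composite name.
     */
    static Name asJndiName(String dn) throws InvalidNameException {
        return new LdapName(dn);
    }

    /**
     * Fix 2: if an API only accepts a String, escape it in composite-name syntax
     * (escape character "\", separator "/"). The backslash is escaped first so
     * that any LDAP escapes already present in the DN (e.g. "\,") survive.
     */
    static String escapeForCompositeName(String dn) {
        return dn.replace("\\", "\\\\").replace("/", "\\/");
    }

    /** Check: the escaped String parses back to exactly one component equal to the DN. */
    static boolean escapeRoundTrips(String dn) throws InvalidNameException {
        CompositeName cn = new CompositeName(escapeForCompositeName(dn));
        return cn.size() == 1 && cn.get(0).equals(dn);
    }

    public static void main(String[] args) throws InvalidNameException {
        System.out.println("composite components: " + compositeComponentCount(SAMPLE_DN));
        System.out.println("LDAP RDNs:            " + rdnCount(SAMPLE_DN));
        System.out.println("Rdn.escapeValue:      " + ldapEscaped("Math/Physics Department"));
        System.out.println("as Name:              " + asJndiName(SAMPLE_DN));
        System.out.println("escaped String:       " + escapeForCompositeName(SAMPLE_DN));
        System.out.println("round trip ok:        " + escapeRoundTrips(SAMPLE_DN));
    }
}
```

Passing a Name rather than a String is the safer default, because it also covers the other composite-name metacharacters (backslash and quotes) without any application-side escaping; the escaping helper is for code paths where the library API takes only strings. Neither approach touches the entries in the directory, so it does not conflict with the nightly synchronization that renames the OUs back.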

Re: CAS LDAP authentication failures against DNs that contain "/" characters

by scott_battaglia