I have a problem implementing SSO on Liferay with CAS and LDAP

xlmig 2007-05-25
Hello everyone,

I am currently learning SSO, using Liferay, CAS and LDAP.

The LDAP structure is:
  .com
  ..example
  ...user (node)
  .system
  ..admin (node)

I enabled LDAP in Liferay, then installed the CAS server and client, and I want CAS to use the same LDAP as well. (I don't know whether this can be done.)
After configuring it, an error appeared. See below.

The deployerConfigContext.xml is also shown below:

I don't know where the mistake is; this problem has been troubling me for a week. If you can solve it, I would be very grateful.


2007-05-24 09:11:30,734 ERROR [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/cas-web].[cas]] - <Servlet.service() for servlet cas threw exception>
javax.naming.AuthenticationException: [LDAP: error code 49 - Bind failed: null]
       at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2985)
       at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
       at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2732)
       at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2646)
       at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
       at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
       at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
       at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
       at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
       at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
       at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
       at javax.naming.InitialContext.init(InitialContext.java:223)
       at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
       at org.springframework.ldap.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:59)
       at org.springframework.ldap.support.AbstractContextSource.createContext(AbstractContextSource.java:193)
       at org.springframework.ldap.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:104)
       at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:263)
       at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:314)
       at org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler.authenticateUsernamePasswordInternal(BindLdapAuthenticationHandler.java:70)
       at org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler.authenticate(AbstractUsernamePasswordAuthenticationHandler.java:58)
       at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:79)
       at org.jasig.cas.CentralAuthenticationServiceImpl.createTicketGrantingTicket(CentralAuthenticationServiceImpl.java:282)
       at org.jasig.cas.web.flow.AuthenticationViaFormAction.submit(AuthenticationViaFormAction.java:116)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at org.springframework.webflow.util.DispatchMethodInvoker.invoke(DispatchMethodInvoker.java:103)
       at org.springframework.webflow.action.MultiAction.doExecute(MultiAction.java:136)
       at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:203)
       at org.springframework.webflow.engine.AnnotatedAction.execute(AnnotatedAction.java:142)
       at org.springframework.webflow.engine.ActionExecutor.execute(ActionExecutor.java:61)
       at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:180)
       at org.springframework.webflow.engine.State.enter(State.java:200)
       at org.springframework.webflow.engine.Transition.execute(Transition.java:229)
       at org.springframework.webflow.engine.TransitionableState.onEvent(TransitionableState.java:112)
       at org.springframework.webflow.engine.Flow.onEvent(Flow.java:572)
       at org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent(RequestControlContextImpl.java:207)
       at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:185)
       at org.springframework.webflow.engine.State.enter(State.java:200)
       at org.springframework.webflow.engine.Transition.execute(Transition.java:229)
       at org.springframework.webflow.engine.TransitionableState.onEvent(TransitionableState.java:112)
       at org.springframework.webflow.engine.Flow.onEvent(Flow.java:572)
       at org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent(RequestControlContextImpl.java:207)
       at org.springframework.webflow.engine.impl.FlowExecutionImpl.signalEvent(FlowExecutionImpl.java:214)
       at org.springframework.webflow.executor.FlowExecutorImpl.resume(FlowExecutorImpl.java:238)
       at org.springframework.webflow.executor.support.FlowRequestHandler.handleFlowRequest(FlowRequestHandler.java:115)
       at org.springframework.webflow.executor.mvc.FlowController.handleRequestInternal(FlowController.java:170)
       at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
       at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
       at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
       at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
       at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
       at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:364)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
       at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
       at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
       at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
       at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
       at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
       at java.lang.Thread.run(Thread.java:595)

//////////////////////////////////////////////////////////////////////////////////////////

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
<!--
| deployerConfigContext.xml centralizes into one file some of the declarative configuration that
| all CAS deployers will need to modify.
|
| This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
| The beans declared in this file are instantiated at context initialization time by the Spring
| ContextLoaderListener declared in web.xml.  It finds this file because this
| file is among those declared in the context parameter "contextConfigLocation".
|
| By far the most common change you will need to make in this file is to change the last bean
| declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with
| one implementing your approach for authenticating usernames and passwords.
+-->
<beans>
  <!--
  | This bean declares our AuthenticationManager.  The CentralAuthenticationService service bean
  | declared in applicationContext.xml picks up this AuthenticationManager by reference to its id,
  | "authenticationManager".  Most deployers will be able to use the default AuthenticationManager
  | implementation and so do not need to change the class of this bean.  We include the whole
  | AuthenticationManager here in the userConfigContext.xml so that you can see the things you will
  | need to change in context.
  +-->
  <bean id="authenticationManager"
        class="org.jasig.cas.authentication.AuthenticationManagerImpl">
    <!--
    | This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate.
    | The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which
    | supports the presented credentials.
    |
    | AuthenticationManagerImpl uses these resolvers for two purposes.  First, it uses them to identify the Principal
    | attempting to authenticate to CAS /login .  In the default configuration, it is the DefaultCredentialsToPrincipalResolver
    | that fills this role.  If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace
    | DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are
    | using.
    |
    | Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket.
    | In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose.
    | You will need to change this list if you are identifying services by something more or other than their callback URL.
    +-->
    <property name="credentialsToPrincipalResolvers">
      <list>
        <!--
        | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
        | by default and produces SimplePrincipal instances conveying the username from the credentials.
        |
        | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
        | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
        | Credentials you are using.
        +-->
        <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
        <!--
        | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials.  It supports the CAS 2.0 approach of
        | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
        | SimpleService identified by that callback URL.
        |
        | If you are representing services by something more or other than an HTTPS URL whereat they are able to
        | receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
        +-->
        <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
      </list>
    </property>

    <!--
    | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate,
    | AuthenticationHandlers actually authenticate credentials.  Here we declare the AuthenticationHandlers that
    | authenticate the Principals that the CredentialsToPrincipalResolvers identified.  CAS will try these handlers in turn
    | until it finds one that both supports the Credentials presented and succeeds in authenticating.
    +-->
    <property name="authenticationHandlers">
      <list>
        <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
          <property name="httpClient" ref="httpClient" />
        </bean>

        <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
          <property name="filter" value="uid=%u" />
          <property name="searchBase" value="ou=system" />
          <property name="contextSource" ref="contextSource" />
        </bean>
      </list>
    </property>
  </bean>

  <bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
    <property name="anonymousReadOnly" value="false" />
    <property name="userName" value="uid=admin" />
    <property name="password" value="userPassword=secret" />
    <property name="pooled" value="true" />
    <property name="urls">
      <list>
        <value>ldap://localhost:10389/</value>
      </list>
    </property>

    <property name="baseEnvironmentProperties">
      <map>
        <entry>
          <key><value>java.naming.security.authentication</value></key>
          <value>simple</value>
        </entry>
      </map>
    </property>
  </bean>
</beans>
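The stack trace above fails inside LdapTemplate.search, i.e. before any user credential is tested: BindLdapAuthenticationHandler first binds with the contextSource's userName/password, then searches the searchBase with the filter (%u replaced by the login name), and only then binds as the entry it found. The script below, an added illustration and not CAS or Spring LDAP code, models that three-step flow against a constructed in-memory directory and shows where a code 49 can come from at each step. It assumes an Apache DS-style tree in which the admin entry is uid=admin,ou=system (consistent with the .system/..admin node in the post) and a constructed users branch ou=users,dc=example,dc=com; check_context_source encodes two sanity checks on the contextSource values that are assumptions, not CAS behaviour.

```python
"""Offline model of the bind -> search -> bind flow that CAS's
BindLdapAuthenticationHandler performs through the contextSource.
Added illustration, not CAS or Spring LDAP code; the directory and all
credentials below are constructed."""
import re

# Constructed in-memory directory shaped like the tree in the post:
# an admin entry under ou=system (Apache DS convention, assumed) and a
# users branch under dc=example,dc=com. Maps DN -> attribute values.
DIRECTORY = {
    "uid=admin,ou=system": {"uid": ["admin"], "userPassword": ["secret"]},
    "uid=alice,ou=users,dc=example,dc=com": {"uid": ["alice"], "userPassword": ["alice-pw"]},
}

LDAP_INVALID_CREDENTIALS = 49  # resultCode invalidCredentials (RFC 4511)


class LdapError(Exception):
    """Modelled on the JNDI exception text in the post's stack trace."""
    def __init__(self, code, message):
        super().__init__("[LDAP: error code %d - %s]" % (code, message))
        self.code = code


def bind(dn, password):
    """Simple bind. An unknown DN and a wrong password both yield code 49,
    so the error alone does not say which of the two is wrong."""
    entry = DIRECTORY.get(dn)
    if entry is None or password not in entry.get("userPassword", []):
        raise LdapError(LDAP_INVALID_CREDENTIALS, "Bind failed")
    return dn


def escape_filter_value(value):
    """RFC 4515 escaping so the login name cannot change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)


def render_filter(template, username):
    """CAS replaces %u in the configured filter ('uid=%u' in the post)."""
    return template.replace("%u", escape_filter_value(username))


def search(search_base, ldap_filter):
    """Subtree search supporting the single equality filter shape attr=value."""
    m = re.fullmatch(r"\(?([A-Za-z]+)=([^()]*)\)?", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr = m.group(1)
    # undo RFC 4515 escaping before comparing with stored attribute values
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), m.group(2))
    base = search_base.lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if (dn.lower() == base or dn.lower().endswith("," + base))
            and value in attrs.get(attr, [])]


def bind_ldap_authenticate(username, password, *, manager_dn, manager_password,
                           search_base, filter_template):
    """Returns the user's DN on success, None when the user is not found or the
    password is wrong; raises LdapError when the manager bind itself fails."""
    bind(manager_dn, manager_password)  # step 1: service bind with contextSource userName/password
    matches = search(search_base, render_filter(filter_template, username))  # step 2
    if len(matches) != 1:  # no match, or an ambiguous match, is a failed login
        return None
    try:
        return bind(matches[0], password)  # step 3: bind as the located entry
    except LdapError:
        return None


def check_context_source(user_name, password):
    """Sanity checks on the contextSource values (assumption: the server wants
    a full DN for userName and the raw secret, not attr=value, for password)."""
    findings = []
    if "," not in user_name:
        findings.append("userName has no parent component; a full DN such as uid=admin,ou=system is expected")
    if re.fullmatch(r"[A-Za-z]+=.*", password):
        findings.append("password looks like an attribute=value pair rather than the secret itself")
    return findings


if __name__ == "__main__":
    print(check_context_source("uid=admin", "userPassword=secret"))
    try:  # the values from the posted contextSource: manager bind fails before any search
        bind_ldap_authenticate("alice", "alice-pw", manager_dn="uid=admin",
                               manager_password="userPassword=secret",
                               search_base="ou=system", filter_template="uid=%u")
    except LdapError as e:
        print("manager bind:", e)
    print(bind_ldap_authenticate("alice", "alice-pw", manager_dn="uid=admin,ou=system",
                                 manager_password="secret",
                                 search_base="dc=example,dc=com", filter_template="uid=%u"))
```

Two things the model makes visible: the manager bind happens on every authentication attempt, so a wrong contextSource credential breaks every login rather than one user's; and a searchBase of ou=system will never locate a user who lives under dc=example,dc=com, which would surface as a silent login failure rather than an exception once the manager bind works.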

pikachu 2007-05-28
The LDAP password is wrong.
zhang_lizzy 2007-12-29
How did you end up solving this problem?
fb1984 2008-12-14
We are currently doing R&D work on integrating open-source information technologies. The security system mainly uses Sun OpenSSO 8.0. We have already implemented SSO for the application systems, integration of the application systems with the portal, and unified user provisioning with LDAP authentication. However, while integrating the portal with OpenSSO 8.0 we ran into a problem: the page redirection described in the official documentation does not happen. We don't know whether there are details we have overlooked. We hope that friends who have researched this area and already have it working can help us, and we would be very grateful to exchange research results. We also hope the official team can give a reply: has this feature already been implemented in the official development, or do we have to modify the portal ourselves to implement it? Thanks.
fishfree 2009-11-20
fb1984 wrote:
We are currently doing R&D work on integrating open-source information technologies. The security system mainly uses Sun OpenSSO 8.0. We have already implemented SSO for the application systems, integration of the application systems with the portal, and unified user provisioning with LDAP authentication. However, while integrating the portal with OpenSSO 8.0 we ran into a problem: the page redirection described in the official documentation does not happen. We don't know whether there are details we have overlooked. We hope that friends who have researched this area and already have it working can help us, and we would be very grateful to exchange research results. We also hope the official team can give a reply: has this feature already been implemented in the official development, or do we have to modify the portal ourselves to implement it? Thanks.

We are doing similar work; our LDAP server is Oracle Internet Directory. I now have a big question: people in different groups or organizational units in LDAP have different access rights to the business systems, and CAS has already been configured to authenticate against LDAP, so how do the business systems that use this CAS for SSO control the access rights of different types of users? If this control is placed in LDAP it is easier for the business systems, but then it is only unified identity authentication and has not reached the level of SSO. Using CAS+LDAP can reach unified authentication plus SSO, but the permission control is a real headache. I wonder how you handle this?
alanwu 2010-01-20
but then it is only unified identity authentication and has not reached the level of SSO
----
SSO means single sign-on; it does not say anything about unified authorization.

Using CAS+LDAP can reach unified authentication plus SSO, but the permission control is a real headache.
-----
Unless your LDAP permission management is done very well, I would suggest not mapping permission management onto LDAP.
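The exchange above separates two concerns: CAS backed by LDAP answers "who is this user?", while "what may this user do here?" is each business system's own decision. The following script, an added example that is none of the posters' code and not CAS, Liferay or OpenSSO code, shows one way to keep that boundary: the application reads the principal's directory groups after ticket validation but owns the group-to-role and role-to-action policy itself, denies by default, and returns a reason that can be logged. All DNs, group memberships, roles and actions are constructed; the DN normalization assumes the compared attribute values are case-insensitive, as cn is.

```python
"""Application-side authorization layered on CAS+LDAP single sign-on.
CAS, authenticating against LDAP, asserts only *who* the user is; each
business system keeps its own policy mapping directory groups to local
roles and roles to actions. Added example, not CAS, Liferay or OpenSSO
code; all DNs, roles and actions are constructed."""

# Constructed: the group DNs the application would read for a user from the
# directory once CAS has validated the service ticket. One entry is written
# with mixed case and spaces on purpose, as directories often return DNs.
GROUPS_OF = {
    "alice": ["cn=Finance, ou=groups, dc=example, dc=com"],
    "bob": ["cn=staff,ou=groups,dc=example,dc=com"],
}

# Policy owned by this application alone; another system would hold a
# different mapping for the very same directory groups.
GROUP_TO_ROLES = {
    "cn=finance,ou=groups,dc=example,dc=com": {"approver", "viewer"},
    "cn=staff,ou=groups,dc=example,dc=com": {"viewer"},
}
ROLE_TO_ACTIONS = {
    "approver": {"invoice:approve", "invoice:read"},
    "viewer": {"invoice:read"},
}


def normalize_dn(dn):
    """Canonical form for comparison: no whitespace around commas, lower case
    (assumption: the attribute values involved are case-insensitive)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def roles_for(principal):
    """Local roles derived from the principal's directory groups; a user CAS
    authenticated but who is in no mapped group simply gets no roles."""
    roles = set()
    for group in GROUPS_OF.get(principal, []):
        roles |= GROUP_TO_ROLES.get(normalize_dn(group), set())
    return roles


def authorize(principal, action):
    """Deny by default; return (decision, reason) so every decision is loggable."""
    roles = roles_for(principal)
    granting = sorted(r for r in roles if action in ROLE_TO_ACTIONS.get(r, set()))
    if not granting:
        return False, "denied: %s has no role permitting %s" % (principal, action)
    return True, "allowed: %s via role %s" % (action, granting[0])


if __name__ == "__main__":
    for who, what in [("alice", "invoice:approve"), ("bob", "invoice:approve"),
                      ("bob", "invoice:read"), ("carol", "invoice:read")]:
        print(who, what, authorize(who, what))
```

Because the policy tables live in the application, a second business system can grant the same LDAP group a different set of roles without touching the directory, which is the arrangement the last reply argues for when LDAP-side permission management is not mature.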