At work recently, we decided to implement a new CAS server to test out some of our ideas for improving Single Sign On in our ecosystem. My task was to set up the CAS server and connect it to our LDAP.
To get the server set up, I followed the very detailed instructions at the JASIG site using the Maven Overlay. I suggest following this guide. You’ll be happy you did. Once I got the Tomcat server set up, and had built the initial CAS implementation, I had to connect it to the LDAP server to make sure that we had something to authenticate against. Thankfully, there’s a helpful article on the JASIG site for that as well.
Things to look out for
After doing both of these things I began to test the server and the connections and discovered that every attempt to connect came back with an error of “CAS is unavailable.” Not what I wanted to see. Checking the catalina.out log I was able to see that despite having added the secure certificate to the keystore in Tomcat, the CAS server was not performing a valid handshake with our LDAP server. After doing some digging and asking around the office, I discovered that the server that holds our LDAP has both trusted and intermediate secure certificates, and I hadn’t put the whole chain of items into the keystore. That taken care of, I went back to testing, but got the “CAS is unavailable” error again.
At this point, the catalina.out log was not helpful, simply telling me that my bind user had failed to authenticate, and nothing more detailed than that. Trouble is, when I connected to the LDAP from the command line, the username and password worked like a charm. After referring back to the original setup document and the helpful LDAP article again, and wasting more time than I wanted to, I finally decided to ask the internet via StackOverflow.
The solution turned out to be crazy simple and irritated me that I hadn’t thought of this myself. In my settings in the deployerConfigContext.xml file, I had failed to escape a period in the bind user string: ou=People,o=school.edu,o=cp needed to be ou=People,o=school\.edu,o=cp. That was all. After that, the system worked like a charm.
If you’re using the same technologies and you run into trouble, hopefully this helps you a bit.