Milt,

To find out what is going on on the Moodle server you should enable the phpCAS debug log. This might give you a clue how this might happen. [1]

I assume that you are logging out of Moodle and you are triggering a logout on the CAS server. This then triggers the single sign-out during which the CAS server contacts all known services connected to the user session. Since your Moodle is probably not set up to handle logout requests [2] it assumes this access is just another unauthenticated client and redirects to CAS. The CAS server simply repeats the procedure until some certain threshold value is reached.

If it were a certificate error you would see socket connection errors. If you enable SSL debug flags for Java you will see more detail; in a vanilla setup it looks like a network connection failure. So my guess is it's not SSL related. Importing the internal CA into the Java certstore certainly would not hurt, but my guess is that this was already done with your internal CA. The HttpClient would not talk to an insecure URL unless you either force it or import the internal CA/Certificate.

Regards,

Joachim



[1] https://wiki.jasig.org/display/CASC/phpCAS+troubleshooting
[2] https://wiki.jasig.org/display/CASC/phpCAS+examples#phpCASexamples-HandlelogoutrequestsfromtheCASserver

On 22.05.2012 19:17, Milt Epstein wrote:
We're getting ready to deploy updated versions of CAS and Moodle, and
are in the process of testing things out.  We happened to notice that,
in certain situations, there's a redirect loop between the Moodle
server and the CAS server.  Here is a typical message from CAS
Tomcat's catalina.out:

[WARN] HttpClient - Error Sending message to url endpoint [https://.../login/index.php].  Error is [Server redirected too many  times (20)]

We've noticed that this happens upon logging out from Moodle (that may
be the only/main instance where this happens, we're not sure yet).

Now, our test Moodle server is just using a self-signed certificate.
We were thinking that perhaps this is a factor in the redirect loop --
on the logout, CAS tries to communicate with Moodle, but can't,
because it doesn't trust the certificate, so the result is a redirect
loop.

Is that possible?  Will this then go away when we move things to
production, and the Moodle server has a real signed certificate?  (Or
perhaps we can import our self-signed CA's certificate into the
truststore on the CAS server so that it trusts our Moodle self-signed
certificate?)

Or is there something else going on here?

Also, we were using this test Moodle server with our old CAS instance
(our production instance), and we weren't seeing these errors/loops.
Can that be because the configuration is different on that CAS server
(e.g., we're doing the service registry differently)?  (Or it already
trusts our self-signed CA?)

Thanks for any assistance on this.

Milt Epstein
Applications Developer
Graduate School of Library and Information Science (GSLIS)
University of Illinois at Urbana-Champaign (UIUC)
[email protected]
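
As an added illustration (not part of the original thread, and not phpCAS, Moodle or CAS code), this Python sketch models the behaviour described in the reply: a service that does not recognise the CAS single sign-out callback answers it with a redirect to the CAS login, while a service that handles it checks the sender, drops the session tied to the service ticket and answers without redirecting. The addresses, URL, ticket, session id and function names are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
CAS_LOGIN = "https://cas.example.edu/cas/login"  # constructed URL
TRUSTED_CAS_HOSTS = {"192.0.2.10"}               # constructed CAS server address
# service ticket -> local session, recorded when the ticket was validated at login
sessions_by_ticket = {"ST-1-constructed": "sess-abc"}
active_sessions = {"sess-abc"}

# Constructed back-channel body in the shape CAS posts on single sign-out
SAMPLE_XML = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="LR-1" Version="2.0">'
    "<samlp:SessionIndex>ST-1-constructed</samlp:SessionIndex></samlp:LogoutRequest>"
)
SAMPLE_BODY = urlencode({"logoutRequest": SAMPLE_XML})


def parse_logout_ticket(body):
    """Return the service ticket named in a logoutRequest POST body, or None."""
    fields = parse_qs(body)
    if "logoutRequest" not in fields:
        return None
    try:
        root = ET.fromstring(fields["logoutRequest"][0])
    except ET.ParseError:
        return None
    node = root.find(f"{{{SAMLP}}}SessionIndex")
    return node.text.strip() if node is not None and node.text else None


def handle_request(method, body, remote_addr, session_id=None, handle_slo=True):
    """Return (status, redirect_location) for a request to the protected page."""
    if handle_slo and method == "POST" and "logoutRequest" in parse_qs(body):
        if remote_addr not in TRUSTED_CAS_HOSTS:
            return 403, None  # only the CAS server may end sessions this way
        ticket = parse_logout_ticket(body)
        active_sessions.discard(sessions_by_ticket.pop(ticket, None))
        return 200, None      # callback answered, nothing for CAS to follow
    if session_id in active_sessions:
        return 200, None
    return 302, CAS_LOGIN     # treated as an unauthenticated client
```

Calling `handle_request` with `handle_slo=False` reproduces the redirect that the CAS HttpClient keeps following until it gives up.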


