Re: [cas-user] CAS 5 - ldap multiple OUs

2016-11-23 Thread Eric Allen
Awesome thanks.  

On Wednesday, November 23, 2016 at 11:06:39 AM UTC-7, Misagh Moayyed wrote:
>
> The second. 
>
>  
>
> --Misagh
>
>  
>
> *From:* Eric Allen [mailto:truc...@gmail.com ] 
> *Sent:* Wednesday, November 23, 2016 10:53 AM
> *To:* jasig-cas-user 
> *Cc:* cas-...@apereo.org ; mmoa...@unicon.net 
> *Subject:* Re: [cas-user] CAS 5 - ldap multiple OUs
>
>  
>
> To use that method would it look something like this?
>
> cas.authn.Ldap[0].type=AD
> cas.authn.Ldap[0].LdapUrl=https://ldap.example.org
> cas.authn.Ldap[0].baseDn=dc=example,dc=org
> cas.authn.Ldap[0].userFilter=cn={user}
> cas.authn.Ldap[0].bindDn=cn=cas_user,ou=utility,dc=example,dc=org
> cas.authn.Ldap[0].bindCredential=caspass
> cas.authn.Ldap[0].principalAttributeId=sAMAccountName
> cas.authn.Ldap[0].dnFormat=cn=%s,ou=users,dc=example,dc=org
> cas.authn.Ldap[1].dnFormat=cn=%s,ou=people,dc=example,dc=org
>
> or like
>
> cas.authn.Ldap[0].type=AD
> cas.authn.Ldap[0].LdapUrl=https://ldap.example.org
> cas.authn.Ldap[0].baseDn=dc=example,dc=org
> cas.authn.Ldap[0].userFilter=cn={user}
> cas.authn.Ldap[0].bindDn=cn=cas_user,ou=utility,dc=example,dc=org
> cas.authn.Ldap[0].bindCredential=caspass
> cas.authn.Ldap[0].principalAttributeId=sAMAccountName
> cas.authn.Ldap[0].dnFormat=cn=%s,ou=users,dc=example,dc=org
>
> cas.authn.Ldap[1].type=AD
> cas.authn.Ldap[1].LdapUrl=https://ldap.example.org
> cas.authn.Ldap[1].baseDn=dc=example,dc=org
> cas.authn.Ldap[1].userFilter=cn={user}
> cas.authn.Ldap[1].bindDn=cn=cas_user,ou=utility,dc=example,dc=org
> cas.authn.Ldap[1].bindCredential=caspass
> cas.authn.Ldap[1].principalAttributeId=sAMAccountName
> cas.authn.Ldap[1].dnFormat=cn=%s,ou=people,dc=example,dc=org
>
>
>
> On Wednesday, November 23, 2016 at 9:27:32 AM UTC-7, Misagh Moayyed wrote:
>
> You may have missed the obvious, which is that the index “[0]” is meant 
> to be incremented by you to support additional blocks and ldap authN 
> schemes. So what you can do is define a [1], repeat your settings more 
> or less and just narrow the base for both 0 and 1 to those OUs you care 
> about.
>
>  
>
> Or you come up with a fancier filter. 
>
>  
>
> --Misagh
>
>  
>
> *From:* cas-...@apereo.org [mailto:cas-...@apereo.org] *On Behalf Of *Eric 
> Allen
> *Sent:* Tuesday, November 22, 2016 6:03 PM
> *To:* CAS Community 
> *Subject:* [cas-user] CAS 5 - ldap multiple OUs
>
>  
>
> I'm currently stuck on how to setup authentication for two OUs in the same 
> LDAP connector.  I want to allow only the users that are in these two OUs 
> but not others. 
>
> The two OUs that I want to authenticate against are 
> ou=users,dc=example,dc=org and ou=people,dc=example,dc=org.  I'm using 
> example.org to keep the examples easier to understand. 
>
> I can get one OU to work just fine.  Current config:
>
> cas.authn.Ldap[0].type=AD
> cas.authn.Ldap[0].LdapUrl=https://ldap.example.org
> cas.authn.Ldap[0].baseDn=dc=example,dc=org
> cas.authn.Ldap[0].userFilter=cn={user}
> cas.authn.Ldap[0].bindDn=cn=cas_user,ou=utility,dc=example,dc=org
> cas.authn.Ldap[0].bindCredential=caspass
> cas.authn.Ldap[0].principalAttributeId=sAMAccountName
> cas.authn.Ldap[0].dnFormat=cn=%s,ou=users,dc=example,dc=org
>
> I have tried with multiple different options for the dnFormat trying 
> ldapsearch strings but to no success.  Any suggestions on limiting access 
> to two OUs?
>
>  
>
> Thanks
>
> Eric
>
>  
>
> -- 
> - CAS gitter chatroom: https://gitter.im/apereo/cas
> - CAS mailing list guidelines: 
> https://apereo.github.io/cas/Mailing-Lists.html
> - CAS documentation website: https://apereo.github.io/cas
> - CAS project website: https://github.com/apereo/cas
> --- 
> You received this message because you are subscribed to the Google Groups 
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to cas-user+u...@apereo.org.
> To view this discussion on the web visit 
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/74eb0615-fab6-4abb-b62e-30f9277ab341%40apereo.org
>  
> 
> .
>

Re: [cas-user] require group

2016-11-23 Thread David Hawes
I'd expect by the end of the year at the latest.

On 23 November 2016 at 12:21, pouria Mahmoudi  wrote:
> Oh by the way,
> Is it possible to tell me how soon this change would be merged?
>
> Thanks
>
>
> On Wednesday, November 23, 2016 at 9:00:14 AM UTC-8, pouria Mahmoudi wrote:
>>
>> Yes,
>> require cas-attribute GROUP_ATTRIBUTE:ADMIN is exactly what I needed but I
>> am not using samlValidate.
>>
>> Thanks David for the reply and I hope to get the new release with this fix
>> in it.
>>
>>
>> On Tuesday, November 22, 2016 at 3:07:39 PM UTC-8, dhawes wrote:
>>>
>>> On 22 November 2016 at 16:40, pouria Mahmoudi 
>>> wrote:
>>> > Hi Everyone,
>>> > I have a problem with getting group working with mod_auth_cas.
>>> >
>>> > Here is the snippet:
>>> > 
>>> > 
>>> > Authtype CAS
>>> > Require valid-user
>>> > Require group ADMIN
>>> > CASAuthNHeader cas
>>> > 
>>> > 
>>> >
>>> > I don't see any information related to group in CAS Cookie :
>>> >
>>> > http://uconn.edu/cas/mod_auth_cas;>
>>> >admin
>>> >1479847469143283
>>> >1479847469145147
>>> >/my_app/
>>> >ST-1-cJrtZmKMkuysdXXMXhRK-cas01.example.org
>>> >
>>> > 
>>> >
>>> > I don't know what I missing. Any help would be appreciated.
>>>
>>> I'm going to assume you're using mod_auth_cas v1.1.
>>>
>>> Are you using a /samlValidate endpoint? Something like:
>>>
>>> CASValidateURL https://login.example.org/cas/samlValidate
>>> CASValidateSAML On
>>>
>>> If so and you're not getting attributes, check with your CAS server
>>> admin.
>>>
>>> If you aren't using /samlValidate, the current version of mod_auth_cas
>>> does not support CASv2 attributes with /serviceValidate.
>>>
>>> You have 2 options:
>>>
>>> 1. Use /samlValidate.
>>> 2. Try this merge request:
>>> https://github.com/Jasig/mod_auth_cas/pull/110. I've successfully
>>> tested it and it should be merged soon.
>>>
>>> As for your require statement, you probably want something like:
>>>
>>> # assuming Apache 2.4
>>> # be sure to replace GROUP_ATTRIBUTE!
>>> require cas-attribute GROUP_ATTRIBUTE:ADMIN
>



Re: [cas-user] CAS 5 - ldap multiple OUs

2016-11-23 Thread Eric Allen
To use that method would it look something like this?

cas.authn.Ldap[0].type=AD
cas.authn.Ldap[0].LdapUrl=https://ldap.example.org
cas.authn.Ldap[0].baseDn=dc=example,dc=org
cas.authn.Ldap[0].userFilter=cn={user}
cas.authn.Ldap[0].bindDn=cn=cas_user,ou=utility,dc=example,dc=org
cas.authn.Ldap[0].bindCredential=caspass
cas.authn.Ldap[0].principalAttributeId=sAMAccountName
cas.authn.Ldap[0].dnFormat=cn=%s,ou=users,dc=example,dc=org
cas.authn.Ldap[1].dnFormat=cn=%s,ou=people,dc=example,dc=org

or like 
cas.authn.Ldap[0].type=AD
cas.authn.Ldap[0].LdapUrl=https://ldap.example.org
cas.authn.Ldap[0].baseDn=dc=example,dc=org
cas.authn.Ldap[0].userFilter=cn={user}
cas.authn.Ldap[0].bindDn=cn=cas_user,ou=utility,dc=example,dc=org
cas.authn.Ldap[0].bindCredential=caspass
cas.authn.Ldap[0].principalAttributeId=sAMAccountName
cas.authn.Ldap[0].dnFormat=cn=%s,ou=users,dc=example,dc=org

cas.authn.Ldap[1].type=AD
cas.authn.Ldap[1].LdapUrl=https://ldap.example.org
cas.authn.Ldap[1].baseDn=dc=example,dc=org
cas.authn.Ldap[1].userFilter=cn={user}
cas.authn.Ldap[1].bindDn=cn=cas_user,ou=utility,dc=example,dc=org
cas.authn.Ldap[1].bindCredential=caspass
cas.authn.Ldap[1].principalAttributeId=sAMAccountName
cas.authn.Ldap[1].dnFormat=cn=%s,ou=people,dc=example,dc=org


On Wednesday, November 23, 2016 at 9:27:32 AM UTC-7, Misagh Moayyed wrote:
>
> You may have missed the obvious, which is that the index “[0]” is meant 
> to be incremented by you to support additional blocks and ldap authN 
> schemes. So what you can do is define a [1], repeat your settings more 
> or less and just narrow the base for both 0 and 1 to those OUs you care 
> about.
>
>  
>
> Or you come up with a fancier filter. 
>
>  
>
> --Misagh
>
>  
>
> *From:* cas-...@apereo.org  [mailto:cas-...@apereo.org 
> ] *On Behalf Of *Eric Allen
> *Sent:* Tuesday, November 22, 2016 6:03 PM
> *To:* CAS Community 
> *Subject:* [cas-user] CAS 5 - ldap multiple OUs
>
>  
>
> I'm currently stuck on how to setup authentication for two OUs in the same 
> LDAP connector.  I want to allow only the users that are in these two OUs 
> but not others. 
>
> The two OUs that I want to authenticate against are 
> ou=users,dc=example,dc=org and ou=people,dc=example,dc=org.  I'm using 
> example.org to keep the examples easier to understand. 
>
> I can get one OU to work just fine.  Current config:
>
> cas.authn.Ldap[0].type=AD
> cas.authn.Ldap[0].LdapUrl=https://ldap.example.org
> cas.authn.Ldap[0].baseDn=dc=example,dc=org
> cas.authn.Ldap[0].userFilter=cn={user}
> cas.authn.Ldap[0].bindDn=cn=cas_user,ou=utility,dc=example,dc=org
> cas.authn.Ldap[0].bindCredential=caspass
> cas.authn.Ldap[0].principalAttributeId=sAMAccountName
> cas.authn.Ldap[0].dnFormat=cn=%s,ou=users,dc=example,dc=org
>
> I have tried with multiple different options for the dnFormat trying 
> ldapsearch strings but to no success.  Any suggestions on limiting access 
> to two OUs?
>
>  
>
> Thanks
>
> Eric
>
>  
>


[cas-user] CAS 4.2.7 error when deleting TGT tickets using JpaTicketRegistry (related to bug 1817)

2016-11-23 Thread Bekim
Hello

Using Mysql 5.5.x, Java 1.8.111, tomcat 8.5.x

Did overlay deployment of multiple versions to find the delta of failure.
cas 4.2.4 - deletes TGT tickets without causing an error
cas 4.2.5, 4.2.6, 4.2.7 - all versions fail with the message shown below.
Failure occurs at:
cas-server-support-jpa-ticket-registry/src/main/java/org/jasig/cas/ticket/registry/JpaTicketRegistry.java,
call entityManager.remove(ticket);

Looks similar to bug #1817, No EntityManager exception with 
JpaTicketRegistry, CAS 4.2.2, but not sure.

Did anyone encounter this issue and/or have any other ideas how to proceed?
Many thanks.

From: 
cas-server-support-jpa-ticket-registry/src/main/java/org/jasig/cas/ticket/registry/JpaTicketRegistry.java
/**
 * Removes the ticket.
 *
 * @param ticket the ticket
 * @return true if ticket was removed
 */
public boolean removeTicket(final Ticket ticket) {
    try {
        if (logger.isDebugEnabled()) {
            final Date creationDate = new Date(ticket.getCreationTime());
            logger.debug("Removing Ticket [{}] created: {}", ticket, creationDate.toString());
        }
        entityManager.remove(ticket);
        return true;
    } catch (final Exception e) {
        logger.error("Error removing {} from registry.", ticket, e);
    }
    return false;
}


2016-11-23 12:32:28,459 DEBUG [org.jasig.cas.ticket.registry.JpaTicketRegistry] - 
2016-11-23 12:32:28,459 ERROR [org.jasig.cas.ticket.registry.JpaTicketRegistry] - 
javax.persistence.TransactionRequiredException: No EntityManager with actual transaction available for current thread - cannot reliably process 'remove' call
    at org.springframework.orm.jpa.SharedEntityManagerCreator$SharedEntityManagerInvocationHandler.invoke(SharedEntityManagerCreator.java:278) ~[spring-orm-4.2.8.RELEASE.jar:4.2.8.RELEASE]
    at com.sun.proxy.$Proxy75.remove(Unknown Source) ~[?:?]
    at org.jasig.cas.ticket.registry.JpaTicketRegistry.removeTicket(JpaTicketRegistry.java:89) ~[cas-server-support-jpa-ticket-registry-4.2.7.jar:4.2.7]
    at org.jasig.cas.ticket.registry.JpaTicketRegistry.deleteTicketsFromResultList(JpaTicketRegistry.java:211) ~[cas-server-support-jpa-ticket-registry-4.2.7.jar:4.2.7]
    at org.jasig.cas.ticket.registry.JpaTicketRegistry.deleteTicketGrantingTickets(JpaTicketRegistry.java:241) ~[cas-server-support-jpa-ticket-registry-4.2.7.jar:4.2.7]
    at org.jasig.cas.ticket.registry.JpaTicketRegistry.deleteSingleTicket(JpaTicketRegistry.java:167) ~[cas-server-support-jpa-ticket-registry-4.2.7.jar:4.2.7]
    at org.jasig.cas.ticket.registry.AbstractTicketRegistry.deleteTicket(AbstractTicketRegistry.java:98) ~[cas-server-core-tickets-4.2.7.jar:4.2.7]
    at org.jasig.cas.ticket.registry.AbstractTicketRegistry$$FastClassBySpringCGLIB$$b70f3271.invoke() ~[cas-server-core-tickets-4.2.7.jar:4.2.7]
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) ~[spring-core-4.2.8.RELEASE.jar:4.2.8.RELEASE]
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:651) ~[spring-aop-4.2.8.RELEASE.jar:4.2.8.RELEASE]
    at org.jasig.cas.ticket.registry.JpaTicketRegistry$$EnhancerBySpringCGLIB$$b42f1b05.deleteTicket() ~[cas-server-support-jpa-ticket-registry-4.2.7.jar:4.2.7]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_111]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_111]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_111]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_111]
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:302) ~[spring-aop-4.2.8.RELEASE.jar:4.2.8.RELEASE]
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202) ~[spring-aop-4.2.8.RELEASE.jar:4.2.8.RELEASE]
    at com.sun.proxy.$Proxy86.deleteTicket(Unknown Source) ~[?:?]
    at org.jasig.cas.ticket.registry.TicketRegistryCleaner$1.apply(TicketRegistryCleaner.java:126) ~[cas-server-core-tickets-4.2.7.jar:4.2.7]
    at org.jasig.cas.ticket.registry.TicketRegistryCleaner$1.apply(TicketRegistryCleaner.java:1) ~[cas-server-core-tickets-4.2.7.jar:4.2.7]
    at com.google.common.collect.Iterators$8.transform(Iterators.java:799) ~[guava-18.0.jar:?]
    at com.google.common.collect.TransformedIterator.next(TransformedIterator.java:48) ~[guava-18.0.jar:?]
    at org.jasig.cas.ticket.registry.TicketRegistryCleaner.execute(TicketRegistryCleaner.java:139) ~[cas-server-core-tickets-4.2.7.jar:4.2.7]
    at org.quartz.core.JobRunShell.run(JobRunShell.java:202) ~[quartz-2.2.1.jar:?]
    at 

RE: [cas-user] CAS 5 - ldap multiple OUs

2016-11-23 Thread Misagh Moayyed
The second.



--Misagh



From: Eric Allen [mailto:trucke...@gmail.com]
Sent: Wednesday, November 23, 2016 10:53 AM
To: jasig-cas-user 
Cc: cas-user@apereo.org; mmoay...@unicon.net
Subject: Re: [cas-user] CAS 5 - ldap multiple OUs



To use that method would it look something like this?

cas.authn.Ldap[0].type=AD
cas.authn.Ldap[0].LdapUrl=https://ldap.example.org
cas.authn.Ldap[0].baseDn=dc=example,dc=org
cas.authn.Ldap[0].userFilter=cn={user}
cas.authn.Ldap[0].bindDn=cn=cas_user,ou=utility,dc=example,dc=org
cas.authn.Ldap[0].bindCredential=caspass
cas.authn.Ldap[0].principalAttributeId=sAMAccountName
cas.authn.Ldap[0].dnFormat=cn=%s,ou=users,dc=example,dc=org
cas.authn.Ldap[1].dnFormat=cn=%s,ou=people,dc=example,dc=org

or like

cas.authn.Ldap[0].type=AD
cas.authn.Ldap[0].LdapUrl=https://ldap.example.org
cas.authn.Ldap[0].baseDn=dc=example,dc=org
cas.authn.Ldap[0].userFilter=cn={user}
cas.authn.Ldap[0].bindDn=cn=cas_user,ou=utility,dc=example,dc=org
cas.authn.Ldap[0].bindCredential=caspass
cas.authn.Ldap[0].principalAttributeId=sAMAccountName
cas.authn.Ldap[0].dnFormat=cn=%s,ou=users,dc=example,dc=org

cas.authn.Ldap[1].type=AD
cas.authn.Ldap[1].LdapUrl=https://ldap.example.org
cas.authn.Ldap[1].baseDn=dc=example,dc=org
cas.authn.Ldap[1].userFilter=cn={user}
cas.authn.Ldap[1].bindDn=cn=cas_user,ou=utility,dc=example,dc=org
cas.authn.Ldap[1].bindCredential=caspass
cas.authn.Ldap[1].principalAttributeId=sAMAccountName
cas.authn.Ldap[1].dnFormat=cn=%s,ou=people,dc=example,dc=org




On Wednesday, November 23, 2016 at 9:27:32 AM UTC-7, Misagh Moayyed wrote:

You may have missed the obvious, which is that the index “[0]” is meant to 
be incremented by you to support additional blocks and ldap authN schemes. 
So what you can do is define a [1], repeat your settings more or less 
and just narrow the base for both 0 and 1 to those OUs you care about.



Or you come up with a fancier filter.



--Misagh



From: cas-...@apereo.org [mailto:cas-...@apereo.org] On Behalf Of Eric Allen
Sent: Tuesday, November 22, 2016 6:03 PM
To: CAS Community 
Subject: [cas-user] CAS 5 - ldap multiple OUs



I'm currently stuck on how to setup authentication for two OUs in the same 
LDAP connector.  I want to allow only the users that are in these two OUs 
but not others.

The two OUs that I want to authenticate against are 
ou=users,dc=example,dc=org and ou=people,dc=example,dc=org.  I'm using 
example.org to keep the examples easier to understand.

I can get one OU to work just fine.  Current config:

cas.authn.Ldap[0].type=AD
cas.authn.Ldap[0].LdapUrl=https://ldap.example.org
cas.authn.Ldap[0].baseDn=dc=example,dc=org
cas.authn.Ldap[0].userFilter=cn={user}
cas.authn.Ldap[0].bindDn=cn=cas_user,ou=utility,dc=example,dc=org
cas.authn.Ldap[0].bindCredential=caspass
cas.authn.Ldap[0].principalAttributeId=sAMAccountName
cas.authn.Ldap[0].dnFormat=cn=%s,ou=users,dc=example,dc=org

I have tried with multiple different options for the dnFormat trying 
ldapsearch strings but to no success.  Any suggestions on limiting access to 
two OUs?



Thanks

Eric



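Misagh's suggestion in the quoted reply (one cas.authn.Ldap[N] block per OU, each narrowed to its own base) modelled as an added example; this is not code from the thread or from the CAS project. It fills the %s of each block's dnFormat with a DN-escaped username (RFC 4514) and then checks that the resulting bind DN is still an immediate child of that block's baseDn, which is what narrowing the base is meant to guarantee. The LdapBlock class, the helpers and the sample usernames are this example's own assumptions; how CAS itself escapes the value is not shown in the thread.

```python
"""Added example, not from the thread or the CAS project: models the two
cas.authn.Ldap[N] blocks from the thread (one per OU) and shows how a bind
DN built from dnFormat=cn=%s,... should be formed and then checked."""
from dataclasses import dataclass
from typing import List, Tuple

# Characters that RFC 4514 section 2.4 requires escaping inside a DN value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for embedding in a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # a leading '#' would read as a hex-encoded value
            out.append("\\#")
        elif ch == " " and i in (0, last):  # leading/trailing spaces are otherwise dropped
            out.append("\\ ")
        elif ord(ch) < 0x20:                # control characters as \XX hex pairs
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def split_rdns(dn: str) -> List[str]:
    """Split a DN into its RDN strings, honouring backslash escapes so that an
    escaped comma inside a value does not start a new RDN."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


@dataclass(frozen=True)
class LdapBlock:
    """One cas.authn.Ldap[index] block, reduced to the settings that matter here
    (hypothetical model; url, bind credentials and the rest are omitted)."""
    index: int
    base_dn: str
    dn_format: str


# The two blocks from the thread, each narrowed to its own OU.
BLOCKS = [
    LdapBlock(0, "ou=users,dc=example,dc=org", "cn=%s,ou=users,dc=example,dc=org"),
    LdapBlock(1, "ou=people,dc=example,dc=org", "cn=%s,ou=people,dc=example,dc=org"),
]


def bind_dn_for(block: LdapBlock, username: str) -> str:
    """Fill dnFormat's %s with the escaped username."""
    return block.dn_format % escape_dn_value(username)


def unsafe_bind_dn(block: LdapBlock, username: str) -> str:
    """The same substitution without escaping, kept only for contrast."""
    return block.dn_format % username


def is_direct_child(dn: str, base_dn: str) -> bool:
    """True when dn has exactly one more RDN than base_dn and ends with base_dn
    (compared RDN by RDN, case-insensitively), i.e. the entry sits directly
    in that OU rather than somewhere deeper or outside it."""
    rdns = [r.lower() for r in split_rdns(dn)]
    base = [r.lower() for r in split_rdns(base_dn)]
    return len(rdns) == len(base) + 1 and rdns[1:] == base


def candidate_bind_dns(username: str) -> List[Tuple[int, str]]:
    """Bind DNs that each block would try for username, each verified to be a
    direct child of that block's baseDn. Raises if a DN escaped its OU."""
    out = []
    for block in BLOCKS:
        dn = bind_dn_for(block, username)
        if not is_direct_child(dn, block.base_dn):
            raise ValueError("bind DN %r is not directly under %s" % (dn, block.base_dn))
        out.append((block.index, dn))
    return out


if __name__ == "__main__":
    print(candidate_bind_dns("alice"))
    tricky = "bob,ou=admins"  # constructed value carrying DN metacharacters
    for fn in (bind_dn_for, unsafe_bind_dn):
        dn = fn(BLOCKS[0], tricky)
        print(fn.__name__, dn, is_direct_child(dn, BLOCKS[0].base_dn))
```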

Re: [cas-user] require group

2016-11-23 Thread pouria Mahmoudi
Yes,
*require cas-attribute GROUP_ATTRIBUTE:ADMIN* is exactly what I needed but 
I am not using samlValidate.

Thanks David for the reply and I hope to get the new release with this fix 
in it.


On Tuesday, November 22, 2016 at 3:07:39 PM UTC-8, dhawes wrote:
>
> On 22 November 2016 at 16:40, pouria Mahmoudi  > wrote: 
> > Hi Everyone, 
> > I have a problem with getting group working with mod_auth_cas. 
> > 
> > Here is the snippet: 
> >  
> >  
> > Authtype CAS 
> > Require valid-user 
> > Require group ADMIN 
> > CASAuthNHeader cas 
> >  
> >  
> > 
> > I don't see any information related to group in CAS Cookie : 
> > 
> > http://uconn.edu/cas/mod_auth_cas;> 
> >admin 
> >1479847469143283 
> >1479847469145147 
> >/my_app/ 
> >ST-1-cJrtZmKMkuysdXXMXhRK-cas01.example.org 
> > 
> >  
> > 
> > I don't know what I missing. Any help would be appreciated. 
>
> I'm going to assume you're using mod_auth_cas v1.1. 
>
> Are you using a /samlValidate endpoint? Something like: 
>
> CASValidateURL https://login.example.org/cas/samlValidate 
> CASValidateSAML On 
>
> If so and you're not getting attributes, check with your CAS server admin. 
>
> If you aren't using /samlValidate, the current version of mod_auth_cas 
> does not support CASv2 attributes with /serviceValidate. 
>
> You have 2 options: 
>
> 1. Use /samlValidate. 
> 2. Try this merge request: 
> https://github.com/Jasig/mod_auth_cas/pull/110. I've successfully 
> tested it and it should be merged soon. 
>
> As for your require statement, you probably want something like: 
>
> # assuming Apache 2.4 
> # be sure to replace GROUP_ATTRIBUTE! 
> require cas-attribute GROUP_ATTRIBUTE:ADMIN 
>



RE: [cas-user] IO error sending HTTP request to /samlValidate

2016-11-23 Thread Misagh Moayyed
You may want to consider upgrading the client itself, rather than a 
dependency it requires.



--Misagh



From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Manfredo 
Hopp
Sent: Tuesday, November 22, 2016 5:26 PM
To: Cas 
Subject: [cas-user] IO error sending HTTP request to /samlValidate



Hi, we have cas client applications using SAML 1.1 which we recently 
upgraded to SAML 1.1 V2.6.6.



With one of these applications (= front end) we are experiencing problems 
when accessing through cas.



These intermittent problems make this application unavailable and we end up 
changing the SAML version back to its prior jar version. (1.1)



We have Cas 4.0.1 installed and the client application is under 
spring/spring security (with spring security cas) version. Following are the pom 
artifact versions:



4.2.2.RELEASE

4.0.3.RELEASE

3.2.1

2.6.6

1.5

1.4.3



Cas 4.0.1 version has opensaml-2.5.1-1.jar version.

Could this difference in version generate some problem with clients, or is 
there any other known issue on this configuration?



Cas is running on tomcat 8.5.5 and the application is under tomcat 6.0.45.



Any comments on this would be greatly appreciated!



Manfredo







Stacktrace of problem

===

mensaje IO error sending HTTP request to /samlValidate
descripción El servidor encontró un error interno que hizo que no pudiera rellenar este requerimiento.
excepción
java.lang.RuntimeException: IO error sending HTTP request to /samlValidate
    org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:215)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
    org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:158)
    org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:143)
    org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
    org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:270)
    org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:97)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:121)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:121)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
    org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
    org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
causa raíz
java.io.IOException: Server returned HTTP response code: 403 for URL: https://my.domain/cas/samlValidate?TARGET=http%3A%2F%2Fmy.domain%2Fauth%2Flogin%2Fcas
    sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1627)
    sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:213)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
    org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:158)
    org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:143)
 

RE: [cas-user] CAS 5 - Is it possible to disable http (leaving only SSL) in the embedded tomcat?

2016-11-23 Thread Misagh Moayyed
The answer is also quite simple. Wrong setting.

https://apereo.github.io/cas/5.0.x/installation/Configuration-Properties.html#embedded-tomcat-httpajp



--Misagh



From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Erdal 
Gunyar
Sent: Wednesday, November 23, 2016 8:12 AM
To: CAS Community 
Subject: [cas-user] CAS 5 - Is it possible to disable http (leaving only 
SSL) in the embedded tomcat?



Hello all!



The question is quite simple: is it possible to disable http (leaving only 
SSL) in the embedded tomcat?



Like for the AJP mode, I've tried (never know): server.http.enabled=false

But nothing changed.



Does someone have any hint?





Thanks,



Erdal.





[cas-user] Re: CAS 5 - Is it possible to disable http (leaving only SSL) in the embedded tomcat?

2016-11-23 Thread Erdal Gunyar
More precision:

Actually all I have for the server is:
server.name=https://domain.com
server.port=443
server.context-path=/cas

And it still opens http on 8080 (looks like the default value).

By the way, removing the context path value or putting "/" in it will break the 
start up but that's another story :)

Erdal.

Le mercredi 23 novembre 2016 16:12:28 UTC+1, Erdal Gunyar a écrit :
>
> Hello all!
>
> The question is quite simple: is it possible to disable http (leaving only 
> SSL) in the embedded tomcat?
>
> Like for the AJP mode, I've tried (never know): server.http.enabled=false
> But nothing changed.
>
> Does someone have any hint?
>
>
> Thanks,
>
> Erdal.
>
>



[cas-user] CAS 5 - Is it possible to disable http (leaving only SSL) in the embedded tomcat?

2016-11-23 Thread Erdal Gunyar
Hello all!

The question is quite simple: is it possible to disable http (leaving only 
SSL) in the embedded tomcat?

Like for the AJP mode, I've tried (never know): server.http.enabled=false
But nothing changed.

Does someone have any hint?


Thanks,

Erdal.
