[cas-user] Re: 6.6.13 / REST / Get user profile with fresh ST

2023-12-08 Thread Chris SC
I've found the issue. Just a problem with the curl command.
When validating the ticket, just need to use curl with '--url' option to 
encode the url (ST Id contains special characters like '-'.)
Finally, the correct curl request is :
curl -k --url "https://myhost.mydomain.fr/cas/p3/serviceValidate?service=myhost.mydomain&ticket=ST-4-vodW-DXn3MSrZh1IDJ182HTy7yI-myhost"

Thank you.

On Thursday, 7 December 2023 at 16:54:02 UTC+1, Chris SC wrote:

> Hello, 
> I got an issue using REST. I can't validate a service ticket to get user's 
> attributes.
> One of our service providers needs to authenticate our users with REST (it 
> works here), but impossible to get the attributes by validating the ticket. 
> (with /cas/p3/serviceValidate...)
> The error is 'invalid ticket' ... yet I follow the instructions from 
> https://fawnoos.com/2019/06/12/cas61x-rest-api/
> If anyone can point me in the right direction you can see the logs
>
> Thank you 
> ---
> *1/ Get a TGT  : *
> ---
> *Actions : *
> curl -k -X POST -H "Content-Type: Application/x-www-form-urlencoded" \
>   -H "Accept: application/json" \
>   https://myhost.mydomain.fr/cas/v1/tickets?service="service.mydomain.com" \
>   -d "username=casuser&password=Mellon"
>
>
> *TGT-4-Jop40r5OJhCmXxnufayW-nKMtcKpD58j9YbxG2WHDU2GLq6hBZPXdtAswNK7p34jR7A-myhost*
>
> *Logs : *
>  BEGIN
> =
> WHO: casuser
> WHAT: TGT-4-p34jR7A-pccas02
> ACTION: TICKET_GRANTING_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Thu Dec 07 16:00:37 CET 2023
> CLIENT IP ADDRESS: 172.16.6.26
> SERVER IP ADDRESS: 192.168.159.192
> =
>
>  BEGIN
> =
> WHO:  casuser
> WHAT: {location=https://myhost.mydomain.fr/cas/v1/tickets/TGT-4-p34jR7A-myhost, status=201-CREATED}
> ACTION: REST_API_TICKET_GRANTING_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Thu Dec 07 16:00:37 CET 2023
> CLIENT IP ADDRESS: 172.16.6.26
> SERVER IP ADDRESS: 192.168.159.192
> =
>
>
> 
> *2/ Get a ST *
> ---
> curl -k -X POST -H "Content-Type: Application/x-www-form-urlencoded" \
>   -H "Accept: application/json" \
>   https://myhost.mydomain.fr/cas/v1/tickets/TGT-4-Jop40r5OJhCmXxnufayW-nKMtcKpD58j9YbxG2WHDU2GLq6hBZPXdtAswNK7p34jR7A-myhost?service="service.mydomain.com"
>
> *ST-4-vodW-DXn3MSrZh1IDJ182HTy7yI-myhost*
>
> =
> WHO:  casuser
> WHAT: {ticket=ST-4-2HTy7yI-myhost, service=myhost.mydomain}
> ACTION: SERVICE_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Thu Dec 07 16:03:52 CET 2023
> CLIENT IP ADDRESS: 172.16.6.26
> SERVER IP ADDRESS: 192.168.159.192
> =
>
> =
> WHO:  casuser
> WHAT: {body=ST-4-2HTy7yI-myhost, status=200-OK}
> ACTION: REST_API_SERVICE_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Thu Dec 07 16:03:52 CET 2023
> CLIENT IP ADDRESS: 172.16.6.26
> SERVER IP ADDRESS: 192.168.159.192
> =
>
>
> *3/ (less than 10 seconds later) Ticket validation (to get user profile) : *
>
> curl -k https://myhost.mydomain.fr/cas/p3/serviceValidate?service=myhost.mydomain"&"ticket=ST-4-vodW-DXn3MSrZh1IDJ182HTy7yI-myhost
>
> 
> Le ticket 
> 'ST-4-vodW-DXn3MSrZh1IDJ182HTy7yI-pccas02' est 
> inconnu
> 
>
> =
> WHO: audit:unknown
> WHAT: {ticket=ST-4-2HTy7yI-myhost, service=myhost.mydomain}
> ACTION: SERVICE_TICKET_VALIDATE_FAILED
> APPLICATION: CAS
> WHEN: Thu Dec 07 16:04:22 CET 2023
> CLIENT IP ADDRESS: 172.16.6.26
> SERVER IP ADDRESS: 192.168.159.192
> =
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7168f2bf-9ad5-45f1-88a1-782268764dabn%40apereo.org.
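
The three REST calls from this thread, with the request parameters encoded by the tooling instead of quoted by hand. This is an added example, not code from the original post or from the CAS project; `CAS_BASE`, `CAS_SERVICE`, `CAS_USER`, `CAS_PASS` and the function names are placeholders, and the endpoints are the ones shown in the messages above.

```shell
#!/bin/sh
# Added example: CAS REST flow (TGT -> ST -> /p3/serviceValidate) with every
# request parameter URL-encoded. Host, service and credentials are placeholders.

# Percent-encode a value for use in a query string (RFC 3986 unreserved
# characters are kept, everything else becomes %XX). ASCII input assumed.
urlencode() (
  LC_ALL=C; s=$1; out=
  while [ -n "$s" ]; do
    rest=${s#?}; c=${s%"$rest"}; s=$rest      # c = first character of s
    case $c in
      [A-Za-z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
)

# Build the validation URL. Both values are encoded, so '&', '?', ':' or '/'
# inside the service URL cannot split or alter the query string.
validate_url() {
  printf '%s/p3/serviceValidate?service=%s&ticket=%s' \
    "$1" "$(urlencode "$2")" "$(urlencode "$3")"
}

# Run the whole flow and print the validation response.
# No -k here: certificate verification stays on (use --cacert for a private CA).
cas_rest_profile() {
  base=$1; service=$2; user=$3; pass=$4

  # 1/ TGT: credentials travel in the POST body, encoded by curl.
  #    The TGT id is taken from the response (Location header or body).
  tgt=$(curl -sS -i -X POST "$base/v1/tickets" \
          --data-urlencode "username=$user" \
          --data-urlencode "password=$pass" |
        sed -n 's/.*\(TGT-[A-Za-z0-9._-]*\).*/\1/p' | head -n 1)
  [ -n "$tgt" ] || { echo "no TGT returned" >&2; return 1; }

  # 2/ ST, requested for the same service value that is sent at validation.
  st=$(curl -sS -X POST "$base/v1/tickets/$tgt" \
          --data-urlencode "service=$service")
  case $st in
    ST-*) ;;
    *) echo "no ST returned: $st" >&2; return 1 ;;
  esac

  # 3/ Validate immediately: service tickets are single-use and short-lived.
  curl -sS "$(validate_url "$base" "$service" "$st")"
}

# Network calls run only when CAS_BASE is set, for example:
#   CAS_BASE=https://cas.example.org/cas CAS_SERVICE=https://app.example.org \
#   CAS_USER=casuser CAS_PASS=... sh cas_rest.sh
if [ -n "${CAS_BASE:-}" ]; then
  cas_rest_profile "$CAS_BASE" "$CAS_SERVICE" "$CAS_USER" "$CAS_PASS"
fi
```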


[cas-user] 6.6.13 / REST / Get user profile with fresh ST

2023-12-07 Thread Chris SC
Hello, 
I got an issue using REST. I can't validate a service ticket to get user's 
attributes.
One of our service providers needs to authenticate our users with REST (it 
works here), but impossible to get the attributes by validating the ticket. 
(with /cas/p3/serviceValidate...)
The error is 'invalid ticket' ... yet I follow the instructions from 
https://fawnoos.com/2019/06/12/cas61x-rest-api/
If anyone can point me in the right direction you can see the logs

Thank you 
---
*1/ Get a TGT  : *
---
*Actions : *
curl -k -X POST -H "Content-Type: Application/x-www-form-urlencoded" \
  -H "Accept: application/json" \
  https://myhost.mydomain.fr/cas/v1/tickets?service="service.mydomain.com" \
  -d "username=casuser&password=Mellon"

*TGT-4-Jop40r5OJhCmXxnufayW-nKMtcKpD58j9YbxG2WHDU2GLq6hBZPXdtAswNK7p34jR7A-myhost*

*Logs : *
 BEGIN
=
WHO: casuser
WHAT: TGT-4-p34jR7A-pccas02
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Thu Dec 07 16:00:37 CET 2023
CLIENT IP ADDRESS: 172.16.6.26
SERVER IP ADDRESS: 192.168.159.192
=

 BEGIN
=
WHO:  casuser
WHAT: {location=https://myhost.mydomain.fr/cas/v1/tickets/TGT-4-p34jR7A-myhost, status=201-CREATED}
ACTION: REST_API_TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Thu Dec 07 16:00:37 CET 2023
CLIENT IP ADDRESS: 172.16.6.26
SERVER IP ADDRESS: 192.168.159.192
=



*2/ Get a ST *
---
curl -k -X POST -H "Content-Type: Application/x-www-form-urlencoded" \
  -H "Accept: application/json" \
  https://myhost.mydomain.fr/cas/v1/tickets/TGT-4-Jop40r5OJhCmXxnufayW-nKMtcKpD58j9YbxG2WHDU2GLq6hBZPXdtAswNK7p34jR7A-myhost?service="service.mydomain.com"

*ST-4-vodW-DXn3MSrZh1IDJ182HTy7yI-myhost*

=
WHO:  casuser
WHAT: {ticket=ST-4-2HTy7yI-myhost, service=myhost.mydomain}
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Thu Dec 07 16:03:52 CET 2023
CLIENT IP ADDRESS: 172.16.6.26
SERVER IP ADDRESS: 192.168.159.192
=

=
WHO:  casuser
WHAT: {body=ST-4-2HTy7yI-myhost, status=200-OK}
ACTION: REST_API_SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Thu Dec 07 16:03:52 CET 2023
CLIENT IP ADDRESS: 172.16.6.26
SERVER IP ADDRESS: 192.168.159.192
=


*3/ (less than 10 seconds later) Ticket validation (to get user profile) : *

curl -k https://myhost.mydomain.fr/cas/p3/serviceValidate?service=myhost.mydomain"&"ticket=ST-4-vodW-DXn3MSrZh1IDJ182HTy7yI-myhost


Le ticket 
'ST-4-vodW-DXn3MSrZh1IDJ182HTy7yI-pccas02' est 
inconnu


=
WHO: audit:unknown
WHAT: {ticket=ST-4-2HTy7yI-myhost, service=myhost.mydomain}
ACTION: SERVICE_TICKET_VALIDATE_FAILED
APPLICATION: CAS
WHEN: Thu Dec 07 16:04:22 CET 2023
CLIENT IP ADDRESS: 172.16.6.26
SERVER IP ADDRESS: 192.168.159.192
=



[cas-user] Re: 6.6.13 - OpenID Issue - Unable to locate authentication profile

2023-11-14 Thread Chris SC
Wow ...Finally : Problem solved !

Solution : 
In my cas.properties file : I just removed the ':443' here : 
cas.server.name: https://castest.mydomain.fr:443
cas.server.prefix: https://castest.mydomain.fr:443/cas

These parameters should probably have 'links' with the OpenID line : 
cas.authn.oidc.core.issuer=https://castest.mydomain.fr/cas/oidc

Really happy to have OpenID working for now :-)

Thanks, Christophe.

On Tuesday, 14 November 2023 at 11:13:00 UTC+1, Chris SC wrote:

> Hello Meysam
> Thanks for trying to help me ! 
> I strictly used your configuration, modifying only the hostnames with mine 
> and still having the same issue :-/
> Fellows here seem to have had the same issue without saying why in others 
> posts :-/
>
> I really wonder what I'm missing. If anyone knows the source code for this 
> error, please point me in the right direction...
>
> Things to note : 
>
>    - *I have checked for network issues*, on Tomcat, Apache2 AJP 
>    configuration, everything seems OK. I have tested Tomcat with https 
>    connector directly on 443 port : 
>
> <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
> <Connector port="443"
>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>            maxThreads="100" compression="on"
>            scheme="https" SSLEnabled="true" secure="true"
>            defaultSSLHostConfigName="castest.mydomain.fr">
>   <SSLHostConfig hostName="castest.mydomain.fr"
>                  protocols="TLSv1+TLSv1.1+TLSv1.2">
>     <Certificate certificateFile="conf/cas.mydomain.crt"
>                  certificateKeyFile="conf/cas.mydomain.fr.key"
>                  certificateChainFile="conf/geant_ov_rsa_ca_4.crt" />
>   </SSLHostConfig>
> </Connector>
>
>
>    - *What openID client do you use for testing ? I use these 2 :*
>       - Python client  : https://github.com/Aduneo/aduneoclientfedid
>       - Apache2 with mod_auth_openidc and this configuration :
>
> OIDCProviderAuthorizationEndpoint https://castest.mydomain.fr/cas/oidc/authorize
> OIDCClientID client
> OIDCClientSecret secret
> OIDCRemoteUserClaim sub
> OIDCScope "openid profile"
> OIDCRedirectURI https://myclient.mydomain.fr/secureoidc/redirect_uri
> LogLevel info auth_openidc:debug
> OIDCCryptoPassphrase xyzzyz
> AuthType openid-connect
> Require valid-user
>
>
>    - *Here is what is displaying launching cas webapp (using tomcat 9 
>    and openjdk 11)*
>
>  _  _   _ ___ _
> / \  |  _ \| |  _ \| / _ \   / ___|  / \  / ___|
>/ _ \ | |_) |  _| | |_) |  _|| | | | | | / _ \ \___ \
>   / ___ \|  __/| |___|  _ <| |__| |_| | | |___ / ___ \ ___) |
>  /_/   \_\_|   |_|_| \_\_\___/   \/_/   \_\/
>
>
> CAS Version: 6.6.13
> CAS Branch: 6.6.x
> CAS Commit Id: 7589c85d08b0ebc4f0e479f4a0448901e46ecb3c
> CAS Build Date/Time: 2023-11-14T08:28:48Z
> Spring Boot Version: 2.7.3
> Spring Version: 5.3.22
> Java Home: /opt/jdk-11.0.0.1
> Java Vendor: Oracle Corporation
> Java Version: 11.0.0.1
> JVM Free Memory: 2 GB
> JVM Maximum Memory: 3 GB
> JVM Total Memory: 2 GB
> OS Architecture: amd64
> OS Name: Linux
> OS Version: 5.15.0-88-generic
> OS Date/Time: 2023-11-14T09:54:43.298402
> OS Temp Directory: /opt/tomcat/temp
> 
> Apache Tomcat Version: Apache Tomcat/9.0.80
> 
>
>
>
> Thanks, 
> Christophe.
> On Tuesday, 14 November 2023 at 08:30:57 UTC+1, Meysam Shirazi wrote:
>
>> edit:
>> *cas.authn.oidc.core.issuer=https://casserver/cas/oidc*
>>
>> On Monday, November 13, 2023 at 11:19:51 PM UTC+3:30 Meysam Shirazi wrote:
>>
>>> Hi,
>>> I followed the below configuration, and everything worked fine:
>>> *CAS Version 6.6.x*
>>> *cas.properties*
>>>
>>>
>>>
>>>
>>>
>>> *cas.authn.oauth.crypto.encryption.key=0ZJCKvFSVO6PUKlzUqWzE5eXDerK_T7G1oSfGHfaAGMcas.auth
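
The mismatch fixed in this message, written as a check that can be run against a `cas.properties` file. This is an added example, not part of the original post or of the CAS project; the function names are hypothetical, and the rule it applies (`cas.server.name`, `cas.server.prefix` and the OIDC issuer share one origin, written identically, with no explicit default port) is an assumption drawn from the fix reported above. The two sample files are constructed from the values quoted in the message.

```shell
#!/bin/sh
# Added example (not CAS code): flag cas.properties files in which the server
# URLs and the OIDC issuer are not written with the same origin.
# The rule is an assumption taken from the fix reported in this thread.

# prop FILE KEY: value of KEY in a .properties file. Accepts "key=value" and
# "key: value" (both forms appear in the post). Last definition wins.
prop() {
  key=$(printf '%s' "$2" | sed 's/[.]/\\./g')
  tr -d '\r' < "$1" |
    sed -n "s/^[[:space:]]*${key}[[:space:]]*[=:][[:space:]]*//p" |
    sed 's/[[:space:]]*$//' | tail -n 1
}

# origin URL: the scheme://host[:port] part exactly as written, with no
# normalisation, because the point is how the value is spelled.
origin() {
  printf '%s\n' "$1" | sed -n 's|^\([a-z][a-z0-9+.-]*://[^/]*\).*|\1|p'
}

# check_cas_urls FILE: print findings, return 0 when consistent, 1 otherwise.
check_cas_urls() {
  rc=0
  name=$(prop "$1" cas.server.name)
  prefix=$(prop "$1" cas.server.prefix)
  issuer=$(prop "$1" cas.authn.oidc.core.issuer)
  for v in "$name" "$prefix" "$issuer"; do
    case $(origin "$v") in
      '') echo "missing or unparsable URL: '$v'"; rc=1 ;;
      https://*:443 | http://*:80) echo "explicit default port: $v"; rc=1 ;;
    esac
  done
  [ "$(origin "$prefix")" = "$name" ] ||
    { echo "cas.server.prefix does not start with cas.server.name"; rc=1; }
  [ "$(origin "$issuer")" = "$(origin "$prefix")" ] ||
    { echo "issuer origin differs from cas.server.prefix origin"; rc=1; }
  return "$rc"
}

# Constructed sample files: the settings before and after the ':443' removal.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/before.properties" <<'EOF'
cas.server.name: https://castest.mydomain.fr:443
cas.server.prefix: https://castest.mydomain.fr:443/cas
cas.authn.oidc.core.issuer=https://castest.mydomain.fr/cas/oidc
EOF
cat > "$tmp/after.properties" <<'EOF'
cas.server.name: https://castest.mydomain.fr
cas.server.prefix: https://castest.mydomain.fr/cas
cas.authn.oidc.core.issuer=https://castest.mydomain.fr/cas/oidc
EOF

check_cas_urls "$tmp/before.properties" || echo "before: inconsistent"
check_cas_urls "$tmp/after.properties" && echo "after: consistent"
```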

[cas-user] Re: 6.6.13 - OpenID Issue - Unable to locate authentication profile

2023-11-14 Thread Chris SC
Hello Meysam
Thanks for trying to help me ! 
I strictly used your configuration, modifying only the hostnames with mine 
and still having the same issue :-/
Fellows here seem to have had the same issue without saying why in others 
posts :-/

I really wonder what I'm missing. If anyone knows the source code for this 
error, please point me in the right direction...

Things to note : 

   - *I have checked for network issues*, on Tomcat, Apache2 AJP 
   configuration, everything seems OK. I have tested Tomcat with https 
   connector directly on 443 port : 

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->


   - *What openID client do you use for testing ? I use these 2 :*
      - Python client  : https://github.com/Aduneo/aduneoclientfedid
      - Apache2 with mod_auth_openidc and this configuration :

OIDCProviderAuthorizationEndpoint https://castest.mydomain.fr/cas/oidc/authorize
OIDCClientID client
OIDCClientSecret secret
OIDCRemoteUserClaim sub
OIDCScope "openid profile"
OIDCRedirectURI https://myclient.mydomain.fr/secureoidc/redirect_uri
LogLevel info auth_openidc:debug
OIDCCryptoPassphrase xyzzyz
AuthType openid-connect
Require valid-user


   - *Here is what is displaying launching cas webapp (using tomcat 9 
   and openjdk 11)*

 _  _   _ ___ _
/ \  |  _ \| |  _ \| / _ \   / ___|  / \  / ___|
   / _ \ | |_) |  _| | |_) |  _|| | | | | | / _ \ \___ \
  / ___ \|  __/| |___|  _ <| |__| |_| | | |___ / ___ \ ___) |
 /_/   \_\_|   |_|_| \_\_\___/   \/_/   \_\/


CAS Version: 6.6.13
CAS Branch: 6.6.x
CAS Commit Id: 7589c85d08b0ebc4f0e479f4a0448901e46ecb3c
CAS Build Date/Time: 2023-11-14T08:28:48Z
Spring Boot Version: 2.7.3
Spring Version: 5.3.22
Java Home: /opt/jdk-11.0.0.1
Java Vendor: Oracle Corporation
Java Version: 11.0.0.1
JVM Free Memory: 2 GB
JVM Maximum Memory: 3 GB
JVM Total Memory: 2 GB
OS Architecture: amd64
OS Name: Linux
OS Version: 5.15.0-88-generic
OS Date/Time: 2023-11-14T09:54:43.298402
OS Temp Directory: /opt/tomcat/temp

Apache Tomcat Version: Apache Tomcat/9.0.80




Thanks, 
Christophe.
On Tuesday, 14 November 2023 at 08:30:57 UTC+1, Meysam Shirazi wrote:

> edit:
> *cas.authn.oidc.core.issuer=https://casserver/cas/oidc*
>
> On Monday, November 13, 2023 at 11:19:51 PM UTC+3:30 Meysam Shirazi wrote:
>
>> Hi,
>> I followed the below configuration, and everything worked fine:
>> *CAS Version 6.6.x*
>> *cas.properties*
>>
>> cas.authn.oauth.crypto.encryption.key=0ZJCKvFSVO6PUKlzUqWzE5eXDerK_T7G1oSfGHfaAGM
>> cas.authn.oauth.crypto.signing.key=_d6j3pacsAy_V7WP55RB-H0HtwfSawKav6aV8rUPuRPBDqDhAeJXpqjrtZwqTiUPkNOz2jcb5nLqJJ73ygqROw
>> cas.authn.oauth.access-token.crypto.encryption.key=8wK97XDbYzeDhSzZgfcFWp3SHW_Lr-h69cGtWYZjJz0
>> cas.authn.oauth.access-token.crypto.signing.key=pqhKnchYuvHNze33lPJXZaxmaSLSQpKQS9PttqplwblZfgRnufcElzxfL52g8CClOJnp5OKZwxcBzQF69Tw_-Q
>> cas.authn.oidc.core.issuer=https://oauth.iritco.ir/cas/oidc
>> cas.authn.oidc.jwks.file-system.jwks-file=file:///etc/cas/config/keystore.jwks
>>
>> *Service definition:*
>>
>> {
>>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>>   "clientId": "clientid",
>>   "clientSecret": "clientSecret",
>>   "serviceId" : "http://localhost:3000/(.*)",
>>   "name" : "OAuthService",
>>   "id" : 11,
>>   "scopes" : [ "java.util.HashSet", [ "profile", "openid" ] ],
>>   "idTokenIssuer": "https://casserver/cas/oidc"
>> }
>>
>> *Sample request:*
>>
>> https://casserver/cas/oidc/authorize?response_type=code&client_id=clientid&scope=openid&redirect_uri=https:%2F%2Flocalhost:3000
>>
>>
>> On Monday, November 13, 2023 at 8:33:49 PM UTC+3:30 Chris SC wrote:
>>
>>> Hello, 
>>> I've spent hours trying to figure out a solution to this issue with 
>>> openOID :-/
>>> I have a fine working 6.6.13 C

[cas-user] 6.6.13 - OpenID Issue - Unable to locate authentication profile

2023-11-13 Thread Chris SC
Hello, 
I've spent hours trying to figure out a solution to this issue with openOID 
:-/
I have a fine working 6.6.13 CAS server with LDAP,MFA settings... and for 
now I absolutely need to authenticate OpenID clients.

I would be very grateful if someone could help me. Technical details are 
below, 
Thanks in advance Christophe

I've added OIDC support and tested it with a sample client application. 
When trying to authenticate openID Client : I'm having 
java.lang.IllegalArgumentException: Unable to locate authentication profile


*I searched for help on this group and found several similar cases, but 
without concrete solutions : *
https://groups.google.com/a/apereo.org/g/cas-user/c/YTZsZZQVesY/m/nxbCxUbyAQAJ
https://groups.google.com/a/apereo.org/g/cas-user/c/WbXWmp_8WIU/m/b7aEUbxWBAAJ

*cas.properties*
cas.authn.oidc.core.issuer=https://castest.mydomain.fr/cas/oidc
cas.authn.oidc.jwks.file-system.jwks-file=file:///etc/cas/config/keystore.jwks
cas.authn.oidc.discovery.scopes=openid,profile,email
cas.authn.oauth.crypto.encryption.key=IXotJflftrjq-yVfLiVp6YBWgsulwKdmSBzT-OtdU60
cas.authn.oauth.crypto.signing.key=kAsV7VOpqSAX5xx4zRuqvGHKuZgqdfV4pyd04TRqLj6NK8hr4GlJWVrWxzIlVqRdY0fBJ4NYqZ-o4KyeBhC-0w
cas.authn.oauth.access-token.crypto.encryption.key=tXFri9upjTBapQn1Ww4Vp4Ya40xr4sFX72vNIB5oGUg
cas.authn.oauth.access-token.crypto.signing.key=qwEa09A_EbkAMte7CaJrODfcF73mSly6dYpaDVTPmkx8VlX_1Q5dh9b3G0-UnTtQ1Nx3SCIxRwOoQ4cK-SsW1A

*Service definition:*
{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "clientId" : "client",
  "clientSecret" : "secret",
  "serviceId" : "^(https?)://.*",
  "name" : "testOIDC",
  "id" : 20231,
  "description" : "testOIDC",
  "scopes" : [ "java.util.HashSet", [ "openid", "profile", "email" ] ],
  "idTokenIssuer": "https://castest.mydomain.fr/cas/oidc",
  "attributeReleasePolicy" : {
   "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  }
}

*Sample request : *
https://castest.mydomain.fr/cas/oidc/authorize?response_type=code&client_id=client&scope=openid&redirect_uri=https%3A%2F%2Fcasclient%2Fclient%2Foidc%2Flogin%2Fcallback

> java.lang.IllegalArgumentException: Unable to locate authentication 
profile

*Things to note:*

   - OpenID Discovery URL works fine : 
   https://castest.mydomain.fr/cas/oidc/.well-known/openid-configuration 
   - Everything is OK when I tried to authenticate to 
   https://castest.mydomain.fr/cas/login 
   - I tried to minimize all other configuration (LDAP settings, MFA, 
   Throttle etc...)
   - I tried some 6.5.X versions
   - I had set up debug logs in log4j2.xml : 


**

   - And everything seems OK : 

2023-11-13 15:45:29,667 DEBUG 
[org.apereo.cas.oidc.services.OidcServiceRegistryListener] - 
2023-11-13 15:45:29,667 DEBUG 
[org.apereo.cas.oidc.services.OidcServiceRegistryListener] - 
2023-11-13 15:45:29,670 INFO 
[org.apereo.cas.services.AbstractServicesManager] - 

Complete Exception : 
2023-11-13 15:45:03,828 ERROR 
[org.springframework.boot.web.servlet.support.ErrorPageFilter] - 

java.lang.IllegalArgumentException: Unable to locate authentication profile
    at org.apereo.cas.support.oauth.web.endpoints.OAuth20AuthorizeEndpointController.lambda$redirectToCallbackRedirectUrl$0(OAuth20AuthorizeEndpointController.java:174) ~[cas-server-support-oauth-core-api-6.6.13.jar:6.6.13]
    at java.util.Optional.orElseThrow(Optional.java:408) ~[?:?]
    at org.apereo.cas.support.oauth.web.endpoints.OAuth20AuthorizeEndpointController.redirectToCallbackRedirectUrl(OAuth20AuthorizeEndpointController.java:174) ~[cas-server-support-oauth-core-api-6.6.13.jar:6.6.13]
    at org.apereo.cas.support.oauth.web.endpoints.OAuth20AuthorizeEndpointController.handleRequest(OAuth20AuthorizeEndpointController.java:106) ~[cas-server-support-oauth-core-api-6.6.13.jar:6.6.13]
    at org.apereo.cas.oidc.web.controllers.authorize.OidcAuthorizeEndpointController.handleRequest(OidcAuthorizeEndpointController.java:58) ~[cas-server-support-oidc-core-api-6.6.13.jar:6.6.13]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
    at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
    at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205) ~[spring-web-5.3.22.jar:5.3.22]
    at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:150) ~[spring-web-5.3.22.jar:5.3.22]
    at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:117) ~[spring-webmvc-5.3.22.jar:5.3.22]
    at org.springframework.web.servlet.mvc.method.annotation.RequestMapping

[cas-user] Re: 6.6.13 - MFA Trusted devices / expiration

2023-11-06 Thread Chris SC
I understand better now :-) the expiration for trusted device is +100 
years, with a solution with couchDB. 
Thanks for pointing out the template and 'divs' in question.

Christophe.

On Friday, 3 November 2023 at 23:19:18 UTC+1, Anthony Oslund wrote:

>
> We are using simple MFA, but as far as the expiration (need to re-MFA) 
> goes the following may help.
>
> Researched every possible expiration property and found they were ignored.
>
> If you take a close look at the "expirationDate": 
> "2123-11-03T09:23:27.000+00:00" from your note, this is set to expire 100 
> years in the future.  No matter what we configured it always set the 
> expiration to 100 years in the future.
>
> Due to this and other issues with caching with JDBC we settled on caching 
> (including MFA) to couchDb.  Had never used couchDb before, but it 
> literally took 10-15 minutes to install and config.
>
> If you search for "MFA expiration with couchDb" in this list it explains 
> the solution we ended up using to be able to expire MFA.  Not perfect, but 
> very workable.
>
> On Friday, November 3, 2023 at 5:16:18 AM UTC-5 Chris SC wrote:
>
>> Hello, 
>> [version 6.6.13]
>> I'm working on the implementation of the MFA with the Google Auth. 
>> provider and Trusted Devices.
>> I have a question concerning the configuration of Trusted Devices.
>>
>> First time the user comes to a 'Register Device' screen (after MFA Google 
>> Auth screen), with 2 fields: 
>> 1/ Name of the current device 
>> > I want to hide this one on the template. What is the template name 
>> please ?
>>
>> 2/ Duration for registered device
>> > I want to hide this one too, by forcing an expiry time for everyone 
>> (30 days)
>>
>> I've seen some of previous 6.6 configurations using : 
>> cas.authn.mfa.trusted.expiration=30
>> cas.authn.mfa.trusted.timeUnit=DAY
>>
>> But these 2 parameters are no longer available in 6.6.13.
>> I thought that this part was now delegated on the provider side, but I 
>> can't find anything on the Google Auth configuration.
>>
>> For now, If I take a look at storage, default expiration is 1 year.
>> So How to set this parameter for now ?
>>
>> [
>> {
>> "id": 1699003407119,
>> "principal": "testuser",
>> "deviceFingerprint": "OO5ovcvIZWMPRebiQZGGp6nK2lT1GzElrgtUN87acB8ADGOy",
>> "recordDate": "2023-11-03T10:23:27+01:00",
>> "recordKey": 
>> "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCIsImtpZCI6IjBjNjQyMzg3LTM3M2EtNDZkZi1iOGM3LTEyNGNlZmJiMDhlNyJ9.ZXlKNmFYQWlPaUpFUlVZaUxDSmhiR2NpT2lKa2FYSWlMQ0psYm1NaU9pSkJNVEk0UTBKRExVaFRNalUySWl3aVkzUjVJam9pU2xkVUlpd2lkSGx3SWpvaVNsZFVJdIUWhmMmt1dWFlQTQ0TFNjTmhnRDFHb1ZSVW5WejVwSWt0QWsuN3JkWkswX0lTcENaMVQ3a1BFOF9LQQ.hW-Q2nsqjhr0Dnx3LIBJilZgBRoyPAKA8RLN5x2Vtzl44lmizs4-EV-ftwU8jIx7Z7whpTgp6DASz49pc6NO8g",
>> "name": "charming_wilson",
>> "expirationDate": "2123-11-03T09:23:27.000+00:00"
>> }
>> ]
>>
>>
>> Thanks for your help! 
>> Christophe.
>>
>>
>> Current MFA trusted devices configuration : 
>> ##
>> ## MFA / Trusted Devices :
>> ##
>>
>> cas.authn.mfa.trusted.mongo.clientUri=mongodb://user:x@localhost:27017/cas-mongo-database
>> cas.authn.mfa.trusted.mongo.collection=TrustedRepository
>> cas.authn.mfa.trusted.mongo.drop-collection=false
>>
>> cas.authn.mfa.trusted.core.authentication-context-attribute=isFromTrustedMultifactorAuthentication
>> cas.authn.mfa.trusted.core.device-registration-enabled=true
>> as.authn.mfa.trusted.core.auto-assign-device-name=true
>>
>> cas.authn.mfa.trusted.crypto.enabled=true
>> as.authn.mfa.trusted.crypto.encryption.key=xxx
>> cas.authn.mfa.trusted.crypto.signing.key=xxx
>>
>> cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.encryption.key=xxx
>>
>> cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.signing.key=xxx
>>
>



[cas-user] 6.6.13 - MFA Trusted devices / expiration

2023-11-03 Thread Chris SC
Hello, 
[version 6.6.13]
I'm working on the implementation of the MFA with the Google Auth. provider 
and Trusted Devices.
I have a question concerning the configuration of Trusted Devices.

First time the user comes to a 'Register Device' screen (after MFA Google 
Auth screen), with 2 fields: 
1/ Name of the current device 
> I want to hide this one on the template. What is the template name 
please ?

2/ Duration for registered device
> I want to hide this one too, by forcing an expiry time for everyone 
(30 days)

I've seen some of previous 6.6 configurations using : 
cas.authn.mfa.trusted.expiration=30
cas.authn.mfa.trusted.timeUnit=DAY

But these 2 parameters are no longer available in 6.6.13.
I thought that this part was now delegated on the provider side, but I 
can't find anything on the Google Auth configuration.

For now, If I take a look at storage, default expiration is 1 year.
So How to set this parameter for now ?

[
{
"id": 1699003407119,
"principal": "testuser",
"deviceFingerprint": "OO5ovcvIZWMPRebiQZGGp6nK2lT1GzElrgtUN87acB8ADGOy",
"recordDate": "2023-11-03T10:23:27+01:00",
"recordKey": 
"eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCIsImtpZCI6IjBjNjQyMzg3LTM3M2EtNDZkZi1iOGM3LTEyNGNlZmJiMDhlNyJ9.ZXlKNmFYQWlPaUpFUlVZaUxDSmhiR2NpT2lKa2FYSWlMQ0psYm1NaU9pSkJNVEk0UTBKRExVaFRNalUySWl3aVkzUjVJam9pU2xkVUlpd2lkSGx3SWpvaVNsZFVJdIUWhmMmt1dWFlQTQ0TFNjTmhnRDFHb1ZSVW5WejVwSWt0QWsuN3JkWkswX0lTcENaMVQ3a1BFOF9LQQ.hW-Q2nsqjhr0Dnx3LIBJilZgBRoyPAKA8RLN5x2Vtzl44lmizs4-EV-ftwU8jIx7Z7whpTgp6DASz49pc6NO8g",
"name": "charming_wilson",
"expirationDate": "2123-11-03T09:23:27.000+00:00"
}
]


Thanks for your help! 
Christophe.


Current MFA trusted devices configuration : 
##
## MFA / Trusted Devices :
##
cas.authn.mfa.trusted.mongo.clientUri=mongodb://user:x@localhost:27017/cas-mongo-database
cas.authn.mfa.trusted.mongo.collection=TrustedRepository
cas.authn.mfa.trusted.mongo.drop-collection=false
cas.authn.mfa.trusted.core.authentication-context-attribute=isFromTrustedMultifactorAuthentication
cas.authn.mfa.trusted.core.device-registration-enabled=true
as.authn.mfa.trusted.core.auto-assign-device-name=true

cas.authn.mfa.trusted.crypto.enabled=true
as.authn.mfa.trusted.crypto.encryption.key=xxx
cas.authn.mfa.trusted.crypto.signing.key=xxx
cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.encryption.key=xxx
cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.signing.key=xxx



Re: [cas-user] CAS 6.6.x - SAML (Shibboleth), Unable to Decrypt EncryptedData

2023-04-19 Thread 'Chris Durham' via CAS Community
Second update - I can reproduce this error with the samltest.id website - 
which also uses a Shib 3.0 based solution.

Would anyone else be willing to create a test against that site to validate 
whether it's just my configuration or potentially a general CAS issue?

Thanks in advance!

On Friday, 31 March 2023 at 23:34:19 UTC-5 Chris Durham wrote:

>
> Hey
>
> Thanks for those suggestions - finally got to the bottom of it - and Ray, 
> you were on the right lines...
>
> The IDP metadata we had got from the client was 'prettily' formatted, 
> which included helpfully adding carriage returns and spaces after the 
> X509Certificate start tag and before the end tag - grr.. removing those and 
> giving CAS those resolved the problem.  Will go back to the client and let 
> them know not to do that for anyone else either!
>
> Thanks for the help!
> Chris
> On Friday, 31 March 2023 at 10:41:26 UTC-5 Ray Bon wrote:
>
>> Chris,
>>
>> It could be that the vendor is using an encryption certificate different 
>> from the one you are expecting.
>>
>> Ray
>>
>> On Thu, 2023-03-30 at 19:58 -0700, 'Chris Durham' via CAS Community wrote:
>>
>> Notice: This message was sent from outside the University of Victoria 
>> email system. Please be cautious with links and sensitive information.
>>
>>
>> Hi, 
>>
>> We've got CAS 6.6.x running beautifully with delegated IDP logins to 
>> multiple SAML providers, but the most recent one we've had to integrate 
>> with is causing me some headaches.
>>
>> The initial redirect works fine, but when it comes back CAS displays the 
>> SAML message but then fails to decrypt the SAML message and I can't figure 
>> out why - has anyone come across anything similar before?
>>
>> Chris
>>
>> Logs.. 
>>
>> 63ff8111b2f8 2023-03-30 20:01:28,342 ERROR [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - > valid subject assertion found in response
>> 63ff8111b2f8 2023-03-30 20:01:28,341 ERROR [org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator] - > assertion failed, continue with the next one>
>> 63ff8111b2f8 2023-03-30 20:01:28,341 ERROR [org.opensaml.saml.saml2.encryption.Decrypter] - > encountered an error decrypting element content: Failed to decrypt EncryptedData>
>> 63ff8111b2f8 2023-03-30 20:01:28,341 ERROR [org.opensaml.xmlsec.encryption.support.Decrypter] - > EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver>
>> 63ff8111b2f8 2023-03-30 20:01:28,341 DEBUG [org.opensaml.xmlsec.encryption.support.Decrypter] - > EncryptedData using EncryptedKeyResolver>
>> 63ff8111b2f8 2023-03-30 20:01:28,341 DEBUG [org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator] -
>> 63ff8111b2f8 2023-03-30 20:01:28,341 DEBUG [org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator] - > org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyResolver>
>> 63ff8111b2f8 2023-03-30 20:01:28,341 DEBUG [org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator] - > org.opensaml.saml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver>
>> 63ff8111b2f8 2023-03-30 20:01:28,341 DEBUG [org.opensaml.xmlsec.encryption.support.Decrypter] - > EncryptedData using key extracted from EncryptedKey failed: >
>> 63ff8111b2f8 2023-03-30 20:01:28,341 ERROR [org.opensaml.xmlsec.encryption.support.Decrypter] - > EncryptedKey, valid decryption key could not be resolved>
>> 63ff8111b2f8 2023-03-30 20:01:28,341 DEBUG [org.opensaml.xmlsec.encryption.support.Decrypter] - > EncryptedKey using credential from KEK KeyInfo resolver failed: >
>> 63ff8111b2f8 2023-03-30 20:01:28,341 ERROR [org.opensaml.xmlsec.encryption.support.Decrypter] - > encrypted key: Unwrapping failed>
>> 63ff8111b2f8 2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.algorithm.AlgorithmSupport] - > include list, nothing to evaluate>
>> 63ff8111b2f8 2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.algorithm.AlgorithmSupport] - > exclude list, nothing to evaluate>
>> 63ff8111b2f8 2023-03-30 20:01:28,338 DEBUG [org.opensaml.xmlsec.encryption.support.Decrypter] - > URI against include and exclude list

Re: [cas-user] CAS 6.6.x - SAML (Shibboleth), Unable to Decrypt EncryptedData

2023-04-19 Thread 'Chris Durham' via CAS Community
Turns out my earlier 'solution' was a red herring.

So I'm still stuck with the problem that I can't get CAS to handle this 
particular IDP which sends encrypted responses.  I've confirmed that the 
cert that they are using matches the one in the metadata etc.

I'm assuming that if there was a mismatch in times, then that would show up 
as a skew error rather than a failure to decrypt the message?  I'm also 
assuming that since CAS is trying to decode it, it at least knows it is 
encrypted - is it possible that the key is not where it's expecting it (and 
is that a CAS issue for not looking or a provider one for being 
'different') - obviously this is a bit of a stretch suggestion as I don't 
know if it would even be possible to return it in different places within 
the response!

Thanks
Chris

On Friday, 31 March 2023 at 23:34:19 UTC-5 Chris Durham wrote:

>
> Hey
>
> Thanks for those suggestions - finally got to the bottom of it - and Ray, 
> you were on the right lines...
>
> The IDP metadata we had got from the client was 'prettily' formatted, 
> which included helpfully adding carriage returns and spaces after the 
> X509Certificate start tag and before the end tag - grr.. removing those and 
> giving CAS those resolved the problem.  Will go back to the client and let 
> them know not to do that for anyone else either!
>
> Thanks for the help!
> Chris
> On Friday, 31 March 2023 at 10:41:26 UTC-5 Ray Bon wrote:
>
>> Chris,
>>
>> It could be that the vendor is using an encryption certificate different 
>> from the one you are expecting.
>>
>> Ray
>>
>> On Thu, 2023-03-30 at 19:58 -0700, 'Chris Durham' via CAS Community wrote:
>>
>> Notice: This message was sent from outside the University of Victoria 
>> email system. Please be cautious with links and sensitive information.
>>
>>
>> Hi, 
>>
>> We've got CAS 6.6.x running beautifully with delegated IDP logins to 
>> multiple SAML providers, but the most recent one we've had to integrate 
>> with is causing me some headaches.
>>
>> The initial redirect works fine, but when it comes back CAS displays the 
>> SAML message but then fails to decrypt the SAML message and I can't figure 
>> out why - has anyone come across anything similar before?
>>
>> Chris
>>
>> Logs.. 
>>

[cas-user] CAS 6.6.x - Override Spring Version

2023-04-03 Thread 'Chris Durham' via CAS Community
Hi,

We use the overlay version of CAS 6.6.7 and because of Snyk warnings need 
to override the version of Spring from 5.3.22 to 5.3.26.

I've been back through the log4j remediation stuff and tried to follow 
those guidelines alongside an older requirement to upgrade Spring from 
5.2.0, but am unable to get the generated war file to include the new files 
and exclude the old ones.

I added a bootWar section

bootWar {
    entryCompression = ZipEntryCompression.STORED
    overlays {
        cas {
            from "org.apereo.cas:cas-server-webapp${project.appServer}:${project.'cas.version'}@war"
            provided = false
            excludes = ["WEB-INF/lib/spring-*-5.3.22.*.jar"]
        }
    }
}

and updated the dependencies section with


compileOnly "org.springframework:spring-aop:${springVersion}"
compileOnly "org.springframework:spring-beans:${springVersion}"
compileOnly "org.springframework:spring-context:${springVersion}"
compileOnly "org.springframework:spring-context-support:${springVersion}"
compileOnly "org.springframework:spring-core:${springVersion}"
compileOnly "org.springframework:spring-expression:${springVersion}"
compileOnly "org.springframework:spring-jcl:${springVersion}"
compileOnly "org.springframework:spring-jdbc:${springVersion}"
compileOnly "org.springframework:spring-jms:${springVersion}"
compileOnly "org.springframework:spring-messaging:${springVersion}"
compileOnly "org.springframework:spring-orm:${springVersion}"
compileOnly "org.springframework:spring-oxm:${springVersion}"
compileOnly "org.springframework:spring-tx:${springVersion}"
compileOnly "org.springframework:spring-web:${springVersion}"
compileOnly "org.springframework:spring-webmvc:${springVersion}"

Where springVersion is defined as "5.3.26"

I'm presuming the issue is that Spring is pulled in from multiple projects 
- but do I have to list every single one?

Thanks

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2f93cf5f-d33e-4c89-a455-f1910875c61dn%40apereo.org.


Re: [cas-user] CAS 6.6.x - SAML (Shibboleth), Unable to Decrypt EncryptedData

2023-03-31 Thread 'Chris Durham' via CAS Community

Hey

Thanks for those suggestions - finally got to the bottom of it - and Ray, 
you were on the right lines...

The IDP metadata we had got from the client was 'prettily' formatted, which 
included helpfully adding carriage returns and spaces after the 
X509Certificate start tag and before the end tag - grr.. removing those and 
giving CAS those resolved the problem.  Will go back to the client and let 
them know not to do that for anyone else either!

Thanks for the help!
Chris
On Friday, 31 March 2023 at 10:41:26 UTC-5 Ray Bon wrote:

> Chris,
>
> It could be that the vendor is using an encryption certificate different 
> from the one you are expecting.
>
> Ray
>
> On Thu, 2023-03-30 at 19:58 -0700, 'Chris Durham' via CAS Community wrote:
>
> Hi, 
>
> We've got CAS 6.6.x running beautifully with delegated IDP logins to 
> multiple SAML providers, but the most recent one we've had to integrate 
> with is causing me some headaches.
>
> The initial redirect works fine, but when it comes back CAS displays the 
> SAML message but then fails to decrypt the SAML message and I can't figure 
> out why - has anyone come across anything similar before?
>
> Chris
>
> Logs.. 
>
> 63ff8111b2f8 [1;31m2023-03-30 20:01:28,342 ERROR 
> [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] -  valid subject assertion found in response
> 63ff8111b2f8 [1;31m2023-03-30 20:01:28,341 ERROR 
> [org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator] -  assertion failed, continue with the next one> [m
> 63ff8111b2f8 [1;31m2023-03-30 20:01:28,341 ERROR 
> [org.opensaml.saml.saml2.encryption.Decrypter] -  encountered an error decrypting element content: Failed to decrypt 
> EncryptedData> [m
> 63ff8111b2f8 [1;31m2023-03-30 20:01:28,341 ERROR 
> [org.opensaml.xmlsec.encryption.support.Decrypter] -  EncryptedData using either EncryptedData KeyInfoCredentialResolver or 
> EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver> [m
> 63ff8111b2f8 [36m2023-03-30 20:01:28,341 DEBUG 
> [org.opensaml.xmlsec.encryption.support.Decrypter] -  EncryptedData using EncryptedKeyResolver> [m
> 63ff8111b2f8 [36m2023-03-30 20:01:28,341 DEBUG 
> [org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator]
>  
> -  [m
> 63ff8111b2f8 [36m2023-03-30 20:01:28,341 DEBUG 
> [org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator]
>  
> -  org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyResolver>
>  
> [m
> 63ff8111b2f8 [36m2023-03-30 20:01:28,341 DEBUG 
> [org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator]
>  
> -  org.opensaml.saml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver> 
> [m
> 63ff8111b2f8 [36m2023-03-30 20:01:28,341 DEBUG 
> [org.opensaml.xmlsec.encryption.support.Decrypter] -  EncryptedData using key extracted from EncryptedKey failed: > [m
> 63ff8111b2f8 [1;31m2023-03-30 20:01:28,341 ERROR 
> [org.opensaml.xmlsec.encryption.support.Decrypter] -  EncryptedKey, valid decryption key could not be resolved> [m
> 63ff8111b2f8 [36m2023-03-30 20:01:28,341 DEBUG 
> [org.opensaml.xmlsec.encryption.support.Decrypter] -  EncryptedKey using credential from KEK KeyInfo resolver failed: > [m
> 63ff8111b2f8 [1;31m2023-03-30 20:01:28,341 ERROR 
> [org.opensaml.xmlsec.encryption.support.Decrypter] -  encrypted key: Unwrapping failed> [m
> 63ff8111b2f8 [36m2023-03-30 20:01:28,338 DEBUG 
> [org.opensaml.xmlsec.algorithm.AlgorithmSupport] -  include list, nothing to evaluate> [m
> 63ff8111b2f8 [36m2023-03-30 20:01:28,338 DEBUG 
> [org.opensaml.xmlsec.algorithm.AlgorithmSupport] -  exclude list, nothing to evaluate> [m
> 63ff8111b2f8 [36m2023-03-30 20:01:28,338 DEBUG 
> [org.opensaml.xmlsec.encryption.support.Decrypter] -  URI against include and exclude lists: algorithm: 
> http://www.w3.org/2009/xmlenc11#mgf1sha1, included: null, excluded: null> 
> [m
> 63ff8111b2f8 [36m2023-03-30 20:01:28,338 DEBUG 
> [org.opensaml.xmlsec.algorithm.AlgorithmSupport] -  include list, nothing to evaluate> [m
> 63ff8111b2f8 [36m2023-03-30 20:01:28,338 DEBUG 
> [org.opensaml.xmlsec.algorithm.AlgorithmSupport] -  exclude list, nothing to evaluate> [m
> 63ff8111b2f8 [36m2023-03-30 20:01:28,338 DEBUG 
> [org.opensaml.xmlsec.encryption.support.Decrypter] -  URI against include and exclude lists: algorithm: 
> http://www.w3.org/2000/09/xmldsig#sha1, included: null, excluded: null> [m
> 63ff8111b2f8 [36m2023-03-30 20:01:28,338 DEBUG 
> [org.opensaml.xmlsec.algorithm.AlgorithmS
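
Added example, not part of the thread and not CAS or pac4j code: a stand-alone Python check for the two causes raised above, whitespace padding inside X509Certificate elements of pretty-printed metadata and Ray's suggestion that the assertion was encrypted to a different certificate than expected. It assumes the response's EncryptedKey embeds the recipient certificate in its KeyInfo; the metadata, response and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
CERT_TAG = "{%s}X509Certificate" % DS


def fingerprint(cert_text):
    """SHA-256 of the decoded certificate bytes, ignoring whitespace in the base64."""
    der = base64.b64decode("".join(cert_text.split()), validate=True)
    return hashlib.sha256(der).hexdigest()


def audit_metadata(metadata_xml):
    """One finding per KeyDescriptor certificate: use, padding flag, fingerprint."""
    findings = []
    for kd in ET.fromstring(metadata_xml).iter("{%s}KeyDescriptor" % MD):
        for cert in kd.iter(CERT_TAG):
            text = cert.text or ""
            if not text.strip():
                continue
            findings.append({
                # A KeyDescriptor without a use attribute serves both purposes.
                "use": kd.get("use", "signing+encryption"),
                # True when whitespace sits between the tags and the base64 text.
                "padded": text != text.strip(),
                "fingerprint": fingerprint(text),
            })
    return findings


def encrypted_key_recipients(response_xml):
    """Fingerprints of the certificates named inside each EncryptedKey's KeyInfo."""
    found = set()
    for ek in ET.fromstring(response_xml).iter("{%s}EncryptedKey" % XENC):
        for cert in ek.iter(CERT_TAG):
            if cert.text and cert.text.strip():
                found.add(fingerprint(cert.text))
    return found


def diagnose(sp_metadata_xml, response_xml):
    """Compare who the sender encrypted to with the encryption keys the SP published."""
    ours = {f["fingerprint"] for f in audit_metadata(sp_metadata_xml)
            if "encryption" in f["use"]}
    theirs = encrypted_key_recipients(response_xml)
    if not theirs:
        return "unknown"  # the EncryptedKey carries no certificate to compare
    return "match" if theirs <= ours else "mismatch"


# --- constructed sample data: placeholder bytes, not real certificates ---
SP_ENC_CERT = base64.b64encode(b"constructed SP encryption certificate").decode()
OTHER_CERT = base64.b64encode(b"constructed certificate with no SP key").decode()
IDP_SIGN_CERT = base64.b64encode(b"constructed IdP signing certificate").decode()


def sample_metadata(role, use, cert_text):
    return (f'<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" '
            f'entityID="https://example.org/entity"><md:{role}>'
            f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{cert_text}</ds:X509Certificate>'
            f'</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
            f'</md:{role}></md:EntityDescriptor>')


def sample_response(cert_text):
    return (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            f'xmlns:xenc="{XENC}" xmlns:ds="{DS}"><saml:EncryptedAssertion>'
            f'<xenc:EncryptedData><ds:KeyInfo><xenc:EncryptedKey><ds:KeyInfo>'
            f'<ds:X509Data><ds:X509Certificate>{cert_text}</ds:X509Certificate>'
            f'</ds:X509Data></ds:KeyInfo></xenc:EncryptedKey></ds:KeyInfo>'
            f'</xenc:EncryptedData></saml:EncryptedAssertion></samlp:Response>')


# Pretty-printed IdP metadata: newlines and spaces around the base64 text.
PRETTY_IDP_METADATA = sample_metadata(
    "IDPSSODescriptor", "signing", "\n        " + IDP_SIGN_CERT + "\n      ")
SP_METADATA = sample_metadata("SPSSODescriptor", "encryption", SP_ENC_CERT)

if __name__ == "__main__":
    for finding in audit_metadata(PRETTY_IDP_METADATA):
        print(finding)
    print(diagnose(SP_METADATA, sample_response(SP_ENC_CERT)))
    print(diagnose(SP_METADATA, sample_response(OTHER_CERT)))
```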

[cas-user] CAS 6.6.x - SAML (Shibboleth), Unable to Decrypt EncryptedData

2023-03-30 Thread 'Chris Durham' via CAS Community
Hi,

We've got CAS 6.6.x running beautifully with delegated IDP logins to 
multiple SAML providers, but the most recent one we've had to integrate 
with is causing me some headaches.

The initial redirect works fine, but when it comes back CAS displays the 
SAML message but then fails to decrypt the SAML message and I can't figure 
out why - has anyone come across anything similar before?

Chris

Logs.. 

63ff8111b2f8  [1;31m2023-03-30 20:01:28,342 ERROR 
[org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] -  [m 
63ff8111b2f8  [1;31m2023-03-30 20:01:28,341 ERROR 
[org.opensaml.saml.saml2.encryption.Decrypter] -  [m 
63ff8111b2f8  [1;31m2023-03-30 20:01:28,341 ERROR 
[org.opensaml.xmlsec.encryption.support.Decrypter] -  [m 
63ff8111b2f8  [36m2023-03-30 20:01:28,341 DEBUG 
[org.opensaml.xmlsec.encryption.support.Decrypter] -  [m 
63ff8111b2f8  [36m2023-03-30 20:01:28,341 DEBUG 
[org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator]
 
-  [m 
63ff8111b2f8  [36m2023-03-30 20:01:28,341 DEBUG 
[org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator]
 
- 
 [m 
63ff8111b2f8  [36m2023-03-30 20:01:28,341 DEBUG 
[org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator]
 
-  [m 
63ff8111b2f8  [36m2023-03-30 20:01:28,341 DEBUG 
[org.opensaml.xmlsec.encryption.support.Decrypter] -  [m 
63ff8111b2f8  [1;31m2023-03-30 20:01:28,341 ERROR 
[org.opensaml.xmlsec.encryption.support.Decrypter] -  [m 
63ff8111b2f8  [36m2023-03-30 20:01:28,341 DEBUG 
[org.opensaml.xmlsec.encryption.support.Decrypter] -  [m 
63ff8111b2f8  [1;31m2023-03-30 20:01:28,341 ERROR 
[org.opensaml.xmlsec.encryption.support.Decrypter] -  [m 
63ff8111b2f8  [36m2023-03-30 20:01:28,338 DEBUG 
[org.opensaml.xmlsec.algorithm.AlgorithmSupport] -  [m 
63ff8111b2f8  [36m2023-03-30 20:01:28,338 DEBUG 
[org.opensaml.xmlsec.algorithm.AlgorithmSupport] -  [m 
63ff8111b2f8  [36m2023-03-30 20:01:28,338 DEBUG 
[org.opensaml.xmlsec.encryption.support.Decrypter] - http://www.w3.org/2009/xmlenc11#mgf1sha1, included: null, excluded: null> [m 
63ff8111b2f8  [36m2023-03-30 20:01:28,338 DEBUG 
[org.opensaml.xmlsec.algorithm.AlgorithmSupport] -  [m 
63ff8111b2f8  [36m2023-03-30 20:01:28,338 DEBUG 
[org.opensaml.xmlsec.algorithm.AlgorithmSupport] -  [m 
63ff8111b2f8  [36m2023-03-30 20:01:28,338 DEBUG 
[org.opensaml.xmlsec.encryption.support.Decrypter] - http://www.w3.org/2000/09/xmldsig#sha1, included: null, excluded: null> [m 
63ff8111b2f8  [36m2023-03-30 20:01:28,338 DEBUG 
[org.opensaml.xmlsec.algorithm.AlgorithmSupport] -  [m 
63ff8111b2f8  [36m2023-03-30 20:01:28,338 DEBUG 
[org.opensaml.xmlsec.algorithm.AlgorithmSupport] -  [m 
63ff8111b2f8  [36m2023-03-30 20:01:28,338 DEBUG 
[org.opensaml.xmlsec.encryption.support.Decrypter] - http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p, included: null, excluded: 
null> [m 
63ff8111b2f8  [32m2023-03-30 20:01:28,338 INFO 
[org.opensaml.xmlsec.algorithm.AlgorithmSupport] - http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p to key length not 
available> [m 
63ff8111b2f8  [36m2023-03-30 20:01:28,338 DEBUG 
[org.opensaml.xmlsec.encryption.support.Decrypter] -  [m 
63ff8111b2f8  [36m2023-03-30 20:01:28,338 DEBUG 
[org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator]
 
-  [m 
63ff8111b2f8  [36m2023-03-30 20:01:28,337 DEBUG 
[org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver$ChainingIterator]
 
-  [m 
63ff8111b2f8  [36m2023-03-30 20:01:28,337 DEBUG 
[org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator] - https://shib.oit.duke.edu/shibboleth-idp against 
https://xxx.xxx.xxx.xxx/shibboleth-idp> [m 
63ff8111b2f8  [36m2023-03-30 20:01:28,337 DEBUG 
[org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator] - https://shib.oit.duke.edu/shibboleth-idp> [m 
63ff8111b2f8  [36m2023-03-30 20:01:28,337 DEBUG 
[org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine] - 
 [m 
63ff8111b2f8  [36m2023-03-30 20:01:28,337 DEBUG 
[org.opensaml.security.trust.impl.ExplicitKeyTrustEvaluator] - 
 [m 
63ff8111b2f8  [36m2023-03-30 20:01:28,337 DEBUG 
[org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine] - 
 [m 
63ff8111b2f8  [36m2023-03-30 20:01:28,337 DEBUG 
[org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine] - 
 [m 
63ff8111b2f8  [36m2023-03-30 20:01:28,337 DEBUG 
[org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine] - 
 [m 
63ff8111b2f8  [36m2023-03-30 20:01:28,337 DEBUG 
[org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignatureValidationProviderImpl]
 
-  [m 
63ff8111b2f8  [36m2023-03-30 20:01:28,335 DEBUG 
[org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignatureValidationProviderImpl]
 
-  [m 
63ff8111b2f8  [36m2023-03-30 20:01:28,335 DEBUG 
[org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignatureValidationProviderImpl]
 
- http://www.w3.org/2001/04/xmldsig-

[cas-user] CAS 6.6.2 DUO problems

2022-11-09 Thread Chris
I am having a problem getting DUO to work with CAS 6.6.2, I am getting an 
error about action execution attributes were 'map[[empty]]', I think this 
is being caused by the following.

2022-11-09 13:03:58,807 WARN 
[org.apereo.cas.adaptors.duo.web.flow.action.DuoSecurityUniversalPromptValidateLoginAction]
 
- 
2022-11-09 13:03:58,807 ERROR 
[org.springframework.boot.web.servlet.support.ErrorPageFilter] - 


I am working on deploying the CAS build using the CAS overlay and 
outputting a docker image, but I have tried using the war file and tomcat and 
get the same error.

Any advice or guidance would be great.



[cas-user] JPA Ticket Registry : Delegated Authentication + General cause of "action execution attributes were 'map[[empty]]'"

2022-10-06 Thread 'Chris Durham' via CAS Community
Hi,

With 6.6.0, we've been using the memcached Ticket Registry support 
previously, but now we want to take advantage of the Account Profile pages 
we can't get Session information (as getTickets() is not supported), so I 
thought I would switch to JPA (since we have a suitable DB).  Logins 
without a service work perfectly and direct me to the Account Profile pages 
and I can see sessions etc.

However as soon as I try and login through Delegated Authentications (any one 
of the 10+ providers we have) all responses show the CAS error page (500) 
and the logs show

DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] -  [m
DEBUG 
[org.apereo.cas.web.flow.error.DefaultDelegatedClientAuthenticationFailureEvaluator]
 
-  [m

Now I note that Misagh said map[[empty]] issues weren't an issue but were a 
symptom of another problem, but doesn't anyone have any suggestions as to 
how to debug what that "other problem" might be when the only change is 
between where the Ticket Registry is stored.

Up until that point everything looked normal and appeared to be working

On Wednesday, 25 May 2022 at 23:02:17 UTC-5 Misagh Moayyed wrote:

> It is not an error. If you see this, usually it means the problem is 
> something or somewhere else and this is not the root cause. 
>
> -- Misagh
>
> On Thu, May 26, 2022, 12:10 AM Pablo Vidaurri  wrote:
>
>> On occasion I'm seeing a login error with this in my logs:
>>
>> in state 'xxxCheck' of flow 'login' -- action execution attributes were 
>> 'map[[empty]]'
>>
>> What is the general cause of this error?
>>
>> -psv
>>
>>
>



[cas-user] CAS-Management 6.6.0 Cas service Problems

2022-10-03 Thread Chris
I am having problems with the CAS-management service version 6.6.0 with CAS 
6.6.0 and creating CAS services via the management page.

I noticed that with CAS 6.6.0 the 
org.apereo.cas.services.RegexRegisteredService class does not seem to work, 
and it needs to be changed to org.apereo.cas.services.CasRegisteredService 
for the service to work as expected.

But via the CAS-Management Page creating a CAS service as Service Type CAS 
Client still creates the service as 
org.apereo.cas.services.RegexRegisteredService, the same way the CAS Client 
(Deprecated) type does.

Has anyone run into this or know what might need to be done to fix this 
problem?

Thanks,
Chris



[cas-user] Re: Getting HTML template resources

2021-08-09 Thread Chris Durham
I find explodeWar quite useful as a task - it will create a cas-resources 
folder in your build directory with all the files in so you can get the 
correct layout..

On Monday, 9 August 2021 at 14:56:21 UTC-5 Dustin Luck wrote:

> I updated my overlay template to the latest 6.3.6 and I'm having trouble 
> getting HTML templates using the instructions in the README.md file 
> (./gradlew[.bat] listTemplateViews). When I run the command, I get a 'BUILD 
> SUCCESSFUL' message, but no templates are listed. Trying the getResource 
> command (./gradlew getResource -PresourceName=casLoginView.html), I receive 
> a message that "No resources could be found matching casLoginView.html".
>
> Any help on how to extract the HTML templates would be appreciated.
>
>
> Here is the full output from both commands
>
> *listTemplateViews*
> > Task :bootBuildInfo
> > Task :generateLombokConfig UP-TO-DATE
> > Task :compileJava UP-TO-DATE
> > Task :processResources UP-TO-DATE
> > Task :classes
> > Task :bootWarMainClassName
> > Task :extractCasBootWarOverlay UP-TO-DATE
> > Task :bootWar
> > Task :war
> > Task :assemble
> > Task :compileTestJava NO-SOURCE
> > Task :processTestResources NO-SOURCE
> > Task :testClasses UP-TO-DATE
> > Task :test NO-SOURCE
> > Task :check UP-TO-DATE
> > Task :build
>
> > Task :unzipWAR
> Unzipped WAR into 
> C:\Users\dluck\Documents\Temp\cas-overlay-template\build/app
>
> > Task :listTemplateViews
>
> Deprecated Gradle features were used in this build, making it incompatible 
> with Gradle 8.0.
>
> You can use '--warning-mode all' to show the individual deprecation 
> warnings and determine if they come from your own scripts or plugins.
>
> See 
> https://docs.gradle.org/7.1.1/userguide/command_line_interface.html#sec:command_line_warnings
>
> BUILD SUCCESSFUL in 16s
> 10 actionable tasks: 6 executed, 4 up-to-date
>
>
> *getResource*
> > Task :bootBuildInfo
> > Task :generateLombokConfig UP-TO-DATE
> > Task :compileJava UP-TO-DATE
> > Task :processResources UP-TO-DATE
> > Task :classes
> > Task :bootWarMainClassName
> > Task :extractCasBootWarOverlay UP-TO-DATE
> > Task :bootWar
> > Task :war
> > Task :assemble
> > Task :compileTestJava NO-SOURCE
> > Task :processTestResources NO-SOURCE
> > Task :testClasses UP-TO-DATE
> > Task :test NO-SOURCE
> > Task :check UP-TO-DATE
> > Task :build
>
> > Task :unzipWAR
> Unzipped WAR into 
> C:\Users\dluck\Documents\Temp\cas-overlay-template\build/app
>
> > Task :getResource
> No resources could be found matching casLoginView.html
>
> Deprecated Gradle features were used in this build, making it incompatible 
> with Gradle 8.0.
>
> You can use '--warning-mode all' to show the individual deprecation 
> warnings and determine if they come from your own scripts or plugins.
>
> See 
> https://docs.gradle.org/7.1.1/userguide/command_line_interface.html#sec:command_line_warnings
>
> BUILD SUCCESSFUL in 28s
> 10 actionable tasks: 6 executed, 4 up-to-date
>
>



[cas-user] CAS 6.4.0-RC6

2021-08-04 Thread Chris Durham
Hi,

We have a setup with lots of Delegated Authentication options (and equally 
lots of services), and since migrating to RC6 we are getting a lot of

org.pac4j.core.exception.TechnicalException: Duplicate name in clients

appearing in the logs and subsequent error pages appearing.

Ticket Registry is in AWS ElastiCache (memcached)

Has anyone else experienced the same error?  I'm trying to figure out how 
the duplicates would occur in the first place too!

Chris



Re: [cas-user] Re: CAS 6.2.8 password management and Office 365 ATP

2021-07-27 Thread Chris Durham
Ray,

Thanks for that -  it all makes a lot more sense now - and after a bit of 
trial and error of figuring out what to include (the lombok stuff threw me) 
I've got it to compile - yay!

Chris


On Tuesday, 27 July 2021 at 15:06:57 UTC-5 Ray Bon wrote:

> Chris,
>
> When you get a missing dependency, search your local copy of cas for that 
> class. Once you have the path, you can include that package in build.gradle.
> e.g.
>
> compileOnly "org.apereo.cas:cas-server-support-token-core-api:${casServerVersion}"
> compileOnly "org.apereo.cas:cas-server-support-token-tickets:${casServerVersion}"
>
> Ray
>
>
> On Tue, 2021-07-27 at 12:59 -0700, Chris Durham wrote:
>
> Would you mind sharing the additions in the build.gradle and the package 
> structure you used?   I'm using 6.4.0-RC6, but I suspect once I understand 
> what you had to add it should be transferrable logic wise 
>
> I've been trying to overlay classes to fix issues (or support our 
> apparently unique requirements), but have been unable to get it to compile 
> without complaining about lots and lots of missing dependencies.
>
> BTW I submitted a pull request with a custom patch that allowed you to 
> specify whether the Password Management TST was single use or not, but it 
> was rejected (with a reasonable explanation at least!)
>
> On Tuesday, 27 July 2021 at 10:12:00 UTC-5 joseph...@gmail.com wrote:
>
> Hi Chris, 
>
> Yes I use the overlay method. I created the package structure for that 
> class in my overlay, and then copied the class from github for my CAS 
> version. I also had to add a few dependencies in the build.gradle file to 
> compile the overlay.
>
> Joseph
>
> Le mardi 27 juillet 2021 à 11 h 00 min 36 s UTC-4, Chris Durham a écrit :
>
> Hi Joseph, 
>
> Our emails will be going to many different organizations that we have no 
> control over, so overriding that class might be our only option too.  
>
> Do you use the overlay method - and if so how do you override a single 
> class without having to import tons of stuff?
>
> Chris
>
> On Tuesday, 27 July 2021 at 07:09:29 UTC-5 joseph...@gmail.com wrote:
>
> Hi Chris, 
>
> If you have ATP activated and the password reset emails are only sent 
> within your own organization, you can ask your Office 365 admin to 
> whitelist the CAS server, this way ATP won't invalidate the password reset 
> link. However, if they can be sent to multiple organizations (who might 
> also have Office 365 and ATP activated) it would not be a practical 
> solution to ask all of them to whitelist your CAS server. I ended up 
> overriding the VerifyPasswordResetRequestAction class to remove the line 
> that deletes the ticket. The ticket is still expired after the configured 
> delay, so it solved our problem with password management.
>
> Joseph
> Le mardi 27 juillet 2021 à 00 h 54 min 47 s UTC-4, Chris Durham a écrit :
>
> Hey Joseph, 
>
> Did you get anywhere with this.  We've been having the same issue and I 
> suddenly connected the dots and realized that we use Office 365 too..
>
> Chris
>
> On Wednesday, 30 June 2021 at 07:16:10 UTC-5 joseph...@gmail.com wrote:
>
> Hi everyone, 
>
> We recently upgraded our CAS server to version 6.2.8 from version 5.3.15.1 
> . We found out that the behaviour of the password management feature, 
> specifically the password reset link, has changed. It seems that the 
> password reset link is now single use, you can't use it again after 
> clicking on it once even though it's not expired yet.
>
> After investigating the error our users had "Password reset failed - We 
> were unable to process your password reset request at this time", we found 
> out that because we use Office 365 ATP (Advanced Threat Protection), all 
> the links in the email, including the password reset link, are verified and 
> clicked before the user gets the email. This means that the password reset 
> link is already used when it gets to the user's inbox...
>
> I didn't find any configuration related to this in the CAS documentation. 
> I'm now thinking about overriding the class where the password reset token 
> is deleted after use, even though I don't like the idea of having to 
> maintain this change after future CAS updates.
>
> Has anyone had this kind of problem with password management and something 
> like Office 365 ATP and what was your solution?
>
> Thank you!
>
> Joseph
>
>
>
>
>
>
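
Added example, not from the thread and not CAS code: a small Python model of the reset-link behaviour discussed above, showing why a mail link scanner that opens the link first breaks a ticket that is deleted when the link is verified, and what the expiry-only override changes. The "submit" policy goes beyond the thread as one possible alternative; the class, method and policy names are hypothetical.

```python
import hashlib
import secrets


class ResetTicketStore:
    """Toy reset-ticket registry; names are hypothetical, not CAS APIs."""

    def __init__(self, ttl_seconds, policy, clock):
        if policy not in ("open", "expiry", "submit"):
            raise ValueError("unknown policy: %r" % policy)
        self.ttl = ttl_seconds
        self.policy = policy  # the step at which the ticket is consumed
        self.clock = clock    # injectable clock, so expiry is testable without sleeping
        self._tickets = {}    # sha256(token) -> (username, expires_at)

    @staticmethod
    def _key(token):
        # Keep only a digest so a dump of the registry does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username):
        token = secrets.token_urlsafe(32)
        self._tickets[self._key(token)] = (username, self.clock() + self.ttl)
        return token

    def _lookup(self, token, consume):
        key = self._key(token)
        entry = self._tickets.get(key)
        if entry is None:
            return None
        username, expires_at = entry
        if self.clock() >= expires_at:
            del self._tickets[key]  # expired tickets are purged on access
            return None
        if consume:
            del self._tickets[key]
        return username

    def open_link(self, token):
        """GET on the reset link: done by the user, and by any mail link scanner."""
        return self._lookup(token, consume=(self.policy == "open"))

    def submit_new_password(self, token):
        """POST of the new password; meaningful for the 'expiry' and 'submit' policies.

        Under 'open' the ticket is already gone here; a real flow would carry the
        verified user in server-side state, which this toy does not model.
        """
        return self._lookup(token, consume=(self.policy == "submit"))


def run_scenario(policy, user_delay, ttl_seconds=3600):
    """Scanner opens the link at t=0, the user follows user_delay seconds later."""
    now = [0]
    store = ResetTicketStore(ttl_seconds, policy, clock=lambda: now[0])
    token = store.issue("casuser")  # constructed sample account name
    result = {"scanner_open": store.open_link(token)}
    now[0] += user_delay
    result["user_open"] = store.open_link(token)
    changed = result["user_open"] and store.submit_new_password(token)
    result["password_changed"] = bool(changed)
    # The same link opened once more after the user is done.
    result["replay_after_change"] = store.open_link(token)
    return result


if __name__ == "__main__":
    for policy, delay in (("open", 60), ("expiry", 60), ("submit", 60), ("expiry", 7200)):
        print(policy, delay, run_scenario(policy, delay))
```

With "expiry" the link stays usable after the password change until the ticket times out, which is the trade-off of removing the delete step; "submit" keeps it single-use for the actual change.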


[cas-user] Re: CAS 6.2.8 password management and Office 365 ATP

2021-07-27 Thread Chris Durham
Would you mind sharing the additions in the build.gradle and the package 
structure you used?   I'm using 6.4.0-RC6, but I suspect once I understand 
what you had to add it should be transferable logic-wise.

I've been trying to overlay classes to fix issues (or support our 
apparently unique requirements), but have been unable to get it to compile 
without complaining about lots and lots of missing dependencies.

BTW I submitted a pull request with a custom patch that allowed you to 
specify whether the Password Management TST was single use or not, but it 
was rejected (with a reasonable explanation at least!)

On Tuesday, 27 July 2021 at 10:12:00 UTC-5 joseph...@gmail.com wrote:

> Hi Chris,
>
> Yes I use the overlay method. I created the package structure for that 
> class in my overlay, and then copied the class from github for my CAS 
> version. I also had to add a few dependencies in the build.gradle file to 
> compile the overlay.
>
> Joseph
>
> Le mardi 27 juillet 2021 à 11 h 00 min 36 s UTC-4, Chris Durham a écrit :
>
>> Hi Joseph,
>>
>> Our emails will be going to many different organizations that we have no 
>> control over, so overriding that class might be our only option too.  
>>
>> Do you use the overlay method - and if so how do you override a single 
>> class without having to import tons of stuff?
>>
>> Chris
>>
>> On Tuesday, 27 July 2021 at 07:09:29 UTC-5 joseph...@gmail.com wrote:
>>
>>> Hi Chris,
>>>
>>> If you have ATP activated and the password reset emails are only sent 
>>> within your own organization, you can ask your Office 365 admin to 
>>> whitelist the CAS server, this way ATP won't invalidate the password reset 
>>> link. However, if they can be sent to multiple organizations (who might 
>>> also have Office 365 and ATP activated) it would not be a practical 
>>> solution to ask all of them to whitelist your CAS server. I ended up 
>>> overriding the VerifyPasswordResetRequestAction class to remove the line 
>>> that deletes the ticket. The ticket is still expired after the configured 
>>> delay, so it solved our problem with password management.
>>>
>>> Joseph
>>> Le mardi 27 juillet 2021 à 00 h 54 min 47 s UTC-4, Chris Durham a écrit :
>>>
>>>> Hey Joseph,
>>>>
>>>> Did you get anywhere with this.  We've been having the same issue and I 
>>>> suddenly connected the dots and realized that we use Office 365 too..
>>>>
>>>> Chris
>>>>
>>>> On Wednesday, 30 June 2021 at 07:16:10 UTC-5 joseph...@gmail.com wrote:
>>>>
>>>>> Hi everyone,
>>>>>
>>>>> We recently upgraded our CAS server to version 6.2.8 from version 
>>>>> 5.3.15.1 . We found out that the behaviour of the password management 
>>>>> feature, specifically the password reset link, has changed. It seems that 
>>>>> the password reset link is now single use, you can't use it again after 
>>>>> clicking on it once even though it's not expired yet.
>>>>>
>>>>> After investigating the error our users had "Password reset failed - 
>>>>> We were unable to process your password reset request at this time", we 
>>>>> found out that because we use Office 365 ATP (Advanced Threat 
>>>>> Protection), 
>>>>> all the links in the email, including the password reset link, are 
>>>>> verified 
>>>>> and clicked before the user gets the email. This means that the password 
>>>>> reset link is already used when it gets to the user's inbox...
>>>>>
>>>>> I didn't find any configuration related to this in the CAS 
>>>>> documentation. I'm now thinking about overriding the class where the 
>>>>> password reset token is deleted after use, even though I don't like the 
>>>>> idea of having to maintain this change after future CAS updates.
>>>>>
>>>>> Has anyone had this kind of problem with password management and 
>>>>> something like Office 365 ATP and what was your solution?
>>>>>
>>>>> Thank you!
>>>>>
>>>>> Joseph
>>>>>
>>>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a1ff0ff4-cf98-43ba-a5fd-895cfa0595fbn%40apereo.org.
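
The trade-off discussed in this thread, as an added example that is not code from CAS or from any poster: a simplified Java model of the points at which a reset token can be retired, run against a constructed timeline in which a mail link scanner opens the link before the user does. All class, method and policy names are hypothetical, and ON_PASSWORD_CHANGE is an assumed alternative that the thread does not describe.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Simplified model of a password reset link; every name here is hypothetical, none is a CAS API. */
public class ResetLinkPolicyDemo {

    /** The point in the flow at which the emailed token stops being usable. */
    enum ConsumePolicy { ON_VERIFY, EXPIRY_ONLY, ON_PASSWORD_CHANGE }

    static final class Entry {
        final String username;
        final Instant expiresAt;

        Entry(String username, Instant expiresAt) {
            this.username = username;
            this.expiresAt = expiresAt;
        }
    }

    static final class TokenStore {
        private final Map<String, Entry> live = new ConcurrentHashMap<>();
        private final SecureRandom random = new SecureRandom();
        private final ConsumePolicy policy;
        private final Duration ttl;

        TokenStore(ConsumePolicy policy, Duration ttl) {
            this.policy = policy;
            this.ttl = ttl;
        }

        /** Stores an entry under a fresh 256-bit random identifier and returns that identifier. */
        private String store(Entry entry) {
            byte[] raw = new byte[32];
            random.nextBytes(raw);
            String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            live.put(id, entry);
            return id;
        }

        /** Creates the token that is placed in the emailed link. */
        String issue(String username, Instant now) {
            return store(new Entry(username, now.plus(ttl)));
        }

        private static boolean usable(Entry e, Instant now) {
            return e != null && now.isBefore(e.expiresAt);
        }

        /** GET on the emailed link. Returns the ticket that the rendered form posts back. */
        Optional<String> openLink(String token, Instant now) {
            if (policy == ConsumePolicy.ON_VERIFY) {
                // The first opener retires the link and receives a form ticket bound to its own session.
                Entry e = live.remove(token);
                return usable(e, now) ? Optional.of(store(e)) : Optional.empty();
            }
            return usable(live.get(token), now) ? Optional.of(token) : Optional.empty();
        }

        /** POST of the new password. Only EXPIRY_ONLY leaves the ticket in place afterwards. */
        boolean submitNewPassword(String formTicket, Instant now) {
            Entry e = policy == ConsumePolicy.EXPIRY_ONLY
                    ? live.get(formTicket)
                    : live.remove(formTicket);
            return usable(e, now);
        }
    }

    /** Constructed timeline: scanner at +5 s, user at +2 min, submit at +3 min, 15 min lifetime. */
    static String simulate(ConsumePolicy policy) {
        Instant t0 = Instant.parse("2021-07-27T12:00:00Z");
        TokenStore store = new TokenStore(policy, Duration.ofMinutes(15));
        String token = store.issue("casuser", t0);

        // The mail gateway follows the link but never submits the form.
        boolean scannerOpened = store.openLink(token, t0.plusSeconds(5)).isPresent();

        Optional<String> form = store.openLink(token, t0.plusSeconds(120));
        boolean passwordChanged = form.isPresent()
                && store.submitNewPassword(form.get(), t0.plusSeconds(180));

        // The same link opened again after the change, and once more after the lifetime has passed.
        boolean reusableAfterChange = store.openLink(token, t0.plusSeconds(300)).isPresent();
        boolean usableAfterExpiry = store.openLink(token, t0.plus(Duration.ofMinutes(20))).isPresent();

        return String.format(
                "scannerOpened=%b userOpened=%b passwordChanged=%b reusableAfterChange=%b usableAfterExpiry=%b",
                scannerOpened, form.isPresent(), passwordChanged, reusableAfterChange, usableAfterExpiry);
    }

    public static void main(String[] args) {
        for (ConsumePolicy policy : ConsumePolicy.values()) {
            System.out.println(policy + ": " + simulate(policy));
        }
    }
}
```

ON_VERIFY reproduces the failure reported in the thread, and EXPIRY_ONLY corresponds to removing the delete-on-verify step, which leaves the link usable until it expires even after the password has been changed.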


[cas-user] Re: CAS 6.2.8 password management and Office 365 ATP

2021-07-27 Thread Chris Durham
Hi Joseph,

Our emails will be going to many different organizations that we have no 
control over, so overriding that class might be our only option too.  

Do you use the overlay method - and if so how do you override a single 
class without having to import tons of stuff?

Chris

On Tuesday, 27 July 2021 at 07:09:29 UTC-5 joseph...@gmail.com wrote:

> Hi Chris,
>
> If you have ATP activated and the password reset emails are only sent 
> within your own organization, you can ask your Office 365 admin to 
> whitelist the CAS server, this way ATP won't invalidate the password reset 
> link. However, if they can be sent to multiple organizations (who might 
> also have Office 365 and ATP activated) it would not be a practical 
> solution to ask all of them to whitelist your CAS server. I ended up 
> overriding the VerifyPasswordResetRequestAction class to remove the line 
> that deletes the ticket. The ticket is still expired after the configured 
> delay, so it solved our problem with password management.
>
> Joseph
> Le mardi 27 juillet 2021 à 00 h 54 min 47 s UTC-4, Chris Durham a écrit :
>
>> Hey Joseph,
>>
>> Did you get anywhere with this.  We've been having the same issue and I 
>> suddenly connected the dots and realized that we use Office 365 too..
>>
>> Chris
>>
>> On Wednesday, 30 June 2021 at 07:16:10 UTC-5 joseph...@gmail.com wrote:
>>
>>> Hi everyone,
>>>
>>> We recently upgraded our CAS server to version 6.2.8 from version 
>>> 5.3.15.1 . We found out that the behaviour of the password management 
>>> feature, specifically the password reset link, has changed. It seems that 
>>> the password reset link is now single use, you can't use it again after 
>>> clicking on it once even though it's not expired yet.
>>>
>>> After investigating the error our users had "Password reset failed - We 
>>> were unable to process your password reset request at this time", we found 
>>> out that because we use Office 365 ATP (Advanced Threat Protection), all 
>>> the links in the email, including the password reset link, are verified and 
>>> clicked before the user gets the email. This means that the password reset 
>>> link is already used when it gets to the user's inbox...
>>>
>>> I didn't find any configuration related to this in the CAS 
>>> documentation. I'm now thinking about overriding the class where the 
>>> password reset token is deleted after use, even though I don't like the 
>>> idea of having to maintain this change after future CAS updates.
>>>
>>> Has anyone had this kind of problem with password management and 
>>> something like Office 365 ATP and what was your solution?
>>>
>>> Thank you!
>>>
>>> Joseph
>>>
>>


[cas-user] Re: CAS 6.2.8 password management and Office 365 ATP

2021-07-26 Thread Chris Durham
Hey Joseph,

Did you get anywhere with this.  We've been having the same issue and I 
suddenly connected the dots and realized that we use Office 365 too..

Chris

On Wednesday, 30 June 2021 at 07:16:10 UTC-5 joseph...@gmail.com wrote:

> Hi everyone,
>
> We recently upgraded our CAS server to version 6.2.8 from version 5.3.15.1 
> . We found out that the behaviour of the password management feature, 
> specifically the password reset link, has changed. It seems that the 
> password reset link is now single use, you can't use it again after 
> clicking on it once even though it's not expired yet.
>
> After investigating the error our users had "Password reset failed - We 
> were unable to process your password reset request at this time", we found 
> out that because we use Office 365 ATP (Advanced Threat Protection), all 
> the links in the email, including the password reset link, are verified and 
> clicked before the user gets the email. This means that the password reset 
> link is already used when it gets to the user's inbox...
>
> I didn't find any configuration related to this in the CAS documentation. 
> I'm now thinking about overriding the class where the password reset token 
> is deleted after use, even though I don't like the idea of having to 
> maintain this change after future CAS updates.
>
> Has anyone had this kind of problem with password management and something 
> like Office 365 ATP and what was your solution?
>
> Thank you!
>
> Joseph
>


[cas-user] Re: CAS logout page does not use custom theme - is it a bug?

2021-07-22 Thread Chris Durham

Same happened to me the first time - you do have to provide updated 
Integration tests - in my case it turns out that the code was technically 
broken in two places, such that existing integration tests were incorrectly 
returning that it was ok when it wasn't, so fixing that second issue meant 
that the existing integration tests were already fit for purpose.

Whilst having to handle the integration tests may seem like a pain when 
like you I thought I had a simple defect, having gone through the 
discussion with Misagh I fully understand why it's important to ensure they 
are correct as they may hide other issues as a result.

On Thursday, 22 July 2021 at 14:55:11 UTC-5 Chia-Ying Yang wrote:

> I did submit a pull request (https://github.com/apereo/cas/pull/5204), 
> but was promptly rejected for not having associated tests.  It was a really 
> simple fix IMHO.  I'll do a little more research on how to add a test and 
> resubmit.
>
> I would appreciate any and all help!
>
> David
>
>
>
>
> On 7/22/21 3:50 PM, Chris Durham wrote:
>
> Hi, 
>
> We too have been bitten by this (and I assume it's a bug too).  If you can 
> fix it and submit that as a pull-request to the main cas project then it 
> would make me very happy!
>
> If you do submit the pull-request then I'm sure Misagh would be able to 
> point out if it was the wrong place - he has been very helpful in guiding 
> me through my first pull-request and getting it to the point where he was 
> happier with it.
>
> (We had to do some nasty js fudging in our core theme to achieve what we 
> needed - but having themed /logout pages would be far easier!)
>
> Chris
>
> On Wednesday, 21 July 2021 at 13:40:58 UTC-5 Chia-Ying Yang wrote:
>
>> I want to confirm whether this is a bug or not, in the current master 
>> branch. 
>>
>> I configured a custom theme for a registered service.  If I override 
>> casLoginView.html via overlay 
>> (src/main/resources/templates/[theme]/login/casLoginView.html), then the 
>> custom login page template is being used to render the login page.  But 
>> if I override casLogoutView.html via overlay 
>> (src/main/resources/templates/[theme]/logout/casLogoutView.html), that 
>> custom logout page template is not being used.  In fact the one from the 
>> default theme is always used.  I can even override it via overlay 
>> (src/main/resources/templates/logout/casLogoutView.html). 
>>
>> Additional details: 
>>
>> - after logging out locally, the user is being redirected to the cas 
>> server /cas/logout?service=[service ID] for single logout, i.e. the 
>> service is being supplied. 
>>
>> - during the logout flow, RegisteredServiceThemeResolver is being 
>> called, but the service retrieved from the flow scope is null.  Only 
>> LogoutRequest is in the flow scope, and inside it I do see the 
>> registered service matching what was supplied.  Because the theme 
>> resolver cannot determine the service, the default theme is used. 
>>
>> If it is indeed a bug, I think I can fix it in 
>> LogoutViewSetupAction.doInternalExecute() by placing the service into 
>> the flow scope.  I don't know enough about Spring web flow to know 
>> whether this is the right approach or the right place to fix it.  I 
>> would appreciate any feedback or suggestions! 
>>
>>
>


[cas-user] Re: CAS logout page does not use custom theme - is it a bug?

2021-07-22 Thread Chris Durham
Hi,

We too have been bitten by this (and I assume it's a bug too).  If you can 
fix it and submit that as a pull-request to the main cas project then it 
would make me very happy!

If you do submit the pull-request then I'm sure Misagh would be able to 
point out if it was the wrong place - he has been very helpful in guiding 
me through my first pull-request and getting it to the point where he was 
happier with it.

(We had to do some nasty js fudging in our core theme to achieve what we 
needed - but having themed /logout pages would be far easier!)

Chris

On Wednesday, 21 July 2021 at 13:40:58 UTC-5 Chia-Ying Yang wrote:

> I want to confirm whether this is a bug or not, in the current master 
> branch.
>
> I configured a custom theme for a registered service.  If I override 
> casLoginView.html via overlay 
> (src/main/resources/templates/[theme]/login/casLoginView.html), then the 
> custom login page template is being used to render the login page.  But 
> if I override casLogoutView.html via overlay 
> (src/main/resources/templates/[theme]/logout/casLogoutView.html), that 
> custom logout page template is not being used.  In fact the one from the 
> default theme is always used.  I can even override it via overlay 
> (src/main/resources/templates/logout/casLogoutView.html).
>
> Additional details:
>
> - after logging out locally, the user is being redirected to the cas 
> server /cas/logout?service=[service ID] for single logout, i.e. the 
> service is being supplied.
>
> - during the logout flow, RegisteredServiceThemeResolver is being 
> called, but the service retrieved from the flow scope is null.  Only 
> LogoutRequest is in the flow scope, and inside it I do see the 
> registered service matching what was supplied.  Because the theme 
> resolver cannot determine the service, the default theme is used.
>
> If it is indeed a bug, I think I can fix it in 
> LogoutViewSetupAction.doInternalExecute() by placing the service into 
> the flow scope.  I don't know enough about Spring web flow to know 
> whether this is the right approach or the right place to fix it.  I 
> would appreciate any feedback or suggestions!
>
>


[cas-user] CAS 6.4: IDP initiated login - oAuth2

2021-07-15 Thread Chris Durham
Hi,

I know that IDP initiated (ie unsolicited) login is available for SAML, but 
is there any way to achieve the same thing with oAuth?  We have a pair of 
portals that we interact with (and use their IDP as a delegated authority) 
that work via oAuth.

They want their "portal apps" to redirect to us using oAuth - basically by 
using the same redirect url that would be used during the delegated login 
process (ie it hits

www.mycasurl.com/cas/login?clientname=&code=z etc)

Currently CAS is throwing an Unauthorized Service error and I'm presuming 
the lack of ticket is the issue.  Has anyone come across a similar request 
before?

Thanks
Chris


Re: [cas-user] logging cas validation responses?

2021-07-15 Thread Chris Kell
I'm getting ready to tackle logging for my application including CAS, and I
was planning on simply adding in a logging class to the CAS build that
would stream out events to a file in a csv format.  Is there anything
getting in the way of just adding a class like that?

On Wed, Jul 14, 2021 at 2:11 PM Baron Fujimoto  wrote:

> Unfortunately, that doesn't seem to do it either. I was already able to
> get the set of attributes to be released logged, and org.apache.http only
> seems to be showing me a connection to Duo for a status check. But still no
> XML cas response itself. We're not using an included servlet container, but
> an external Tomcat where we deploy the cas.war file.
>
> On Wed, Jul 14, 2021 at 9:11 AM Ray Bon  wrote:
>
>> Baron,
>>
>> You may be able to get some data from these loggers:
>>
>> 
>> > name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy"
>> level="debug"/>
>> 
>> > level="debug" />
>> 
>> 
>>
>> Ray
>>
>> On Wed, 2021-07-14 at 08:02 -1000, Baron Fujimoto wrote:
>>
>> Notice: This message was sent from outside the University of Victoria
>> email system. Please be cautious with links and sensitive information.
>>
>> Can CAS logging be configured to log validation responses as they would
>> be sent to the client? E.g., something like this for /p3/serviceValidate:
>>
>>   http://www.yale.edu/tp/cas";>
>> 
>>   username
>>   
>> John
>> Doe
>> Mr.
>> j...@example.org
>> staff
>> faculty
>>   
>>
>> PGTIOU-84678-8a9d...
>> 
>>   
>>
>> This doesn't seem to do it for our CAS 5.0:
>> > includeLocation="true">
>>
>> I'm trying to troubleshoot one of our clients wrestling with their OnBase
>> configuration. They are unable to get their required username attribute,
>> and I can see from our logs they're using /p3/serviceValidate. Some of the
>> logical looking attribute mappings in their config haven't been successful.
>> I'm hoping if we can provide an example of an actual response to
>> their /p3/serviceValidate this will provide clarification, or at least
>> solid data they can use for a support ticket with the vendor.
>>
>> --
>> Baron Fujimoto  :: UH Information Technology Services
>> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
>>
>
>
> --
> Baron Fujimoto  :: UH Information Technology Services
> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
>


[cas-user] CAS vs Spring Security PLUS CAS

2021-07-08 Thread Chris Kell
I'm making a web app for my company for a new product and we've set up a CAS 
server for authentication.  I'm fairly new to Spring in the first place so 
this has been a pretty steep curve all around, but I've finally used the 
java-cas-client to integrate CAS into my app.

I wound up doing this because all the tutorials and guides on how to set up 
Spring Security + CAS never worked.
But now that I've CAS going at all, I'm wondering if I shouldn't go back to 
trying to get it working with Spring Security as well.  Does anyone have 
any comments/thoughts/experiences that might enlighten me as to what the 
"best" path forward is?


[cas-user] CAS 6.4.0-x

2021-07-01 Thread Chris Durham
Hi,

Is it expected that if you have multiple themes defined that the /logout 
page doesn't choose the expected theme (as per the ?service= parameter if 
defined) and always uses the default theme?

Are there any other pages that we should be aware of that can't be themed 
(if not in the default theme)?

Thanks
Chris


[cas-user] Re: CAS 6.4.0-RC5 (and earlier) Forgot Username failure

2021-06-30 Thread Chris Durham
Just wondering if anyone else has any issues in getting the username to 
appear in the email template for Forgot Username in CAS 6.4.0 RC5

On Saturday, 19 June 2021 at 23:49:02 UTC-5 Chris Durham wrote:

> We are trying to use the new Password Management functionality in 6.4.0 
> (with JDBC) and facing a few issues.
>
> When we submit the email for the user we get the following lines in the 
> logs
>
> WARN 
> [org.apereo.cas.authentication.principal.resolvers.ChainingPrincipalResolver] 
> -  principal>
>
> We have the following settings in our properties files
>
> cas.authn.pm.jdbc.sql-find-email=SELECT email FROM user WHERE username = ?
>
> cas.authn.pm.jdbc.sql-find-phone=SELECT phone FROM user WHERE username = ?
>
> cas.authn.pm.jdbc.sql-find-user=SELECT username FROM user WHERE email = ? 
> limit 1
>
> In our resultant email the only attribute that is added is "email" which 
> is the one thing that the user already knows :). We don't get a principal 
> or a username.
>
> Trying to read my way through the code 
> in SendForgotUsernameInstructionsAction
>
> locateUserAndProcess gets the username from 
> PasswordManagementService.findUsername(query)
>
> but sendForgotUsernameEmailToAccount builds the credentials with 
> query.getUsername() - but surely username isn't in Query - otherwise 
> locateUserAndProcess could have done the same thing?
>
> I can see this changed in the 'refactor apis for pswd mgmt' in Feb 2021 - 
> but can't see how username is supposed to get into query...
>
> One thing that is additionally slightly annoying here is that in our case 
> multiple usernames could be associated with a single email address and it 
> would be nice to tell the user all of them.
>
> Also for us it would be great if we could get information about the 
> requesting service in the email to tailor the email even further.
>


[cas-user] (CAS6.4.0-x) AuthenticationHandlers

2021-06-30 Thread Chris Durham
Our CAS installation is sat in front of multiple services (current count of 
about 50) and the users who authenticate may not be able to access all of 
them.

We have used the attribute merging to make a rest call to populate an 
attribute with a list of valid services for a given user but I'm now 
struggling to figure out how to enforce it.

I thought I could define a GroovyAuthenticationHandler and get the script 
to check and also define a Required policy (that required the 
GroovyAuthenticationHandler) but I can't get it to trigger (or even notice 
that I've attempted to define it!).

Also I don't think the Groovy script gets the service passed into it, so I 
suspect we can't even check whether the service is valid for the attribute?

Does anyone have any examples of how to define the 
GroovyAuthenticationHandler and/or the Required handler to point us in the 
right direction?

I also thought about defining RequiredAttributes in the service - but 
whilst I can validate that our "userServices" attribute is present, I need 
to know whether it has a value (and ideally a specific entry in a list).  
Also having to define that for each and every service seems rather 
time-consuming?


[cas-user] CAS 6.4.0-RC5 (and earlier) Forgot Username failure

2021-06-19 Thread Chris Durham
We are trying to use the new Password Management functionality in 6.4.0 
(with JDBC) and facing a few issues.

When we submit the email for the user we get the following lines in the logs

WARN 
[org.apereo.cas.authentication.principal.resolvers.ChainingPrincipalResolver] 
- 

We have the following settings in our properties files

cas.authn.pm.jdbc.sql-find-email=SELECT email FROM user WHERE username = ?

cas.authn.pm.jdbc.sql-find-phone=SELECT phone FROM user WHERE username = ?

cas.authn.pm.jdbc.sql-find-user=SELECT username FROM user WHERE email = ? 
limit 1

In our resultant email the only attribute that is added is "email" which is 
the one thing that the user already knows :). We don't get a principal or a 
username.

Trying to read my way through the code 
in SendForgotUsernameInstructionsAction

locateUserAndProcess gets the username from 
PasswordManagementService.findUsername(query)

but sendForgotUsernameEmailToAccount builds the credentials with 
query.getUsername() - but surely username isn't in Query - otherwise 
locateUserAndProcess could have done the same thing?

I can see this changed in the 'refactor apis for pswd mgmt' in Feb 2021 - 
but can't see how username is supposed to get into query...

One thing that is additionally slightly annoying here is that in our case 
multiple usernames could be associated with a single email address and it 
would be nice to tell the user all of them.

Also for us it would be great if we could get information about the 
requesting service in the email to tailor the email even further.


[cas-user] CAS Management - Configuration classes for tests must be marked with @TestConfiguration Error

2021-05-25 Thread Chris Kell
I am new to CAS, my entire team is, and we are trying to build 6.3.4 and we 
are getting "Configuration classes for tests must be marked with 
@TestConfiguration Error" in casconfiguration.java, which obviously is not 
a test config file.
I've tried disabling tests, but we keep getting the error during the build.
Is there something fundamental about this we're missing?


[cas-user] Re: Configuration classes for tests must be marked with @TestConfiguration

2021-05-24 Thread Chris Kell
Did you find a solution to this?  I have the exact same problem.  Excluding 
tests with gradlew -x test doesn't work.

On Monday, October 12, 2020 at 8:44:29 PM UTC-6 RM2020 wrote:

> Hi, I am using following https://github.com/apereo/cas/releases/tag/v6.2.3 
> release to
> do my first *gradlew.bat clean build *tasks and I get following message. 
> How do I resolve this?
>
> > Task :api:cas-server-core-api-configuration-model:checkstyleMain
> [ant:checkstyle] [ERROR] 
> C:\Users\rm\Downloads\cas-6.2.3\api\cas-server-core-api-configuration-model\src\main\java\org\apereo\cas\configuration\CasConfigurationProperties.java:63:
>  
> Configuration classes for tests must be marked with @TestConfiguration 
> [useTestConfiguration]
>
> > Task :api:cas-server-core-api-configuration-model:checkstyleMain FAILED
>
> FAILURE: Build failed with an exception.
>
> * What went wrong:
> Execution failed for task 
> ':api:cas-server-core-api-configuration-model:checkstyleMain'.
> > Checkstyle rule violations were found. See the report at: 
> file:///C:/Users/rm/Downloads/cas-6.2.3/api/cas-server-core-api-configuration-model/build/reports/checkstyle/main.html
>   Checkstyle files with violations: 1
>   Checkstyle violations by severity: [error:1]
>
>
> * Try:
> Run with --stacktrace option to get the stack trace. Run with --info or 
> --debug option to get more log output. Run with --scan to get full insights.
>
> * Get more help at https://help.gradle.org
>
> Deprecated Gradle features were used in this build, making it incompatible 
> with Gradle 7.0.
> Use '--warning-mode all' to show the individual deprecation warnings.
> See 
> https://docs.gradle.org/6.6.1/userguide/command_line_interface.html#sec:command_line_warnings
>
> BUILD FAILED in 3m 39s
> 47 actionable tasks: 34 executed, 13 up-to-date
>
>



[cas-user] CAS 5.3.2 ConcurrentModificationException when creating TGT

2020-01-28 Thread Chris Luczkow
Hi -

We're seeing this intermittent exception when running under heavy load:

java.util.ConcurrentModificationException: null
    at java.util.ArrayList.sort(ArrayList.java:1464) ~[?:1.8.0_201]
    at java.util.Collections.sort(Collections.java:175) ~[?:1.8.0_201]
    at org.springframework.core.OrderComparator.sort(OrderComparator.java:167) ~[spring-core-4.3.18.RELEASE.jar:4.3.18.RELEASE]
    at org.apereo.cas.rest.factory.ChainingRestHttpRequestCredentialFactory.fromRequestBody(ChainingRestHttpRequestCredentialFactory.java:41) ~[cas-server-core-rest-5.3.2.jar:5.3.2]
    at org.apereo.cas.support.rest.resources.TicketGrantingTicketResource.createTicketGrantingTicketForRequest(TicketGrantingTicketResource.java:114) ~[cas-server-support-rest-5.3.2.jar:5.3.2]
    at org.apereo.cas.support.rest.resources.TicketGrantingTicketResource.createTicketGrantingTicket(TicketGrantingTicketResource.java:66) ~[cas-server-support-rest-5.3.2.jar:5.3.2]

Wondering if this is a known issue or how to troubleshoot further.

Thanks
Chris



Re: [cas-user] Re: SAMLResponse is not base64 encoded

2019-11-21 Thread Chris H
Unfortunately, I never got resolution on this.

Here is my ticket for the OneLogin PHP-SAML lib: 
https://github.com/onelogin/php-saml/issues/390

OneLogin quoted this from the SAML spec:

3.5.4 Message Encoding
Messages are encoded for use with this binding by encoding the XML into an HTML 
form control and are transmitted using the HTTP POST method. A SAML protocol 
message is form-encoded by applying the base-64 encoding rules to the XML 
representation of the message and placing the result in a hidden form control 
within a form as defined by [HTML401] Section 17. The HTML document MUST adhere 
to the XHTML specification, [XHTML]. The base64-encoded value MAY be 
line-wrapped at a reasonable length in accordance with common practice.



I'm fairly confident that we have other clients using CAS as an IdP and 
they are sending base64 encoded responses. Perhaps this is a configuration 
(though I have not been able to locate such a setting) or something that is 
only an issue on specific versions of CAS.


On Thursday, November 21, 2019 at 12:48:33 PM UTC-5, Robert Bond wrote:
>
> I have been running into this same issue for quite a while now. Have not 
> been able to identify the source.
>
> On Thu, Nov 21, 2019 at 11:25 AM Chris G wrote:
>
>> I'm just wondering if anyone figured this out. I have the same 
>> issue--SAML Responses from CAS are NOT base64 encoded, but all the clients 
>> I have seem to expect the SAML Response to be base64 encoded. 
>>
>> Is this a SAML spec, that it should be base64 encoded and CAS isn't 
>> implementing it properly?
>>
>>
>> On Wednesday, September 18, 2019 at 4:55:58 PM UTC-4, Chris H wrote:
>>>
>>>
>>> I am working with a client who's running a CAS server (a backpatched 
>>> version of 3.4.12) as their IdP. We are trying to connect this with our 
>>> product, a SAML SP implemented with OneLogin's PHP client.
>>>
>>> The issue we are having is that the "SAMLResponse" POST parameter is 
>>> coming over in raw form, i.e. it is not base64 encoded. The OneLogin lib 
>>> appears to assume that this value is base64 encoded and throws an exception 
>>> when it is not. I do not see any configuration to override this behaviour.
>>>
>>> Is it possible to configure CAS to base64 encode this value before 
>>> sending?
>>>
>>> Any idea why this would be happening? We have several active SAML2 
>>> integrations with other clients who use CAS as their IdP.
>>>
>>> Thanks!
>>> Chris
>>>
>
>
> -- 
> Robert Bond
> Network Administrator
> (918) 444-5886
> Northeastern State University
>



[cas-user] Re: SAMLResponse is not base64 encoded

2019-11-21 Thread Chris G
I'm just wondering if anyone figured this out. I have the same issue--SAML 
Responses from CAS are NOT base64 encoded, but all the clients I have seem 
to expect the SAML Response to be base64 encoded. 

Is this a SAML spec, that it should be base64 encoded and CAS isn't 
implementing it properly?


On Wednesday, September 18, 2019 at 4:55:58 PM UTC-4, Chris H wrote:
>
>
> I am working with a client who's running a CAS server (a backpatched 
> version of 3.4.12) as their IdP. We are trying to connect this with our 
> product, a SAML SP implemented with OneLogin's PHP client.
>
> The issue we are having is that the "SAMLResponse" POST parameter is 
> coming over in raw form, i.e. it is not base64 encoded. The OneLogin lib 
> appears to assume that this value is base64 encoded and throws an exception 
> when it is not. I do not see any configuration to override this behaviour.
>
> Is it possible to configure CAS to base64 encode this value before 
> sending?
>
> Any idea why this would be happening? We have several active SAML2 
> integrations with other clients who use CAS as their IdP.
>
> Thanks!
> Chris
>



[cas-user] Re: 6.1.1 JSON error with REST authn after update

2019-11-04 Thread Chris M.
Hello!

We have the same problem as Alex here. 

Thanks!


On Thursday, October 31, 2019 at 13:52:52 UTC-4, Alex.B. wrote:
>
> Hi,
>
> We updated CAS from 5.3.14 to 6.1.1 and the REST authn doesn't work 
> anymore. Nothing changed on the rest service side (the same JSON is 
> returned to CAS).
>
> *We get this error :*
>
> 2019-10-31 11:27:34,293 ERROR 
> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[
> service_name]: [Error while extracting response for type [class 
> org.apereo.cas.authentication.principal.SimplePrincipal] and content type 
> [application/json;charset=UTF-8]; nested exception is 
> org.springframework.http.converter.HttpMessageNotReadableException: JSON 
> parse error: Cannot deserialize instance of 
> `java.util.ArrayList` out of VALUE_STRING token; nested 
> exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: 
> Cannot deserialize instance of `java.util.ArrayList` out 
> of VALUE_STRING token
>  at [Source: (PushbackInputStream); line: 1, column: 104] (through 
> reference chain: 
> org.apereo.cas.authentication.principal.SimplePrincipal["attributes"]->java.util.LinkedHashMap["mail"])
>  
> / JSON parse error: Cannot deserialize instance of 
> `java.util.ArrayList` out of VALUE_STRING token; nested 
> exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: 
> Cannot deserialize instance of `java.util.ArrayList` out 
> of VALUE_STRING token
>  at [Source: (PushbackInputStream); line: 1, column: 104] (through 
> reference chain: 
> org.apereo.cas.authentication.principal.SimplePrincipal["attributes"]->java.util.LinkedHashMap["mail"])]>
>
>
> *cas.properties :*
>
> cas.authn.rest.uri=https://service_uri
> cas.authn.rest.name=service_name
>
> *This is an example of the JSON we are receiving from the REST service :*
>
> {
>   "@class": "org.apereo.cas.authentication.principal.SimplePrincipal",
>   "id": "TEST01",
>   "attributes": {
>     "eduPersonAffiliation": ["employee", "member"],
>     "bciCodeEtablissement": "123456",
>     "bciMatricule": "NULL_VALUE",
>     "mail": "test...@test.com",
>     "sn": "Test",
>     "givenName": "Test",
>     "displayName": "test Test",
>     "isMemberOf": ["na...@test.com", "registr...@test.com",
>       "abc-scien...@test.com", "klm-etude...@test.com",
>       "klm-etude...@test.com", "klm-prap...@test.com",
>       "klm.sans...@test.com"]
>   }
> }
>
> Thank you for your help!
>
> Alex.
>



[cas-user] SAMLResponse is not base64 encoded

2019-09-18 Thread Chris H

I am working with a client who's running a CAS server (a backpatched 
version of 3.4.12) as their IdP. We are trying to connect this with our 
product, a SAML SP implemented with OneLogin's PHP client.

The issue we are having is that the "SAMLResponse" POST parameter is 
coming over in raw form, i.e. it is not base64 encoded. The OneLogin lib 
appears to assume that this value is base64 encoded and throws an exception 
when it is not. I do not see any configuration to override this behaviour.

Is it possible to configure CAS to base64 encode this value before sending?

Any idea why this would be happening? We have several active SAML2 
integrations with other clients who use CAS as their IdP.

Thanks!
Chris



Re: [cas-user] CAS 6.1.0-RC2 JWT error

2019-01-15 Thread Chris Peck
HELP

On Tue, Jan 15, 2019 at 11:34 AM K S  wrote:

> here is my service JSON file :
>
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^https://abcd.ad.test.edu/.*",
>   "name" : "JWTService",
>   "id" : 10078999,
>   "theme" : "default",
>   "evaluationOrder" : 1330099,
>   "properties" : {
>     "@class" : "java.util.HashMap",
>     "jwtAsServiceTicket" : {
>       "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
>       "values" : [ "java.util.HashSet", [ "true" ] ]
>     }
>   }
> }
>
>
> here is the error stack i get after logging into CAS:
>
> 2019-01-15 10:23:38,198 WARN [org.apereo.cas.util.function.FunctionUtils]
> -  106751991185212>
> java.time.DateTimeException: Invalid value for EpochDay (valid values
> -365243219162 - 365241780471): 106751991185212
> at
> java.time.temporal.ValueRange.checkValidValue(ValueRange.java:311) ~[?:?]
> at
> java.time.temporal.ChronoField.checkValidValue(ChronoField.java:717) ~[?:?]
> at java.time.LocalDate.ofEpochDay(LocalDate.java:341) ~[?:?]
> at java.time.LocalDate.plusDays(LocalDate.java:1393) ~[?:?]
> at
> java.time.LocalDateTime.plusWithOverflow(LocalDateTime.java:1571) ~[?:?]
> at java.time.LocalDateTime.plusSeconds(LocalDateTime.java:1327)
> ~[?:?]
> at java.time.ZonedDateTime.plusSeconds(ZonedDateTime.java:1767)
> ~[?:?]
> at
> org.apereo.cas.token.JWTTokenTicketBuilder.lambda$build$0(JWTTokenTicketBuilder.java:59)
> ~[cas-server-support-token-core-6.1.0-RC1-SNAPSHOT.jar:6.1.0-RC1-SNAPSHOT]
> at
> org.apereo.cas.util.function.FunctionUtils.lambda$doIf$1(FunctionUtils.java:65)
> ~[cas-server-core-util-api-6.1.0-RC1-SNAPSHOT.jar:6.1.0-RC1-SNAPSHOT]
> at
> org.apereo.cas.token.JWTTokenTicketBuilder.build(JWTTokenTicketBuilder.java:62)
> ~[cas-server-support-token-core-6.1.0-RC1-SNAPSHOT.jar:6.1.0-RC1-SNAPSHOT]
> at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
> Method) ~[?:?]
> at
> jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> ~[?:?]
> at
> jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> ~[?:?]
> at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
> at
> org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:246)
> ~[spring-core-5.1.4.RELEASE.jar:5.1.4.RELEASE]
> at
> org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:494)
> ~[spring-cloud-context-2.1.0.RC2.jar:2.1.0.RC2]
> at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
> ~[spring-aop-5.1.4.RELEASE.jar:5.1.4.RELEASE]
> at
> org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
> ~[spring-aop-5.1.4.RELEASE.jar:5.1.4.RELEASE]
> at com.sun.proxy.$Proxy335.build(Unknown Source) ~[?:?]
> at
> org.apereo.cas.token.authentication.principal.TokenWebApplicationServiceResponseBuilder.generateToken(TokenWebApplicationServiceResponseBuilder.java:72)
> ~[cas-server-support-token-tickets-6.1.0-RC1-SNAPSHOT.jar:6.1.0-RC1-SNAPSHOT]
> at
> org.apereo.cas.token.authentication.principal.TokenWebApplicationServiceResponseBuilder.buildInternal(TokenWebApplicationServiceResponseBuilder.java:51)
> ~[cas-server-support-token-tickets-6.1.0-RC1-SNAPSHOT.jar:6.1.0-RC1-SNAPSHOT]
> at
> org.apereo.cas.authentication.principal.WebApplicationServiceResponseBuilder.build(WebApplicationServiceResponseBuilder.java:45)
> ~[cas-server-core-services-authentication-6.1.0-RC1-SNAPSHOT.jar:6.1.0-RC1-SNAPSHOT]
> at
> org.apereo.cas.web.flow.actions.RedirectToServiceAction.doExecute(RedirectToServiceAction.java:41)
> ~[cas-server-core-webflow-api-6.1.0-RC1-SNAPSHOT.jar:6.1.0-RC1-SNAPSHOT]
> at
> org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
> ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
> at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
> Method) ~[?:?]
> at
> jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> ~[?:?]
> at
> jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> ~[?:?]
> at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
> at
> org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:246)
> ~[spring-core-5.1.4.RELEASE.jar:5.1.4.RELEASE]
> at
> org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:494)
> ~[spring-cloud-context-2.1.0.RC2.jar:2.1.0.RC2]
> at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
> ~[spring-aop-5.1.4.RELEASE.jar:5.1.4.RELEASE]
> at
> org.springfra

[cas-user] certificates

2018-03-23 Thread Cheltenham, Chris
Hello Everyone, 

Are we to create a certificate XX.der configured in cas.properties separate 
from the tomcat or jetty keystore? 

=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 



[cas-user] Inspektr

2018-02-28 Thread Cheltenham, Chris


Does anyone use inspektr ?

I simply changed error to info this entry in log4j2

From what I read this is supposed to log into cas_audit.log.

Is that all that I am to do?

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571 



[cas-user] Dashboard Issue with Waterfox

2018-02-28 Thread Cheltenham, Chris


Hello Everyone.

Has anyone seen this problem.

I was finally able to set up the dashboard with some help.

However I found a strange anomaly.

Using Waterfox, the 64 bit firefox I get a 500 internal error.

ANY OTHER browser I used it works just fine.

Yes I dumped the cache and cleared history several times.

Also, it gives you a java stack trace in the CAS logs saying 

2018-02-28 10:22:12,567 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - 
org.pac4j.core.exception.TechnicalException: cannot validate CAS ticket: ST-8-NW9hG5iesq69gE4h8cNehuDlKh0-devcas5

Caused by: org.jasig.cas.client.validation.TicketValidationException: Ticket 'ST-8-NW9hG5iesq69gE4h8cNehuDlKh0-devcas5' not recognized

Always the same ticket # also.

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571 



RE: [cas-user] /cas/status/dashboard

2018-02-27 Thread Cheltenham, Chris
David,

Do I need pac4j for the service registry?

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David Curry
Sent: Tuesday, February 27, 2018 8:58 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] /cas/status/dashboard

If you use "config" then the property is being ignored because it doesn't do 
anything, and you are likely getting the wildcard service registry entry in 
the classpath.

If you use "json" then you are most likely correctly getting your 
/etc/cas/services directory, and assuming you didn't copy the wildcard 
entry, you're not matching it any more. As to application not authorized, 
that means you don't have a correct entry.

When you have it set to "json", what does the debug log tell you it's 
loading for services?

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

On Tue, Feb 27, 2018 at 8:51 AM, Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:
Guys,

When I changed config to json , I get Application Not Authorized to use CAS.

I am not sure if that's a good thing or not.

If I change json back to config, the portal will open.

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Matthew Uribe
Sent: Monday, February 26, 2018 3:35 PM
To: CAS Community <cas-user@apereo.org>
Subject: Re: [cas-user] /cas/status/dashboard



Chris,

I ran into the same problem. I added json files to /etc/cas/services but CAS 
was only reading those in the classpath/services directory.

I found that my problem was in my cas.properties:

Incorrect:

cas.serviceRegistry.config.location:   file:/etc/cas/services

Correct:

cas.serviceRegistry.json.location: file:/etc/cas/services

On Monday, February 26, 2018 at 12:50:26 PM UTC-7, Chris Cheltenham wrote:

David,

The only thing I can tell is that CAS is not seeing the json file from 
/etc/cas/services.

I created two and they never show up loaded in the logs.

Only the two default ones, I guess they are, show up.

2018-02-26 14:42:49,710 DEBUG [org.apereo.cas.services.AbstractServicesManager] - https://www.apereo.org]>
2018-02-26 14:42:49,710 DEBUG [org.apereo.cas.services.AbstractServicesManager] - 
2018-02-26 14:42:49,710 INFO [org.apereo.cas.services.AbstractServicesManager] - 

I have two json files.

cas-services5.xml

{
  @class: org.apereo.cas.services.RegexRegisteredService
  serviceId: https://devcas5\.philasd\.org/cas-services/.*
  name: HTTPS
  id: 101
  description: HTTPS protocol wildcard service.
  evaluationOrder: 1000
}

And

cas-dashboard.xml

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://devcass5.philasd.org/cas/status/dashboard(\\z|/.*)",
  "name" : "CAS Admin Dashboard",
  "id" : 12
  "description" : "CAS dashboard and administrative endpoints",
  "evaluationOrder" : 1001
}

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia
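
The two checks this exchange turns on, as an added example (not code from the thread or from the CAS project): whether cas.properties uses the `json` registry key rather than the ignored `config` key, and whether a service URL matches any posted `serviceId` pattern. The inputs are constructed from the messages above, with the two definitions rewritten as strict JSON; whole-URL matching and the `\z` to `\Z` translation for Python's `re` module are assumptions of this sketch.

```python
import json
import re

# Key the thread reports as ignored, and the key it reports as correct.
IGNORED_KEY = "cas.serviceRegistry.config.location"
JSON_KEY = "cas.serviceRegistry.json.location"

# Constructed inputs: the property line marked "Incorrect" above, and the two posted
# service definitions as strict JSON, hostnames exactly as posted.
CAS_PROPERTIES = "cas.serviceRegistry.config.location:   file:/etc/cas/services\n"
SERVICE_DEFINITIONS = [
    r'''{"serviceId": "https://devcas5\\.philasd\\.org/cas-services/.*",
         "name": "HTTPS", "id": 101, "evaluationOrder": 1000}''',
    r'''{"serviceId": "^https://devcass5.philasd.org/cas/status/dashboard(\\z|/.*)",
         "name": "CAS Admin Dashboard", "id": 12, "evaluationOrder": 1001}''',
]
DASHBOARD_URL = "https://devcas5.philasd.org/cas/status/dashboard"


def parse_properties(text):
    """Parse key/value lines that use either '=' or ':' as the separator."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def registry_findings(props):
    """Report the service-registry misconfiguration described in the thread."""
    findings = []
    if IGNORED_KEY in props:
        findings.append(
            f"{IGNORED_KEY} is set but ignored; the classpath registry, "
            "including its wildcard entry, stays in effect"
        )
    if JSON_KEY not in props:
        findings.append(f"{JSON_KEY} is not set; no external services directory is read")
    return findings


def matching_services(service_url, definitions):
    """Return names of definitions whose serviceId matches, lowest evaluationOrder first."""
    matches = []
    for raw in definitions:
        service = json.loads(raw)
        # Assumption: the pattern must match the whole URL. Java's \z (end of input)
        # is written \Z in Python's re module.
        pattern = service["serviceId"].replace(r"\z", r"\Z")
        if re.fullmatch(pattern, service_url):
            matches.append((service["evaluationOrder"], service["name"]))
    return [name for _, name in sorted(matches)]


if __name__ == "__main__":
    for finding in registry_findings(parse_properties(CAS_PROPERTIES)):
        print("properties:", finding)
    names = matching_services(DASHBOARD_URL, SERVICE_DEFINITIONS)
    print(DASHBOARD_URL, "->", names or "no matching service definition")
```

With the hostnames as posted (`devcass5` in the dashboard definition, `devcas5` in the URL being requested), the dashboard URL matches neither pattern, which is the condition David Curry describes as not having a correct entry.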


RE: [cas-user] /cas/status/dashboard

2018-02-27 Thread Cheltenham, Chris
utes={}],publicKey=,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@60a66b66,logo=images/logo_cas.png,logoutUrl=,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@3b99bf80[multifactorAuthenticationProviders=[],failureMode=NOT_SET,principalAttributeNameTrigger=,principalAttributeValueToMatch=,bypassEnabled=false],informationUrl=,privacyUrl=,contacts=[],expirationPolicy=org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy@d9010e3[deleteWhenExpired=false,notifyWhenDeleted=false,expirationDate=],]]>

2018-02-27 09:36:57,741 DEBUG 
[org.apereo.cas.services.AbstractServicesManager] - https://www.apereo.org]>

2018-02-27 09:36:57,741 DEBUG 
[org.apereo.cas.services.AbstractServicesManager] - 

2018-02-27 09:36:57,742 INFO 
[org.apereo.cas.services.AbstractServicesManager] - 

2018-02-27 09:37:14,507 DEBUG 
[org.apereo.cas.services.AbstractServicesManager] - 

2018-02-27 09:37:14,507 INFO 
[org.apereo.cas.services.AbstractServicesManager] - 



===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


RE: [cas-user] Dashboard

2018-02-27 Thread Cheltenham, Chris
Ok , I guess I got mixed up with the $(cas.server) variable stuff in 
cas.properties.

So I set everything to the fqdn.

Now I get this url

https://devcas5.philasd.org/cas/status/dashboard?ticket=ST-3-hQduCqZgLwM3Scuh8r4Ry-5ctNo-devcas5

Now I get access denied ..

Here is admuser.properties

ccheltenham-ext=passwordnotused,ROLE_ADMIN

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David 
Curry
Sent: Monday, February 26, 2018 9:58 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] Dashboard



Chris,



In the URL you posted:




https://devcas5.philasd.org/cas/status/$%7Bcas.server.prefix%7D/login?service=https%3A%2F%2Fdevcas5.philasd.org%2Fcas%2Fstatus%2Fdashboard



what is this part:



$%7Bcas.server.prefix%7D



supposed to do?



Looks like maybe you have a typo somewhere. The URL should look like this:



 
https://casdev.newschool.edu/cas/login?service=https%3A%2F%2Fcasdev.newschool.edu%2Fcas%2Fstatus%2Fdashboard

--Dave

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

On Mon, Feb 26, 2018 at 9:52 AM, Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:

Actually I did not figure out my issue

If anyone knows why I am getting page not found /status/dashboard please see below …

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Cheltenham, Chris
Sent: Monday, February 26, 2018 9:36 AM
To: cas-user@apereo.org
Subject: RE: [cas-user] Dashboard

I think I figured out that yes I do need a service JSON for the dashboard.

Please disregard.

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Cheltenham, Chris
Sent: Monday, February 26, 2018 9:30 AM
To: cas-user@apereo.org
Subject: [cas-user] Dashboard

Using David Curry’s dashboard instructions I seem to have either missed something.

I get

PAGE Not Found

at this url

https://devcas5.philasd.org/cas/status/$%7Bcas.server.prefix%7D/login?service=https%3A%2F%2Fdevcas5.philasd.org%2Fcas%2Fstatus%2Fdashboard

Don’t I need a service for the dashboard in /etc/cas/services?

Logs say I need a json I believe.

Am I seeing this correctly?

2018-02-26 09:17:32,241 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - https://devcas5.philasd.org/cas/status/dashboard>

2018-02-26 09:17:51,235 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - https://devcas5.philasd.org/cas/status/dashboard>

2018-02-26 09:21:13,277 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - https://devcas5.philasd.org/cas/status/dashboard>

2018-02-26 09:23:10,111 INFO [org.springframework.boot.actuate.endpoint.mvc.EndpointHandlerMapping] - org.apereo.cas.web.report.DashboardController.getEndpoints(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)>

2018-02-26 09:23:10,111 INFO [org.springframework.boot.actuate.endpoint.mvc.EndpointHandlerMapping] - 

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

RE: [cas-user] Dashboard

2018-02-27 Thread Cheltenham, Chris
David,



To answer the URL question.



It was coming from a variable setting in management.properties.

I took out all the variables for FQDN.





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David 
Curry
Sent: Monday, February 26, 2018 9:58 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] Dashboard



Chris,



In the URL you posted:




https://devcas5.philasd.org/cas/status/$%7Bcas.server.prefix%7D/login?service=https%3A%2F%2Fdevcas5.philasd.org%2Fcas%2Fstatus%2Fdashboard



what is this part:



$%7Bcas.server.prefix%7D



supposed to do?



Looks like maybe you have a typo somewhere. The URL should look like this:



https://casdev.newschool.edu/cas/login?service=https%3A%2F%2Fcasdev.newschool.edu%2Fcas%2Fstatus%2Fdashboard



--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu



On Mon, Feb 26, 2018 at 9:52 AM, Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:



Actually I did not figure out my issue



If anyone knows why I am getting page not found /status/dashboard please see 
below …



===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Cheltenham, Chris
Sent: Monday, February 26, 2018 9:36 AM
To: cas-user@apereo.org
Subject: RE: [cas-user] Dashboard



I think I figured out that yes I do need a service JSON for the dashboard.

Please disregard.





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Cheltenham, Chris
Sent: Monday, February 26, 2018 9:30 AM
To: cas-user@apereo.org
Subject: [cas-user] Dashboard



Using David Curry’s dashboard instructions I seem to have either missed 
something.



I get



PAGE Not Found



at this url



https://devcas5.philasd.org/cas/status/$%7Bcas.server.prefix%7D/login?service=https%3A%2F%2Fdevcas5.philasd.org%2Fcas%2Fstatus%2Fdashboard



Don’t I need a service for the dashboard in /etc/cas/services?



Logs say I need a json I believe.

Am I seeing this correctly?



2018-02-26 09:17:32,241 DEBUG 
[org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - https://devcas5.philasd.org/cas/status/dashboard>

2018-02-26 09:17:51,235 DEBUG 
[org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - https://devcas5.philasd.org/cas/status/dashboard>

2018-02-26 09:21:13,277 DEBUG 
[org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - https://devcas5.philasd.org/cas/status/dashboard>

2018-02-26 09:23:10,111 INFO 
[org.springframework.boot.actuate.endpoint.mvc.EndpointHandlerMapping] - 
 
org.apereo.cas.web.report.DashboardController.getEndpoints(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)>

2018-02-26 09:23:10,111 INFO 
[org.springframework.boot.actuate.endpoint.mvc.EndpointHandlerMapping] - 






===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


RE: [cas-user] /cas/status/dashboard

2018-02-27 Thread Cheltenham, Chris
Guys,



When I changed config to json, I get Application Not Authorized to use CAS.

I am not sure if that's a good thing or not.



If I change json back to config, the portal will open.







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Matthew 
Uribe
Sent: Monday, February 26, 2018 3:35 PM
To: CAS Community 
Subject: Re: [cas-user] /cas/status/dashboard



Chris,



I ran into the same problem. I added json files to /etc/cas/services but CAS 
was only reading those in the classpath/services directory.

I found that my problem was in my cas.properties:



Incorrect:

cas.serviceRegistry.config.location:   file:/etc/cas/services

Correct:

cas.serviceRegistry.json.location: file:/etc/cas/services


On Monday, February 26, 2018 at 12:50:26 PM UTC-7, Chris Cheltenham wrote:

David,



The only thing I can tell is that CAS is not seeing the json file from 
/etc/cas/services.

I created two and they never show up loaded in the logs.



Only the two default ones, I guess they are, show up.





2018-02-26 14:42:49,710 DEBUG 
[org.apereo.cas.services.AbstractServicesManager] - https://www.apereo.org]>

2018-02-26 14:42:49,710 DEBUG 
[org.apereo.cas.services.AbstractServicesManager] - 

2018-02-26 14:42:49,710 INFO 
[org.apereo.cas.services.AbstractServicesManager] - 



I have two json files.





cas-services5.xml



{

  @class: org.apereo.cas.services.RegexRegisteredService

  serviceId: https://devcas5\.philasd\.org/cas-services/.*

  name: HTTPS

  id: 101

  description: HTTPS protocol wildcard service.

  evaluationOrder: 1000

}







And





cas-dashboard.xml





{

  "@class" : "org.apereo.cas.services.RegexRegisteredService",

  "serviceId" : "^https://devcass5.philasd.org/cas/status/dashboard(\\z|/.*)",

  "name" : "CAS Admin Dashboard",

  "id" : 12

  "description" : "CAS dashboard and administrative endpoints",

  "evaluationOrder" : 1001

}





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia



-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/004701d3afd2%2407b4d1c0%24171e7540%24%40philasd.org.


RE: [cas-user] /cas/status/dashboard

2018-02-27 Thread Cheltenham, Chris
David,



Re: cas.properties



I tried using the colon on every single line and I got all kinds of errors.

Mainly ssl errors ..



When I put the equals back in , it worked.



I am NOT saying you’re wrong nanny nanny poo poo …

I just saw a bunch of things break without the equals.







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David 
Curry
Sent: Tuesday, February 27, 2018 8:36 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] /cas/status/dashboard



You can use colons or equals signs, it doesn't matter. And whitespace 
between the property name and the property value is ignored (but whitespace 
at the end of the line is not).



https://docs.oracle.com/cd/E23095_01/Platform.93/ATGProgGuide/html/s0204propertiesfileformat01.html



Personally I like colons and columns that line up for readability, but 
that's me. The CAS team seems to like equals signs and no extra whitespace. 
You can use whichever format you're comfortable with, although I might 
suggest standardizing on one or the other just for sanity's sake. :-)



--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu



On Tue, Feb 27, 2018 at 8:11 AM, Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:

Thanks guys, I have the json service registry dependency in both cas and 
cas-management pom.xml.



One thing that might be tripping me up here is when to use an “=” or is it a 
“:”



For example I have them mixed.



i.e.



cas.serviceRegistry.json.location:file:/etc/cas/services

or is it

cas.serviceRegistry.json.location = file:/etc/cas/services



and I am assuming those long blank spaces don’t mean anything.



I am 95% sure my problem is in the config files, I'm just not sure where.







=======

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Kevin Liu
Sent: Monday, February 26, 2018 3:56 PM
To: CAS Community <cas-user@apereo.org>
Subject: Re: [cas-user] /cas/status/dashboard



I concur with Matthew. That was my issue too until I changed it. Then 
services started picking up.

On Monday, February 26, 2018 at 2:37:37 PM UTC-6, David Curry wrote:

But think of all the experience you're getting! :-)



Seriously, I know the feeling. I think we've all been there before.



--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu



On Mon, Feb 26, 2018 at 3:35 PM, Cheltenham, Chris  
wrote:

I do , I will check everything again in the morning.



Thanks for your help.



It’s frustrating because I know it’s something stupid but I just don’t see 
it yet.





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-...@apereo.org [mailto:cas-...@apereo.org] On Behalf Of David 
Curry
Sent: Monday, February 26, 2018 3:22 PM


To: cas-...@apereo.org
Subject: Re: [cas-user] /cas/status/dashboard



Do you have





<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-support-json-service-registry</artifactId>
  <version>${cas.version}</version>
</dependency>





in pom.xml and



cas.serviceRegistry.json.location:file:/etc/cas/services



in cas.properties?



If not, you need them. If so, then dig through the archives of this group in 
the last month or two; some other folks were having similar issues.



--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu



On Mon, Feb 26, 2018 at 2:50 PM, Cheltenham, Chris  
wrote:

David,



The only thing I can tell is that CAS is not seeing the json file from 
/etc/cas/services.

I created two and they never show up loaded in the logs.



Only the two default ones, I guess they are, show up.





2018-02-26 14:42:49,710 DEBUG 
[
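Added example, not part of the thread or of CAS: a small Python lint that splits cas.properties lines by the java.util.Properties rules David describes (`=` or `:` as separator, whitespace before the value dropped, whitespace at the end of the line kept) and flags the `config` key that Matthew's reply marks as incorrect. The sample text is constructed from property lines quoted in the thread; escape sequences are left as written.

```python
"""Lint cas.properties text using the java.util.Properties line rules."""

# Key the thread marks "Incorrect" and the key it marks "Correct".
WRONG_KEY = "cas.serviceRegistry.config.location"
RIGHT_KEY = "cas.serviceRegistry.json.location"
BLANKS = " \t\f"


def logical_lines(text):
    """Yield (first_line_number, text) for each property, skipping blank and
    comment lines and joining lines that end in a continuation backslash."""
    pending, start = "", 0
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.lstrip(BLANKS)
        if not pending:
            if not line or line[0] in "#!":
                continue
            start = number
        # An odd number of trailing backslashes continues onto the next line.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            pending += line[:-1]
            continue
        yield start, pending + line
        pending = ""
    if pending:
        yield start, pending


def split_pair(line):
    """Split one logical line into (key, value). The key ends at the first
    unescaped '=', ':' or blank; the value keeps its trailing whitespace."""
    i, n = 0, len(line)
    while i < n:
        if line[i] == "\\":
            i += 2  # an escaped character stays in the key
            continue
        if line[i] in "=:" + BLANKS:
            break
        i += 1
    key, j = line[:i], i
    # Skip blanks, then at most one separator character, then blanks again.
    while j < n and line[j] in BLANKS:
        j += 1
    if j < n and line[j] in "=:":
        j += 1
        while j < n and line[j] in BLANKS:
            j += 1
    return key, line[j:]


def lint(text):
    """Return (properties, findings); findings are (line, key, message)."""
    props, findings = {}, []
    for number, line in logical_lines(text):
        key, value = split_pair(line)
        if value != value.rstrip(BLANKS):
            findings.append((number, key, "trailing whitespace is part of the value"))
        if key == WRONG_KEY:
            findings.append((number, key, "key marked incorrect in the thread; expected " + RIGHT_KEY))
        if key in props and props[key] != value:
            findings.append((number, key, "redefined with a different value"))
        props[key] = value
    return props, findings


# Constructed sample: the separator styles asked about in the thread, the
# "config" key, and one value with a trailing space.
SAMPLE = (
    "# constructed sample\n"
    "cas.serviceRegistry.json.location:file:/etc/cas/services\n"
    "cas.serviceRegistry.json.location = file:/etc/cas/services\n"
    "cas.serviceRegistry.config.location:   file:/etc/cas/services\n"
    "cas.adminPagesSecurity.users: file:/etc/cas/config/users.properties \n"
)

if __name__ == "__main__":
    for number, key, message in lint(SAMPLE)[1]:
        print(f"line {number}: {key}: {message}")
```
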

RE: [cas-user] /cas/status/dashboard

2018-02-27 Thread Cheltenham, Chris
Thanks guys, I have the json service registry dependency in both cas and 
cas-management pom.xml.



One thing that might be tripping me up here is when to use an “=” or is it a 
“:”



For example I have them mixed.



i.e.



cas.serviceRegistry.json.location:file:/etc/cas/services

or is it

cas.serviceRegistry.json.location = file:/etc/cas/services



and I am assuming those long blank spaces don’t mean anything.



I am 95% sure my problem is in the config files, I'm just not sure where.







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Kevin 
Liu
Sent: Monday, February 26, 2018 3:56 PM
To: CAS Community 
Subject: Re: [cas-user] /cas/status/dashboard



I concur with Matthew. That was my issue too until I changed it. Then 
services started picking up.

On Monday, February 26, 2018 at 2:37:37 PM UTC-6, David Curry wrote:

But think of all the experience you're getting! :-)



Seriously, I know the feeling. I think we've all been there before.



--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu



On Mon, Feb 26, 2018 at 3:35 PM, Cheltenham, Chris wrote:

I do , I will check everything again in the morning.



Thanks for your help.



It’s frustrating because I know it’s something stupid but I just don’t see 
it yet.





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-...@apereo.org [mailto:cas-...@apereo.org] On Behalf Of David Curry
Sent: Monday, February 26, 2018 3:22 PM


To: cas-...@apereo.org 
Subject: Re: [cas-user] /cas/status/dashboard



Do you have





<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-support-json-service-registry</artifactId>
  <version>${cas.version}</version>
</dependency>





in pom.xml and



cas.serviceRegistry.json.location:file:/etc/cas/services



in cas.properties?



If not, you need them. If so, then dig through the archives of this group in 
the last month or two; some other folks were having similar issues.



--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu



On Mon, Feb 26, 2018 at 2:50 PM, Cheltenham, Chris wrote:

David,



The only thing I can tell is that CAS is not seeing the json file from 
/etc/cas/services.

I created two and they never show up loaded in the logs.



Only the two default ones, I guess they are, show up.





2018-02-26 14:42:49,710 DEBUG 
[org.apereo.cas.services.AbstractServicesManager] - https://www.apereo.org]>

2018-02-26 14:42:49,710 DEBUG 
[org.apereo.cas.services.AbstractServicesManager] - 

2018-02-26 14:42:49,710 INFO 
[org.apereo.cas.services.AbstractServicesManager] - 



I have two json files.





cas-services5.xml



{

  @class: org.apereo.cas.services.RegexRegisteredService

  serviceId: https://devcas5\.philasd\.org/cas-services/.*

  name: HTTPS

  id: 101

  description: HTTPS protocol wildcard service.

  evaluationOrder: 1000

}







And





cas-dashboard.xml





{

  "@class" : "org.apereo.cas.services.RegexRegisteredService",

  "serviceId" : "^https://devcass5.philasd.org/cas/status/dashboard(\\z|/.*)",

  "name" : "CAS Admin Dashboard",

  "id" : 12

  "description" : "CAS dashboard and administrative endpoints",

  "evaluationOrder" : 1001

}





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-...@apereo.org [mailto:cas-...@apereo.org] On Behalf Of David Curry
Sent: Monday, February 26, 2018 2:29 PM
To: cas-...@apereo.org 
Subject: Re: [cas-user] /cas/status/dashboard



I think we've been through most of these at one time or another, but to 
assemble them all in one place...



1. You have all of these:



# The /status endpoint is protected by IP address only.

cas.adminPagesSecurity.ip:  ...a valid regex to 

RE: [cas-user] /cas/status/dashboard

2018-02-26 Thread Cheltenham, Chris
I do , I will check everything again in the morning.



Thanks for your help.



It’s frustrating because I know it’s something stupid but I just don’t see 
it yet.





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David 
Curry
Sent: Monday, February 26, 2018 3:22 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] /cas/status/dashboard



Do you have





<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-support-json-service-registry</artifactId>
  <version>${cas.version}</version>
</dependency>





in pom.xml and



cas.serviceRegistry.json.location:file:/etc/cas/services



in cas.properties?



If not, you need them. If so, then dig through the archives of this group in 
the last month or two; some other folks were having similar issues.



--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu



On Mon, Feb 26, 2018 at 2:50 PM, Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:

David,



The only thing I can tell is that CAS is not seeing the json file from 
/etc/cas/services.

I created two and they never show up loaded in the logs.



Only the two default ones, I guess they are, show up.





2018-02-26 14:42:49,710 DEBUG 
[org.apereo.cas.services.AbstractServicesManager] - https://www.apereo.org]>

2018-02-26 14:42:49,710 DEBUG 
[org.apereo.cas.services.AbstractServicesManager] - 

2018-02-26 14:42:49,710 INFO 
[org.apereo.cas.services.AbstractServicesManager] - 



I have two json files.





cas-services5.xml



{

  @class: org.apereo.cas.services.RegexRegisteredService

  serviceId: https://devcas5\.philasd\.org/cas-services/.*

  name: HTTPS

  id: 101

  description: HTTPS protocol wildcard service.

  evaluationOrder: 1000

}







And





cas-dashboard.xml





{

  "@class" : "org.apereo.cas.services.RegexRegisteredService",

  "serviceId" : "^https://devcass5.philasd.org/cas/status/dashboard(\\z|/.*)",

  "name" : "CAS Admin Dashboard",

  "id" : 12

  "description" : "CAS dashboard and administrative endpoints",

  "evaluationOrder" : 1001

}





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David Curry
Sent: Monday, February 26, 2018 2:29 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] /cas/status/dashboard



I think we've been through most of these at one time or another, but to 
assemble them all in one place...



1. You have all of these:



# The /status endpoint is protected by IP address only.
cas.adminPagesSecurity.ip:                       ...a valid regex to match your authorized addresses...

# The /status/whatever endpoints are protected by the CAS server, using a
# list of admin users in "users.properties".
cas.adminPagesSecurity.loginUrl:                 ${cas.server.prefix}/login
cas.adminPagesSecurity.service:                  ${cas.server.prefix}/status/dashboard
cas.adminPagesSecurity.users:                    file:/etc/cas/config/users.properties

# Define an administrator role. (This is the default; you probably don't need to set it explicitly.)
cas.adminPagesSecurity.adminRoles[0]:            ROLE_ADMIN

# Enable the Spring Boot actuators as well as the CAS actuators.
cas.adminPagesSecurity.actuatorEndpointsEnabled: true
cas.monitor.endpoints.enabled:                   true
endpoints.enabled:                               true

# Marking the endpoints "sensitive" would protect them with Spring Security;
# we want to protect them with the CAS server.
cas.monitor.endpoints.sensitive:                 false
endpoints.sensitive:                             false



2. You have a service definition that allows the dashboard to authenticate 
via CAS:



{

  "@class" : "org.apereo.cas.services.RegexRegisteredService",

  "serviceId" : "^https://your.cas.server.host.and.port.here/cas/status/dashboard(\\z|/.*)",

  "name" : "CAS Admin Dashboard",

  "id" : 123456789,

  "description" : "CAS dashboard and administrative endpoints",

  "evaluationOrder" : 1234

}



3. You're sure that the "ccheltenham-ext" user can succ

RE: [cas-user] /cas/status/dashboard

2018-02-26 Thread Cheltenham, Chris
David,



The only thing I can tell is that CAS is not seeing the json file from 
/etc/cas/services.

I created two and they never show up loaded in the logs.



Only the two default ones, I guess they are, show up.





2018-02-26 14:42:49,710 DEBUG 
[org.apereo.cas.services.AbstractServicesManager] - https://www.apereo.org]>

2018-02-26 14:42:49,710 DEBUG 
[org.apereo.cas.services.AbstractServicesManager] - 

2018-02-26 14:42:49,710 INFO 
[org.apereo.cas.services.AbstractServicesManager] - 



I have two json files.





cas-services5.xml



{

  @class: org.apereo.cas.services.RegexRegisteredService

  serviceId: https://devcas5\.philasd\.org/cas-services/.*

  name: HTTPS

  id: 101

  description: HTTPS protocol wildcard service.

  evaluationOrder: 1000

}







And





cas-dashboard.xml





{

  "@class" : "org.apereo.cas.services.RegexRegisteredService",

  "serviceId" : 
"^https://devcass5.philasd.org/cas/status/dashboard(\\z|/.*)",

  "name" : "CAS Admin Dashboard",

  "id" : 12

  "description" : "CAS dashboard and administrative endpoints",

  "evaluationOrder" : 1001

}





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David 
Curry
Sent: Monday, February 26, 2018 2:29 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] /cas/status/dashboard



I think we've been through most of these at one time or another, but to 
assemble them all in one place...



1. You have all of these:



# The /status endpoint is protected by IP address only.
cas.adminPagesSecurity.ip:                       ...a valid regex to match your authorized addresses...

# The /status/whatever endpoints are protected by the CAS server, using a
# list of admin users in "users.properties".
cas.adminPagesSecurity.loginUrl:                 ${cas.server.prefix}/login
cas.adminPagesSecurity.service:                  ${cas.server.prefix}/status/dashboard
cas.adminPagesSecurity.users:                    file:/etc/cas/config/users.properties

# Define an administrator role. (This is the default; you probably don't need to set it explicitly.)
cas.adminPagesSecurity.adminRoles[0]:            ROLE_ADMIN

# Enable the Spring Boot actuators as well as the CAS actuators.
cas.adminPagesSecurity.actuatorEndpointsEnabled: true
cas.monitor.endpoints.enabled:                   true
endpoints.enabled:                               true

# Marking the endpoints "sensitive" would protect them with Spring Security;
# we want to protect them with the CAS server.
cas.monitor.endpoints.sensitive:                 false
endpoints.sensitive:                             false



2. You have a service definition that allows the dashboard to authenticate 
via CAS:



{

  "@class" : "org.apereo.cas.services.RegexRegisteredService",

  "serviceId" : "^https://your.cas.server.host.and.port.here/cas/status/dashboard(\\z|/.*)",

  "name" : "CAS Admin Dashboard",

  "id" : 123456789,

  "description" : "CAS dashboard and administrative endpoints",

  "evaluationOrder" : 1234

}



3. You're sure that the "ccheltenham-ext" user can successfully authenticate 
via CAS. Go to https://yourserver/cas/login to check. (Even if you're "sure," 
check it anyway, just to remove it from the equation.)



4. You're attempting to access the dashboard from an IP address that matches 
the pattern configured in cas.adminPagesSecurity.ip.



All of that together ought to do it. If it doesn't, change the CAS logging 
level to "debug" and see what you get in cas.log



--Dave








--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu



On Mon, Feb 26, 2018 at 2:04 PM, Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:



Hello,



I have been struggling with access denied on the dashboard



-  users.properties only has the following.



ccheltenham-ext=passwordnotused,ROLE_ADMIN



What else could I have misconfigured?







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571
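Added example, not part of the thread or of CAS: a Python check for step 2 of the checklist that tests the `serviceId` patterns posted in this message against the dashboard service URL from the login redirect. It assumes CAS tries definitions in ascending `evaluationOrder` and requires the pattern to match the whole URL; `FIXED` is a hypothetical corrected definition. With the values as posted (pattern host `devcass5`, redirect host `devcas5`) no definition matches.

```python
"""Check CAS serviceId regexes against the service URL they must authorize."""
import re

# Definitions as posted in the thread; serviceId is shown after JSON
# unescaping, so "\\z" in the file appears as \z here.
THREAD_SERVICES = [
    {"name": "HTTPS", "id": 101, "evaluationOrder": 1000,
     "serviceId": r"https://devcas5\.philasd\.org/cas-services/.*"},
    {"name": "CAS Admin Dashboard", "id": 12, "evaluationOrder": 1001,
     "serviceId": r"^https://devcass5.philasd.org/cas/status/dashboard(\z|/.*)"},
]

# Hypothetical corrected definition: host spelled as in the redirect, dots escaped.
FIXED = {"name": "CAS Admin Dashboard", "id": 12, "evaluationOrder": 1001,
         "serviceId": r"^https://devcas5\.philasd\.org/cas/status/dashboard(\z|/.*)"}

# Service URL carried in the login redirect quoted in the thread.
DASHBOARD = "https://devcas5.philasd.org/cas/status/dashboard"


def java_to_python(pattern):
    r"""Translate Java's \z (end of input) to Python's \Z; other escapes pass through."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append("\\Z" if nxt == "z" else "\\" + nxt)
            i += 2
        else:
            out.append(pattern[i])
            i += 1
    return "".join(out)


def matching_service(services, url):
    """Return the first definition, by evaluationOrder, whose serviceId matches
    the whole URL, or None (the case CAS reports as not authorized)."""
    for svc in sorted(services, key=lambda s: s["evaluationOrder"]):
        if re.fullmatch(java_to_python(svc["serviceId"]), url):
            return svc
    return None


def unescaped_host_dots(pattern):
    """Count '.' characters in the host part that are not written as '\\.'.
    Each one matches any character, so the pattern accepts more hosts than intended."""
    host = re.search(r"://([^/]*)", pattern)
    return len(re.findall(r"(?<!\\)\.", host.group(1))) if host else 0


def report(services, url):
    """Return printable findings for one service URL."""
    lines = []
    hit = matching_service(services, url)
    lines.append(f"{url} -> " + (f"service id {hit['id']}" if hit else "no matching service"))
    for svc in services:
        loose = unescaped_host_dots(svc["serviceId"])
        if loose:
            lines.append(f"service id {svc['id']}: {loose} unescaped '.' in host")
    return lines


if __name__ == "__main__":
    print("\n".join(report(THREAD_SERVICES, DASHBOARD)))
    print("\n".join(report([FIXED], DASHBOARD)))
```
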


[cas-user] /cas/status/dashboard

2018-02-26 Thread Cheltenham, Chris


Hello,

 

I have been struggling with access denied on the dashboard

 

-  users.properties only has the following.

 

ccheltenham-ext=passwordnotused,ROLE_ADMIN

 

What else could I have misconfigured?

 

 

 

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571 



RE: [cas-user] Dashboard

2018-02-26 Thread Cheltenham, Chris


Actually I did not figure out my issue



If anyone knows why I am getting page not found /status/dashboard please see 
below …



===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of 
Cheltenham, Chris
Sent: Monday, February 26, 2018 9:36 AM
To: cas-user@apereo.org
Subject: RE: [cas-user] Dashboard



I think I figured out that yes I do need a service JSON for the dashboard.

Please disregard.





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Cheltenham, Chris
Sent: Monday, February 26, 2018 9:30 AM
To: cas-user@apereo.org
Subject: [cas-user] Dashboard



Using David Curry’s dashboard instructions I seem to have either missed 
something.



I get



PAGE Not Found



at this url



https://devcas5.philasd.org/cas/status/$%7Bcas.server.prefix%7D/login?service=https%3A%2F%2Fdevcas5.philasd.org%2Fcas%2Fstatus%2Fdashboard



Don’t I need a service for the dashboard in /etc/cas/services?



Logs say I need a JSON, I believe.

Am I seeing this correctly?



2018-02-26 09:17:32,241 DEBUG 
[org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - https://devcas5.philasd.org/cas/status/dashboard>

2018-02-26 09:17:51,235 DEBUG 
[org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - https://devcas5.philasd.org/cas/status/dashboard>

2018-02-26 09:21:13,277 DEBUG 
[org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - https://devcas5.philasd.org/cas/status/dashboard>

2018-02-26 09:23:10,111 INFO 
[org.springframework.boot.actuate.endpoint.mvc.EndpointHandlerMapping] - 
 
org.apereo.cas.web.report.DashboardController.getEndpoints(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)>

2018-02-26 09:23:10,111 INFO 
[org.springframework.boot.actuate.endpoint.mvc.EndpointHandlerMapping] - 






===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571



RE: [cas-user] Dashboard

2018-02-26 Thread Cheltenham, Chris


I think I figured out that yes I do need a service JSON for the dashboard.

Please disregard.





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of 
Cheltenham, Chris
Sent: Monday, February 26, 2018 9:30 AM
To: cas-user@apereo.org
Subject: [cas-user] Dashboard



Using David Curry’s dashboard instructions I seem to have either missed 
something.



I get



PAGE Not Found



at this url



https://devcas5.philasd.org/cas/status/$%7Bcas.server.prefix%7D/login?service=https%3A%2F%2Fdevcas5.philasd.org%2Fcas%2Fstatus%2Fdashboard



Don’t I need a service for the dashboard in /etc/cas/services?



Logs say I need a JSON, I believe.

Am I seeing this correctly?



2018-02-26 09:17:32,241 DEBUG 
[org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - https://devcas5.philasd.org/cas/status/dashboard>

2018-02-26 09:17:51,235 DEBUG 
[org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - https://devcas5.philasd.org/cas/status/dashboard>

2018-02-26 09:21:13,277 DEBUG 
[org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - https://devcas5.philasd.org/cas/status/dashboard>

2018-02-26 09:23:10,111 INFO 
[org.springframework.boot.actuate.endpoint.mvc.EndpointHandlerMapping] - 
 
org.apereo.cas.web.report.DashboardController.getEndpoints(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)>

2018-02-26 09:23:10,111 INFO 
[org.springframework.boot.actuate.endpoint.mvc.EndpointHandlerMapping] - 






===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571



[cas-user] Dashboard

2018-02-26 Thread Cheltenham, Chris


Using David Curry's dashboard instructions I seem to have either missed
something.

 

I get 

 

PAGE Not Found 

 

at this url

 

https://devcas5.philasd.org/cas/status/$%7Bcas.server.prefix%7D/login?service=https%3A%2F%2Fdevcas5.philasd.org%2Fcas%2Fstatus%2Fdashboard

 

Don't I need a service for the dashboard in /etc/cas/services?

 

Logs say I need a JSON, I believe.

Am I seeing this correctly?

 

2018-02-26 09:17:32,241 DEBUG
[org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - https://devcas5.philasd.org/cas/status/dashboard>

2018-02-26 09:17:51,235 DEBUG
[org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - https://devcas5.philasd.org/cas/status/dashboard>

2018-02-26 09:21:13,277 DEBUG
[org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - https://devcas5.philasd.org/cas/status/dashboard>

2018-02-26 09:23:10,111 INFO
[org.springframework.boot.actuate.endpoint.mvc.EndpointHandlerMapping] -

org.apereo.cas.web.report.DashboardController.getEndpoints(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)>

2018-02-26 09:23:10,111 INFO
[org.springframework.boot.actuate.endpoint.mvc.EndpointHandlerMapping] -


 

 

=======

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571 



RE: [cas-user] pay forward?

2018-02-26 Thread Cheltenham, Chris
Hello Michael,





I work for Philadelphia School District K thru 12.



We may be interested in the hours or part of them perhaps.



What do we need to do ?





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Michael 
O Holstein
Sent: Friday, February 23, 2018 2:39 PM
To: cas-user@apereo.org
Subject: [cas-user] pay forward?



Our annual contract with Unicon is going to renew here in a bit, and we have 
a bunch of unused consulting hours which are for features and whatnot. I'm 
sure if they're not cool with this I'll get told shortly but here's what I'm 
proposing ..



I'll bet there's a couple others in the same boat .. since you can't roll it 
.. might as well donate it.



If there's a feature that everybody thinks would be neat, or some similar 
such thing that we don't need but would collectively benefit (which happens 
regardless, eventually .. if you've read the contract) .. we propose ..



Come up with something, we'll donate our hours remaining (40 something?) to 
it .. we get new block next year anyway. If that covers it, great .. if not, 
perhaps others will agree with the idea and it'll get done collectively. But 
as long as Unicon is cool with this we're game. Yay open source, etc.



Suggestions? Needs to be well-scoped though, so if you've thought it through 
but couldn't get funding, here's your chance.



Michael Holstein CISSP

Mgr. Network & Data Security

Cleveland State University







[cas-user] mahe CAS 5 ory structure in tven question

2018-02-24 Thread Cheltenham, Chris
Hello everyone.

I have a maven question. 

With CAS 4, we git cloned the github repo cas overlay. 

Did the same with CAS 5. 

Why do I not have a /src directory structure in the CAS 5 overlay? 

I get the source and target directory in theory. 




=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 



RE: [cas-user] CAS5 management

2018-02-23 Thread Cheltenham, Chris
Oh right, you do have good docs.



Thanks



Someone should pay you for them.





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David 
Curry
Sent: Friday, February 23, 2018 1:48 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS5 management





The /status endpoint (but not the endpoints underneath it) is only protected 
by an IP address pattern. You need to set the cas.adminPagesSecurity.ip 
property to a regular expression that matches the IP address(es) you want to 
allow access from.



See 
https://dacurry-tns.github.io/deploying-apereo-cas/building_server_dashboard_configure-admin-pages-properties.html#configure-endpoint-security
 
for an example.



--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu



On Fri, Feb 23, 2018 at 12:33 PM, Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:

David,



Along the same lines,



/cas/status says access denied.



Is it a different file?





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David Curry
Sent: Friday, February 23, 2018 10:52 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS5 management



Admin pages is the /status/dashboard stuff (and all the things underneath). 
The access to that is controlled with a user.properties file as well.



The format is what I gave you in the earlier email. So for casuser, it would 
be



casuser=passwordnotused,ROLE_ADMIN



or equivalently,



casuser=empty,ROLE_ADMIN



I should note that the password field (the first field after the "=") is 
only "not used" if you're using CAS to authenticate access to the management 
webapp (which I assume you are).



--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu



On Fri, Feb 23, 2018 at 10:47 AM, Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:

David,



I honestly don’t know what you mean.



What admin pages?



And how should this be formatted?



casuser=ROLE_ADMIN,enabled







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David Curry
Sent: Friday, February 23, 2018 10:33 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS5 management



Your users.properties file is not formatted correctly. It's the same format 
(and in fact can be the same file) as the one for the admin pages:



    # The syntax for each line is:
    #
    # username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]
    #
    gnarls=passwordnotused,ROLE_ADMIN



The above allows a user named "gnarls" to have access.



--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

On Fri, Feb 23, 2018 at 10:28 AM, Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:

Hello Everyone,

Still having problems with access denied on /cas-management

I turned on DEBUG and I see this in the logs.

22T13:22:12.379-05:00[America/New_York], authenticationMethod=Employee-LDAP,successfulAuthenticationHandlers=Employee-LDAP,longTermAuthenticationRequestTokenUsed=false} | roles: [] | permissions: []| isRemembered: false | clientName: CasClient |linkedId: null |] does not contain the required role [ROLE_ADMIN]

My users.properties files look thusly – casuser=ROLE_ADMIN,

and yes ROLE_ADMIN is stated in the management.properties file.

cas.mgmt.adminRoles[0]=ROLE_ADMIN

There is a Json file in /
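
The users.properties syntax and the cas.adminPagesSecurity.ip pattern discussed in the message above can be checked offline before restarting CAS. The script below is an added example, not code from CAS, Spring Security or any poster; it follows only the one-line syntax quoted in the thread, the sample file reuses the entries quoted there, and the IP pattern, the client addresses and the rule that the pattern must match the whole address are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample file built from the entries quoted in the thread.
SAMPLE_USERS = """\
# username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]
gnarls=passwordnotused,ROLE_ADMIN
ccheltenham-ext=notused,ROLE_ADMIN,enabled
casuser=ROLE_ADMIN,enabled
"""

# Constructed value for cas.adminPagesSecurity.ip (documentation address range).
SAMPLE_IP_PATTERN = r"192\.0\.2\.\d{1,3}"


@dataclass
class UserEntry:
    username: str
    password: str = ""
    authorities: list = field(default_factory=list)
    enabled: bool = True
    problems: list = field(default_factory=list)


def parse_line(line):
    """Parse one users.properties line; return None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    username, sep, value = line.partition("=")
    entry = UserEntry(username=username.strip())
    if not sep:
        entry.problems.append("missing '=' separator")
        return entry
    tokens = [t.strip() for t in value.split(",")]
    # The first field is always the password, even when it looks like a role.
    entry.password = tokens[0]
    rest = [t for t in tokens[1:] if t]
    # Optional trailing enabled|disabled flag.
    if rest and rest[-1].lower() in ("enabled", "disabled"):
        entry.enabled = rest.pop().lower() == "enabled"
    entry.authorities = rest
    if not entry.password:
        entry.problems.append("empty password field")
    elif entry.password.startswith("ROLE_"):
        entry.problems.append(
            f"password field is '{entry.password}': the role was consumed as the password")
    if not entry.authorities:
        entry.problems.append("no granted authority, so the user has no roles")
    return entry


def load_users(text):
    """Return {username: UserEntry} for every non-comment line."""
    users = {}
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry is not None:
            users[entry.username] = entry
    return users


def ip_allowed(pattern, client_ip):
    """Assumption: the configured pattern must match the whole client address."""
    return re.fullmatch(pattern, client_ip) is not None


def preflight(users_text, username, required_role, ip_pattern, client_ip):
    """Return a list of reasons access would be denied; empty list means OK."""
    failures = []
    entry = load_users(users_text).get(username)
    if entry is None:
        failures.append(f"{username}: not listed in users.properties")
    else:
        failures.extend(f"{username}: {p}" for p in entry.problems)
        if not entry.enabled:
            failures.append(f"{username}: account is disabled")
        if required_role not in entry.authorities:
            failures.append(f"{username}: does not hold {required_role}")
    if not ip_allowed(ip_pattern, client_ip):
        failures.append(f"{client_ip}: does not match {ip_pattern}")
    return failures


if __name__ == "__main__":
    for user in ("gnarls", "ccheltenham-ext", "casuser"):
        result = preflight(SAMPLE_USERS, user, "ROLE_ADMIN",
                           SAMPLE_IP_PATTERN, "192.0.2.15")
        print(user, result or "OK")
```

For casuser=ROLE_ADMIN,enabled the check reports an empty authority list, which is consistent with the "roles: []" entry in the DEBUG log quoted above.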

RE: [cas-user] CAS5 management

2018-02-23 Thread Cheltenham, Chris
Oh ok, this is CentOS.





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Ray Bon
Sent: Friday, February 23, 2018 12:48 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS5 management



Chris,



Check your service registry entry.



Ray



On Fri, 2018-02-23 at 12:33 -0500, Cheltenham, Chris wrote:

David,



Along the same lines,



/cas/status says access denied.



Is it a different file?





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David Curry
Sent: Friday, February 23, 2018 10:52 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS5 management



Admin pages is the /status/dashboard stuff (and all the things underneath). 
The access to that is controlled with a user.properties file as well.



The format is what I gave you in the earlier email. So for casuser, it would 
be



casuser=passwordnotused,ROLE_ADMIN



or equivalently,



casuser=empty,ROLE_ADMIN



I should note that the password field (the first field after the "=") is 
only "not used" if you're using CAS to authenticate access to the management 
webapp (which I assume you are).



--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu



On Fri, Feb 23, 2018 at 10:47 AM, Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:

David,



I honestly don’t know what you mean.



What admin pages?



And how should this be formatted?



casuser=ROLE_ADMIN,enabled







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David Curry
Sent: Friday, February 23, 2018 10:33 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS5 management



Your users.properties file is not formatted correctly. It's the same format 
(and in fact can be the same file) as the one for the admin pages:



    # The syntax for each line is:
    #
    # username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]
    #
    gnarls=passwordnotused,ROLE_ADMIN



The above allows a user named "gnarls" to have access.



--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

On Fri, Feb 23, 2018 at 10:28 AM, Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:

Hello Everyone,

Still having problems with access denied on /cas-management

I turned on DEBUG and I see this in the logs.

22T13:22:12.379-05:00[America/New_York], authenticationMethod=Employee-LDAP,successfulAuthenticationHandlers=Employee-LDAP,longTermAuthenticationRequestTokenUsed=false} | roles: [] | permissions: []| isRemembered: false | clientName: CasClient |linkedId: null |] does not contain the required role [ROLE_ADMIN]

My users.properties files look thusly – casuser=ROLE_ADMIN,

and yes ROLE_ADMIN is stated in the management.properties file.

cas.mgmt.adminRoles[0]=ROLE_ADMIN

There is a Json file in /etc/cas/services or the users.properties file.

That is stated in cas.properties

cas.serviceRegistry.config.location=file:/etc/cas/services

Is there a way to format the users.properties file so anyone can use the management portal?

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

RE: [cas-user] CAS 5.2

2018-02-23 Thread Cheltenham, Chris
Ray,



I appreciate that but I don’t know what you mean.







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Ray Bon
Sent: Friday, February 23, 2018 12:36 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS 5.2



Chris,



cas.view.defaultRedirectUrl=



Ray



On Fri, 2018-02-23 at 08:36 -0500, Cheltenham, Chris wrote:

Hello Everyone,



I am sure most folks change the default landing page AFTER you get login to 
work.



It looks like it lands on a page called casGenericSuccessView.html.



My question is how do you change that page?







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca



RE: [cas-user] CAS5 management

2018-02-23 Thread Cheltenham, Chris
David,



Along the same lines,



/cas/status says access denied.



Is it a different file?





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David 
Curry
Sent: Friday, February 23, 2018 10:52 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS5 management



Admin pages is the /status/dashboard stuff (and all the things underneath). 
The access to that is controlled with a user.properties file as well.



The format is what I gave you in the earlier email. So for casuser, it would 
be



casuser=passwordnotused,ROLE_ADMIN



or equivalently,



casuser=empty,ROLE_ADMIN



I should note that the password field (the first field after the "=") is 
only "not used" if you're using CAS to authenticate access to the management 
webapp (which I assume you are).



--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu



On Fri, Feb 23, 2018 at 10:47 AM, Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:

David,



I honestly don’t know what you mean.



What admin pages?



And how should this be formatted?



casuser=ROLE_ADMIN,enabled







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David Curry
Sent: Friday, February 23, 2018 10:33 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS5 management



Your users.properties file is not formatted correctly. It's the same format 
(and in fact can be the same file) as the one for the admin pages:



    # The syntax for each line is:
    #
    # username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]
    #
    gnarls=passwordnotused,ROLE_ADMIN



The above allows a user named "gnarls" to have access.



--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

On Fri, Feb 23, 2018 at 10:28 AM, Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:

Hello Everyone,

Still having problems with access denied on /cas-management

I turned on DEBUG and I see this in the logs.

22T13:22:12.379-05:00[America/New_York], authenticationMethod=Employee-LDAP,successfulAuthenticationHandlers=Employee-LDAP,longTermAuthenticationRequestTokenUsed=false} | roles: [] | permissions: []| isRemembered: false | clientName: CasClient |linkedId: null |] does not contain the required role [ROLE_ADMIN]

My users.properties files look thusly – casuser=ROLE_ADMIN,

and yes ROLE_ADMIN is stated in the management.properties file.

cas.mgmt.adminRoles[0]=ROLE_ADMIN

There is a Json file in /etc/cas/services or the users.properties file.

That is stated in cas.properties

cas.serviceRegistry.config.location=file:/etc/cas/services

Is there a way to format the users.properties file so anyone can use the management portal?

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

RE: [cas-user] CAS5 management

2018-02-23 Thread Cheltenham, Chris
Perfect David,



I cannot tell you how many different combinations of that user.properties 
file I tried to no avail.



Thanks again





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David 
Curry
Sent: Friday, February 23, 2018 10:58 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS5 management



As for the cheesiness of it, I believe it's inherited from Spring Security 
(which is an alternative way you can protect the management webapp):



https://docs.spring.io/spring-security/site/docs/2.0.x/reference/html/authentication-common-auth-services.html



So blame them, not the CAS project. :-)



--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu



On Fri, Feb 23, 2018 at 10:53 AM, David Curry <david.cu...@newschool.edu> wrote:

You still need the (unused) password in there, like this:



ccheltenham-ext=notused,ROLE_ADMIN,enabled



(and you don't really need the "enabled"). Note that "ccheltenham-ext" 
should then be a user that can authenticate via CAS, since you're protecting 
the management webapp with CAS.



--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

On Fri, Feb 23, 2018 at 10:51 AM, Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:

Ok I see David,



So I tried this and still doesn’t work.



ccheltenham-ext=ROLE_ADMIN,enabled



I gotta say this is a really stupid and cheesy way to do this.





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David Curry
Sent: Friday, February 23, 2018 10:48 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS5 management



Gnarls the Narwhal is The New School's mascot.



https://www.newschool.edu/recreation/where-is-gnarls/



I wanted a "dummy" account to use in my CAS testing and documentation, and 
"casuser" was already taken, so... :-)



--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

On Fri, Feb 23, 2018 at 10:42 AM, Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:

Thanks David,



What is gnarls?







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David Curry
Sent: Friday, February 23, 2018 10:33 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS5 management



Your users.properties file is not formatted correctly. It's the same format 
(and in fact can be the same file) as the one for the admin pages:



# The syntax for each line is:

#

# username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]

#

gnarls=passwordnotused,ROLE_ADMIN



The above allows a user named "gnarls" to have access.



--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

On Fri, Feb 23, 2018 at 10:28 AM, Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:



Hello Everyone,



Still having problems with access denied on /cas-management



I turned on DEBUG and I see this in the logs.



22T13:22:12.379-05:00[America/New_York], authenticationMethod=Employee-LDAP, 
successfulAuthenticationHandlers=Empl
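
The positional reading of users.properties discussed in this thread, as an added example (not code from the thread, CAS or Spring Security): a small Python checker that reads each line by the quoted syntax, first field as the password and the remaining fields as authorities, and reports whether the entry ends up with ROLE_ADMIN. The names parse_line and audit, the ROLE_ prefix warning and the sample lines are assumptions constructed for illustration.

```python
from typing import List, Optional, Tuple

# Role required by cas.mgmt.adminRoles[0] in the thread's management.properties.
REQUIRED_ROLE = "ROLE_ADMIN"

# Constructed sample: the entries tried in the thread plus the two working ones.
SAMPLE = """\
# username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]
casuser=ROLE_ADMIN,
casuser=ROLE_ADMIN,enabled
ccheltenham-ext=ROLE_ADMIN,enabled
ccheltenham-ext=notused,ROLE_ADMIN,enabled
gnarls=passwordnotused,ROLE_ADMIN
"""


class UserEntry:
    """One users.properties line, split by position as the syntax comment says."""

    def __init__(self, username: str, password: str,
                 authorities: List[str], enabled: bool):
        self.username = username
        self.password = password
        self.authorities = authorities
        self.enabled = enabled
        self.warnings: List[str] = []

    def grants(self, role: str = REQUIRED_ROLE) -> bool:
        # A disabled entry grants nothing, whatever authorities it lists.
        return self.enabled and role in self.authorities


def parse_line(line: str) -> Optional[UserEntry]:
    """Parse one line; return None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    username, sep, value = line.partition("=")
    if not sep or not username.strip():
        raise ValueError(f"not a username=value line: {line!r}")

    # Empty fields (for example after a trailing comma) carry no authority.
    tokens = [t.strip() for t in value.split(",") if t.strip()]

    # Position decides meaning: the first field is always the password slot,
    # even when CAS does the authentication and the password is never checked.
    password = tokens[0] if tokens else ""
    rest = tokens[1:]

    enabled = True
    if rest and rest[-1].lower() in ("enabled", "disabled"):
        enabled = rest.pop().lower() == "enabled"

    entry = UserEntry(username.strip(), password, rest, enabled)
    if password.upper().startswith("ROLE_"):
        # Heuristic added for this example, not a rule of the file format.
        entry.warnings.append(
            f"password field is {password!r}: a role in the first position "
            "is read as the password, not as an authority")
    if not rest:
        entry.warnings.append("no granted authorities on this line")
    return entry


def audit(text: str) -> List[Tuple[str, UserEntry]]:
    """Return (raw line, parsed entry) for every user line in the file text."""
    results = []
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry is not None:
            results.append((raw.strip(), entry))
    return results


if __name__ == "__main__":
    for raw, entry in audit(SAMPLE):
        verdict = "OK    " if entry.grants() else "DENIED"
        print(f"{verdict} {raw}  roles={entry.authorities}")
        for warning in entry.warnings:
            print(f"         warning: {warning}")
```

Run against the sample, the three lines without a password placeholder come out with an empty authority list, which matches the "roles: []" in the DEBUG output quoted in the thread.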

RE: [cas-user] CAS5 management

2018-02-23 Thread Cheltenham, Chris
Thanks again  David,



Yeah I am sure it’s Spring.

I wasn’t beating up anyone in particular.



Mostly out of frustration that switching a few words around makes all the 
difference and I have no clue what the combination is.





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David 
Curry
Sent: Friday, February 23, 2018 10:58 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS5 management



As for the cheesiness of it, I believe it's inherited from Spring Security 
(which is an alternative way you can protect the management webapp):



https://docs.spring.io/spring-security/site/docs/2.0.x/reference/html/authentication-common-auth-services.html



So blame them, not the CAS project. :-)



--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

On Fri, Feb 23, 2018 at 10:53 AM, David Curry <david.cu...@newschool.edu> wrote:

You still need the (unused) password in there, like this:



ccheltenham-ext=notused,ROLE_ADMIN,enabled



(and you don't really need the "enabled"). Note that "ccheltenham-ext" 
should then be a user that can authenticate via CAS, since you're protecting 
the management webapp with CAS.



--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

On Fri, Feb 23, 2018 at 10:51 AM, Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:

Ok I see David,



So I tried this and still doesn’t work.



ccheltenham-ext=ROLE_ADMIN,enabled



I gotta say this is a really stupid and cheesy way to do this.





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David Curry
Sent: Friday, February 23, 2018 10:48 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS5 management



Gnarls the Narwhal is The New School's mascot.



https://www.newschool.edu/recreation/where-is-gnarls/



I wanted a "dummy" account to use in my CAS testing and documentation, and 
"casuser" was already taken, so... :-)



--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

On Fri, Feb 23, 2018 at 10:42 AM, Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:

Thanks David,



What is gnarls?







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David Curry
Sent: Friday, February 23, 2018 10:33 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS5 management



Your users.properties file is not formatted correctly. It's the same format 
(and in fact can be the same file) as the one for the admin pages:



# The syntax for each line is:

#

# username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]

#

gnarls=passwordnotused,ROLE_ADMIN



The above allows a user named "gnarls" to have access.



--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

On Fri, Feb 23, 2018 at 10:28 AM, Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:



Hello Everyone,



Still having problems with access denied on /cas-management



I turned on DEBUG and I see this in the logs.



22T13:22:12.379-05:00[Ameri

RE: [cas-user] CAS5 management

2018-02-23 Thread Cheltenham, Chris
Ok I see David,



So I tried this and still doesn’t work.



ccheltenham-ext=ROLE_ADMIN,enabled



I gotta say this is a really stupid and cheesy way to do this.





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David 
Curry
Sent: Friday, February 23, 2018 10:48 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS5 management



Gnarls the Narwhal is The New School's mascot.



https://www.newschool.edu/recreation/where-is-gnarls/



I wanted a "dummy" account to use in my CAS testing and documentation, and 
"casuser" was already taken, so... :-)



--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

On Fri, Feb 23, 2018 at 10:42 AM, Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:

Thanks David,



What is gnarls?







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David Curry
Sent: Friday, February 23, 2018 10:33 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS5 management



Your users.properties file is not formatted correctly. It's the same format 
(and in fact can be the same file) as the one for the admin pages:



# The syntax for each line is:

#

# username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]

#

gnarls=passwordnotused,ROLE_ADMIN



The above allows a user named "gnarls" to have access.



--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

On Fri, Feb 23, 2018 at 10:28 AM, Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:



Hello Everyone,



Still having problems with access denied on /cas-management



I turned on DEBUG and I see this in the logs.



22T13:22:12.379-05:00[America/New_York], authenticationMethod=Employee-LDAP, 
successfulAuthenticationHandlers=Employee-LDAP,

longTermAuthenticationRequestTokenUsed=false} | roles: [] | permissions: [] 
| isRemembered: false | clientName: CasClient |

linkedId: null |] does not contain the required role [ROLE_ADMIN]





My users.properties files look thusly –

 casuser=ROLE_ADMIN,



and yes ROLE_ADMIN is stated in the management.properties file.

 cas.mgmt.adminRoles[0]=ROLE_ADMIN



There is a Json file in /etc/cas/services or the users.properties file.



That is stated in cas.properties

   cas.serviceRegistry.config.location=file:/etc/cas/services



Is there a way to format the users.properties file so anyone can use the 
management portal?







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


RE: [cas-user] CAS5 management

2018-02-23 Thread Cheltenham, Chris
David,



I honestly don’t know what you mean.



What admin pages?



And how should this be formatted?



casuser=ROLE_ADMIN,enabled







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David 
Curry
Sent: Friday, February 23, 2018 10:33 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS5 management



Your users.properties file is not formatted correctly. It's the same format 
(and in fact can be the same file) as the one for the admin pages:



# The syntax for each line is:

#

# username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]

#

gnarls=passwordnotused,ROLE_ADMIN



The above allows a user named "gnarls" to have access.



--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

On Fri, Feb 23, 2018 at 10:28 AM, Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:



Hello Everyone,



Still having problems with access denied on /cas-management



I turned on DEBUG and I see this in the logs.



22T13:22:12.379-05:00[America/New_York], authenticationMethod=Employee-LDAP, 
successfulAuthenticationHandlers=Employee-LDAP,

longTermAuthenticationRequestTokenUsed=false} | roles: [] | permissions: [] 
| isRemembered: false | clientName: CasClient |

linkedId: null |] does not contain the required role [ROLE_ADMIN]





My users.properties files look thusly –

 casuser=ROLE_ADMIN,



and yes ROLE_ADMIN is stated in the management.properties file.

 cas.mgmt.adminRoles[0]=ROLE_ADMIN



There is a Json file in /etc/cas/services or the users.properties file.



That is stated in cas.properties

   cas.serviceRegistry.config.location=file:/etc/cas/services



Is there a way to format the users.properties file so anyone can use the 
management portal?







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571



RE: [cas-user] CAS5 management

2018-02-23 Thread Cheltenham, Chris
Thanks David,



What is gnarls?







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David 
Curry
Sent: Friday, February 23, 2018 10:33 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS5 management



Your users.properties file is not formatted correctly. It's the same format 
(and in fact can be the same file) as the one for the admin pages:



# The syntax for each line is:

#

# username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]

#

gnarls=passwordnotused,ROLE_ADMIN



The above allows a user named "gnarls" to have access.



--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

On Fri, Feb 23, 2018 at 10:28 AM, Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:



Hello Everyone,



Still having problems with access denied on /cas-management



I turned on DEBUG and I see this in the logs.



22T13:22:12.379-05:00[America/New_York], authenticationMethod=Employee-LDAP, 
successfulAuthenticationHandlers=Employee-LDAP,

longTermAuthenticationRequestTokenUsed=false} | roles: [] | permissions: [] 
| isRemembered: false | clientName: CasClient |

linkedId: null |] does not contain the required role [ROLE_ADMIN]





My users.properties files look thusly –

 casuser=ROLE_ADMIN,



and yes ROLE_ADMIN is stated in the management.properties file.

 cas.mgmt.adminRoles[0]=ROLE_ADMIN



There is a Json file in /etc/cas/services or the users.properties file.



That is stated in cas.properties

   cas.serviceRegistry.config.location=file:/etc/cas/services



Is there a way to format the users.properties file so anyone can use the 
management portal?







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571



[cas-user] CAS5 management

2018-02-23 Thread Cheltenham, Chris


Hello Everyone,

 

Still having problems with access denied on /cas-management

 

I turned on DEBUG and I see this in the logs.

 

22T13:22:12.379-05:00[America/New_York],
authenticationMethod=Employee-LDAP,
successfulAuthenticationHandlers=Employee-LDAP, 

longTermAuthenticationRequestTokenUsed=false} | roles: [] | permissions:
[] | isRemembered: false | clientName: CasClient | 

linkedId: null |] does not contain the required role [ROLE_ADMIN]

 

 

My users.properties files look thusly -

 casuser=ROLE_ADMIN,

 

and yes ROLE_ADMIN is stated in the management.properties file.

 cas.mgmt.adminRoles[0]=ROLE_ADMIN

 

There is a Json file in /etc/cas/services or the users.properties file.

 

That is stated in cas.properties

   cas.serviceRegistry.config.location=file:/etc/cas/services

 

Is there a way to format the users.properties file so anyone can use the
management portal?

 

 

 

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571 



[cas-user] CAS 5.2

2018-02-23 Thread Cheltenham, Chris


Hello Everyone,

 

I am sure most folks change the default landing page AFTER you get login
to work.

 

It looks like it lands on a page called casGenericSuccessView.html.

 

My question is how do you change that page?

 

 

 

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571 



RE: [cas-user] [5.2] Dashboard - Application Not Authorized to Use CAS

2018-02-20 Thread Cheltenham, Chris
Man,



I don’t know what that means.



===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Man H
Sent: Tuesday, February 20, 2018 11:36 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] [5.2] Dashboard - Application Not Authorized to Use 
CAS



This should be another thread since dashboard is not the same as 
cas-management.

Make it a service

On Tuesday, February 20, 2018, Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:

Hello Everyone,



I am getting access denied on the /cas-management

It appears CAS 5 is a bit different from 4



Does anyone know why I am getting access denied to the management stuff?







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David Curry
Sent: Tuesday, February 20, 2018 8:48 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] [5.2] Dashboard - Application Not Authorized to Use CAS



Assuming "the services directory" means you're trying to use an external 
directory full of JSON service definitions, do you have





<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-support-json-service-registry</artifactId>
  <version>${cas.version}</version>
</dependency>





in your pom.xml and



cas.serviceRegistry.json.location:file:/etc/cas/services



(whatever directory path you want) in cas.properties?



--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

On Tue, Feb 20, 2018 at 8:41 AM, Kevin Liu <annihil8...@gmail.com> wrote:

I've added and it looks like CAS is just not picking up on any of the 
services directory. It doesn't show as registering the service.



On Monday, February 19, 2018 at 12:55:18 PM UTC-6, rbon wrote:

Put these into the log config to verify that the services you want are 
correct:





















Ray



On Mon, 2018-02-19 at 09:24 -0800, Kevin Liu wrote:

I'm trying to access https://xxx.xxx.xxx.xxx:/cas1/status/dashboard

On Monday, February 19, 2018 at 11:01:33 AM UTC-6, rbon wrote:

Kevin,



What is the URL that you are trying to access?



Ray



On Mon, 2018-02-19 at 08:34 -0800, Kevin Liu wrote:

This is my current entry in service registry



{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://xxx.xxx.xxx.xxx:/cas1/status/dashboard(\\z|/.*)",
  "name" : "CAS Admin Dashboard",
  "id" : 1509646291,
  "description" : "CAS dashboard and administrative endpoints",
  "evaluationOrder" : 5000
}




On Monday, February 19, 2018 at 9:06:00 AM UTC-6, David Curry wrote:

Do you have an entry in the service registry that matches the service?



{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://xxx.xxx.xxx.xxx/cas1/status/dashboard(\\z|/.*)",
  "name" : "CAS Admin Dashboard",
  "id" : 123456789,
  "description" : "CAS dashboard and administrative endpoints",
  "evaluationOrder" : 12345
}



Or something like that.


--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

On Mon, Feb 19, 2018 at 9:33 AM, Kevin Liu <annih...@gmail.com> wrote:

Hello,



I'm trying to enable access to the Dashboard with the default casuser:Mellon 
account but I'm running into an Application Not Authorized to Use CAS. This 
is my cas.properties file. I can't figure out what I'm missing? Looking 
online, it seems I need a registry of some sort but I can't find additional 
documentation on it.





cas.server.name: https://xxx.xxx.xxx.xxx

cas.server.prefix: https://xx

RE: [cas-user] [5.2] Dashboard - Application Not Authorized to Use CAS

2018-02-20 Thread Cheltenham, Chris
Yes, Cas works properly.





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Kevin 
Liu
Sent: Tuesday, February 20, 2018 11:24 AM
To: CAS Community 
Subject: Re: [cas-user] [5.2] Dashboard - Application Not Authorized to Use 
CAS



I'm not familiar with cas 4 but do you have a cas.properties file?

On Tuesday, February 20, 2018 at 10:16:01 AM UTC-6, Chris Cheltenham wrote:

Hello Everyone,



I am getting access denied on the /cas-management

It appears CAS 5 is a bit different from 4



Does anyone know why I am getting access denied to the management stuff?







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-...@apereo.org [mailto:cas-...@apereo.org] On Behalf Of David Curry
Sent: Tuesday, February 20, 2018 8:48 AM
To: cas-...@apereo.org
Subject: Re: [cas-user] [5.2] Dashboard - Application Not Authorized to Use CAS



Assuming "the services directory" means you're trying to use an external 
directory full of JSON service definitions, do you have





<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-support-json-service-registry</artifactId>
  <version>${cas.version}</version>
</dependency>





in your pom.xml and



cas.serviceRegistry.json.location:file:/etc/cas/services



(whatever directory path you want) in cas.properties?



--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

On Tue, Feb 20, 2018 at 8:41 AM, Kevin Liu wrote:

I've added and it looks like CAS is just not picking up on any of the 
services directory. It doesn't show as registering the service.



On Monday, February 19, 2018 at 12:55:18 PM UTC-6, rbon wrote:

Put these into the log config to verify that the services you want are 
correct:





















Ray



On Mon, 2018-02-19 at 09:24 -0800, Kevin Liu wrote:

I'm trying to access https://xxx.xxx.xxx.xxx:/cas1/status/dashboard

On Monday, February 19, 2018 at 11:01:33 AM UTC-6, rbon wrote:

Kevin,



What is the URL that you are trying to access?



Ray



On Mon, 2018-02-19 at 08:34 -0800, Kevin Liu wrote:

This is my current entry in service registry



{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://xxx.xxx.xxx.xxx:/cas1/status/dashboard(\\z|/.*)",
  "name" : "CAS Admin Dashboard",
  "id" : 1509646291,
  "description" : "CAS dashboard and administrative endpoints",
  "evaluationOrder" : 5000
}




On Monday, February 19, 2018 at 9:06:00 AM UTC-6, David Curry wrote:

Do you have an entry in the service registry that matches the service?



{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://xxx.xxx.xxx.xxx/cas1/status/dashboard(\\z|/.*)",
  "name" : "CAS Admin Dashboard",
  "id" : 123456789,
  "description" : "CAS dashboard and administrative endpoints",
  "evaluationOrder" : 12345
}



Or something like that.


--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david...@newschool.edu



On Mon, Feb 19, 2018 at 9:33 AM, Kevin Liu <annih...@gmail.com> wrote:

Hello,



I'm trying to enable access to the Dashboard with the default casuser:Mellon 
account but I'm running into an Application Not Authorized to Use CAS. This 
is my cas.properties file. I can't figure out what I'm missing? Looking 
online, it seems I need a registry of some sort but I can't find additional 
documentation on it.





cas.server.name: https://xxx.xxx.xxx.xxx
cas.server.prefix: https://xxx.xxx.xxx.xxx/cas1

logging.config: file:/etc/cas1/config/log4j2.xml

endpoints.enabled=true
endpoints.sensitive=false
cas.adminPagesSecurity.ip=192.168.x.xx
cas.monitor.endpoints.enabl

RE: [cas-user] [5.2] Dashboard - Application Not Authorized to Use CAS

2018-02-20 Thread Cheltenham, Chris
Hello Everyone,



I am getting access denied on the /cas-management

It appears CAS 5 is a bit different from 4



Does anyone know why I am getting access denied to the management stuff?







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David 
Curry
Sent: Tuesday, February 20, 2018 8:48 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] [5.2] Dashboard - Application Not Authorized to Use 
CAS



Assuming "the services directory" means you're trying to use an external 
directory full of JSON service definitions, do you have

<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-support-json-service-registry</artifactId>
  <version>${cas.version}</version>
</dependency>

in your pom.xml and



cas.serviceRegistry.json.location:file:/etc/cas/services



(whatever directory path you want) in cas.properties?



--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu



On Tue, Feb 20, 2018 at 8:41 AM, Kevin Liu <annihil8...@gmail.com> wrote:

I've added and it looks like CAS is just not picking up on any of the 
services directory. It doesn't show as registering the service.



On Monday, February 19, 2018 at 12:55:18 PM UTC-6, rbon wrote:

Put these into the log config to verify that the services you want are 
correct:

Ray



On Mon, 2018-02-19 at 09:24 -0800, Kevin Liu wrote:

I'm trying to access https://xxx.xxx.xxx.xxx:/cas1/status/dashboard

On Monday, February 19, 2018 at 11:01:33 AM UTC-6, rbon wrote:

Kevin,



What is the URL that you are trying to access?



Ray



On Mon, 2018-02-19 at 08:34 -0800, Kevin Liu wrote:

This is my current entry in service registry



{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://xxx.xxx.xxx.xxx:/cas1/status/dashboard(\\z|/.*)",
  "name" : "CAS Admin Dashboard",
  "id" : 1509646291,
  "description" : "CAS dashboard and administrative endpoints",
  "evaluationOrder" : 5000
}




On Monday, February 19, 2018 at 9:06:00 AM UTC-6, David Curry wrote:

Do you have an entry in the service registry that matches the service?



{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://xxx.xxx.xxx.xxx/cas1/status/dashboard(\\z|/.*)",
  "name" : "CAS Admin Dashboard",
  "id" : 123456789,
  "description" : "CAS dashboard and administrative endpoints",
  "evaluationOrder" : 12345
}



Or something like that.


--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu



On Mon, Feb 19, 2018 at 9:33 AM, Kevin Liu <annih...@gmail.com> wrote:



Hello,



I'm trying to enable access to the Dashboard with the default casuser:Mellon 
account but I'm running into an Application Not Authorized to Use CAS. This 
is my cas.properties file. I can't figure out what I'm missing? Looking 
online, it seems I need a registry of some sort but I can't find additional 
documentation on it.





cas.server.name: https://xxx.xxx.xxx.xxx
cas.server.prefix: https://xxx.xxx.xxx.xxx/cas1

logging.config: file:/etc/cas1/config/log4j2.xml

endpoints.enabled=true
endpoints.sensitive=false
cas.adminPagesSecurity.ip=192.168.x.xx
cas.monitor.endpoints.enable=true
cas.monitor.endpoints.sensitive=false
cas.adminPagesSecurity.actuatorEndpointsEnabled=true

cas.adminPagesSecurity.loginUrl=${cas.server.prefix}/login
cas.adminPagesSecurity.service=${cas.server.prefix}/status/dashboard
cas.adminPagesSecurity.users=file:/etc/cas1/config/adminusers.properties
cas.adminPagesSecurity.adminRoles[0]=ROLE_ADMIN



Am I missing anything?

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups 
"C
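
An offline way to check the question asked in this thread ("Do you have an entry in the service registry that matches the service?"), added here as an illustration and not code from CAS or from any poster. It expands cas.adminPagesSecurity.service from the properties and tests the result against each definition's serviceId; the host cas.example.org, port 8443, the ids, and the matching rules (whole-URL match, lowest evaluationOrder tried first) are assumptions.

```python
import json
import re

# Constructed inputs shaped like the thread's cas.properties lines and service
# definitions; cas.example.org and port 8443 are placeholders, not thread values.
PROPS = {
    "cas.server.prefix": "https://cas.example.org/cas1",
    "cas.adminPagesSecurity.service": "${cas.server.prefix}/status/dashboard",
}
SERVICE_FILES = [
    r'''{
      "@class" : "org.apereo.cas.services.RegexRegisteredService",
      "serviceId" : "^https://cas.example.org:8443/cas1/status/dashboard(\\z|/.*)",
      "name" : "Dashboard, pattern with port",
      "id" : 1,
      "evaluationOrder" : 5000
    }''',
    r'''{
      "@class" : "org.apereo.cas.services.RegexRegisteredService",
      "serviceId" : "^https://cas.example.org/cas1/status/dashboard(\\z|/.*)",
      "name" : "Dashboard, pattern without port",
      "id" : 2,
      "evaluationOrder" : 12345
    }''',
]


def resolve_placeholders(value, props):
    """Expand ${key} references; unknown keys are left untouched."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def java_to_python_regex(pattern):
    r"""Rewrite Java's \z (end of input) as Python's \Z, skipping escaped backslashes."""
    return re.sub(r"(?<!\\)((?:\\\\)*)\\z", lambda m: m.group(1) + r"\Z", pattern)


def load_services(documents):
    """Parse definitions and sort by evaluationOrder (assumed: lowest is tried first)."""
    return sorted((json.loads(doc) for doc in documents),
                  key=lambda svc: svc.get("evaluationOrder", 0))


def find_matching_service(service_url, services):
    """Return the first definition whose serviceId matches the whole URL, else None."""
    for svc in services:
        # Assumption: the pattern has to match the entire service URL.
        if re.fullmatch(java_to_python_regex(svc["serviceId"]), service_url):
            return svc
    return None


def report(service_url, services):
    """Return one line per definition saying whether its pattern matched."""
    lines = []
    for svc in services:
        hit = re.fullmatch(java_to_python_regex(svc["serviceId"]), service_url)
        lines.append(f"{'MATCH   ' if hit else 'no match'}  id={svc['id']}  {svc['serviceId']}")
    return lines


if __name__ == "__main__":
    url = resolve_placeholders(PROPS["cas.adminPagesSecurity.service"], PROPS)
    print("service URL:", url)
    print("\n".join(report(url, load_services(SERVICE_FILES))))
```

A service URL that matches no definition is the situation reported as "Application Not Authorized to Use CAS"; here the definition that requires a port never matches the URL built from a port-less cas.server.prefix.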

RE: [cas-user] org.apereo.cas.authentication.PolicyBasedAuthenticationManager thow an error in log when user input Invalid credentials.

2018-02-13 Thread Cheltenham, Chris
Something it doesn’t like in your cas.properties section I would guess.

I am not familiar with your ldap so it's difficult for me to say exactly what 
you need.



Start out very simple and connect to one LDAP.

I don’t use AD so I don’t know what that requires either.



Start off with something simple and build on it from there.



# LDAP connector (for single instance)

#  cas.authn.ldap[0].type=Authenticated

#  cas.authn.ldap[0].ldapUrl=ldaps://

#  cas.authn.ldap[0].useSsl=true



I saw ssl false in your configuration



#  cas.authn.ldap[0].baseDn=dc=philasd,dc=org

#  cas.authn.ldap[0].userFilter=uid={user}

#  cas.authn.ldap[0].bindDn=uid=cuth,dc=philasd,dc=org

#  cas.authn.ldap[0].bindCredential=



===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Satnam 
Sarai
Sent: Tuesday, February 13, 2018 10:45 AM
To: CAS Community 
Subject: Re: [cas-user] 
org.apereo.cas.authentication.PolicyBasedAuthenticationManager thow an error 
in log when user input Invalid credentials.



Thanks, Chris.

We have two handlers, LDAP and JDBC.  I have disabled JDBC to see if the error 
goes away. The error still shows up when a user inputs invalid credentials.  It 
works perfectly when a user inputs correct credentials.  We can ignore this 
error but we are afraid that we will get too many notifications about 
invalid credentials.

==
In pom.xml I have included

<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-support-ldap</artifactId>
  <version>${cas.version}</version>
</dependency>

and cas.properties file -->



#
#  LDAP
#
#AD|AUTHENTICATED|DIRECT|ANONYMOUS
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].name = POST_Employee-LDAP
# BaseDn used to start the LDAP search looking for accounts
cas.authn.ldap[0].baseDn=
# The search filter to use while looking for accounts.
cas.authn.ldap[0].userFilter=(|(sAMAccountName={user})(proxyAddresses=smtp:{user}))
#
# Bind credentials used to connect to the LDAP instance
#
cas.authn.ldap[0].bindDn=xxx
cas.authn.ldap[0].bindCredential=xx
cas.authn.ldap[0].principalAttributeId=objectGUID
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].order=0
cas.authn.ldap[0].enhanceWithEntryResolver=true
cas.authn.ldap[0].searchEntryHandlers[0].type=OBJECT_GUID

#
# Define attributes to be retrieved from LDAP as part of the same authentication transaction
# The left-hand side notes the source while the right-hand side indicates an optional renaming/remapping
# of the attribute definition. The same attribute name is allowed to be mapped multiple times to
# different attribute names.
#
# cas.authn.ldap[0].principalAttributeList=sn,cn:commonName,givenName,eduPersonTargettedId:SOME_IDENTIFIER
cas.authn.ldap[0].principalAttributeList=objectGUID

# cas.authn.ldap[0].collectDnAttribute=false
# cas.authn.ldap[0].principalDnAttributeName=principalLdapDn
# cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
# cas.authn.ldap[0].allowMissingPrincipalAttributeValue=true
# cas.authn.ldap[0].credentialCriteria=
cas.authn.ldap[0].validatePeriod=  270

On Tuesday, February 13, 2018 at 7:25:49 AM UTC-8, Chris Cheltenham wrote:

Hello,



I had that exact error.



When you build your cas.war file make sure the ldap dependency is embedded 
inside pom.xml.

If you don’t



After that, the cas.properties file must be formatted correctly.

This is what stumped me the most.



Thanks to David Curry for helping me out on this.





My LDAP inside of cas.properties looks like this.

Pay attention to the numbers in scheme zero and one and so forth if you have 
multiple authentication handlers.





# Employee LDAP
cas.authn.ldap[0].useSsl: true
cas.authn.ldap[0].order: 0
cas.authn.ldap[0].name: Employee-LDAP
cas.authn.ldap[0].type: AUTHENTICATED
cas.authn.ldap[0].ldapUrl: ldaps://devm.philasd.net
cas.authn.ldap[0].validatePeriod: 270
cas.authn.ldap[0].userFilter: uid={user}
cas.authn.ldap[0].baseDn: dc=philasd,dc=org
cas.authn.ldap[0].bindDn: uid=cauth,ou=svc_accts,dc=philasd,dc=org
cas.authn.ldap[0].bindCredential: x
#
#LDAP for SG (Student Guardian)
cas.authn.ldap[1].useSsl: true
cas.authn.ldap[1].order: 1
cas.authn.ldap[1].name: SG-LDAP
cas.authn.ldap[1].type: AUTHENTICATED
cas.authn.ldap[1].ldapUrl: ldaps://devsgm.philasd.net
cas.authn.ldap[1].validatePeriod: 270
cas.authn.ldap[1].userFilter: uid={user}
cas.authn.ldap[1].baseDn: dc=philasd,dc=org
cas.authn.ldap[1].bindD

RE: [cas-user] org.apereo.cas.authentication.PolicyBasedAuthenticationManager thow an error in log when user input Invalid credentials.

2018-02-13 Thread Cheltenham, Chris
Hello,



I had that exact error.



When you build your cas.war file make sure the ldap dependency is embedded 
inside pom.xml.

If you don’t



After that, the cas.properties file must be formatted correctly.

This is what stumped me the most.



Thanks to David Curry for helping me out on this.





My LDAP inside of cas.properties looks like this.

Pay attention to the numbers in scheme zero and one and so forth if you have 
multiple authentication handlers.





# Employee LDAP
cas.authn.ldap[0].useSsl: true
cas.authn.ldap[0].order: 0
cas.authn.ldap[0].name: Employee-LDAP
cas.authn.ldap[0].type: AUTHENTICATED
cas.authn.ldap[0].ldapUrl: ldaps://devm.philasd.net
cas.authn.ldap[0].validatePeriod: 270
cas.authn.ldap[0].userFilter: uid={user}
cas.authn.ldap[0].baseDn: dc=philasd,dc=org
cas.authn.ldap[0].bindDn: uid=cauth,ou=svc_accts,dc=philasd,dc=org
cas.authn.ldap[0].bindCredential: x
#
#LDAP for SG (Student Guardian)
cas.authn.ldap[1].useSsl: true
cas.authn.ldap[1].order: 1
cas.authn.ldap[1].name: SG-LDAP
cas.authn.ldap[1].type: AUTHENTICATED
cas.authn.ldap[1].ldapUrl: ldaps://devsgm.philasd.net
cas.authn.ldap[1].validatePeriod: 270
cas.authn.ldap[1].userFilter: uid={user}
cas.authn.ldap[1].baseDn: dc=philasd,dc=org
cas.authn.ldap[1].bindDn: uid=casauth,ou=svc_accts,dc=philasd,dc=org
cas.authn.ldap[1].bindCredential: x



===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Satnam 
Sarai
Sent: Tuesday, February 13, 2018 10:04 AM
To: CAS Community 
Subject: [cas-user] 
org.apereo.cas.authentication.PolicyBasedAuthenticationManager thow an error 
in log when user input Invalid credentials.



Hello,

We are upgrading CAS to 5.2.x, and we noticed that CAS throws an error in the log/email 
when a user inputs invalid credentials. In this case we don't want to receive 
a notification when a user inputs invalid credentials as long as CAS blocks the 
(log will grow exponentially and email notifications will not be useful).

Is anybody else seeing these errors in the log as well?  Did we set up 
something incorrectly?


Here is part of CAS log

__     _     __
  / /  / ___|/ \/ ___|  \ \
 | |  | |   / _ \   \___ \   | |
 | |  | |___   / ___ \   ___) |  | |
 | |   \| /_/   \_\ |/   | |
  \_\   /_/

CAS Version: 5.2.2
CAS Commit Id: eefb26e6ea0f3f0505ea7dcfc7e11c4ebcb44b7d
CAS Build Date/Time: 1970-01-01T00:00Z
Spring Boot Version: 1.5.8.RELEASE

Java Home: C:\Program Files\Java\jre8U152
Java Vendor: Oracle Corporation
Java Version: 1.8.0_152
JVM Free Memory: 1 GB
JVM Maximum Memory: 7 GB
JVM Total Memory: 2 GB
JCE Installed: No

OS Architecture: amd64
OS Name: Windows 7
OS Version: 6.1
OS Date/Time: 2018-02-13T06:47:54.498
OS Temp Directory: C:\Projects\PASS5.2\trunk\test\apache-tomcat\cat_base\temp

2018-02-13 06:48:10,827 WARN [org.apereo.cas.web.report.util.ControllerUtils] - 
2018-02-13 06:48:21,362 WARN [org.apereo.cas.web.report.util.ControllerUtils] - 
2018-02-13 06:48:25,942 WARN [org.apereo.cas.config.CasCoreServicesConfiguration] - 
13-Feb-2018 06:48:27.111 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [C:\Projects\PASS5.2\trunk\test\apache-tomcat\cat_base\webapps\ROOT##0014.war] has finished in [46,788] ms
13-Feb-2018 06:48:27.114 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
13-Feb-2018 06:48:27.127 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-openssl-nio-8443"]
13-Feb-2018 06:48:27.132 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
13-Feb-2018 06:48:27.137 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 47459 ms
2018-02-13 06:50:35,302 WARN [org.apereo.cas.authentication.LdapAuthenticationHandler] - 
2018-02-13 06:50:35,303 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups 
"CAS Community" g
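
A small lint for the cas.authn.ldap[N] blocks compared in this thread, added here as an illustration and not code from CAS or from any poster. It flags skipped handler numbers, keys defined twice (a properties file keeps only the last value), empty or absent per-type settings, a plaintext ldap:// URL and useSsl=false. The per-type key lists are an assumption inferred from the working configurations posted to the list, and the sample hosts, DNs and password are constructed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the handler blocks in the thread; hosts, DNs
# and the password are placeholders, not values from the thread.
SAMPLE = """\
# Employee LDAP
cas.authn.ldap[0].type: AUTHENTICATED
cas.authn.ldap[0].ldapUrl: ldaps://ldap1.example.org
cas.authn.ldap[0].useSsl: true
cas.authn.ldap[0].baseDn: dc=example,dc=org
cas.authn.ldap[0].userFilter: uid={user}
cas.authn.ldap[0].bindDn: uid=svc,ou=svc_accts,dc=example,dc=org
cas.authn.ldap[0].bindCredential: changeit
# Second handler: number 1 skipped, plaintext URL, no bind account
cas.authn.ldap[2].type=AUTHENTICATED
cas.authn.ldap[2].ldapUrl=ldap://ldap2.example.org
cas.authn.ldap[2].useSsl=false
cas.authn.ldap[2].baseDn=
cas.authn.ldap[2].userFilter=(|(sAMAccountName={user})(proxyAddresses=smtp:{user}))
cas.authn.ldap[2].principalAttributeList=sn,cn:commonName
cas.authn.ldap[2].principalAttributeList=objectGUID
"""

# Key ends at the first '=', ':' or whitespace; the value may contain any of them.
LINE = re.compile(r"^\s*([^\s:=]+)\s*[:=]?\s*(.*?)\s*$")
HANDLER_KEY = re.compile(r"^cas\.authn\.ldap\[(\d+)\]\.(\w+)$")

# Assumption: per-type settings inferred from the configs posted in the thread.
REQUIRED = {
    "AUTHENTICATED": ("ldapUrl", "baseDn", "userFilter", "bindDn", "bindCredential"),
    "AD": ("ldapUrl", "baseDn", "userFilter", "dnFormat"),
}


def parse_properties(text):
    """Return (key, value, line_number) triples, skipping comments and blank lines."""
    entries = []
    for number, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith(("#", "!")):
            continue
        found = LINE.match(raw)
        if found:
            entries.append((found.group(1), found.group(2), number))
    return entries


def lint_ldap_handlers(text):
    """Return sorted (handler_index, code, detail) findings for cas.authn.ldap[N]."""
    findings = []
    handlers = defaultdict(dict)
    for key, value, number in parse_properties(text):
        found = HANDLER_KEY.match(key)
        if not found:
            continue
        index, name = int(found.group(1)), found.group(2)
        if name in handlers[index]:
            # A repeated key silently replaces the earlier value.
            findings.append((index, "duplicate-key", f"{name} (line {number})"))
        handlers[index][name] = value

    if handlers:
        for missing in sorted(set(range(max(handlers) + 1)) - set(handlers)):
            findings.append((missing, "index-gap", f"ldap[{missing}] is not defined"))

    for index, props in handlers.items():
        for name in REQUIRED.get(props.get("type", "").upper(), ()):
            if not props.get(name):
                findings.append((index, "missing-value", name))
        # ldap:// sends the bind in clear text unless TLS is negotiated separately.
        if props.get("ldapUrl", "").lower().startswith("ldap://"):
            findings.append((index, "plaintext-url", props["ldapUrl"]))
        if props.get("useSsl", "").lower() == "false":
            findings.append((index, "ssl-disabled", "useSsl=false"))
    return sorted(findings)


if __name__ == "__main__":
    for index, code, detail in lint_ldap_handlers(SAMPLE):
        print(f"ldap[{index}] {code}: {detail}")
```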

[cas-user] inspektr

2018-02-09 Thread Cheltenham, Chris


Does anyone have better documentation for inspektr?

 

 

I just read this 

 

https://github.com/apereo/inspektr/blob/master/README.md

 

and I have NO clue what any of it means.

 

 

 

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571 



RE: [cas-user] cas 5 management

2018-02-09 Thread Cheltenham, Chris
Thanks David, I really appreciate your help.

It's saved me tons of time.



I almost forgot about your documentation but it has helped me a lot.







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David 
Curry
Sent: Friday, February 9, 2018 12:03 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] cas 5 management



Chris,



In my setup, I did not configure the management webapp to use LDAP directly. 
Rather, I set it up to authenticate against the CAS server, and just use the 
userPropertiesFile to control who can actually log into it. I used the same 
"admusers.properties" file that I used to control access to the admin pages 
(dashboard, etc.) since for us it's the same set of users for both, but you 
can use different files for each if you want.



Since we only have a handful of people who will use the management webapp 
(or the admin pages), and the list doesn't change very often, this seemed 
like a simpler approach than messing around with LDAP groups, etc. Just a 
thought...YMMV of course.



--Dave






--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu



On Fri, Feb 9, 2018 at 11:52 AM, Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:

Thanks Travis,



I am using David Curry’s docs.

I don’t understand the CAS docs from Apereo.

I think they document with the thinking of a developer, which I am not.

Therefore, I have a lot of trouble understanding them.



I appreciate your help.





=======

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of 
Travis Schmidt
Sent: Friday, February 9, 2018 11:08 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] cas 5 management



Here is a link to getting started with CAS Management with 5.2.x



https://apereo.github.io/cas/5.2.x/installation/Installing-ServicesMgmt-Webapp.html



As far as LDAP is concerned, it is mostly a preference.  The management app 
will contact a CAS Server for authenticating a user in whichever way you 
have it set up.  For the management app you usually only have a few people 
authorized to use it, so users.json or static list is an acceptable way to 
limit who can use it.  The management app can be configured to call back to 
LDAP and query for the ROLE_* attributes on the authenticated user, but in 
my opinion it is a lot more work to make something dynamic that is mostly 
static.







On Fri, Feb 9, 2018 at 7:13 AM Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:



Hello ,



I have embarked on building cas-management via the overlay.

I am assuming you build a totally separate war file with the ldap 
dependency if you use ldap.



Is that correct?







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025 
Cell # 215-301-6571 


RE: [cas-user] cas 5 management

2018-02-09 Thread Cheltenham, Chris
Thanks Travis,



I am using David Curry’s docs.

I don’t understand the CAS docs from Apereo.

I think they document with the thinking of a developer, which I am not.

Therefore, I have a lot of trouble understanding them.



I appreciate your help.





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Travis 
Schmidt
Sent: Friday, February 9, 2018 11:08 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] cas 5 management



Here is a link to getting started with CAS Management with 5.2.x



https://apereo.github.io/cas/5.2.x/installation/Installing-ServicesMgmt-Webapp.html



As far as LDAP is concerned, it is mostly a preference.  The management app 
will contact a CAS Server for authenticating a user in whichever way you 
have it set up.  For the management app you usually only have a few people 
authorized to use it, so users.json or static list is an acceptable way to 
limit who can use it.  The management app can be configured to call back to 
LDAP and query for the ROLE_* attributes on the authenticated user, but in 
my opinion it is a lot more work to make something dynamic that is mostly 
static.







On Fri, Feb 9, 2018 at 7:13 AM Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:



Hello ,



I have embarked on building cas-management via the overlay.

I am assuming you build a totally separate war file with the ldap 
dependency if you use ldap.



Is that correct?







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025 
Cell # 215-301-6571 



RE: [cas-user] Re: cas 5 management

2018-02-09 Thread Cheltenham, Chris
Yes, great thank you.







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of William 
E.
Sent: Friday, February 9, 2018 11:02 AM
To: CAS Community 
Subject: [cas-user] Re: cas 5 management



Exactly.  cas-management-overlay/target/cas-management.war





Since we use json registry, and ldap, we add the below.





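<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-support-json-service-registry</artifactId>
  <version>${cas.version}</version>
</dependency>

<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-support-ldap</artifactId>
  <version>${cas.version}</version>
</dependency>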








On Friday, February 9, 2018 at 9:13:54 AM UTC-6, Chris Cheltenham wrote:

  

Hello ,



I have embarked on building cas-management via the overlay.

I am assuming you build a totally separate war file with the ldap 
dependency if you use ldap.



Is that correct?







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571



[cas-user] cas 5 management

2018-02-09 Thread Cheltenham, Chris


Hello ,

 

I have embarked on building cas-management via the overlay.

I am assuming you build a totally separate war file with the ldap
dependency if you use ldap.

 

Is that correct?

 

 

 

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571 



Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
Good for you David, 

We are still using LDAP with almost 200k users and maybe 30 attributes. 
It's complicated. 

Maybe M$ will loosen the cost of AD for a k-12 school district. 
Would be nice. 




=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


From: "David Curry"  
To: "cas-user"  
Sent: Thursday, February 8, 2018 12:31:22 PM 
Subject: Re: [cas-user] CAS 5.2.x 

It's a pain in the butt, mostly. :-) 

One of these days we're going to consolidate everything into the One True 
Active Directory and get rid of the second directory, which will make our lives 
easier in all sorts of ways, but that's still somewhere out on the horizon. 

The use of two AD configs just to handle two different OUs is mostly because 
there's another OU besides those two that we don't want to authenticate 
against, and so this was the simplest (although perhaps not the most efficient) 
way to do it. 

--Dave 




-- 


DAVID A. CURRY, CISSP 
DIRECTOR OF INFORMATION SECURITY 
INFORMATION TECHNOLOGY 

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 
+1 212 229-5300 x4728 • david.cu...@newschool.edu 




On Thu, Feb 8, 2018 at 12:18 PM, Cheltenham, Chris <ccheltenham-...@philasd.org> wrote: 



Thanks David, 

That's a bit eye opening, the orders and different authorizing entities. 




=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


From: "David Curry" < david.cu...@newschool.edu > 
To: "cas-user" < cas-user@apereo.org > 
Sent: Thursday, February 8, 2018 12:13:48 PM 

Subject: Re: [cas-user] CAS 5.2.x 

These could probably be shortened up in a couple of ways by: 


* combining the [0] and [2] Active Directory configs, which go against 
different OUs of the same directory (but are otherwise identical), and 
* performing attribute resolution as part of the authentication process, 
which you can do now, but couldn't do in olden days. 

On the other hand, there's something to be said for configuring it in a way 
that makes sense to you, and this makes sense to me. And, of course, there's 
the fact that it works. :-) 

--Dave 

## 
## LDAP AUTHENTICATION CONFIGURATION 
## 
# 
# Active Directory LDAP authentication configuration (regular user accounts) 
# 
cas.authn.ldap[0].order: 0 
cas.authn.ldap[0].name: Active Directory 
cas.authn.ldap[0].type: AD 
cas.authn.ldap[0].ldapUrl: ldaps://zuul.newschool.edu 
cas.authn.ldap[0].validatePeriod: 270 
cas.authn.ldap[0].poolPassivator: NONE 
cas.authn.ldap[0].userFilter: sAMAccountName={user} 
cas.authn.ldap[0].baseDn: ou=TNSUsers,dc=tns,dc=newschool,dc=edu 
cas.authn.ldap[0].dnFormat: cn=%s,ou=TNSUsers,dc=tns,dc=newschool,dc=edu 

# 
# Luminis 5 LDAP authentication configuration (all user accounts) 
# 
cas.authn.ldap[1].order: 1 
cas.authn.ldap[1].name: Luminis LDAP 
cas.authn.ldap[1].type: AUTHENTICATED 
cas.authn.ldap[1].ldapUrl: ldaps://janus.newschool.edu 
cas.authn.ldap[1].validatePeriod: 270 
cas.authn.ldap[1].userFilter: uid={user} 
cas.authn.ldap[1].baseDn: ou=People,o=cp 
cas.authn.ldap[1].bindDn: uid=ldap_ssotest,ou=People,o=cp 
cas.authn.ldap[1].bindCredential:  

# 
# Active Directory LDAP authentication configuration (admin user accounts) 
# 
cas.authn.ldap[2].order: 2 
cas.authn.ldap[2].name: Active Directory 
cas.authn.ldap[2].type: AD 
cas.authn.ldap[2].ldapUrl: ldaps://zuul.newschool.edu
cas.authn.ldap[2].validatePeriod: 270 
cas.authn.ldap[2].poolPassivator: NONE 
cas.authn.ldap[2].userFilter: sAMAccountName={user} 
cas.authn.ldap[2].baseDn: ou=Network,dc=tns,dc=newschool,dc=edu 
cas.authn.ldap[2].dnFormat: cn=%s,ou=Network,dc=tns,dc=newschool,dc=edu 

## 
## LDAP ATTRIBUTE REPOSITORY CONFIGURATION 
## 
# 
# Collect attributes in the repository on a keep-first-value-found basis; 
# duplicate attributes (even if they have different values) in subsequent 
# sources will be ignored. 
# 
cas.authn.attributeRepository.merger: ADD 

# 
# Active Directory LDAP attribute lookup configuration (regular user accounts) 
# 
cas.authn.attributeRepository.ldap[0].order: 0 
cas.authn.attributeRepository.ldap[0].ldapUrl: ldaps://zuul.newschool.edu
cas.authn.attributeRepository.ldap[0].validatePeriod: 270
cas.authn.attributeRepository.ldap[0].userFilter: sAMAccountName={user}
cas.authn.attributeRepository.ldap[0].baseDn: ou=TNSUsers,dc=tns,dc=newschool,dc=edu
cas.authn.attributeRepository.ldap[0].bindDn: cn=ldap_ssotest,ou=Service,ou=Users,ou=En

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
Yes I hear you. 

I got talked into using gradle by a senior co-worker but I am scrapping that.
I am not a developer and I am trying to understand the developer's environment.

I think NOW after Mr Curry helped me with the pom.xml I am now in 
cas.properties hell. 

There are just so many options and ways to do it. 

But thank you gentlemen, hopefully I can figure out the rest.





=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


From: "Chris Peck"  
To: "cas-user"  
Sent: Thursday, February 8, 2018 11:38:10 AM 
Subject: Re: [cas-user] CAS 5.2.x 

All we do to build just the cas.war file is run this command in the directory 
with the pom.xml file & our src overlay directory: 
mvn clean package 
then it will poop out the warfile in target/cas.war 

We don't use their scripts. 
We keep the pom.xml file & our src overlay directory in git, when we push a 
change to our gitlab server it will build the warfile in a docker container, 
which then scp's the warfile to our cas servers automagically. This ensures a 
clean build environment every time. We don't do auto-deploy, we then ssh into 
the cas-servers and do the deploy manually. Eventually we plan on running CAS 
in docker, but, since we were under pressure to get it up version 5 we decided 
to do that later. 
Helpful - or - just more confusing? 
Chris 


On Thu, Feb 8, 2018 at 11:27 AM David Curry < david.cu...@newschool.edu > 
wrote: 




I'm afraid Gradle is a complete mystery to me. Hopefully someone else can jump 
in. 

--Dave 




-- 


DAVID A. CURRY, CISSP 
DIRECTOR OF INFORMATION SECURITY 
INFORMATION TECHNOLOGY 

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 
+1 212 229-5300 x4728 • david.cu...@newschool.edu 




On Thu, Feb 8, 2018 at 11:13 AM, Cheltenham, Chris < 
ccheltenham-...@philasd.org > wrote: 


David, 

Unfortunately that did not make a difference when I built the cas.war with 
gradle. 
When I used maven I got the same list you have. 

[root@devcas5 lib]# ll | grep ldap 
-rw-r- 1 root root 14296 Feb 8 11:02 cas-server-support-ldap-5.2.2.jar 
-rw-r- 1 root root 35536 Feb 8 11:02 cas-server-support-ldap-core-5.2.2.jar 
-rw-r- 1 root root 802456 Feb 8 11:02 ldaptive-1.2.3.jar 
-rw-r- 1 root root 37195 Feb 8 11:02 ldaptive-apache-1.2.3.jar 
-rw-r- 1 root root 100050 Feb 8 11:02 ldaptive-beans-1.2.3.jar 
-rw-r- 1 root root 40832 Feb 8 11:02 ldaptive-unboundid-1.2.3.jar 
-rw-r- 1 root root 1991909 Aug 13 01:08 unboundid-ldapsdk-3.2.1.jar 
-rw-r- 1 root root 3574892 Feb 8 11:02 unboundid-ldapsdk-4.0.1.jar 

The bad news is I have to rebuild cas.properties because the maven build wiped 
it out. 
Bummer ... 

Hope this is the issue. 

Thanks David. 





=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


From: "David Curry" < david.cu...@newschool.edu > 
To: "cas-user" < cas-user@apereo.org > 
Sent: Thursday, February 8, 2018 10:49:08 AM 

Subject: Re: [cas-user] CAS 5.2.x 

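Try changing what you have:

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
</dependency>

to this:

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>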

I'm pretty sure you have to have a version in there, so Maven knows which one 
to give you. 

--Dave 




-- 


DAVID A. CURRY, CISSP 
DIRECTOR OF INFORMATION SECURITY 
INFORMATION TECHNOLOGY 

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 
+1 212 229-5300 x4728 • david.cu...@newschool.edu 




On Thu, Feb 8, 2018 at 10:22 AM, Cheltenham, Chris < 
ccheltenham-...@philasd.org > wrote: 


David, 

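These are my pom.xml dependencies.
It's funny we are all kind of guessing, that's why we are here I suppose.
I certainly am guessing.


<dependencies>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-ldap</artifactId>
    </dependency>

    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-webapp${app.server}</artifactId>
        <version>${cas.version}</version>
        <type>war</type>
        <scope>runtime</scope>
    </dependency>
</dependencies>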

=== 



Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


From: "David Curry" < david.cu...@newschool.edu > 
To: "cas-user" < cas-user@apereo.org > 
Sent: Thursday, February 8, 2018 10:18:41 AM 

Subject: Re: [cas-user] CAS 5.2.x 

I do not see this one: 



cas-server-support-ldap-5.2.2.jar 




which, I believe, is the one you need. I don't pretend to be an expert on these
things. But when I build from the Maven overlay with this dependency included
in pom.xml:

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>

Here's what I get: 



WEB-INF/lib/cas-server-support-ldap-5.2.2.jar 
WEB-INF/lib/cas-server-support-ldap-core-5.2.2.jar 
WEB-INF/lib/ldaptive-1.2.3.jar 
WEB-INF/lib/ldaptive-beans-1.2.3.jar 
WEB-INF

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
David, 

That's really interesting actually.
Do you incorporate SAML2 proxy delegation in that properties file? 

We are using Shibboleth but plan to drop Shib and use SAML2 in CAS 5. 




=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


From: "David Curry"  
To: "cas-user"  
Sent: Thursday, February 8, 2018 12:13:48 PM 
Subject: Re: [cas-user] CAS 5.2.x 

These could probably be shortened up in a couple of ways by: 


* combining the [0] and [2] Active Directory configs, which go against 
different OUs of the same directory (but are otherwise identical), and 
* performing attribute resolution as part of the authentication process, 
which you can do now, but couldn't do in olden days. 

On the other hand, there's something to be said for configuring it in a way 
that makes sense to you, and this makes sense to me. And, of course, there's 
the fact that it works. :-) 

--Dave 

## 
## LDAP AUTHENTICATION CONFIGURATION 
## 
# 
# Active Directory LDAP authentication configuration (regular user accounts) 
# 
cas.authn.ldap[0].order: 0 
cas.authn.ldap[0].name: Active Directory 
cas.authn.ldap[0].type: AD 
cas.authn.ldap[0].ldapUrl: ldaps://zuul.newschool.edu
cas.authn.ldap[0].validatePeriod: 270 
cas.authn.ldap[0].poolPassivator: NONE 
cas.authn.ldap[0].userFilter: sAMAccountName={user} 
cas.authn.ldap[0].baseDn: ou=TNSUsers,dc=tns,dc=newschool,dc=edu 
cas.authn.ldap[0].dnFormat: cn=%s,ou=TNSUsers,dc=tns,dc=newschool,dc=edu 

# 
# Luminis 5 LDAP authentication configuration (all user accounts) 
# 
cas.authn.ldap[1].order: 1 
cas.authn.ldap[1].name: Luminis LDAP 
cas.authn.ldap[1].type: AUTHENTICATED 
cas.authn.ldap[1].ldapUrl: ldaps://janus.newschool.edu
cas.authn.ldap[1].validatePeriod: 270 
cas.authn.ldap[1].userFilter: uid={user} 
cas.authn.ldap[1].baseDn: ou=People,o=cp 
cas.authn.ldap[1].bindDn: uid=ldap_ssotest,ou=People,o=cp 
cas.authn.ldap[1].bindCredential:  

# 
# Active Directory LDAP authentication configuration (admin user accounts) 
# 
cas.authn.ldap[2].order: 2 
cas.authn.ldap[2].name: Active Directory 
cas.authn.ldap[2].type: AD 
cas.authn.ldap[2].ldapUrl: ldaps://zuul.newschool.edu
cas.authn.ldap[2].validatePeriod: 270 
cas.authn.ldap[2].poolPassivator: NONE 
cas.authn.ldap[2].userFilter: sAMAccountName={user} 
cas.authn.ldap[2].baseDn: ou=Network,dc=tns,dc=newschool,dc=edu 
cas.authn.ldap[2].dnFormat: cn=%s,ou=Network,dc=tns,dc=newschool,dc=edu 

## 
## LDAP ATTRIBUTE REPOSITORY CONFIGURATION 
## 
# 
# Collect attributes in the repository on a keep-first-value-found basis; 
# duplicate attributes (even if they have different values) in subsequent 
# sources will be ignored. 
# 
cas.authn.attributeRepository.merger: ADD 

# 
# Active Directory LDAP attribute lookup configuration (regular user accounts) 
# 
cas.authn.attributeRepository.ldap[0].order: 0 
cas.authn.attributeRepository.ldap[0].ldapUrl: ldaps://zuul.newschool.edu
cas.authn.attributeRepository.ldap[0].validatePeriod: 270
cas.authn.attributeRepository.ldap[0].userFilter: sAMAccountName={user}
cas.authn.attributeRepository.ldap[0].baseDn: ou=TNSUsers,dc=tns,dc=newschool,dc=edu
cas.authn.attributeRepository.ldap[0].bindDn: cn=ldap_ssotest,ou=Service,ou=Users,ou=Enterprise Support,dc=tns,dc=newschool,dc=edu
cas.authn.attributeRepository.ldap[0].bindCredential:
cas.authn.attributeRepository.ldap[0].attributes.cn: uid
cas.authn.attributeRepository.ldap[0].attributes.displayName: displayName
cas.authn.attributeRepository.ldap[0].attributes.givenName: givenName
cas.authn.attributeRepository.ldap[0].attributes.mail: mail
cas.authn.attributeRepository.ldap[0].attributes.sn: sn
cas.authn.attributeRepository.ldap[0].attributes.tnsGoogleAppsRole: role 
cas.authn.attributeRepository.ldap[0].attributes.tnsIDNumber: cn 

# 
# Luminis 5 LDAP attribute lookup configuration (all user accounts) 
# 
cas.authn.attributeRepository.ldap[1].order: 1 
cas.authn.attributeRepository.ldap[1].ldapUrl: ldaps://janus.newschool.edu
cas.authn.attributeRepository.ldap[1].validatePeriod: 270
cas.authn.attributeRepository.ldap[1].userFilter: uid={user}
cas.authn.attributeRepository.ldap[1].baseDn: ou=People,o=cp
cas.authn.attributeRepository.ldap[1].bindDn: uid=ldap_ssotest,ou=People,o=cp
cas.authn.attributeRepository.ldap[1].bindCredential:
cas.authn.attributeRepository.ldap[1].attributes.cn: cn
cas.authn.attributeRepository.ldap[1].attributes.displayName: displayName 
cas.authn.attributeRepository.ldap[1].attributes.givenName: givenName 
c

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
Thanks David, 

That's a bit eye opening, the orders and different authorizing entities.




=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


From: "David Curry"  
To: "cas-user"  
Sent: Thursday, February 8, 2018 12:13:48 PM 
Subject: Re: [cas-user] CAS 5.2.x 

These could probably be shortened up in a couple of ways by: 


* combining the [0] and [2] Active Directory configs, which go against 
different OUs of the same directory (but are otherwise identical), and 
* performing attribute resolution as part of the authentication process, 
which you can do now, but couldn't do in olden days. 

On the other hand, there's something to be said for configuring it in a way 
that makes sense to you, and this makes sense to me. And, of course, there's 
the fact that it works. :-) 

--Dave 

## 
## LDAP AUTHENTICATION CONFIGURATION 
## 
# 
# Active Directory LDAP authentication configuration (regular user accounts) 
# 
cas.authn.ldap[0].order: 0 
cas.authn.ldap[0].name: Active Directory 
cas.authn.ldap[0].type: AD 
cas.authn.ldap[0].ldapUrl: ldaps://zuul.newschool.edu
cas.authn.ldap[0].validatePeriod: 270 
cas.authn.ldap[0].poolPassivator: NONE 
cas.authn.ldap[0].userFilter: sAMAccountName={user} 
cas.authn.ldap[0].baseDn: ou=TNSUsers,dc=tns,dc=newschool,dc=edu 
cas.authn.ldap[0].dnFormat: cn=%s,ou=TNSUsers,dc=tns,dc=newschool,dc=edu 

# 
# Luminis 5 LDAP authentication configuration (all user accounts) 
# 
cas.authn.ldap[1].order: 1 
cas.authn.ldap[1].name: Luminis LDAP 
cas.authn.ldap[1].type: AUTHENTICATED 
cas.authn.ldap[1].ldapUrl: ldaps://janus.newschool.edu
cas.authn.ldap[1].validatePeriod: 270 
cas.authn.ldap[1].userFilter: uid={user} 
cas.authn.ldap[1].baseDn: ou=People,o=cp 
cas.authn.ldap[1].bindDn: uid=ldap_ssotest,ou=People,o=cp 
cas.authn.ldap[1].bindCredential:  

# 
# Active Directory LDAP authentication configuration (admin user accounts) 
# 
cas.authn.ldap[2].order: 2 
cas.authn.ldap[2].name: Active Directory 
cas.authn.ldap[2].type: AD 
cas.authn.ldap[2].ldapUrl: ldaps://zuul.newschool.edu
cas.authn.ldap[2].validatePeriod: 270 
cas.authn.ldap[2].poolPassivator: NONE 
cas.authn.ldap[2].userFilter: sAMAccountName={user} 
cas.authn.ldap[2].baseDn: ou=Network,dc=tns,dc=newschool,dc=edu 
cas.authn.ldap[2].dnFormat: cn=%s,ou=Network,dc=tns,dc=newschool,dc=edu 

## 
## LDAP ATTRIBUTE REPOSITORY CONFIGURATION 
## 
# 
# Collect attributes in the repository on a keep-first-value-found basis; 
# duplicate attributes (even if they have different values) in subsequent 
# sources will be ignored. 
# 
cas.authn.attributeRepository.merger: ADD 

# 
# Active Directory LDAP attribute lookup configuration (regular user accounts) 
# 
cas.authn.attributeRepository.ldap[0].order: 0 
cas.authn.attributeRepository.ldap[0].ldapUrl: ldaps://zuul.newschool.edu
cas.authn.attributeRepository.ldap[0].validatePeriod: 270
cas.authn.attributeRepository.ldap[0].userFilter: sAMAccountName={user}
cas.authn.attributeRepository.ldap[0].baseDn: ou=TNSUsers,dc=tns,dc=newschool,dc=edu
cas.authn.attributeRepository.ldap[0].bindDn: cn=ldap_ssotest,ou=Service,ou=Users,ou=Enterprise Support,dc=tns,dc=newschool,dc=edu
cas.authn.attributeRepository.ldap[0].bindCredential:
cas.authn.attributeRepository.ldap[0].attributes.cn: uid
cas.authn.attributeRepository.ldap[0].attributes.displayName: displayName
cas.authn.attributeRepository.ldap[0].attributes.givenName: givenName
cas.authn.attributeRepository.ldap[0].attributes.mail: mail
cas.authn.attributeRepository.ldap[0].attributes.sn: sn
cas.authn.attributeRepository.ldap[0].attributes.tnsGoogleAppsRole: role 
cas.authn.attributeRepository.ldap[0].attributes.tnsIDNumber: cn 

# 
# Luminis 5 LDAP attribute lookup configuration (all user accounts) 
# 
cas.authn.attributeRepository.ldap[1].order: 1 
cas.authn.attributeRepository.ldap[1].ldapUrl: ldaps://janus.newschool.edu
cas.authn.attributeRepository.ldap[1].validatePeriod: 270
cas.authn.attributeRepository.ldap[1].userFilter: uid={user}
cas.authn.attributeRepository.ldap[1].baseDn: ou=People,o=cp
cas.authn.attributeRepository.ldap[1].bindDn: uid=ldap_ssotest,ou=People,o=cp
cas.authn.attributeRepository.ldap[1].bindCredential:
cas.authn.attributeRepository.ldap[1].attributes.cn: cn
cas.authn.attributeRepository.ldap[1].attributes.displayName: displayName 
cas.authn.attributeRepository.ldap[1].attributes.givenName: givenName 
cas.authn.attributeRepository.ldap[1].attributes.mail: mail 
cas.authn.attributeRep

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
David, 

Would you be able to share your CAS 5 cas.properties section?
Please make sure and blank out like passwords.




=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


From: "David Curry"  
To: "cas-user"  
Sent: Thursday, February 8, 2018 11:27:48 AM 
Subject: Re: [cas-user] CAS 5.2.x 


I'm afraid Gradle is a complete mystery to me. Hopefully someone else can jump 
in. 

--Dave 




-- 


DAVID A. CURRY, CISSP 
DIRECTOR OF INFORMATION SECURITY 
INFORMATION TECHNOLOGY 

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 
+1 212 229-5300 x4728 • david.cu...@newschool.edu 




On Thu, Feb 8, 2018 at 11:13 AM, Cheltenham, Chris < 
ccheltenham-...@philasd.org > wrote: 



David, 

Unfortunately that did not make a difference when I built the cas.war with 
gradle. 
When I used maven I got the same list you have. 

[root@devcas5 lib]# ll | grep ldap 
-rw-r- 1 root root 14296 Feb 8 11:02 cas-server-support-ldap-5.2.2.jar 
-rw-r- 1 root root 35536 Feb 8 11:02 cas-server-support-ldap-core-5.2.2.jar 
-rw-r- 1 root root 802456 Feb 8 11:02 ldaptive-1.2.3.jar 
-rw-r- 1 root root 37195 Feb 8 11:02 ldaptive-apache-1.2.3.jar 
-rw-r- 1 root root 100050 Feb 8 11:02 ldaptive-beans-1.2.3.jar 
-rw-r- 1 root root 40832 Feb 8 11:02 ldaptive-unboundid-1.2.3.jar 
-rw-r- 1 root root 1991909 Aug 13 01:08 unboundid-ldapsdk-3.2.1.jar 
-rw-r- 1 root root 3574892 Feb 8 11:02 unboundid-ldapsdk-4.0.1.jar 

The bad news is I have to rebuild cas.properties because the maven build wiped 
it out. 
Bummer ... 

Hope this is the issue. 

Thanks David. 





=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


From: "David Curry" < david.cu...@newschool.edu > 
To: "cas-user" < cas-user@apereo.org > 
Sent: Thursday, February 8, 2018 10:49:08 AM 

Subject: Re: [cas-user] CAS 5.2.x 

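Try changing what you have:

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
</dependency>

to this:

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>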

I'm pretty sure you have to have a version in there, so Maven knows which one 
to give you. 

--Dave 




-- 


DAVID A. CURRY, CISSP 
DIRECTOR OF INFORMATION SECURITY 
INFORMATION TECHNOLOGY 

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 
+1 212 229-5300 x4728 • david.cu...@newschool.edu 




On Thu, Feb 8, 2018 at 10:22 AM, Cheltenham, Chris < 
ccheltenham-...@philasd.org > wrote: 


David, 

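These are my pom.xml dependencies.
It's funny we are all kind of guessing, that's why we are here I suppose.
I certainly am guessing.


<dependencies>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-ldap</artifactId>
    </dependency>

    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-webapp${app.server}</artifactId>
        <version>${cas.version}</version>
        <type>war</type>
        <scope>runtime</scope>
    </dependency>
</dependencies>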

=== 



Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


From: "David Curry" < david.cu...@newschool.edu > 
To: "cas-user" < cas-user@apereo.org > 
Sent: Thursday, February 8, 2018 10:18:41 AM 

Subject: Re: [cas-user] CAS 5.2.x 

I do not see this one: 



cas-server-support-ldap-5.2.2.jar 




which, I believe, is the one you need. I don't pretend to be an expert on these
things. But when I build from the Maven overlay with this dependency included
in pom.xml:

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>

Here's what I get: 



WEB-INF/lib/cas-server-support-ldap-5.2.2.jar 
WEB-INF/lib/cas-server-support-ldap-core-5.2.2.jar 
WEB-INF/lib/ldaptive-1.2.3.jar 
WEB-INF/lib/ldaptive-beans-1.2.3.jar 
WEB-INF/lib/ldaptive-unboundid-1.2.3.jar 
WEB-INF/lib/unboundid-ldapsdk-4.0.1.jar 
WEB-INF/lib/ldaptive-apache-1.2.3.jar 
WEB-INF/lib/unboundid-ldapsdk-3.2.1.jar 



and when I build from the same pom.xml but with that dependency removed, here's 
what I get: 



WEB-INF/lib/cas-server-support-ldap-core-5.2.2.jar 
WEB-INF/lib/ldaptive-apache-1.2.3.jar 
WEB-INF/lib/ldaptive-beans-1.2.3.jar 
WEB-INF/lib/ldaptive-unboundid-1.2.3.jar 
WEB-INF/lib/ldaptive-1.2.3.jar 
WEB-INF/lib/unboundid-ldapsdk-3.2.1.jar 



So that tells me (or suggests, anyway) that you should be seeing 

WEB-INF/lib/cas-server-support-ldap-5.2.2.jar 

(and maybe WEB-INF/lib/unboundid-ldapsdk-4.0.1.jar).

Are you building with the Maven overlay? Have you tried deleting your Maven 
cache directory and re-doing the "mvnw clean package"?

--Dave 





-- 


DAVID A. CURRY, CISSP 
DIRECTOR OF INFORMATION SECURITY 
INFORMATION TECHNOLOGY 

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 
+1 212 229-5300 x4728 • david.cu...@newschool.edu 




On Thu, Feb 8, 2018 at 10:00 AM, Cheltenham, Chris < 
ccheltenham-...@philasd.org > wrote: 


Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Chris Peck
All we do to build just the cas.war file is run this command in the
directory with the pom.xml file & our src overlay directory:
*mvn clean package*
then it will poop out the warfile in *target/cas.war*

We don't use their scripts.
We keep the pom.xml file & our src overlay directory in git, when we push a
change to our gitlab server it will build the warfile in a docker
container, which then scp's the warfile to our cas servers automagically.
This ensures a clean build environment every time. We don't do
auto-deploy, we then ssh into the cas-servers and do the deploy manually.
Eventually we plan on running CAS in docker, but, since we were under
pressure to get it up version 5 we decided to do that later.
Helpful - or - just more confusing?
Chris


On Thu, Feb 8, 2018 at 11:27 AM David Curry 
wrote:

>
> I'm afraid Gradle is a complete mystery to me. Hopefully someone else can
> jump in.
>
> --Dave
>
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>
> On Thu, Feb 8, 2018 at 11:13 AM, Cheltenham, Chris <
> ccheltenham-...@philasd.org> wrote:
>
>> David,
>>
>> Unfortunately that did not make a difference when I built the cas.war
>> with gradle.
>> When I used maven I got the same list you have.
>>
>> [root@devcas5 lib]# ll | grep ldap
>> -rw-r- 1 root root 14296 Feb 8 11:02 cas-server-support-ldap-5.2.2.jar
>> -rw-r- 1 root root 35536 Feb 8 11:02 cas-server-support-ldap-core-5.2.2.jar
>> -rw-r- 1 root root 802456 Feb 8 11:02 ldaptive-1.2.3.jar
>> -rw-r- 1 root root 37195 Feb 8 11:02 ldaptive-apache-1.2.3.jar
>> -rw-r- 1 root root 100050 Feb 8 11:02 ldaptive-beans-1.2.3.jar
>> -rw-r- 1 root root 40832 Feb 8 11:02 ldaptive-unboundid-1.2.3.jar
>> -rw-r- 1 root root 1991909 Aug 13 01:08 unboundid-ldapsdk-3.2.1.jar
>> -rw-r- 1 root root 3574892 Feb 8 11:02 unboundid-ldapsdk-4.0.1.jar
>>
>> The bad news is I have to rebuild cas.properties because the maven build
>> wiped it out.
>> Bummer ...
>>
>> Hope this is the issue.
>>
>> Thanks David.
>>
>>
>>
>> ===
>>
>> Thank You;
>>
>> Chris Cheltenham
>> Technology Services
>> The School District of Philadelphia
>>
>> Work # 215-400-5025
>> Cell # 215-301-6571
>>
>> --
>> *From: *"David Curry" 
>> *To: *"cas-user" 
>> *Sent: *Thursday, February 8, 2018 10:49:08 AM
>>
>> *Subject: *Re: [cas-user] CAS 5.2.x
>>
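>> Try changing what you have:
>>
>> <dependency>
>>     <groupId>org.apereo.cas</groupId>
>>     <artifactId>cas-server-support-ldap</artifactId>
>> </dependency>
>>
>> to this:
>>
>> <dependency>
>>     <groupId>org.apereo.cas</groupId>
>>     <artifactId>cas-server-support-ldap</artifactId>
>>     <version>${cas.version}</version>
>> </dependency>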
>>
>> I'm pretty sure you have to have a version in there, so Maven knows which
>> one to give you.
>>
>> --Dave
>>
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR OF INFORMATION SECURITY*
>> INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>>
>> On Thu, Feb 8, 2018 at 10:22 AM, Cheltenham, Chris <
>> ccheltenham-...@philasd.org> wrote:
>>
>>> David,
>>>
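>>> These are my pom.xml dependencies.
>>> It's funny we are all kind of guessing, that's why we are here I suppose.
>>> I certainly am guessing.
>>>
>>>
>>> <dependencies>
>>>     <dependency>
>>>         <groupId>org.apereo.cas</groupId>
>>>         <artifactId>cas-server-support-ldap</artifactId>
>>>     </dependency>
>>>
>>>     <dependency>
>>>         <groupId>org.apereo.cas</groupId>
>>>         <artifactId>cas-server-webapp${app.server}</artifactId>
>>>         <version>${cas.version}</version>
>>>         <type>war</type>
>>>         <scope>runtime</scope>
>>>     </dependency>
>>> </dependencies>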
>>>
>>> ===
>>>
>>>
>>> Thank You;
>>>
>>> Chris Cheltenham
>>> Technology Services
>>> The School District of Philadelphia
>>>
>>>

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
David, 

Unfortunately that did not make a difference when I built the cas.war with 
gradle. 
When I used maven I got the same list you have. 

[root@devcas5 lib]# ll | grep ldap 
-rw-r- 1 root root 14296 Feb 8 11:02 cas-server-support-ldap-5.2.2.jar 
-rw-r- 1 root root 35536 Feb 8 11:02 cas-server-support-ldap-core-5.2.2.jar 
-rw-r- 1 root root 802456 Feb 8 11:02 ldaptive-1.2.3.jar 
-rw-r- 1 root root 37195 Feb 8 11:02 ldaptive-apache-1.2.3.jar 
-rw-r- 1 root root 100050 Feb 8 11:02 ldaptive-beans-1.2.3.jar 
-rw-r- 1 root root 40832 Feb 8 11:02 ldaptive-unboundid-1.2.3.jar 
-rw-r- 1 root root 1991909 Aug 13 01:08 unboundid-ldapsdk-3.2.1.jar 
-rw-r- 1 root root 3574892 Feb 8 11:02 unboundid-ldapsdk-4.0.1.jar 

The bad news is I have to rebuild cas.properties because the maven build wiped 
it out. 
Bummer ... 

Hope this is the issue. 

Thanks David. 





=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


From: "David Curry"  
To: "cas-user"  
Sent: Thursday, February 8, 2018 10:49:08 AM 
Subject: Re: [cas-user] CAS 5.2.x 

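Try changing what you have:

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
</dependency>

to this:

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>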

I'm pretty sure you have to have a version in there, so Maven knows which one 
to give you. 

--Dave 




-- 


DAVID A. CURRY, CISSP 
DIRECTOR OF INFORMATION SECURITY 
INFORMATION TECHNOLOGY 

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 
+1 212 229-5300 x4728 • david.cu...@newschool.edu 




On Thu, Feb 8, 2018 at 10:22 AM, Cheltenham, Chris < 
ccheltenham-...@philasd.org > wrote: 



David, 

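These are my pom.xml dependencies.
It's funny we are all kind of guessing, that's why we are here I suppose.
I certainly am guessing.


<dependencies>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-ldap</artifactId>
    </dependency>

    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-webapp${app.server}</artifactId>
        <version>${cas.version}</version>
        <type>war</type>
        <scope>runtime</scope>
    </dependency>
</dependencies>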

=== 



Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


From: "David Curry" < david.cu...@newschool.edu > 
To: "cas-user" < cas-user@apereo.org > 
Sent: Thursday, February 8, 2018 10:18:41 AM 

Subject: Re: [cas-user] CAS 5.2.x 

I do not see this one: 



cas-server-support-ldap-5.2.2.jar 




which, I believe, is the one you need. I don't pretend to be an expert on these
things. But when I build from the Maven overlay with this dependency included
in pom.xml:

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>

Here's what I get: 



WEB-INF/lib/cas-server-support-ldap-5.2.2.jar 
WEB-INF/lib/cas-server-support-ldap-core-5.2.2.jar 
WEB-INF/lib/ldaptive-1.2.3.jar 
WEB-INF/lib/ldaptive-beans-1.2.3.jar 
WEB-INF/lib/ldaptive-unboundid-1.2.3.jar 
WEB-INF/lib/unboundid-ldapsdk-4.0.1.jar 
WEB-INF/lib/ldaptive-apache-1.2.3.jar 
WEB-INF/lib/unboundid-ldapsdk-3.2.1.jar 



and when I build from the same pom.xml but with that dependency removed, here's 
what I get: 



WEB-INF/lib/cas-server-support-ldap-core-5.2.2.jar 
WEB-INF/lib/ldaptive-apache-1.2.3.jar 
WEB-INF/lib/ldaptive-beans-1.2.3.jar 
WEB-INF/lib/ldaptive-unboundid-1.2.3.jar 
WEB-INF/lib/ldaptive-1.2.3.jar 
WEB-INF/lib/unboundid-ldapsdk-3.2.1.jar 



So that tells me (or suggests, anyway) that you should be seeing 

WEB-INF/lib/cas-server-support-ldap-5.2.2.jar 

(and maybe WEB-INF/lib/unboundid-ldapsdk-4.0.1.jar).

Are you building with the Maven overlay? Have you tried deleting your Maven 
cache directory and re-doing the "mvnw clean package"?

--Dave 





-- 


DAVID A. CURRY, CISSP 
DIRECTOR OF INFORMATION SECURITY 
INFORMATION TECHNOLOGY 

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 
+1 212 229-5300 x4728 • david.cu...@newschool.edu 




On Thu, Feb 8, 2018 at 10:00 AM, Cheltenham, Chris < 
ccheltenham-...@philasd.org > wrote: 


David, 

I have the following jars. 
Is this sufficient for ldap support? 

[root@devcas5 lib]# pwd 
/opt/tcat/webapps/cas/WEB-INF/lib 
[root@devcas5 lib]# ll | grep ldap 
-rw-r- 1 root root 35536 Jan 26 13:26 cas-server-support-ldap-core-5.2.2.jar
-rw-r- 1 root root 802456 Nov 27 11:40 ldaptive-1.2.3.jar 
-rw-r- 1 root root 37195 Nov 27 11:40 ldaptive-apache-1.2.3.jar 
-rw-r- 1 root root 100050 Nov 27 11:40 ldaptive-beans-1.2.3.jar 
-rw-r- 1 root root 40832 Nov 27 11:40 ldaptive-unboundid-1.2.3.jar 
-rw-r- 1 root root 1991909 Aug 13 01:08 unboundid-ldapsdk-3.2.1.jar 
[root@devcas5 lib]# 

My error is this - 
2018-02-07 15:28:16,450 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 -  
2018-02-07 15:28:16,450 DEBUG 
[org.apereo.cas.authenticatio
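
Added example (not part of the thread and not CAS project code): the jar comparison David describes above, automated as a check over a WEB-INF/lib listing. The two sample listings are reflowed from the `ll | grep ldap` output quoted in the thread; the function names and the extra report of artifacts present in more than one version are assumptions of this example.

```python
import re
from collections import defaultdict

# Listings reflowed from the thread's `ll | grep ldap` output (wrapped lines
# rejoined, permission strings kept as they appear in the archive).
LIB_BEFORE = """\
-rw-r- 1 root root 35536 Jan 26 13:26 cas-server-support-ldap-core-5.2.2.jar
-rw-r- 1 root root 802456 Nov 27 11:40 ldaptive-1.2.3.jar
-rw-r- 1 root root 37195 Nov 27 11:40 ldaptive-apache-1.2.3.jar
-rw-r- 1 root root 100050 Nov 27 11:40 ldaptive-beans-1.2.3.jar
-rw-r- 1 root root 40832 Nov 27 11:40 ldaptive-unboundid-1.2.3.jar
-rw-r- 1 root root 1991909 Aug 13 01:08 unboundid-ldapsdk-3.2.1.jar
"""

LIB_AFTER = """\
-rw-r- 1 root root 14296 Feb 8 11:02 cas-server-support-ldap-5.2.2.jar
-rw-r- 1 root root 35536 Feb 8 11:02 cas-server-support-ldap-core-5.2.2.jar
-rw-r- 1 root root 802456 Feb 8 11:02 ldaptive-1.2.3.jar
-rw-r- 1 root root 37195 Feb 8 11:02 ldaptive-apache-1.2.3.jar
-rw-r- 1 root root 100050 Feb 8 11:02 ldaptive-beans-1.2.3.jar
-rw-r- 1 root root 40832 Feb 8 11:02 ldaptive-unboundid-1.2.3.jar
-rw-r- 1 root root 1991909 Aug 13 01:08 unboundid-ldapsdk-3.2.1.jar
-rw-r- 1 root root 3574892 Feb 8 11:02 unboundid-ldapsdk-4.0.1.jar
"""

# The module the thread identifies as the one that must be in the WAR.
REQUIRED = ("cas-server-support-ldap",)

# artifact-name "-" version ".jar"; the version starts at the first
# hyphen that is followed by a digit.
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.]*)\.jar$")


def parse_jars(listing):
    """Map artifact name -> set of versions.

    Accepts `ls -l` style lines as well as bare WEB-INF/lib/... paths:
    only the last column is used, reduced to its basename.
    """
    jars = defaultdict(set)
    for line in listing.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        name = tokens[-1].rsplit("/", 1)[-1]
        match = JAR_RE.match(name)
        if match:
            jars[match.group("artifact")].add(match.group("version"))
    return dict(jars)


def audit(listing, required=REQUIRED):
    """Return (missing required artifacts, artifacts present in >1 version).

    Matching is on the exact artifact name, so cas-server-support-ldap-core
    does not satisfy cas-server-support-ldap the way a substring grep would.
    """
    jars = parse_jars(listing)
    missing = [name for name in required if name not in jars]
    multiple = {name: sorted(v) for name, v in jars.items() if len(v) > 1}
    return missing, multiple


if __name__ == "__main__":
    for label, listing in (("before", LIB_BEFORE), ("after", LIB_AFTER)):
        missing, multiple = audit(listing)
        print(label, "missing:", missing, "multiple versions:", multiple)
```
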

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
Man, 

Here is the debug info and the error. 

[root@devcas5 logs]# tail catalina.out 
2018-02-08 10:08:50,014 DEBUG 
[org.apereo.cas.authentication.PseudoPlatformTransactionManager] -  
2018-02-08 10:08:50,014 DEBUG 
[org.apereo.cas.authentication.PseudoPlatformTransactionManager] -  
2018-02-08 10:08:50,014 DEBUG 
[org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] -  
2018-02-08 10:08:50,014 DEBUG 
[org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] -  
2018-02-08 10:08:50,014 INFO 
[org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - <[0] expired 
tickets removed.> 
2018-02-08 10:08:50,014 DEBUG 
[org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] -  
2018-02-08 10:08:50,014 DEBUG 
[org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] -  
2018-02-08 10:08:50,014 DEBUG 
[org.apereo.cas.authentication.PseudoPlatformTransactionManager] -  
2018-02-08 10:08:50,014 DEBUG 
[org.apereo.cas.authentication.PseudoPlatformTransactionManager] -  
2018-02-08 10:08:50,014 DEBUG 
[org.apereo.cas.authentication.PseudoPlatformTransactionManager] -  
[root@devcas5 logs]# cat catalina.out | grep ccheltenham 
2018-02-08 10:08:40,992 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 -  
2018-02-08 10:08:40,992 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 -  
2018-02-08 10:08:40,993 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 -  
2018-02-08 10:08:40,993 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 -  
2018-02-08 10:08:40,993 DEBUG 
[org.apereo.cas.authentication.AcceptUsersAuthenticationHandler] - 
<[ccheltenham-ext] was not found in the map.> 
2018-02-08 10:08:40,993 DEBUG 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
<[AcceptUsersAuthenticationHandler] exception details: [ccheltenham-ext not 
found in backing map.].> 
2018-02-08 10:08:40,994 ERROR 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
 



=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


From: "Man H"  
To: "cas-user"  
Sent: Thursday, February 8, 2018 10:37:01 AM 
Subject: Re: [cas-user] CAS 5.2.x 

With debug you can see if cas gets connected to Ldap 

2018-02-08 12:27 GMT-03:00 Cheltenham, Chris < ccheltenham-...@philasd.org > : 



Man, 

The basedn is correct in cas.properties. 


This search returns data so you can see the base dn. 
ldapsearch -H "ldaps://testldap.philasd.net" -x -w 'x' -LLL -b
"dc=philasd,dc=org" -D "uid=shibauth,ou=svc_accts,dc=philasd,dc=org" 
"uid=ccheltenham-ext" 


[root@devcas5 config]# cat cas.properties | grep basedn 
[root@devcas5 config]# cat cas.properties | grep -i basedn 
cas.authn.ldap[0].baseDn=dc=philasd,dc=org 



=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


From: "Man H" < info.ings...@gmail.com > 
To: "cas-user" < cas-user@apereo.org > 
Sent: Thursday, February 8, 2018 10:17:57 AM 

Subject: Re: [cas-user] CAS 5.2.x 

This is an LDAP error; check your properties, probably baseDn.

2018-02-08 12:00 GMT-03:00 Cheltenham, Chris < ccheltenham-...@philasd.org > : 


David, 

I have the following jars. 
Is this sufficient for ldap support? 

[root@devcas5 lib]# pwd 
/opt/tcat/webapps/cas/WEB-INF/lib 
[root@devcas5 lib]# ll | grep ldap 
-rw-r- 1 root root 35536 Jan 26 13:26 
cas-server-support-ldap-core-5.2.2.jar 
-rw-r- 1 root root 802456 Nov 27 11:40 ldaptive-1.2.3.jar 
-rw-r- 1 root root 37195 Nov 27 11:40 ldaptive-apache-1.2.3.jar 
-rw-r- 1 root root 100050 Nov 27 11:40 ldaptive-beans-1.2.3.jar 
-rw-r- 1 root root 40832 Nov 27 11:40 ldaptive-unboundid-1.2.3.jar 
-rw-r- 1 root root 1991909 Aug 13 01:08 unboundid-ldapsdk-3.2.1.jar 
[root@devcas5 lib]# 

My error is this - 
2018-02-07 15:28:16,450 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 -  
2018-02-07 15:28:16,450 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 -  
2018-02-07 15:28:16,451 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 -  
2018-02-07 15:28:16,451 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 -  
2018-02-07 15:28:16,451 DEBUG 
[org.apereo.cas.authentication.AcceptUsersAuthenticationHandler] - 
<[ccheltenham-ext] was not found in the map.> 
2018-02-07 15:28:16,452 DEBUG 
[org.apereo.cas.authentication.PolicyBasedAuthent

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
Man, 

The basedn is correct in cas.properties. 


This search returns data so you can see the base dn. 
ldapsearch -H "ldaps://testldap.philasd.net" -x -w 'x' -LLL -b 
"dc=philasd,dc=org" -D "uid=shibauth,ou=svc_accts,dc=philasd,dc=org" 
"uid=ccheltenham-ext" 


[root@devcas5 config]# cat cas.properties | grep basedn 
[root@devcas5 config]# cat cas.properties | grep -i basedn 
cas.authn.ldap[0].baseDn=dc=philasd,dc=org 



=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


From: "Man H"  
To: "cas-user"  
Sent: Thursday, February 8, 2018 10:17:57 AM 
Subject: Re: [cas-user] CAS 5.2.x 

This is an LDAP error; check your properties, probably baseDn.

2018-02-08 12:00 GMT-03:00 Cheltenham, Chris < ccheltenham-...@philasd.org > : 



David, 

I have the following jars. 
Is this sufficient for ldap support? 

[root@devcas5 lib]# pwd 
/opt/tcat/webapps/cas/WEB-INF/lib 
[root@devcas5 lib]# ll | grep ldap 
-rw-r- 1 root root 35536 Jan 26 13:26 
cas-server-support-ldap-core-5.2.2.jar 
-rw-r- 1 root root 802456 Nov 27 11:40 ldaptive-1.2.3.jar 
-rw-r- 1 root root 37195 Nov 27 11:40 ldaptive-apache-1.2.3.jar 
-rw-r- 1 root root 100050 Nov 27 11:40 ldaptive-beans-1.2.3.jar 
-rw-r- 1 root root 40832 Nov 27 11:40 ldaptive-unboundid-1.2.3.jar 
-rw-r- 1 root root 1991909 Aug 13 01:08 unboundid-ldapsdk-3.2.1.jar 
[root@devcas5 lib]# 

My error is this - 
2018-02-07 15:28:16,450 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 -  
2018-02-07 15:28:16,450 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 -  
2018-02-07 15:28:16,451 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 -  
2018-02-07 15:28:16,451 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 -  
2018-02-07 15:28:16,451 DEBUG 
[org.apereo.cas.authentication.AcceptUsersAuthenticationHandler] - 
<[ccheltenham-ext] was not found in the map.> 
2018-02-07 15:28:16,452 DEBUG 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
<[AcceptUsersAuthenticationHandler] exception details: [ccheltenham-ext not 
found in backing map.].> 
2018-02-07 15:28:16,452 ERROR 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
 


=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


From: "David Curry" < david.cu...@newschool.edu > 
To: "cas-user" < cas-user@apereo.org > 
Sent: Thursday, February 8, 2018 7:54:21 AM 
Subject: Re: [cas-user] CAS 5.2.x 


$ jar tvf cas.war | grep ldap 
WEB-INF/lib/cas-server-support-ldap-5.2.2.jar 
WEB-INF/lib/cas-server-support-ldap-core-5.2.2.jar 
WEB-INF/lib/ldaptive-1.2.3.jar 
WEB-INF/lib/ldaptive-beans-1.2.3.jar 
WEB-INF/lib/ldaptive-unboundid-1.2.3.jar 
WEB-INF/lib/unboundid-ldapsdk-4.0.1.jar 
WEB-INF/lib/ldaptive-apache-1.2.3.jar 
WEB-INF/lib/unboundid-ldapsdk-3.2.1.jar 
$ 

The cas-server-support-ldap-5.2.2.jar is the one you're looking for. 

--Dave 




-- 


DAVID A. CURRY, CISSP 
DIRECTOR OF INFORMATION SECURITY 
INFORMATION TECHNOLOGY 

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 
+1 212 229-5300 x4728 • david.cu...@newschool.edu 




On Thu, Feb 8, 2018 at 7:27 AM, Cheltenham, Chris < ccheltenham-...@philasd.org 
> wrote: 


Hello folks, 

I think I have been confusing everyone with too much incongruent information. 

If I may I will ask things in a more logical manner. 

I am still not able to connect with CAS 5 via LDAP. 

My first question is, how do I know the ldap dependency was built into the 
cas.war file? 







=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


-- 
- Website: https://apereo.github.io/cas 
- Gitter Chatroom: https://gitter.im/apereo/cas 
- List Guidelines: https://goo.gl/1VRrw7 
- Contributions: https://goo.gl/mh7qDG 
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group. 
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org . 
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/341032203.44492473.1518092860963.JavaMail.zimbra%40philasd.org
 . 







Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
David, 

These are my pom.xml dependencies. 
It's funny we are all kind of guessing, that's why we are here I suppose. 
I certainly am guessing. 


 
 
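<dependencies>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-ldap</artifactId>
    </dependency>

    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-webapp${app.server}</artifactId>
        <version>${cas.version}</version>
        <type>war</type>
        <scope>runtime</scope>
    </dependency>
</dependencies>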
 
 

=== 



Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


From: "David Curry"  
To: "cas-user"  
Sent: Thursday, February 8, 2018 10:18:41 AM 
Subject: Re: [cas-user] CAS 5.2.x 

I do not see this one: 




cas-server-support-ldap-5.2.2.jar 




which, I believe, is the one you need. I don't pretend to be an expert on these 
things. But when I build from the Maven overlay with this dependency included 
in pom.xml : 

 
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>
 

Here's what I get: 



WEB-INF/lib/cas-server-support-ldap-5.2.2.jar 
WEB-INF/lib/cas-server-support-ldap-core-5.2.2.jar 
WEB-INF/lib/ldaptive-1.2.3.jar 
WEB-INF/lib/ldaptive-beans-1.2.3.jar 
WEB-INF/lib/ldaptive-unboundid-1.2.3.jar 
WEB-INF/lib/unboundid-ldapsdk-4.0.1.jar 
WEB-INF/lib/ldaptive-apache-1.2.3.jar 
WEB-INF/lib/unboundid-ldapsdk-3.2.1.jar 



and when I build from the same pom.xml but with that dependency removed, here's 
what I get: 



WEB-INF/lib/cas-server-support-ldap-core-5.2.2.jar 
WEB-INF/lib/ldaptive-apache-1.2.3.jar 
WEB-INF/lib/ldaptive-beans-1.2.3.jar 
WEB-INF/lib/ldaptive-unboundid-1.2.3.jar 
WEB-INF/lib/ldaptive-1.2.3.jar 
WEB-INF/lib/unboundid-ldapsdk-3.2.1.jar 



So that tells me (or suggests, anyway) that you should be seeing 

WEB-INF/lib/cas-server-support-ldap-5.2.2.jar 

(and maybe WEB-INF/lib/unboundid-ldapsdk-4.0.1.jar ). 

Are you building with the Maven overlay? Have you tried deleting your Maven 
cache directory and re-doing the " mvnw clean package "? 

--Dave 





-- 


DAVID A. CURRY, CISSP 
DIRECTOR OF INFORMATION SECURITY 
INFORMATION TECHNOLOGY 

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 
+1 212 229-5300 x4728 • david.cu...@newschool.edu 




On Thu, Feb 8, 2018 at 10:00 AM, Cheltenham, Chris < 
ccheltenham-...@philasd.org > wrote: 


David, 

I have the following jars. 
Is this sufficient for ldap support? 

[root@devcas5 lib]# pwd 
/opt/tcat/webapps/cas/WEB-INF/lib 
[root@devcas5 lib]# ll | grep ldap 
-rw-r- 1 root root 35536 Jan 26 13:26 
cas-server-support-ldap-core-5.2.2.jar 
-rw-r- 1 root root 802456 Nov 27 11:40 ldaptive-1.2.3.jar 
-rw-r- 1 root root 37195 Nov 27 11:40 ldaptive-apache-1.2.3.jar 
-rw-r- 1 root root 100050 Nov 27 11:40 ldaptive-beans-1.2.3.jar 
-rw-r- 1 root root 40832 Nov 27 11:40 ldaptive-unboundid-1.2.3.jar 
-rw-r- 1 root root 1991909 Aug 13 01:08 unboundid-ldapsdk-3.2.1.jar 
[root@devcas5 lib]# 

My error is this - 
2018-02-07 15:28:16,450 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 -  
2018-02-07 15:28:16,450 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 -  
2018-02-07 15:28:16,451 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 -  
2018-02-07 15:28:16,451 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 -  
2018-02-07 15:28:16,451 DEBUG 
[org.apereo.cas.authentication.AcceptUsersAuthenticationHandler] - 
<[ccheltenham-ext] was not found in the map.> 
2018-02-07 15:28:16,452 DEBUG 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
<[AcceptUsersAuthenticationHandler] exception details: [ccheltenham-ext not 
found in backing map.].> 
2018-02-07 15:28:16,452 ERROR 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
 


=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


From: "David Curry" < david.cu...@newschool.edu > 
To: "cas-user" < cas-user@apereo.org > 
Sent: Thursday, February 8, 2018 7:54:21 AM 
Subject: Re: [cas-user] CAS 5.2.x 


$ jar tvf cas.war | grep ldap 
WEB-INF/lib/cas-server-support-ldap-5.2.2.jar 
WEB-INF/lib/cas-server-support-ldap-core-5.2.2.jar 
WEB-INF/lib/ldaptive-1.2.3.jar 
WEB-INF/lib/ldaptive-beans-1.2.3.jar 
WEB-INF/lib/ldaptive-unboundid-1.2.3.jar 
WEB-INF/lib/unboundid-ldapsdk-4.0.1.jar 
WEB-INF/lib/ldaptive-apache-1.2.3.jar 
WEB-INF/lib/unboundid-ldapsdk-3.2.1.jar 
$ 

The cas-server-support-ldap-5.2.2.jar is the one you're looking for. 

--Dave 




-- 


DAVID A. CURRY, CISSP 
DIRECTOR OF INFORMATION SECURITY 
INFORMATION TECHNOLOGY 

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 
+1 212 229-5300 x4728 • david.cu...@newschool.edu 




On Thu, Feb 8, 2018 at 7:27 AM, Cheltenham, Chris < ccheltenham-...@phila

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
David, 

I have the following jars. 
Is this sufficient for ldap support? 

[root@devcas5 lib]# pwd 
/opt/tcat/webapps/cas/WEB-INF/lib 
[root@devcas5 lib]# ll | grep ldap 
-rw-r- 1 root root 35536 Jan 26 13:26 
cas-server-support-ldap-core-5.2.2.jar 
-rw-r- 1 root root 802456 Nov 27 11:40 ldaptive-1.2.3.jar 
-rw-r- 1 root root 37195 Nov 27 11:40 ldaptive-apache-1.2.3.jar 
-rw-r- 1 root root 100050 Nov 27 11:40 ldaptive-beans-1.2.3.jar 
-rw-r- 1 root root 40832 Nov 27 11:40 ldaptive-unboundid-1.2.3.jar 
-rw-r- 1 root root 1991909 Aug 13 01:08 unboundid-ldapsdk-3.2.1.jar 
[root@devcas5 lib]# 

My error is this - 
2018-02-07 15:28:16,450 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 -  
2018-02-07 15:28:16,450 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 -  
2018-02-07 15:28:16,451 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 -  
2018-02-07 15:28:16,451 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 -  
2018-02-07 15:28:16,451 DEBUG 
[org.apereo.cas.authentication.AcceptUsersAuthenticationHandler] - 
<[ccheltenham-ext] was not found in the map.> 
2018-02-07 15:28:16,452 DEBUG 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
<[AcceptUsersAuthenticationHandler] exception details: [ccheltenham-ext not 
found in backing map.].> 
2018-02-07 15:28:16,452 ERROR 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
 


=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


From: "David Curry"  
To: "cas-user"  
Sent: Thursday, February 8, 2018 7:54:21 AM 
Subject: Re: [cas-user] CAS 5.2.x 


$ jar tvf cas.war | grep ldap 
WEB-INF/lib/cas-server-support-ldap-5.2.2.jar 
WEB-INF/lib/cas-server-support-ldap-core-5.2.2.jar 
WEB-INF/lib/ldaptive-1.2.3.jar 
WEB-INF/lib/ldaptive-beans-1.2.3.jar 
WEB-INF/lib/ldaptive-unboundid-1.2.3.jar 
WEB-INF/lib/unboundid-ldapsdk-4.0.1.jar 
WEB-INF/lib/ldaptive-apache-1.2.3.jar 
WEB-INF/lib/unboundid-ldapsdk-3.2.1.jar 
$ 

The cas-server-support-ldap-5.2.2.jar is the one you're looking for. 

--Dave 




-- 


DAVID A. CURRY, CISSP 
DIRECTOR OF INFORMATION SECURITY 
INFORMATION TECHNOLOGY 

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 
+1 212 229-5300 x4728 • david.cu...@newschool.edu 




On Thu, Feb 8, 2018 at 7:27 AM, Cheltenham, Chris < ccheltenham-...@philasd.org 
> wrote: 



Hello folks, 

I think I have been confusing everyone with too much incongruent information. 

If I may I will ask things in a more logical manner. 

I am still not able to connect with CAS 5 via LDAP. 

My first question is, how do I know the ldap dependency was built into the 
cas.war file? 







=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 



-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/642964186.44524329.1518102001703.JavaMail.zimbra%40philasd.org.
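
The check discussed in this message, as an added example that is not part of any list post: `grep ldap` also matches `cas-server-support-ldap-core`, so this filter looks only for the `cas-server-support-ldap-<version>.jar` module itself. The function names are hypothetical; the three listings are copied from the thread (wrapped lines rejoined).

```shell
#!/bin/sh
# Added example: decide from a jar/ls listing whether the CAS LDAP
# authentication module is packaged, as opposed to only its -core helper
# and the ldaptive/unboundid libraries.
# Real use (assumes a JDK on PATH):  jar tf cas.war | check_ldap_module

# David's build with cas-server-support-ldap declared in pom.xml (from the thread).
LISTING_WITH='WEB-INF/lib/cas-server-support-ldap-5.2.2.jar
WEB-INF/lib/cas-server-support-ldap-core-5.2.2.jar
WEB-INF/lib/ldaptive-1.2.3.jar
WEB-INF/lib/ldaptive-beans-1.2.3.jar
WEB-INF/lib/ldaptive-unboundid-1.2.3.jar
WEB-INF/lib/unboundid-ldapsdk-4.0.1.jar
WEB-INF/lib/ldaptive-apache-1.2.3.jar
WEB-INF/lib/unboundid-ldapsdk-3.2.1.jar'

# David's build with that dependency removed (from the thread).
LISTING_WITHOUT='WEB-INF/lib/cas-server-support-ldap-core-5.2.2.jar
WEB-INF/lib/ldaptive-apache-1.2.3.jar
WEB-INF/lib/ldaptive-beans-1.2.3.jar
WEB-INF/lib/ldaptive-unboundid-1.2.3.jar
WEB-INF/lib/ldaptive-1.2.3.jar
WEB-INF/lib/unboundid-ldapsdk-3.2.1.jar'

# Chris's deployed WEB-INF/lib as shown by "ll | grep ldap" (from the thread).
LISTING_DEPLOYED='-rw-r- 1 root root 35536 Jan 26 13:26 cas-server-support-ldap-core-5.2.2.jar
-rw-r- 1 root root 802456 Nov 27 11:40 ldaptive-1.2.3.jar
-rw-r- 1 root root 37195 Nov 27 11:40 ldaptive-apache-1.2.3.jar
-rw-r- 1 root root 100050 Nov 27 11:40 ldaptive-beans-1.2.3.jar
-rw-r- 1 root root 40832 Nov 27 11:40 ldaptive-unboundid-1.2.3.jar
-rw-r- 1 root root 1991909 Aug 13 01:08 unboundid-ldapsdk-3.2.1.jar'

# ldap_module_versions: read a listing on stdin ("jar tf", "jar tvf" or
# "ls -l" style) and print the version of every cas-server-support-ldap jar.
# The version must start with a digit, which excludes "-ldap-core-<version>".
ldap_module_versions() {
    sed -nE 's#^(.*[/[:space:]])?cas-server-support-ldap-([0-9][0-9A-Za-z.-]*)\.jar[[:space:]]*$#\2#p'
}

# check_ldap_module: print a verdict for the listing on stdin.
# Returns 0 when the module jar is present, 1 when it is missing.
check_ldap_module() {
    versions=$(ldap_module_versions)
    if [ -z "$versions" ]; then
        echo "MISSING: no cas-server-support-ldap-<version>.jar in listing"
        return 1
    fi
    echo "OK: cas-server-support-ldap $versions"
}

# Run the check over the three listings from the thread.
for name in WITH WITHOUT DEPLOYED; do
    eval "listing=\$LISTING_$name"
    printf '%-9s ' "$name"
    printf '%s\n' "$listing" | check_ldap_module || true
done
```
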


Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris

David, 

Thank You !! 


=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 


From: "David Curry"  
To: "cas-user"  
Sent: Thursday, February 8, 2018 7:54:21 AM 
Subject: Re: [cas-user] CAS 5.2.x 


$ jar tvf cas.war | grep ldap 
WEB-INF/lib/cas-server-support-ldap-5.2.2.jar 
WEB-INF/lib/cas-server-support-ldap-core-5.2.2.jar 
WEB-INF/lib/ldaptive-1.2.3.jar 
WEB-INF/lib/ldaptive-beans-1.2.3.jar 
WEB-INF/lib/ldaptive-unboundid-1.2.3.jar 
WEB-INF/lib/unboundid-ldapsdk-4.0.1.jar 
WEB-INF/lib/ldaptive-apache-1.2.3.jar 
WEB-INF/lib/unboundid-ldapsdk-3.2.1.jar 
$ 

The cas-server-support-ldap-5.2.2.jar is the one you're looking for. 

--Dave 




-- 


DAVID A. CURRY, CISSP 
DIRECTOR OF INFORMATION SECURITY 
INFORMATION TECHNOLOGY 

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 
+1 212 229-5300 x4728 • david.cu...@newschool.edu 




On Thu, Feb 8, 2018 at 7:27 AM, Cheltenham, Chris < ccheltenham-...@philasd.org 
> wrote: 



Hello folks, 

I think I have been confusing everyone with too much incongruent information. 

If I may I will ask things in a more logical manner. 

I am still not able to connect with CAS 5 via LDAP. 

My first question is, how do I know the ldap dependency was built into the 
cas.war file? 







=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 



-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7875795.44497543.1518095082367.JavaMail.zimbra%40philasd.org.


[cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
Hello folks, 

I think I have been confusing everyone with too much incongruent information. 

If I may I will ask things in a more logical manner. 

I am still not able to connect with CAS 5 via LDAP. 

My first question is, how do I know the ldap dependency was built into the 
cas.war file? 







=== 

Thank You; 

Chris Cheltenham 
Technology Services 
The School District of Philadelphia 

Work # 215-400-5025 
Cell # 215-301-6571 

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/341032203.44492473.1518092860963.JavaMail.zimbra%40philasd.org.


RE: [cas-user] ldap error cas 5.2

2018-02-07 Thread Cheltenham, Chris
 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 
 - 

2018-02-07 15:28:16,450 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 
 - 

2018-02-07 15:28:16,451 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 
 - 

2018-02-07 15:28:16,451 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 
 - 

2018-02-07 15:28:16,451 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 
 - 

2018-02-07 15:28:16,451 DEBUG 
[org.apereo.cas.authentication.AcceptUsersAuthenticationHandler] - 
<[ccheltenham-ext] was not found in the map.>

2018-02-07 15:28:16,452 DEBUG 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
<[AcceptUsersAuthenticationHandler] exception details: [ccheltenham-ext not 
found in backing map.].>

2018-02-07 15:28:16,457 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
 
 - <1 errors, 0 successes>

2018-02-07 15:28:16,457 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 


2018-02-07 15:28:16,457 DEBUG 
[org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] - 


2018-02-07 15:28:16,458 DEBUG 
[org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] - 


2018-02-07 15:28:16,479 DEBUG 
[org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] - 


2018-02-07 15:28:16,479 DEBUG 
[org.apereo.cas.web.flow.InitializeLoginAction] - 

2018-02-07 15:28:16,482 DEBUG 
[org.apereo.cas.services.web.ChainingThemeResolver] - 

2018-02-07 15:28:16,482 DEBUG 
[org.apereo.cas.services.web.ChainingThemeResolver] - 

2018-02-07 15:28:16,482 DEBUG 
[org.apereo.cas.services.web.ChainingThemeResolver] - 

2018-02-07 15:28:16,482 DEBUG 
[org.apereo.cas.services.web.ChainingThemeResolver] - 

2018-02-07 15:28:16,482 DEBUG 
[org.apereo.cas.services.web.ServiceThemeResolver] - 

2018-02-07 15:28:16,482 DEBUG 
[org.apereo.cas.services.web.ChainingThemeResolver] - 

2018-02-07 15:28:16,482 DEBUG 
[org.apereo.cas.services.web.ChainingThemeResolver] - 

2018-02-07 15:28:16,511 DEBUG 
[org.apereo.cas.services.web.ChainingThemeResolver] - 

2018-02-07 15:28:16,511 DEBUG 
[org.apereo.cas.services.web.ChainingThemeResolver] - 

2018-02-07 15:28:16,511 DEBUG 
[org.apereo.cas.services.web.ChainingThemeResolver] - 

2018-02-07 15:28:16,511 DEBUG 
[org.apereo.cas.services.web.ChainingThemeResolver] - 

2018-02-07 15:28:16,511 DEBUG 
[org.apereo.cas.services.web.ServiceThemeResolver] - 

2018-02-07 15:28:16,511 DEBUG 
[org.apereo.cas.services.web.ChainingThemeResolver] - 

2018-02-07 15:28:16,511 DEBUG 
[org.apereo.cas.services.web.ChainingThemeResolver] - 

[root@devcas5 logs]# cat catalina.out | grep -i error

2018-02-07 15:26:24,308 INFO 
[org.springframework.boot.web.servlet.FilterRegistrationBean] - 

2018-02-07 15:26:30,644 INFO 
[org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping]
 
 - 

2018-02-07 15:26:30,646 INFO 
[org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping]
 
 - > 
org.springframework.boot.autoconfigure.web.BasicErrorController.error(javax.servlet.http.HttpServletRequest)>

2018-02-07 15:27:33,591 INFO 
[org.springframework.web.socket.config.WebSocketMessageBrokerStats] - 


2018-02-07 15:28:16,452 ERROR 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 


2018-02-07 15:28:16,457 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
 
 - <1 errors, 0 successes>

org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 successes

at 
org.springframework.boot.web.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:115)
 
~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]

at 
org.springframework.boot.web.support.ErrorPageFilter.access$000(ErrorPageFilter.java:59)
 
~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]

at 
org.springframework.boot.web.support.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:90)
 
~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]

at 
org.springframework.boot.web.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:108)
 
~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]

at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) 
~[catalina.jar:8.5.23]

2018-02-07 15:28:16,458 DEBUG 
[org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] - 


2018-02-07 15:28:16,479 DEBUG 
[org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] - 


[root@devcas5 logs]#



===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Man H
Sent: Wednesda

RE: [cas-user] ldap error cas 5.2

2018-02-07 Thread Cheltenham, Chris
Man,



I may have found the issue.

I cannot connect to LDAP servers via 636 but I can 389.

Therefore, I am looking into importing the certs in the proper places.

Hopefully that is my issue.



But thanks for your help

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Man H
Sent: Wednesday, February 7, 2018 10:49 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] ldap error cas 5.2



# Control log levels via properties
logging.level.org.apereo.cas=debug

In cas startup you can see where properties are fetched from log like this.

  \_\   /_/

CAS Version: 5.2.2
CAS Commit Id: eefb26e6ea0f3f0505ea7dcfc7e11c4ebcb44b7d
CAS Build Date/Time: 2018-01-31T19:13:42Z
Spring Boot Version: 1.5.8.RELEASE

Java Home: /usr/local/jdk1.8.0_152/jre
Java Vendor: Oracle Corporation
Java Version: 1.8.0_152
JVM Free Memory: 560 MB
JVM Maximum Memory: 1 GB
JVM Total Memory: 928 MB
JCE Installed: No

OS Architecture: amd64
OS Name: Linux
OS Version: 4.13.0-32-generic
OS Date/Time: 2018-02-07T12:30:44.726
OS Temp Directory: /usr/local/apache-tomcat-8.5.23-cas5/temp



2018-02-07 12:30:44,791 INFO 
[org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] 
 - 
2018-02-07 12:30:44,825 INFO 
[org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] 
 - 
2018-02-07 12:30:44,826 INFO 
[org.springframework.cloud.bootstrap.config.PropertySourceBootstrapConfiguration]
 
 - 
2018-02-07 12:30:44,920 INFO 
[org.apereo.cas.web.CasWebApplicationServletInitializer] - 



2018-02-07 12:14 GMT-03:00 Cheltenham, Chris <ccheltenham-...@philasd.org>:

Man,



Let me be a bit clearer.



How do I know the ldap dependency was incorporated into the cas.war file 
during after the build?





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of 
Cheltenham, Chris
Sent: Wednesday, February 7, 2018 10:13 AM
To: cas-user@apereo.org
Subject: RE: [cas-user] ldap error cas 5.2



Man,



The question you asked is actually not clear to me.

How do I know the ldap support was loaded during the build.



It IS in the pom.xml but how can I verify it's in there?





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Man H
Sent: Tuesday, February 6, 2018 4:55 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] ldap error cas 5.2



Do you have ldap support dependency?



2018-02-06 15:45 GMT-03:00 Cheltenham, Chris <ccheltenham-...@philasd.org>:



Hello,



I am getting this error in my logs logging in via LDAP.



2018-02-06 13:40:52,503 ERROR 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 


2018-02-06 13:40:52,504 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - http://devldapm-mgmt.philasd.net>

cas.authn.ldap[0].dnFormat=

cas.authn.ldap[0].baseDn=dc=philasd,dc=org

cas.authn.ldap[0].connectTimeout=5000

cas.authn.ldap[0].principalAttributeId=casauth

cas.authn.ldap[0].principalAttributePassword=xx

cas.authn.ldap[0].minPoolSize=3

cas.authn.ldap[0].maxPoolSize=10

cas.authn.ldap[0].validateOnCheckout=true

cas.authn.ldap[0].validatePeriodically=true

cas.authn.ldap[0].validatePeriod=600

cas.authn.ldap[0].failFast=true

cas.authn.ldap[0].idleTime=5000

cas.authn.ldap[0].prunePeriod=5000

cas.authn.ldap[0].blockWaitTime=5000







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


RE: [cas-user] ldap error cas 5.2

2018-02-07 Thread Cheltenham, Chris
Man,



Let me be a bit clearer.



How do I know the ldap dependency was incorporated into the cas.war file 
during after the build?





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of 
Cheltenham, Chris
Sent: Wednesday, February 7, 2018 10:13 AM
To: cas-user@apereo.org
Subject: RE: [cas-user] ldap error cas 5.2



Man,



The question you asked is actually not clear to me.

How do I know the ldap support was loaded during the build.



It IS in the pom.xml but how can I verify it's in there?





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Man H
Sent: Tuesday, February 6, 2018 4:55 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] ldap error cas 5.2



Do you have ldap support dependency?



2018-02-06 15:45 GMT-03:00 Cheltenham, Chris <ccheltenham-...@philasd.org>:



Hello,



I am getting this error in my logs logging in via LDAP.



2018-02-06 13:40:52,503 ERROR 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 


2018-02-06 13:40:52,504 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 





RE: [cas-user] ldap error cas 5.2

2018-02-07 Thread Cheltenham, Chris
Man,



The question you asked is actually not clear to me.

How do I know the ldap support was loaded during the build?



It IS in the pom.xml but how can I verify it's in there?





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Man H
Sent: Tuesday, February 6, 2018 4:55 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] ldap error cas 5.2



Do you have ldap support dependency?



2018-02-06 15:45 GMT-03:00 Cheltenham, Chris <ccheltenham-...@philasd.org>:



Hello,



I am getting this error in my logs logging in via LDAP.



2018-02-06 13:40:52,503 ERROR 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 


2018-02-06 13:40:52,504 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - http://devldapm-mgmt.philasd.net>

cas.authn.ldap[0].dnFormat=

cas.authn.ldap[0].baseDn=dc=philasd,dc=org

cas.authn.ldap[0].connectTimeout=5000

cas.authn.ldap[0].principalAttributeId=casauth

cas.authn.ldap[0].principalAttributePassword=xx

cas.authn.ldap[0].minPoolSize=3

cas.authn.ldap[0].maxPoolSize=10

cas.authn.ldap[0].validateOnCheckout=true

cas.authn.ldap[0].validatePeriodically=true

cas.authn.ldap[0].validatePeriod=600

cas.authn.ldap[0].failFast=true

cas.authn.ldap[0].idleTime=5000

cas.authn.ldap[0].prunePeriod=5000

cas.authn.ldap[0].blockWaitTime=5000







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571



RE: [cas-user] ldap error cas 5.2

2018-02-07 Thread Cheltenham, Chris


Does this help?



[root@devcas5 logs]# cat catalina.out | grep -i debug | grep -i ccheltenham

2018-02-07 09:50:32,421 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 
 - 

2018-02-07 09:50:32,422 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 
 - 

2018-02-07 09:50:32,423 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 
 - 

2018-02-07 09:50:32,423 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 
 - 

2018-02-07 09:50:32,424 DEBUG 
[org.apereo.cas.authentication.AcceptUsersAuthenticationHandler] - 
<[ccheltenham-ext] was not found in the map.>

2018-02-07 09:50:32,424 DEBUG 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
<[AcceptUsersAuthenticationHandler] exception details: [ccheltenham-ext not 
found in backing map.].>

2018-02-07 09:50:35,202 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 
 - 

2018-02-07 09:50:35,202 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 
 - 

2018-02-07 09:50:35,203 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 
 - 

2018-02-07 09:50:35,203 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 
 - 

2018-02-07 09:50:35,203 DEBUG 
[org.apereo.cas.authentication.AcceptUsersAuthenticationHandler] - 
<[ccheltenham-ext] was not found in the map.>

2018-02-07 09:50:35,212 DEBUG 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
<[AcceptUsersAuthenticationHandler] exception details: [ccheltenham-ext not 
found in backing map.].>

2018-02-07 09:50:36,391 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 
 - 

2018-02-07 09:50:36,391 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 
 - 

2018-02-07 09:50:36,392 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 
 - 

2018-02-07 09:50:36,392 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 
 - 

2018-02-07 09:50:36,392 DEBUG 
[org.apereo.cas.authentication.AcceptUsersAuthenticationHandler] - 
<[ccheltenham-ext] was not found in the map.>

2018-02-07 09:50:36,393 DEBUG 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
<[AcceptUsersAuthenticationHandler] exception details: [ccheltenham-ext not 
found in backing map.].>

[root@devcas5 logs]#





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Man H
Sent: Wednesday, February 7, 2018 8:32 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] ldap error cas 5.2



Could you attach start up log with debug set

On Wednesday, February 7, 2018, Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:

Yes I do.



===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Man H
Sent: Tuesday, February 6, 2018 4:55 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] ldap error cas 5.2



Do you have ldap support dependency?



2018-02-06 15:45 GMT-03:00 Cheltenham, Chris <ccheltenham-...@philasd.org>:



Hello,



I am getting this error in my logs logging in via LDAP.



2018-02-06 13:40:52,503 ERROR 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 


2018-02-06 13:40:52,504 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - http://devldapm-mgmt.philasd.net>

cas.authn.ldap[0].dnFormat=

cas.authn.ldap[0].baseDn=dc=philasd,dc=org

cas.authn.ldap[0].connectTimeout=5000

cas.authn.ldap[0].principalAttributeId=casauth

cas.authn.ldap[0].principalAttributePassword=xx

cas.authn.ldap[0].minPoolSize=3

cas.authn.ldap[0].maxPoolSize=10

cas.authn.ldap[0].validateOnCheckout=true

cas.authn.ldap[0].validatePeriodically=true

cas.authn.ldap[0].validatePeriod=600

cas.authn.ldap[0].failFast=true

cas.authn.ldap[0].idleTime=5000

cas.authn.ldap[0].prunePeriod=5000

cas.authn.ldap[0].blockWaitTime=5000







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


RE: [cas-user] ldap error cas 5.2

2018-02-07 Thread Cheltenham, Chris
Man,



First I would like to thank you for taking the time to help.



How do I set the logs in debug mode?

Do I globally change info to debug in the log4j2.xml?





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Man H
Sent: Wednesday, February 7, 2018 8:32 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] ldap error cas 5.2



Could you attach start up log with debug set

On Wednesday, February 7, 2018, Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:

Yes I do.



===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Man H
Sent: Tuesday, February 6, 2018 4:55 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] ldap error cas 5.2



Do you have ldap support dependency?



2018-02-06 15:45 GMT-03:00 Cheltenham, Chris <ccheltenham-...@philasd.org>:



Hello,



I am getting this error in my logs logging in via LDAP.



2018-02-06 13:40:52,503 ERROR 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 


2018-02-06 13:40:52,504 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - http://devldapm-mgmt.philasd.net>

cas.authn.ldap[0].dnFormat=

cas.authn.ldap[0].baseDn=dc=philasd,dc=org

cas.authn.ldap[0].connectTimeout=5000

cas.authn.ldap[0].principalAttributeId=casauth

cas.authn.ldap[0].principalAttributePassword=xx

cas.authn.ldap[0].minPoolSize=3

cas.authn.ldap[0].maxPoolSize=10

cas.authn.ldap[0].validateOnCheckout=true

cas.authn.ldap[0].validatePeriodically=true

cas.authn.ldap[0].validatePeriod=600

cas.authn.ldap[0].failFast=true

cas.authn.ldap[0].idleTime=5000

cas.authn.ldap[0].prunePeriod=5000

cas.authn.ldap[0].blockWaitTime=5000







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


RE: [cas-user] ldap error cas 5.2

2018-02-07 Thread Cheltenham, Chris
Yes I do.



===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Man H
Sent: Tuesday, February 6, 2018 4:55 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] ldap error cas 5.2



Do you have ldap support dependency?



2018-02-06 15:45 GMT-03:00 Cheltenham, Chris <ccheltenham-...@philasd.org>:



Hello,



I am getting this error in my logs logging in via LDAP.



2018-02-06 13:40:52,503 ERROR 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 


2018-02-06 13:40:52,504 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - http://devldapm-mgmt.philasd.net>

cas.authn.ldap[0].dnFormat=

cas.authn.ldap[0].baseDn=dc=philasd,dc=org

cas.authn.ldap[0].connectTimeout=5000

cas.authn.ldap[0].principalAttributeId=casauth

cas.authn.ldap[0].principalAttributePassword=xx

cas.authn.ldap[0].minPoolSize=3

cas.authn.ldap[0].maxPoolSize=10

cas.authn.ldap[0].validateOnCheckout=true

cas.authn.ldap[0].validatePeriodically=true

cas.authn.ldap[0].validatePeriod=600

cas.authn.ldap[0].failFast=true

cas.authn.ldap[0].idleTime=5000

cas.authn.ldap[0].prunePeriod=5000

cas.authn.ldap[0].blockWaitTime=5000







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571



[cas-user] ldap error cas 5.2

2018-02-06 Thread Cheltenham, Chris


Hello,

 

I am getting this error in my logs logging in via LDAP.

 

2018-02-06 13:40:52,503 ERROR
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -


2018-02-06 13:40:52,504 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 


RE: [cas-user] CAS 5.2.x

2018-02-05 Thread Cheltenham, Chris
David,



I am using gradle because Unicon told me it is the preferred build tool.

Our management wants me to use what Unicon suggests because we pay for their 
support.

However I realize they support both.

In actuality I want to know how to build with either in case one is 
problematic.



I appreciate your help and I will read your overlay tomorrow.







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David 
Curry
Sent: Monday, February 5, 2018 1:57 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS 5.2.x



Chris,



Are you using the Gradle overlay because you need to, or because you don't 
know which one to use? IMHO, unless you're going to be building CAS from 
source, the Maven overlay is easier to work with if you're not familiar with 
either tool.



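If you use the Maven overlay 
(https://github.com/apereo/cas-overlay-template), then you'd add the 
<dependency> lines Man provided to the <dependencies> section of pom.xml 
(around line 69) so that you end up with something like this:

<dependencies>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-webapp${app.server}</artifactId>
        <version>${cas.version}</version>
        <type>war</type>
        <scope>runtime</scope>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-json-service-registry</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-ldap</artifactId>
        <version>${cas.version}</version>
    </dependency>
</dependencies>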



Then re-build the WAR file with



./mvnw clean package



If you're not a developer (I'm not a Java developer either), you might find 
the documentation I've been assembling helpful. It's not official, and it's 
certainly not the only way to do things, but it's one step at a time and 
full of examples...



https://dacurry-tns.github.io/deploying-apereo-cas/introduction_overview.html



--Dave








--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu



On Mon, Feb 5, 2018 at 1:40 PM, Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:

Man,



Are you saying the dependency goes into build.gradle?



See the problem with CAS documentation, if you are not a developer, you don’t 
know what anyone is talking about.

So I apologize if I am asking rudimentary questions.





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Man H
Sent: Monday, February 5, 2018 1:38 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS 5.2.x



see https://github.com/apereo/cas-gradle-overlay-template



CAS modules may be specified under the dependencies block of the CAS 
subproject 
<https://github.com/apereo/cas-gradle-overlay-template/blob/master/cas/build.gradle>:

dependencies {
    compile "org.apereo.cas:cas-server-webapp-tomcat:${project.'cas.version'}@war"
    compile "org.apereo.cas:cas-server-some-module:${project.'cas.version'}"
    ...
}





2018-02-05 15:31 GMT-03:00 Cheltenham, Chris <ccheltenham-...@philasd.org>:

Thanks I get that.



But to what and where.



I am in the cas-gradle-overlay-template-master

There’s no pom.xml in the git repo I cloned.







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Man H
Sent: Monday, February 5, 2018 1:21 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS 5.2.x



just add

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
</dependency>




2018-02-05 15:14 GMT-03:00 Chris Cheltenham <ccheltenham-...@philasd.org>:

Hello,

I am not understanding how to bundle the LDAP authentication handler into 
the cas.war file.

Any suggestions?


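To confirm that the rebuild described above actually bundled the LDAP module, the WAR can be inspected directly. The following is an added example, not code from the thread or from the CAS project: the function names are hypothetical, the sample jar names and version numbers are constructed, and it assumes the overlay places module jars under WEB-INF/lib as <artifactId>-<version>.jar.

```python
import io
import re
import sys
import zipfile

# Jars inside a WAR are stored as WEB-INF/lib/<artifactId>-<version>.jar
# (assumed naming; the version is taken to start at the first "-<digit>").
JAR_RE = re.compile(r"^WEB-INF/lib/(?P<artifact>[^/]+?)-(?P<version>\d[^/]*)\.jar$")


def bundled_jars(war):
    """Map artifactId -> version for every jar under WEB-INF/lib.

    `war` is a filesystem path or a binary file-like object.
    """
    found = {}
    with zipfile.ZipFile(war) as zf:
        for name in zf.namelist():
            match = JAR_RE.match(name)
            if match:
                found[match.group("artifact")] = match.group("version")
    return found


def check_cas_modules(war, required=("cas-server-support-ldap",)):
    """Report whether the required CAS modules made it into the WAR."""
    jars = bundled_jars(war)
    cas = {a: v for a, v in jars.items() if a.startswith("cas-server-")}
    versions = sorted(set(cas.values()))
    return {
        # Modules listed in pom.xml / build.gradle but absent from the archive.
        "missing": [m for m in required if m not in cas],
        "cas_versions": versions,
        # CAS jars from more than one release indicate a mixed build.
        "version_mismatch": len(versions) > 1,
        # CAS's LDAP support relies on the ldaptive client library
        # (assumed jar name: ldaptive-<version>.jar).
        "ldap_client_present": "ldaptive" in jars,
    }


def constructed_war(jar_names):
    """Build an in-memory WAR (constructed sample data) holding empty jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        for jar in jar_names:
            zf.writestr("WEB-INF/lib/" + jar, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]  # path to the cas.war produced by the build
    else:
        # Constructed demo: a WAR that was built without the LDAP module.
        target = constructed_war([
            "cas-server-core-5.2.2.jar",
            "cas-server-support-json-service-registry-5.2.2.jar",
        ])
    report = check_cas_modules(target)
    for key, value in report.items():
        print(f"{key}: {value}")
    sys.exit(1 if report["missing"] else 0)
```

Run it with the path to the built cas.war as the only argument; a non-zero exit status means a required module is not in the archive.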

RE: [cas-user] CAS 5.2.x

2018-02-05 Thread Cheltenham, Chris
Man,



Are you saying the dependency goes into build.gradle?



See the problem with CAS documentation, if you are not a developer, you don’t 
know what anyone is talking about.

So I apologize if I am asking rudimentary questions.





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Man H
Sent: Monday, February 5, 2018 1:38 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS 5.2.x



see https://github.com/apereo/cas-gradle-overlay-template



CAS modules may be specified under the dependencies block of the CAS 
subproject 
<https://github.com/apereo/cas-gradle-overlay-template/blob/master/cas/build.gradle>:

dependencies {
    compile "org.apereo.cas:cas-server-webapp-tomcat:${project.'cas.version'}@war"
    compile "org.apereo.cas:cas-server-some-module:${project.'cas.version'}"
    ...
}





2018-02-05 15:31 GMT-03:00 Cheltenham, Chris <ccheltenham-...@philasd.org>:

Thanks I get that.



But to what and where.



I am in the cas-gradle-overlay-template-master

There’s no pom.xml in the git repo I cloned.







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Man H
Sent: Monday, February 5, 2018 1:21 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS 5.2.x



just add

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
</dependency>




2018-02-05 15:14 GMT-03:00 Chris Cheltenham <ccheltenham-...@philasd.org>:

Hello,

I am not understanding how to bundle the LDAP authentication handler into 
the cas.war file.

Any suggestions?

