Re: [cas-user] mod_auth_cas environment variables not accessible

2021-10-30 Thread David Hawes
The CAS attributes are stored as request headers and won't be
available in the apache environment.

You'd have to store them as apache environment variables to be able to
get at them with RequestHeader (I think). Something like this should
work for you:

diff --git a/src/mod_auth_cas.c b/src/mod_auth_cas.c
index 1791110..f2361ce 100644
--- a/src/mod_auth_cas.c
+++ b/src/mod_auth_cas.c
@@ -2146,6 +2146,7 @@ static void set_http_headers(request_rec *r,
cas_cfg *c, cas_dir_cfg *d, cas_sam
av = av->next;
}
apr_table_set(r->headers_in,
apr_psprintf(r->pool, "%s%s", c->CASAttributePrefix,
normalizeHeaderName(r, a->attr)), csvs);
+   apr_table_set(r->subprocess_env,
apr_psprintf(r->pool, "%s%s", c->CASAttributePrefix,
normalizeHeaderName(r, a->attr)), csvs);
a = a->next;
}
}
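
Review bot: The added apr_table_set on r->subprocess_env rebuilds the key with a second, identical apr_psprintf(r->pool, "%s%s", c->CASAttributePrefix, normalizeHeaderName(r, a->attr)) call; build the name once into a local and pass it to both apr_table_set calls so the header name and the environment name cannot drift apart. The environment name is the prefix plus the normalized attribute name exactly as built here, so a RequestHeader expression would have to reference that name with the e specifier, not the HTTP_-prefixed key shown in the PHP dump. Because this copies every released attribute into the subprocess environment, a short comment stating that intent would help the next reader.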

On Fri, 29 Oct 2021 at 15:59, Brian Keifer  wrote:
>
> I've got an application that has one field for "Full Name" but our 
> environment only releases GivenName and Surname.  I thought it would be 
> trivial to use something like mod_headers or mod_rewrite to concatenate these 
> two fields together, but it's proving more of a challenge than I expected.
>
> I used a PHP script in my application's directory to verify that the 
> variables were set by calling print_r($_SERVER); and get, among others, the 
> following variables displayed:
>
> [HTTP_CAS_SURNAME] => Keifer
> [HTTP_CAS_GIVENNAME] => Brian
>
> If I try to combine these using:
>
> RequestHeader set MyHeader "%{HTTP_CAS_GIVENNAME}e %{HTTP_CAS_SURNAME}e"
>
> I end up with this:
>
> [HTTP_MYHEADER] => (null) (null)
>
> I've tried this using mod_rewrite as well.  I used REMOTE_ADDR just to prove 
> to myself that I could at least access some variables.
>
> RewriteRule .* - [E=GIVENNAME:%{LA-U:REMOTE_ADDR}]
> RewriteRule .* - [E=SURNAME:%{LA-U:HTTP_CAS_SURNAME}]
>
> produces this:
>
> [SURNAME] =>
> [GIVENNAME] => 10.2.12.142
>
> Interestingly, using mod_headers in a similar fashion with one CAS variable 
> and REMOTE_ADDR behaves differently.  This:
>
> RequestHeader set GIVENNAME1 "%{HTTP_CAS_GIVENNAME}e"
> RequestHeader set SURNAME1 "%{REMOTE_ADDR}e"
>
> Produces:
>
> [HTTP_SURNAME1] => (null)
> [HTTP_GIVENNAME1] => (null)
>
> Can anyone shed some light on this?  Why can't I get at these variables?
>
> Thanks,
>
> -Brian
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups 
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit 
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/1483014e-e004-4c68-bf22-46ec44fa9070n%40apereo.org.



Re: [cas-user] mod_auth_cas doesn't set AUTH_TYPE in script environment?

2021-04-21 Thread David Hawes
On Fri, 16 Apr 2021 at 16:48, Mark H. Wood  wrote:
>
> I'm tinkering with some test CGI scripts to prepare for a real
> project, and I noticed that a script protected by CAS doesn't get a
> value for AUTH_TYPE in its environment, whereas a similar location
> protected by one of the AuthType Basic does.  Am I doing something
> wrong?

No, mod_auth_cas simply does not set ap_auth_type. Does this cause you
any issue?

The attached patch against git master will set it if you'd like it to be set.

diff --git a/src/mod_auth_cas.c b/src/mod_auth_cas.c
index 1791110..910cbe1 100644
--- a/src/mod_auth_cas.c
+++ b/src/mod_auth_cas.c
@@ -2196,6 +2196,7 @@ int cas_authenticate(request_rec *r)
 	if(c->CASPreserveTicket && (ticket != NULL) && (cookieString != NULL) && ap_is_initial_req(r) && isValidCASCookie(r, c, cookieString, , ) && (remoteUser != NULL)) {
 		cas_set_attributes(r, attrs);
 		r->user = remoteUser;
+		r->ap_auth_type = (char * ) "CAS";
 		set_http_headers(r, c, d, attrs);
 		if (c->CASDebug)
 			ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Passing sub-auth response through with ticket parameter intact");
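Review bot: In the CASPreserveTicket branch the new line assigns (char * ) "CAS", which casts away const from a string literal and uses odd spacing inside the cast. The same literal is repeated in the other two hunks, so define it once under a single name and assign that at all three sites, which also keeps the value consistent if it ever changes.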
@@ -2243,6 +2244,7 @@ int cas_authenticate(request_rec *r)
 setCASCookie(r, d->CASGatewayCookie, "TRUE", ssl, CAS_SESSION_EXPIRE_COOKIE_NOW, c->CASGatewayCookieDomain, c->CASCookieSameSite);
 			}
 			r->user = remoteUser;
+			r->ap_auth_type = (char * ) "CAS";
 			if(d->CASAuthNHeader != NULL)
 apr_table_set(r->headers_in, d->CASAuthNHeader, remoteUser);
 
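Review bot: At this site r->ap_auth_type is set right after r->user = remoteUser, but the visible context shows no check that remoteUser is non-NULL, unlike the (remoteUser != NULL) and if(remoteUser) guards visible in the other two hunks. If remoteUser can be NULL on this path, the request would report an auth type of CAS with no user attached; confirm the enclosing condition covers that case or add the guard here.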
@@ -2312,6 +2314,7 @@ int cas_authenticate(request_rec *r)
 
 		if(remoteUser) {
 			r->user = remoteUser;
+			r->ap_auth_type = (char * ) "CAS";
 			set_http_headers(r, c, d, attrs);
 			return OK;
 		} else {
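Review bot: Missing documentation: with the assignment under if(remoteUser), the three paths touched by this patch now report an auth type of CAS, a behaviour change that scripts can see through AUTH_TYPE, so it deserves a line in the README or changelog. The pair r->user = remoteUser; followed by the r->ap_auth_type assignment now appears three times, and a small helper that sets both would keep a future path from setting one without the other.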


Re: [cas-user] Question about using CAS with LDAP...?

2021-02-12 Thread David Hawes
On Fri, 12 Feb 2021 at 12:25, KC Pullen  wrote:
>
>
> Ray,
>
> I'll take a look at the LDAP logs and see if I can find anything...

What do your mod_authnz_ldap logs say?



Re: [cas-user] Making CAS Auth optional if browser has a certain cookie stored

2020-12-01 Thread David Hawes
On Tue, 1 Dec 2020 at 15:22, Bryan K. Walton  wrote:
> Is it possible to use an If Statement like this to make CAS auth
> optional?  If not, is there another way to bypass CAS auth if a
> certain cookie is already present in the user's browser?

A similar config works for me in both Directory and Location in Apache
2.4. Do you have some other config that also uses mod_auth_cas?

I'd be wary of doing this since simply knowing the name of the cookie
is enough to get access, but you know your use case and config, so it
may be fine for you.



Re: [cas-user] Re: mod_auth_cas - certificate path configuration and failed connection

2019-12-13 Thread David Hawes
On Fri, 13 Dec 2019 at 14:58, Alan S  wrote:
>
> Okay, via curl, this looks good (see the response below), and I'm getting the 
> authenticated username returned. So, this is a good step forward in 
> troubleshooting. Do you have advice for debugging the Apache module? I'm not 
> sure what would cause it to be so "quiet."

I agree, that looks good. It's with the same curl that mod_auth_cas
was compiled against, right?

As far as debugging, could you add some log messages like the following:

ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "made it here!");

to getResponseFromServer()? I'd start at around lines 1904, 1906, and
1912 of git master.



Re: [cas-user] Re: mod_auth_cas - certificate path configuration and failed connection

2019-12-12 Thread David Hawes
On Thu, 12 Dec 2019 at 18:09, Alan S  wrote:
>
> Still wrestling with this, I'm now specifying just the serviceValidate 
> endpoint to remove any possible problems with SAML attribute delivery. My 
> Apache configuration now looks like this:
>
> LoadModule auth_cas_module /usr/lib/apache2/modules/mod_auth_cas.so
>
> CASCookiePath /var/cache/apache2/mod_auth_cas/
> CASLoginURL https://CAS_SERVER/cas/login
> CASValidateURL https://CAS_SERVER/cas/serviceValidate
> CASDebug On
>
> 
> AuthType CAS
> AuthName "Autentication required"
> CASAuthNHeader CAS-User
> Require valid-user
> 
>
> My logs never show a response validation:
>
> [Thu Dec 12 16:54:20.821632 2019] [auth_cas:debug] [pid 20232] 
> mod_auth_cas.c(2675): entering check_vhost_config()
> [Thu Dec 12 16:54:20.904208 2019] [auth_cas:debug] [pid 20233] 
> mod_auth_cas.c(2675): entering check_vhost_config()
> [Thu Dec 12 16:54:29.432630 2019] [auth_cas:debug] [pid 20238] 
> mod_auth_cas.c(2159): [client CLIENT_IP:44734] Entering cas_authenticate()
> [Thu Dec 12 16:54:29.432643 2019] [auth_cas:debug] [pid 20238] 
> mod_auth_cas.c(610): [client CLIENT_IP:44734] CAS Service 
> 'https%3a%2f%2fAPP_HOST%2fauth%2f'
> [Thu Dec 12 16:54:29.432652 2019] [auth_cas:debug] [pid 20238] 
> mod_auth_cas.c(558): [client CLIENT_IP:44734] entering getCASLoginURL()
> [Thu Dec 12 16:54:29.432663 2019] [auth_cas:debug] [pid 20238] 
> mod_auth_cas.c(535): [client CLIENT_IP:44734] entering getCASGateway()
> [Thu Dec 12 16:54:29.432671 2019] [auth_cas:debug] [pid 20238] 
> mod_auth_cas.c(625): [client CLIENT_IP:44734] entering redirectRequest()
> [Thu Dec 12 16:54:29.432681 2019] [auth_cas:debug] [pid 20238] 
> mod_auth_cas.c(637): [client CLIENT_IP:44734] Adding outgoing header: 
> Location: 
> https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f
> [Thu Dec 12 16:54:34.729642 2019] [auth_cas:debug] [pid 20235] 
> mod_auth_cas.c(2159): [client CLIENT_IP:44736] Entering cas_authenticate(), 
> referer: https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f
> [Thu Dec 12 16:54:34.729659 2019] [auth_cas:debug] [pid 20235] 
> mod_auth_cas.c(682): [client CLIENT_IP:44736] Modified r->args (now ''), 
> referer: https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f
> [Thu Dec 12 16:54:34.729749 2019] [auth_cas:debug] [pid 20235] 
> mod_auth_cas.c(1832): [client CLIENT_IP:44736] entering 
> getResponseFromServer(), referer: 
> https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f
> [Thu Dec 12 16:54:34.729853 2019] [auth_cas:debug] [pid 20235] 
> mod_auth_cas.c(610): [client CLIENT_IP:44736] CAS Service 
> 'https%3a%2f%2fAPP_HOST%2fauth%2f', referer: 
> https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f
> [Thu Dec 12 16:54:35.031085 2019] [auth_cas:debug] [pid 20236] 
> mod_auth_cas.c(2159): [client CLIENT_IP:44754] Entering cas_authenticate(), 
> referer: https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f
> [Thu Dec 12 16:54:35.031100 2019] [auth_cas:debug] [pid 20236] 
> mod_auth_cas.c(682): [client CLIENT_IP:44754] Modified r->args (now ''), 
> referer: https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f
> [Thu Dec 12 16:54:35.031149 2019] [auth_cas:debug] [pid 20236] 
> mod_auth_cas.c(1832): [client CLIENT_IP:44754] entering 
> getResponseFromServer(), referer: 
> https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f
> [Thu Dec 12 16:54:35.031241 2019] [auth_cas:debug] [pid 20236] 
> mod_auth_cas.c(610): [client CLIENT_IP:44754] CAS Service 
> 'https%3a%2f%2fAPP_HOST%2fauth%2f', referer: 
> https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f
>
> Any idea what could be causing this "Secure Connection Failed" issue on a 5.3 
> server connection? (I've tried connecting on the latest mod_auth_cas master 
> and v1.2 tag.)

I'd expect to see a CURL error or the validation response printed out.

Are there any logs on your CAS server that show the service validation
from mod_auth_cas? Can you ensure that you can "curl
https://CAS_SERVER/cas/serviceValidate" from the host running Apache
and mod_auth_cas?


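The check described in the reply above (a validation attempt should be followed by a validation response in the log) can be run over a CASDebug log automatically. This is an added example, not part of the thread or of mod_auth_cas: the function name and the sample log are constructed, the sample follows the entry format quoted above, and keying requests by pid assumes the prefork MPM (one request per worker process at a time).

```python
import re

# One Apache 2.4 error-log entry written by mod_auth_cas with "CASDebug On".
# The [client ...] field is optional: startup entries do not carry it.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[auth_cas:\w+\] \[pid (?P<pid>\d+)(?::tid \d+)?\] "
    r"mod_auth_cas\.c\(\d+\): (?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)

# Constructed sample (not from a real server), one log entry per line.
SAMPLE_LOG = """\
[Thu Dec 12 16:54:20.821632 2019] [auth_cas:debug] [pid 20232] mod_auth_cas.c(2675): entering check_vhost_config()
[Thu Dec 12 16:54:29.432630 2019] [auth_cas:debug] [pid 20238] mod_auth_cas.c(2159): [client 192.0.2.10:44734] Entering cas_authenticate()
[Thu Dec 12 16:54:29.432671 2019] [auth_cas:debug] [pid 20238] mod_auth_cas.c(625): [client 192.0.2.10:44734] entering redirectRequest()
[Thu Dec 12 16:54:34.729642 2019] [auth_cas:debug] [pid 20235] mod_auth_cas.c(2159): [client 192.0.2.10:44736] Entering cas_authenticate(), referer: https://cas.example.org/cas/login
[Thu Dec 12 16:54:34.729749 2019] [auth_cas:debug] [pid 20235] mod_auth_cas.c(1832): [client 192.0.2.10:44736] entering getResponseFromServer(), referer: https://cas.example.org/cas/login
[Thu Dec 12 16:54:34.729853 2019] [auth_cas:debug] [pid 20235] mod_auth_cas.c(610): [client 192.0.2.10:44736] CAS Service 'https%3a%2f%2fapp.example.org%2fauth%2f'
[Thu Dec 12 16:54:35.031085 2019] [auth_cas:debug] [pid 20236] mod_auth_cas.c(2159): [client 192.0.2.10:44754] Entering cas_authenticate()
[Thu Dec 12 16:54:35.031149 2019] [auth_cas:debug] [pid 20236] mod_auth_cas.c(1832): [client 192.0.2.10:44754] entering getResponseFromServer()
[Thu Dec 12 16:54:35.131149 2019] [auth_cas:debug] [pid 20236] mod_auth_cas.c(1900): [client 192.0.2.10:44754] Validation response: (null)
[Thu Dec 12 16:54:36.031085 2019] [auth_cas:debug] [pid 20240] mod_auth_cas.c(2159): [client 192.0.2.10:44760] Entering cas_authenticate()
[Thu Dec 12 16:54:36.031149 2019] [auth_cas:debug] [pid 20240] mod_auth_cas.c(1832): [client 192.0.2.10:44760] entering getResponseFromServer()
[Thu Dec 12 16:54:36.131149 2019] [auth_cas:debug] [pid 20240] mod_auth_cas.c(1900): [client 192.0.2.10:44760] Validation response: [constructed XML body elided]
"""


def find_stalled_validations(log_text):
    """Return (pid, client, problem) for every request that started ticket
    validation but logged no usable "Validation response" entry."""
    open_reqs = {}   # pid -> state of the request that worker is handling
    findings = []

    def close(pid):
        req = open_reqs.pop(pid, None)
        if req is None or not req["validating"]:
            return  # no ticket validation attempted, e.g. redirect to login
        if req["response"] is None:
            findings.append((pid, req["client"], "no_validation_response"))
        elif req["response"].startswith("(null)"):
            findings.append((pid, req["client"], "null_validation_response"))

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue  # not a mod_auth_cas entry
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("Entering cas_authenticate()"):
            close(pid)  # the worker moved on to a new request
            open_reqs[pid] = {"client": m.group("client"),
                              "validating": False, "response": None}
        elif pid in open_reqs:
            if msg.startswith("entering getResponseFromServer()"):
                open_reqs[pid]["validating"] = True
            elif msg.startswith("Validation response:"):
                open_reqs[pid]["validating"] = True
                open_reqs[pid]["response"] = msg.split(":", 1)[1].strip()

    for pid in list(open_reqs):  # requests still open at end of log
        close(pid)
    return findings


if __name__ == "__main__":
    for pid, client, problem in find_stalled_validations(SAMPLE_LOG):
        print(f"pid {pid} client {client}: {problem}")
```

Only the "Validation response" entry is matched, since the wording of a curl error entry does not appear in the thread; a request reported as `no_validation_response` may therefore still have a curl error logged for it.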

Re: [cas-user] Compiling Mod-auth-cas with external OpenSSL

2019-11-04 Thread David Hawes
On Mon, 4 Nov 2019 at 12:01, Colin Ryan  wrote:
>
> David,
>
> Yes I've built Apache2 itself with SSL using the safe external OpenSSL as I'm 
> trying to use with the module. When I run the totally to stock ./configure 
> line I posted it gives me
>
> checking for openssl/ssl.h in /opt/aa... yes
>
> checking whether compiling and linking against OpenSSL works... no
>
> checking for CRYPTO_new_ex_data in -lcrypto... yes
>
> checking openssl/crypto.h usability... yes
>
> checking openssl/crypto.h presence... yes
>
> checking for openssl/crypto.h... yes
>
> checking openssl/x509.h usability... yes
>
> checking openssl/x509.h presence... yes
>
> checking for openssl/x509.h... yes
>
>
> Everything compiles but when I install and ldd the .so of the module it's 
> linked to the system's OpenSSL lib's not the ones in my /opt/aa patch.

This is likely showing libraries linked to libcurl. Can you change the
output by setting LD_LIBRARY_PATH=/opt/aa/lib before running ldd?

> If I export export CPPFLAGS="-I/opt/aa/include" and LDFLAGS="-L/opt/aa/lib/ 
> -ldl"
>
> Then I get "yes" on the compiling and linking line but the ldd still 
> indicates linkage to the system's version. I suspect the -ldl is needed as 
> I'm dealing with the static OpenSSL  libssl.a and libcrypto.a..

If you're using a recent OpenSSL (1.1), you likely aren't linking
against libssl and libcrypto at all. Removing or commenting out lines
13529-13743 of configure (master) will remove these checks.



Re: [cas-user] Compiling Mod-auth-cas with external OpenSSL

2019-11-02 Thread David Hawes
On Fri, 1 Nov 2019 at 15:41, Colin Ryan  wrote:
>
> Folks,
>
> For various reasons I need to compile my own mod_auth_cas module for
> use in Apache. I also have my own builds of OpenSSL  within this toolchain.
>
>
> I cannot for the life of me seem to get mod_auth_cas to use my external
> openssl libraries. I've done this many times before for other software
> components. I've tried all the tricks of setting OPENSSL_LIBS, CPPFLAGS,
> -ldl flag PKG_CONFIG_DIR etc etc that have worked in the past to no
> avail. No matter what I do it says it can find ssl.h, finds -lssl, finds
> -lcrypto BUT complains that it cannot find an link to OpenSSL and then
> builds with the systems default libraries as revealed by an "ldd" on the
> resulting mod_auth_so.c

What exact error do you get?

You should just need --with-openssl, but I've built with CPPFLAGS and
LDFLAGS as well.

I'd recommend using the same version of OpenSSL for Apache, curl, and
mod_auth_cas unless you want headaches.



Re: [cas-user] mod_auth_cas and attributes

2019-10-25 Thread David Hawes
On Fri, Oct 25, 2019, 05:45 Alberto Cabello Sánchez  wrote:

> On Thu, 24 Oct 2019 16:12:58 -0400
> David Hawes  wrote:
>
> > What version of mod_auth_cas are you using?
>
> Sorry, I didn't include it in my question:
>
> mod_auth_cas is 1.2, freshly cloned from
> https://github.com/apereo/mod_auth_cas.git
> CAS server is 5.3.12.1.
>
> > v1.2 supports CASv2 attributes, which should work with /serviceValidate
> > provided your server supports it.
> >
> > Turn "CASDebug On" and you should be able to see the validation
> > response with the attributes returned from your server. With
> > CASAuthnHeader set to some attribute like you've done, the released
> > attributes should be in the HTTP headers.
>
> This is the CAS info logged in Tomcat
>
> INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
>  givenName=[alberto], irisPersonalUniqueID=[DOC:12345678R], mail=[
> albe...@unex.es], sn=[cabello sánchez], sn1=[cabello], sn2=[sánchez],
> uid=[alberto]}] via credentials
> [[UsernamePasswordCredential(username=alberto)]].>
>
> I can't find any reference to headers in Apache 2 logs, except
>
> Adding outgoing header: Set-Cookie:
> MOD_AUTH_CAS_S=6c60***d099;Secure;Path=/examples/jsp/;
> HttpOnly, referer: /login?service=
>
> I guess I will add some printf() statements in mod_auth_cas to gather more
> info, and explore the SAML approach.
>

Not necessary. Set "LogLevel debug" and "CASDebug On". Search for
"Validation response" in the Apache logs.



Re: [cas-user] mod_auth_cas and attributes

2019-10-24 Thread David Hawes
On Thu, 24 Oct 2019 at 08:44, David Curry  wrote:
>
> You should be safe from SAML messes; CASv2 attribute release via SAML 1.1 has 
> been around for years and years; much longer than the CAS server's support 
> for the SAML2 protocol and acting as an IdP/SP. You don't actually have to 
> configure anything at all; just use the other endpoint (samlValidate instead 
> of serviceValidate).

Note that you can use /serviceValidate with mod_auth_cas v1.2 if your
server releases attributes.

> CASAuthnHeader is an on/off attribute. (See the documentation: 
> https://github.com/apereo/mod_auth_cas). If you want to change the attribute 
> headers to start with something other than "CAS_", that's the 
> CASAttributePrefix directive.

CASAuthNHeader specifies the name of a header. It is used like:

CASAuthNHeader username



Re: [cas-user] mod_auth_cas and attributes

2019-10-24 Thread David Hawes
What version of mod_auth_cas are you using? v1.2 supports CASv2
attributes, which should work with /serviceValidate provided your
server supports it.

Turn "CASDebug On" and you should be able to see the validation
response with the attributes returned from your server. With
CASAuthnHeader set to some attribute like you've done, the released
attributes should be in the HTTP headers.

On Thu, 24 Oct 2019 at 06:26, Alberto Cabello Sánchez  wrote:
>
> Hi,
>
> I'm trying to get attributes released by CAS through mod_auth_cas and CASv2
> protocol (not SAML), but I'm not sure how to achieve it.
>
> I set
>
> CASAuthNHeader ATTR
>
> but it just gives the authenticated user, even if successful login page shows
> correctly the attributes defined in application.properties.
>
> Attribute release policy for that service is
> "attributeReleasePolicy" : {
> "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
> },
>
> My validation URL is
>
> CASValidateURL /serviceValidate
>
> I don't know if this is correct. I found another value when using SAML
> validation, but I don't know if I have to change this one for CASv2 (only
> found this information regarding the SAML version).
>
> Thanks in advance,
>
> --
> Alberto Cabello Sánchez
> Servicio de Informática
> Universidad de Extremadura
>


Re: [cas-user] mod_auth_cas and apache 2.4 AuthMerging

2019-07-19 Thread David Hawes
On Wed, 17 Jul 2019 at 18:47, Paul Hirose  wrote:
>
> RHEL7.6, mod_auth_cas-1.1-3.el7.x86_64 (from EPEL).
> I'd like to protect my overall site with CAS.  I'd then additionally like to 
> add IP restrictions on a subset of this site.  I was hoping the first 
> Location stanza would require CAS for everything and the second Location 
> would also require I have IP 1.1.1.1.
>
> 
>  AuthType CAS
>  Require valid-user
>  CASSCope /
> 
>
> 
>  AuthMerging And
>  Require ip 1.1.1.1
> 
>
> 
>  AuthMerging And
>  Require ip 2.2.2.2
> 
>
> If I add the CAS directives to each subsequent Location stanza, it does work 
> (ie: I have to both CAS and be from the right IP.).  But I was hoping to 
> avoid having to duplicate the CAS stuff again and again.

Your example works for me. Visiting /one requires CAS auth in addition
to the IP restriction.

> If the above would work with the v1.2 release, I'm fine building that from 
> source.

It probably won't make a difference, but if you could upgrade to v1.2,
turn on Apache debug logging and "CASDebug On", and post your logs
here, it will help us figure out what's going on.



Re: [cas-user] empty SAML response with mod_auth_cas from v1.2/master

2019-06-04 Thread David Hawes
On Mon, 3 Jun 2019 at 17:13, Alan S  wrote:
>
> Hi, all,
>
> Our previous Apache client (mod_auth_cas v1.0.9.1) worked seamlessly with our 
> organization's CAS server, and retrieving SAML attributes was no problem at 
> all. Currently, we're working toward a rollout of CAS 5.3.3, and I'm trying 
> to integrate an Apache client built from the master branch (v1.2 tag).
>
> If I return only the CAS user from serviceValidate, that response is good; 
> however, I'm getting a null response from the samlValidate endpoint, where 
> Apache reports "Validation response: (null)" with no additional logging. 
> Could I please get some troubleshooting advice for returning proper SAML 
> using the latest Apache module?

Do versions prior to v1.2 work with CAS 5.3.3?

Do your CAS server logs show anything about the CAS validation response sent?



Re: [cas-user] mod_auth_cas / phpCas - HTTP Apache Behind HTTPS Terminated Load Balancer

2019-05-16 Thread David Hawes
On Tue, 14 May 2019 at 13:22, 'Will Gleich' via CAS Community
 wrote:
> Has anyone else solved this problem – am I over-looking something? Perhaps I 
> can spoof HTTPS with some apache header change.

Have you tried using CASRootProxiedAs with the virtual host on your LB
and setting session affinity or sticky sessions or whatever your LB
calls it?



[cas-user] mod_auth_cas 1.2 Release

2019-02-15 Thread David Hawes
The mod_auth_cas team is pleased to announce the release of mod_auth_cas 1.2.

https://github.com/apereo/mod_auth_cas/tree/v1.2

This release includes:
* OpenSSL 1.1 support.
* CASv2 attributes.
* CASPreserveTicket, which allows tickets to pass through when a valid
session exists.
* CASGatewayCookieDomain, to set the gateway cookie domain.
* Use a dynamic buffer to store the CAS validation response.
* Various bug and documentation fixes.
https://github.com/apereo/mod_auth_cas/milestone/6?closed=1

As always, please test in your environment, send questions to this
mailing list, and file bugs and send us pull requests at
https://github.com/apereo/mod_auth_cas .

Thanks,

Dave



[cas-user] mod_auth_cas v1.2-RC1

2019-01-04 Thread David Hawes
mod_auth_cas v1.2-RC1 has been tagged:

https://github.com/apereo/mod_auth_cas/tree/v1.2-RC1

Various bugfixes and documentation updates are included as well as:

- OpenSSL 1.1 support
- CASv2 attributes
- CASPreserveTicket, which allows tickets to pass through when a valid
session exists.

If you'd like to help with testing, please pull the tag and give us
feedback (this thread or a GitHub issue are both fine).

Thanks,

David



Re: [cas-user] Protect Single Page application using mod_auth_cas

2018-12-03 Thread David Hawes
The order of these directives matters. You may want to review:

http://httpd.apache.org/docs/current/sections.html#merging

We'd need more config to tell what's going on in your case.
On Fri, 30 Nov 2018 at 19:46, Shankaranand Bahushrutham
 wrote:
>
>
> I have 2 single page applications developed in Angular 6. I want to protect 
> one of them with CAS and the other one should not be protected. In Apache 
> webserver, I have them under htdocs folder with the name 'unsecured' and 
> 'secured'. Below is my mod_auth_cas configuration and it isn't working. It 
> protects fine if I give  but the problem is that it 
> protects the unsecured app as well.
>
> 
>   Authtype CAS
>   require valid-user
>   CASAuthNHeader sm_user
>   CASScope /secured
> 
>
> I have a rewrite rule to rewrite /* to /secured and another rule /unsecured 
> to /unsecured (this is placed above the /* so that unsecured rule executes 
> first)
>
> Please advise the right configuration
>


Re: [cas-user] Re: Unable to Retrieve CAS User Attributes (CAS 5.3.x)

2018-10-02 Thread David Hawes
On 2 October 2018 at 01:16, Fahmi L. Ramdhani
 wrote:
> Thanks dhawes,
> I have a little trouble about this, even though it should be able to. I
> configure it according to the documentation about attributes. Below are logs
> from mod_auth_cas:

The log excerpt looks like it was after validation. There should be more logs.

Have you upgraded your mod_auth_cas? The line numbers in your logs
indicate that you haven't.

If you are using an old version and the serviceValidate endpoint, you
will not get CASv2 attributes. As David noted earlier, you will need
to use the samlValidate endpoint.

CASv2 attribute support is available in mod_auth_cas git master.



Re: [cas-user] Unable to Retrieve CAS User Attributes (CAS 5.3.x)

2018-10-01 Thread David Hawes
On 1 October 2018 at 15:18, Fahmi L. Ramdhani
 wrote:
> Hi,
>
> I'm unable to retrieve CAS User Attributes using mod_auth_cas. Below is my
> configuration:
> 100-domain.com.conf
> 
> 
> ServerName domain.com
> ServerAlias www.domain.com
> ServerAdmin ad...@domain.com
>
>
> DocumentRoot /home/user/www/sites/domain.com
> 
> 
> CASAuthNHeader On
> AuthType CAS
> 
>
>
> # Options Indexes FollowSymLinks
> # AllowOverride All
> # Require all granted
> Require valid-user
> 
>
>
> ErrorLog ${APACHE_LOG_DIR}/error.log
> CustomLog ${APACHE_LOG_DIR}/access.log combined
>
>
> SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
> SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
>
>
> Include /etc/letsencrypt/options-ssl-apache.conf
>
>
> 
> CASLoginUrl   https://login.domain.com/cas/login
> CASValidateUrl    https://login.domain.com/cas/serviceValidate
> CASValidateServer off

This directive was removed in 2014. You should use a newer version of
mod_auth_cas.

When you've upgraded, set "LogLevel debug" and "CASDebug On" to see
your validation response in the logs. Are there attributes there?



Re: [cas-user] Mod_Auth_Cas Headers

2018-10-01 Thread David Hawes
On 1 October 2018 at 14:02, Ramakrishna G  wrote:
> David,
>
> Can you pls share code snippet or link for setting headers to response 
> attribute.

The wording was confusing in my last email, but we are just talking
about attribute release here. You should review the documentation for
your CAS server.



Re: [cas-user] Mod_Auth_Cas Headers

2018-10-01 Thread David Hawes
Just so I understand, you are setting headers on the validation
response to mod_auth_cas in your CAS server and expect the headers to
show up?

They will not show up.

You will need to add those headers to the attributes sent back in the
validation response for them to be available as headers in your PHP
script.

On 29 September 2018 at 09:04, Ramakrishna G  wrote:
> Hello all,
>
> I have custom authentication handler in CAS where I set headers post
> successful validation of user. This is my code snippet.
>
> if(isValidUser(credentials.getUsername(), credentials.getPassword()))
> {
> HttpServletResponse httpResponse = (HttpServletResponse)
> ExternalContextHolder.getExternalContext().getNativeResponse();
>
> httpResponse.addHeader("CAS-Username",credentials.getUsername());
> httpResponse.addHeader("CAS-Status",status);
> httpResponse.addHeader("CAS-LastLoginTime",lastlogin);
>
> final String username = credentials.getUsername();
> AuthenticationHandlerExecutionResult result =
> createHandlerResult(credentials,
> this.principalFactory.createPrincipal(username));
> return result;
> }
>
> And I am using Mod_auth_cas CAS client. Now my problem is I am unable to
> receive the headers set in CAS.
>
> My Mod_auth_cas config is:
>
> cas.conf
> LoadModule auth_cas_module modules/mod_auth_cas.so
> CASCertificatePath /etc/pki/tls/certs/cas.com.crt
> CASCookiePath /var/cache/mod_auth_cas/
> CASLoginURL  https://localhost:8443/cas/login
> CASValidateURL  https://localhost:8443/cas/serviceValidate
> CASRootProxiedAs https://xxx.xxx.com
> CASCookieDomain cas.com
> CASSSOEnabled On
> CASIdleTimeout 1500
> CASAttributePrefix "CAS-"
>
> ssl.conf
>  
> AllowOverride
> AuthType CAS
> require valid-user
> ProxyPass http://localhost/index.php
> ProxyPassReverse http://localhost/index.php
> CASAuthNHeader user-info
>  
>
> And in my index.php file I am printing all the headers received. The problem
> is I always only receive HTTP_USER_INFO :: cas.
>  I want to receive all the headers set in CAS. Am i missing something? Can
> someone help me in getting all the headers.
>
> Thanks
> Ramakrishna G
> +91 8792114542
>
>


Re: [cas-user] Apache 2.4 with Mod_auth_CAS session timeouts before setting value.

2018-08-20 Thread David Hawes
For reference:

https://github.com/apereo/mod_auth_cas/issues/151

On 20 August 2018 at 16:28, Matt T  wrote:
> Hi Everyone,
>
> I'm pulling my hair out here.  We run Cognos and front-end it with Apache
> 2.4.  We've CASified the application by using mod_auth_cas.  We've compiled
> from source and installed.  Our timeouts are set as follows in the
> auth_cas.conf.
>
> CASIdleTimeout 7200
> CASTimeout 28800
>
> Our ticket timeouts in CAS are all set to two hours.
>
> The issue we're facing is that a session will time out after one hour (or
> sometimes sooner) even though everything we have is set to at least two
> hours.  When the timeout occurs and we have debugging turned out, we see
> entries in the logs that a cookie is corrupt.  I've confirmed that is
> happening because the cookie isn't present at all.
>
> When we test this issue with little traffic on a web server, it's hard to
> reproduce.  This has made us think the issue may be due to user load, cache
> size, etc.
>
> Has anyone seen this type of behavior?  If so, do you have any idea what I
> can try to resolve it?
>
> Thanks in advance!
>
> -Matt
>


Re: [cas-user] Clustering Mod_auth_cas

2018-08-03 Thread David Hawes
On Fri, Aug 3, 2018 at 5:56 AM, Ramakrishna G  wrote:
> Hello Team,
>
> I have multiple CAS client (mod_auth_cas) connected to a load balancer. My
> problem is mod_auth_cas ask CASCOOKIEPATH to set to store the user
> information locally.
>
> I am planning to use NFS for the same but I feel there will be a delay in
> reading/writing the cookie information and have a feeling it is not safe to
> have this solution in production environment.

I'd be wary of this as well.

> Can we have a redis mechanism to store the mod_auth_cas cookie information?
> Do we already have it?

mod_auth_cas only stores cookies on the local file system. Development
work is necessary to support any other storage.

If it was me, I'd store the cookies in a RAM disk (someone mentioned
that in this thread), set the sticky bit on my LB, and call it a day.



Re: [cas-user] Invalid cache cookie length?

2018-04-11 Thread David Hawes
On Tue, Apr 10, 2018 at 2:41 PM, Bryan K. Walton  wrote:
> What does "Invalid cache cookie length" mean in the cas debug logs?
>
> For example:
> [Mon Apr 09 16:17:29.340510 2018] [:debug] [pid 7828]
> mod_auth_cas.c(897): [client xxx.xxx.xxx.xxx:64395] Invalid cache cookie
> length for '', (expecting 32, got 0), referer:
> https:///uPortal/f/employee/normal/render.uP
>
> Is this a problem with the cookie in our CASCookiePath?  Or a problem
> with a cookie in the end user's browser?

It looks like the client sent an empty cookie. In that case I'd expect
a redirect to your CAS server to authenticate again.

It's definitely odd that the cookie is empty. Do you see this often?



Re: [cas-user] Can I make use of XML attributes in a serviceValidate response for authorization control?

2018-02-22 Thread David Hawes
On Thu, Feb 22, 2018 at 4:14 PM, Bryan K. Walton  wrote:
> We have a mod_auth_cas installation where the CAS server on the other
> end is sending us XML attributes in their response.  I don't have any
> details on their CAS server version.  What I do know is that we are
> using the serviceValidate url for validation.  The CAS server, in
> question, does NOT have a samlValidate url option for us.
>
> When a user authenticates to our application, we get a validation
> response from their CAS server that looks like this:
>
> [Thu Feb 22 14:41:23.833837 2018] [:debug] [pid 21153]
> mod_auth_cas.c(1838): [client 10.1.88.60:39852] Validation response:
>  xmlns:cas="http://www.yale.edu/tp/cas;>jdoe
>
> As long as we use require valid-user, everything is fine, and users gain
> access to the application.
>
> My question, can mod_auth_cas work with these XML attributes
> for authorization control, without having access to a samlValidate url
> option?  For example, we would like to instruct Apache to limit access
> to those users who have "Staff" in the "" element.

mod_auth_cas supports SAML attributes with /samlValidate and CASv2
attributes with /serviceValidate (note that you must use git master
for this support).

The payload above does not look like what I would expect, which is
outlined here:

https://apereo.github.io/cas/5.1.x/protocol/CAS-Protocol-Specification.html#255-attributes-cas-30

It will not be parsed correctly and you will not be able to use those
values for authorization without modifying mod_auth_cas.
/serviceValidate in mod_auth_cas expects .

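The layout described in the specification section linked in the reply above, as an added example (not mod_auth_cas code and not part of the original message): a parser that only picks up attributes nested in `cas:attributes` under `cas:authenticationSuccess`, run over constructed responses. The function names, the `affiliation` attribute and all sample payloads are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"  # namespace URI used by CAS validation responses


class ValidationError(Exception):
    """Raised when a body is not a usable authentication success."""


def _q(tag):
    """Qualify a local element name with the CAS namespace."""
    return "{%s}%s" % (CAS_NS, tag)


def parse_service_validate(body):
    """Return (user, {attribute: [values]}) from a serviceValidate response body."""
    # A validation response never needs a DTD; refuse one instead of expanding entities.
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        raise ValidationError("DTD/entity declarations are not accepted")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValidationError("not well-formed XML: %s" % exc)
    if root.tag != _q("serviceResponse"):
        raise ValidationError("unexpected root element %r" % root.tag)
    success = root.find(_q("authenticationSuccess"))
    if success is None:
        failure = root.find(_q("authenticationFailure"))
        code = failure.get("code", "unknown") if failure is not None else "missing"
        raise ValidationError("authentication failure: %s" % code)
    user = (success.findtext(_q("user")) or "").strip()
    if not user:
        raise ValidationError("no cas:user in success response")
    attrs = {}
    container = success.find(_q("attributes"))
    if container is not None:
        for child in container:
            name = child.tag.split("}", 1)[-1]   # drop the namespace part
            attrs.setdefault(name, []).append((child.text or "").strip())
    return user, attrs


def is_authorized(body, attribute, required):
    """True only for a success response whose `attribute` carries `required`."""
    try:
        _user, attrs = parse_service_validate(body)
    except ValidationError:
        return False
    return required in attrs.get(attribute, [])


# Constructed sample: attributes where the specification puts them.
CONFORMING = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:affiliation>Staff</cas:affiliation>
      <cas:affiliation>Faculty</cas:affiliation>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: same data, but outside a cas:attributes container.
NONCONFORMING = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:affiliation>Staff</cas:affiliation>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: ticket rejected by the server.
FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

# Constructed sample: an HTML error page returned instead of a CAS response.
HTML_ERROR = '<html lang="en"><head><title>HTTP Status 406</title></head><body></body></html>'

if __name__ == "__main__":
    for label, body in [("conforming", CONFORMING), ("nonconforming", NONCONFORMING),
                        ("failure", FAILURE), ("html error", HTML_ERROR)]:
        print(label, "->", is_authorized(body, "affiliation", "Staff"))
```

The nonconforming response still authenticates the user, so `require valid-user` style checks pass while attribute-based checks see nothing.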


Re: [cas-user] Cannot retrieve user attributes from PHP application behind mod_auth_cas

2018-02-15 Thread David Hawes
On Thu, Feb 15, 2018 at 2:51 PM, Mukunthini Jeyakumar
 wrote:
> Thanks dhawes.
>
> I'm using the PHP code to print the values returned in the header
>   foreach (getallheaders() as $name => $value) {
> echo "$name: $value\n";
> }
>   ?>
>
> I've no issues if I use serviceValidate, but I'm only getting the username,
> I do not see the rest of the attributes released
>
> CASValidateURL https://:8443/cas/serviceValidate
> CASValidateSAML   Off

Do you see the attributes in the validation response? You can see this
in the debug logs.

Note that only the code in master supports CASv2 attributes. If you
see the attributes in the validation response, try mod_auth_cas
master.

> if I use SAML then I get error
>
> CASValidateURL https://:8443/cas/samlValidate
> CASValidateSAML   On
>
>
> I already built CAS with SAML 1.1 by adding  cas-server-support-saml,

This sounds like a CAS server issue. Have you verified /samlValidate
is working? What does the validation response look like?



Re: [cas-user] mod_auth_cas environnment variable

2018-02-15 Thread David Hawes
On Tue, Feb 13, 2018 at 10:23 AM, Fabio Martelli
 wrote:
> Hi All, is there a way to force mod_auth_cas to put retrieved principal
> attributes as env variable instead of headers?

We're talking Apache environment variables, right?

Do you need anything other than REMOTE_USER? That should be there
already. mod_auth_cas would need modification to add other attributes
to the Apache env variables.



Re: [cas-user] Cannot retrieve user attributes from PHP application behind mod_auth_cas

2018-02-09 Thread David Hawes
On Fri, Feb 9, 2018 at 4:00 PM, Mukunthini Jeyakumar
 wrote:
> Hi
>
> I'm seeing the same error even If I use /serviceValidate endpoint. As soon
> as I turn on CASValidateSAML, I'm getting the error
>
> Here is my mod_auth_cas. (I've used David Curry's Guide )
>
> LoadModule auth_cas_module modules/mod_auth_cas.so
>
> 
>
> AuthType CAS
> CASAuthNHeader  On
> 
> Require valid-user
> 
>
> 
> 
> AuthTypeCAS
> CASAuthNHeader  On
> 
> Require valid-user
> 
>
> 
>CASCertificatePath /etc/pki/tls/certs/
> CASCookiePath /var/lib/cas/
> CASValidateURL https://:8443/cas/serviceValidate
> #CASValidateURL https://:8443/cas/samlValidate
> CASLoginURL https://:8443/cas/login
> CASSSOEnabled On
> CASDebug  On
> CASValidateSAML   On
> LogLevel debug
> 

Use:

CASValidateURL https://:8443/cas/serviceValidate
CASValidateSAML   Off

or:

CASValidateURL https://:8443/cas/samlValidate
CASValidateSAML   On

What you have posted here will not work.

> 2018-02-09 15:55:50,016 WARN [org.springframework.web.servlet.PageNotFound]
> - 

SAML validation requires POST. Make sure you aren't mixing up your
directives (see above) and ensure that you can POST to
https://:8443/cas/samlValidate.

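A check for the two valid pairings given in the reply above, and for the removed `CASValidateServer` directive mentioned elsewhere in this archive, as an added example rather than part of mod_auth_cas or the original message. The function names, finding codes and the `cas.example.org` configs are constructed for illustration; the check assumes `CASValidateSAML` defaults to Off and uses the last occurrence of each directive, ignoring Apache section merging.

```python
import re
from urllib.parse import urlparse

# "Name value..." lines; directive names are compared case-insensitively.
DIRECTIVE = re.compile(r"^([A-Za-z][A-Za-z0-9_]*)\s+(.+)$")


def read_directives(text):
    """Map lower-cased directive name -> [(line number, value)].

    Comment lines and <Section> tags are skipped.
    """
    found = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        match = DIRECTIVE.match(line)
        if match:
            value = match.group(2).strip().strip('"')
            found.setdefault(match.group(1).lower(), []).append((lineno, value))
    return found


def lint_cas_config(text):
    """Return sorted (line, code, message) findings for a mod_auth_cas config."""
    directives = read_directives(text)
    findings = []

    # CASValidateServer no longer exists; its presence points at an old module.
    for lineno, _value in directives.get("casvalidateserver", []):
        findings.append((lineno, "removed-directive",
                         "CASValidateServer was removed; upgrade mod_auth_cas and drop it"))

    urls = directives.get("casvalidateurl", [])
    if not urls:
        findings.append((0, "no-validate-url", "CASValidateURL is not set"))
        return sorted(findings)

    lineno, url = urls[-1]
    endpoint = urlparse(url).path.rstrip("/").rsplit("/", 1)[-1]
    saml = directives.get("casvalidatesaml", [])
    # Assumption: an absent CASValidateSAML behaves as Off.
    saml_on = bool(saml) and saml[-1][1].lower() == "on"

    # SAML validation must go to samlValidate, and samlValidate needs SAML On.
    if saml_on != (endpoint == "samlValidate"):
        findings.append((lineno, "endpoint-mismatch",
                         "CASValidateSAML is %s but CASValidateURL ends in /%s"
                         % ("On" if saml_on else "Off", endpoint)))
    return sorted(findings)


# Constructed config: SAML switched on against the serviceValidate endpoint.
BROKEN = """\
LoadModule auth_cas_module modules/mod_auth_cas.so
CASCookiePath /var/cache/mod_auth_cas/
CASLoginURL https://cas.example.org:8443/cas/login
CASValidateURL https://cas.example.org:8443/cas/serviceValidate
#CASValidateURL https://cas.example.org:8443/cas/samlValidate
CASValidateSAML On
CASValidateServer off
CASDebug On
LogLevel debug
"""

# Constructed configs: the two consistent pairings.
CAS_PAIR = """\
CASValidateURL https://cas.example.org:8443/cas/serviceValidate
CASValidateSAML   Off
"""
SAML_PAIR = """\
CASValidateURL https://cas.example.org:8443/cas/samlValidate
CASValidateSAML   On
"""

# Constructed config: SAML endpoint with CASValidateSAML left unset.
SAML_URL_ONLY = "CASValidateURL https://cas.example.org:8443/cas/samlValidate\n"

if __name__ == "__main__":
    for lineno, code, message in lint_cas_config(BROKEN):
        print("line %d: %s: %s" % (lineno, code, message))
```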


Re: [cas-user] Cannot retrieve user attributes from PHP application behind mod_auth_cas

2018-02-09 Thread David Hawes
Are you sure your server supports /samlValidate? Are you able to use
/serviceValidate?

Post your full mod_auth_cas config here.

The 406 you see is from the CAS server. Do you have any logs on the
CAS server that indicate why the request failed?

On Fri, Feb 9, 2018 at 2:09 PM, Mukunthini Jeyakumar
 wrote:
> Hi dhawes,
>
> With the debug on,
>
>
> [Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(2076): [client
> 129.100.6.30] Entering cas_authenticate(), referer:
> https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
> [Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(654): [client
> 129.100.6.30] Modified r->args (now ''), referer:
> https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
> [Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(1779): [client
> 129.100.6.30] entering getResponseFromServer(), referer:
> https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
> [Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(584): [client
> 129.100.6.30] CAS Service
> 'https%3a%2f%2f%2freturn-mapped%2findex.php', referer:
> https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
> [Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(1856): [client
> 129.100.6.30] Validation response:  lang="en">HTTP Status 406 \xe2\x80\x93 Not
> Acceptableh1
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
> h2
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
> h3
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
> body
> {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
> p
> {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}
> a {color:black;} a.name {color:black;} .line
> {height:1px;background-color:#525D76;border:none;}HTTP
> Status 406 \xe2\x80\x93 Not AcceptableType
> Status ReportDescription The target resource does not have a
> current representation that would be acceptable to the user agent, according
> to the proactive negotiation header fields received in the request, and the
> server is unwilling to supply a default representation. />Apache Tomcat/8.5.23, referer:
> https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
> [Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(1440): [client
> 129.100.6.30] entering isValidCASTicket(), referer:
> https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
> [Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(1446): [client
> 129.100.6.30] MOD_AUTH_CAS: response =  lang="en">HTTP Status 406 \xe2\x80\x93 Not
> Acceptableh1
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
> h2
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
> h3
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
> body
> {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
> p
> {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}
> a {color:black;} a.name {color:black;} .line
> {height:1px;background-color:#525D76;border:none;}HTTP
> Status 406 \xe2\x80\x93 Not AcceptableType
> Status ReportDescription The target resource does not have a
> current representation that would be acceptable to the user agent, according
> to the proactive negotiation header fields received in the request, and the
> server is unwilling to supply a default representation. />Apache Tomcat/8.5.23, referer:
> https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
> [Thu Feb 08 16:07:44 2018] [error] [client 129.100.6.30] MOD_AUTH_CAS: error
> parsing CASv2 response: XML parser error code: syntax error (2), referer:
> https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
>
>
> MOD_AUTH_CAS: error parsing CASv2 response: XML parser error code:
> syntax error (2), referer:
> https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
>
> Thanks
> Thini
>

Re: [cas-user] Cannot retrieve user attributes from PHP application behind mod_auth_cas

2018-02-09 Thread David Hawes
Set:

LogLevel debug
CASDebug On

and check your error logs. You should have information as to why you
get this error.

On Thu, Feb 8, 2018 at 1:13 PM, Mukunthini Jeyakumar
 wrote:
> Hi David,
>
> I'm using mod_auth_cas configured to use the "samlValidate" endpoint. When I
> turn on CASValidateSAML and configure saml endpoint I'm getting the
> following error
>
> Authorization Required
>
> This server could not verify that you are authorized to access the document
> requested. Either you supplied the wrong credentials (e.g., bad password),
> or your browser doesn't understand how to supply the credentials required.
>
>
> But I was able to get the principal user id without SAML endpoint
>
> I'm using CAS 5.2.2
>
>
> Thanks
>
> Thini
>
>


Re: [cas-user] Cas - Unauthorized

2018-01-30 Thread David Hawes
)
>>
>> ~
>>
>>
>> LoadModule auth_cas_module modules/mod_auth_cas.so
>> CASCookiePath /var/cache/mod_auth_cas/
>> CASCertificatePath  /etc/ssl/certs/
>> CASLoginURL https://192.168.111.12:9443/cas/login
>> CASRootProxiedAs https://192.168.111.12
>> CASValidateURL https://192.168.111.12:9443/cas/serviceValidate
>> #CASProxyValidateURL https://192.168.111.12:9443/cas/proxyValidate
>> CASDebug On
>> LogLevel debug
>> CASValidateSAML On
>> CASVersion 2
>> #CASValidateServer off
>> #CASAllowWildcardCert off
>> CASTimeout 86400
>> CASIdleTimeout 7200
>> CASSSOEnabled On
>> #LogLevel debug
>>
>> DocumentRoot "/var/www/html/"
>> ServerName 192.168.111.12
>> CASValidateSAML On
>> LogLevel debug
>> ErrorLog /var/log/cas_error_log
>> CustomLog /var/log/cas_access_log combined
>> # Other directives here
>> #AuthType CAS
>> #require valid-user
>>
>>  AllowOverride
>>  Order allow,deny
>>  Allow from all
>>  Authtype CAS
>>  require valid-user
>>  Allow from env=no_cas_use
>>  #Satisfy Any
>>  # require cas-attribute edupersonaffiliation:staff
>>
>>
>> What am I missing?
>>
>>
>> Thank you
>>
>> Ramakrishna
>>
>>
>>
>> On Thu, Jan 25, 2018 at 10:45 PM, David Hawes <dha...@vt.edu> wrote:
>>>
>>> On 23 January 2018 at 08:52, Ramakrishna G <ramakris...@teligenz.in>
>>> wrote:
>>> > Unauthorized
>>> >
>>> > This server could not verify that you are authorized to access the
>>> > document
>>> > requested. Either you supplied the wrong credentials (e.g., bad
>>> > password),
>>> > or your browser doesn't understand how to supply the credentials
>>> > required.
>>> >
>>> >
>>> > Ticket is generated but says the above error. I am using mod_auth_cas
>>> > in
>>> > Apache server.
>>>
>>> Set:
>>>
>>> LogLevel debug
>>> CASDebug On
>>>
>>> and check your error logs. You should have information as to why you
>>> get this error.
>>>


Re: [cas-user] Cas - Unauthorized

2018-01-25 Thread David Hawes
On 23 January 2018 at 08:52, Ramakrishna G  wrote:
> Unauthorized
>
> This server could not verify that you are authorized to access the document
> requested. Either you supplied the wrong credentials (e.g., bad password),
> or your browser doesn't understand how to supply the credentials required.
>
>
> Ticket is generated but says the above error. I am using mod_auth_cas in
> Apache server.

Set:

LogLevel debug
CASDebug On

and check your error logs. You should have information as to why you
get this error.



Re: [cas-user] Ip changed to Host name

2018-01-25 Thread David Hawes
On 23 January 2018 at 08:56, Ramakrishna G  wrote:
> Hello all,
>
>
> I am using mod_auth_cas. While I hit cas url I give ip and cas automatically
> changes it to host name. Can anyone suggest how to stop this?
>
>
> Eg: my url: https://192.168.111.XX => It redirects to my cas url as
> https://192.168.111.XX:9443/cas/login?service=https%3a%2f%2fclient.XX.local%2f
>
> instead of client.XX.local I need my ip itself in service.

See the CASRootProxiedAs directive.



Re: [cas-user] Re: CAS 5.0.8 + Active Directory - Note receiving user information

2017-09-14 Thread David Hawes
Have you tried using the /samlValidate endpoint with "CASValidateSaml On"?

/serviceValidate may or may not return attributes, depending on your
CAS server. If it does, you can use mod_auth_cas from git master,
which supports CASv2 attributes.

On 14 September 2017 at 09:11, Micas Camela  wrote:
> Hi Doug C,
>
> I solved the problem generating the casdev certificate (previous generated
> using keytool) using the following commands:
>
> openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout casdev.key -out
> casdev.crt
>
> openssl pkcs12 -export -inkey casdev.key -in casdev.crt -name tomcat -out
> casdev.p12
>
> keytool -importkeystore -srckeystore casdev.p12 -srcstoretype pkcs12
> -destkeystore keystore.jks
>
>
> And importing the casdev.crt in CASCLIENT (/etc/httpd/conf/casdev.crt).
>
> But unfortunately I am only getting the username, without any attributes.
>
>
> Thank you
>
>
>
> On Wednesday, September 13, 2017 at 2:34:45 PM UTC+2, Micas Camela wrote:
>>
>> Hi there!
>>
>> I have configured on casdev (CentOS 7 + Tomcat 8.5.20 + CAS 5.0.8) and
>> casclient (Apache 2.4 + mod_auth_cas + php app).
>>
>> After a successful login I am getting an error page with:
>>
>> Unauthorized
>>
>> This server could not verify that you are authorized to access the
>> document requested. Either you supplied the wrong credentials (e.g., bad
>> password), or your browser doesn't understand how to supply the credentials
>> required.
>>
>>
>> CASDEV output:
>>
>>
>> 2017-09-12 21:57:21,374 DEBUG
>> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
>> 
>> 2017-09-12 21:57:21,374 DEBUG
>> [org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository]
>> - > attributes directly associated with the principal object which are
>> [{cn=Micas Rafael, givenName=Micas, LdapAuthenticationHandler.dn=CN=Micas
>> Rafael,OU=Users,OU=DSI,DC=BCITESTES,DC=local, sn=Rafael}]>
>> 2017-09-12 21:57:21,375 DEBUG
>> [org.apereo.cas.authentication.principal.cache.AbstractPrincipalAttributesRepository]
>> - > Rafael, givenName=Micas, LdapAuthenticationHandler.dn=CN=Micas
>> Rafael,OU=Users,OU=DSI,DC=BCITESTES,DC=local, sn=Rafael}>
>> 2017-09-12 21:57:21,375 DEBUG
>> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
>> > LdapAuthenticationHandler.dn=CN=Micas
>> Rafael,OU=Users,OU=DSI,DC=BCITESTES,DC=local, sn=Rafael} for mrafael>
>> 2017-09-12 21:57:21,375 DEBUG
>> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
>> > attributes for mrafael>
>> 2017-09-12 21:57:21,376 DEBUG
>> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
>> > {cn=Micas Rafael, givenName=Micas, LdapAuthenticationHandler.dn=CN=Micas
>> Rafael,OU=Users,OU=DSI,DC=BCITESTES,DC=local, sn=Rafael} for mrafael>
>> 2017-09-12 21:57:21,376 DEBUG
>> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
>> 
>> 2017-09-12 21:57:21,376 DEBUG
>> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
>> > any>
>> 2017-09-12 21:57:21,377 DEBUG
>> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
>> 
>> 2017-09-12 21:57:21,377 DEBUG
>> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
>> 
>> 2017-09-12 21:57:21,378 DEBUG
>> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
>> 
>> 2017-09-12 21:57:21,378 DEBUG
>> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
>> 
>> 2017-09-12 21:57:21,379 DEBUG
>> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
>> > givenName=Micas, sn=Rafael}>
>> 2017-09-12 21:57:21,379 DEBUG
>> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
>> 
>> 2017-09-12 21:57:21,380 DEBUG
>> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
>> 
>> 2017-09-12 21:57:21,380 DEBUG
>> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
>> 
>> 2017-09-12 21:57:21,380 DEBUG
>> [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
>> > givenName=Micas, LdapAuthenticationHandler.dn=CN=Micas
>> Rafael,OU=Users,OU=DSI,DC=BCITESTES,DC=local, sn=Rafael}>
>> 2017-09-12 21:57:21,381 DEBUG
>> [org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy] - > access strategy policy, since no attributes rules are defined>
>> 2017-09-12 21:57:21,381 DEBUG
>> [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - > authentication via ticket
>> TGT-**HSoxyIIULz-casdev allows
>> service https://192.168.0.151/secured-by-cas/index.php to participate in the
>> existing SSO session>
>> 2017-09-12 21:57:21,382 DEBUG
>> [org.apereo.cas.ticket.DefaultServiceTicketFactory] - > ticket id generator for
>> [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl]>
>> 2017-09-12 21:57:21,382 DEBUG
>> 

Re: [cas-user] Cannot retrieve user attributes from PHP application behind mod_auth_cas

2017-07-19 Thread David Hawes
On 19 July 2017 at 15:11, David Curry  wrote:
>
> You need to have mod_auth_cas configured to use the "samlValidate" endpoint 
> on the CAS server, and also have the "CASAuthNHeader" setting turned on in 
> /etc/httpd/conf.d/cas.conf (or wherever your config file is). Like this:
>
> 
> 
> AuthType CAS
> CASAuthNHeader  On
> 
>
> Require valid-user
> 
>
> 
> CASLoginUrl https://cas.example.com/cas/login
> CASValidateUrl  https://cas.example.com/cas/samlValidate
> CASCookiePath   /var/cache/httpd/mod_auth_cas/
> CASValidateSAML On
> CASSSOEnabled   On
> CASDebug Off
> 
>
>
> This will give you a bunch of headers whose names begin with "CAS_". If you 
> want a different prefix instead of "CAS_", you can set it with the 
> "CASAttributePrefix" option.
>
> Anyway, then in your PHP script, you can have something like this:
>
> <?php
>   echo "";
>
>   // REMOTE_USER is set by mod_auth_cas after a successful login
>   if (array_key_exists('REMOTE_USER', $_SERVER)) {
>     echo "REMOTE_USER = " . $_SERVER['REMOTE_USER'] . "";
>   }
>
>   // Released attributes arrive as request headers prefixed with "CAS_"
>   $headers = getallheaders();
>   foreach ($headers as $key => $value) {
>     if (strpos($key, 'CAS_') === 0) {
>       echo substr($key, 4) . " = " . $value . "";
>     }
>   }
>
>   echo "";
> ?>
>
> to print them all out. Note that you will get more than just the attributes 
> you released; you'll also get some other information from the CAS server. For 
> example, on my current devel setup, which authenticates against Active 
> Directory first and LDAP second, and merges attributes from both, I get:
>
> REMOTE_USER = curryd
> AuthenticationMethod = Active Directory
> displayName = David Curry
> successfulAuthenticationHandlers = Active Directory
> cn = x
> EmailAddress = david.cu...@newschool.edu
> Role = staff
> samlAuthenticationStatementAuthMethod = 
> urn:oasis:names:tc:SAML:1.0:am:password
> uid = curryd
> UDC_IDENTIFIER = xxx
> Active-Directory.curryd = cn=curryd,ou=TNSUsers,dc=tns,dc=newschool,dc=edu
> sn = Curry
> Formatted-Name = David

Just wanted to +1 Dave's reply. Good stuff.

I also wanted to note that CASv2 attributes from /serviceValidate are
now supported in git master, if you need to go that route.

https://github.com/apereo/mod_auth_cas/pull/110

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAgu-wBGy142k8aLGkC8B1O852jWz%2BVQ4OXdGRhQAAotDGPKrA%40mail.gmail.com.


Re: [cas-user] Redirect loop

2017-05-23 Thread David Hawes
I don't see that you have the following in your config (from the Plone docs):


ServerAlias   *
ServerRoot /var/www
ServerSignature On


Have you tried adding something like this? Without it, I'd expect the
proxy to just keep looping. This happens on my test machine.

You may still have some mod_auth_cas issues (I'd recommend upgrading
to v1.1), but this needs to work first. It may be useful to comment
out all the mod_auth_cas directives and make sure it works without
auth as expected.


On 23 May 2017 at 17:03, Pooya E <poo...@gmail.com> wrote:
> I think I know where the problem is... I need a ProxyPassReverse for the
> rewrite rule I have since it is redirecting with an address that has 8080
> appended.
> What do you think? If so, how would you write the ProxyPassReverse for that
> rewrite rule?
>
> On Monday, May 22, 2017 at 5:49:09 PM UTC-4, David Hawes wrote:
>>
>> What do the mod_auth_cas debug logs show?
>>
>> Can you post your full Apache configuration?
>>
>> What version of Apache?
>>
>> What version of mod_auth_cas?
>>
>> On 22 May 2017 at 07:56, Pooya Eslami <poo...@gmail.com> wrote:
>> > Logs show going back and forth between site and cas...
>> >
>> > $ tail -f access.log
>> >
>> > 10.55.1.102 - USER567 [18/May/2017:20:39:33 +] "GET / HTTP/1.1" 302
>> > 16773 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0)
>> > Gecko/20100101 Firefox/52.0"
>> >
>> > 10.55.1.102 - USER567 [18/May/2017:20:39:33 +] "GET
>> > /?ticket=ST-8490389-1QQZghQr4Mq4Y1d0DWtX-cas HTTP/1.1" 302 587 "-"
>> > "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101
>> > Firefox/52.0"
>> >
>> > 10.55.1.102 - USER567 [18/May/2017:20:39:33 +] "GET / HTTP/1.1" 302
>> > 16773 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0)
>> > Gecko/20100101 Firefox/52.0"
>> >
>> > 10.55.1.102 - USER567 [18/May/2017:20:39:33 +] "GET
>> > /?ticket=ST-8490390-gdcqMZ4hYqannRw4WZRr-cas HTTP/1.1" 302 587 "-"
>> > "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101
>> > Firefox/52.0"
>> >
>> > 10.55.1.102 - USER567 [18/May/2017:20:39:33 +] "GET / HTTP/1.1" 302
>> > 16773 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0)
>> > Gecko/20100101 Firefox/52.0"
>> >
>> > 10.55.1.102 - USER567 [18/May/2017:20:39:33 +] "GET
>> > /?ticket=ST-8490391-dEHGGYgNNknusb4XBwFl-cas HTTP/1.1" 302 587 "-"
>> > "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101
>> > Firefox/52.0"
>> >
>> > 10.55.1.102 - USER567 [18/May/2017:20:39:33 +] "GET / HTTP/1.1" 302
>> > 16773 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0)
>> > Gecko/20100101 Firefox/52.0"
>> >
>> > 10.55.1.102 - USER567 [18/May/2017:20:39:33 +] "GET
>> > /?ticket=ST-8490392-tJUb7ZHBoE3UQeLBxIe4-cas HTTP/1.1" 302 587 "-"
>> > "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101
>> > Firefox/52.0"
>> >
>> > 10.55.1.102 - USER567 [18/May/2017:20:39:33 +] "GET / HTTP/1.1" 302
>> > 16773 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0)
>> > Gecko/20100101 Firefox/52.0"
>> >
>> > 10.55.1.102 - USER567 [18/May/2017:20:39:33 +] "GET
>> > /?ticket=ST-8490393-4oRlIYjdA9civwc149Nf-cas HTTP/1.1" 302 587 "-"
>> > "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101
>> > Firefox/52.0"
>> >
>> >
>> > This goes on forever
>> >
>> > On Friday, May 19, 2017 at 10:36:25 PM UTC-4, David Hawes wrote:
>> >>
>> >> On 18 May 2017 at 17:40, Pooya Eslami <poo...@gmail.com> wrote:
>> >> > Same if that line is deleted or set to /
>> >> > I keep getting sent to cas and redirected back to site.
>> >> > I would like to try RewriteCond, but where would I stop?! If I stop
>> >> > at
>> >> > cas
>> >> > it will not redirect to cas, if stop after site, it will not redirect
>> >> > to
>> >> > cas...
>> >> > See my dilemma?
>> >>
>> >> Do you have another VirtualHost for 8080?
>> >>
>> 
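
The loop visible in the quoted access log (a 302 on `/`, then a 302 on `/?ticket=ST-...`, repeated with a fresh ticket each time) can be detected mechanically. The following is an added example, not part of the original thread or of mod_auth_cas: it assumes Apache's combined log format, the function names and the thresholds (3 tickets within 30 seconds) are illustrative choices, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# CAS service tickets arrive as a "ticket" query parameter and start with "ST-".
TICKET_RE = re.compile(r'[?&]ticket=(ST-[^&\s]+)')

# Constructed sample (documentation addresses, made-up tickets). The second
# line carries a truncated UTC offset ("+]") like the log quoted in the thread.
SAMPLE_LOG = '''\
192.0.2.10 - alice [18/May/2017:20:39:33 +0000] "GET / HTTP/1.1" 302 16773 "-" "Mozilla/5.0"
192.0.2.10 - alice [18/May/2017:20:39:33 +] "GET /?ticket=ST-1-aaaa-cas HTTP/1.1" 302 587 "-" "Mozilla/5.0"
192.0.2.10 - alice [18/May/2017:20:39:33 +0000] "GET / HTTP/1.1" 302 16773 "-" "Mozilla/5.0"
192.0.2.10 - alice [18/May/2017:20:39:34 +0000] "GET /?ticket=ST-2-bbbb-cas HTTP/1.1" 302 587 "-" "Mozilla/5.0"
192.0.2.10 - alice [18/May/2017:20:39:34 +0000] "GET / HTTP/1.1" 302 16773 "-" "Mozilla/5.0"
192.0.2.10 - alice [18/May/2017:20:39:34 +0000] "GET /?ticket=ST-3-cccc-cas HTTP/1.1" 302 587 "-" "Mozilla/5.0"
192.0.2.20 - bob [18/May/2017:20:40:01 +0000] "GET /?ticket=ST-9-zzzz-cas HTTP/1.1" 302 587 "-" "Mozilla/5.0"
192.0.2.20 - bob [18/May/2017:20:40:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'''.splitlines()


def parse_time(stamp):
    """Parse dd/Mon/yyyy:HH:MM:SS and ignore the UTC offset.

    Only differences between entries of one log file are compared, so the
    offset is not needed, and a damaged offset does not break parsing.
    """
    return datetime.strptime(stamp[:20], "%d/%b/%Y:%H:%M:%S")


def find_redirect_loops(lines, min_tickets=3, window=timedelta(seconds=30)):
    """Return {client_ip: [service tickets]} for clients stuck in a CAS loop.

    A healthy login presents one service ticket, gets a redirect to the clean
    URL, and then receives a non-redirect response. A looping client keeps
    presenting new tickets and only ever receives 3xx responses.
    """
    recent = defaultdict(list)  # client -> [(time, ticket)] since last non-3xx
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        client = m["host"]
        status = int(m["status"])
        if not 300 <= status < 400:
            # Any non-redirect response means the client got out of the loop.
            recent[client].clear()
            continue
        ticket = TICKET_RE.search(m["target"])
        if ticket is None:
            continue  # redirect towards CAS; only ticketed requests are counted
        when = parse_time(m["time"])
        history = recent[client]
        history.append((when, ticket.group(1)))
        # Keep only tickets presented inside the sliding window.
        history[:] = [(t, st) for t, st in history if when - t <= window]
        distinct = list(dict.fromkeys(st for _, st in history))
        if len(distinct) >= min_tickets:
            flagged[client] = distinct
    return flagged


if __name__ == "__main__":
    for client, tickets in find_redirect_loops(SAMPLE_LOG).items():
        print(f"{client}: {len(tickets)} service tickets, no successful response")
```

A client flagged this way is receiving valid tickets but never a usable session, which points at the service URL, cookie, or proxy configuration rather than at the CAS server.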

Re: [cas-user] Redirect loop

2017-05-22 Thread David Hawes
What do the mod_auth_cas debug logs show?

Can you post your full Apache configuration?

What version of Apache?

What version of mod_auth_cas?

On 22 May 2017 at 07:56, Pooya Eslami <poo...@gmail.com> wrote:
> Logs show going back and forth between site and cas...
>
> $ tail -f access.log
>
> 10.55.1.102 - USER567 [18/May/2017:20:39:33 +] "GET / HTTP/1.1" 302
> 16773 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0)
> Gecko/20100101 Firefox/52.0"
>
> 10.55.1.102 - USER567 [18/May/2017:20:39:33 +] "GET
> /?ticket=ST-8490389-1QQZghQr4Mq4Y1d0DWtX-cas HTTP/1.1" 302 587 "-"
> "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101
> Firefox/52.0"
>
> 10.55.1.102 - USER567 [18/May/2017:20:39:33 +] "GET / HTTP/1.1" 302
> 16773 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0)
> Gecko/20100101 Firefox/52.0"
>
> 10.55.1.102 - USER567 [18/May/2017:20:39:33 +] "GET
> /?ticket=ST-8490390-gdcqMZ4hYqannRw4WZRr-cas HTTP/1.1" 302 587 "-"
> "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101
> Firefox/52.0"
>
> 10.55.1.102 - USER567 [18/May/2017:20:39:33 +] "GET / HTTP/1.1" 302
> 16773 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0)
> Gecko/20100101 Firefox/52.0"
>
> 10.55.1.102 - USER567 [18/May/2017:20:39:33 +] "GET
> /?ticket=ST-8490391-dEHGGYgNNknusb4XBwFl-cas HTTP/1.1" 302 587 "-"
> "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101
> Firefox/52.0"
>
> 10.55.1.102 - USER567 [18/May/2017:20:39:33 +] "GET / HTTP/1.1" 302
> 16773 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0)
> Gecko/20100101 Firefox/52.0"
>
> 10.55.1.102 - USER567 [18/May/2017:20:39:33 +] "GET
> /?ticket=ST-8490392-tJUb7ZHBoE3UQeLBxIe4-cas HTTP/1.1" 302 587 "-"
> "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101
> Firefox/52.0"
>
> 10.55.1.102 - USER567 [18/May/2017:20:39:33 +] "GET / HTTP/1.1" 302
> 16773 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0)
> Gecko/20100101 Firefox/52.0"
>
> 10.55.1.102 - USER567 [18/May/2017:20:39:33 +] "GET
> /?ticket=ST-8490393-4oRlIYjdA9civwc149Nf-cas HTTP/1.1" 302 587 "-"
> "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101
> Firefox/52.0"
>
>
> This goes on forever
>
> On Friday, May 19, 2017 at 10:36:25 PM UTC-4, David Hawes wrote:
>>
>> On 18 May 2017 at 17:40, Pooya Eslami <poo...@gmail.com> wrote:
>> > Same if that line is deleted or set to /
>> > I keep getting sent to cas and redirected back to site.
>> > I would like to try RewriteCond, but where would I stop?! If I stop at
>> > cas
>> > it will not redirect to cas, if stop after site, it will not redirect to
>> > cas...
>> > See my dilemma?
>>
>> Do you have another VirtualHost for 8080?
>>
>> Your config works fine for me on Apache 2.4.17 and mod_auth_cas master
>> provided I have a separate VirtualHost for 8080.
>>
>> What do your logs show?
>>


Re: [cas-user] Redirect loop

2017-05-19 Thread David Hawes
On 18 May 2017 at 17:40, Pooya Eslami  wrote:
> Same if that line is deleted or set to /
> I keep getting sent to cas and redirected back to site.
> I would like to try RewriteCond, but where would I stop?! If I stop at cas
> it will not redirect to cas, if stop after site, it will not redirect to
> cas...
> See my dilemma?

Do you have another VirtualHost for 8080?

Your config works fine for me on Apache 2.4.17 and mod_auth_cas master
provided I have a separate VirtualHost for 8080.

What do your logs show?



Re: [cas-user] CAS Apache Module - Ignore SSO/URL in a protected directory

2017-02-17 Thread David Hawes
On 16 February 2017 at 22:05, RJ Guroo  wrote:
> I have a requirement to ignore SSO for subsequent folders within a protected
> folder.
>
> For example: We have to protect the URI, /app1/
>
> /app1/ should be protected
> /app1/dir1/ .. protected by the first rule
> /app1/dir2/ .. protected by the first rule
> /app1/dir2/ .. protected by the first rule
> /app1/dir3/ should be excluded or ignored by SSO.
> /app1/dir4/ .. protected by the first rule
> /app1/dir5/ .. protected by the first rule
> /app1/dir6/ .. protected by the first rule
>
> We can't protect individual directories, as the real list is so big.
>
> In Siteminder language, we used to root protect /app1/ and have the
> following in LocalConfig of the Web Agent
>
> IgnoreUrl="/app1/dir3/"
>
> This is a frequent requirement for us. How to go about this with CAS?

Look into the CASGateway mod_auth_cas directive.

Something like:


  AuthType CAS
  CASGateway /app1/dir3
  
Require valid-user
  


  Require all granted




Re: [cas-user] mod_cas_auth and cas attribute

2017-02-08 Thread David Hawes
On Thu, Feb 2, 2017 at 2:41 PM, Tom Barber  wrote:
> Hello folks
>
> I see in the readme the cas-attribute directive is for use with SAML, it is
> only SAML and not serviceValidate endpoints?

serviceValidate is supported in git master:

https://github.com/Jasig/mod_auth_cas/pull/110



Re: [cas-user] CASifying Peoplesoft

2017-01-27 Thread David Hawes
On 26 January 2017 at 13:23, Bryan Wooten  wrote:
> We have our Peoplesoft environment CASified by adding CAS filters to the
> Weblogin web.xml and writing some custom signon  Peoplecode. It works well.
>
> And we are doing a proof of concept where the Weblogic is behind Apache. We have
> installed mod_auth_cas on the Apache. REMOTE_USER is getting set.
>
> But for some reason either Weblogic is ignoring this header or is dropping
> it.

Can you see any of the headers in Weblogic?

Maybe try using some other header that you set with CASAuthNHeader?



Re: [cas-user] Converting REMOTE_USER variable to all lower/upper case in mod_auth_cas v. 1.1?

2017-01-25 Thread David Hawes
On 25 January 2017 at 08:23, Bryan K. Walton <bwal...@leepfrog.com> wrote:
> On Tue, Jan 24, 2017 at 06:51:22PM -0500, David Hawes wrote:
>> On 24 January 2017 at 08:45, Bryan K. Walton <bwal...@leepfrog.com> wrote:
>> ...
>> > However, that same CAS server passes some users in lowercase.  Is there
>> > a way in mod_auth_cas to convert all usernames to either uppercase or
>> > lowercase, overriding what the CAS authentication server sends?
>>
>> There is no configuration option to do this in mod_auth_cas.
>>
>> I would recommend changing the case on your CAS server or the
>> application that uses REMOTE_USER.
>
> OK, thanks. The CAS server isn't ours and we have no control over it or 
> access to it.  So, we will pursue from an application angle.  One question, 
> for you (or others).  Looking at the following page:
>
> https://httpd.apache.org/docs/current/expr.html
>
> It appears that one might be able to use the REMOTE_USER variable in some 
> kind of combination with the "tolower" function in an Apache expression to 
> possibly convert the variable to all lowercase.  But I can't seem to figure 
> out if that is really possible, or how to implement that.  Has anybody tried 
> this?

I tried something like:

RewriteEngine On
RewriteMap uc int:toupper
RewriteRule ^ - [E=REMOTE_USER:${uc:%{LA-U:REMOTE_USER}},L]
LogLevel debug rewrite:trace6

I could see it uppercase the REMOTE_USER properly in the logs, but my
phpinfo() page did not reflect that. I expect there's something in the
auth flow that's writing it back, though I don't have time to trace it
right now.

If you're comfortable modifying source, this could of course be done
in the mod_auth_cas code. I can provide pointers if you'd like.



Re: [cas-user] Converting REMOTE_USER variable to all lower/upper case in mod_auth_cas v. 1.1?

2017-01-24 Thread David Hawes
On 24 January 2017 at 21:43, Chris Cheltenham
 wrote:
...
>   
>
> Authtype CAS
>
> require valid-user
>
> CASAuthNHeader CAS_USER
>
>   

Try using CAS-USER here.

2.4 is more strict with headers.

See:

https://github.com/Jasig/mod_auth_cas/issues/49#issuecomment-55311020



Re: [cas-user] Converting REMOTE_USER variable to all lower/upper case in mod_auth_cas v. 1.1?

2017-01-24 Thread David Hawes
On 24 January 2017 at 16:19, Chris Cheltenham
 wrote:
> Bryon ,
>
> According to my tcpdump mod_auth_cas is pushing REMOTE_USER no matter what we 
> configure it to be.
> So when we changed the behavior of the other side to EXPECT the REMOTE_USER 
> variable , it worked.
>
> The question for CAS folks is, Is that a bug?
>
> Is it supposed to ignore the configured value in our mod_auth_cas.conf file?
>
> I would think not.

mod_auth_cas sets r->user which gets evaluated as REMOTE_USER. This is
something that can't be changed.

What does your configuration look like?



Re: [cas-user] Converting REMOTE_USER variable to all lower/upper case in mod_auth_cas v. 1.1?

2017-01-24 Thread David Hawes
On 24 January 2017 at 08:45, Bryan K. Walton  wrote:
...
> However, that same CAS server passes some users in lowercase.  Is there
> a way in mod_auth_cas to convert all usernames to either uppercase or
> lowercase, overriding what the CAS authentication server sends?

There is no configuration option to do this in mod_auth_cas.

I would recommend changing the case on your CAS server or the
application that uses REMOTE_USER.



Re: [cas-user] CASRootProxiedAs with variable value

2017-01-18 Thread David Hawes
I think it would need some work to become official. I'd like to make
sure we're covering similar use cases and are doing it the right way.

Feel free to create an issue on the project page and we can discuss it further:

https://github.com/Jasig/mod_auth_cas

On 11 January 2017 at 14:37, Hansi PIERRE <hansi...@gmail.com> wrote:
> Hi ...
> Until now the patch is working fine, does it have a chance to become
> official ?
>
> 2016-12-22 14:35 GMT+01:00 Hansi PIERRE <hansi...@gmail.com>:
>>
>> Hello
>>
>> Good news !! It seems to be working fine :) Thank you very much. After
>> holidays I will try to do more tests to be sure... I'll let you know.
>>
>> On Wednesday, 21 December 2016 at 22:11:49 UTC+1, Hansi PIERRE wrote:
>>>
>>> Ho !! tks a lot :) ... I'll try it tomorrow :)
>>>
>>> On Wednesday, 21 December 2016 at 17:42:18 UTC+1, dhawes wrote:
>>>>
>>>> On 21 December 2016 at 11:22, David Hawes <dha...@vt.edu> wrote:
>>>> ...
>>>> > I've attached a horrible, inflexible, mostly untested and probably
>>>> > buggy patch against git master that should rewrite the Host header to
>>>> > the service URL. Let me know if it works for your case.
>>>>
>>>> The previous patch probably won't work. This one has the same caveats
>>>> as above, but it works on my test machine.
>>
>
>
>
>
> --
> ... because smurf.
>


Re: [cas-user] CASRootProxiedAs with variable value

2016-12-21 Thread David Hawes
On 21 December 2016 at 11:22, David Hawes <dha...@vt.edu> wrote:
...
> I've attached a horrible, inflexible, mostly untested and probably
> buggy patch against git master that should rewrite the Host header to
> the service URL. Let me know if it works for your case.

The previous patch probably won't work. This one has the same caveats
as above, but it works on my test machine.

diff --git a/src/mod_auth_cas.c b/src/mod_auth_cas.c
index 063aab1..1d78e9a 100644
--- a/src/mod_auth_cas.c
+++ b/src/mod_auth_cas.c
@@ -549,9 +549,18 @@ char *getCASService(const request_rec *r, const cas_cfg *c)
 {
 	const apr_port_t port = r->connection->local_addr->port;
 	const apr_byte_t ssl = isSSL(r);
-	const apr_uri_t *root_proxy = >CASRootProxiedAs;
+	//const apr_uri_t *root_proxy = >CASRootProxiedAs;
+	apr_uri_t *root_proxy;
 	char *scheme, *port_str = "", *service;
 	apr_byte_t print_port = TRUE;
+apr_uri_t rp;
+char *host = apr_psprintf(r->pool, "%s%s", "https://;, (char *) apr_table_get(r->headers_in, "Host"));
+
+ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Host: %s", host);
+
+	cas_setURL(r->pool, , host);
+root_proxy = 
+
 
 #ifdef APACHE2_0
 	scheme = (char *) ap_http_method(r);
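Review bot: in getCASService the value returned by apr_table_get(r->headers_in, "Host") goes straight into apr_psprintf and cas_setURL with no NULL check and no validation, so the service URL becomes whatever the client sent as its Host header. Handle a missing header and match the value against the expected proxied hostnames before using it, and fall back to the configured CASRootProxiedAs otherwise; the only visible use of that setting in this function is now commented out.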
@@ -2131,7 +2140,10 @@ int cas_authenticate(request_rec *r)
 	printPort = TRUE;
 
 if(c->CASRootProxiedAs.is_initialized) {
-		newLocation = apr_psprintf(r->pool, "%s%s%s%s", apr_uri_unparse(r->pool, >CASRootProxiedAs, 0), r->uri, ((r->args != NULL) ? "?" : ""), ((r->args != NULL) ? r->args : ""));
+apr_uri_t rp;
+char *host = apr_psprintf(r->pool, "%s%s", "https://;, (char *) apr_table_get(r->headers_in, "Host"));
+cas_setURL(r->pool, , host);
+		newLocation = apr_psprintf(r->pool, "%s%s%s%s", apr_uri_unparse(r->pool, , 0), r->uri, ((r->args != NULL) ? "?" : ""), ((r->args != NULL) ? r->args : ""));
 } else {
 #ifdef APACHE2_0
 	if(printPort == TRUE)
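Review bot: in cas_authenticate the Host-derived URL ends up in newLocation, and the result of cas_setURL is discarded before rp is unparsed, so a malformed or hostile Host value is carried into the new location without any check. Test the cas_setURL result and validate the host first; the three added lines also repeat the block added to getCASService, so one helper that returns the validated root would keep the two call sites from drifting apart.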


Re: [cas-user] CASRootProxiedAs with variable value

2016-12-21 Thread David Hawes
On 21 December 2016 at 04:27, Hansi PIERRE  wrote:
> Hello ... first thank you for the answer.
>
> On Tuesday, 20 December 2016 23:04:48 UTC+1, dhawes wrote:
>>
>>
>> I'm not sure I follow. What prevents you from using a URL with
>> CASRootProxiedAs?
>
>
> Because my proxied URL has a variable prefix that I'm not aware of in the
> server... something like
> http://[]-myserver.com/...
> ... but this value can be found in the request's header.

Gotcha, thanks for the clarification.

There's no way to do this currently. Feel free to file a feature
request to the GitHub project and we can discuss further.

I've attached a horrible, inflexible, mostly untested and probably
buggy patch against git master that should rewrite the Host header to
the service URL. Let me know if it works for your case.

diff --git a/src/mod_auth_cas.c b/src/mod_auth_cas.c
index 063aab1..988fee5 100644
--- a/src/mod_auth_cas.c
+++ b/src/mod_auth_cas.c
@@ -549,9 +549,18 @@ char *getCASService(const request_rec *r, const cas_cfg *c)
 {
 	const apr_port_t port = r->connection->local_addr->port;
 	const apr_byte_t ssl = isSSL(r);
-	const apr_uri_t *root_proxy = >CASRootProxiedAs;
+	//const apr_uri_t *root_proxy = >CASRootProxiedAs;
+	apr_uri_t *root_proxy;
 	char *scheme, *port_str = "", *service;
 	apr_byte_t print_port = TRUE;
+apr_uri_t rp;
+char *host = apr_psprintf(r->pool, "%s%s", "https://;, (char *) apr_table_get(r->headers_in, "Host"));
+
+ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Host: %s", host);
+
+	cas_setURL(r->pool, , host);
+root_proxy = 
+
 
 #ifdef APACHE2_0
 	scheme = (char *) ap_http_method(r);
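Review bot: the added host string hard-codes the https:// scheme even though ssl = isSSL(r) is computed two lines above, so a plain-HTTP virtual host would advertise an https service URL. Derive the scheme from ssl or from configuration, remove the commented-out root_proxy declaration instead of leaving it in place, and indent the added lines with tabs like the rest of the function body.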


Re: [cas-user] CASRootProxiedAs with variable value

2016-12-20 Thread David Hawes
On 20 December 2016 at 08:51, Hansi PIERRE  wrote:
...
> It seems like the variable is not resolved.
> Is there a way to set a variable as value of  "CASRootProxiedAs" ?

No, you cannot have variables in the URL.

> More generally my apache is proxied and I can't get the redirect to set the
> external address in the service field. Is there another way to do it than
> with "CASRootProxiedAs"

I'm not sure I follow. What prevents you from using a URL with CASRootProxiedAs?
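
An added example (not part of the thread and not mod_auth_cas code): one way to bound a Host-derived service root like the one the patch in this thread builds, by accepting only hosts of the form `<label>-myserver.com` and using a static root otherwise. The suffix macro, fallback URL, function names and sample hosts are assumptions, and it uses plain libc rather than APR so that it compiles on its own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed values: "-myserver.com" mirrors the "[prefix]-myserver.com"
 * shape described in the thread; the fallback root is hypothetical. */
#define ALLOWED_SUFFIX "-myserver.com"
#define FALLBACK_ROOT  "https://portal.example.org"

static int ascii_lower(int c) { return (c >= 'A' && c <= 'Z') ? c + 32 : c; }

static int is_label_char(int c)
{
    c = ascii_lower(c);
    return (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '-';
}

/* Return 1 only if `host` (a Host header value, optional ":port") is
 * "<label><suffix>" where <label> is 1..63 letters, digits or hyphens. */
static int host_is_allowed(const char *host, const char *suffix)
{
    size_t len, slen, plen, i;

    if (host == NULL || suffix == NULL)
        return 0;                       /* a request may carry no Host header */
    len = strcspn(host, ":");           /* host part, before any port */
    slen = strlen(suffix);
    if (len <= slen || len > 253)
        return 0;
    plen = len - slen;                  /* length of the variable prefix */
    if (plen > 63 || host[0] == '-')
        return 0;

    if (host[len] == ':') {             /* optional port: 1..65535, nothing after */
        const char *p = host + len + 1;
        size_t digits = strspn(p, "0123456789");
        long port = 0;
        if (digits == 0 || digits > 5 || p[digits] != '\0')
            return 0;
        for (i = 0; i < digits; i++)
            port = port * 10 + (p[i] - '0');
        if (port < 1 || port > 65535)
            return 0;
    }

    for (i = 0; i < slen; i++)          /* fixed part, compared case-insensitively */
        if (ascii_lower((unsigned char)host[plen + i]) !=
            ascii_lower((unsigned char)suffix[i]))
            return 0;
    for (i = 0; i < plen; i++)          /* prefix: rejects '.', '@', '/', CR, LF */
        if (!is_label_char((unsigned char)host[i]))
            return 0;
    return 1;
}

/* Returns 1 if the Host header was used, 0 if the fallback was used and
 * -1 if `out` is too small. An accepted host is lowercased in the result. */
static int build_service_root(char *out, size_t outlen, const char *host,
                              const char *suffix, const char *fallback)
{
    int used = host_is_allowed(host, suffix);
    int n = snprintf(out, outlen, "%s%s", used ? "https://" : "",
                     used ? host : fallback);
    char *p;

    if (n < 0 || (size_t)n >= outlen)
        return -1;
    if (used)
        for (p = out + strlen("https://"); *p != '\0'; p++)
            *p = (char)ascii_lower((unsigned char)*p);
    return used;
}

int main(void)
{
    /* Constructed Host header values, including a missing header (NULL). */
    const char *samples[] = { "tenant42-myserver.com", "Tenant42-MyServer.com:8443",
                              "a.b-myserver.com", "x-myserver.com.evil.example",
                              "x@evil.example", NULL };
    char buf[128];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = build_service_root(buf, sizeof buf, samples[i],
                                    ALLOWED_SUFFIX, FALLBACK_ROOT);
        printf("%-30s -> %s (%s)\n", samples[i] ? samples[i] : "(no Host header)",
               buf, rc == 1 ? "from Host" : "fallback");
    }
    return 0;
}
```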



Re: [cas-user] mod_auth_cas 1.1

2016-12-15 Thread David Hawes
I see no mod_auth_cas configuration here.

On 13 December 2016 at 18:44, Chris Cheltenham
<cchelten...@swaintechs.com> wrote:
> David,
>
> Again I appreciate your help.
>
>
>
> -Original Message-
> From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David 
> Hawes
> Sent: Tuesday, December 13, 2016 10:52 AM
> To: CAS Community
> Subject: Re: [cas-user] mod_auth_cas 1.1
>
> On 12 December 2016 at 17:57, Chris Cheltenham <cchelten...@swaintechs.com> 
> wrote:
>> David,
>>
>> The mod_auth_cas is attached.
>
> Can you post your Apache config?


Re: [cas-user] mod_auth_cas 1.1

2016-12-13 Thread David Hawes
On 12 December 2016 at 17:57, Chris Cheltenham
 wrote:
> David,
>
> The mod_auth_cas is attached.

Can you post your Apache config?



Re: [cas-user] mod_auth_cas 1.1

2016-12-12 Thread David Hawes
Please post your mod_auth_cas configuration.

Next, set your LogLevel to debug and CASDebug on. Do you see anything
useful in the error log?

On 10 December 2016 at 11:41, Chris Cheltenham
 wrote:
> Hello everyone,
>
> We are using RHEL 7.3 with apache 2.4.6 and CAS 3.5.2.1 and mod_auth_cas 1.1
>
> We are getting this error once we log into CAS.
>
> Unauthorized
>
> This server could not verify that you are authorized to access the document
> requested. Either you supplied the wrong credentials (e.g., bad password),
> or your browser doesn't understand how to supply the credentials required.
>
> The URL has the ticket in there when we proxy to the CAS server.
>
> https://test.dcis.hhs.gov/main.php?ticket=ST-42-aEak6uBsvai99PLq06Ad-test-ba.dcis.hhs.gov
>
> On other RHEL5 apache servers that work we see this in the URL
>
> https://dcis.hhs.gov/cas/login?service=https%3a%2f%2fdcis.hhs.gov%2fmain.php
>
> The install seems to go well.
> See below
>
> See any operating system documentation about shared libraries for
> more information, such as the ld(1) and ld.so(8) manual pages.
> --
> chmod 755 /usr/lib64/httpd/modules/mod_auth_cas.so
> make[1]: Leaving directory `/tmp/mod_auth_cas-master/src'
> Making install in tests
> make[1]: Entering directory `/tmp/mod_auth_cas-master/tests'
> make[2]: Entering directory `/tmp/mod_auth_cas-master/tests'
> make[2]: Nothing to be done for `install-exec-am'.
> make[2]: Nothing to be done for `install-data-am'.
> make[2]: Leaving directory `/tmp/mod_auth_cas-master/tests'
> make[1]: Leaving directory `/tmp/mod_auth_cas-master/tests'
> make[1]: Entering directory `/tmp/mod_auth_cas-master'
> make[2]: Entering directory `/tmp/mod_auth_cas-master'
> make[2]: Nothing to be done for `install-exec-am'.
> make[2]: Nothing to be done for `install-data-am'.
> make[2]: Leaving directory `/tmp/mod_auth_cas-master'
> make[1]: Leaving directory `/tmp/mod_auth_cas-master'
>
> root@test-web:/tmp/mod_auth_cas-master > ls -l
> total 1684
> -rw-r--r--. 1 root root  42423 Oct 11 18:39 aclocal.m4
> -rwxr-xr-x. 1 root root   7333 Oct 11 18:39 compile
> -rwxr-xr-x. 1 root root  42938 Oct 11 18:39 config.guess
> -rw-r--r--. 1 root root   5958 Dec 10 11:33 config.h
> -rw-r--r--. 1 root root   5576 Oct 11 18:39 config.h.in
> -rw-r--r--. 1 root root  60120 Dec 10 11:33 config.log
> -rwxr-xr-x. 1 root root  60916 Dec 10 11:33 config.status
> -rwxr-xr-x. 1 root root  36006 Oct 11 18:39 config.sub
> -rwxr-xr-x. 1 root root 491031 Oct 11 18:39 configure
> -rw-r--r--. 1 root root   5083 Oct 11 18:39 configure.ac
> -rwxr-xr-x. 1 root root  23566 Oct 11 18:39 depcomp
> -rwxr-xr-x. 1 root root  14675 Oct 11 18:39 install-sh
> -rwxr-xr-x. 1 root root 339483 Dec 10 11:33 libtool
> -rw-r--r--. 1 root root 324089 Oct 11 18:39 ltmain.sh
> drwxr-xr-x. 2 root root   4096 Oct 11 18:39 m4
> -rw-r--r--. 1 root root  27298 Dec 10 11:33 Makefile
> -rw-r--r--. 1 root root    961 Oct 11 18:39 Makefile.am
> -rw-r--r--. 1 root root  27090 Oct 11 18:39 Makefile.in
> -rwxr-xr-x. 1 root root   6872 Oct 11 18:39 missing
> -rw-r--r--. 1 root root    801 Oct 11 18:39 NOTES
> -rw-r--r--. 1 root root  17243 Oct 11 18:39 README
> -rw-r--r--. 1 root root   3327 Oct 11 18:39 README.win32
> drwxr-xr-x. 4 root root   4096 Dec 10 11:33 src
> -rw-r--r--. 1 root root     23 Dec 10 11:33 stamp-h1
> -rwxr-xr-x. 1 root root   4640 Oct 11 18:39 test-driver
> drwxr-xr-x. 3 root root   4096 Dec 10 11:33 tests
>
> root@test-web:/tmp/mod_auth_cas-master > ls -l /usr/lib64/httpd/modules/mod_auth_cas.so
> -rwxr-xr-x. 1 root root 245800 Dec 10 11:33 /usr/lib64/httpd/modules/mod_auth_cas.so
>
> root@test-web:/tmp/mod_auth_cas-master > service httpd start
> Redirecting to /bin/systemctl start  httpd.service
>
> root@test-web:/tmp/mod_auth_cas-master > systemctl httpd status
> Unknown operation 'httpd'.
>
> root@test-web:/tmp/mod_auth_cas-master > systemctl status httpd
> ● httpd.service - The Apache HTTP Server
>    Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
>    Active: active (running) since Sat 2016-12-10 11:34:34 EST; 17s ago
>      Docs: man:httpd(8)
>            man:apachectl(8)
>   Process: 10235 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
>   Process: 29467 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=0/SUCCESS)
>  Main PID: 13258 (httpd)
>    Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
>    CGroup: /system.slice/httpd.service
>            ├─13258 /usr/sbin/httpd -DFOREGROUND
>            ├─13260 /usr/sbin/httpd -DFOREGROUND
>            ├─13262 /usr/sbin/httpd -DFOREGROUND
>            ├─13263 /usr/sbin/httpd -DFOREGROUND
>

Re: [cas-user] require group

2016-11-23 Thread David Hawes
I'd expect by the end of the year at the latest.

On 23 November 2016 at 12:21, pouria Mahmoudi  wrote:
> Oh by the way,
> Is it possible to tell me how soon this change would be merged?
>
> Thanks
>
>
> On Wednesday, November 23, 2016 at 9:00:14 AM UTC-8, pouria Mahmoudi wrote:
>>
>> Yes,
>> require cas-attribute GROUP_ATTRIBUTE:ADMIN is exactly what I needed but I
>> am not using samlValidate.
>>
>> Thanks David for the reply and I hope to get the new release with this fix
>> in it.
>>
>>
>> On Tuesday, November 22, 2016 at 3:07:39 PM UTC-8, dhawes wrote:
>>>
>>> On 22 November 2016 at 16:40, pouria Mahmoudi 
>>> wrote:
>>> > Hi Everyone,
>>> > I have a problem with getting group working with mod_auth_cas.
>>> >
>>> > Here is the snippet:
>>> > 
>>> > 
>>> > Authtype CAS
>>> > Require valid-user
>>> > Require group ADMIN
>>> > CASAuthNHeader cas
>>> > 
>>> > 
>>> >
>>> > I don't see any information related to group in CAS Cookie :
>>> >
>>> > http://uconn.edu/cas/mod_auth_cas;>
>>> >admin
>>> >1479847469143283
>>> >1479847469145147
>>> >/my_app/
>>> >ST-1-cJrtZmKMkuysdXXMXhRK-cas01.example.org
>>> >
>>> > 
>>> >
>>> > I don't know what I am missing. Any help would be appreciated.
>>>
>>> I'm going to assume you're using mod_auth_cas v1.1.
>>>
>>> Are you using a /samlValidate endpoint? Something like:
>>>
>>> CASValidateURL https://login.example.org/cas/samlValidate
>>> CASValidateSAML On
>>>
>>> If so and you're not getting attributes, check with your CAS server
>>> admin.
>>>
>>> If you aren't using /samlValidate, the current version of mod_auth_cas
>>> does not support CASv2 attributes with /serviceValidate.
>>>
>>> You have 2 options:
>>>
>>> 1. Use /samlValidate.
>>> 2. Try this merge request:
>>> https://github.com/Jasig/mod_auth_cas/pull/110. I've successfully
>>> tested it and it should be merged soon.
>>>
>>> As for your require statement, you probably want something like:
>>>
>>> # assuming Apache 2.4
>>> # be sure to replace GROUP_ATTRIBUTE!
>>> require cas-attribute GROUP_ATTRIBUTE:ADMIN


Re: [cas-user] require group

2016-11-22 Thread David Hawes
On 22 November 2016 at 16:40, pouria Mahmoudi  wrote:
> Hi Everyone,
> I have a problem with getting group working with mod_auth_cas.
>
> Here is the snippet:
> 
> 
> Authtype CAS
> Require valid-user
> Require group ADMIN
> CASAuthNHeader cas
> 
> 
>
> I don't see any information related to group in CAS Cookie :
>
> http://uconn.edu/cas/mod_auth_cas;>
>admin
>1479847469143283
>1479847469145147
>/my_app/
>ST-1-cJrtZmKMkuysdXXMXhRK-cas01.example.org
>
> 
>
> I don't know what I am missing. Any help would be appreciated.

I'm going to assume you're using mod_auth_cas v1.1.

Are you using a /samlValidate endpoint? Something like:

CASValidateURL https://login.example.org/cas/samlValidate
CASValidateSAML On

If so and you're not getting attributes, check with your CAS server admin.

If you aren't using /samlValidate, the current version of mod_auth_cas
does not support CASv2 attributes with /serviceValidate.

You have 2 options:

1. Use /samlValidate.
2. Try this merge request:
https://github.com/Jasig/mod_auth_cas/pull/110. I've successfully
tested it and it should be merged soon.

As for your require statement, you probably want something like:

# assuming Apache 2.4
# be sure to replace GROUP_ATTRIBUTE!
require cas-attribute GROUP_ATTRIBUTE:ADMIN



Re: [cas-user] CASAuthNHeader to return user

2016-11-21 Thread David Hawes
On 21 November 2016 at 16:13, pouria Mahmoudi  wrote:
...
> Description: If enabled, this will store the user returned by CAS in an HTTP
> header
> accessible to your web applications.
...
> but it doesn't look like I have an http header. At least by doing Inspect
> Element on my browser I cannot see it.
>
> Any help would be appreciated.

These headers are not sent to your browser, so you will not see it
there. They are only set on the server.



Re: [cas-user] Landing Page using Gateway with mod_auth_cas

2016-07-13 Thread David Hawes
On 12 July 2016 at 11:32, Travis Schmidt  wrote:
> I have been trying to come up with a way to configure a landing page for an
> app that uses gateway to determine if the user is logged in or not with
> Apache 2.4 and mod_auth_cas.  I thought at first just doing something like
>
> Require valid-user
> Require all granted
>
> would do the trick, but the RequireAny is evaluated before authentication is
> called which means mod_auth_cas is never executed in that case.  The best I
> could come up with is something like this:
>
> 
> AuthType CAS
> AuthName "Authentication via CAS"
> CASScope /GatewayApp/
> CASSecureCookie CAS_GATEWAY_S
> CASGateway /GatewayApp/
> Require valid-user
> 
>require valid-user
> 
> 
>Require all granted
> 
> 
>
> Anyone else have or know of a better way to do this?

I can't think of a better way to do this, but I admittedly haven't
played around with the gateway stuff too much.

I'll have to think if there's a way to make this work a little more
seamlessly in Apache 2.4, which seems to be a little more strict about
setting a user during auth (which is something mod_auth_cas explicitly
does not do).

Here's the comment in the 2.4 code:

if (r->user == NULL) {
/* don't let buggy authn module crash us in authz */

:)



Re: [cas-user] Re: Where are the cas-attribute headers?

2016-06-30 Thread David Hawes
On 30 June 2016 at 12:40, mostolog  wrote:
> Hi
>
>
> Finally, I managed to solve it.
>
> Seems that cas-attribute headers are only sent if CASAuthNHeader directive
> is enabled.

That's correct.

Also note that you may want to set your CASAttributePrefix to
something that does not contain underscores, as Apache 2.4 will
silently drop those headers.

> According to documentation:
>
> Directive: CASAuthNHeader
> Default: None
> Description: If enabled, this will store the user returned by CAS in an HTTP
> header accessible to your web applications.
>
>
> IMHO that's not exactly what's happening, and either of two should be done:
>
> - Fix an error (if any) to return headers always (but when
>   CASScrubRequestHeaders enabled?)
> - Update documentation to reflect this directive also has an effect on
>   cas-attribute headers
>
>
> Should I file the issue? Which one?

The headers are currently coupled to CASAuthNHeader mostly because of
how authorization has evolved over the years, but I could be convinced
that they should have their own directive or even be on all the time.

In the short term documenting this better would help. Feel free to
open an issue discussing all of this, and we can decide what to do
there.



Re: [cas-user] Compiling mod_auth_cas on debian 8 (missing aclocal-1.15)

2016-03-21 Thread David Hawes
On 21 March 2016 at 11:00, Philippe MARASSE
 wrote:
> Hello,
>
> I'm trying to compile mod_auth_cas on a Debian 8 jessie, sources are
> cloned from github. ./configure works but make complains about missing
> aclocal-1.15.
>
> automake package for Debian 8 ships aclocal-1.14 and no backport exists
> for the next version.
>
> What should I do to make it work on this installation ?
> (As far as I remember, packaged mod_auth_cas does not work well with
> apache 2.4)
>
> $ make
> CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/bash
> /home/chl/src/mod_auth_cas/missing aclocal-1.15 -I m4
> /home/chl/src/mod_auth_cas/missing: ligne 81: aclocal-1.15 : commande
> introuvable
> WARNING: 'aclocal-1.15' is missing on your system.
>  You should only need it if you modified 'acinclude.m4' or
>  'configure.ac' or m4 files included by 'configure.ac'.
>  The 'aclocal' program is part of the GNU Automake package:
>  
>  It also requires GNU Autoconf, GNU m4 and Perl in order to run:
>  
>  
>  
> Makefile:398: recipe for target 'aclocal.m4' failed
> make: *** [aclocal.m4] Error 127

I thought this was fixed, I'll investigate.

In the meantime try:

autoreconf -ivf

and then ./configure && make.
