[cas-user] CAS 6.1.2 inotify issues

2019-12-20 Thread Windham, Gary D - (windhamg)
Hi all,

I'm testing CAS 6.1.2 in an external Jetty (9.4.24) container, and I've been 
running into an issue where CAS logs an error message like the following:

User limit of inotify instances reached or too many open files

Prior to a huge stack trace and the application shutting down.

I originally saw this issue when running the embedded Jetty container, then 
switched over to an external container to see if that would make any difference 
(it did not). I am running Jetty in a Docker container, and have increased the 
following sysctl parameters on the Docker host:

# sysctl -p
fs.inotify.max_user_watches = 560144
fs.inotify.max_user_instances = 512

I also have increased nofiles substantially, but that doesn't seem to have 
helped either.

Any ideas on where to begin looking to resolve this issue? I see CAS constantly 
logging messages like this: 2019-12-21 03:41:46,082 INFO 
[org.apereo.cas.util.io.PathWatcherService] - , which I assume to be related to the inotify issues.

Thanks!
--Gary

--

Gary Windham

Principal Enterprise Systems Architect

University Information Technology Services

The University of Arizona



Email: windh...@email.arizona.edu

Office: +1 520 626 5981

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CABpeFHE6uayme1VKSmpVmt1La1woeU8pMLSqbT28txU3wWCzzg%40mail.gmail.com.
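
A diagnostic for the error in the message above, as an added example that is not part of the original thread: these shell functions count inotify instances (file descriptors whose link target is anon_inode:inotify) per process and per effective UID, which is the figure to compare with fs.inotify.max_user_instances. The function names and the overridable proc root are assumptions made for illustration. The limit is accounted per user, so other processes running under the same UID in the same user namespace count toward it.

```shell
#!/bin/sh
# Added example, not from the thread. The proc root is overridable so the
# logic can be exercised on a constructed directory tree.

# inotify_by_pid [proc_root]
# Prints "<instances> <pid> <euid>" for each process holding inotify instances,
# highest count first. Unreadable fd directories (other users) are skipped.
inotify_by_pid() {
    root="${1:-/proc}"
    for piddir in "$root"/[0-9]*; do
        [ -d "$piddir/fd" ] || continue
        n=0
        for fd in "$piddir"/fd/*; do
            # One inotify instance is one fd whose target is anon_inode:inotify.
            target=$(readlink "$fd" 2>/dev/null) || continue
            if [ "$target" = "anon_inode:inotify" ]; then
                n=$((n + 1))
            fi
        done
        [ "$n" -gt 0 ] || continue
        # Third field of the Uid: line in status is the effective UID.
        uid=$(awk '/^Uid:/ { print $3; exit }' "$piddir/status" 2>/dev/null) || uid=""
        echo "$n ${piddir##*/} ${uid:-?}"
    done | sort -rn
}

# inotify_by_uid [proc_root]
# Prints "<euid> <total instances>", one line per user.
inotify_by_uid() {
    inotify_by_pid "${1:-/proc}" |
        awk '{ sum[$3] += $1 } END { for (u in sum) print u, sum[u] }' | sort
}

# inotify_at_limit <limit> [proc_root]
# Prints the UIDs whose total has reached the given limit.
inotify_at_limit() {
    inotify_by_uid "${2:-/proc}" | awk -v lim="$1" '$2 >= lim { print $1 }'
}

# Live run: pass "live" as the first argument (use root to see all processes).
if [ "${1:-}" = "live" ]; then
    limit=$(cat /proc/sys/fs/inotify/max_user_instances)
    echo "fs.inotify.max_user_instances = $limit"
    inotify_by_pid
    echo "UIDs at limit: $(inotify_at_limit "$limit")"
fi
```

Run it on the Docker host rather than inside the container to see every process charged to the same UID.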


Re: [cas-user] Issue with LPPE and memcached ticket registry

2019-04-29 Thread Windham, Gary D - (windhamg)
Doug, thank you very much for your feedback and the workaround. That does, 
indeed, fix the immediate issue at hand. Hopefully the Kryo serialization issue 
will be resolved soon.

Thanks again!
--Gary

--

Gary Windham

Principal Enterprise Systems Architect

University Information Technology Services

The University of Arizona



Email: windh...@email.arizona.edu

Office: +1 520 626 5981


On Sun, Apr 28, 2019 at 8:26 PM Doug Campbell 
<wdouglascampb...@gmail.com> wrote:
I don’t know if this is an ideal workaround but I found in my case if I changed 
the transcoder setting from KRYO to SERIAL that everything started working 
great.

cas.ticket.registry.memcached.transcoder: SERIAL

In the documentation it recommends using KRYO stating “This component is 
recommended over the default Java serialization mechanism since it produces 
much more compact data, which benefits both storage requirements and 
throughput.”  There are two other options as well:  WHALIN and WHALINV1.

I am not sure if it really matters which one but since the use of KRYO seems 
buggy maybe the recommendation for using it is no longer the best.


From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Doug 
Campbell
Sent: Monday, April 29, 2019 10:36 AM
To: cas-user@apereo.org
Subject: RE: [cas-user] Issue with LPPE and memcached ticket registry

Gary,

I don’t have an answer but I saw this same error yesterday when I was testing 
proxy authentication on my CAS 6.0.3 test setup.  In my case I haven’t 
configured LPPE.  I did try disabling it just now but that seemed to have no 
effect as the error still occurs.  In my case I am using spymemcache and not 
AWS Elasticache.  For now I have switched back to the default InMemory ticket 
registry and proxy authentication works fine with that.

If I figure out anything I will let you know and if you discover a solution 
please do report back.

Thanks!

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Windham, 
Gary D - (windhamg)
Sent: Monday, April 29, 2019 9:28 AM
To: cas-user@apereo.org
Subject: [cas-user] Issue with LPPE and memcached ticket registry

Hi all,

I've been building/testing CAS v6.1.0 (HEAD), and was getting along fairly well 
until I ran into an error with LPPE and the memcached ticket registry I'm using.

I am using 389 Directory server for LDAP authentication and have password 
policy configured as follows:

# LDAP Password Policy Enforcement (LPPE) parameters
cas.authn.ldap[0].passwordPolicy.type=GENERIC
cas.authn.ldap[0].passwordPolicy.enabled=true
cas.authn.ldap[0].passwordPolicy.policyAttributes.accountLocked=javax.security.auth.login.AccountLockedException
cas.authn.ldap[0].passwordPolicy.loginFailures=6
cas.authn.ldap[0].passwordPolicy.warningAttributeValue=
cas.authn.ldap[0].passwordPolicy.warningAttributeName=
cas.authn.ldap[0].passwordPolicy.displayWarningOnMatch=true
cas.authn.ldap[0].passwordPolicy.warnAll=true
cas.authn.ldap[0].passwordPolicy.warningDays=30
cas.authn.ldap[0].passwordPolicy.accountStateHandlingEnabled=true
cas.authn.ldap[0].passwordPolicy.strategy=DEFAULT

I am using memcached (with AWS Elasticache support) and am using all of the 
defaults (just setting cas.ticket.registry.memcached.servers to the 
configuration endpoint node).

When I disable LPPE, everything works as expected (I can log in, get a TGC, ST 
validation works, etc.). When I enable LPPE and set my password expiration date 
to a threshold within 30 days, I get the expected "your password is about to 
expire" page, with the green "Continue" button. When I click that, I'm 
redirected to the CAS login page and the following errors appear in the log:

2019-04-29 01:10:22,684 ERROR 
[org.apereo.cas.ticket.registry.MemcachedTicketRegistry] - 
com.esotericsoftware.kryo.KryoException: 
com.esotericsoftware.kryo.KryoException: java.lang.IllegalArgumentException: 
Class is not registered: 
org.apereo.cas.authentication.support.password.PasswordExpiringWarningMessageDescriptor
Note: To register this class use: 
kryo.register(org.apereo.cas.authentication.support.password.PasswordExpiringWarningMessageDescriptor.class);

<...followed by big stack trace...>

Is there something I'm overlooking, or failed to add, in my config? Any 
pointers appreciated!

Thanks,
--Gary

--

Gary Windham

Principal Enterprise Systems Architect

University Information Technology Services

The University of Arizona



Email: windh...@email.arizona.edu

Office: +1 520 626 5981

[cas-user] Issue with LPPE and memcached ticket registry

2019-04-28 Thread Windham, Gary D - (windhamg)
Hi all,

I've been building/testing CAS v6.1.0 (HEAD), and was getting along fairly well 
until I ran into an error with LPPE and the memcached ticket registry I'm using.

I am using 389 Directory server for LDAP authentication and have password 
policy configured as follows:

# LDAP Password Policy Enforcement (LPPE) parameters
cas.authn.ldap[0].passwordPolicy.type=GENERIC
cas.authn.ldap[0].passwordPolicy.enabled=true
cas.authn.ldap[0].passwordPolicy.policyAttributes.accountLocked=javax.security.auth.login.AccountLockedException
cas.authn.ldap[0].passwordPolicy.loginFailures=6
cas.authn.ldap[0].passwordPolicy.warningAttributeValue=
cas.authn.ldap[0].passwordPolicy.warningAttributeName=
cas.authn.ldap[0].passwordPolicy.displayWarningOnMatch=true
cas.authn.ldap[0].passwordPolicy.warnAll=true
cas.authn.ldap[0].passwordPolicy.warningDays=30
cas.authn.ldap[0].passwordPolicy.accountStateHandlingEnabled=true
cas.authn.ldap[0].passwordPolicy.strategy=DEFAULT

I am using memcached (with AWS Elasticache support) and am using all of the 
defaults (just setting cas.ticket.registry.memcached.servers to the 
configuration endpoint node).

When I disable LPPE, everything works as expected (I can log in, get a TGC, ST 
validation works, etc.). When I enable LPPE and set my password expiration date 
to a threshold within 30 days, I get the expected "your password is about to 
expire" page, with the green "Continue" button. When I click that, I'm 
redirected to the CAS login page and the following errors appear in the log:

2019-04-29 01:10:22,684 ERROR 
[org.apereo.cas.ticket.registry.MemcachedTicketRegistry] - 
com.esotericsoftware.kryo.KryoException: 
com.esotericsoftware.kryo.KryoException: java.lang.IllegalArgumentException: 
Class is not registered: 
org.apereo.cas.authentication.support.password.PasswordExpiringWarningMessageDescriptor
Note: To register this class use: 
kryo.register(org.apereo.cas.authentication.support.password.PasswordExpiringWarningMessageDescriptor.class);

<...followed by big stack trace...>

Is there something I'm overlooking, or failed to add, in my config? Any 
pointers appreciated!

Thanks,
--Gary

--

Gary Windham

Principal Enterprise Systems Architect

University Information Technology Services

The University of Arizona



Email: windh...@email.arizona.edu

Office: +1 520 626 5981

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CABpeFHGDx0-TPBmE-tMCmpfcgvr1eSUMhQF0xygfka%3DxXxzKVA%40mail.gmail.com.