RE: [cas-user] LPPE expired password flow

2015-04-24 Thread Misagh Moayyed
Yes, you should be able to set providers with CAS4. What I don't know for 
sure is whether it would help with this particular problem, but it seems 
nonetheless something you may want to set.



The solution is probably something that you need to configure with your ldap 
source. It is returning the wrong flag, or as Daniel mentioned, you may want 
to experiment with grace logins.



From: Raymond Drew Walker [mailto:ray.wal...@nau.edu]
Sent: Thursday, April 23, 2015 1:52 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] LPPE expired password flow



I had pretty much the same thing written up… (good to know I'm on the right 
track!) at least for the effect of the 
"org.ldaptive.DefaultConnectionFactory" based bean. This did not work.



I should mention that I’m running CAS 4.0.0. Is your posted solution 
expected to work on this version?



-- 

Raymond Walker
Software Systems Engineer StSp.
ITS Northern Arizona University



From: Misagh Moayyed
Reply-To: "cas-user@lists.jasig.org  "
Date: Tuesday, April 21, 2015 at 11:06 AM
To: "cas-user@lists.jasig.org  "
Subject: RE: [cas-user] LPPE expired password flow



I’ll attempt to update our docs, but for the time being, this should work 
for you:

https://github.com/Jasig/cas/blob/master/cas-server-support-ldap/src/test/resources/ldap-context.xml#L42



You’ll also need to make sure the ldaptive-unboundid dependency is available 
to CAS in your pom.





<dependency>
  <groupId>org.ldaptive</groupId>
  <artifactId>ldaptive-unboundid</artifactId>
  <version>${ldaptive.version}</version>
  <scope>runtime</scope>
</dependency>







From: Raymond Drew Walker [mailto:ray.wal...@nau.edu]
Sent: Tuesday, April 21, 2015 10:53 AM
To: cas-user@lists.jasig.org 
Subject: Re: [cas-user] LPPE expired password flow



Misagh,



I’m still looking into options for the UnboundID response modification.



Ldaptive’s documentation is lacking in the area of provider specification, 
at least for Spring.



Rather, it’s only mentioned as a JVM property setting: 
http://www.ldaptive.org/docs/guide/providers#TOC-UnboundID-Provider



If possible, I’d rather opt to configuring this in the 
deployerConfigContext.xml. Is this possible? If so, how? I’ve tried a few 
different attempts to make this happen, but have been unsuccessful as of 
yet.

-- 

Raymond Walker
Software Systems Engineer StSp.
ITS Northern Arizona University



From: Misagh Moayyed
Reply-To: "cas-user@lists.jasig.org  "
Date: Tuesday, April 21, 2015 at 9:16 AM
To: "cas-user@lists.jasig.org  "
Subject: RE: [cas-user] LPPE expired password flow



So it looks like, judging by your logs, that CAS is handling the error 
correctly. In both cases, the error that is returned from the authentication 
event is password-expired. This may be an issue with your UnboundID 
provider.



In your DefaultConnectionFactory, are you specifying the provider as 
UnboundID? That might help better translate the error for CAS.



From: Raymond Drew Walker [mailto:ray.wal...@nau.edu]
Sent: Tuesday, April 21, 2015 8:47 AM
To: cas-user@lists.jasig.org 
Subject: Re: [cas-user] LPPE expired password flow



Misagh,



The answer to your first question is yes.



Our authn source is LDAP (UnboundID).



The login-webflow.xml is stock so there is no transition config to post 
(unless I’m misunderstanding your request.)



From what I can tell from the logs, the difference between the two scenarios 
is only contained in the extended LDAP response information, not any response 
codes.



The logs look something like this:



Good password & Expired (note: “LDAP: error code 49 - Rejecting a bind 
request for user X=X,ou=people,dc=nau,dc=edu because that user's password is 
expired")

2015-04-08 13:34:36,777 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - LDAP response: [org.ldaptive.auth.AuthenticationResponse@1168138181::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, ldapEntry=[dn=X=X,ou=people,dc=nau,dc=edu[]], accountState=[org.ldaptive.auth.ext.PasswordPolicyAccountState@602907193::accountWarnings=null, accountErrors=[PASSWORD_EXPIRED]], result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - Rejecting a bind request for user X=X,ou=people,dc=nau,dc=edu because that user's password is expired], controls=[[org.ldaptive.control.PasswordPolicyControl@1215014544::criticality=false, timeBeforeExpiration=0, graceAuthNsRemaining=0, error=PASSWORD_EXPIRED]]]

2015-04-08 13:34:36,778 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Applying password policy to [org.ldaptive.auth.AuthenticationResponse@1168138181::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, ldapEntry=[dn=naueduregid=X,ou=people,dc=nau,dc=edu[]], accountState=[org.ldaptive.auth.ext.PasswordPolicyAccountState@602907193::accountWarnings
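
The thread turns on whether the two scenarios (wrong password vs. correct but expired password) really differ only in the extended LDAP response. The following is an added example, not code from the thread, from CAS or from ldaptive: a small parser that pulls the password-policy fields out of LdapAuthenticationHandler "LDAP response:" DEBUG lines so two captures can be diffed mechanically instead of by eye. The log lines embedded below are constructed to match the shape of the output quoted above (the DNs and object hash codes are placeholders), and the bad-password line is an assumption about what that scenario looks like, not a capture from the poster's system.

```python
import re

# Constructed sample lines modelled on the DEBUG output quoted in the thread.
# DNs, hash codes and timestamps are placeholders, not real data.
EXPIRED_LINE = (
    "2015-04-08 13:34:36,777 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - "
    "LDAP response: [org.ldaptive.auth.AuthenticationResponse@1168138181::"
    "authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, "
    "ldapEntry=[dn=uid=jdoe,ou=people,dc=example,dc=edu[]], "
    "accountState=[org.ldaptive.auth.ext.PasswordPolicyAccountState@602907193::"
    "accountWarnings=null, accountErrors=[PASSWORD_EXPIRED]], result=false, "
    "resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: "
    "[LDAP: error code 49 - Rejecting a bind request for user uid=jdoe,ou=people,dc=example,dc=edu "
    "because that user's password is expired], "
    "controls=[[org.ldaptive.control.PasswordPolicyControl@1215014544::criticality=false, "
    "timeBeforeExpiration=0, graceAuthNsRemaining=0, error=PASSWORD_EXPIRED]]]"
)

# Assumed shape of a plain wrong-password response: no account state, no policy control.
BAD_PASSWORD_LINE = (
    "2015-04-08 13:35:01,002 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - "
    "LDAP response: [org.ldaptive.auth.AuthenticationResponse@55::"
    "authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, "
    "ldapEntry=[dn=uid=jdoe,ou=people,dc=example,dc=edu[]], accountState=null, result=false, "
    "resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: "
    "[LDAP: error code 49 - Invalid Credentials], controls=[]]"
)

# Field extractors; the lowercase 'resultCode' does not match 'authenticationResultCode'.
_FIELD_PATTERNS = {
    "result_code": re.compile(r"\bresultCode=(\w+)"),
    "account_errors": re.compile(r"accountErrors=\[([^\]]*)\]"),
    "account_warnings": re.compile(r"accountWarnings=(null|\[[^\]]*\])"),
    "time_before_expiration": re.compile(r"timeBeforeExpiration=(-?\d+)"),
    "grace_remaining": re.compile(r"graceAuthNsRemaining=(-?\d+)"),
    "control_error": re.compile(r"PasswordPolicyControl@\w+::.*?\berror=(\w+)"),
}


def parse_ldap_response(line):
    """Extract the password-policy relevant fields from one 'LDAP response:' line.
    Returns None for lines that are not LDAP response dumps; absent fields are None/[]."""
    if "LDAP response:" not in line:
        return None
    parsed = {"has_ppolicy_control": "org.ldaptive.control.PasswordPolicyControl" in line}
    for key, pattern in _FIELD_PATTERNS.items():
        m = pattern.search(line)
        parsed[key] = m.group(1) if m else None
    # accountErrors is a comma-separated list inside brackets, possibly empty
    raw_errors = parsed["account_errors"] or ""
    parsed["account_errors"] = [e.strip() for e in raw_errors.split(",") if e.strip()]
    for key in ("time_before_expiration", "grace_remaining"):
        parsed[key] = int(parsed[key]) if parsed[key] is not None else None
    return parsed


def classify(parsed):
    """Summarise what the directory told CAS, so two captures can be compared."""
    if parsed is None:
        return "NOT_AN_LDAP_RESPONSE_LINE"
    expired = ("PASSWORD_EXPIRED" in parsed["account_errors"]
               or parsed["control_error"] == "PASSWORD_EXPIRED")
    if expired:
        # grace logins are the lever Daniel suggested experimenting with
        if parsed["grace_remaining"]:
            return "PASSWORD_EXPIRED_GRACE_LOGINS_LEFT"
        return "PASSWORD_EXPIRED_NO_GRACE"
    if parsed["result_code"] == "INVALID_CREDENTIALS":
        return "INVALID_CREDENTIALS_NO_POLICY_ERROR"
    if parsed["result_code"] == "SUCCESS":
        return "SUCCESS"
    return "OTHER:" + str(parsed["result_code"])


def diff_responses(a, b):
    """Return the parsed fields whose values differ between two responses."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


if __name__ == "__main__":
    expired = parse_ldap_response(EXPIRED_LINE)
    bad = parse_ldap_response(BAD_PASSWORD_LINE)
    print(classify(expired), classify(bad))
    for field, (x, y) in sorted(diff_responses(expired, bad).items()):
        print(f"{field}: expired={x!r} bad_password={y!r}")
```

Run against real captures (one per scenario), the diff shows whether the directory is sending a PasswordPolicyControl with error=PASSWORD_EXPIRED at all; if it is, the flow problem lies in how the provider translates that control for CAS, which is where the thread ends up.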

RE: [cas-user] login throttling using DB in CAS 4.0.0

2015-04-24 Thread Misagh Moayyed
I don't think you have. You are probably experiencing this issue:

https://github.com/Jasig/cas/pull/455 

 

Are you able to try 4.1-SNAPSHOT? This should not happen anymore.

 

From: Jason [mailto:jasoncha...@gmail.com] 
Sent: Thursday, April 23, 2015 7:49 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] login throttling using DB in CAS 4.0.0

 

I added the following in deployerConfigContext.xml,

 

 

 



  



 



 



 

and revised the cas-servlet.xml to,

 









   







 

After that, I made a few failed logins, and found that the database is
storing the following entries,

 

AUD_USER      | AUD_CLIENT_IP | AUD_SERVER_IP | AUD_RESOURCE                            | AUD_ACTION                         | APPLIC_CD | AUD_DATE
audit:unknown | 127.0.0.1     | 127.0.0.1     | supplied credentials: [userid+password] | AUTHENTICATION_FAILED              | CAS       | 2015-04-23 10:27:23.505
audit:unknown | 127.0.0.1     | 127.0.0.1     | 1 errors, 0 successes                   | TICKET_GRANTING_TICKET_NOT_CREATED | CAS       | 2015-04-23 10:27:23.505

 

while the throttling query in
InspektrThrottledSubmissionByIpAddressAndUsernameHandlerInterceptorAdapter
.execeedsThreshold() method is passing username "[username: userid]",
which doesn't match the username stored in the database, so it's not able
to throttle the login.

 

I would like to know if there is anything I might miss in the
configuration. Thanks.

 
-- 
You are currently subscribed to cas-user@lists.jasig.org
  as: mmoay...@unicon.net
 
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
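
The mismatch Jason describes (rows stored under "audit:unknown" while the throttle queries for "[username: userid]") can be reproduced without a database. The following is an added example, not code from the thread or from CAS/Inspektr: it models the by-IP-and-username threshold check over constructed audit rows in the column layout shown above, first with the principal recorded as the literal "audit:unknown" and then with the principal recorded as the attempted username (that second layout is an assumption about correct behaviour, not something the thread states about 4.1). The window, threshold and row values are constructed.

```python
from datetime import datetime, timedelta

FAILURE_ACTION = "AUTHENTICATION_FAILED"


def make_failure_row(user_key, client_ip, when):
    """Build one audit row in the column layout quoted in the thread.
    All values are constructed sample data, not real audit records."""
    return {
        "AUD_USER": user_key,
        "AUD_CLIENT_IP": client_ip,
        "AUD_SERVER_IP": "127.0.0.1",
        "AUD_RESOURCE": "supplied credentials: [userid+password]",
        "AUD_ACTION": FAILURE_ACTION,
        "APPLIC_CD": "CAS",
        "AUD_DATE": when,
    }


NOW = datetime(2015, 4, 23, 10, 27, 30)

# Rows as the poster saw them: every failed login is recorded under the
# literal "audit:unknown", so all users behind one address share a key.
BROKEN_ROWS = [
    make_failure_row("audit:unknown", "127.0.0.1", NOW - timedelta(seconds=s))
    for s in (1, 3, 5)
] + [make_failure_row("audit:unknown", "10.0.0.9", NOW - timedelta(seconds=2))]

# Rows as one would expect once the audit principal is the attempted username
# (assumed layout, not taken from the thread): each user gets its own key.
FIXED_ROWS = [
    make_failure_row("userid", "127.0.0.1", NOW - timedelta(seconds=s))
    for s in (1, 3, 5)
] + [make_failure_row("otheruser", "127.0.0.1", NOW - timedelta(seconds=2))]


def count_recent_failures(rows, client_ip, username, now, window_seconds):
    """Count failed logins for this (client IP, username) pair inside the window.
    This is the shape of the query a by-IP-and-username throttle performs."""
    cutoff = now - timedelta(seconds=window_seconds)
    return sum(
        1
        for r in rows
        if r["AUD_ACTION"] == FAILURE_ACTION
        and r["AUD_CLIENT_IP"] == client_ip
        and r["AUD_USER"] == username
        and cutoff <= r["AUD_DATE"] <= now
    )


def exceeds_threshold(rows, client_ip, username, now, window_seconds, failure_threshold):
    """True when the pair has reached the failure threshold and should be throttled."""
    count = count_recent_failures(rows, client_ip, username, now, window_seconds)
    return count >= failure_threshold


if __name__ == "__main__":
    # The key the interceptor queries with never matches the stored key,
    # so the three failures from 127.0.0.1 are not counted at all.
    print(count_recent_failures(BROKEN_ROWS, "127.0.0.1", "[username: userid]", NOW, 60))
    # With the principal recorded as the username, the same three failures trip
    # a threshold of 3, while the other user's single failure does not.
    print(exceeds_threshold(FIXED_ROWS, "127.0.0.1", "userid", NOW, 60, 3))
    print(exceeds_threshold(FIXED_ROWS, "127.0.0.1", "otheruser", NOW, 60, 3))
```

The check only works when the key written by the audit layer and the key queried by the interceptor are the same string; until they are, the threshold is silently never reached, which is the symptom reported above.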



[cas-user] CAS 4.0.1 and Inspektr audit logging

2015-04-24 Thread Maxwell, Gary
We are curious to find out if anyone has been successful in writing audit 
information to the database using Inspektr with Cas 4.x?

Thanks
- Gary




RE: [cas-user] CAS 4.0.1 and Inspektr audit logging

2015-04-24 Thread Misagh Moayyed
Yes, as a matter of simple exercise though to chase down a possible bug
last night. It was pretty simple to set up. 

 

Did you need instructions?

 

From: Maxwell, Gary [mailto:maxwel...@fortlewis.edu] 
Sent: Friday, April 24, 2015 7:24 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] CAS 4.0.1 and Inspektr audit logging

 

We are curious to find out if anyone has been successful in writing audit
information to the database using Inspektr with Cas 4.x?

 

Thanks

- Gary 

 

 


Re: [cas-user] CASifying web applications

2015-04-24 Thread Milt Epstein
I believe you said you're using CAS 4.0.x/4.x.  I'll just add that you
may need the latest version of mod_auth_cas with that, which I believe
isn't yet the official release.  If you have any trouble/questions
with that, you can ask on this list or on the mod_auth_cas_dev list
(or just search those lists).

Milt Epstein
Programmer in Computational Genomics
Institute for Genomic Biology (IGB)
University of Illinois at Urbana-Champaign (UIUC)
mepst...@illinois.edu


On Thu, 23 Apr 2015, Paul B. Henson wrote:

> On Thu, Apr 23, 2015 at 02:37:47PM -0700, Andrew Morgan wrote:
> 
> > I have several Perl apps that I wanted to CASify.  I looked at a few of 
> > the Perl modules for CAS and didn't like what I saw, so I used 
> > mod_auth_cas instead.  I'm very happy with mod_auth_cas.  It's very easy 
> > to check $ENV{'REMOTE_USER'} in Perl.  :)
> 
> Unfortunately, I've got one mod_perl app that needs to accept proxy
> auth, and another that needs to initiate it, so mod_auth_cas isn't going
> to cut it for those :(. But thanks for the opinion of mod_auth_cas, that
> will handle a lot of our needs.
> 
> 
> -- 
> Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
> Operating Systems and Network Analyst  |  hen...@cpp.edu
> California State Polytechnic University  |  Pomona CA 91768
> 



RE: [cas-user] CASifying web applications

2015-04-24 Thread Paul B. Henson
> From: Milt Epstein
> Sent: Friday, April 24, 2015 7:38 AM
> 
> I believe you said you're using CAS 4.0.x/4.x.  I'll just add that you
> may need the latest version of mod_auth_cas with that, which I believe
> isn't yet the official release.

Actually, we're not; I was just using the existence of the newer CAS protocol 
and the lack of any recent changes in some of the CAS clients as an argument 
that they might not be maintained. But thanks for the tip, I will keep that in 
mind. We will probably upgrade by the end of the year.

Thanks...

--
Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
Operating Systems and Network Analyst  |  hen...@cpp.edu
California State Polytechnic University  |  Pomona CA 91768


