RE: [cas-user] CAS-MFA (rc6) and Radius

2015-07-28 Thread Misagh Moayyed
Sounds like a bug. Please open up an issue and we'll look into this. 

 

From: Michael O Holstein [mailto:michael.holst...@csuohio.edu] 
Sent: Monday, July 27, 2015 10:42 AM
To: cas-user@lists.jasig.org
Subject: Re:[cas-user] CAS-MFA (rc6) and Radius

 

Sorry to repost .. but even after picking through this over the weekend, I
still can't find why the principal doesn't seem to get transferred between
(RadiusAuthenticationHandler) back to (AuthenticationManagerImpl)

 

This is a vanilla install pulled from cas-mfa-rc6 .. 

 

Specifically, how this :

2015-07-27 13:01:26,822 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - org.jasig.cas.adaptors.radius.authentication.handler.support.RadiusAuthenticationHandler successfully authenticated [username: 1234567]

Goes to this :

2015-07-27 13:01:26,822 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - Resolved principal null

The only place CredentialsToPrincipalResolver exists is here inside
deployerConfigContext.xml :

and also of interest .. the first stage (LDAP) is called with this :

org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver

but the second stage (RADIUS) is called from here :

org.jasig.cas.authentication.AuthenticationManagerImpl

Removing the authn_method requiring 'radius-two-factor' .. and everything
(auth, release) works as it should.

 

Logging turned to 11 .. here are the relevant bits .. the username is
obfuscated below, but is of all-numeric form as shown.

 

2015-07-27 13:01:26,822 DEBUG [net.unicon.cas.mfa.authentication.radius.JRadiusServerImpl] - Authentication request succeeded for host: [debauh1.csuohio.edu] and username [1234567]
2015-07-27 13:01:26,822 TRACE [org.jasig.cas.adaptors.radius.authentication.handler.support.RadiusAuthenticationHandler] - Leaving method [authenticate] with return value [true].
2015-07-27 13:01:26,822 TRACE [org.jasig.cas.authentication.principal.UsernamePasswordCredentials] - Entering method [toString with arguments []
2015-07-27 13:01:26,822 TRACE [org.jasig.cas.authentication.principal.UsernamePasswordCredentials] - Leaving method [toString] with return value [[username: 1234567]].
2015-07-27 13:01:26,822 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - org.jasig.cas.adaptors.radius.authentication.handler.support.RadiusAuthenticationHandler successfully authenticated [username: 1234567]
2015-07-27 13:01:26,822 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - Resolved principal null
2015-07-27 13:01:26,822 DEBUG [org.jasig.cas.authentication.AuthenticationManagerImpl] - CredentialsToPrincipalResolver found but no principal returned.
2015-07-27 13:01:26,822 TRACE [org.jasig.cas.authentication.AuthenticationManagerImpl] - Leaving method [authenticate] with return value [null].
2015-07-27 13:01:26,822 TRACE [org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException] - Entering method [getCode with arguments []
2015-07-27 13:01:26,822 TRACE [org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException] - Leaving method [getCode] with return value [error.authentication.credentials.bad].
2015-07-27 13:01:26,824 TRACE [org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException] - Entering method [toString with arguments []
2015-07-27 13:01:26,824 TRACE [org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException] - Entering method [getCode with arguments []
2015-07-27 13:01:26,824 TRACE [org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException] - Leaving method [getCode] with return value [error.authentication.credentials.bad].
2015-07-27 13:01:26,824 TRACE [org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException] - Leaving method [toString] with return value [error.authentication.credentials.bad].
2015-07-27 13:01:26,823 ERROR [net.unicon.cas.mfa.web.flow.TerminatingMultiFactorAuthenticationViaFormAction] - 
error.authentication.credentials.bad
at org.jasig.cas.authentication.hand

 

TIA,

 

Michael Holstein

Cleveland State University

 

From: Michael O Holstein <michael.holst...@csuohio.edu>
Sent: Friday, July 24, 2015 4:20 PM
To: cas-user@lists.jasig.org
Subject: [cas-user] CAS-MFA (rc6) and Radius


Any ideas as to what I've done wrong here? .. this worked fine in RC2 ..
but now I get a successful LDAP auth and a successful radiusOTP auth, but
somewhere in the mix the principal gets lost.

 

CredentialsToPrincipalResolver gets invoked (and works fine on primary
auth) .. how does it get lost during MFA?

 

2015-07-24 16:11:38,085 DEBUG [net.unicon.cas.mfa.authentication.radius.JRadiusServerImpl] - Authentication request succeeded for host: [myradius] and username [bob123]

2015-07-24 16:11:38,085 INFO
[org.jasig.cas.a

RE: [cas-user] Attribute repository with multiple different sources

2015-07-28 Thread Tom O'Neill
Geoff,

In the past with CAS 3.5.x I've used a merging attribute repository to 
implement the behavior you are describing.
Each attribute repository can have its own search filter and there are multiple 
strategies for how merging occurs when the attribute is available from both 
sources.
The options for attribute release in CAS 4 are outlined in the github hosted 
documentation:
http://jasig.github.io/cas/4.0.x/integration/Attribute-Release.html

Hopefully that helps!

Thanks,

    Tom O'Neill
    Senior Consultant
    Strata Information Group

-Original Message-
From: Whittaker, Geoffrey [mailto:geoff.whitta...@unf.edu] 
Sent: Monday, July 27, 2015 11:20 AM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] Attribute repository with multiple different sources

I'd thought of that, but was worried how cas might react.  I'll do a test
build of that and see what happens.  I'm also looking at the possibility of
adding the CN field to the second LDAP source.  

Geoff 

-Original Message-
From: Waldbieser, Carl [mailto:waldb...@lafayette.edu] 
Sent: Monday, July 27, 2015 9:23 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Attribute repository with multiple different sources

Geoffrey,

Can you just map both 'uid' and 'cn' to 'UDC_IDENTIFIER'?  I could see a
potential issue with that if one directory supports both attributes and
there would be some potential ambiguity about which attribute would actually
end up being mapped.

I am guessing there is likely to be a solution to this baked into CAS.

You can also handle this by manipulating the LDAP response before it reaches
CAS with an LDAP proxy.  Specifically, you could convert the 'cn' attribute
in the response of LDAP2 to 'uid'.
I wrote a blurb on setting up an LDAP proxy [1], though I am just noticing
that my code formatting was messed up.  A well-formatted code example can be
found on github[2].
This is a more heavy-handed approach, so I'd probably try experimenting with
CAS attribute mappings first.
  

Thanks,
Carl Waldbieser

[1] https://lifeonlayer7.wordpress.com/2015/07/18/ldap-proxy/
[2] https://github.com/twisted/ldaptor/blob/master/docs/source/cookbook/ldap-proxy.rst

- Original Message -
From: "Geoffrey Whittaker" 
To: cas-user@lists.jasig.org
Sent: Monday, July 27, 2015 7:36:19 AM
Subject: [cas-user] Attribute repository with multiple different sources

I have CAS4 with two LDAP Auth Handlers.  The first is pointed at my local
Active Directory (LDAP1) which has my Employees, Staff, Faculty, etc..  The
second is pointed at another LDAP server (ldap2) which contains alumni,
parents, and other 'special' people.  

 

Currently, if the search of LDAP1 fails CAS falls through to LDAP2.  In the
past, it's been sufficient for those people only in LDAP2 to merely
authenticate.  Now, I need to get an attribute from that directory and map
it to the attribute map to the same field that LDAP1 would use.  The problem
is the name of the fields is different.  In LDAP1 the field is 'cn' in LDAP2
the field is 'uid'.  I somehow have to get that value from into a custom
Attribute field we called UDC_IDENTIFIER regardless of the directory.

 

Can I have more than one attribute repository, and if can someone point to
an example config?

 

 

 

Am I making this too complicated?  Is there another way to handle this?  

 

Thanks


--
You are currently subscribed to cas-user@lists.jasig.org as:
geoff.whitta...@unf.edu To unsubscribe, change settings or access archives,
see http://www.ja-sig.org/wiki/display/JSG/cas-user




RE: Re:[cas-user] Problem with JPA ticket Registry

2015-07-28 Thread Whittaker, Geoffrey
For what it’s worth, I had lots of issues with JPA using MSSQL as the
backend for my CAS4 cluster.  We got lots of deadlocks that would frequently
take the system offline.  I was never able to fully solve that.

 

Finally, we went to ehcache for the ticket registries and while it’s not
persistent, I rarely if ever have to drop all the servers at once anyway.
It took a little tuning, but is working fine for us now.

 

Geoff 

 

From: Damiano Biagioli [mailto:d.biagi...@esc2.it] 
Sent: Wednesday, July 22, 2015 3:02 AM
To: cas-user@lists.jasig.org
Subject: Re: Re:[cas-user] Problem with JPA ticket Registry

 

Thanks for the reply! Do you have any documentation about the  configuration
of  redis and CAS ? 

 

Damiano 

From: 魏军 <wei...@opark.com>
Sent: Wednesday, July 22, 2015 03:32
To: cas-user@lists.jasig.org
Subject: Re:[cas-user] Problem with JPA ticket Registry

 

I'm using a Redis server for TicketRegistry.

 

 

-- Original --

From: "Damiano Biagioli" <d.biagi...@esc2.it>
Date: Tue, Jul 21, 2015 06:17 PM
To: "cas-user" <cas-user@lists.jasig.org>
Subject: [cas-user] Problem with JPA ticket Registry

 

Hello Everyone,

First, I'd like to thank Stephan Arts for his answers to my previous
questions. I'm trying to create a clustered CAS deployment; therefore,
all the nodes in the CAS cluster need to access the ticket present in the
ticketRegistry. In order to achieve that objective, I'm trying to use a
JpaTicketRegistry as a shared ticket registry between the CAS cluster nodes.
Do you think it would be better to use EhCache or MemCached instead? I've
come across a weird (I think) problem on a single node test installation of
a CAS using JPATicketRegistry: the TGTs are generated but they are not
inserted in the database, that is, in the hibernate logs (that are
written inside the cas log), there are no "insert", just "select" after a
TGT is created. Am I missing something? I see no errors in the CAS logs.
I'm attaching my ticketRegistry.xml file (without passwords) and some
CAS logs ... I've found that other people have come across the same problem
in the past:

https://groups.google.com/forum/#!topic/jasig-cas-user/lk2cY4TejIg

that is, TGTs are created but are not inserted in the DB ...

 

 

Thanks for any help,

Sorry for my poor english ,

Damiano 



RE: [cas-user] Attribute repository with multiple different sources

2015-07-28 Thread Whittaker, Geoffrey
Thanks Tom.  

That looks like just the ticket (pardon the pun).  Hopefully, I can
incorporate that without too much trouble.

Geoff 

-Original Message-
From: Tom O'Neill [mailto:one...@sigcorp.com] 
Sent: Tuesday, July 28, 2015 10:41 AM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] Attribute repository with multiple different sources

Geoff,

In the past with CAS 3.5.x I've used a merging attribute repository to
implement the behavior you are describing.
Each attribute repository can have its own search filter and there are
multiple strategies for how merging occurs when the attribute is available
from both sources.
The options for attribute release in CAS 4 are outlined in the github hosted
documentation:
http://jasig.github.io/cas/4.0.x/integration/Attribute-Release.html

Hopefully that helps!

Thanks,

    Tom O'Neill
    Senior Consultant
    Strata Information Group

-Original Message-
From: Whittaker, Geoffrey [mailto:geoff.whitta...@unf.edu]
Sent: Monday, July 27, 2015 11:20 AM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] Attribute repository with multiple different sources

I'd thought of that, but was worried how cas might react.  I'll do a test
build of that and see what happens.  I'm also looking at the possibility of
adding the CN field to the second LDAP source.  

Geoff 

-Original Message-
From: Waldbieser, Carl [mailto:waldb...@lafayette.edu]
Sent: Monday, July 27, 2015 9:23 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Attribute repository with multiple different sources

Geoffrey,

Can you just map both 'uid' and 'cn' to 'UDC_IDENTIFIER'?  I could see a
potential issue with that if one directory supports both attributes and
there would be some potential ambiguity about which attribute would actually
end up being mapped.

I am guessing there is likely to be a solution to this baked into CAS.

You can also handle this by manipulating the LDAP response before it reaches
CAS with an LDAP proxy.  Specifically, you could convert the 'cn' attribute
in the response of LDAP2 to 'uid'.
I wrote a blurb on setting up an LDAP proxy [1], though I am just noticing
that my code formatting was messed up.  A well-formatted code example can be
found on github[2].
This is a more heavy-handed approach, so I'd probably try experimenting with
CAS attribute mappings first.
  

Thanks,
Carl Waldbieser

[1] https://lifeonlayer7.wordpress.com/2015/07/18/ldap-proxy/
[2] https://github.com/twisted/ldaptor/blob/master/docs/source/cookbook/ldap-proxy.rst

- Original Message -
From: "Geoffrey Whittaker" 
To: cas-user@lists.jasig.org
Sent: Monday, July 27, 2015 7:36:19 AM
Subject: [cas-user] Attribute repository with multiple different sources

I have CAS4 with two LDAP Auth Handlers.  The first is pointed at my local
Active Directory (LDAP1) which has my Employees, Staff, Faculty, etc..  The
second is pointed at another LDAP server (ldap2) which contains alumni,
parents, and other 'special' people.  

 

Currently, if the search of LDAP1 fails CAS falls through to LDAP2.  In the
past, it's been sufficient for those people only in LDAP2 to merely
authenticate.  Now, I need to get an attribute from that directory and map
it to the attribute map to the same field that LDAP1 would use.  The problem
is the name of the fields is different.  In LDAP1 the field is 'cn' in LDAP2
the field is 'uid'.  I somehow have to get that value from into a custom
Attribute field we called UDC_IDENTIFIER regardless of the directory.

 

Can I have more than one attribute repository, and if can someone point to
an example config?

 

 

 

Am I making this too complicated?  Is there another way to handle this?  

 

Thanks




Re: [cas-user] CAS 4 & LPPE & Active Directory, "accountState=null"

2015-07-28 Thread Mike Seiler
Daniel,

Here's the full trace of the authentication request for my "castester" user.

Thanks,

Mike

On Fri, Jul 24, 2015 at 4:59 PM, Daniel Fisher  wrote:

> On Fri, Jul 24, 2015 at 7:03 PM, Mike Seiler 
> wrote:
>
>> When I log in with my own user account, I also get the accountState=null
>> in the logs, and I am not part of the same group as "castester."
>>
>
> Can you put the org.ldaptive package in debug and post those logs?
>
> --Daniel Fisher
>
>


-- 
*Michael Seiler*
--
Systems Integration Engineer
Fuller Theological Seminary
Phone: (970) 306-6105
michaelsei...@fuller.edu

*Fuller Summer Hours:* Please note that all Fuller offices will be closed
on Fridays from 7/3-8/28
*Mike's Vacation Notice:* From 7/3-8/28 I will also be taking Mondays off,
and will be out of the office for vacation 7/31 - 8/31

*Please NOTE:*
I respond to email at 8 AM, 1PM, and at 4:30PM.  If you need more immediate
help, please contact TSS (626.584.5675) and they can route the issue to the
appropriate person.  If this is a business process life or death emergency,
you may call me at the above number.


Re: [cas-user] CAS SSO User stuck on Login Page

2015-07-28 Thread Juan Quintanilla
Hi,

So after adding some more logging for tomcat and waiting to hear back from 
users who have encountered the issue, we were able to see that within the access 
logs for tomcat there is a post being made for the user. In this case the user 
reported that when they tried to access a particular site they encountered the 
issue of being stuck on the login page.  Below is the post from when the user 
entered their information and then immediately after there is another get for 
the login page which is consistent with what we're seeing.  User enters the 
correct information but is redirected back onto the login page when they hit 
submit, and when bad credentials are entered no error message is displayed in 
the logs or for the user. 

The only thing I did notice is that in the post there was no jsessionid; right 
below is another session for a user which did have a jsessionid and everything 
seemed to go through fine. We are using F5 but currently only one web server is 
in the loop.  Once the browser is closed and cache is cleared they can log in 
with no problem.

- 192.168.150.254 - - [16/Jul/2015:16:34:59 -0400] POST /cas/login?service=https%3A%2F%2Fcasnew.fiu.edu%2Flogin%2F HTTP/1.1 ???>???s - https://CASserver.fiu.edu/cas/login?service=https%3A%2F%2Fcasnew.fiu.edu%2Flogin%2F Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
- 192.168.150.254 - - [16/Jul/2015:16:34:59 -0400] GET /cas/login?service=https%3A%2F%2Fcasnew.fiu.edu%2Flogin%2F HTTP/1.1 ???>???s 5115 https://CASserver.fiu.edu/cas/login?service=https%3A%2F%2Fcasnew.fiu.edu%2Flogin%2F Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
- 192.168.150.254 - - [16/Jul/2015:16:34:59 -0400] GET /cas/themes/default/images/mbg.png HTTP/1.1 ???>???s - https://CASserver.fiu.edu/cas/themes/default/cas.css Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
- 192.168.150.254 - - [16/Jul/2015:16:34:59 -0400] GET /cas/login HTTP/1.1 ???>???s 3433 https://CASserver.fiu.edu/cas/themes/default/cas.css Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0

- 192.168.150.254 - - [16/Jul/2015:16:35:00 -0400] POST /cas/login;jsessionid=AF457B57EE11EB59AC21D945AE91A03D?service=https://shs-portal.fiu.edu/PyramedPortal/CAS HTTP/1.1 ???>???s - https://CASserver.fiu.edu/cas/login?service=https://shs-portal.fiu.edu/PyramedPortal/CAS Mozilla/5.0 (Linux; Android 5.0; SAMSUNG SM-G900T Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
- 192.168.150.254 - - [16/Jul/2015:16:35:00 -0400] GET /cas/serviceValidate?ticket=ST-103981-jhkc23bFgYbXeiIOQ42N-fiusso1.fiu.edu&service=https://shs-portal.fiu.edu/PyramedPortal/CAS HTTP/1.1 ???>???s 190 - -


___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

From: Juan Quintanilla 
Sent: Monday, July 13, 2015 10:40 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS SSO User stuck on Login Page

I'm still working with our network team to verify what they see on their end.

___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

From: Mailvaganam, Hari 
Sent: Saturday, July 11, 2015 1:33 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS SSO User stuck on Login Page

>So now I'm wondering if it still pertains to the F5 not properly allowing the 
>traffic back to the application.

Anything in the firewall logs? Or/and set F5 to verbose logging?
___
From: Juan Quintanilla [jquin...@fiu.edu]
Sent: Friday, July 10, 2015 09:29
To: cas-user@lists.jasig.org
Cc: Joseph Wong
Subject: Re: [cas-user] CAS SSO User stuck on Login Page

Hi,

I will be changing the logging for the tomcat access logs so that I can see a 
little more detail.  Regarding the ldap logs we checked and it seems that 
during the time when the user is having this issue on the CAS login page there 
are no entries in our Ldap logs for an authentication attempt.  So it seems that 
I would probably not find a post in the access logs. The only entry that I 
found for this particular user was after they closed their browser and tried 
logging in again which did generate an error on the login page for invalid 
credentials and once the correct credentials were entered they were able to 
access the page.

So the next check is to see if there is a post being made in the access logs 
for tomcat. Would there not being enough ldap connections in the pool display 
an error in the cas.log? Or what could cause the page to go dead between tomcat 
and CAS?  So now I'm wondering if it still pertains to the F5 not properly 
allowing the traffic back to the application. We are removing one of the 
webservers from the loop so that traffic can go to one server but any other 
tips or suggestions would be greatly appreciated.

___
Juan Quintanilla
UTS - E

[cas-user] Mod_Auth_Cas - Exclude Folder

2015-07-28 Thread Joel Levin
Hi List.

Currently we have 'www.example.com/foobar' protected by CAS - is it
possible to continue to allow all sub-directories to be CAS protected bar 1?

i.e. - we would have the following 
www.example.com/foobar/jane    (CAS protected)
www.example.com/foobar/james   (NOT CAS protected)
www.example.com/foobar/joseph  (CAS protected)
www.example.com/foobar/joshua  (CAS protected)


I am getting a bit tripped by the simultaneous Apache and CAS
configurations - would you have any tips on path to take? Thanks.

 
SSLRequireSSL
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthType CAS
CASScope /
CASRenew Off
CASGateway Off
CASCookie MOD_AUTH_CAS
CASSecureCookie MOD_AUTH_CAS_S
CASGatewayCookie MOD_AUTH_CAS_G
CASAuthNHeader None
require valid-user


Thank you.

JL



Re: [cas-user] Mod_Auth_Cas - Exclude Folder

2015-07-28 Thread Milt Epstein
Don't have any definitive answers, but I'd think you'd be able to do
something like this, say with .htaccess files, Files, and/or
FilesMatch directives (but the devil's in the details).

Milt Epstein
Programmer in Computational Genomics
Institute for Genomic Biology (IGB)
University of Illinois at Urbana-Champaign (UIUC)
mepst...@illinois.edu


On Tue, 28 Jul 2015, Joel Levin wrote:

> Hi List.
> 
> Currently we have 'www.example.com/foobar' protected by CAS - is it possible
> to continue to allow all sub-directories to be CAS protected bar 1?
> 
> i.e. - we would have the following 
> www.example.com/foobar/jane    (CAS protected)
> www.example.com/foobar/james  (NOT CAS protected)
> www.example.com/foobar/joseph    (CAS protected)
> www.example.com/foobar/joshua    (CAS protected)
> 
> 
> I am getting a bit tripped by the simultaneous Apache and CAS configurations
> - would you have any tips on path to take? Thanks.
> 
>  
>         SSLRequireSSL
>         Options ExecCGI
>         AllowOverride None
>         Order allow,deny
>         Allow from all
>         AuthType CAS
>         CASScope /
>         CASRenew Off
>         CASGateway Off
>         CASCookie MOD_AUTH_CAS
>         CASSecureCookie MOD_AUTH_CAS_S
>         CASGatewayCookie MOD_AUTH_CAS_G
>         CASAuthNHeader None
>         require valid-user
> 
> 
> Thank you.
> 
> JL
> 


RE: [cas-user] Mod_Auth_Cas - Exclude Folder

2015-07-28 Thread Neil Sabol
Hi JL,

Right - to second what Milt mentions, you just need a single Satisfy Any 
directive associated with foobar/james.

We use .htaccess (proper AllowOverrides set in main httpd conf), so ours would 
look like this.

.htaccess in foobar folder:
---
AuthType CAS
require valid-user


.htaccess in foobar/james folder:
---
Satisfy Any


I'm sure that is translatable into Directory and Location directives also.

Thanks,
-Neil

-Original Message-
From: Milt Epstein [mailto:mepst...@illinois.edu] 
Sent: Tuesday, July 28, 2015 12:48 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Mod_Auth_Cas - Exclude Folder

Don't have any definitive answers, but I'd think you'd be able to do something 
like this, say with .htaccess files, Files, and/or FilesMatch directives (but 
the devil's in the details).

Milt Epstein
Programmer in Computational Genomics
Institute for Genomic Biology (IGB)
University of Illinois at Urbana-Champaign (UIUC) mepst...@illinois.edu


On Tue, 28 Jul 2015, Joel Levin wrote:

> Hi List.
> 
> Currently we have 'www.example.com/foobar' protected by CAS - is it 
> possible to continue to allow all sub-directories to be CAS protected bar 1?
> 
> i.e. - we would have the following
> www.example.com/foobar/jane    (CAS protected)
> www.example.com/foobar/james  (NOT CAS protected)
> www.example.com/foobar/joseph    (CAS protected)
> www.example.com/foobar/joshua    (CAS protected)
> 
> 
> I am getting a bit tripped by the simultaneous Apache and CAS 
> configurations
> - would you have any tips on path to take? Thanks.
> 
>  
>         SSLRequireSSL
>         Options ExecCGI
>         AllowOverride None
>         Order allow,deny
>         Allow from all
>         AuthType CAS
>         CASScope /
>         CASRenew Off
>         CASGateway Off
>         CASCookie MOD_AUTH_CAS
>         CASSecureCookie MOD_AUTH_CAS_S
>         CASGatewayCookie MOD_AUTH_CAS_G
>         CASAuthNHeader None
>         require valid-user
> 
> 
> Thank you.
> 
> JL
> 

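Added example, not part of any message in this thread: Neil's two .htaccess files written as Location sections in the main server config, using the Apache 2.2 access syntax from Joel's snippet. The URL paths come from Joel's question. Placing his CAS directives in the /foobar section is an assumption, since the container tag of his original block is missing from the archive, and his Options and AllowOverride lines are left out because AllowOverride is only valid in a Directory section.

```apache
# Assumes mod_auth_cas is loaded and its server-level settings
# (CASLoginURL, CASValidateURL, ...) are already configured elsewhere.

# Parent: every URL under /foobar requires a CAS-authenticated user.
<Location /foobar>
    SSLRequireSSL
    Order allow,deny
    Allow from all
    AuthType CAS
    CASScope /
    CASRenew Off
    CASGateway Off
    CASCookie MOD_AUTH_CAS
    CASSecureCookie MOD_AUTH_CAS_S
    CASGatewayCookie MOD_AUTH_CAS_G
    CASAuthNHeader None
    Require valid-user
</Location>

# Exception: keep this section AFTER the parent. <Location> sections are
# merged in the order they appear, so the later, more specific one wins.
<Location /foobar/james>
    # "Satisfy Any" grants access when EITHER the host-based check
    # (Order/Allow) OR the inherited "Require valid-user" check passes.
    # "Allow from all" always passes, so no CAS redirect is issued here.
    Order allow,deny
    Allow from all
    Satisfy Any
</Location>

# Scope of the exception: it covers /foobar/james, /foobar/james/ and
# everything beneath it, but not a sibling such as /foobar/jamesx.
# Nothing served from that subtree can rely on an authenticated user.
#
# Check after reloading: an unauthenticated request for /foobar/jane should
# be redirected (302) to the CAS login URL, while /foobar/james should be
# served directly.
#
# On Apache 2.4, Order/Allow/Satisfy are provided by mod_access_compat;
# the native 2.4 form of the exception is "Require all granted".
```
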
RE: [cas-user] need CAS clients for Microsoft Platform

2015-07-28 Thread Mahantesh Prasad Katti
Thanks Misagh. I have downloaded the libraries. In case I need additional 
information, I will post the same on the forum.

Regards
Prasad

From: Misagh Moayyed [mailto:mmoay...@unicon.net]
Sent: Monday, July 27, 2015 4:15 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] need CAS clients for Microsoft Platform

See https://wiki.jasig.org/display/CASC/ISAPI+Filter

From: Mahantesh Prasad Katti [mailto:mahantesh.ka...@indecomm.net]
Sent: Monday, July 27, 2015 2:08 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] need CAS clients for Microsoft Platform

Hi All,

I am in the process of enabling CAS authentication for cognos. As part of this 
planning to write some ISAPI filter that invoke CAS ticket validation logic. 
Need some info on this.


1. Where can I download the CAS clients for windows platform that I can 
embed in ISAPI filter [is this correct 
http://downloads.jasig.org/cas-clients/dotnet/ ] ?

2. Is there some sample implementation that I can reference?

Regards
Prasad


