Re: [cas-user] CAS 4 LPPE Active Directory, accountState=null
Daniel,

Here's the full trace of the authentication request for my castester user.

Thanks,
Mike

On Fri, Jul 24, 2015 at 4:59 PM, Daniel Fisher <dfis...@vt.edu> wrote:
> On Fri, Jul 24, 2015 at 7:03 PM, Mike Seiler <michaelsei...@fuller.edu> wrote:
>> When I log in with my own user account, I also get the accountState=null in the logs, and I am not part of the same group as castester.
>
> Can you put the org.ldaptive package in debug and post those logs?
>
> --Daniel Fisher

--
You are currently subscribed to cas-user@lists.jasig.org as: michaelsei...@fuller.edu
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user

--
Michael Seiler -- Systems Integration Engineer
Fuller Theological Seminary
Phone: (970) 306-6105
michaelsei...@fuller.edu

Fuller Summer Hours: Please note that all Fuller offices will be closed on Fridays from 7/3-8/28
Mike's Vacation Notice: From 7/3-8/28 I will also be taking Mondays off, and will be out of the office for vacation 7/31 - 8/31
Please NOTE: I respond to email at 8 AM, 1 PM, and at 4:30 PM. If you need more immediate help, please contact TSS (626.584.5675) and they can route the issue to the appropriate person. If this is a business process life or death emergency, you may call me at the above number.
2015-07-28 08:44:09,481 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Attempting LDAP authentication for castester+password
2015-07-28 08:44:09,481 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - resolve user=castester
2015-07-28 08:44:09,481 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - searching for DN using userFilter
2015-07-28 08:44:09,481 TRACE [org.ldaptive.pool.BlockingConnectionPool] - waiting on pool lock for check out 0
2015-07-28 08:44:09,482 TRACE [org.ldaptive.pool.BlockingConnectionPool] - retrieve available connection from pool of size 3
2015-07-28 08:44:09,482 TRACE [org.ldaptive.pool.BlockingConnectionPool] - waiting on pool lock for retrieve available 0
2015-07-28 08:44:09,482 TRACE [org.ldaptive.pool.BlockingConnectionPool] - retrieved available connection: org.ldaptive.pool.AbstractConnectionPool$DefaultPooledConnectionProxy@28d996bb
2015-07-28 08:44:09,482 TRACE [org.ldaptive.pool.BlockingConnectionPool] - no activator configured
2015-07-28 08:44:09,484 DEBUG [org.ldaptive.SearchOperation] - execute request=[org.ldaptive.SearchRequest@-410124487::baseDn=ou=fuller,DC=id,DC=fuller,DC=edu, searchFilter=[org.ldaptive.SearchFilter@1877340396::filter=(sAMAccountName={user}), parameters={user=castester}], returnAttributes=[1.1], searchScope=SUBTREE, timeLimit=0, sizeLimit=0, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, followReferrals=false, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@685291700::config=[org.ldaptive.ConnectionConfig@327780318::ldapUrl=ldaps://id.fuller.edu, connectTimeout=3000, responseTimeout=-1, sslConfig=[org.ldaptive.ssl.SslConfig@598195920::credentialConfig=[org.ldaptive.ssl.X509CredentialConfig@1427787790::trustCertificates=file:/etc/cas/id_app.pem, authenticationCertificate=null, authenticationKey=null], trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@1856427390::bindDn=admin_acco...@id.fuller.edu, bindSaslConfig=null, bindControls=null]], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@742803039::metadata=[ldapUrl=ldaps://id.fuller.edu, count=1], environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, com.sun.jndi.ldap.connect.timeout=3000, java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory, java.naming.ldap.version=3}, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@778154098::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy@71315edf, controlProcessor=org.ldaptive.provider.ControlProcessor@7bb841e8, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@39b61dae]
2015-07-28 08:44:09,486 TRACE [org.ldaptive.provider.jndi.JndiConnection] - reading search result: CN=CAS Tester 55508: null:null:No attributes
2015-07-28 08:44:09,486 TRACE
Re: [cas-user] Cas 4.0.3 and AD Config
Chris,

I just set up CAS with AD as well, and while I started with the first bit of code, I ended up getting it to work with the second bit of code called "LDAP Requiring Authenticated Search". I also noticed that I had to change the DN of the authenticating user to the ldapad...@domain.com instead of the cn=LDAP Admin... etc. I'll forward you the email string to cas-users that helped me get it set up.

The LDAP portion of my cas.properties file is below:

#
# General properties
#
ldap.url=ldaps://ad_server.fuller.edu
# LDAP connection timeout in milliseconds
ldap.connectTimeout=3000
# Whether to use StartTLS (probably needed if not SSL connection)
ldap.useStartTLS=false

#
# LDAP connection pool configuration
#
ldap.pool.minSize=3
ldap.pool.maxSize=10
ldap.pool.validateOnCheckout=false
ldap.pool.validatePeriodically=true
ldap.pool.blockWaitTime=3000
ldap.pool.validatePeriod=300
ldap.pool.prunePeriod=300
ldap.pool.idleTime=600

#
# Authentication
#
# Base DN of users to be authenticated
ldap.baseDn=ou=fuller,DC=id,DC=fuller,DC=edu
# Manager DN for authenticated searches
ldap.authn.managerDn=admin_acco...@id.fuller.edu
# Manager password for authenticated searches
ldap.authn.managerPassword=admin_password
# Search filter used for configurations that require searching for DNs
ldap.authn.searchFilter=(sAMAccountName={user})
# Domain Setting
ldap.domain=fuller.edu
ldap.trustedCert=file:/etc/cas/id_app.pem

And I'm attaching the final deployer file as well. Hopefully that can help you out.

Mike

On Fri, Jul 24, 2015 at 12:08 PM, Chris Irwin <chris.ir...@sadasystems.com> wrote:
> Guess I should have said, I'm trying to authenticate to Active Directory.
>
> Chris
>
> From: Chris Irwin
> Sent: Friday, July 24, 2015 3:06 PM
> To: cas-user@lists.jasig.org
> Subject: Cas 4.0.3 and AD Config
>
> Please forgive me up front as I'm a CAS newbie. I have a Windows Server 2012 R2 server running Tomcat 8. This seems to be working fine.
>
> I have pulled down the CAS 4.0.3 war file from the maven repository and installed it. Again this went fine, I can hit the logon page with no issues. Now I'm following the directions on http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html
>
> I have added the following to my pom.xml:
>
>     <dependency>
>         <groupId>org.jasig.cas</groupId>
>         <artifactId>cas-server-support-ldap</artifactId>
>         <version>${cas.version}</version>
>     </dependency>
>
> as well as the suggested code for my deployerConfigContext.xml and cas.properties (attached). Now I'm getting the following error when I start the services:
>
>     Caused by: java.lang.ClassNotFoundException: org.jasig.cas.authentication.support.UpnSearchEntryResolver
>         at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1305)
>         at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1157)
>         at org.springframework.util.ClassUtils.forName(ClassUtils.java:257)
>         at org.springframework.beans.factory.support.AbstractBeanDefinition.resolveBeanClass(AbstractBeanDefinition.java:416)
>         at org.springframework.beans.factory.support.AbstractBeanFactory.doResolveBeanClass(AbstractBeanFactory.java:1302)
>         at org.springframework.beans.factory.support.AbstractBeanFactory.resolveBeanClass(AbstractBeanFactory.java:1273)
>         ... 73 more
>
> I have attached all files and logs for review. Any help would be greatly appreciated!
Re: [cas-user] CAS 4 LPPE Active Directory, accountState=null
Thanks Daniel, Misagh,

Just to be certain, I rebuilt with 4.0.3; I was already using Ldaptive 1.0.6. My authentication response handler is in fact set to the *ActiveDirectoryAuthenticationResponseHandler* in my deployer file.

Since I'm using the main AD server to test this out, the Windows admin made a separate group policy with a 1 day expiration on passwords; my castester user is the only person in that group and the only user that the policy applies to. Can/does CAS distinguish between group policies, or only apply the policy for the entire OU?

My logs come back with accountState=null for the castester user. When I log in with my own user account, I also get the accountState=null in the logs, and I am not part of the same group as castester. Should the AD always come back with an accountState? If so, should I have the Windows admin double check the set up?

On Fri, Jul 24, 2015 at 11:34 AM, Misagh Moayyed <mmoay...@unicon.net> wrote:
> Not sure the issue is related to the fix in 4.0.3. The log indicates that no account state is passed back to CAS. Is your configuration using the ActiveDirectory response handler? That might be relevant in passing back the account state over to CAS. Something like this perhaps:
>
>     <bean id="authenticator" class="org.ldaptive.auth.Authenticator"
>           c:resolver-ref="dnResolver"
>           c:handler-ref="authHandler">
>         <property name="authenticationResponseHandlers">
>             <util:list>
>                 <bean class="org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler" />
>             </util:list>
>         </property>
>     </bean>
>
> From: Daniel Fisher [mailto:dfis...@vt.edu]
> Sent: Friday, July 24, 2015 10:56 AM
> To: cas-user@lists.jasig.org
> Subject: Re: [cas-user] CAS 4 LPPE Active Directory, accountState=null
>
> On Thu, Jul 23, 2015 at 3:37 PM, Mike Seiler <michaelsei...@fuller.edu> wrote:
>> I'm trying to get LPPE working with the new CAS 4.0 server, but am finding that the policies don't seem to be enforced, even though I have set the maximum password age (on the AD side) to 1 day.
>
> Are you using the latest version? (4.0.3) The release notes indicate fixes related to LPPE.
>
> --Daniel Fisher
[cas-user] CAS 4 LPPE Active Directory, accountState=null
I'm trying to get LPPE working with the new CAS 4.0 server, but am finding that the policies don't seem to be enforced, even though I have set the maximum password age (on the AD side) to 1 day.

My question: is this a misconfiguration on my part (CAS), or a problem with the AD server not sending the proper details to Ldaptive? And what else can I do to troubleshoot and determine where the communication is breaking down?

The AD server is Windows Server 2012 R2.

My *cas.properties* file for LPPE is as follows:

password.policy.warnAll=true
password.policy.warningDays=14

*Catalina.out*

My test user successfully logs in but is not warned that the password is about to expire:

2015-07-23 11:59:17,714 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Applying password policy to [org.ldaptive.auth.AuthenticationResponse@1485195938::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS, ldapEntry=[dn=CN=CAS Tester 55508,ou=fuller,DC=id,DC=fuller,DC=edu[
    [lastLogonTimestamp[130820850247901100]],
    [countryCode[0]],
    [givenName[CAS]],
    [whenChanged[20150723003024.0Z]],
    [memberOf[CN=castest,OU=groups,OU=fuller,DC=id,DC=fuller,DC=edu, CN=LibraryMembers,OU=groups,OU=fuller,DC=id,DC=fuller,DC=edu]],
    [instanceType[0]],
    [codePage[0]],
    [dSCorePropagationData[1601010100.0Z]],
    [uSNCreated[1223840]],
    [uSNChanged[1223840]],
    [badPwdCount[0]],
    [whenCreated[20150723002824.0Z]],
    [description[CAS]],
    [name[CAS Tester 55508]],
    [objectCategory[CN=Person,CN=Schema,CN=Configuration,DC=id,DC=fuller,DC=edu]],
    [objectClass[organizationalPerson, person, user, top]],
    [mail[castes...@fuller.edu]],
    [sn[Tester]],
    *[userAccountControl[512]]*,
    [sAMAccountType[805306368]],
    *[pwdLastSet[130820850169765345]]*,
    [badPasswordTime[0]],
    [distinguishedName[CN=CAS Tester 55508,OU=fuller,DC=id,DC=fuller,DC=edu]],
    [cn[CAS Tester 55508]],
    [primaryGroupID[513]],
    [sAMAccountName[castester]],
    [objectSid[^A^E^@^@^@^@^@^E^U^@^@^@��^Z2�Zy��^_Uz^F^@^@]],
    [accountExpires[1309610880]],
    [userPrincipalName[castes...@fuller.edu]],
    [objectGUID[Rءџ��O�8jRIP^W�]],
    [displayName[CAS Tester 55508]]],
  *responseControls=null*, messageId=-1], *accountState=null*, result=true, resultCode=SUCCESS, message=null, controls=null]
2015-07-23 11:59:17,714 DEBUG [org.jasig.cas.authentication.support.DefaultAccountStateHandler] - *Account state not defined*
2015-07-23 11:59:17,715 DEBUG [org.jasig.cas.authentication.support.DefaultAccountStateHandler] - Handling null
2015-07-23 11:59:17,715 DEBUG [org.jasig.cas.authentication.support.DefaultAccountStateHandler] - No LDAP error mapping defined for null
2015-07-23 11:59:17,715 DEBUG [org.jasig.cas.authentication.support.DefaultAccountStateHandler] - Account state warning not defined
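The log entry above returns the two attributes a password-expiry decision is built from, pwdLastSet and userAccountControl, yet accountState is null, so DefaultAccountStateHandler has nothing to warn about. The script below is an added illustration for this thread (not CAS or ldaptive code): it performs that decision itself from the values copied out of the posted log, converting the Windows FILETIME in pwdLastSet to a UTC timestamp, honouring the DONT_EXPIRE_PASSWORD bit of userAccountControl, and applying the 1-day maximum password age and the warningDays=14 from the post. Two assumptions are labelled in the code: the login time taken from catalina.out is treated as UTC, and the 1-day maximum age is a parameter supplied from the post rather than read from the domain.

```python
"""Reproduce the password-expiry decision that LPPE needs, from the two AD
attributes visible in the CAS debug log: pwdLastSet and userAccountControl.
Added illustration for the thread; not CAS or ldaptive code."""
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Well-known userAccountControl bits (NORMAL_ACCOUNT is 0x200, the 512 in the log).
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_PASSWORD_EXPIRED = 0x800000

# Constructed from the ldapEntry in the original post (values copied from the log).
CASTESTER_ENTRY = {
    "sAMAccountName": "castester",
    "userAccountControl": "512",
    "pwdLastSet": "130820850169765345",
}


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert an AD large-integer timestamp to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def filetime_to_iso(filetime: int) -> str:
    """Same conversion, rendered to whole seconds for logs and assertions."""
    return filetime_to_datetime(filetime).strftime("%Y-%m-%dT%H:%M:%SZ")


def account_state(entry: dict, max_pwd_age: timedelta, warning_days: int,
                  now: datetime) -> dict:
    """Classify the account the way an LPPE warning step would.

    max_pwd_age is the maximum password age from the domain or GPO (assumed
    here: 1 day, as stated in the thread); warning_days mirrors
    password.policy.warningDays.
    """
    uac = int(entry.get("userAccountControl", "0"))
    pwd_last_set = int(entry.get("pwdLastSet", "0"))

    if uac & UAC_DONT_EXPIRE_PASSWORD:
        return {"state": "never_expires", "expires": None}
    if pwd_last_set == 0 or uac & UAC_PASSWORD_EXPIRED:
        # pwdLastSet of 0 means "must change password at next logon".
        return {"state": "must_change", "expires": None}

    expires = filetime_to_datetime(pwd_last_set) + max_pwd_age
    remaining = expires - now
    if remaining <= timedelta(0):
        state = "expired"
    elif remaining <= timedelta(days=warning_days):
        state = "warn"
    else:
        state = "ok"
    return {
        "state": state,
        "expires": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "seconds_left": int(remaining.total_seconds()),
    }


def demo() -> dict:
    """Run the thread's scenario plus two variants; returns {case: state}."""
    # Login time from the catalina.out line; assumed to be UTC for this illustration.
    login = datetime(2015, 7, 23, 11, 59, 17, tzinfo=timezone.utc)
    one_day, warn_days = timedelta(days=1), 14
    never = dict(CASTESTER_ENTRY,
                 userAccountControl=str(512 | UAC_DONT_EXPIRE_PASSWORD))
    return {
        "castester_at_login":
            account_state(CASTESTER_ENTRY, one_day, warn_days, login)["state"],
        "castester_two_days_later":
            account_state(CASTESTER_ENTRY, one_day, warn_days,
                          login + timedelta(days=2))["state"],
        "dont_expire_flag":
            account_state(never, one_day, warn_days, login)["state"],
    }


if __name__ == "__main__":
    print("pwdLastSet =", filetime_to_iso(int(CASTESTER_ENTRY["pwdLastSet"])))
    print(demo())
```

Run stand-alone it prints 2015-07-23T00:30:16Z for pwdLastSet, which agrees with the whenChanged value in the same log entry, and classifies castester as "warn" at the logged login time: with a 1-day maximum age and a 14-day warning window, this is exactly the point at which a populated account state would have produced the warning, so a null accountState means no handler derived it from these attributes.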
Re: [cas-user] Using session_id() variabel as Global Session variable.
How are you accessing $_SESSION on each additional page? Or is index.php your front controller?

On Thu, Jul 23, 2015 at 12:36 PM, Andi Zulfadli <andi.zulfa...@gmail.com> wrote:
> Dear Master. Please your help.
>
> I am using phpCAS Client 1.3.3 with simple authentication to a CAS server with LDAP backend, and I have successful authentication and get a return ticket / session id variable, e.g.: ST-404-sKkVIrpxuedp52YOtjGs-caspoliupgacid
>
> My problem is, I want to use the ticket / session id variable as a global session variable and use the session to build other pages in my application. I do not know what the cause is why in other pages the session is not readable. Please your help. Thank you.
>
> My index.php code:
> ________________________________
>     <?php
>     // Load the settings from the central config file
>     require_once 'config.php';
>     // Load the CAS lib
>     require_once $phpcas_path . 'CAS.php';
>
>     // Enable debugging
>     phpCAS::setDebug();
>
>     // Initialize phpCAS
>     phpCAS::client(CAS_VERSION_2_0, 'cas.poliupg.ac.id', 8443, $cas_context);
>     // Allowed logout-request clients are passed as an array
>     phpCAS::handleLogoutRequests(true, array('cas.poliupg.ac.id'));
>     phpCAS::setNoCasServerValidation();
>
>     // force CAS authentication
>     phpCAS::forceAuthentication();
>
>     // logout if desired
>     if (isset($_REQUEST['logout'])) {
>         session_destroy();
>         phpCAS::logout();
>     }
>
>     // for this test, simply record that the authentication was successful
>     $_SESSION['id'] = session_id();
>     $_SESSION['username'] = phpCAS::getUser();
>     $_SESSION['name'] = session_name();
>     $_SESSION['version'] = phpCAS::getVersion();
> ________________________________
Re: [cas-user] Help with CAS 4.0 AD
Thank you all for your suggestions and help. I touch CAS maybe once a year when changes are needed, so I'm not very savvy.

By setting the log values to TRACE I was able to determine that CAS was never initiating the ldap search (as Daniel pointed out) and figure out what was causing that. The authentication *succeeded* after the following:

1) Using the 2nd option (LDAP Requiring Authenticated Search), and fixing differences in the sample code and my cas.properties file (e.g. ldap.managerDn vs ldap.authn.managerDn)
2) Changing the managerDN to the admin_acco...@id.fuller.edu -- in the 3.5.2 installation, I used the full CN=CASADMIN, etc...
3) Setting useStartTLS=false
4) Setting searchFilter to (sAMAccountName={user}) -- anything else seems to fail

The response from the server (in catalina.out) contains all the attributes I'm hoping to get (and then some), so it seems that the attribute mapping is working as well. I'll find out more when I modify the authorization plugins for our external apps to pull the CAS attributes list.

*SSL*
It seems that disabling/enabling the sslConfig bean makes no difference in my config; the certs are stored in the default keystore as well, so both methods build and authenticate.

In the interest of helping fellow Google searchers down the road, I've attached my LDAP properties section of the cas.properties file below:

#
# General properties
#
ldap.url=ldaps://id.fuller.edu
# LDAP connection timeout in milliseconds
ldap.connectTimeout=3000
# Whether to use StartTLS (probably needed if not SSL connection)
ldap.useStartTLS=false

#
# LDAP connection pool configuration
#
ldap.pool.minSize=3
ldap.pool.maxSize=10
ldap.pool.validateOnCheckout=false
ldap.pool.validatePeriodically=true
ldap.pool.blockWaitTime=3000
ldap.pool.validatePeriod=300
ldap.pool.prunePeriod=300
ldap.pool.idleTime=600

#
# Authentication
#
# Base DN of users to be authenticated
ldap.baseDn=ou=fuller,DC=id,DC=fuller,DC=edu
# Manager DN for authenticated searches
ldap.authn.managerDn=admin_acco...@id.fuller.edu
# Manager password for authenticated searches
ldap.authn.managerPassword=admin_password
# Search filter used for configurations that require searching for DNs
ldap.authn.searchFilter=(sAMAccountName={user})
# Domain Setting
ldap.domain=fuller.edu
ldap.trustedCert=file:/etc/cas/id_app.pem

and am attaching my current deployerConfigContext.xml file to this email.

Thanks again,
Mike

On Tue, Jun 30, 2015 at 3:27 PM, Mike Seiler <michaelsei...@fuller.edu> wrote:
> Thank you Mihai and John. I will try those things first thing in the morning and get back to you with all the additional logs and details.
>
> Mike
>
> On Tue, Jun 30, 2015 at 3:22 PM, John Ryan <jr...@redzone.co> wrote:
>> Mike,
>>
>> I think Daniel is on to something: we see no indication whatsoever in your log output that LDAP authentication is even being attempted. In your log4j.xml please dial way back everything (most especially org.springframework) to WARN except org.jasig and org.ldaptive (set both to TRACE). After you attempt to hit a CAS-ified application, we should then see a rich set of detail about CAS placing a service in FlowScope, generating a login ticket, etc. If everything is OK up to that point, we'll see an "Attempting LDAP authentication" message from org.jasig.cas.authentication.LdapAuthenticationHandler, followed by rich detail from org.ldaptive components as they interact with AD.
>>
>> FYI we're using CAS 4.0 with AD and it is working fine. The only differences that jump out to me from our configuration are that we don't use any of the ldap.authn properties at all, as we want to use the user's sAMAccountName. Also, one departure from the deployerConfigContext.xml at http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html#active_directory_authentication is that we do not use an sslConfig bean. We use ldaps, the cert for our AD server is in the JVM's keystore, and things seem to work just fine without the sslConfig bean.
>>
>> But again, we see no indication an attempt at LDAP authentication is even being attempted. Updating log4j.xml with the suggested changes should at least make that clear.
>>
>> On 6/29/2015 9:26 PM, Daniel Fisher wrote:
>>> On Mon, Jun 29, 2015 at 1:28 PM, Mike Seiler <michaelsei...@fuller.edu> wrote:
>>>> Any further suggestions on what might be causing the system to fail to authenticate users? Bind with manager password works. Certificates validate. sAMAccountName is set as the search filter. Any suggestions would be appreciated.
>>>
>>> I didn't see the LDAP authentication component being exercised. Your LDAP pools initialize correctly, but the authentication handler does not appear to use them. I don't know enough about the v4 config
Re: [cas-user] Help with CAS 4.0 AD
Thanks John, I'll keep that in mind about the p3 endpoint when I get to the next step of this project.

Mike

On Wed, Jul 1, 2015 at 8:52 AM, John Ryan <jr...@redzone.co> wrote:
> Great to hear, Mike.
>
> A piece of advice for returning attributes: not sure if it is better documented now than when I was stumbling around with it, but make sure you call the p3 endpoint on service validation (.../cas/p3/serviceValidate?...). This invokes the CAS 3.0 protocol, and works very, very well for returning attributes.
>
> John
> RedZone Software
Re: [cas-user] Help with CAS 4.0 AD
The AD is set to allow global search by all authenticated users; anything else (resetting password, etc.) requires the administrator credentials - but we don't use the Password Manager in CAS - we do that externally via other apps. All we need is to determine that a user's account authenticates and pass the attributes on to other applications.

I'm using the deployerConfigContext defined here: http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html#active_directory_authentication (the first code sample, which says "The following configuration authenticates users by sAMAccountName without performing a search, which requires manager/administrator credentials in most cases. It is therefore the most performant and secure solution for the typical Active Directory deployment.")

*From the command line:*
I am able to do an ldapsearch using my own credentials (and looking up another user), and, of course, I am also able to do a search for another user using the Admin credentials:

ldapsearch -x -H ldaps://id.fuller.edu -b "ou=fuller,dc=id,dc=fuller,dc=edu" -D "admin_acco...@id.fuller.edu" -w admin_password "(sAMAccountName=michaelseiler)" cn sn displayName sAMAccountName pwdLastSet lastLogon mail memberof

With either the admin credentials or my own, I get all requested data back from the server, but with CAS the validation of my own personal account credentials fails, and all I can seem to get from the error logs is that my own personal credentials are invalid -- even though I can use them from the command line and retrieve data for any user.

It seems that this is a configuration error in CAS, but the error logs are insufficient to help debug this. Setting up a proxy to track down issues is beyond my knowledge. If there is other documentation on setting up CAS 4.0 with LDAP that doesn't use the Maven overlay method or the cut-and-paste code from the above URL, I'd be happy to try that out at this point.
Re: [cas-user] Help with CAS 4.0 AD
Carl,

Our current CAS server (3.5.2) simply binds as the manager and then authenticates the user from the AD with a search. To me, that first paragraph sample code seems to suggest that it does the same thing - using only the manager credentials to authenticate the user.

Thanks,
Mike

On Tue, Jun 30, 2015 at 1:17 PM, Waldbieser, Carl waldb...@lafayette.edu wrote:

> Mike,
>
> I did notice this while going over the instructions:
>
> "The following configuration authenticates users by sAMAccountName without performing a search, which requires manager/administrator credentials in most cases."
>
> Is that something special you can do in A/D since sAMAccountName is guaranteed to be unique in the domain? With typical LDAP authN, you need to do a search to get the full DN and then BIND as that DN.
>
> Still poking around ...
>
> Thanks,
> Carl
>
> ----- Original Message -----
> From: Mike Seiler michaelsei...@fuller.edu
> To: cas-user@lists.jasig.org
> Sent: Tuesday, June 30, 2015 3:39:02 PM
> Subject: Re: [cas-user] Help with CAS 4.0 AD
>
> Here's my cas.properties info:
>
> #
> # General properties
> #
> ldap.url=ldaps://id.fuller.edu
> ldap.connectTimeout=3000
> ldap.useStartTLS=false
>
> #
> # LDAP connection pool configuration
> #
> ldap.pool.minSize=3
> ldap.pool.maxSize=10
> ldap.pool.validateOnCheckout=false
> ldap.pool.validatePeriodically=true
> ldap.pool.blockWaitTime=3000
> ldap.pool.validatePeriod=300
> ldap.pool.prunePeriod=300
> ldap.pool.idleTime=600
>
> #
> # Authentication
> #
>
> # Base DN of users to be authenticated
> ldap.baseDn=ou=fuller,DC=id,DC=fuller,DC=edu
> # the CN=Users here because the CASADMIN is outside the ou we put our normal users into.
> ldap.authn.managerDN=CN=CASADMIN,CN=Users,DC=id,DC=fuller,DC=edu
> ldap.authn.managerPassword=
> ldap.domain=fuller.edu
> ldap.trustedCert=file:/etc/cas/id_app.pem
>
> # [The cut and paste deployer config doesn't actually use the below, but I modified them anyway]
> ldap.authn.searchFilter=(sAMAccountName=%s)
> ldap.authn.format=%s...@fuller.edu
>
> Thanks for taking a look at this.
>
> On Tue, Jun 30, 2015 at 12:06 PM, Waldbieser, Carl waldb...@lafayette.edu wrote:
>
> > Mike,
> >
> > Could you post the non-sensitive parts of your LDAP configuration? We are using CAS 3.x and using OpenLDAP so it is not necessarily a good match, but our settings look like:
> >
> > # == LDAP Authentication settings ==
> > ldap.authentication.filter=uid=%u
> > ldap.authentication.server.urls=ldaps://ldap.lafayette.edu
> > ldap.authentication.basedn=O=lafayette
> > ldap.authentication.manager.userdn=cn=casbrowser,o=lafayette
> > ldap.authentication.manager.password=REDACTED
> > ldap.authentication.ignorePartialResultException=true
> > ldap.authentication.scope=2
> > ldap.authentication.jndi.connect.timeout=3000
> > ldap.authentication.jndi.read.timeout=3000
> > ldap.authentication.jndi.security.level=simple
> >
> > Thanks,
> > Carl
> >
> > ----- Original Message -----
> > From: Mike Seiler michaelsei...@fuller.edu
> > To: cas-user@lists.jasig.org
> > Sent: Tuesday, June 30, 2015 2:44:32 PM
> > Subject: Re: [cas-user] Help with CAS 4.0 AD
> >
> > The AD is set to allow global search by all authenticated users; anything else (resetting password, etc) requires the administrator credentials - but we don't use the Password Manager in CAS - we do that externally via other apps. All we need is to determine that a user's account authenticates and pass the attributes on to other applications.
> >
> > I'm using the deployerConfigContext defined here:
> > http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html#active_directory_authentication
> >
> > (The first code sample, which says "The following configuration authenticates users by sAMAccountName without performing a search, which requires manager/administrator credentials in most cases. It is therefore the most performant and secure solution for the typical Active Directory deployment.")
> >
> > *From the command line:*
> >
> > I am able to do an ldapsearch using my own credentials (and looking up another user), and, of course, I am also able to do a search for another user using the Admin credentials:
> >
> > ldapsearch -x -H ldaps://id.fuller.edu -b ou=fuller,dc=id,dc=fuller,dc=edu -D admin_acco...@id.fuller.edu -w admin_password "(sAMAccountName=michaelseiler)" cn sn displayName sAMAccountName pwdLastSet lastLogon mail memberof
> >
> > With either the admin credentials or my own, I get all requested data back from the server, but with CAS the validation of my own personal account credentials fails, and all I can seem to get from the error logs is that my own personal credentials are invalid -- even though I can use them from the command line and retrieve data for any user. It seems that this is a configuration error in CAS
Re: [cas-user] Help with CAS 4.0 AD
Here's my cas.properties info:

#
# General properties
#
ldap.url=ldaps://id.fuller.edu
ldap.connectTimeout=3000
ldap.useStartTLS=false

#
# LDAP connection pool configuration
#
ldap.pool.minSize=3
ldap.pool.maxSize=10
ldap.pool.validateOnCheckout=false
ldap.pool.validatePeriodically=true
ldap.pool.blockWaitTime=3000
ldap.pool.validatePeriod=300
ldap.pool.prunePeriod=300
ldap.pool.idleTime=600

#
# Authentication
#

# Base DN of users to be authenticated
ldap.baseDn=ou=fuller,DC=id,DC=fuller,DC=edu
# the CN=Users here because the CASADMIN is outside the ou we put our normal users into.
ldap.authn.managerDN=CN=CASADMIN,CN=Users,DC=id,DC=fuller,DC=edu
ldap.authn.managerPassword=
ldap.domain=fuller.edu
ldap.trustedCert=file:/etc/cas/id_app.pem

# [The cut and paste deployer config doesn't actually use the below, but I modified them anyway]
ldap.authn.searchFilter=(sAMAccountName=%s)
ldap.authn.format=%s...@fuller.edu

Thanks for taking a look at this.

On Tue, Jun 30, 2015 at 12:06 PM, Waldbieser, Carl waldb...@lafayette.edu wrote:

> Mike,
>
> Could you post the non-sensitive parts of your LDAP configuration? We are using CAS 3.x and using OpenLDAP so it is not necessarily a good match, but our settings look like:
>
> # == LDAP Authentication settings ==
> ldap.authentication.filter=uid=%u
> ldap.authentication.server.urls=ldaps://ldap.lafayette.edu
> ldap.authentication.basedn=O=lafayette
> ldap.authentication.manager.userdn=cn=casbrowser,o=lafayette
> ldap.authentication.manager.password=REDACTED
> ldap.authentication.ignorePartialResultException=true
> ldap.authentication.scope=2
> ldap.authentication.jndi.connect.timeout=3000
> ldap.authentication.jndi.read.timeout=3000
> ldap.authentication.jndi.security.level=simple
>
> Thanks,
> Carl
>
> ----- Original Message -----
> From: Mike Seiler michaelsei...@fuller.edu
> To: cas-user@lists.jasig.org
> Sent: Tuesday, June 30, 2015 2:44:32 PM
> Subject: Re: [cas-user] Help with CAS 4.0 AD
>
> The AD is set to allow global search by all authenticated users; anything else (resetting password, etc) requires the administrator credentials - but we don't use the Password Manager in CAS - we do that externally via other apps. All we need is to determine that a user's account authenticates and pass the attributes on to other applications.
>
> I'm using the deployerConfigContext defined here:
> http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html#active_directory_authentication
>
> (The first code sample, which says "The following configuration authenticates users by sAMAccountName without performing a search, which requires manager/administrator credentials in most cases. It is therefore the most performant and secure solution for the typical Active Directory deployment.")
>
> *From the command line:*
>
> I am able to do an ldapsearch using my own credentials (and looking up another user), and, of course, I am also able to do a search for another user using the Admin credentials:
>
> ldapsearch -x -H ldaps://id.fuller.edu -b ou=fuller,dc=id,dc=fuller,dc=edu -D admin_acco...@id.fuller.edu -w admin_password "(sAMAccountName=michaelseiler)" cn sn displayName sAMAccountName pwdLastSet lastLogon mail memberof
>
> With either the admin credentials or my own, I get all requested data back from the server, but with CAS the validation of my own personal account credentials fails, and all I can seem to get from the error logs is that my own personal credentials are invalid -- even though I can use them from the command line and retrieve data for any user. It seems that this is a configuration error in CAS, but the error logs are insufficient to help debug this. Setting up a proxy to track down issues is beyond my knowledge.
>
> If there is other documentation on setting up CAS 4.0 with LDAP that doesn't use the Maven overlay method or the cut-and-paste code from the above URL, I'd be happy to try that out at this point.
Re: [cas-user] Help with CAS 4.0 AD
Thanks Mearl,

I'll take a look at implementing that method then instead of the first on the list. In my command line searches, I've made sure to pull the userPrincipalName and they do indeed come back as samaccountn...@fuller.edu.

Mike

On Tue, Jun 30, 2015 at 3:06 PM, Danner, Mearl jmdan...@samford.edu wrote:

> If you need the memberOf attribute you'll need to use the authenticated bind plus search method. The method using only samaccountname does not return attributes. It only gives a yes/no on the authentication. The example shows an attribute map, but it will not do anything.
>
> In your case about the authentication of your userid you might need to look at your AD record to see if the userPrincipalName is really your samaccountname@domain. It is that by default, but provisioning or an admin can change it.
>
> *From:* Mike Seiler [mailto:michaelsei...@fuller.edu]
> *Sent:* Tuesday, June 30, 2015 4:34 PM
> *To:* cas-user@lists.jasig.org
> *Subject:* Re: [cas-user] Help with CAS 4.0 AD
>
> > Carl,
> >
> > All of our users are in fact in one distinct OU in the AD (ou=fuller), and we then manage web access by the memberOf attribute in each of our individual external apps (e.g. StudentMembers, AlumMembers, EmployeeMembers, etc). Right now, these apps only get the username from CAS -- and not the full attributes list -- and then have to perform a separate query to the AD to get the membership attribute for the authorization portion of logging in to the particular app. I was hoping to bypass all that with v4.0's attribute mapping (among other added benefits), which is why I'm building out this new server. It would give us a smaller maintenance footprint (fewer firewall mods, fewer certificate installs, fewer network calls, etc.); I know that the attribute mapping is possible in 3.5 (with some additional modifications), so I may just revert back to tinkering with a test instance of the current set up instead.
> >
> > Thanks,
> > Mike
> >
> > On Tue, Jun 30, 2015 at 2:03 PM, Waldbieser, Carl waldb...@lafayette.edu wrote:
> >
> > > Mike,
> > >
> > > I think the key part is "without performing a search" in the quote I pulled from the A/D section. I am not sure how that is possible in traditional LDAP unless all the accounts are in a single ou that has been configured beforehand. Our LDAP DIT is context-crazy aka bushy, with accounts for different departments in different ous. I am not sure how that would work using LDAP. Could just be something unclear in the text, though.
> > >
> > > Thanks,
> > > Carl
> > >
> > > ----- Original Message -----
> > > From: Mike Seiler michaelsei...@fuller.edu
> > > To: cas-user@lists.jasig.org
> > > Sent: Tuesday, June 30, 2015 4:59:00 PM
> > > Subject: Re: [cas-user] Help with CAS 4.0 AD
> > >
> > > Carl,
> > >
> > > Our current CAS server (3.5.2) simply binds as the manager and then authenticates the user from the AD with a search. To me, that first paragraph sample code seems to suggest that it does the same thing - using only the manager credentials to authenticate the user.
> > >
> > > Thanks,
> > > Mike
> > >
> > > On Tue, Jun 30, 2015 at 1:17 PM, Waldbieser, Carl waldb...@lafayette.edu wrote:
> > >
> > > > Mike,
> > > >
> > > > I did notice this while going over the instructions:
> > > >
> > > > "The following configuration authenticates users by sAMAccountName without performing a search, which requires manager/administrator credentials in most cases."
> > > >
> > > > Is that something special you can do in A/D since sAMAccountName is guaranteed to be unique in the domain? With typical LDAP authN, you need to do a search to get the full DN and then BIND as that DN.
> > > >
> > > > Still poking around ...
> > > >
> > > > Thanks,
> > > > Carl
> > > >
> > > > ----- Original Message -----
> > > > From: Mike Seiler michaelsei...@fuller.edu
> > > > To: cas-user@lists.jasig.org
> > > > Sent: Tuesday, June 30, 2015 3:39:02 PM
> > > > Subject: Re: [cas-user] Help with CAS 4.0 AD
> > > >
> > > > Here's my cas.properties info:
> > > >
> > > > #
> > > > # General properties
> > > > #
> > > > ldap.url=ldaps://id.fuller.edu
> > > > ldap.connectTimeout=3000
> > > > ldap.useStartTLS=false
> > > >
> > > > #
> > > > # LDAP connection pool configuration
> > > > #
> > > > ldap.pool.minSize=3
> > > > ldap.pool.maxSize=10
> > > > ldap.pool.validateOnCheckout=false
> > > > ldap.pool.validatePeriodically=true
> > > > ldap.pool.blockWaitTime=3000
> > > > ldap.pool.validatePeriod=300
> > > > ldap.pool.prunePeriod=300
> > > > ldap.pool.idleTime=600
> > > >
> > > > #
> > > > # Authentication
> > > > #
> > > >
> > > > # Base DN of users to be authenticated
> > > > ldap.baseDn=ou=fuller,DC=id,DC=fuller,DC=edu
> > > > # the CN=Users here because the CASADMIN is outside the ou we put our normal users into.
> > > > ldap.authn.managerDN=CN=CASADMIN,CN=Users,DC=id,DC=fuller,DC=edu
> > > > ldap.authn.managerPassword=
> > > > ldap.domain=fuller.edu
> > > > ldap.trustedCert=file:/etc/cas/id_app.pem
> > > >
> > > > # [The cut and paste deployer config doesn't actually use the below, but I modified them anyway]
> > > > ldap.authn.searchFilter
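The two identities discussed above (Carl's "search for the full DN, then BIND as that DN" flow driven by `ldap.authn.searchFilter`, and the direct AD bind driven by `ldap.authn.format`, which Mearl notes only works when the account's userPrincipalName really is sAMAccountName@domain), worked through as an added Python example. This is not code from CAS, ldaptive, or anyone in the thread. It assumes `ldap.authn.format` is `%s@fuller.edu` (the archive shows the value obfuscated), and the AD entries are constructed, with `jdoe` being a made-up account whose UPN was changed away from the default convention.

```python
# RFC 4515 escapes for values substituted into a search filter; without them
# a username containing these characters changes the meaning of the filter
# that CAS builds from ldap.authn.searchFilter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Characters Active Directory does not allow in a sAMAccountName, plus '@',
# which would turn the UPN built from ldap.authn.format into user@x@domain.
_BAD_SAM_CHARS = set('"/\\[]:;|=,+*?<>@')

# Constructed AD entries, shaped like an ldapsearch for sAMAccountName and
# userPrincipalName would return them (not real directory data).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "michaelseiler", "userPrincipalName": "michaelseiler@fuller.edu"},
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@id.fuller.edu"},
]


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def valid_sam_account_name(name):
    """True if name could be a bare sAMAccountName rather than a UPN or a DN."""
    return (bool(name) and not name.endswith(".")
            and not any(ch in _BAD_SAM_CHARS or ch.isspace() for ch in name))


def build_search_filter(template, username):
    """Step 1 of search-then-bind: the filter run as the manager account to
    resolve the user's DN (template is the ldap.authn.searchFilter value)."""
    return template.replace("%s", escape_filter_value(username))


def build_bind_upn(fmt, username):
    """Direct AD bind: the userPrincipalName to bind as (fmt is the
    ldap.authn.format value). Rejects anything that is not a bare account name."""
    if not valid_sam_account_name(username):
        raise ValueError("not a bare sAMAccountName: %r" % (username,))
    return fmt.replace("%s", username)


def upn_mismatches(entries, domain):
    """Accounts whose userPrincipalName is not sAMAccountName@domain. A direct
    UPN bind built from ldap.authn.format fails for these even with the right
    password; search-then-bind resolves the DN and does not depend on the UPN."""
    suffix = "@" + domain.lower()
    return [e["sAMAccountName"] for e in entries
            if e.get("userPrincipalName", "").lower() != e["sAMAccountName"].lower() + suffix]


if __name__ == "__main__":
    print(build_search_filter("(sAMAccountName=%s)", "michaelseiler"))
    print(build_bind_upn("%s@fuller.edu", "michaelseiler"))
    print(upn_mismatches(SAMPLE_ENTRIES, "fuller.edu"))
```

Running `upn_mismatches` over an export of the users under the base DN is the quick way to find out, before switching methods, which accounts the direct-bind configuration would reject regardless of password.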
Re: [cas-user] Help with CAS 4.0 AD
Thank you Mihai and John. I will try those things first thing in the morning and get back to you with all the additional logs and details.

Mike

On Tue, Jun 30, 2015 at 3:22 PM, John Ryan jr...@redzone.co wrote:

> Mike,
>
> I think Daniel is on to something: we see no indication whatsoever in your log output that LDAP authentication is even being attempted.
>
> In your log4j.xml please dial way back everything (most especially org.springframework) to WARN except org.jasig and org.ldaptive (set both to TRACE). After you attempt to hit a CAS-ified application, we should then see a rich set of detail about CAS placing a service in FlowScope, generating a login ticket, etc. If everything is OK up to that point, we'll see an "Attempting LDAP authentication" message from org.jasig.cas.authentication.LdapAuthenticationHandler, followed by rich detail from org.ldaptive components as they interact with AD.
>
> FYI we're using CAS 4.0 with AD and it is working fine. The only differences that jump out to me from our configuration are that we don't use any of the ldap.authn properties at all, as we want to use the user's sAMAccountName. Also, one departure from the deployerConfigContext.xml at http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html#active_directory_authentication is that we do not use an sslConfig bean. We use ldaps, the cert for our AD server is in the JVM's keystore, and things seem to work just fine without the sslConfig bean.
>
> But again, we see no indication an attempt at LDAP authentication is even being attempted. Updating log4j.xml with the suggested changes should at least make that clear.
>
> On 6/29/2015 9:26 PM, Daniel Fisher wrote:
>
> > On Mon, Jun 29, 2015 at 1:28 PM, Mike Seiler michaelsei...@fuller.edu wrote:
> >
> > > Any further suggestions on what might be causing the system to fail to authenticate users? Bind with manager password works. Certificates validate. sAMAccountName is set as the search filter. Any suggestions would be appreciated.
> >
> > I didn't see the LDAP authentication component being exercised. Your LDAP pools initialize correctly, but the authentication handler does not appear to use them. I don't know enough about the v4 config to say what's wrong, but I would look for something fundamental in the authentication wiring, not in the LDAP config.
> >
> > --Daniel Fisher
>
> --
> John Ryan / Senior Software Engineer / RedZone Software
> jr...@redzone.co / www.redzone.co
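The way John and Daniel read the logs above (an AUTHENTICATION_FAILED audit record with no "Attempting LDAP authentication" line from the handler and no org.ldaptive activity points at the authentication wiring, not at the LDAP settings), turned into an added Python triage script. This is not code from CAS, inspektr or anyone in the thread. The failing excerpt is constructed from the cas.log lines quoted in the thread, and the "working" excerpt is entirely constructed to show what the same script reports when the handler does run; only the class name `org.jasig.cas.authentication.LdapAuthenticationHandler` and the audit record layout come from the thread.

```python
import re
from collections import Counter

# Constructed excerpt, assembled from the cas.log lines quoted in the thread:
# a login attempt that fails without any LDAP activity.
SAMPLE_FAILING_LOG = """\
2015-06-23 08:45:14,945 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - Setting path for cookies to: /cas/
2015-06-23 08:45:23,607 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: supplied credentials: [michaelseiler+password]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Tue Jun 23 08:45:23 PDT 2015
CLIENT IP ADDRESS: 192.168.72.69
SERVER IP ADDRESS: 192.168.72.160
=============================================================
"""

# Constructed excerpt (not a real capture): what John says a wired-up handler
# produces, a handler attempt followed by org.ldaptive lines and a success record.
SAMPLE_WORKING_LOG = """\
2015-06-30 16:00:00,000 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Attempting LDAP authentication for michaelseiler+password
2015-06-30 16:00:00,001 DEBUG [org.ldaptive.pool.BlockingConnectionPool] - (constructed) connection checked out
2015-06-30 16:00:00,050 DEBUG [org.ldaptive.pool.BlockingConnectionPool] - (constructed) connection returned
2015-06-30 16:00:00,060 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: [username: michaelseiler]
WHAT: supplied credentials: [username: michaelseiler]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Tue Jun 30 16:00:00 PDT 2015
CLIENT IP ADDRESS: 192.168.72.69
SERVER IP ADDRESS: 192.168.72.160
=============================================================
"""

AUDIT_BEGIN = "Audit trail record BEGIN"
LDAP_HANDLER = "org.jasig.cas.authentication.LdapAuthenticationHandler"
LDAP_ATTEMPT = "Attempting LDAP authentication"
FIELD_RE = re.compile(r"^(WHO|WHAT|ACTION|APPLICATION|WHEN|CLIENT IP ADDRESS|SERVER IP ADDRESS): (.*)$")


def parse_audit_records(text):
    """Return one dict per inspektr audit record in a cas.log excerpt.
    A record is the field lines between the two '====' separators after BEGIN."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if AUDIT_BEGIN in line:
            current = {}
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
        elif line.startswith("=") and current:
            # the first separator precedes WHO (dict still empty); the second closes it
            records.append(current)
            current = None
    return records


def ldap_attempted(text):
    """True when the LDAP handler logged that it tried to authenticate someone."""
    return any(LDAP_HANDLER in l and LDAP_ATTEMPT in l for l in text.splitlines())


def ldaptive_lines(text):
    """Number of org.ldaptive log lines; a real handler attempt produces many."""
    return sum(1 for l in text.splitlines() if "[org.ldaptive." in l)


def triage(text):
    """Summarise an excerpt the way the reviewers in the thread read it."""
    records = parse_audit_records(text)
    outcomes = Counter(r.get("ACTION", "UNKNOWN") for r in records)
    attempted = ldap_attempted(text)
    if outcomes["AUTHENTICATION_FAILED"] and not attempted:
        verdict = "failures with no LDAP handler attempt: check the authentication wiring, not the LDAP settings"
    elif outcomes["AUTHENTICATION_FAILED"]:
        verdict = "LDAP handler ran and rejected the credential: read the org.ldaptive lines for the bind or DN-resolution error"
    elif attempted:
        verdict = "LDAP handler ran and the audit trail shows no failure"
    else:
        verdict = "no authentication activity in this excerpt"
    return {
        "records": len(records),
        "failed": outcomes["AUTHENTICATION_FAILED"],
        "succeeded": outcomes["AUTHENTICATION_SUCCESS"],
        "anonymous_who": sum(1 for r in records if r.get("WHO") == "audit:unknown"),
        "ldap_attempted": attempted,
        "ldaptive_lines": ldaptive_lines(text),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, excerpt in (("failing", SAMPLE_FAILING_LOG), ("working", SAMPLE_WORKING_LOG)):
        print(name, triage(excerpt))
```

Point it at a cas.log captured after setting org.jasig and org.ldaptive to TRACE as John suggests; `ldaptive_lines` staying at zero while `failed` climbs is the signature of the handler never being invoked.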
Re: [cas-user] Help with CAS 4.0 AD
Carl,

All of our users are in fact in one distinct OU in the AD (ou=fuller), and we then manage web access by the memberOf attribute in each of our individual external apps (e.g. StudentMembers, AlumMembers, EmployeeMembers, etc). Right now, these apps only get the username from CAS -- and not the full attributes list -- and then have to perform a separate query to the AD to get the membership attribute for the authorization portion of logging in to the particular app. I was hoping to bypass all that with v4.0's attribute mapping (among other added benefits), which is why I'm building out this new server. It would give us a smaller maintenance footprint (fewer firewall mods, fewer certificate installs, fewer network calls, etc.); I know that the attribute mapping is possible in 3.5 (with some additional modifications), so I may just revert back to tinkering with a test instance of the current set up instead.

Thanks,
Mike

On Tue, Jun 30, 2015 at 2:03 PM, Waldbieser, Carl waldb...@lafayette.edu wrote:

> Mike,
>
> I think the key part is "without performing a search" in the quote I pulled from the A/D section. I am not sure how that is possible in traditional LDAP unless all the accounts are in a single ou that has been configured beforehand. Our LDAP DIT is context-crazy aka bushy, with accounts for different departments in different ous. I am not sure how that would work using LDAP. Could just be something unclear in the text, though.
>
> Thanks,
> Carl
>
> ----- Original Message -----
> From: Mike Seiler michaelsei...@fuller.edu
> To: cas-user@lists.jasig.org
> Sent: Tuesday, June 30, 2015 4:59:00 PM
> Subject: Re: [cas-user] Help with CAS 4.0 AD
>
> Carl,
>
> Our current CAS server (3.5.2) simply binds as the manager and then authenticates the user from the AD with a search. To me, that first paragraph sample code seems to suggest that it does the same thing - using only the manager credentials to authenticate the user.
>
> Thanks,
> Mike
>
> On Tue, Jun 30, 2015 at 1:17 PM, Waldbieser, Carl waldb...@lafayette.edu wrote:
>
> > Mike,
> >
> > I did notice this while going over the instructions:
> >
> > "The following configuration authenticates users by sAMAccountName without performing a search, which requires manager/administrator credentials in most cases."
> >
> > Is that something special you can do in A/D since sAMAccountName is guaranteed to be unique in the domain? With typical LDAP authN, you need to do a search to get the full DN and then BIND as that DN.
> >
> > Still poking around ...
> >
> > Thanks,
> > Carl
> >
> > ----- Original Message -----
> > From: Mike Seiler michaelsei...@fuller.edu
> > To: cas-user@lists.jasig.org
> > Sent: Tuesday, June 30, 2015 3:39:02 PM
> > Subject: Re: [cas-user] Help with CAS 4.0 AD
> >
> > Here's my cas.properties info:
> >
> > #
> > # General properties
> > #
> > ldap.url=ldaps://id.fuller.edu
> > ldap.connectTimeout=3000
> > ldap.useStartTLS=false
> >
> > #
> > # LDAP connection pool configuration
> > #
> > ldap.pool.minSize=3
> > ldap.pool.maxSize=10
> > ldap.pool.validateOnCheckout=false
> > ldap.pool.validatePeriodically=true
> > ldap.pool.blockWaitTime=3000
> > ldap.pool.validatePeriod=300
> > ldap.pool.prunePeriod=300
> > ldap.pool.idleTime=600
> >
> > #
> > # Authentication
> > #
> >
> > # Base DN of users to be authenticated
> > ldap.baseDn=ou=fuller,DC=id,DC=fuller,DC=edu
> > # the CN=Users here because the CASADMIN is outside the ou we put our normal users into.
> > ldap.authn.managerDN=CN=CASADMIN,CN=Users,DC=id,DC=fuller,DC=edu
> > ldap.authn.managerPassword=
> > ldap.domain=fuller.edu
> > ldap.trustedCert=file:/etc/cas/id_app.pem
> >
> > # [The cut and paste deployer config doesn't actually use the below, but I modified them anyway]
> > ldap.authn.searchFilter=(sAMAccountName=%s)
> > ldap.authn.format=%s...@fuller.edu
> >
> > Thanks for taking a look at this.
> >
> > On Tue, Jun 30, 2015 at 12:06 PM, Waldbieser, Carl waldb...@lafayette.edu wrote:
> >
> > > Mike,
> > >
> > > Could you post the non-sensitive parts of your LDAP configuration? We are using CAS 3.x and using OpenLDAP so it is not necessarily a good match, but our settings look like:
> > >
> > > # == LDAP Authentication settings ==
> > > ldap.authentication.filter=uid=%u
> > > ldap.authentication.server.urls=ldaps://ldap.lafayette.edu
> > > ldap.authentication.basedn=O=lafayette
> > > ldap.authentication.manager.userdn=cn=casbrowser,o=lafayette
> > > ldap.authentication.manager.password=REDACTED
> > > ldap.authentication.ignorePartialResultException=true
> > > ldap.authentication.scope=2
> > > ldap.authentication.jndi.connect.timeout=3000
> > > ldap.authentication.jndi.read.timeout=3000
> > > ldap.authentication.jndi.security.level=simple
> > >
> > > Thanks,
> > > Carl
> > >
> > > ----- Original Message -----
> > > From: Mike Seiler michaelsei...@fuller.edu
> > > To: cas-user@lists.jasig.org
Re: [cas-user] Help with CAS 4.0 AD
Any further suggestions on what might be causing the system to fail to authenticate users? Bind with manager password works. Certificates validate. sAMAccountName is set as the search filter. Any suggestions would be appreciated.

On Wed, Jun 24, 2015 at 8:26 AM, Mike Seiler michaelsei...@fuller.edu wrote:

> Daniel,
>
> Thanks for your response. I redeployed so that my log files would be fresh. I've attached the localhost log, the cas.log, and the catalina.out file to this email. Catalina.out has an enormous amount of DEBUG info; I hope it doesn't get in the way. I also deleted things before the system started loading secure certificates and connecting to the AD server (if you need the entire log, let me know and I'll resend). The cas and localhost logs don't seem to contain much at all.
>
> If it helps shed some light, I built my system using this Git Repo:
> https://github.com/UniconLabs/simple-cas4-overlay-template
>
> And then added in the AD layer using this documentation:
> http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html#active_directory_authentication
>
> Thanks,
> Mike
>
> On Wed, Jun 24, 2015 at 6:39 AM, Daniel Fisher dfis...@vt.edu wrote:
>
> > On Tue, Jun 23, 2015 at 6:33 PM, Mike Seiler michaelsei...@fuller.edu wrote:
> >
> > > Daniel,
> > >
> > > Thanks. I turned on the debug for Ldaptive, and got multiple lines of DEBUG, but none seems to indicate a full error that I can see.
> > >
> > > If I manually set useSSL to true (in deployerConfigContext), the application initializes fine and cas.log still shows authentication failed but there are no other errors to indicate that something is wrong either in catalina.out or cas.log.
> >
> > Sounds like your properties aren't being applied to the deployerConfigContext.xml.
> >
> > > The lines containing the useSSL and useStartTLS:
> > > ---
> > > 2015-06-23 15:12:46,814 DEBUG [org.ldaptive.pool.BlockingConnectionPool] - initialized available queue: [org.ldaptive.pool.Queue@458045035::queueType=LIFO, queue=[org.ldaptive.pool.AbstractConnectionPool$DefaultPooledConnectionProxy@6a3096d4, org.ldaptive.pool.AbstractConnectionPool$DefaultPooledConnectionProxy@630eaf38, org.ldaptive.pool.AbstractConnectionPool$DefaultPooledConnectionProxy@2021f8cc]]
> > > 2015-06-23 15:12:46,820 DEBUG [org.ldaptive.pool.BlockingConnectionPool] - prune pool task scheduled for [org.ldaptive.pool.BlockingConnectionPool@1188516673::name=null, poolConfig=[org.ldaptive.pool.PoolConfig@1654322364::minPoolSize=3, maxPoolSize=10, validateOnCheckIn=false, validateOnCheckOut=false, validatePeriodically=true, validatePeriod=300], activator=null, passivator=null, validator=[org.ldaptive.pool.SearchValidator@725194039::searchRequest=[org.ldaptive.SearchRequest@88681342::*baseDn=, searchFilter=*[org.ldaptive.SearchFilter@1642584434::filter=(objectClass=*), parameters={}], returnAttributes=[1.1], searchScope=OBJECT, timeLimit=0, sizeLimit=1, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, followReferrals=false, intermediateResponseHandlers=null]] pruneStrategy=[org.ldaptive.pool.IdlePruneStrategy@397920599::prunePeriod=300, idleTime=600], connectOnCreate=true, connectionFactory=[org.ldaptive.DefaultConnectionFactory@587430635::provider=org.ldaptive.provider.jndi.JndiProvider@397aec42, config=[org.ldaptive.ConnectionConfig@892141193::ldapUrl=ldap://id.fuller.edu:636, connectTimeout=3000, responseTimeout=-1, sslConfig=[org.ldaptive.ssl.SslConfig@486207397::credentialConfig=[org.ldaptive.ssl.X509CredentialConfig@1427787790::trustCertificates=file:/etc/cas/id_app.pem, authenticationCertificate=null, authenticationKey=null], trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], *useSSL=true, useStartTLS=false*, connectionInitializer=null]], initialized=false, availableCount=3, activeCount=0]
> >
> > Your connection pool initialized successfully. You're likely having DN resolution issues, which may be further indication that your properties aren't being applied. If you post an entire log from a single authentication attempt I can probably point to the problem.
> >
> > --Daniel Fisher
[cas-user] Help with CAS 4.0 AD
Hello all,

I'm running into problems authenticating with Active Directory in CAS 4.0.

What I've done so far:

1) Set up the CAS server using this documentation: http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html#active_directory_authentication
2) Installed secure certificates in Tomcat for both SSL (on 8443) and the AD certificate
3) Installed the certs in the default Java Keystore as well - when things didn't work with only Tomcat certs
4) Updated my cas.properties file with the appropriate credentials and attributes.

*The Problem:*

CAS loads, but returns with "Invalid Credentials" for every attempt to log in (even though I can query the AD from the command line):

*cas.log* file only shows:

2015-06-23 08:45:14,945 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - Setting path for cookies to: /cas/
2015-06-23 08:45:14,945 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - Setting path for cookies to: /cas/
2015-06-23 08:45:23,607 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: supplied credentials: [michaelseiler+password]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Tue Jun 23 08:45:23 PDT 2015
CLIENT IP ADDRESS: 192.168.72.69
SERVER IP ADDRESS: 192.168.72.160
=============================================================

*catalina.out* only shows the following:

2015-06-23 08:45:23,625 DEBUG [org.springframework.webflow.execution.repository.impl.DefaultFlowExecutionRepository] - Putting flow execution '[FlowExecutionImpl@7a9e803c flow = 'login', flowSessions = list[[FlowSessionImpl@5a8d59f8 flow = 'login', state = 'viewLoginForm', scope = map['service' -> [null], 'warnCookieValue' -> false, 'credential' -> michaelseiler+password, 'ticketGrantingTicketId' -> [null], 'viewScope' -> map['commandName' -> 'credential'], 'loginTicket' -> 'LT-2-cVte4SctmZucdLkHSNzw0e3mbTgtpi-logintest.fuller.edu'' into repository

*Debugging/Troubleshooting:*

1) The credentials I am using are correct, as I log in with those credentials currently.
2) From the command line with an *ldapsearch* I am able to retrieve the data concerning my account using the same credentials for Admin + Password that I set in the *cas.properties* file.

It seems I'm missing something that is keeping my CAS install from actually talking to the AD server. I'm at a point where I'm going circular in my Google searches, so any help or pointers to additional resources would be appreciated.

Thanks,
Mike
Re: [cas-user] Help with CAS 4.0 AD
Thanks Carl,

That was actually a leftover from testing. I had tried every option of connection setting, even the ones that don't make sense (like ldaps://host:389 and ldap://host:636); neither of those two worked, of course. However, even with ldaps://id.fuller.edu or ldaps://id.fuller.edu:636 I still get "Invalid Credentials". I've added DEBUG levels to most everything that pertains to LDAP, and I'm still not seeing any errors listed that seem to shed light.

Just as additional info, I noticed that the cas.log in the production server shows the following:

=============================================================
WHO: [username: michaelseiler]
WHAT: supplied credentials: [username: michaelseiler]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Tue Jun 23 22:19:05 PDT 2015
CLIENT IP ADDRESS: 65.129.164.219
SERVER IP ADDRESS: 192.168.72.137
=============================================================

and the test server seems to be missing the username in the WHO section:

=============================================================
WHO: audit:unknown
WHAT: supplied credentials: [michaelseiler+password]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Tue Jun 23 21:09:15 PDT 2015
CLIENT IP ADDRESS: 192.168.72.69
SERVER IP ADDRESS: 192.168.72.160
=============================================================

Not sure if that is an expected difference in CAS 4.0 or not.

Thanks,
Mike

On Tue, Jun 23, 2015 at 4:09 PM, Carl Waldbieser cwaldbie...@gmail.com wrote:

> If you are running on port 636, that typically is ldaps. The initial tcp connection is encrypted using SSL/TLS and you would use STARTTLS=false and USETLS=true. The url scheme is ldaps://host:port/basedn for many ldap libraries (not sure about this one).
>
> Carl Waldbieser
>
> On Jun 23, 2015 6:33 PM, Mike Seiler michaelsei...@fuller.edu wrote:
>
> > Daniel,
> >
> > Thanks. I turned on the debug for Ldaptive, and got multiple lines of DEBUG, but none seems to indicate a full error that I can see. In catalina.out there are a few lines about ldaptive that show the following: useSSL=false, useStartTLS=false,... etc.
> >
> > If I set the ldap.useStartTLS=true in my cas.properties, the application fails to load and tells me that "TLS or SSL already in effect" and then there's a cascading set of errors concerning initializing authentication handlers. If I set ldap.useStartTLS=false, then the application loads fine, but catalina.out shows that useSSL=false as well. If I manually set useSSL to true (in deployerConfigContext), the application initializes fine and cas.log still shows authentication failed but there are no other errors to indicate that something is wrong either in catalina.out or cas.log.
> >
> > The following is from catalina.out which tells me SSL is loading properly:
> > ---
> > 2015-06-23 15:12:46,290 DEBUG [org.ldaptive.ssl.AggregateTrustManager] - checkServerTrusted for sun.security.ssl.X509TrustManagerImpl@23802df5 succeeded
> > 2015-06-23 15:12:46,290 DEBUG [org.ldaptive.ssl.DefaultHostnameVerifier] - verifying hostname=id.fuller.edu against cert=
> > 2015-06-23 15:12:46,300 DEBUG [org.ldaptive.ssl.DefaultHostnameVerifier] - verifyDNS using subjectAltNames=[id-dc2.id.fuller.edu, id.fuller.edu, ID]
> > 2015-06-23 15:12:46,300 DEBUG [org.ldaptive.ssl.DefaultHostnameVerifier] - verifyDNS found hostname match: id.fuller.edu
> > 2015-06-23 15:12:46,300 DEBUG [org.ldaptive.ssl.AggregateTrustManager] - checkServerTrusted for org.ldaptive.ssl.HostnameVerifyingTrustManager@126d0169 succeeded
> > 2015-06-23 15:12:46,300 DEBUG [org.ldaptive.ssl.AggregateTrustManager] - invoking getAcceptedIssuers invoked for sun.security.ssl.X509TrustManagerImpl@23802df5
> > 2015-06-23 15:12:46,300 DEBUG [org.ldaptive.ssl.AggregateTrustManager] - invoking getAcceptedIssuers invoked for org.ldaptive.ssl.HostnameVerifyingTrustManager@126d0169
> >
> > The lines containing the useSSL and useStartTLS:
> > ---
> > 2015-06-23 15:12:46,814 DEBUG [org.ldaptive.pool.BlockingConnectionPool] - initialized available queue: [org.ldaptive.pool.Queue@458045035::queueType=LIFO, queue=[org.ldaptive.pool.AbstractConnectionPool$DefaultPooledConnectionProxy@6a3096d4, org.ldaptive.pool.AbstractConnectionPool$DefaultPooledConnectionProxy@630eaf38, org.ldaptive.pool.AbstractConnectionPool$DefaultPooledConnectionProxy@2021f8cc]]
> > 2015-06-23 15:12:46,820 DEBUG [org.ldaptive.pool.BlockingConnectionPool] - prune pool task scheduled for [org.ldaptive.pool.BlockingConnectionPool@1188516673::name=null, poolConfig=[org.ldaptive.pool.PoolConfig@1654322364::minPoolSize=3, maxPoolSize=10, validateOnCheckIn=false, validateOnCheckOut=false, validatePeriodically=true, validatePeriod=300], activator=null, passivator=null, validator=[org.ldaptive.pool.SearchValidator@725194039::searchRequest=[org.ldaptive.SearchRequest@88681342::*baseDn=, searchFilter=*[org.ldaptive.SearchFilter@1642584434::filter
Re: [cas-user] Help with CAS 4.0 AD
Daniel,

Thanks. I turned on the debug for Ldaptive, and got multiple lines of DEBUG, but none seems to indicate a full error that I can see. In catalina.out there are a few lines about ldaptive that show the following: useSSL=false, useStartTLS=false,... etc.

If I set the ldap.useStartTLS=true in my cas.properties, the application fails to load and tells me that TLS or SSL already in effect and then there's a cascading set of errors concerning initializing authentication handlers. If I set ldap.useStartTLS=false, then the application loads fine, but catalina.out shows that useSSL=false as well. If I manually set useSSL to true (in deployerConfigContext), the application initializes fine and cas.log still shows authentication failed but there are no other errors to indicate that something is wrong either in catalina.out or cas.log.

The following is from catalina.out which tells me SSL is loading properly:
---
2015-06-23 15:12:46,290 DEBUG [org.ldaptive.ssl.AggregateTrustManager] - checkServerTrusted for sun.security.ssl.X509TrustManagerImpl@23802df5 succeeded
2015-06-23 15:12:46,290 DEBUG [org.ldaptive.ssl.DefaultHostnameVerifier] - verifying hostname=id.fuller.edu against cert=
2015-06-23 15:12:46,300 DEBUG [org.ldaptive.ssl.DefaultHostnameVerifier] - verifyDNS using subjectAltNames=[id-dc2.id.fuller.edu, id.fuller.edu, ID]
2015-06-23 15:12:46,300 DEBUG [org.ldaptive.ssl.DefaultHostnameVerifier] - verifyDNS found hostname match: id.fuller.edu
2015-06-23 15:12:46,300 DEBUG [org.ldaptive.ssl.AggregateTrustManager] - checkServerTrusted for org.ldaptive.ssl.HostnameVerifyingTrustManager@126d0169 succeeded
2015-06-23 15:12:46,300 DEBUG [org.ldaptive.ssl.AggregateTrustManager] - invoking getAcceptedIssuers invoked for sun.security.ssl.X509TrustManagerImpl@23802df5
2015-06-23 15:12:46,300 DEBUG [org.ldaptive.ssl.AggregateTrustManager] - invoking getAcceptedIssuers invoked for org.ldaptive.ssl.HostnameVerifyingTrustManager@126d0169

The lines containing the useSSL and useStartTLS:
---
2015-06-23 15:12:46,814 DEBUG [org.ldaptive.pool.BlockingConnectionPool] - initialized available queue: [org.ldaptive.pool.Queue@458045035::queueType=LIFO, queue=[org.ldaptive.pool.AbstractConnectionPool$DefaultPooledConnectionProxy@6a3096d4, org.ldaptive.pool.AbstractConnectionPool$DefaultPooledConnectionProxy@630eaf38, org.ldaptive.pool.AbstractConnectionPool$DefaultPooledConnectionProxy@2021f8cc]]
2015-06-23 15:12:46,820 DEBUG [org.ldaptive.pool.BlockingConnectionPool] - prune pool task scheduled for [org.ldaptive.pool.BlockingConnectionPool@1188516673::name=null, poolConfig=[org.ldaptive.pool.PoolConfig@1654322364::minPoolSize=3, maxPoolSize=10, validateOnCheckIn=false, validateOnCheckOut=false, validatePeriodically=true, validatePeriod=300], activator=null, passivator=null, validator=[org.ldaptive.pool.SearchValidator@725194039::searchRequest=[org.ldaptive.SearchRequest@88681342::*baseDn=, searchFilter=*[org.ldaptive.SearchFilter@1642584434::filter=(objectClass=*), parameters={}], returnAttributes=[1.1], searchScope=OBJECT, timeLimit=0, sizeLimit=1, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, followReferrals=false, intermediateResponseHandlers=null]] pruneStrategy=[org.ldaptive.pool.IdlePruneStrategy@397920599::prunePeriod=300, idleTime=600], connectOnCreate=true, connectionFactory=[org.ldaptive.DefaultConnectionFactory@587430635::provider=org.ldaptive.provider.jndi.JndiProvider@397aec42, config=[org.ldaptive.ConnectionConfig@892141193::ldapUrl=ldap://id.fuller.edu:636, connectTimeout=3000, responseTimeout=-1, sslConfig=[org.ldaptive.ssl.SslConfig@486207397::credentialConfig=[org.ldaptive.ssl.X509CredentialConfig@1427787790::trustCertificates=file:/etc/cas/id_app.pem, authenticationCertificate=null, authenticationKey=null], trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], *useSSL=true, useStartTLS=false*, connectionInitializer=null]], initialized=false, availableCount=3, activeCount=0]

I notice that the baseDN is empty, though I have that set in my cas.properties file as per the file sample on the Active Directory Installation page. Just to verify my credentials, I logged in on our current CAS 3.5.2 server using the same credentials I am trying on the new 4.0 server - both CAS servers access the same Active Directory.

Thanks,
Mike

On Tue, Jun 23, 2015 at 12:33 PM, Daniel Fisher dfis...@vt.edu wrote: On Tue, Jun 23, 2015 at 12:01 PM, Mike Seiler michaelsei...@fuller.edu wrote: Hello all, I'm running into problems authenticating with Active Directory in CAS 4.0. What I've done so far: 1) set up the CAS server using this documentation: http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html#active_directory_authentication 2
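The three combinations Mike walks through above (ldaps URL with StartTLS on, ldap://host:636 with neither flag, ldap://host:636 with useSSL forced on) are exactly the cases worth checking mechanically whenever an ldaptive ConnectionConfig dump shows up in catalina.out. The script below is an added example for this thread, not CAS or ldaptive code: it pulls ldapUrl, useSSL and useStartTLS out of a ConnectionConfig dump as the mail archive renders it (tolerating the `*` emphasis and the space that line wrapping put after `ldap://`) and classifies the transport. The sample strings are constructed to mirror the fields quoted in the thread, and the category names (`conflict`, `plaintext-on-636`, and so on) are this example's own.

```python
"""Classify the transport security of an ldaptive ConnectionConfig as dumped
in CAS/ldaptive DEBUG logs.  Added example, not CAS or ldaptive code."""
import re
from urllib.parse import urlsplit

# Constructed sample: the config quoted in the thread (ldap:// on 636, useSSL forced on).
SAMPLE_PORT_636 = (
    "config=[org.ldaptive.ConnectionConfig@892141193::ldapUrl=ldap:// id.fuller.edu:636, "
    "connectTimeout=3000, responseTimeout=-1, sslConfig=[...], "
    "*useSSL=true, useStartTLS=false*, connectionInitializer=null]"
)
# Constructed sample: ldaps:// scheme with StartTLS also switched on.
SAMPLE_CONFLICT = (
    "config=[org.ldaptive.ConnectionConfig@1::ldapUrl=ldaps://id.fuller.edu, "
    "connectTimeout=3000, useSSL=false, useStartTLS=true, connectionInitializer=null]"
)


def parse_connection_config(log_text: str) -> dict:
    """Extract ldapUrl/useSSL/useStartTLS from a ConnectionConfig dump.

    Strips the '*' emphasis the mail archive adds and any whitespace that
    line wrapping inserted inside the URL.
    """
    text = log_text.replace("*", "")
    cfg = {}
    m = re.search(r"ldapUrl=([^,\]]+)", text)
    if m:
        cfg["ldapUrl"] = re.sub(r"\s+", "", m.group(1))
    for key in ("useSSL", "useStartTLS"):
        m = re.search(rf"\b{key}=(true|false)", text)
        if m:
            cfg[key] = m.group(1) == "true"
    return cfg


def classify_transport(cfg: dict) -> str:
    """Return one of: ldaps, starttls, conflict, plaintext-on-636, plaintext."""
    url = urlsplit(cfg.get("ldapUrl", ""))
    implicit_tls = url.scheme.lower() == "ldaps" or cfg.get("useSSL", False)
    start_tls = cfg.get("useStartTLS", False)
    if implicit_tls and start_tls:
        # StartTLS is negotiated on a cleartext socket; issuing it on a socket
        # that is already TLS is what yields "TLS or SSL already in effect".
        return "conflict"
    if implicit_tls:
        return "ldaps"
    if start_tls:
        return "starttls"
    if url.port == 636:
        # Cleartext LDAP to the LDAPS port: the server expects a TLS handshake
        # first, so the bind fails before the credential is ever checked.
        return "plaintext-on-636"
    # Simple bind with no TLS at all sends the password in the clear.
    return "plaintext"


def assess(log_text: str) -> tuple:
    """Convenience wrapper: (ldapUrl, classification) for one log excerpt."""
    cfg = parse_connection_config(log_text)
    return cfg.get("ldapUrl"), classify_transport(cfg)


if __name__ == "__main__":
    for sample in (SAMPLE_PORT_636, SAMPLE_CONFLICT):
        print(assess(sample))
```

Run it over the relevant catalina.out excerpt; anything other than `ldaps` or `starttls` means the bind is either going to fail or is sending the bind password unencrypted, and the `plaintext-on-636` case is the silent one, since the application starts cleanly and only cas.log reports the failed authentication.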
Re: [cas-user] Logout using phpCAS
Ben,

I have several PHP applications. The only way that I've found to completely kill the local application session is to explicitly set the local PHP session to null and destroy it, then call the phpCAS::logout() method. This ensures that any additional attempts to log in to the local application require authentication through CAS.

session_destroy() only kills a current session if one has started, so that means that you have the odd requirement of calling session_start() just to call session_destroy():

session_start();
session_destroy();
// If you really want to make sure it all dies
$_SESSION = null;
phpCAS::logout();

Mike

On Thu, Feb 19, 2015 at 7:56 AM, Waldbieser, Carl waldb...@lafayette.edu wrote:
Ben, I am not sure, as I don't have the code in front of me at the moment, but calling phpCAS::logout() essentially should stop the current execution and redirect you to the logout URL on your CAS server. If you need to work around a bug, you could probably kill the local session and do the redirect directly in PHP. Thanks, Carl

- Original Message - From: Benjamin Cherian benjamin.cher...@villanova.edu To: cas-user@lists.jasig.org Sent: Thursday, February 19, 2015 10:12:45 AM Subject: Re: [cas-user] Logout using phpCAS
That's what I thought, but the documentation (https://wiki.jasig.org/display/CASC/phpCAS+logout) says that the logout() method will kill the current PHP session. So that assumes the application does not need to call session_destroy(). But if they do call session_destroy() before the phpCAS::logout(), will that cause any issues with the logout? I'd test it out myself, but I don't have access to the application, nor any current PHP applications to test with at the moment.

On 2/19/15, 9:57 AM, Waldbieser, Carl waldb...@lafayette.edu wrote:
Ben, Likely, you also have some kind of PHP session for the application. Generally speaking, logging out of CAS SSO does *NOT* log you out of any application sessions. So you might want to clear any normal PHP session prior to calling `phpCAS::logout()`. Thanks, Carl Waldbieser ITS System Programmer Lafayette College

- Original Message - From: Benjamin Cherian benjamin.cher...@villanova.edu To: cas-user@lists.jasig.org Sent: Thursday, February 19, 2015 9:28:51 AM Subject: [cas-user] Logout using phpCAS
We have a vendor using phpCAS to implement SSO with our CAS server. They created a custom login page to handle CAS. Login works fine, but logout is currently an issue. Currently when we logout, phpCAS::logout() is called and we are redirected to the CAS logout page. When I try to go to any URL within the application, I'm not logged in. When I go to another CAS enabled application, I am not logged in. But when I go back to the custom CAS login page, I am logged back in without being prompted for login credentials. No interaction occurs between the application and the CAS servers, so it is all within the client and the application at this point of re-entry. Is this acceptable behavior for CAS, or is there something more that needs to be done to be fully logged out of the application?
Thanks, Ben
[cas-user] CAS Unavailable Error with casGenericSuccess.jsp
Hello,

We've modified the casGenericSuccess.jsp page to provide a small number of common tasks for people once they've logged in. This works fine on the first login - they see the little link farm with their username. But if someone comes back to the page, they get a generic error stating CAS is Unavailable. Since they are logged in with an appropriate ticket, shouldn't they get the login success page again? Is there an easy fix for this that I am overlooking?

Thanks,
Mike
Re: [cas-user] CAS Unavailable Error with casGenericSuccess.jsp
The cas log only states that I was successfully authenticated, and the catalina log doesn't have anything beyond startup logs.

CAS Log:
2015-01-29 11:01:12,654 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN = WHO: [username: michaelseiler] WHAT: supplied credentials: [username: michaelseiler] ACTION: AUTHENTICATION_SUCCESS APPLICATION: CAS WHEN: Thu Jan 29 11:01:12 PST 2015 CLIENT IP ADDRESS: 192.168.72.69 SERVER IP ADDRESS: 192.168.72.137 =
2015-01-29 11:01:12,683 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN = WHO: [username: michaelseiler] WHAT: TGT-1-06FMI1BkceCkoXkzktnuA9cEBc3T29bB4t4vuBdoyiHaDEoYfW-login.fuller.edu ACTION: TICKET_GRANTING_TICKET_CREATED APPLICATION: CAS WHEN: Thu Jan 29 11:01:12 PST 2015 CLIENT IP ADDRESS: 192.168.72.69 SERVER IP ADDRESS: 192.168.72.137 =

I used the following to retrieve the User's Principal in the view: https://github.com/Unicon/cas-addons/wiki/Authenticated-Principal-in-Generic-Success-Login-View

As I'm looking at it again, I'm assuming that after the initial login (on-entry), the flow changes, and I would need to specify another end-state for returning visitors?

<end-state id="viewGenericLoginSuccess" view="casLoginGenericSuccessView">
  <on-entry>
    <evaluate expression="authenticationSupport.getAuthenticatedPrincipalFrom(requestScope.ticketGrantingTicketId)" result="requestScope.principal"/>
  </on-entry>
</end-state>

On Thu, Jan 29, 2015 at 11:17 AM, Misagh Moayyed mmoay...@unicon.net wrote:
What do the CAS server logs tell you? Some of those tasks you have added probably assume an input to operate on that may not be there. Hard to say without logs.

*From:* Mike Seiler [mailto:michaelsei...@fuller.edu] *Sent:* Thursday, January 29, 2015 12:04 PM *To:* cas-user@lists.jasig.org *Subject:* [cas-user] CAS Unavailable Error with casGenericSuccess.jsp
Hello, We've modified the casGenericSuccess.jsp page to provide a small number of common tasks for people once they've logged in. This works fine on the first login - they see the little link farm with their username. But if someone comes back to the page, they get a generic error stating CAS is Unavailable. Since they are logged in with an appropriate ticket, shouldn't they get the login success page again? Is there an easy fix for this that I am overlooking? Thanks, Mike
Re: [cas-user] CAS Unavailable Error with casGenericSuccess.jsp
I'm using the Unicon maven overlay with CAS 3.5.2 - I'm planning on upgrading to 4 in a month or so, but at the moment we're launching our new login system, so I'm just tweaking the current build.

After setting debug levels, Localhost error log showed the following on second load:

Jan 29, 2015 2:03:36 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [cas] in context with path [/cas] threw exception [Request processing failed; nested exception is org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing [AnnotatedAction@20d15464 targetAction = [EvaluateAction@efb8211 expression = authenticationSupport.getAuthenticatedPrincipalFrom(requestScope.ticketGrantingTicketId), resultExpression = requestScope.principal], attributes = map[[empty]]] in state 'viewGenericLoginSuccess' of flow 'login' -- action execution attributes were 'map[[empty]]'] with root cause
java.lang.NullPointerException: Null key is not allowed!

I'm assuming the expression evaluates to null because there is no need to invoke granting a ticket after a user has already logged in (?). Is it possible then to evaluate the principal id from existing tickets?

On Thu, Jan 29, 2015 at 11:57 AM, Misagh Moayyed mmoay...@unicon.net wrote:
What CAS server version are you using? And was there anything in your "localhost" tomcat log file? This probably fails because your "requestScope.principal" ends up being null on subsequent attempts. If you enable the webflow logs to DEBUG you should be able to observe what that expression is doing.

*From:* Mike Seiler [mailto:michaelsei...@fuller.edu] *Sent:* Thursday, January 29, 2015 12:40 PM *To:* cas-user@lists.jasig.org *Subject:* Re: [cas-user] CAS Unavailable Error with casGenericSuccess.jsp
The cas log only states that I was successfully authenticated, and the catalina log doesn't have anything beyond startup logs.

CAS Log:
2015-01-29 11:01:12,654 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN = WHO: [username: michaelseiler] WHAT: supplied credentials: [username: michaelseiler] ACTION: AUTHENTICATION_SUCCESS APPLICATION: CAS WHEN: Thu Jan 29 11:01:12 PST 2015 CLIENT IP ADDRESS: 192.168.72.69 SERVER IP ADDRESS: 192.168.72.137 =
2015-01-29 11:01:12,683 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN = WHO: [username: michaelseiler] WHAT: TGT-1-06FMI1BkceCkoXkzktnuA9cEBc3T29bB4t4vuBdoyiHaDEoYfW-login.fuller.edu ACTION: TICKET_GRANTING_TICKET_CREATED APPLICATION: CAS WHEN: Thu Jan 29 11:01:12 PST 2015 CLIENT IP ADDRESS: 192.168.72.69 SERVER IP ADDRESS: 192.168.72.137 =

I used the following to retrieve the User's Principal in the view: https://github.com/Unicon/cas-addons/wiki/Authenticated-Principal-in-Generic-Success-Login-View

As I'm looking at it again, I'm assuming that after the initial login (on-entry), the flow changes, and I would need to specify another end-state for returning visitors?

<end-state id="viewGenericLoginSuccess" view="casLoginGenericSuccessView">
  <on-entry>
    <evaluate expression="authenticationSupport.getAuthenticatedPrincipalFrom(requestScope.ticketGrantingTicketId)" result="requestScope.principal"/>
  </on-entry>
</end-state>

On Thu, Jan 29, 2015 at 11:17 AM, Misagh Moayyed mmoay...@unicon.net wrote:
What do the CAS server logs tell you? Some of those tasks you have added probably assume an input to operate on that may not be there. Hard to say without logs.

*From:* Mike Seiler [mailto:michaelsei...@fuller.edu] *Sent:* Thursday, January 29, 2015 12:04 PM *To:* cas-user@lists.jasig.org *Subject:* [cas-user] CAS Unavailable Error with casGenericSuccess.jsp
Hello, We've modified the casGenericSuccess.jsp page to provide a small number of common tasks for people once they've logged in. This works fine on the first login - they see the little link farm with their username. But if someone comes back to the page, they get a generic error stating CAS is Unavailable. Since they are logged in with an appropriate ticket, shouldn't they get the login success page again? Is there an easy fix for this that I am overlooking? Thanks, Mike
Re: [cas-user] Extra Attributes from Active Directory
Carl,

Thanks for your response. I'm seeing in the log that it is trying to access the readExtraAttributesCas20() method, but not retrieving anything:

1D89 .|||||<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
1D89 .||||| <cas:authenticationSuccess>
1D89 .||||| <cas:user>michaelseiler</cas:user>
1D89 .|||||
1D89 .|||||
1D89 .||||| </cas:authenticationSuccess>
1D89 .|||||</cas:serviceResponse>
1D89 .||||| [CurlRequest.php:82]
1D89 .||||<= true
1D89 .|||<= true
1D89 .|||=> CAS_Client::_readExtraAttributesCas20(DOMNodeList) [Client.php:2813]
1D89 .||||Testing for rubycas style attributes [Client.php:2923]

I've updated the casServiceValidationSuccess.jsp to include the additional user attributes, but it doesn't appear to be retrieving and sending them. I've also modified deployerConfigContext.xml to use the LdapPersonAttributeDao in the attributeRepository. What else do I need to do to enable them at the server?

Thanks for your help.
Mike

On Thu, Jan 8, 2015 at 12:10 PM, Waldbieser, Carl waldb...@lafayette.edu wrote:
Mike, Try turning on debug output in the client with something like `phpCAS::setDebug($debug_file);`. Then you can see if the attributes are being returned. If not, you may need to enable them at the server. Thanks, Carl Waldbieser ITS Systems Programmer Lafayette College

- Original Message - From: Mike Seiler michaelsei...@fuller.edu To: cas-user@lists.jasig.org Sent: Thursday, January 8, 2015 2:23:08 PM Subject: [cas-user] Extra Attributes from Active Directory
I'm currently attempting to extract additional attributes using the information found here: https://wiki.jasig.org/display/casum/attributes#Attributes-AccessingattributesusingtheCASclientforjava And then trying to pull the data with phpCAS::getAttribute() in my web application. None of my efforts to extract attributes via their keys seems to be working, and I'm hoping someone has some history with this. I'm using the Unicon CAS Overlay to build my app, and am using Active Directory. I'm successfully authenticating, but pulling additional attributes is still failing for me.
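The phpCAS trace above shows the whole problem in one place: the serviceValidate response carries a cas:user and nothing else, so there is nothing for `_readExtraAttributesCas20()` to find. The parser below is an added example for this thread, not phpCAS or CAS server code. It reads a CAS 2.0/3.0 serviceResponse, distinguishes success from failure, collects attributes from the standard `<cas:attributes>` block (folding repeated elements such as memberOf into a list), and falls back to elements placed directly under `<cas:authenticationSuccess>`, which is what this example assumes the "rubycas style" probe in the log refers to. The sample responses are constructed; the first mirrors the attribute-less response Mike quoted.

```python
"""Parse a CAS 2.0/3.0 serviceValidate response into principal + attributes.
Added example for this thread; not phpCAS or CAS server code."""
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"
# Elements that are part of the protocol itself, never user attributes.
_RESERVED = {"user", "proxyGrantingTicket", "proxies", "attributes"}

# Constructed sample mirroring the attribute-less response in the phpCAS trace.
NO_ATTRS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>michaelseiler</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample of what a server releasing attributes would return.
WITH_ATTRS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>michaelseiler</cas:user>
    <cas:attributes>
      <cas:mail>michaelseiler@example.edu</cas:mail>
      <cas:memberOf>CN=staff,OU=groups,DC=example,DC=edu</cas:memberOf>
      <cas:memberOf>CN=cas-admins,OU=groups,DC=example,DC=edu</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample of a validation failure.
FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def _add(attrs: dict, name: str, text) -> None:
    """Store an attribute value, turning repeats into a list (multi-valued)."""
    value = (text or "").strip()
    if name in attrs:
        existing = attrs[name]
        attrs[name] = existing + [value] if isinstance(existing, list) else [existing, value]
    else:
        attrs[name] = value


def parse_service_response(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "serviceResponse":
        raise ValueError("not a cas:serviceResponse")
    failure = root.find(f"{{{CAS_NS}}}authenticationFailure")
    if failure is not None:
        return {"success": False, "code": failure.get("code"), "message": (failure.text or "").strip()}
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is None:
        raise ValueError("neither authenticationSuccess nor authenticationFailure present")
    user_el = success.find(f"{{{CAS_NS}}}user")
    if user_el is None or not (user_el.text or "").strip():
        raise ValueError("authenticationSuccess without cas:user")
    attrs: dict = {}
    block = success.find(f"{{{CAS_NS}}}attributes")
    if block is not None:
        # CAS 3.0 protocol style: one child element per attribute value.
        for el in block:
            _add(attrs, _local(el.tag), el.text)
    else:
        # Fallback: attribute elements directly under authenticationSuccess
        # (assumption: this is the "rubycas style" layout phpCAS probes for).
        for el in success:
            name = _local(el.tag)
            if name not in _RESERVED:
                _add(attrs, name, el.text)
    return {"success": True, "user": user_el.text.strip(), "attributes": attrs}
```

An empty `attributes` dict on a successful response, as for the first sample, tells you the server simply is not releasing anything for that service; the client-side getAttribute() calls cannot fix that, which is why the thread's next step is on the server.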
[cas-user] Extra Attributes from Active Directory
I'm currently attempting to extract additional attributes using the information found here: https://wiki.jasig.org/display/casum/attributes#Attributes-AccessingattributesusingtheCASclientforjava And then trying to pull the data with phpCAS::getAttribute() in my web application. None of my efforts to extract attributes via their keys seems to be working, and I'm hoping someone has some history with this. I'm using the Unicon CAS Overlay to build my app, and am using Active Directory. I'm successfully authenticating, but pulling additional attributes is still failing for me.
[cas-user] LPPE and Warning Redirect
I just set up a CAS server with the LPPE and am able to redirect the user to change a password, but somehow am missing how to modify login-webflow.xml and lppe-configuration.xml to warn a user that their password is about to expire. The end-state (in login-webflow.xml) for showWarningView is casLoginConfirmView which the notes say is defined in *default_views.properties*; however, this default_views file is not in the repository I cloned. Where should this file go, and how must I set the properties?
Re: [cas-user] Extractor Errors after Install
the test account isn't locked etc. ...and what CAS version are you testing? If none of that is any help, do please post/attach the log here where you see the "credentials bad" error

*From:* Mike Seiler [mailto:michaelsei...@fuller.edu] *Sent:* Tuesday, May 27, 2014 9:58 AM *To:* cas-user@lists.jasig.org *Subject:* Re: [cas-user] Extractor Errors after Install
Misagh, I am using CAS with Active Directory. We are trying to implement a CAS Password Manager that I found on GitHub. So far I've been able to confirm that the Certificates are appropriately installed, and that CAS can speak with the AD server. When these messages occur, I am attempting to log in as my test user, which returns a credentials bad note in the cas.log, as well as these Extractor messages. However, command line searches using my test user's username and password return valid results from AD, so I know that the credentials are valid. If CAS is unable to parse the response, then I suppose that this is causing the credentials bad message? Thanks, Mike

On Tue, May 27, 2014 at 9:38 AM, Misagh Moayyed mmoay...@unicon.net wrote:
These are not errors, per se. These are simply informational messages logged at the DEBUG level. What they indicate is that CAS is unable to parse the incoming request. How are you accessing the CAS server and what are you trying to accomplish?

*From:* Mike Seiler [mailto:michaelsei...@fuller.edu] *Sent:* Tuesday, May 27, 2014 9:10 AM *To:* cas-user@lists.jasig.org *Subject:* [cas-user] Extractor Errors after Install
Hello all, I just installed CAS, and it seems everything was set up properly, but I keep receiving the following errors:
2014-05-23 14:45:25,894 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor did not generate service.
2014-05-23 14:45:25,894 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] - Extractor did not generate service.
My Google searches have not resulted in an answer that solves this. Does anyone have some insight?
Thanks, Mike
[cas-user] Extractor Errors after Install
Hello all,

I just installed CAS, and it seems everything was set up properly, but I keep receiving the following errors:
2014-05-23 14:45:25,894 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor did not generate service.
2014-05-23 14:45:25,894 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] - Extractor did not generate service.
My Google searches have not resulted in an answer that solves this. Does anyone have some insight?

Thanks,
Mike
Re: [cas-user] Extractor Errors after Install
Misagh,

I am using CAS with Active Directory. We are trying to implement a CAS Password Manager that I found on GitHub. So far I've been able to confirm that the Certificates are appropriately installed, and that CAS can speak with the AD server. When these messages occur, I am attempting to log in as my test user, which returns a credentials bad note in the cas.log, as well as these Extractor messages. However, command line searches using my test user's username and password return valid results from AD, so I know that the credentials are valid. If CAS is unable to parse the response, then I suppose that this is causing the credentials bad message?

Thanks,
Mike

On Tue, May 27, 2014 at 9:38 AM, Misagh Moayyed mmoay...@unicon.net wrote:
These are not errors, per se. These are simply informational messages logged at the DEBUG level. What they indicate is that CAS is unable to parse the incoming request. How are you accessing the CAS server and what are you trying to accomplish?

*From:* Mike Seiler [mailto:michaelsei...@fuller.edu] *Sent:* Tuesday, May 27, 2014 9:10 AM *To:* cas-user@lists.jasig.org *Subject:* [cas-user] Extractor Errors after Install
Hello all, I just installed CAS, and it seems everything was set up properly, but I keep receiving the following errors:
2014-05-23 14:45:25,894 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor did not generate service.
2014-05-23 14:45:25,894 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] - Extractor did not generate service.
My Google searches have not resulted in an answer that solves this. Does anyone have some insight? Thanks, Mike
[cas-user] CAS - Active Directory setup
Hello all,

I've just set up the Unicon maven overlay, and tied my CAS server to my Active Directory. I'm now getting the following error with my test user (in *cas.log*):

= WHO: [username: gktesterton] WHAT: error.authentication.credentials.bad ACTION: TICKET_GRANTING_TICKET_NOT_CREATED APPLICATION: CAS WHEN: Thu May 22 15:17:03 PDT 2014 CLIENT IP ADDRESS: SERVER IP ADDRESS: =

However, I know that credentials are valid, as I modified the password for the user myself. There are no other errors in the cas.log anywhere. *catalina.out* has no errors; all errors concerning SSL were resolved previously. Is there a setting on Active Directory I might be missing? Any hint in the right direction would be appreciated.

Thanks,
Mike