[cas-user] Re: EchoingPrincipalResolver

2018-02-23 Thread Klaus-Dieter Krannich
Hi, Lucas, you are right, it works as expected, if no additional principal resolver is configured. As soon as I add an attributeRepoitory via e.g. cas.authn.attrributeRepository.ldap[0] properties, I get the error. In cas-4.2.7 I have: So my question is,

Re: [cas-user] Re: Upgrade CAS 3.5.2 to CAS 5.x

2018-02-23 Thread Chava
Hi Dmitriy, *Are you saying that CAS doesn't support multi-tenancy and **separate** IDP per customer?* Nag On Fri, Feb 9, 2018 at 6:03 PM, Dmitriy Kopylenko wrote: > So, few points. On the class names between 3 and 5 - you don’t have to > worry about it anymore

RE: [cas-user] CAS 5.2.2-snapshot identifies expired TGTs and erroneously reports they are deleted.

2018-02-23 Thread Maxwell, Gary
I did some more looking into how the “EhCacheTicketRegistry.java” class is interfacing with Ehcache and not sure how this can be working for “cas.ticket.tgt.timeToKillInSeconds”. CAS gets an Element from Ehcache within the getTicket() function. CAS then determines if it is expired. When CAS

Re: [cas-user] Stumped on attribute release in CAS 5.1

2018-02-23 Thread Ray Bon
In the project in etc/cas/config there is a log4j.xml. When you say 'gradle to build CAS' do you mean the cas-gradle-overlay-template or cas proper? Use an overlay unless you are planning on developing CAS. https://github.com/apereo/ Ray On Fri, 2018-02-23 at 13:57 -0800, Toby Archer wrote:

Re: [cas-user] Stumped on attribute release in CAS 5.1

2018-02-23 Thread Toby Archer
That sounds like a good idea. Pardon my ignorance, but I'm not sure where to place those logger definitions. I'm using gradle to build CAS and I don't see any xml files in the build process or in the configuration files. On Friday, February 23, 2018 at 3:39:31 PM UTC-6, rbon wrote: > > Toby, >

[cas-user] Re: pay forward?

2018-02-23 Thread Michael O Holstein
All right folks .. the support folks are good with it, and even said along the lines that they'll make it happen if we're close but a tad shy it can still go. So we're good for 40. Ask your boss what you can do with yours .. and noodle up a feature that seems worthwhile. Our expire end of

Re: [cas-user] Stumped on attribute release in CAS 5.1

2018-02-23 Thread Toby Archer
I'm using CAS-Flask because it's quick and easy to test with. I have it printing out all attributes it receives from CAS, it is receiving none. So I expect to receive a list of my name, last name, and email, but get nothing. But perhaps I'm testing

Re: [cas-user] Stumped on attribute release in CAS 5.1

2018-02-23 Thread Ray Bon
Toby, You may need to adjust your service (service registry) to allow the attributes to be released. These log settings may be useful: Ray On Fri, 2018-02-23 at 12:36 -0800, Toby Archer wrote: I'm trying to figure out how to do attribute release and haven't

Re: [cas-user] CAS 5.2 -- Custom Authenticator and UserDetailsService

2018-02-23 Thread Misagh Moayyed
See: https://apereo.github.io/cas/5.2.x/installation/Configuration-Management-Extensions.html https://apereo.github.io/2017/02/21/cas-autocfg-strategy/ https://apereo.github.io/2016/06/26/survey-results/ And refer to Spring Boot docs. --Misagh > From: "Michael MacEachran"

Re: [cas-user] Stumped on attribute release in CAS 5.1

2018-02-23 Thread Misagh Moayyed
What do you expect to happen, and what is actually happening that you consider erroneous? How are you testing the attribute release bit? Not having verified every setting, your config below says: authenticate with ldap, fetch attributes from ldap and release 3 attributes to any and all

[cas-user] Stumped on attribute release in CAS 5.1

2018-02-23 Thread Toby Archer
I'm trying to figure out how to do attribute release and haven't gotten anywhere. I've read all the pages like this one: https://apereo.github.io/cas/5.1.x/integration/Attribute-Release-Policies.html and tried searching this mailing list and followed instructions like in this one:

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-23 Thread David Curry
There are smarter (way smarter) LDAP people than me, but yeah, that's kind of it. Some LDAPs (like AD) will let you bind as the user him/herself to authenticate, others require you to use a special account to make the bind, and then authenticate the user. Although come to think of it, I think AD

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-23 Thread Kevin Liu
Just to make sure I understand the LDAP and CAS connection properly, CAS is sending over a set of credentials to first access the LDAP correct? Is that the bindDN and bindCredential? Does it then search through the result query for userFilter for a match? Also, I'm a little confused about the

[cas-user] CAS 5.2 -- Custom Authenticator and UserDetailsService

2018-02-23 Thread Michael MacEachran
It's been a few years since my last CAS deployment, and oh dear have things changed! I need to use my own AuthenticationManager and UserDetailsService. I see there is no more .xml configuration. So how do I add by own custom beans now? -- - Website: https://apereo.github.io/cas - Gitter

Re: [cas-user] CAS5 management

2018-02-23 Thread David Curry
> Someone should pay you for them. Well, I have to write it up as part of my job anyway; I just decided to go a little further and make it available to world+dog. So I do get paid for the work. Glad you (and others) are finding them helpful. -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION

[cas-user] pay forward?

2018-02-23 Thread Michael O Holstein
Our annual contract with Unicon is going to renew here in a bit, and we have a bunch of unused consulting hours which are for features and whatnot. I'm sure if they're not cool with this I'll get told shortly but here's what I'm proposing .. I'll bet there's a couple others in the same boat ..

RE: [cas-user] CAS5 management

2018-02-23 Thread Cheltenham, Chris
Oh right, you do have good docs. Thanks. Someone should pay you for them. === Thank You; Chris Cheltenham Technology Services The School District of Philadelphia Work # 215-400-5025 Cell # 215-301-6571 From: cas-user@apereo.org [mailto:cas-user@apereo.org] On

Re: [cas-user] CAS5 management

2018-02-23 Thread David Curry
The /status endpoint (but not the endpoints underneath it) is only protected by an IP address pattern. You need to set the cas.adminPagesSecurity.ip property to a regular expression that matches the IP address(es) you want to allow access from. See

Re: [cas-user] Access Strategy not working???

2018-02-23 Thread Tom Poage
I was going to ask about this: Apereo/Unicon, do you have a policy on what/when “breaking” changes are allowed between different versions? E.g. https://semver.org/ In addition to the registry location property change, I think we were also bit by a change from JSON to HJSON somewhere back there

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-23 Thread David Curry
I'm not sure what you mean by your LDAP is really a MSDN, but... If you're using the "AD" type, then you want (according to the documentation), this: cas.authn.ldap[0].userFilter=cn={user} to be: cas.authn.ldap[0].userFilter=sAMAccountName={user} And you should not need (and perhaps should

RE: [cas-user] CAS5 management

2018-02-23 Thread Cheltenham, Chris
Oh ok, this is CentOS. === Thank You; Chris Cheltenham Technology Services The School District of Philadelphia Work # 215-400-5025 Cell # 215-301-6571 From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Ray Bon Sent: Friday, February 23, 2018 12:48

Re: [cas-user] CAS 5.2

2018-02-23 Thread Uxío
Hi, I've known a CAS customisation where after logging in from no particular CASified service an attribute would be passed for a default redirect URL to then re-redirect the user to a particular default service for that particular user (the thing is really just a little bit more complicated

Re: [cas-user] CAS 5.2

2018-02-23 Thread Ray Bon
It is a property in cas.properties (or whatever file you are using for properties). If a login request does not have a service parameter, the redirect goes to this value. See, https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#views Ray On Fri, 2018-02-23 at 12:43

RE: [cas-user] Access Strategy not working???

2018-02-23 Thread Tim Tyler
Travis, Thanks! I think that worked. That is what I get for reading older documentation. I really wish bad lines would not be ignored. Makes me wonder what else I have entered might not be doing anything. Tim *From:* cas-user@apereo.org [mailto:cas-user@apereo.org] *On Behalf Of *Travis

Re: [cas-user] CAS5 management

2018-02-23 Thread Ray Bon
Chris, Check your service registry entry. Ray On Fri, 2018-02-23 at 12:33 -0500, Cheltenham, Chris wrote: David, Along the same lines, /cas/status says access denied. Is a different file? === Thank You; Chris Cheltenham Technology Services The School District of

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-23 Thread Kevin Liu
I finally got it to talk to my LDAP! I've realized I should also put that my LDAP is really a MSDN. It is in a very limited capacity though. Here is my cas.properties and I hope someone can help me figure out how to expand the scope of authentication. My apologies about the obfuscation. #AD

RE: [cas-user] CAS 5.2

2018-02-23 Thread Cheltenham, Chris
Ray, I appreciate that but I don’t know what you mean. === Thank You; Chris Cheltenham Technology Services The School District of Philadelphia Work # 215-400-5025 Cell # 215-301-6571 From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Ray Bon

Re: [cas-user] CAS 5.2

2018-02-23 Thread Ray Bon
Chris, cas.view.defaultRedirectUrl= Ray On Fri, 2018-02-23 at 08:36 -0500, Cheltenham, Chris wrote: Hello Everyone, I am sure most folks change the default landing page AFTER you get login to work. It looks like it lands on a page called casGenericSuccessView.html. My question is how do

RE: [cas-user] CAS5 management

2018-02-23 Thread Cheltenham, Chris
David, Along the same lines, /cas/status says access denied. Is a different file? === Thank You; Chris Cheltenham Technology Services The School District of Philadelphia Work # 215-400-5025 Cell # 215-301-6571 From: cas-user@apereo.org

Re: [cas-user] Access Strategy not working???

2018-02-23 Thread Travis Schmidt
The property was changed in 5.2 to cas.serviceRegistry.json.location. 5.2 currently ignores unknown properties and falls back to default on this. I got bit by this on a deployment two weeks ago. Also the property names for webflow and tgc encryption were changed, so check those as well. On

RE: [cas-user] CAS5 management

2018-02-23 Thread Cheltenham, Chris
Perfect David, I cannot tell you how many different combinations of that user.properties file I tried to no avail. Thanks again === Thank You; Chris Cheltenham Technology Services The School District of Philadelphia Work # 215-400-5025 Cell # 215-301-6571

[cas-user] Re: [CAS 5.X] Proxy Mode and 5.2.x

2018-02-23 Thread Didier Capdevielle
OK, I answer by myself. Found the solution by a colleague in a French list. Thanks a lot to him. I try to explain (sorry for my English): Problem is in our UPortal behind a web front-end server. We have to add *allowedProxyChains* parameter in the web.xml of UPortal. CAS Server 5.2.x needs this

RE: [cas-user] CAS5 management

2018-02-23 Thread Cheltenham, Chris
Thanks again David, Yeah I am sure it's Spring. I wasn’t beating up anyone in particular. Mostly out of frustration that switching a few words around makes all the difference and I have no clue what the combination is. === Thank You; Chris Cheltenham

Re: [cas-user] CAS5 management

2018-02-23 Thread David Curry
As for the cheesiness of it, I believe it's inherited from Spring Security (which is an alternative way you can protect the management webapp): https://docs.spring.io/spring-security/site/docs/2.0.x/reference/html/authentication-common-auth-services.html So blame them, not the CAS project. :-)

Re: [cas-user] CAS5 management

2018-02-23 Thread David Curry
You still need the (unused) password in there, like this: ccheltenham-ext=notused,ROLE_ADMIN,enabled (and you don't really need the "enabled"). Note that "ccheltenham-ext" should then be a user that can authenticate via CAS, since you're protecting the management webapp with CAS. --Dave --

Re: [cas-user] CAS5 management

2018-02-23 Thread David Curry
Admin pages is the /status/dashboard stuff (and all the things underneath). The access to that is controlled with a user.properties file as well. The format is what I gave you in the earlier email. So for casuser, it would be casuser=passwordnotused,ROLE_ADMIN or equivalently,

RE: [cas-user] CAS5 management

2018-02-23 Thread Cheltenham, Chris
Ok I see David, So I tried this and still doesn’t work. ccheltenham-ext=ROLE_ADMIN,enabled I gotta say this is a really stupid and cheesy way to do this. === Thank You; Chris Cheltenham Technology Services The School District of Philadelphia Work #

Re: [cas-user] CAS5 management

2018-02-23 Thread David Curry
Gnarls the Narwhal is The New School's mascot. https://www.newschool.edu/recreation/where-is-gnarls/ I wanted a "dummy" account to use in my CAS testing and documentation, and "casuser" was already taken, so... :-) --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY*

RE: [cas-user] CAS5 management

2018-02-23 Thread Cheltenham, Chris
David, I honestly don’t know what you mean. What admin pages? And how should this be formatted? casuser=ROLE_ADMIN,enabled === Thank You; Chris Cheltenham Technology Services The School District of Philadelphia Work # 215-400-5025 Cell # 215-301-6571

RE: [cas-user] CAS5 management

2018-02-23 Thread Cheltenham, Chris
Thanks David, What is gnarls? === Thank You; Chris Cheltenham Technology Services The School District of Philadelphia Work # 215-400-5025 Cell # 215-301-6571 From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David Curry Sent: Friday,

[cas-user] Access Strategy not working???

2018-02-23 Thread Tim Tyler
CAS users, Ok, I am on CAS 5.2 on Redhat 7. I have created a number of services stored in json files in /etc/cas/services. But I don’t think any of them are getting read by CAS. The CAS-Management creates them and puts them there. But I am not sure CAS is reading them there. My goal

Re: [cas-user] CAS5 management

2018-02-23 Thread David Curry
Your users.properties file is not formatted correctly. It's the same format (and in fact can be the same file) as the one for the admin pages: # The syntax for each line is: # # username=password,grantedAuthority[,grantedAuthority][,enabled|disabled] # gnarls=passwordnotused,ROLE_ADMIN The above

[cas-user] CAS5 management

2018-02-23 Thread Cheltenham, Chris
Hello Everyone, Still having problems with access denied on /cas-management I turned on DEBUG and I see this in the logs. 22T13:22:12.379-05:00[America/New_York], authenticationMethod=Employee-LDAP, successfulAuthenticationHandlers=Employee-LDAP,

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-23 Thread David Curry
Yes, that looks like your DN. But if CAS is not starting, it's something else. Are you using 5.2.2? Can you post your pom.xml and cas.log files as attachments? -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212

[cas-user] Re: CAS5.2 Connect to LDAP

2018-02-23 Thread Kevin Liu
I should also mention that my error is preventing CAS from even loading. It's not that it's not authenticating but rather the system just won't start. On Friday, February 23, 2018 at 8:56:40 AM UTC-6, Kevin Liu wrote: > > For my own account, when I execute the LDAP query in my first post, I >

[cas-user] Re: CAS5.2 Connect to LDAP

2018-02-23 Thread Kevin Liu
For my own account, when I execute the LDAP query in my first post, I can't see my own DN but I can see what I'm a member of. Is the listed member field my DN? member: CN=Kevin Liu,OU=Delta,OU=Alpha,DC=Beta,DC=Gamma Would this be my DN? On Friday, February 23, 2018 at 6:17:22 AM UTC-6,

[cas-user] Re: EchoingPrincipalResolver

2018-02-23 Thread Lucas Ferreira
Which CAS version are you using? For CAS 5.2 the following config works for me: cas.authn.ldap[0].userFilter=(|(uid={user})(mail={user})) cas.authn.ldap[0].principalAttributeId=uid cas.authn.ldap[0].principalAttributeList=uid,mail Please, check if the parameter names that you are using are

Re: [cas-user] CAS 5.2

2018-02-23 Thread David Curry
In theory, people shouldn't ever see that page, because they should be hitting the CAS server from an application, which they then get sent back to after authenticating. The only time you'll see this page is if you go to "/cas/login" with no "?service=" parameter. And if you set the CAS server to

[cas-user] CAS 5.2

2018-02-23 Thread Cheltenham, Chris
Hello Everyone, I am sure most folks change the default landing page AFTER you get login to work. It looks like it lands on a page called casGenericSuccessView.html. My question is how do you change that page? === Thank You; Chris Cheltenham

[cas-user] Re: CAS5.2 Connect to LDAP

2018-02-23 Thread Alberto Cabello Sánchez
On Thu, 22 Feb 2018 13:43:05 -0800 (PST) Kevin Liu wrote: > Correct me if I'm wrong but looking at the directory, not everyone > has a DN. Some users are only members of a group it looks like. I don't think so. DN is the ultimate identifier in LDAP/AD. As stated in MSDN: