Hello, I forgot to mention that I changed the "cn" with "uid":

<bean id="ldapAuthenticationHandler"
      class="org.jasig.cas.authentication.LdapAuthenticationHandler"
      p:principalIdAttribute="uid"
      c:authenticator-ref="authenticator">
    <property name="principalAttributeMap">
        <map>
            <!--
               | This map provides a simple attribute resolution mechanism.
               | Keys are LDAP attribute names, values are CAS attribute names.
               | Use this facility instead of a PrincipalResolver if LDAP is
               | the only attribute source.
               -->
            <entry key="uid" value="uid" />
        </map>
    </property>
</bean>

Regards,
Lutfi

On Thu, Oct 29, 2015 at 6:00 PM, Lutfi Oduncuoglu <lutfioduncuo...@gmail.com> wrote:

> Hello,
>
> I did your suggestions but the problem still occurs. Now my .xml files
> look like:
>
> <bean id="authenticationManager"
>       class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
>     <constructor-arg>
>         <map>
>             <!--
>                | IMPORTANT
>                | Every handler requires a unique name.
>                | If more than one instance of the same handler class is configured, you must explicitly
>                | set its name to something other than its default name (typically the simple class name).
>                -->
>             <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
>             <entry key-ref="primaryAuthenticationHandler" value-ref="primaryPrincipalResolver" />
>             <entry key-ref="ldapAuthenticationHandler" value-ref="usernamePasswordCredentialsResolver" />
>         </map>
>
> and I added the bean
>
> <!-- Required for proxy ticket mechanism -->
> <bean id="proxyPrincipalResolver"
>       class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />
>
> <bean id="usernamePasswordCredentialsResolver"
>       class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />
>
> <!--
>    | Resolves a principal from a credential using an attribute repository that is configured to resolve
>    | against a deployer-specific store (e.g. LDAP).
>    -->
> <bean id="primaryPrincipalResolver"
>       class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver" >
>     <property name="attributeRepository" ref="attributeRepository" />
> </bean>
>
> Also I set TLS to off in cas.properties. However, when I am trying to login
> I sniffed the traffic on my ldap server with tcpdump and tailed the ldap
> log file but there was nothing. The CAS server is doing no ldap search or bind.
> CAS does not do anything with ldap. But I could see some logs during the maven
> process, which are:
>
> Oct 29 16:58:11 ldap slapd[1236]: conn=1195 fd=20 ACCEPT from IP=10.6.16.16:40967 (IP=0.0.0.0:389)
> Oct 29 16:58:11 ldap slapd[1236]: conn=1196 fd=21 ACCEPT from IP=10.6.16.16:40968 (IP=0.0.0.0:389)
> Oct 29 16:58:11 ldap slapd[1236]: conn=1197 fd=22 ACCEPT from IP=10.6.16.16:40969 (IP=0.0.0.0:389)
> Oct 29 16:58:11 ldap slapd[1236]: conn=1198 fd=23 ACCEPT from IP=10.6.16.16:40970 (IP=0.0.0.0:389)
> Oct 29 16:58:11 ldap slapd[1236]: conn=1198 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
> Oct 29 16:58:11 ldap slapd[1236]: conn=1198 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
> Oct 29 16:58:11 ldap slapd[1236]: conn=1198 op=0 RESULT tag=97 err=0 text=
> Oct 29 16:58:11 ldap slapd[1236]: conn=1199 fd=24 ACCEPT from IP=10.6.16.16:40971 (IP=0.0.0.0:389)
> Oct 29 16:58:11 ldap slapd[1236]: conn=1199 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
> Oct 29 16:58:11 ldap slapd[1236]: conn=1199 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
> Oct 29 16:58:11 ldap slapd[1236]: conn=1199 op=0 RESULT tag=97 err=0 text=
> Oct 29 16:58:11 ldap slapd[1236]: conn=1200 fd=25 ACCEPT from IP=10.6.16.16:40972 (IP=0.0.0.0:389)
> Oct 29 16:58:11 ldap slapd[1236]: conn=1200 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
> Oct 29 16:58:11 ldap slapd[1236]: conn=1200 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
> Oct 29 16:58:11 ldap slapd[1236]: conn=1200 op=0 RESULT tag=97 err=0 text=
> Oct 29 16:58:13 ldap slapd[1236]: conn=1195 fd=20 closed (connection lost)
>
> I still got the same error on catalina.out.
>
> Regards
>
> On Thu, Oct 29, 2015 at 5:01 PM, Alex Bouskine <alex.bousk...@univ-lr.fr> wrote:
>
>> Hi Lutfi,
>>
>> In your deployerConfigContext try to replace:
>>
>> <entry key-ref="ldapAuthenticationHandler" value="#{null}" />
>>
>> by:
>>
>> <entry key-ref="ldapAuthenticationHandler" value-ref="usernamePasswordCredentialsResolver" />
>>
>> and add the bean:
>>
>> <bean id="usernamePasswordCredentialsResolver"
>>       class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />
>>
>> plus:
>>
>> <bean id="ldapAuthenticationHandler"
>>       ...
>>       p:principalIdAttribute="cn"
>>       ...
>>       <entry key="cn" value="cn" />
>>       ...
>> </bean>
>>
>> try with the uid attribute instead of cn.
>>
>> Another option: in cas.properties, try ldap.useStartTLS=false
>>
>> Regards,
>>
>> Alex
>>
>> On 29/10/2015 14:57, Lutfi Oduncuoglu wrote:
>>
>> Hello,
>>
>> I changed those values before I added the files to my mail. Actually while
>> doing mvn package it connects to ldap and confirms the credential and other
>> stuff. I can send those logs if you want.
>>
>> Regards
>>
>> On Thu, Oct 29, 2015 at 4:47 PM, Christopher Myers <cmy...@mail.millikin.edu> wrote:
>>
>>> It looks like you might have just copied the config from the examples
>>> without modifying it to fit your environment; for example, the
>>> cas.properties file says that your LDAP server is
>>>
>>> ldap.url=ldap://localhost:389
>>>
>>> and the deployerConfigContext file says that your base DN is
>>>
>>> p:baseDn="ou=users,dc=example,dc=com"
>>>
>>> with bind credentials of
>>>
>>> ldap.authn.baseDn=ou=Users,dc=example,dc=com
>>> ldap.authn.managerDN=cn=admin,dc=example,dc=com
>>> ldap.authn.managerPassword=qwerty123
>>>
>>> so you might want to review the settings and make sure that they've been
>>> tweaked for your environment.
>>>
>>> Chris
>>>
>>>
>>> Lutfi Oduncuoglu <lutfioduncuo...@gmail.com> 10/29/15 8:34 AM
>>>
>>> Hello,
>>>
>>> I have just started to use CAS and I want to authenticate users over my
>>> local ldap server. I did the exact configuration at
>>> http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html.
>>> I added those parts to deployerconfig.xml and cas.properties. Tomcat is running
>>> in SSL mode, so I connect to CAS via https.
>>>
>>> However, when I try to login CAS does not connect to ldap, as you can see
>>> from catalina.out:
>>>
>>> 2015-10-29 15:31:20,466 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <AcceptUsersAuthenticationHandler failed authenticating deneme+password>
>>> 2015-10-29 15:31:20,466 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>>> =============================================================
>>> WHO: audit:unknown
>>> WHAT: supplied credentials: [test+password]
>>> ACTION: AUTHENTICATION_FAILED
>>> APPLICATION: CAS
>>> WHEN: Thu Oct 29 15:31:20 EET 2015
>>> CLIENT IP ADDRESS: 10.6.16.15
>>> SERVER IP ADDRESS: 10.6.16.16
>>> =============================================================
>>>
>>> >
>>> 2015-10-29 15:31:20,467 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>>> =============================================================
>>> WHO: audit:unknown
>>> WHAT: 1 errors, 0 successes
>>> ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
>>> APPLICATION: CAS
>>> WHEN: Thu Oct 29 15:31:20 EET 2015
>>> CLIENT IP ADDRESS: 10.6.16.15
>>> SERVER IP ADDRESS: 10.6.16.16
>>> =============================================================
>>>
>>> >
>>> 2015-10-29 15:31:21,039 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Reloading registered services.>
>>> 2015-10-29 15:31:21,039 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Loaded 1 services.>
>>>
>>> My xml files are below.
>>>
>>> Thank you very much for your help
>>>
>>>
>>> pom.xml
>>>
>>> <!--
>>>   ~ Licensed to Jasig under one or more contributor license
>>>   ~ agreements. See the NOTICE file distributed with this work
>>>   ~ for additional information regarding copyright ownership.
>>>   ~ Jasig licenses this file to you under the Apache License,
>>>   ~ Version 2.0 (the "License"); you may not use this file
>>>   ~ except in compliance with the License. You may obtain a
>>>   ~ copy of the License at the following location:
>>>   ~
>>>   ~ http://www.apache.org/licenses/LICENSE-2.0
>>>   ~
>>>   ~ Unless required by applicable law or agreed to in writing,
>>>   ~ software distributed under the License is distributed on an
>>>   ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
>>>   ~ KIND, either express or implied. See the License for the
>>>   ~ specific language governing permissions and limitations
>>>   ~ under the License.
>>>   -->
>>>
>>> <project xmlns="http://maven.apache.org/POM/4.0.0"
>>>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
>>>     <parent>
>>>         <groupId>org.jasig.cas</groupId>
>>>         <artifactId>cas-server</artifactId>
>>>         <version>4.0.0</version>
>>>     </parent>
>>>     <modelVersion>4.0.0</modelVersion>
>>>     <artifactId>cas-server-webapp</artifactId>
>>>     <packaging>war</packaging>
>>>     <name>Jasig CAS Web Application</name>
>>>     <dependencies>
>>>         <dependency>
>>>             <groupId>org.jasig.cas</groupId>
>>>             <artifactId>cas-server-webapp-support</artifactId>
>>>             <version>${project.version}</version>
>>>             <scope>compile</scope>
>>>         </dependency>
>>>         <dependency>
>>>             <groupId>org.springframework</groupId>
>>>             <artifactId>spring-expression</artifactId>
>>>             <version>${spring.version}</version>
>>>             <scope>runtime</scope>
>>>         </dependency>
>>>         <dependency>
>>>             <groupId>javax.servlet</groupId>
>>>             <artifactId>jstl</artifactId>
>>>             <version>1.1.2</version>
>>>             <type>jar</type>
>>>             <scope>runtime</scope>
>>>         </dependency>
>>>         <dependency>
>>>             <groupId>taglibs</groupId>
>>>             <artifactId>standard</artifactId>
>>>             <version>1.1.2</version>
>>>             <type>jar</type>
>>>             <scope>runtime</scope>
>>>         </dependency>
>>>         <dependency>
>>>             <groupId>org.jasig.cas</groupId>
>>>             <artifactId>cas-server-support-ldap</artifactId>
>>>             <version>4.0.0</version>
>>>         </dependency>
>>>     </dependencies>
>>>
>>>     <build>
>>>         <plugins>
>>>             <plugin>
>>>                 <groupId>org.apache.maven.plugins</groupId>
>>>                 <artifactId>maven-war-plugin</artifactId>
>>>                 <configuration>
>>>                     <warName>cas</warName>
>>>                     <webResources>
>>>                         <resource>
>>>                             <directory>${basedir}/src/main/webapp/WEB-INF</directory>
>>>                             <filtering>true</filtering>
>>>                             <targetPath>WEB-INF</targetPath>
>>>                             <includes>
>>>                                 <include>**/web.xml</include>
>>>                             </includes>
>>>                         </resource>
>>>                     </webResources>
>>>                 </configuration>
>>>             </plugin>
>>>         </plugins>
>>>     </build>
>>>
>>>     <properties>
>>>         <cs.dir>${project.parent.basedir}</cs.dir>
>>>     </properties>
>>> </project>
>>>
>>>
>>> deployerConfigContext.xml
>>>
>>> <?xml version="1.0" encoding="UTF-8"?>
>>> <!--
>>>
>>>     Licensed to Jasig under one or more contributor license
>>>     agreements. See the NOTICE file distributed with this work
>>>     for additional information regarding copyright ownership.
>>>     Jasig licenses this file to you under the Apache License,
>>>     Version 2.0 (the "License"); you may not use this file
>>>     except in compliance with the License. You may obtain a
>>>     copy of the License at the following location:
>>>
>>>       http://www.apache.org/licenses/LICENSE-2.0
>>>
>>>     Unless required by applicable law or agreed to in writing,
>>>     software distributed under the License is distributed on an
>>>     "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
>>>     KIND, either express or implied. See the License for the
>>>     specific language governing permissions and limitations
>>>     under the License.
>>>
>>> -->
>>> <!--
>>> | deployerConfigContext.xml centralizes into one file some of the declarative configuration that
>>> | all CAS deployers will need to modify.
>>> |
>>> | This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
>>> | The beans declared in this file are instantiated at context initialization time by the Spring
>>> | ContextLoaderListener declared in web.xml. It finds this file because this
>>> | file is among those declared in the context parameter "contextConfigLocation".
>>> |
>>> | By far the most common change you will need to make in this file is to change the last bean
>>> | declaration to replace the default authentication handler with
>>> | one implementing your approach for authenticating usernames and passwords.
>>> +-->
>>>
>>> <beans xmlns="http://www.springframework.org/schema/beans"
>>>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>        xmlns:p="http://www.springframework.org/schema/p"
>>>        xmlns:c="http://www.springframework.org/schema/c"
>>>        xmlns:tx="http://www.springframework.org/schema/tx"
>>>        xmlns:util="http://www.springframework.org/schema/util"
>>>        xmlns:sec="http://www.springframework.org/schema/security"
>>>        xsi:schemaLocation="
>>>        http://www.springframework.org/schema/beans
>>>        http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
>>>        http://www.springframework.org/schema/tx
>>>        http://www.springframework.org/schema/tx/spring-tx-3.2.xsd
>>>        http://www.springframework.org/schema/security
>>>        http://www.springframework.org/schema/security/spring-security-3.2.xsd
>>>        http://www.springframework.org/schema/util
>>>        http://www.springframework.org/schema/util/spring-util.xsd">
>>>
>>>     <!--
>>>        | The authentication manager defines security policy for authentication by specifying at a minimum
>>>        | the authentication handlers that will be used to authenticate credential. While the AuthenticationManager
>>>        | interface supports plugging in another implementation, the default PolicyBasedAuthenticationManager should
>>>        | be sufficient in most cases.
>>>        +-->
>>>     <bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
>>>         <constructor-arg>
>>>             <map>
>>>                 <!--
>>>                    | IMPORTANT
>>>                    | Every handler requires a unique name.
>>>                    | If more than one instance of the same handler class is configured, you must explicitly
>>>                    | set its name to something other than its default name (typically the simple class name).
>>>                    -->
>>>                 <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
>>>                 <entry key-ref="primaryAuthenticationHandler" value-ref="primaryPrincipalResolver" />
>>>                 <entry key-ref="ldapAuthenticationHandler" value="#{null}" />
>>>             </map>
>>>         </constructor-arg>
>>>
>>>         <!-- Uncomment the metadata populator to allow clearpass to capture and cache the password
>>>              This switch effectively will turn on clearpass.
>>>         <property name="authenticationMetaDataPopulators">
>>>            <util:list>
>>>               <bean class="org.jasig.cas.extension.clearpass.CacheCredentialsMetaDataPopulator"
>>>                     c:credentialCache-ref="encryptedMap" />
>>>            </util:list>
>>>         </property>
>>>         -->
>>>
>>>         <!--
>>>            | Defines the security policy around authentication. Some alternative policies that ship with CAS:
>>>            |
>>>            | * NotPreventedAuthenticationPolicy - all credential must either pass or fail authentication
>>>            | * AllAuthenticationPolicy - all presented credential must be authenticated successfully
>>>            | * RequiredHandlerAuthenticationPolicy - specifies a handler that must authenticate its credential to pass
>>>            -->
>>>         <property name="authenticationPolicy">
>>>             <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" />
>>>         </property>
>>>     </bean>
>>>
>>>     <!-- Required for proxy ticket mechanism. -->
>>>     <bean id="proxyAuthenticationHandler"
>>>           class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
>>>           p:httpClient-ref="httpClient" />
>>>
>>>     <!--
>>>        | TODO: Replace this component with one suitable for your environment.
>>>        |
>>>        | This component provides authentication for the kind of credential used in your environment. In most cases
>>>        | credential is a username/password pair that lives in a system of record like an LDAP directory.
>>>        | The most common authentication handler beans:
>>>        |
>>>        | * org.jasig.cas.authentication.LdapAuthenticationHandler
>>>        | * org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler
>>>        | * org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler
>>>        | * org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler
>>>        -->
>>>     <bean id="ldapAuthenticationHandler"
>>>           class="org.jasig.cas.authentication.LdapAuthenticationHandler"
>>>           p:principalIdAttribute="cn"
>>>           c:authenticator-ref="authenticator">
>>>         <property name="principalAttributeMap">
>>>             <map>
>>>                 <!--
>>>                    | This map provides a simple attribute resolution mechanism.
>>>                    | Keys are LDAP attribute names, values are CAS attribute names.
>>>                    | Use this facility instead of a PrincipalResolver if LDAP is
>>>                    | the only attribute source.
>>>                    -->
>>>                 <entry key="cn" value="cn" />
>>>             </map>
>>>         </property>
>>>     </bean>
>>>
>>>     <bean id="authenticator" class="org.ldaptive.auth.Authenticator"
>>>           c:resolver-ref="dnResolver"
>>>           c:handler-ref="authHandler" />
>>>
>>>     <bean id="dnResolver" class="org.ldaptive.auth.PooledSearchDnResolver"
>>>           p:baseDn="ou=users,dc=example,dc=com"
>>>           p:subtreeSearch="true"
>>>           p:allowMultipleDns="false"
>>>           p:connectionFactory-ref="searchPooledLdapConnectionFactory"
>>>           p:userFilter="uid={user}" />
>>>
>>>     <bean id="searchPooledLdapConnectionFactory"
>>>           class="org.ldaptive.pool.PooledConnectionFactory"
>>>           p:connectionPool-ref="searchConnectionPool" />
>>>
>>>     <bean id="searchConnectionPool" parent="abstractConnectionPool"
>>>           p:connectionFactory-ref="searchConnectionFactory" />
>>>
>>>     <bean id="searchConnectionFactory"
>>>           class="org.ldaptive.DefaultConnectionFactory"
>>>           p:connectionConfig-ref="searchConnectionConfig" />
>>>
>>>     <bean id="searchConnectionConfig" parent="abstractConnectionConfig"
>>>           p:connectionInitializer-ref="bindConnectionInitializer" />
>>>
>>>     <bean id="bindConnectionInitializer"
>>>           class="org.ldaptive.BindConnectionInitializer"
>>>           p:bindDn="cn=admin,dc=example,dc=com">
>>>         <property name="bindCredential">
>>>             <bean class="org.ldaptive.Credential"
>>>                   c:password="password" />
>>>         </property>
>>>     </bean>
>>>
>>>     <bean id="abstractConnectionPool" abstract="true"
>>>           class="org.ldaptive.pool.BlockingConnectionPool"
>>>           init-method="initialize"
>>>           p:poolConfig-ref="ldapPoolConfig"
>>>           p:blockWaitTime="3000"
>>>           p:validator-ref="searchValidator"
>>>           p:pruneStrategy-ref="pruneStrategy" />
>>>
>>>     <bean id="abstractConnectionConfig" abstract="true"
>>>           class="org.ldaptive.ConnectionConfig"
>>>           p:ldapUrl="ldap://localhost:389"
>>>           p:connectTimeout="3000"
>>>           p:useStartTLS="false"/>
>>>           <!--p:sslConfig-ref="sslConfig" /-->
>>>
>>>     <bean id="ldapPoolConfig" class="org.ldaptive.pool.PoolConfig"
>>>           p:minPoolSize="3"
>>>           p:maxPoolSize="10"
>>>           p:validateOnCheckOut="false"
>>>           p:validatePeriodically="true"
>>>           p:validatePeriod="300" />
>>>
>>>     <!--bean id="sslConfig" class="org.ldaptive.ssl.SslConfig">
>>>         <property name="credentialConfig">
>>>             <bean class="org.ldaptive.ssl.X509CredentialConfig"
>>>                   p:trustCertificates="${ldap.trustedCert}" />
>>>         </property>
>>>     </bean-->
>>>
>>>     <bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
>>>           p:prunePeriod="300"
>>>           p:idleTime="600" />
>>>
>>>     <bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" />
>>>
>>>     <bean id="authHandler"
>>>           class="org.ldaptive.auth.PooledBindAuthenticationHandler"
>>>           p:connectionFactory-ref="bindPooledLdapConnectionFactory" />
>>>
>>>     <bean id="bindPooledLdapConnectionFactory"
>>>           class="org.ldaptive.pool.PooledConnectionFactory"
>>>           p:connectionPool-ref="bindConnectionPool" />
>>>
>>>     <bean id="bindConnectionPool" parent="abstractConnectionPool"
>>>           p:connectionFactory-ref="bindConnectionFactory" />
>>>
>>>     <bean id="bindConnectionFactory"
>>>           class="org.ldaptive.DefaultConnectionFactory"
>>>           p:connectionConfig-ref="bindConnectionConfig" />
>>>
>>>     <bean id="bindConnectionConfig" parent="abstractConnectionConfig" />
>>>
>>>     <bean id="primaryAuthenticationHandler"
>>>           class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">
>>>         <property name="users">
>>>             <map>
>>>                 <entry key="casuser" value="Mellon"/>
>>>             </map>
>>>         </property>
>>>     </bean>
>>>
>>>     <!-- Required for proxy ticket mechanism -->
>>>     <bean id="proxyPrincipalResolver"
>>>           class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />
>>>
>>>     <!--
>>>        | Resolves a principal from a credential using an attribute repository that is configured to resolve
>>>        | against a deployer-specific store (e.g. LDAP).
>>>        -->
>>>     <bean id="primaryPrincipalResolver"
>>>           class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver" >
>>>         <property name="attributeRepository" ref="attributeRepository" />
>>>     </bean>
>>>
>>>     <!--
>>>     Bean that defines the attributes that a service may return. This example uses the Stub/Mock version. A real implementation
>>>     may go against a database or LDAP server. The id should remain "attributeRepository" though.
>>>     +-->
>>>     <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao"
>>>           p:backingMap-ref="attrRepoBackingMap" />
>>>
>>>     <util:map id="attrRepoBackingMap">
>>>         <entry key="uid" value="uid" />
>>>         <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
>>>         <entry key="groupMembership" value="groupMembership" />
>>>     </util:map>
>>>
>>>     <!--
>>>     Sample, in-memory data store for the ServiceRegistry. A real implementation
>>>     would probably want to replace this with the JPA-backed ServiceRegistry DAO
>>>     The name of this bean should remain "serviceRegistryDao".
>>>     +-->
>>>     <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl"
>>>           p:registeredServices-ref="registeredServicesList" />
>>>
>>>     <util:list id="registeredServicesList">
>>>         <bean class="org.jasig.cas.services.RegexRegisteredService"
>>>               p:id="0" p:name="HTTP and IMAP" p:description="Allows HTTP(S) and IMAP(S) protocols"
>>>               p:serviceId="^(https?|imaps?)://.*" p:evaluationOrder="10000001" />
>>>         <!--
>>>         Use the following definition instead of the above to further restrict access
>>>         to services within your domain (including sub domains).
>>>         Note that example.com must be replaced with the domain you wish to permit.
>>>         This example also demonstrates the configuration of an attribute filter
>>>         that only allows for attributes whose length is 3.
>>>         -->
>>>         <!--
>>>         <bean class="org.jasig.cas.services.RegexRegisteredService">
>>>             <property name="id" value="1" />
>>>             <property name="name" value="HTTP and IMAP on example.com" />
>>>             <property name="description" value="Allows HTTP(S) and IMAP(S) protocols on example.com" />
>>>             <property name="serviceId" value="^(https?|imaps?)://([A-Za-z0-9_-]+\.)*example\.com/.*" />
>>>             <property name="evaluationOrder" value="0" />
>>>             <property name="attributeFilter">
>>>                 <bean class="org.jasig.cas.services.support.RegisteredServiceRegexAttributeFilter" c:regex="^\w{3}$" />
>>>             </property>
>>>         </bean>
>>>         -->
>>>     </util:list>
>>>
>>>     <bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
>>>
>>>     <bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor" p:monitors-ref="monitorsList" />
>>>
>>>     <util:list id="monitorsList">
>>>         <bean class="org.jasig.cas.monitor.MemoryMonitor" p:freeMemoryWarnThreshold="10" />
>>>         <!--
>>>         NOTE
>>>         The following ticket registries support SessionMonitor:
>>>           * DefaultTicketRegistry
>>>           * JpaTicketRegistry
>>>         Remove this monitor if you use an unsupported registry.
>>>         -->
>>>         <bean class="org.jasig.cas.monitor.SessionMonitor"
>>>               p:ticketRegistry-ref="ticketRegistry"
>>>               p:serviceTicketCountWarnThreshold="5000"
>>>               p:sessionCountWarnThreshold="100000" />
>>>     </util:list>
>>> </beans>
>>>
>>>
>>> and cas.properties file
>>>
>>> #
>>> # Licensed to Jasig under one or more contributor license
>>> # agreements. See the NOTICE file distributed with this work
>>> # for additional information regarding copyright ownership.
>>> # Jasig licenses this file to you under the Apache License,
>>> # Version 2.0 (the "License"); you may not use this file
>>> # except in compliance with the License. You may obtain a
>>> # copy of the License at the following location:
>>> #
>>> #   http://www.apache.org/licenses/LICENSE-2.0
>>> #
>>> # Unless required by applicable law or agreed to in writing,
>>> # software distributed under the License is distributed on an
>>> # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
>>> # KIND, either express or implied. See the License for the
>>> # specific language governing permissions and limitations
>>> # under the License.
>>> #
>>>
>>> server.name=http://localhost:8080
>>> server.prefix=${server.name}/cas
>>> # IP address or CIDR subnet allowed to access the /status URI of CAS that exposes health check information
>>> cas.securityContext.status.allowedSubnet=127.0.0.1
>>>
>>>
>>> cas.themeResolver.defaultThemeName=cas-theme-default
>>> cas.viewResolver.basename=default_views
>>>
>>> ##
>>> # Unique CAS node name
>>> # host.name is used to generate unique Service Ticket IDs and SAMLArtifacts. This is usually set to the specific
>>> # hostname of the machine running the CAS node, but it could be any label so long as it is unique in the cluster.
>>> host.name=cas01.example.org
>>>
>>> ##
>>> # Database flavors for Hibernate
>>> #
>>> # One of these is needed if you are storing Services or Tickets in an RDBMS via JPA.
>>> #
>>> # database.hibernate.dialect=org.hibernate.dialect.OracleDialect
>>> # database.hibernate.dialect=org.hibernate.dialect.MySQLInnoDBDialect
>>> # database.hibernate.dialect=org.hibernate.dialect.HSQLDialect
>>>
>>> ##
>>> # CAS Logout Behavior
>>> # WEB-INF/cas-servlet.xml
>>> #
>>> # Specify whether CAS should redirect to the specified service parameter on /logout requests
>>> # cas.logout.followServiceRedirects=false
>>>
>>> ##
>>> # Single Sign-On Session Timeouts
>>> # Defaults sourced from WEB-INF/spring-configuration/ticketExpirationPolices.xml
>>> #
>>> # Maximum session timeout - TGT will expire in maxTimeToLiveInSeconds regardless of usage
>>> # tgt.maxTimeToLiveInSeconds=28800
>>> #
>>> # Idle session timeout - TGT will expire sooner than maxTimeToLiveInSeconds if no further requests
>>> # for STs occur within timeToKillInSeconds
>>> # tgt.timeToKillInSeconds=7200
>>>
>>> ##
>>> # Service Ticket Timeout
>>> # Default sourced from WEB-INF/spring-configuration/ticketExpirationPolices.xml
>>> #
>>> # Service Ticket timeout - typically kept short as a control against replay attacks, default is 10s. You'll want to
>>> # increase this timeout if you are manually testing service ticket creation/validation via tamperdata or similar tools
>>> # st.timeToKillInSeconds=10
>>>
>>> ##
>>> # Single Logout Out Callbacks
>>> # Default sourced from WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml
>>> #
>>> # To turn off all back channel SLO requests set slo.disabled to true
>>> # slo.callbacks.disabled=false
>>>
>>> ##
>>> # Service Registry Periodic Reloading Scheduler
>>> # Default sourced from WEB-INF/spring-configuration/applicationContext.xml
>>> #
>>> # Force a startup delay of 2 minutes.
>>> # service.registry.quartz.reloader.startDelay=120000
>>> #
>>> # Reload services every 2 minutes
>>> # service.registry.quartz.reloader.repeatInterval=120000
>>>
>>> ##
>>> # Log4j
>>> # Default sourced from WEB-INF/spring-configuration/log4jConfiguration.xml:
>>> #
>>> # It is often time helpful to externalize log4j.xml to a system path to preserve settings between upgrades.
>>> # e.g. log4j.config.location=/etc/cas/log4j.xml
>>> # log4j.config.location=classpath:log4j.xml
>>> #
>>> # log4j refresh interval in millis
>>> # log4j.refresh.interval=60000
>>>
>>> ##
>>> # Password Policy
>>> #
>>> # Warn all users of expiration date regardless of warningDays value.
>>> password.policy.warnAll=false
>>>
>>> # Threshold number of days to begin displaying password expiration warnings.
>>> password.policy.warningDays=30
>>>
>>> # URL to which the user will be redirected to change the password.
>>> password.policy.url=https://password.example.edu/change
>>>
>>> #========================================
>>> # General properties
>>> #========================================
>>> ldap.url=ldap://localhost:389
>>>
>>> # LDAP connection timeout in milliseconds
>>> ldap.connectTimeout=3000
>>>
>>> # Whether to use StartTLS (probably needed if not SSL connection)
>>> ldap.useStartTLS=true
>>>
>>> #========================================
>>> # LDAP connection pool configuration
>>> #========================================
>>> ldap.pool.minSize=3
>>> ldap.pool.maxSize=10
>>> ldap.pool.validateOnCheckout=false
>>> ldap.pool.validatePeriodically=true
>>>
>>> # Amount of time in milliseconds to block on pool exhausted condition
>>> # before giving up.
>>> ldap.pool.blockWaitTime=3000
>>>
>>> # Frequency of connection validation in seconds
>>> # Only applies if validatePeriodically=true
>>> ldap.pool.validatePeriod=300
>>>
>>> # Attempt to prune connections every N seconds
>>> ldap.pool.prunePeriod=300
>>>
>>> # Maximum amount of time an idle connection is allowed to be in
>>> # pool before it is liable to be removed/destroyed
>>> ldap.pool.idleTime=600
>>>
>>> #========================================
>>> # Authentication
>>> #========================================
>>>
>>> # Base DN of users to be authenticated
>>> ldap.authn.baseDn=ou=Users,dc=example,dc=com
>>>
>>> # Manager DN for authenticated searches
>>> #ldap.authn.managerDN=uid=manager,ou=Users,dc=example,dc=org
>>> ldap.authn.managerDN=cn=admin,dc=example,dc=com
>>>
>>> # Manager password for authenticated searches
>>> ldap.authn.managerPassword=qwerty123
>>>
>>> # Search filter used for configurations that require searching for DNs
>>> #ldap.authn.searchFilter=(&(uid={user})(accountState=active))
>>> ldap.authn.searchFilter=(uid={user})
>>>
>>> # Search filter used for configurations that require searching for DNs
>>> #ldap.authn.format=uid=%s,ou=Users,dc=example,dc=org
>>> ldap.authn.format=uid=%s,ou=users,dc=example,dc=com
>>> #ldap.authn.format=%s...@example.com
>>>
>>> --
>>> You are currently subscribed to cas-user@lists.jasig.org as: cmy...@mail.millikin.edu
>>> To unsubscribe, change settings or access archives, see
>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
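The slapd excerpt in the thread is read by eye: it shows the CAS host binding as cn=admin over a cleartext session (mech=SIMPLE ssf=0) and no SRCH line, which is exactly the "no search or bind for the user" symptom being debugged. The following is an added example, not code from the thread or from the CAS project, that correlates OpenLDAP stats-level log lines per connection (ACCEPT, the two BIND lines, SRCH, RESULT, closed) so that those questions can be answered from a log file rather than by scrolling. The sample log is constructed for the example, modelled on the lines above; the user entry `uid=jdoe`, the second connection and the err=49 (invalidCredentials) result are placeholders, not data from the thread.

```python
"""Correlate OpenLDAP slapd stats log lines per connection.

Added example (not from the cas-user thread or the CAS project).  Answers,
from the log alone: which connections bound, as whom, whether the bind
succeeded, whether a search followed, and whether the simple bind went over a
session with no transport security (ssf=0).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, modelled on the thread's excerpt.  conn 1198 is the
# manager bind + user lookup, conn 1201 is the user's own bind failing with
# err=49 (invalidCredentials), conn 1195 only closes.  All placeholders.
SAMPLE_LOG = """\
Oct 29 16:58:11 ldap slapd[1236]: conn=1198 fd=23 ACCEPT from IP=10.6.16.16:40970 (IP=0.0.0.0:389)
Oct 29 16:58:11 ldap slapd[1236]: conn=1198 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
Oct 29 16:58:11 ldap slapd[1236]: conn=1198 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
Oct 29 16:58:11 ldap slapd[1236]: conn=1198 op=0 RESULT tag=97 err=0 text=
Oct 29 16:58:12 ldap slapd[1236]: conn=1198 op=1 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(uid=jdoe)"
Oct 29 16:58:12 ldap slapd[1236]: conn=1198 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 29 16:58:12 ldap slapd[1236]: conn=1201 fd=26 ACCEPT from IP=10.6.16.16:40975 (IP=0.0.0.0:389)
Oct 29 16:58:12 ldap slapd[1236]: conn=1201 op=0 BIND dn="uid=jdoe,ou=users,dc=example,dc=com" method=128
Oct 29 16:58:12 ldap slapd[1236]: conn=1201 op=0 BIND dn="uid=jdoe,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0
Oct 29 16:58:12 ldap slapd[1236]: conn=1201 op=0 RESULT tag=97 err=49 text=
Oct 29 16:58:13 ldap slapd[1236]: conn=1195 fd=20 closed (connection lost)
"""


@dataclass
class ConnSummary:
    conn: str
    client: Optional[str] = None
    binds: List[dict] = field(default_factory=list)     # dn, mech, ssf, err
    searches: List[dict] = field(default_factory=list)  # base, scope, filter, err, nentries
    closed: bool = False


def parse_slapd_log(text: str) -> Dict[str, ConnSummary]:
    """Group log lines by conn=N; pair each op with its RESULT line."""
    conns: Dict[str, ConnSummary] = {}
    pending: Dict[tuple, dict] = {}  # (conn, op) -> record awaiting RESULT
    for line in text.splitlines():
        m = re.search(r"conn=(\d+) (.*)$", line)
        if not m:
            continue
        cid, rest = m.groups()
        c = conns.setdefault(cid, ConnSummary(cid))
        op_m = re.match(r"op=(\d+) (.*)", rest)
        if op_m:
            op, body = op_m.groups()
            key = (cid, op)
            if body.startswith("BIND dn="):
                # slapd logs two BIND lines per op: method=..., then mech=... ssf=...
                dn = re.match(r'BIND dn="([^"]*)"', body).group(1)
                rec = pending.get(key)
                if rec is None:
                    rec = {"dn": dn, "mech": None, "ssf": None, "err": None}
                    pending[key] = rec
                    c.binds.append(rec)
                mech = re.search(r"mech=(\S+)", body)
                ssf = re.search(r"ssf=(\d+)", body)
                if mech:
                    rec["mech"] = mech.group(1)
                if ssf:
                    rec["ssf"] = int(ssf.group(1))
            elif body.startswith("SRCH base="):
                sm = re.match(r'SRCH base="([^"]*)" scope=(\d+) deref=\d+ filter="([^"]*)"', body)
                rec = {"base": sm.group(1), "scope": int(sm.group(2)),
                       "filter": sm.group(3), "err": None, "nentries": None}
                pending[key] = rec
                c.searches.append(rec)
            elif "RESULT" in body:
                rec = pending.pop(key, None)
                if rec is not None:
                    err = re.search(r"err=(\d+)", body)
                    rec["err"] = int(err.group(1)) if err else None
                    ne = re.search(r"nentries=(\d+)", body)
                    if ne:
                        rec["nentries"] = int(ne.group(1))
        elif "ACCEPT from IP=" in rest:
            c.client = re.search(r"ACCEPT from IP=(\S+)", rest).group(1)
        elif " closed" in rest:
            c.closed = True
    return conns


def searches_under(conns: Dict[str, ConnSummary], base_dn: str) -> List[str]:
    """Filters of every search whose base is at or below base_dn."""
    base = base_dn.lower()
    return [s["filter"] for c in conns.values() for s in c.searches
            if s["base"].lower().endswith(base)]


def findings(conns: Dict[str, ConnSummary]) -> List[tuple]:
    """Security- and debugging-relevant observations as (conn, message)."""
    out = []
    for c in conns.values():
        for b in c.binds:
            if b["mech"] == "SIMPLE" and b["ssf"] == 0:
                out.append((c.conn, f"cleartext simple bind as {b['dn']} from {c.client}"))
            if b["err"] == 49:
                out.append((c.conn, f"invalid credentials for {b['dn']}"))
        if any(b["err"] == 0 for b in c.binds) and not c.searches:
            out.append((c.conn, "successful bind but no search on this connection"))
    return out


if __name__ == "__main__":
    summary = parse_slapd_log(SAMPLE_LOG)
    for conn, msg in findings(summary):
        print(f"conn={conn}: {msg}")
    print("user lookups:", searches_under(summary, "ou=users,dc=example,dc=com"))
```

Run against the thread's real excerpt it reports three cleartext manager binds and no search at all, which is the one-line version of what the poster found with tcpdump and tail.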
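Christopher's point about the two files disagreeing has a mechanical cause: Spring resolves `${...}` placeholders in deployerConfigContext.xml against cas.properties, but the thread's beans carry literal values (`p:ldapUrl="ldap://localhost:389"`, `p:bindDn="cn=admin,..."`, `c:password="password"`, `p:useStartTLS="false"`), so `ldap.url`, `ldap.authn.managerDN`, `ldap.authn.managerPassword` and `ldap.useStartTLS` in cas.properties are never consulted, and the bind password sits in the XML in cleartext. The following is an added example, not code from the thread or from CAS, that parses a deployerConfigContext.xml fragment and flags exactly those conditions. Both inline fragments are constructed for the example: the first mirrors the thread's beans, the second shows the same beans written with placeholders (the property names are the ones the thread's cas.properties already defines).

```python
"""Lint the ldaptive beans in a CAS 4.0 deployerConfigContext.xml.

Added example (not from the cas-user thread or the CAS project).  Flags:
  * literal ldapUrl / bindDn / bind password instead of ${...} placeholders,
    i.e. values that cas.properties cannot override;
  * a literal ldap:// URL without useStartTLS="true" (cleartext binds).
"""
import re
import xml.etree.ElementTree as ET
from typing import List

# Clark-notation prefixes for the Spring namespaces used in the file.
B = "{http://www.springframework.org/schema/beans}"
P = "{http://www.springframework.org/schema/p}"
C = "{http://www.springframework.org/schema/c}"

PLACEHOLDER = re.compile(r"^\$\{[^}]+\}$")


def is_placeholder(value: str) -> bool:
    """True for a whole-value Spring property placeholder such as ${ldap.url}."""
    return bool(value) and bool(PLACEHOLDER.match(value.strip()))


def lint_ldap_config(xml_text: str) -> List[str]:
    root = ET.fromstring(xml_text)
    problems: List[str] = []
    for bean in root.iter(B + "bean"):          # iter() also visits nested beans
        cls = bean.get("class", "")
        bid = bean.get("id") or cls.rsplit(".", 1)[-1]
        if cls == "org.ldaptive.ConnectionConfig":
            url = bean.get(P + "ldapUrl")
            tls = (bean.get(P + "useStartTLS") or "false").strip().lower()
            if url is not None and not is_placeholder(url):
                problems.append(f"{bid}: ldapUrl is hardcoded to {url!r}; "
                                "ldap.url in cas.properties is not applied")
                if url.lower().startswith("ldap://") and tls != "true":
                    problems.append(f"{bid}: ldap:// without useStartTLS=true "
                                    "sends the bind DN and password in cleartext")
        elif cls == "org.ldaptive.BindConnectionInitializer":
            dn = bean.get(P + "bindDn")
            if dn and not is_placeholder(dn):
                problems.append(f"{bid}: bindDn is hardcoded to {dn!r}; "
                                "ldap.authn.managerDN is not applied")
        elif cls == "org.ldaptive.Credential":
            pw = bean.get(C + "password")
            if pw and not is_placeholder(pw):
                problems.append(f"{bid}: bind password is a literal in the XML; "
                                "reference ${ldap.authn.managerPassword} instead")
    return problems


_HEAD = ('<beans xmlns="http://www.springframework.org/schema/beans" '
         'xmlns:p="http://www.springframework.org/schema/p" '
         'xmlns:c="http://www.springframework.org/schema/c">')

# Constructed fragment mirroring the beans posted in the thread.
WEAK_XML = _HEAD + """
  <bean id="abstractConnectionConfig" abstract="true" class="org.ldaptive.ConnectionConfig"
        p:ldapUrl="ldap://localhost:389" p:connectTimeout="3000" p:useStartTLS="false"/>
  <bean id="bindConnectionInitializer" class="org.ldaptive.BindConnectionInitializer"
        p:bindDn="cn=admin,dc=example,dc=com">
    <property name="bindCredential">
      <bean class="org.ldaptive.Credential" c:password="password"/>
    </property>
  </bean>
</beans>"""

# Constructed fragment: same beans, values taken from cas.properties at startup.
HARDENED_XML = _HEAD + """
  <bean id="abstractConnectionConfig" abstract="true" class="org.ldaptive.ConnectionConfig"
        p:ldapUrl="${ldap.url}" p:connectTimeout="${ldap.connectTimeout}"
        p:useStartTLS="${ldap.useStartTLS}"/>
  <bean id="bindConnectionInitializer" class="org.ldaptive.BindConnectionInitializer"
        p:bindDn="${ldap.authn.managerDN}">
    <property name="bindCredential">
      <bean class="org.ldaptive.Credential" c:password="${ldap.authn.managerPassword}"/>
    </property>
  </bean>
</beans>"""


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_XML), ("hardened", HARDENED_XML)):
        print(f"{name}: {lint_ldap_config(doc) or 'no findings'}")
```

The placeholder form only helps if cas.properties is itself kept out of the WAR and out of version control; it moves the password, it does not remove it. Also note the lint cannot judge transport security when `ldapUrl` is a placeholder; check the resolved `ldap.url` and `ldap.useStartTLS` values in cas.properties for that case.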