Matt,

I could figure out the “too many redirect error” issue. It turns out cookies 
saved in the browser cause the issue. Clearing all cookies solved the issue. Per 
one of the users, there are so many MOD_AUTH_CAS_S cookies. We realized that 
there are same-named cookies for URLs like ‘/’, ‘/jira/’ and ‘/wiki/’.
When the user tried to access /jira/, CAS redirected the user to the CAS server 
and returned to /jira/ after the ticket for ‘/’ was validated.  However, the 
cookie for ‘/jira/’ was the one used for verification at the level of 
MOD_AUTH_CAS when the user was returned, resulting in the user being redirected 
to the CAS server. That loop went on and on, resulting in the “too many 
redirect error”.
We set up CASScope at root level before. But I guess the cookies for child 
levels were generated before we set up the CASScope.

BTW, we have CAS logs at Debug level but we could not find any anomaly.

So far, the shared directory part looks to be working OK. I will keep posting 
updates if I find any anomaly.

Thanks,
Doe
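
The cookie shadowing described in this message, modelled as an added example that is not part of the original e-mail and is not mod_auth_cas code. It applies the RFC 6265 path-match and send-order rules and assumes the server reads the first MOD_AUTH_CAS_S cookie in the header; cookie values and all helper names are constructed.

```python
"""Added illustration: same-named cookies at '/' and '/jira/' under RFC 6265 rules."""
from dataclasses import dataclass
from itertools import count

COOKIE_NAME = "MOD_AUTH_CAS_S"  # cookie name reported in the thread


@dataclass
class Cookie:
    name: str
    value: str    # constructed session identifiers, not real cookie values
    path: str
    created: int  # creation order, the RFC 6265 tie-breaker


def path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookies_sent(jar, request_path):
    """Cookie header order per RFC 6265 section 5.4: longest path first, then oldest."""
    hits = [c for c in jar if path_matches(request_path, c.path)]
    return sorted(hits, key=lambda c: (-len(c.path), c.created))


def store(jar, cookie):
    """Set-Cookie replaces only a cookie with the same name AND path (domain omitted)."""
    jar[:] = [c for c in jar if (c.name, c.path) != (cookie.name, cookie.path)]
    jar.append(cookie)


def expire(jar, name, path):
    """Model of an expiring Set-Cookie: it must carry the stale cookie's own Path."""
    jar[:] = [c for c in jar if (c.name, c.path) != (name, path)]


def round_trips_until_login(jar, request_path, scope="/", limit=20):
    """Count CAS round trips before the request is accepted.

    Assumed server model: the first COOKIE_NAME cookie in the header is looked up;
    an unknown value sends the browser to CAS, and the return trip stores a fresh
    cookie at `scope` (the CASScope path). Returns None when `limit` round trips
    pass without success, which is the browser's "too many redirects" condition.
    """
    valid = set()
    clock = count(1000)
    for trips in range(limit + 1):
        first = next((c for c in cookies_sent(jar, request_path)
                      if c.name == COOKIE_NAME), None)
        if first is not None and first.value in valid:
            return trips
        fresh = Cookie(COOKIE_NAME, f"session-{trips}", scope, next(clock))
        valid.add(fresh.value)
        store(jar, fresh)
    return None


if __name__ == "__main__":
    # A cookie issued for /jira/ before CASScope was set to "/" (constructed value).
    jar = [Cookie(COOKIE_NAME, "stale-jira", "/jira/", 1)]
    print("/jira/ with stale cookie:", round_trips_until_login(jar, "/jira/"))
    print("sent order:", [c.path for c in cookies_sent(jar, "/jira/")])
    print("/wiki/ unaffected:", round_trips_until_login(jar, "/wiki/"))
    expire(jar, COOKIE_NAME, "/jira/")
    print("/jira/ after expiry:", round_trips_until_login(jar, "/jira/"))
```

The fresh cookie at `/` never replaces the one at `/jira/` because the two differ in path, so the stale one keeps being sent first until it is expired with its own path or cleared in the browser.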

From: Matt Smith [mailto:[email protected]]
Sent: Thursday, March 03, 2016 11:23 AM
To: Song, Doe-Hyun
Cc: Waldbieser, Carl; [email protected]
Subject: Re: [cas-user] Mod_Auth_Cas Timeout Synchronization on Two Apache 
Servers.

It's tough to tell with just that logging.  Any chance this issue is 
repeatable, and you could increase the log verbosity by setting "CASDebug On" 
and "LogLevel Debug" in your httpd.conf ?

Generally, I see this pattern either when mod_auth_cas cannot write to the 
cookie cache, or if the client browser has conflicting cookies or a large time 
skew. The more detailed logs should provide some hints for that.

-Matt

Thank you,
-Matt

On Wed, Mar 2, 2016 at 1:39 PM, Song, Doe-Hyun <[email protected]> wrote:
Hello Matt,

Just want to update and have one more question. It has been about a week running 
both servers with a shared directory for cache. It seems stable except for a 
couple of anomalies.

Today, a user reported he had a too many redirect error. I checked the access 
log of apache on both servers and can see constant 302 redirects for the user. 
I wonder if the environment I have could cause the redirect loop issue.

Access logs.

Server 1.
10.10.10.20 - - [02/Mar/2016:13:02:05 -0500] "POST /cas//login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:06 -0500] "GET / HTTP/1.1" 302 365
10.10.10.20 - sme [02/Mar/2016:13:02:06 -0500] "GET /?ticket=ST-44-XSJadVjVPpTIEhnYWRZP-cas02q.armada.net HTTP/1.1" 302 307
10.10.10.20 - - [02/Mar/2016:13:02:12 -0500] "GET / HTTP/1.1" 302 365
10.10.10.20 - sme [02/Mar/2016:13:02:12 -0500] "GET /?ticket=ST-45-FhkaLiLYFYpeoOpp32wt-cas02q.armada.net HTTP/1.1" 302 307
10.10.10.20 - - [02/Mar/2016:13:02:12 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:12 -0500] "GET / HTTP/1.1" 302 365
10.10.10.20 - sme [02/Mar/2016:13:02:13 -0500] "GET /?ticket=ST-47-3xRuhcSfI4WW0klBUzjh-cas02q.armada.net HTTP/1.1" 302 307
10.10.10.20 - - [02/Mar/2016:13:02:13 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:13 -0500] "GET / HTTP/1.1" 302 365
10.10.10.20 - sme [02/Mar/2016:13:02:13 -0500] "GET /?ticket=ST-49-HfH4jfehrWf17nya2UvD-cas02q.armada.net HTTP/1.1" 302 307
10.10.10.20 - - [02/Mar/2016:13:02:14 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:14 -0500] "GET / HTTP/1.1" 302 365
10.10.10.20 - sme [02/Mar/2016:13:02:14 -0500] "GET /?ticket=ST-51-desltaeZ2itviwuhJY1q-cas02q.armada.net HTTP/1.1" 302 307
10.10.10.20 - - [02/Mar/2016:13:02:15 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:15 -0500] "GET / HTTP/1.1" 302 365
10.10.10.20 - sme [02/Mar/2016:13:02:15 -0500] "GET /?ticket=ST-53-a4zMTIYzAbrvTzrN0Ilj-cas02q.armada.net HTTP/1.1" 302 307
10.10.10.20 - - [02/Mar/2016:13:02:15 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:16 -0500] "GET / HTTP/1.1" 302 365
10.10.10.20 - sme [02/Mar/2016:13:02:16 -0500] "GET /?ticket=ST-55-Fd10iuIFdt1LwYRrcfDS-cas02q.armada.net HTTP/1.1" 302 307
10.10.10.20 - - [02/Mar/2016:13:02:16 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:16 -0500] "GET / HTTP/1.1" 302 365
10.10.10.20 - sme [02/Mar/2016:13:02:22 -0500] "GET /?ticket=ST-57-dfnHvHE5ecf9BjmpUcen-cas02q.armada.net HTTP/1.1" 302 307
10.10.10.20 - - [02/Mar/2016:13:02:22 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:22 -0500] "GET / HTTP/1.1" 302 365
10.10.10.20 - sme [02/Mar/2016:13:02:22 -0500] "GET /?ticket=ST-59-OUyGT2hYbMzAeyu52Pgs-cas02q.armada.net HTTP/1.1" 302 307
10.10.10.20 - - [02/Mar/2016:13:02:23 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:23 -0500] "GET / HTTP/1.1" 302 365
10.10.10.20 - sme [02/Mar/2016:13:02:23 -0500] "GET /?ticket=ST-61-UfSyPdcgWLm9zO6L9pbl-cas02q.armada.net HTTP/1.1" 302 307
10.10.10.20 - - [02/Mar/2016:13:02:23 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:23 -0500] "GET / HTTP/1.1" 302 365
10.10.10.20 - sme [02/Mar/2016:13:02:24 -0500] "GET /?ticket=ST-63-FRoMZB7ZhGnNGMA5mXq6-cas02q.armada.net HTTP/1.1" 302 307
10.10.10.20 - - [02/Mar/2016:13:02:52 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:53 -0500] "GET / HTTP/1.1" 302 365
10.10.10.20 - sme [02/Mar/2016:13:02:53 -0500] "GET /?ticket=ST-65-NzDggGC5ar2ycF3ZlhgL-cas02q.armada.net HTTP/1.1" 302 307
10.10.10.20 - - [02/Mar/2016:13:02:53 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:54 -0500] "GET / HTTP/1.1" 302 365
10.10.10.20 - sme [02/Mar/2016:13:02:54 -0500] "GET /?ticket=ST-67-pu52dYAXEebpGbBc6EK6-cas02q.armada.net HTTP/1.1" 302 307
10.10.10.20 - - [02/Mar/2016:13:02:54 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:54 -0500] "GET / HTTP/1.1" 302 365
10.10.10.20 - - [02/Mar/2016:13:02:54 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:55 -0500] "GET / HTTP/1.1" 302 365
10.10.10.20 - sme [02/Mar/2016:13:02:55 -0500] "GET /?ticket=ST-71-Oew9ycoPIMObEzIGZPG5-cas02q.armada.net HTTP/1.1" 302 307
10.10.10.20 - - [02/Mar/2016:13:02:55 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:55 -0500] "GET / HTTP/1.1" 302 365


Server 2
10.10.10.20 - - [02/Mar/2016:13:02:06 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:10 -0500] "POST /support/zkau HTTP/1.1" 200 19
10.10.10.20 - - [02/Mar/2016:13:02:12 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:12 -0500] "GET / HTTP/1.1" 302 365
10.10.10.20 - sme [02/Mar/2016:13:02:12 -0500] "GET /?ticket=ST-46-iDiRW3X7IZxBMEdLyKJb-cas02q.armada.net HTTP/1.1" 302 307
10.10.10.20 - - [02/Mar/2016:13:02:12 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:13 -0500] "GET / HTTP/1.1" 302 365
10.10.10.20 - sme [02/Mar/2016:13:02:13 -0500] "GET /?ticket=ST-48-N16Xg5cEsUm9GbtPUjNP-cas02q.armada.net HTTP/1.1" 302 307
10.10.10.20 - - [02/Mar/2016:13:02:13 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:14 -0500] "GET / HTTP/1.1" 302 365
10.10.10.20 - sme [02/Mar/2016:13:02:14 -0500] "GET /?ticket=ST-50-kpKWyk2CnoufFw4WqI91-cas02q.armada.net HTTP/1.1" 302 307
10.10.10.20 - - [02/Mar/2016:13:02:14 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:15 -0500] "GET / HTTP/1.1" 302 365
10.10.10.20 - sme [02/Mar/2016:13:02:15 -0500] "GET /?ticket=ST-52-5Pmfgm1BfH9JuXkz1ide-cas02q.armada.net HTTP/1.1" 302 307
10.10.10.20 - - [02/Mar/2016:13:02:15 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:15 -0500] "GET / HTTP/1.1" 302 365
10.10.10.20 - sme [02/Mar/2016:13:02:15 -0500] "GET /?ticket=ST-54-F211XMckYGpKwVga0CIT-cas02q.armada.net HTTP/1.1" 302 307
10.10.10.20 - - [02/Mar/2016:13:02:16 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:16 -0500] "GET / HTTP/1.1" 302 365
10.10.10.20 - sme [02/Mar/2016:13:02:16 -0500] "GET /?ticket=ST-56-qVni0B5daLJ5G3RUVhrb-cas02q.armada.net HTTP/1.1" 302 307
10.10.10.20 - - [02/Mar/2016:13:02:21 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:22 -0500] "GET / HTTP/1.1" 302 365
10.10.10.20 - sme [02/Mar/2016:13:02:22 -0500] "GET /?ticket=ST-58-56VJrASYDpMohQDmV5fv-cas02q.armada.net HTTP/1.1" 302 307
10.10.10.20 - - [02/Mar/2016:13:02:22 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:23 -0500] "GET / HTTP/1.1" 302 365
10.10.10.20 - sme [02/Mar/2016:13:02:23 -0500] "GET /?ticket=ST-60-zrHtLJpdCdPk2kavKasH-cas02q.armada.net HTTP/1.1" 302 307
10.10.10.20 - - [02/Mar/2016:13:02:23 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:23 -0500] "GET / HTTP/1.1" 302 365
10.10.10.20 - sme [02/Mar/2016:13:02:23 -0500] "GET /?ticket=ST-62-wyUcFaaONqYi1gAMSpjU-cas02q.armada.net HTTP/1.1" 302 307
10.10.10.20 - - [02/Mar/2016:13:02:24 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:24 -0500] "GET / HTTP/1.1" 302 365
10.10.10.20 - sme [02/Mar/2016:13:02:53 -0500] "GET /?ticket=ST-64-fPDvxaVLfG7cOx5yOs69-cas02q.armada.net HTTP/1.1" 302 307
10.10.10.20 - - [02/Mar/2016:13:02:53 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:53 -0500] "GET / HTTP/1.1" 302 365
10.10.10.20 - sme [02/Mar/2016:13:02:53 -0500] "GET /?ticket=ST-66-1TABEJZgVDaq7DAlf7DO-cas02q.armada.net HTTP/1.1" 302 307
10.10.10.20 - - [02/Mar/2016:13:02:54 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:54 -0500] "GET / HTTP/1.1" 302 365
10.10.10.20 - sme [02/Mar/2016:13:02:54 -0500] "GET /?ticket=ST-68-JGYULb9DsEMl7ReEfSx0-cas02q.armada.net HTTP/1.1" 302 307
10.10.10.20 - - [02/Mar/2016:13:02:54 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - sme [02/Mar/2016:13:02:55 -0500] "GET /?ticket=ST-70-wfF7UYFSKDSv2gkjVcvb-cas02q.armada.net HTTP/1.1" 302 307
10.10.10.20 - - [02/Mar/2016:13:02:55 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:55 -0500] "GET / HTTP/1.1" 302 365
10.10.10.20 - sme [02/Mar/2016:13:02:55 -0500] "GET /?ticket=ST-72-0iFSgz3Ww9eMKZjjuW5J-cas02q.armada.net HTTP/1.1" 302 307
10.10.10.20 - - [02/Mar/2016:13:02:55 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:56 -0500] "GET / HTTP/1.1" 302 365
10.10.10.20 - sme [02/Mar/2016:13:02:56 -0500] "GET /?ticket=ST-74-fZtQhynWa2h7gXbxsMHn-cas02q.armada.net HTTP/1.1" 302 307
10.10.10.20 - - [02/Mar/2016:13:02:56 -0500] "GET /cas/login?service=https%3a%2f%2f24tracc-test.armada.net%2f HTTP/1.1" 302 -
10.10.10.20 - - [02/Mar/2016:13:02:57 -0500] "GET / HTTP/1.1" 302 365
10.10.10.20 - sme [02/Mar/2016:13:02:57 -0500] "GET /?ticket=ST-76-B76A9y4NVybrBdf2kITi-cas02q.armada.net HTTP/1.1" 302 307
10.10.10.20 - - [02/Mar/2016:13:03:00 -0500] "POST /zkau HTTP/1.1" 200 18
10.10.10.20 - - [02/Mar/2016:13:03:25 -0500] "POST /support/zkau HTTP/1.1" 200 18
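
A way to spot this pattern automatically, as an added example that is not part of the original thread: it merges access-log lines from both load-balanced servers and flags any client that presents several `?ticket=ST-` requests answered with 302 inside a short window. The sample lines, addresses, user names, threshold and window are constructed assumptions.

```python
"""Added illustration: flag CAS service-ticket redirect loops in Apache access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format as it appears in the thread: ip ident user [ts] "request" status bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "user": m["user"],
        "url": m["url"],
        "status": int(m["status"]),
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
    }


def find_ticket_loops(lines, threshold=3, window=timedelta(seconds=60)):
    """Map client IP -> peak number of ticket landings inside `window`.

    One 302 on a ?ticket=ST-... URL is a normal login (the ticket is stripped
    from the URL by a redirect). Several in quick succession mean each ticket
    was accepted but the session cookie that followed was not.
    """
    landings = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["status"] == 302 and "ticket=ST-" in rec["url"]:
            landings[rec["ip"]].append(rec["ts"])

    findings = {}
    for ip, stamps in landings.items():
        stamps.sort()  # lines from two servers arrive interleaved
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings[ip] = peak
    return findings


# Constructed sample lines in the same format as the logs above.
SERVER1 = [
    '192.0.2.10 - - [02/Mar/2016:13:02:12 -0500] "GET / HTTP/1.1" 302 365',
    '192.0.2.10 - alice [02/Mar/2016:13:02:12 -0500] "GET /?ticket=ST-1-constructedAAAA-cas.example.org HTTP/1.1" 302 307',
    '192.0.2.10 - alice [02/Mar/2016:13:02:14 -0500] "GET /?ticket=ST-3-constructedCCCC-cas.example.org HTTP/1.1" 302 307',
    '192.0.2.11 - bob [02/Mar/2016:13:02:20 -0500] "GET /?ticket=ST-5-constructedEEEE-cas.example.org HTTP/1.1" 302 307',
    '192.0.2.11 - bob [02/Mar/2016:13:02:21 -0500] "GET / HTTP/1.1" 200 5120',
]
SERVER2 = [
    '192.0.2.10 - alice [02/Mar/2016:13:02:13 -0500] "GET /?ticket=ST-2-constructedBBBB-cas.example.org HTTP/1.1" 302 307',
    '192.0.2.10 - alice [02/Mar/2016:13:02:15 -0500] "GET /?ticket=ST-4-constructedDDDD-cas.example.org HTTP/1.1" 302 307',
]

if __name__ == "__main__":
    print("merged:", find_ticket_loops(SERVER1 + SERVER2))
    print("server 1 only:", find_ticket_loops(SERVER1))
```

Behind a load balancer the tickets are split across servers, so a per-server count can stay under the threshold while the merged view does not.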



From: Matt Smith [mailto:[email protected]]
Sent: Monday, February 22, 2016 11:11 PM
To: Song, Doe-Hyun
Cc: Waldbieser, Carl; [email protected]

Subject: RE: [cas-user] Mod_Auth_Cas Timeout Synchronization on Two Apache 
Servers.


Hi Doe,

Unison is for syncing two distinct filesystems.  If you are using a single 
shared filesystem, there is no need for syncing.

Looking forward to hearing your results!
-Matt
On Feb 22, 2016 19:20, "Song, Doe-Hyun" <[email protected]> wrote:
Carl, It was the SE Linux issue. We allow httpd to access nfs file system.

Matt, we launched both apaches. I will let you know if things work after 
several days running with the configuration.
However, I wonder if we need to synchronize Sessions between two apaches as 
Christian did with unison?
Please let me know if HA configuration for Apache is necessary.

Thanks,
Doe

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Waldbieser, Carl
Sent: Monday, February 22, 2016 10:51 AM
To: Song, Doe-Hyun
Cc: [email protected]; Matt Smith
Subject: Re: [cas-user] Mod_Auth_Cas Timeout Synchronization on Two Apache 
Servers.

Is SE Linux running?

  [root]# getenforce
  Enforcing

If so, try turning off SE linux temporarily to test:

  [root]# setenforce 0

Test, then turn it back on:

  [root]# setenforce 1

If it worked in permissive mode, you can try the following to look at the audit 
log from the command line:

  [root]# sealert -a /var/log/audit/audit.log

But you may need to install the package that has `sealert`. I forget what that 
is at the moment.

Thanks,
Carl


----- Original Message -----
From: "Song, Doe-Hyun" <[email protected]>
To: "waldbiec" <[email protected]>
Cc: [email protected], "Matt Smith" <[email protected]>
Sent: Monday, February 22, 2016 10:24:34 AM
Subject: RE: [cas-user] Mod_Auth_Cas Timeout Synchronization on Two Apache 
Servers.

Carl and Matt,

Thanks for your help.
Unfortunately, I can create the foo or foo2 files and apache is the user to run 
httpd. We use Red Hat.


[root@webarms02q dhs]# su apache -s /bin/bash -c "touch 
/mnt/tnsag/cas/cas_cache/foo2"
[root@webarms02q dhs]# cd /mnt/tnsag/cas/cas_cache
[root@webarms02q cas_cache]# ll
total 0
-rw-r--r--. 1 apache apache 0 Feb 22 10:11 foo
-rw-r--r--. 1 apache apache 0 Feb 22 10:14 foo2
[root@webarms02q cas_cache]# ps aux | grep httpd
apache     307  0.0  0.1 422616 14900 ?        Sl   08:32   0:01 /usr/sbin/httpd
apache     310  0.0  0.1 422616 14896 ?        Sl   08:32   0:02 /usr/sbin/httpd
apache     313  0.0  0.1 422616 14924 ?        Sl   08:32   0:01 /usr/sbin/httpd
apache     366  0.0  0.1 422616 14828 ?        Sl   08:57   0:00 /usr/sbin/httpd
root       646  0.0  0.0 110172   848 pts/0    S+   10:14   0:00 grep httpd
root     21988  0.0  0.1 266112 14436 ?        Ss   Feb19   0:21 /usr/sbin/httpd
apache   31507  0.0  0.1 422616 14936 ?        Sl   01:58   0:03 /usr/sbin/httpd
apache   32360  0.0  0.1 422616 14924 ?        Sl   05:49   0:02 /usr/sbin/httpd
apache   32432  0.0  0.1 422616 14900 ?        Sl   06:10   0:02 /usr/sbin/httpd
apache   32637  0.0  0.1 422616 14908 ?        Sl   07:43   0:02 /usr/sbin/httpd
apache   32642  0.0  0.1 422616 14940 ?        Sl   07:43   0:02 /usr/sbin/httpd
apache   32707  0.0  0.1 422616 14920 ?        Sl   08:03   0:02 /usr/sbin/httpd
apache   32756  0.0  0.1 422616 14908 ?        Sl   08:27   0:01 /usr/sbin/httpd
apache   32759  0.0  0.1 422616 14840 ?        Sl   08:28   0:01 /usr/sbin/httpd
[root@webarms02q cas_cache]# cat /etc/issue
Red Hat Enterprise Linux Server release 6.5 (Santiago)
Kernel \r on an \m
[root@webarms02q cas_cache]# uname -a
Linux webarms02q 2.6.32-431.5.1.el6.x86_64 #1 SMP Fri Jan 10 14:46:43 EST 2014 
x86_64 x86_64 x86_64 GNU/Linux
[root@webarms02q cas_cache]# uname -r
2.6.32-431.5.1.el6.x86_64



-----Original Message-----
From: Waldbieser, Carl [mailto:[email protected]]
Sent: Friday, February 19, 2016 4:08 PM
To: Song, Doe-Hyun
Cc: [email protected]; Matt Smith
Subject: Re: [cas-user] Mod_Auth_Cas Timeout Synchronization on Two Apache 
Servers.

Yes, and make sure that is the user running the web service:

  # ps aux | grep httpd

The user will need permissions down every folder.
If all else fails, are you running SE Linux?  That can sometimes restrict 
access to files.

Thanks,
Carl

----- Original Message -----
From: "Matt Smith" <[email protected]>
To: "Song, Doe-Hyun" <[email protected]>
Cc: "waldbiec" <[email protected]>, [email protected]
Sent: Friday, February 19, 2016 3:46:35 PM
Subject: Re: [cas-user] Mod_Auth_Cas Timeout Synchronization on Two Apache 
Servers.

Can you confirm that the Apache user can write to that directory ?

# su apache -s /bin/bash -c "touch /mnt/tnsag/cas/cas_cache/foo"

-Matt

On Fri, Feb 19, 2016 at 3:29 PM, Song, Doe-Hyun <[email protected]> wrote:

> Unfortunately, apache owns the directory.
>
>
> [root@webarms01q cas]# pwd
> /mnt/tnsag/cas
> [root@webarms01q cas]# ll
> drwxr-xr-x. 2 apache apache 4096 Feb 19 12:40 cas_cache
>
> -----Original Message-----
> From: Waldbieser, Carl [mailto:[email protected]]
> Sent: Friday, February 19, 2016 2:48 PM
> To: Song, Doe-Hyun
> Cc: christian folini; [email protected]; [email protected]
> Subject: Re: [cas-user] Mod_Auth_Cas Timeout Synchronization on Two Apache
> Servers.
>
> That typically means the path doesn't exist or the web user (apache?)
> doesn't have permission to read/write in that folder.
>
> Thanks,
> Carl Waldbieser
> ITS Systems Programmer
> Lafayette College
>
> ----- Original Message -----
> From: "Song, Doe-Hyun" <[email protected]>
> To: "christian folini" <[email protected]>, [email protected]
> Cc: [email protected]
> Sent: Friday, February 19, 2016 2:41:38 PM
> Subject: RE: [cas-user] Mod_Auth_Cas Timeout Synchronization on Two Apache
> Servers.
>
> Matt and Christian,
>
> Thanks for your help. I tried to implement it and had interesting error.
>
> Switch the cache directory to network directory.
>
> #CASCookiePath       /var/cache/mod_auth_cas/
> CASCookiePath       /mnt/tnsag/cas/cas_cache/
>
> Then, I have the following error.
> [root@webarms02q cas_cache]# /etc/init.d/httpd restart
> Stopping httpd:                                            [  OK  ]
> Starting httpd: Syntax error on line 7 of /etc/httpd/conf.d/cas.conf:
> MOD_AUTH_CAS: CASCookiePath '/mnt/tnsag/cas/cas_cache/' is not a directory
> or does not end in a trailing '/'!
>                                                            [FAILED]
>
> Thanks,
> Doe
>
>
>
> From: [email protected] [mailto:[email protected]]
> Sent: Wednesday, February 17, 2016 1:41 AM
> To: [email protected]; Song, Doe-Hyun
> Cc: [email protected]
> Subject: AW: [cas-user] Mod_Auth_Cas Timeout Synchronization on Two Apache
> Servers.
>
> Hi guys,
>
> We used to run two identical apaches using mod_auth_cas behind a
> loadbalancer.
> So both apaches would be called www.example.com
> and both cookies had the
> same name. So s2 would overwrite the cookie of s1.
>
> We would keep the sessions in sync on the two apache servers with the help
> of
> unison. This worked just fine as far as mod_auth_cas is concerned.
>
> We eventually moved away because of issues with unison and because the
> pressing
> need for the feature went away too.
>
> Just my 2 cents.
>
> Christian Folini
>
>
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Matt Smith
> Sent: Monday, 15 February 2016 23:54
> To: Song, Doe-Hyun
> Cc: [email protected]
> Subject: RE: [cas-user] Mod_Auth_Cas Timeout Synchronization on Two Apache
> Servers.
>
>
> Yes, that is what should occur.  But please note that while I think this
> should work, you may experience things we did not anticipate in the
> design.  I would love to get your results, though, if you do attempt this.
> On Feb 15, 2016 16:40, "Song, Doe-Hyun" <[email protected]> wrote:
> Matt,
>
> If so, can we have one cookie for both instances? Currently one cookie per
> apache is created, meaning two cookies with different name with S1 and S2
> suffix.
>
> Thanks,
> Doe
>
> From: Matt Smith [mailto:[email protected]]
> Sent: Monday, February 15, 2016 4:20 PM
> To: Song, Doe-Hyun
> Cc: [email protected]
> Subject: Re: [cas-user] Mod_Auth_Cas Timeout Synchronization on Two Apache
> Servers.
>
> Hello,
>
> This is an interesting use-case, and not one that the mod_auth_cas team
> has designed for.  I have heard of deployers pointing CASCookiePath at a
> shared network location for fault tolerance, but I'm thinking that may also
> work for this use-case.  Would you be able to try configuring CASCookiePath
> to shared storage, e.g., NFS, and see if this meets your requirements?
> This would allow each instance to use exactly the same cookie information.
>
> -Matt
>
> On Fri, Feb 12, 2016 at 2:40 PM, Song, Doe-Hyun <[email protected]> wrote:
> CAS Community,
>
> We use Mod_Auth_Cas for our CAS Client. We have Mod_Auth_Cas on two apache
> servers respectively. Each Apache is invoked randomly through Load Balancer
> up front with a single URL.
>
> Each Mod_Auth_Cas generates Cookie as Mod_Auth_Cas_S1 for S1 instance and
> Mod_Auth_Cas_S2 for S2 instance. I can see two cookies from my browser.
>
> Because of some reasons, I would like to synchronize timeout of those two
> instances. Timeout could be different if S1 is invoked at 1:00PM and S2 is
> invoked at 1:10PM.
>
> FYI, CAS Server uses Ehcache to synchronize tickets between two CAS
> Servers.
>
> Thanks,
>
> Doe Song
>
>
>
>
> The information contained in this e-mail and any attachments is
> confidential and
>
> intended only for the recipient. If you are not the intended recipient, the
>
> information contained in this message may not be used, copied, or
> forwarded to
>
> third parties or otherwise distributed for any other purpose. Please
> notify the
>
> sender if you received this e-mail in error and delete the e-mail and its
>
> attachments promptly.  Nothing in this e-mail may be used or deemed to
> form the
>
> basis of a contractual or any other legally binding obligation unless
> separately
>
> confirmed in writing by an authorized representative of ARMADA.
> --
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
>
>
>
> --
> [email protected]
> PGP: E2144AD8


