We recently upgraded from 5.0.2 to 5.0.3.1, but had to roll it back due
to strange LDAP attribute problems that appeared afterwards. A couple of
hours after the upgrade (strange right there that the problems didn't
manifest right away after the upgrade), we began receiving problem reports
that were traced back to applications not receiving expected attributes
from CAS upon successful authentication.

Previously we'd get attributes from our LDAP (389DS) like:

INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
<Authenticated principal [user1] and attributes {cn=Firstname Lastname, 
eduPersonAffiliation=student, eduPersonOrgDN=uhm, 
[email protected], givenName=Firstname, 
LdapAuthenticationHandler.dn=uhEntry=*****,ou=People,dc=hawaii,dc=edu, 
[email protected], sn=Lastname, attrFoo=Foo, attrBar=Bar, attrBaz=Baz} with 
credentials [user1].>

But once the problems began, we'd only receive:

INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
<Authenticated principal [user1] and attributes 
{LdapAuthenticationHandler.dn=uhEntry=*****,ou=People,dc=hawaii,dc=edu} with 
credentials [user1].>

On the LDAP side of things, it looks like the exact same query. Only for
the first successful example, we get one result (n=1), and for the second,
no results (n=0, and no errors). Rolling back CAS to 5.0.2 fixes the
problem. We can see from our CAS logs that we'd occasionally see the n=0
results with 5.0.2 a few times a day, but it wasn't a permanent condition.
With 5.0.3 once we get the n=0 result, it will permanently return n=0. We
did not touch our LDAP service or our CAS configs for LDAP as part of the
upgrade.

Furthermore, before we rolled back the upgrade, our developers observed
that they were able to work around the problem by clearing cookies in
their browsers. We're still trying to wrap our heads around how this could
affect the LDAP queries/results as seen on the LDAP host.

Unfortunately, we have thus far been unable to replicate these problems
in our test environments. Nor have we been able to yet identify any other
significant differences between these environments.

Has anyone seen anything similar, or have any ideas what might be involved
here?

Aloha,
-baron
-- 
Baron Fujimoto <[email protected]> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
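
Added example (not part of the original message, and not CAS project code): a small Python scan of CAS logs for the symptom described above, reporting users whose "Authenticated principal" entries went from a full attribute set to only LdapAuthenticationHandler.dn. The sample log lines are constructed in the format quoted in the message, with placeholder values, and the attribute splitting assumes new keys follow ", " while DN components use "," without a space.

```python
import re
from collections import defaultdict

DN_KEY = "LdapAuthenticationHandler.dn"
# Whitespace-tolerant, because the entries may be wrapped across lines.
ENTRY = re.compile(
    r"<Authenticated\s+principal\s+\[(?P<user>[^\]]+)\]\s+and\s+attributes\s+"
    r"\{(?P<attrs>.*?)\}\s+with\s+credentials\s+\[", re.S)

def parse_attrs(blob):
    """Split 'k=v, k=v' on ', ' only where a new key follows, so DN values
    such as 'uhEntry=1,ou=People' (no space after the comma) stay whole."""
    blob = re.sub(r"\s*\n\s*", " ", blob).strip()
    pairs = re.split(r", (?=[\w.]+=)", blob) if blob else []
    return dict(p.split("=", 1) for p in pairs if "=" in p)

def scan(log_text):
    """Return (events, degraded): each authentication in log order, and the
    users who had a full attribute set earlier but later got DN-only."""
    events, had_full, degraded = [], defaultdict(bool), []
    for m in ENTRY.finditer(log_text):
        user, keys = m["user"], set(parse_attrs(m["attrs"]))
        dn_only = keys <= {DN_KEY}          # also true for an empty set
        events.append((user, dn_only, sorted(keys)))
        if dn_only and had_full[user] and user not in degraded:
            degraded.append(user)
        had_full[user] = had_full[user] or not dn_only
    return events, degraded

# Constructed sample in the format quoted in the post; all values are placeholders.
PREFIX = "INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - "
DN = DN_KEY + "=uhEntry=00000000,ou=People,dc=example,dc=edu"
FULL = "{cn=Firstname Lastname, eduPersonAffiliation=student, " + DN + ", sn=Lastname}"
SAMPLE = "\n".join([
    PREFIX + "<Authenticated principal [user1] and attributes " + FULL
    + " with credentials [user1].>",
    PREFIX + "<Authenticated principal [user2] and attributes " + FULL
    + " with credentials [user2].>",
    # wrapped the way the mail client wrapped the entries above
    PREFIX + "\n<Authenticated principal [user1] and attributes \n{" + DN
    + "} with \ncredentials [user1].>",
    PREFIX + "<Authenticated principal [user3] and attributes {" + DN
    + "} with credentials [user3].>",
])

if __name__ == "__main__":
    events, degraded = scan(SAMPLE)
    for user, dn_only, keys in events:
        print(f"{user:6} {'DN-ONLY' if dn_only else 'full   '} {keys}")
    print("lost attributes after a full result:", degraded)
```

Counting the DN-only events per hour before and after an upgrade separates the occasional n=0 results from the permanent condition.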
