err sorry, for 6.1 the attributes are cas.authn.attributeRepository.expirationTime=0 cas.authn.attributeRepository.expirationTimeUnit=MINUTES
On Thursday, October 15, 2020 at 3:38:41 PM UTC-6 Samuel Lyons wrote: > We have solved an issue very similar to this and is probably this issue. > What happens is that there's a default attribute repository cache that > basically stores the username's hashCode (the username is in like a list > with one value or something like that and then it calls the hashCode() > method on it) as a key > https://github.com/apereo/person-directory/blob/2e1439bf804a2b93019b8e5846837fe2628abbd7/person-directory-impl/src/main/java/org/apereo/services/persondir/support/AttributeBasedCacheKeyGenerator.java#L326 > . > The method .hashCode does NOT guarantee unique values out of it. In fact > similar string have a higher probability of having the same hashCode but > this still can effect ones that are fairly different. To know if this is > your issue, take the username of both inidividuals and run a test java > program that calls the default .hashCode method on them and see if they > have the same value. The solution that was found was to turn the cache off > > cas.authn.attribute-repository.expiration-time=0 > cas.authn.attribute-repository.expiration-time-unit=MINUTES > > On Tuesday, October 13, 2020 at 11:51:02 AM UTC-6 [email protected] wrote: > >> That didn't solve it. >> >> But I found one customization: one line groovy script for fixing the >> username for google. >> >> I replaced it by another attribute provider. >> >> On Friday, October 9, 2020 at 9:53:42 AM UTC-3 Danilo Mendes wrote: >> >>> Thank you for your responses. >>> >>> It only customized the login form adding some warnings about usage. >>> >>> It doesnt have a proxy, or cache... At the beginning we had a load >>> balancer (haproxy) serving a CAS cluster, but, mitigating this issue, I >>> removed it for simplifying the installation and because it has an open >>> issue that I thought it might be related ( >>> https://github.com/haproxy/haproxy/issues/583). Since then I have only >>> one CAS working directly and the problem persists. >>> >>> After Richard's reply I extended my investigation to the LDAP server and >>> found that the node I was using was very old and unmaintained 389-ds. Then >>> I switched the config to a new one. >>> >>> Since that I have few hours without incidents. I hope it keeps like that. >>> >>> On Friday, October 9, 2020 at 8:33:35 AM UTC-3 [email protected] >>> wrote: >>> >>>> >>>> >>>> There’s not a caching proxy in front of your application is there? If >>>> so make sure caching is switched off, we’ve seen something similar and the >>>> cache was the problem. >>>> >>>> >>>> >>>> Duncan >>>> >>>> >>>> >>>> *From:* 'Richard Frovarp' via CAS Community <[email protected]> >>>> *Sent:* 08 October 2020 19:04 >>>> *To:* [email protected] >>>> *Subject:* Re: [cas-user] Wrong user authenticated >>>> >>>> >>>> >>>> Probably not? That sounds like code that is being hit somewhere that >>>> isn't thread safe. The built in LDAP code to CAS should be just fine with >>>> that respect. Assuming you're using a well supported LDAP server that >>>> wouldn't have thread issues? I don't know how a HTTP proxy would impact >>>> this. I guess the question is, do you have any custom code anywhere in the >>>> network or login flow? >>>> >>>> >>>> >>>> On Thu, 2020-10-08 at 14:59 -0300, Danilo Mendes wrote: >>>> >>>> My server is hosted on a vmware4 server and I`ve followed a lead about >>>> entropy and noted that /dev/random dont play well with VMs. >>>> >>>> >>>> >>>> Do any of you think it could be related? >>>> >>>> >>>> -- >>>> >>>> Danilo Mendes >>>> >>>> >>>> >>>> >>>> >>>> On Tue, Oct 6, 2020 at 11:06 AM Danilo Mendes <[email protected]> >>>> wrote: >>>> >>>> Hello, >>>> >>>> >>>> >>>> I have a 6.1.7.1 installation authenticating gsuite apps against a LDAP >>>> directory. It`s configured using standalone profile. >>>> >>>> >>>> >>>> Most of the time it works OK, but sometimes when two users tries to >>>> authenticate at the same time it sends wrong responses and User A opens >>>> User B account. >>>> >>>> >>>> >>>> Can you o help me debugging? Or to point a direction I can follow? >>>> >>>> >>>> >>>> Thank you. >>>> >>>> >>>> >>>> >>>> >>>> -- >>>> - Website: *MailScanner has detected a possible fraud attempt from >>>> "eur01.safelinks.protection.outlook.com" claiming to be* >>>> https://apereo.github.io/cas >>>> <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fapereo.github.io%2Fcas&data=02%7C01%7Cdbb%40st-andrews.ac.uk%7Ccc2aab8a764544c8cdf208d86bb47d16%7Cf85626cb0da849d3aa5864ef678ef01a%7C0%7C0%7C637377771395833552&sdata=gv9iY1GuiNK2xD3Kw5MoalQfp7Jn4R2QyGA0Hzu3%2F7s%3D&reserved=0> >>>> - Gitter Chatroom: *MailScanner has detected a possible fraud attempt >>>> from "eur01.safelinks.protection.outlook.com" claiming to be* >>>> https://gitter.im/apereo/cas >>>> <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgitter.im%2Fapereo%2Fcas&data=02%7C01%7Cdbb%40st-andrews.ac.uk%7Ccc2aab8a764544c8cdf208d86bb47d16%7Cf85626cb0da849d3aa5864ef678ef01a%7C0%7C0%7C637377771395843509&sdata=IhZb3tCKi2nNjYhq8t7mvm4A1qgVmBEaHsFkiRcks2Q%3D&reserved=0> >>>> - List Guidelines: *MailScanner has detected a possible fraud attempt >>>> from "eur01.safelinks.protection.outlook.com" claiming to be* >>>> https://goo.gl/1VRrw7 >>>> <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgoo.gl%2F1VRrw7&data=02%7C01%7Cdbb%40st-andrews.ac.uk%7Ccc2aab8a764544c8cdf208d86bb47d16%7Cf85626cb0da849d3aa5864ef678ef01a%7C0%7C0%7C637377771395843509&sdata=ZYWViAnDEovOpZSNb7HpXoOKSZbE9HTGY9geOosDKks%3D&reserved=0> >>>> - Contributions: *MailScanner has detected a possible fraud attempt >>>> from "eur01.safelinks.protection.outlook.com" claiming to be* >>>> https://goo.gl/mh7qDG >>>> <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgoo.gl%2Fmh7qDG&data=02%7C01%7Cdbb%40st-andrews.ac.uk%7Ccc2aab8a764544c8cdf208d86bb47d16%7Cf85626cb0da849d3aa5864ef678ef01a%7C0%7C0%7C637377771395853474&sdata=0Lhx3yQCAPcQX%2FywERDk3Anp%2FmFSo%2BAVNWUYelB7slo%3D&reserved=0> >>>> >>>> >>>> --- >>>> You received this message because you are subscribed to the Google >>>> Groups "CAS Community" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to [email protected]. >>>> >>>> To view this discussion on the web visit *MailScanner has detected a >>>> possible fraud attempt from "eur01.safelinks.protection.outlook.com" >>>> claiming to be* >>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/c03472f2-56d5-4357-9af6-94f4f045728fn%40apereo.org >>>> >>>> <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fa%2Fapereo.org%2Fd%2Fmsgid%2Fcas-user%2Fc03472f2-56d5-4357-9af6-94f4f045728fn%2540apereo.org%3Futm_medium%3Demail%26utm_source%3Dfooter&data=02%7C01%7Cdbb%40st-andrews.ac.uk%7Ccc2aab8a764544c8cdf208d86bb47d16%7Cf85626cb0da849d3aa5864ef678ef01a%7C0%7C0%7C637377771395853474&sdata=gGL%2FnvjuCI3Yigr5AJ46WUZLq2o%2FqhShe3sBMiMExIk%3D&reserved=0> >>>> . >>>> >>>> -- >>>> - Website: *MailScanner has detected a possible fraud attempt from >>>> "eur01.safelinks.protection.outlook.com" claiming to be* >>>> https://apereo.github.io/cas >>>> <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fapereo.github.io%2Fcas&data=02%7C01%7Cdbb%40st-andrews.ac.uk%7Ccc2aab8a764544c8cdf208d86bb47d16%7Cf85626cb0da849d3aa5864ef678ef01a%7C0%7C0%7C637377771395853474&sdata=%2Fxh1VxJSveY43EaRqmYEFY6HeJGRqf3ksKPO3SzVhWQ%3D&reserved=0> >>>> - Gitter Chatroom: *MailScanner has detected a possible fraud attempt >>>> from "eur01.safelinks.protection.outlook.com" claiming to be* >>>> https://gitter.im/apereo/cas >>>> <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgitter.im%2Fapereo%2Fcas&data=02%7C01%7Cdbb%40st-andrews.ac.uk%7Ccc2aab8a764544c8cdf208d86bb47d16%7Cf85626cb0da849d3aa5864ef678ef01a%7C0%7C0%7C637377771395863429&sdata=rKPdXvkPIyUeh0MzxjATyVN0aIRbkOSp%2BO0lO4tfh2k%3D&reserved=0> >>>> - List Guidelines: *MailScanner has detected a possible fraud attempt >>>> from "eur01.safelinks.protection.outlook.com" claiming to be* >>>> https://goo.gl/1VRrw7 >>>> <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgoo.gl%2F1VRrw7&data=02%7C01%7Cdbb%40st-andrews.ac.uk%7Ccc2aab8a764544c8cdf208d86bb47d16%7Cf85626cb0da849d3aa5864ef678ef01a%7C0%7C0%7C637377771395863429&sdata=VtK3jn%2B9advdjmkfUQCiwZjUQNpgX0hgtLaV7bpVyyk%3D&reserved=0> >>>> - Contributions: *MailScanner has detected a possible fraud attempt >>>> from "eur01.safelinks.protection.outlook.com" claiming to be* >>>> https://goo.gl/mh7qDG >>>> <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgoo.gl%2Fmh7qDG&data=02%7C01%7Cdbb%40st-andrews.ac.uk%7Ccc2aab8a764544c8cdf208d86bb47d16%7Cf85626cb0da849d3aa5864ef678ef01a%7C0%7C0%7C637377771395863429&sdata=xIKZR%2F9fioPv0ubk1t7gsjeyqbSAyw01MPvn80%2B4rt8%3D&reserved=0> >>>> >>>> >>>> --- >>>> You received this message because you are subscribed to the Google >>>> Groups "CAS Community" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to [email protected]. >>>> >>>> To view this discussion on the web visit *MailScanner has detected a >>>> possible fraud attempt from "eur01.safelinks.protection.outlook.com" >>>> claiming to be* >>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/92192eff7187568875d6f6e91a2d5072a6de937b.camel%40ndsu.edu >>>> >>>> <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fa%2Fapereo.org%2Fd%2Fmsgid%2Fcas-user%2F92192eff7187568875d6f6e91a2d5072a6de937b.camel%2540ndsu.edu%3Futm_medium%3Demail%26utm_source%3Dfooter&data=02%7C01%7Cdbb%40st-andrews.ac.uk%7Ccc2aab8a764544c8cdf208d86bb47d16%7Cf85626cb0da849d3aa5864ef678ef01a%7C0%7C0%7C637377771395873383&sdata=cOKa224dsbfpCTXMKxCX3M%2FzFofIJzAuq2s%2F3cnzcvA%3D&reserved=0> >>>> . >>>> >>> -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/04b881de-bafe-4893-b448-efebc65632afn%40apereo.org.
