I'm guessing that it just doesn't exist anymore. Browsing from
https://repo.spring.io/snapshot/
They don't have anything for Duo that is obvious. It was a SNAPSHOT dependency,
and thus shouldn't have been used in anything released. I see in my pom:
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-duo</artifactId>
<version>${cas.version}</version>
<exclusions>
<exclusion>
<artifactId>duo_client_java</artifactId>
<groupId>com.github.duosecurity</groupId>
</exclusion>
</exclusions>
</dependency>
Which removes the snapshot one.
I have
<dependency>
<groupId>com.duosecurity</groupId>
<artifactId>duo-client</artifactId>
<version>0.2.1</version>
</dependency>
However, 0.2.1 isn't in central. I think I grabbed it from their GitHub,
compiled, and put it in my own Maven repo. They do have 0.3.0 in Maven Central.
No idea if it is compatible or not.
Their source is here:
https://github.com/duosecurity/duo_client_java
But obviously they can't be trusted to tag their releases. The only tag they
have is 0.2.2, despite the fact they have 0.3.0 in Central. So you probably
need to get git version from them, build, and reference locally. mvn install on
a local project will stick it in your local .m2 cache dir, making it available
as a dependency.
On Thu, 2021-01-28 at 11:19 -1000, Baron Fujimoto wrote:
[Forking this thread to separate the ldaptive and maven repo issues]
Per that spring-io advisory, it says, "The /snapshot, /milestone, and /release
repositories will remain available, but please fetch our releases from a
central repository". The only reference I see in our pom.xml to spring-io is:
<repositories>
…
<repository>
<id>spring-milestones</id>
<url>https://repo.spring.io/milestone</url>
</repository>
</repositories>
Would updating or supplementing with something else resolve these errors?
Unfortunately, my experience with maven and these build strategies is pretty
limited to what I've used to successfully build CAS in the past. I'll happily
RTFM if someone could kindly point me to the appropriate FM that would explain
this or how to pursue the other suggested strategies.
On Thu, Jan 28, 2021 at 2:39 AM Jeffrey Miller
<[email protected]<mailto:[email protected]>> wrote:
For the Duo dependency, spring updated their use for artifacts in their repo
and now libs-release (and probably libs-snapshot) is no longer available
publicly
https://spring.io/blog/2020/10/29/notice-of-permissions-changes-to-repo-spring-io-fall-and-winter-2020
On Wednesday, January 27, 2021 at 8:52:32 PM UTC-5 richard.frovarp wrote:
For the Duo jar, you should put them in your own local repo? Or maybe the cache
dir? I know that by default it feels like you have to hunt through a variety
of external repos to find that dependency. I run a local Nexus install for us
so I only have to hunt down once.
For the LDAP problems, I think on the Shib list they say don't use the JNDI
LDAP connector, in particular with JDK 11. But even then, I don't think the 1.8
JNDI provider is that great. So, you may be able to move over to the UnboundID
provider and have better success? To determine what version is being used, I
would recommend looking at what is in your resulting build artifact. I'm
building to a war, and therefore the place for me to look to see what is being
placed in the war file. So if the file is present in the lib dir where you are
running it, it might be using. I don't remember if there is an authoritative
way the JRE loads libs or not. I generally assume that if there are two in the
classpath, it is going to randomly load out of one of them. It's probably
deterministic in some way, but if you have to ask about load order, you're
probably in a space you don't want to be in.
I know that with overlays I've had trouble getting the version I want to be the
only one. I don't think the normal Maven rules for dependency versions fully
apply for overlays. You're best off putting excludes in to ensure the version
you don't want is excluded.
You can also exclude out of the overlay, and I see that I'm doing that. I just
don't remember why I'm doing that. I have spring and log4j in those excludes.
I'm excluding Duo out of a normal dependency section. I have a different GAV
bringing that dependency in.
We're using the UnboundID provider.
________________________________
From: [email protected] <[email protected]> on behalf of Baron Fujimoto
<[email protected]>
Sent: Wednesday, January 27, 2021 19:06
To: CAS Users <[email protected]>
Subject: [cas-user] CAS 5.0.x newer ldaptive?
I'm working with Oracle to troubleshoot a bug we've encountered with their JDK
(1.8u231+) and LDAP errors. According to their analysis, they're claiming that
the problem lies with the ldaptive library being used by this old (I know)
version of CAS. More specifically that the subsequent JDKs adhere to spec, and
the ldaptive library appears to be testing for unspecified behaviour. They are
recommending I try a newer version of the ldaptive library which does not
appear to have the same code.
I added the following to our pom.xml:
<dependency>
<groupId>org.ldaptive</groupId>
<artifactId>ldaptive</artifactId>
<version>2.0.1</version>
</dependency>
When I ran "mvn clean package" I think it looked like it was including the
2.0.1 version of ldaptive in the build. However, it seems like I'm still seeing
LDAP problems. When I try to login, it will often result in the errors such as
the following being logged:
2021-01-27 12:10:56,974 DEBUG
[org.apereo.cas.authentication.LdapAuthenticationHandler] - <Attempting LDAP
authentication for baron>
2021-01-27 12:10:56,986 WARN [org.ldaptive.pool.BlockingConnectionPool] -
<connection failed check out validation:
org.ldaptive.pool.AbstractConnectionPool$DefaultPooledConnectionProxy@4b6106ff>
2021-01-27 12:10:56,989 ERROR
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
<LdapAuthenticationHandler: Unexpected LDAP error (Details: Validation of
connection failed)>
Eventually the validation succeeds, then so does the authentication.
How can I verify which version of ldaptive is being used by CAS? I don't think
I saw anything indicating this in the logs. If I search for ldaptive in my
overlay work directory I find the following:
=====
$ grep -ilr ldaptive .
./target/cas.war
./target/war/work/org.apereo.cas/cas-server-webapp/WEB-INF/classes/log4j2.xml
./target/war/work/org.apereo.cas/cas-server-webapp/WEB-INF/lib/person-directory-impl-1.8.4.jar
./target/war/work/org.apereo.cas/cas-server-webapp/WEB-INF/lib/ldaptive-1.2.0.jar
./target/war/work/org.apereo.cas/cas-server-webapp/WEB-INF/lib/ldaptive-beans-1.2.0.jar
./target/cas/WEB-INF/classes/log4j2.xml
./target/cas/WEB-INF/lib/person-directory-impl-1.8.4.jar
./target/cas/WEB-INF/lib/ldaptive-1.2.0.jar
./target/cas/WEB-INF/lib/ldaptive-beans-1.2.0.jar
./target/cas/WEB-INF/lib/ldaptive-beans-2.0.1.jar
./target/cas/WEB-INF/lib/ldaptive-2.0.1.jar
./pom.xml
./etc/cas/config/log4j2.xml
=====
I see an ldaptive-2.0.1.jar and ldaptive-beans-2.0.1.jar, but also
ldaptive-1.2.0.jar and ldaptive-beans-1.2.0.jar. The 1.2.0 versions are always
present after the build even if I delete them first, so something must be
re-including them. How can I ensure that the new ldaptive is used in place of
the old one?
Unrelated, but I'm also seeing the following errors in the build now that
weren't present when I originally built this long ago:
Downloading:
https://repo.spring.io/libs-snapshot/com/github/duosecurity/duo_client_java/-SNAPSHOT/maven-metadata.xml
[WARNING] Could not transfer metadata
com.github.duosecurity:duo_client_java:-SNAPSHOT/maven-metadata.xml from/to
spring-libs-snapshots (https://repo.spring.io/libs-snapshot): Not authorized ,
ReasonPhrase:Unauthorized.
[WARNING] Failure to transfer
com.github.duosecurity:duo_client_java:-SNAPSHOT/maven-metadata.xml from
https://repo.spring.io/libs-snapshot was cached in the local repository,
resolution will not be reattempted until the update interval of
spring-libs-snapshots has elapsed or updates are forced. Original error: Could
not transfer metadata
com.github.duosecurity:duo_client_java:-SNAPSHOT/maven-metadata.xml from/to
spring-libs-snapshots (https://repo.spring.io/libs-snapshot): Not authorized ,
ReasonPhrase:Unauthorized.
Downloading:
https://repo.spring.io/libs-snapshot/com/github/duosecurity/duo_client_java/duo-client/-SNAPSHOT/maven-metadata.xml
[WARNING] Could not transfer metadata
com.github.duosecurity.duo_client_java:duo-client:-SNAPSHOT/maven-metadata.xml
from/to spring-libs-snapshots (https://repo.spring.io/libs-snapshot): Not
authorized , ReasonPhrase:Unauthorized.
[WARNING] Failure to transfer
com.github.duosecurity.duo_client_java:duo-client:-SNAPSHOT/maven-metadata.xml
from https://repo.spring.io/libs-snapshot was cached in the local repository,
resolution will not be reattempted until the update interval of
spring-libs-snapshots has elapsed or updates are forced. Original error: Could
not transfer metadata
com.github.duosecurity.duo_client_java:duo-client:-SNAPSHOT/maven-metadata.xml
from/to spring-libs-snapshots (https://repo.spring.io/libs-snapshot): Not
authorized , ReasonPhrase:Unauthorized.
Downloading:
https://repo.spring.io/libs-snapshot/com/github/duosecurity/duo_client_java/duo-example-admin/-SNAPSHOT/maven-metadata.xml
[WARNING] Could not transfer metadata
com.github.duosecurity.duo_client_java:duo-example-admin:-SNAPSHOT/maven-metadata.xml
from/to spring-libs-snapshots (https://repo.spring.io/libs-snapshot): Not
authorized , ReasonPhrase:Unauthorized.
[WARNING] Failure to transfer
com.github.duosecurity.duo_client_java:duo-example-admin:-SNAPSHOT/maven-metadata.xml
from https://repo.spring.io/libs-snapshot was cached in the local repository,
resolution will not be reattempted until the update interval of
spring-libs-snapshots has elapsed or updates are forced. Original error: Could
not transfer metadata
com.github.duosecurity.duo_client_java:duo-example-admin:-SNAPSHOT/maven-metadata.xml
from/to spring-libs-snapshots (https://repo.spring.io/libs-snapshot): Not
authorized , ReasonPhrase:Unauthorized.
Downloading:
https://repo.spring.io/libs-snapshot/com/github/duosecurity/duo_client_java/duo-client-all/-SNAPSHOT/maven-metadata.xml
[WARNING] Could not transfer metadata
com.github.duosecurity.duo_client_java:duo-client-all:-SNAPSHOT/maven-metadata.xml
from/to spring-libs-snapshots (https://repo.spring.io/libs-snapshot): Not
authorized , ReasonPhrase:Unauthorized.
It seems prudent to resolve these build errors as well.
--
Baron Fujimoto <[email protected]> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL20VkUPAgFORD_Jb-nNaoNK_EiZb3uc_BfN8KF8gSyThg%40mail.gmail.com<https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL20VkUPAgFORD_Jb-nNaoNK_EiZb3uc_BfN8KF8gSyThg%40mail.gmail.com?utm_medium=email&utm_source=footer>.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected]<mailto:[email protected]>.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/5a361cc6-a099-4a45-86c6-d479db055159n%40apereo.org<https://groups.google.com/a/apereo.org/d/msgid/cas-user/5a361cc6-a099-4a45-86c6-d479db055159n%40apereo.org?utm_medium=email&utm_source=footer>.
--
Baron Fujimoto <[email protected]<mailto:[email protected]>> :: UH Information
Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/05fd5ce42b51d57cf0596f93f48f74a87f6349d3.camel%40ndsu.edu.
