Re: [cas-user] Can I make use of XML attributes in a serviceValidate response for authorization control?

2018-02-22 Thread David Hawes
On Thu, Feb 22, 2018 at 4:14 PM, Bryan K. Walton  wrote:
> We have a mod_auth_cas installation where the CAS server on the other
> end is sending us XML attributes in their response.  I don't have any
> details on their CAS server version.  What I do know is that we are
> using the serviceValidate url for validation.  The CAS server, in
> question, does NOT have a samlValidate url option for us.
>
> When a user authenticates to our application, we get a validation
> response from their CAS server that looks like this:
>
> [Thu Feb 22 14:41:23.833837 2018] [:debug] [pid 21153]
> mod_auth_cas.c(1838): [client 10.1.88.60:39852] Validation response:
>  xmlns:cas="http://www.yale.edu/tp/cas;>jdoe
>
> As long as we use require valid-user, everything is fine, and users gain
> access to the application.
>
> My question, can mod_auth_cas work with these XML attributes
> for authorization control, without having access to a samlValidate url
> option?  For example, we would like to instruct Apache to limit access
> to those users who have "Staff" in the "" element.

mod_auth_cas supports SAML attributes with /samlValidate and CASv2
attributes with /serviceValidate (note that you must use git master
for this support).

The payload above does not look like what I would expect, which is
outlined here:

https://apereo.github.io/cas/5.1.x/protocol/CAS-Protocol-Specification.html#255-attributes-cas-30

It will not be parsed correctly and you will not be able to use those
values for authorization without modifying mod_auth_cas.
/serviceValidate in mod_auth_cas expects .

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAgu-wA%2BKFUxDmmB160KEKN7SEB6-n6zVA4Jk8Ny%2BTkTbuAkCQ%40mail.gmail.com.
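
The CAS 3.0 layout that David Hawes links to wraps released attributes in a cas:attributes element inside cas:authenticationSuccess. The Python sketch below is an added example, not mod_auth_cas code and not part of the original thread. It parses a /serviceValidate response in that layout, reports elements that sit outside cas:attributes and are therefore not picked up, and denies authorization when the attribute is absent. The sample responses, attribute names and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"
Q = "{" + CAS_NS + "}"
# Children of cas:authenticationSuccess that the CAS protocol itself defines.
KNOWN_CHILDREN = {"user", "attributes", "proxyGrantingTicket", "proxies"}

# Constructed sample in the CAS 3.0 layout: attributes wrapped in cas:attributes.
SAMPLE_WRAPPED = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:affiliation>Staff</cas:affiliation>
      <cas:affiliation>Alumni</cas:affiliation>
      <cas:mail>jdoe@example.org</cas:mail>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample of a non-conforming layout: the attribute sits directly
# under cas:authenticationSuccess. This is NOT a reconstruction of the payload
# in the post, whose markup did not survive in the archive.
SAMPLE_UNWRAPPED = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:affiliation>Staff</cas:affiliation>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample of a failed validation.
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


class CasValidationError(Exception):
    """Raised whenever the response cannot be trusted as a success."""


def local_name(tag):
    """Strip the CAS namespace from an ElementTree tag."""
    return tag[len(Q):] if tag.startswith(Q) else tag


def parse_service_validate(xml_text):
    """Return (user, attributes, ignored) for a successful validation.

    attributes maps each name under cas:attributes to a list of values
    (attributes may repeat). ignored lists child elements of
    cas:authenticationSuccess that are neither protocol elements nor inside
    cas:attributes, so an operator can see why an expected value is missing.
    """
    # A validation response has no reason to carry a DTD; refuse it outright.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise CasValidationError("DTD not allowed in a validation response")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise CasValidationError("not well-formed XML: %s" % exc)
    if root.tag != Q + "serviceResponse":
        raise CasValidationError("unexpected root element %r" % root.tag)
    failure = root.find(Q + "authenticationFailure")
    if failure is not None:
        raise CasValidationError("authentication failure: %s" % failure.get("code"))
    success = root.find(Q + "authenticationSuccess")
    if success is None:
        raise CasValidationError("no cas:authenticationSuccess element")
    user = (success.findtext(Q + "user") or "").strip()
    if not user:
        raise CasValidationError("missing cas:user")

    attributes = {}
    block = success.find(Q + "attributes")
    if block is not None:
        for child in block:
            value = (child.text or "").strip()
            attributes.setdefault(local_name(child.tag), []).append(value)

    ignored = [local_name(c.tag) for c in success
               if local_name(c.tag) not in KNOWN_CHILDREN]
    return user, attributes, ignored


def is_authorized(attributes, name, required_value):
    """Exact, case-sensitive match; a missing attribute means deny."""
    return required_value in attributes.get(name, [])


if __name__ == "__main__":
    for label, doc in (("wrapped", SAMPLE_WRAPPED), ("unwrapped", SAMPLE_UNWRAPPED)):
        user, attrs, ignored = parse_service_validate(doc)
        print(label, user, attrs, "ignored:", ignored,
              "staff:", is_authorized(attrs, "affiliation", "Staff"))
```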


[cas-user] CAS 5.1.6 cluster with ehcache hang

2018-02-22 Thread Duane Booher
Hi, we are running CAS 5.1.6 with a two host ehcache cluster. When we 
shut down one of the two hosts, then the remaining host hangs and stops 
processing CAS login requests. Then when we start the down host back up, 
all of the CAS login requests work fine.

Any ideas what might be going on here?

Thanks,
Duane



Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-22 Thread David Curry
My guess would be you don't have enough privileges to see everything you
need to see, but that's just a guess. Your question goes beyond my level of
AD/LDAP knowledge, but I've always been under the impression that
everything has to have a DN.


David A. Curry,  CISSP
Director of Information Security
The New School - Information Technology
71 Fifth Ave., 9th Fl. ~ New York, NY 10003
+1 212 229-5300 x4728 ~ david.cu...@newschool.edu
Sent from my phone; please excuse typos and inane auto-corrections.


On Feb 22, 2018 16:43, "Kevin Liu"  wrote:

> Correct me if I'm wrong but looking at the directory, not everyone has a
> DN. Some users are only members of a group it looks like. Is this because
> my account doesn't have high enough privilege to see everyone? But at the
> very least I should be able to see myself right? Or is it possible for not
> every user to have their own DN?
>
> On Thursday, February 22, 2018 at 3:25:03 PM UTC-6, David Curry wrote:
>>
>> If you look up a user in your directory, what does the DN for that user
>> look like? That's what the dnFormat should look like, except that you
>> replace the username with a "%s" for CAS to fill in.
>>
>> So, for example, the DN for our accounts looks like this:
>>
>> cn=gnarls,ou=TNSUsers,dc=tns,dc=newschool,dc=edu
>>
>>
>> (where "gnarls" is the username) so dnFormat looks like this:
>>
>> cn=%s,ou=TNSUsers,dc=tns,dc=newschool,dc=edu
>>
>>
>> Also, if you're really going against AD, you probably want to change
>>
>> cas.authn.ldap[0].userFilter=cn={user}
>>
>>
>> to
>>
>> cas.authn.ldap[0].userFilter=sAMAccountName={user}
>>
>>
>> --Dave
>>
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR OF INFORMATION SECURITY*
>> INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> 
>> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>>
>> [image: The New School]
>>
>> On Thu, Feb 22, 2018 at 4:01 PM, Kevin Liu  wrote:
>>
>>> So it looks like it's because I'm missing a dnFormat value? I'm not
>>> exactly sure how I should format my dnFormat? Could I get some help?
>>>
>>> On Thursday, February 22, 2018 at 2:47:47 PM UTC-6, David Curry wrote:

>>>> I don't see an error there? Did your copy and paste not capture
>>>> everything.
>>>>
>>>> --Dave
>>>>
>>>>
>>>> --
>>>>
>>>> DAVID A. CURRY, CISSP
>>>> *DIRECTOR OF INFORMATION SECURITY*
>>>> INFORMATION TECHNOLOGY
>>>>
>>>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>>>>
>>>> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>>>>
>>>> [image: The New School]
>>>>
>>>> On Thu, Feb 22, 2018 at 3:43 PM, Kevin Liu  wrote:
>>>>
>>>>> I tried following that but this is my error still:

Re: [cas-user] CAS 5.2 and Ellucian Banner 9 (XE)

2018-02-22 Thread Matthew Uribe
My thanks to all who have responded. I finally spotted the issue. In the 
logs, I found this:

 https://testssbxe.aims.edu:8444/BannerGeneralSsb/j_spring_cas_security_check] does not match supplied service [org.apereo.cas.support.saml.authentication.principal.SamlService@640edaac[id=https://testssbxe1.aims.edu:8444/BannerGeneralSsb/j_spring_cas_security_check,originalUrl=https://testssbxe1.aims.edu:8444/BannerGeneralSsb/j_spring_cas_security_check,artifactId=ST-AAHn21AEQFRQnJ3kjH1H/VWjCTCumXuhWQiE3Cx/WAPhxR97XJp/xtY9,principal=,loggedOutAlready=false,format=XML]]>

 

That "1" really does not stand out very well, and is a product of our load 
balanced setup. At first I thought I needed to make the regex in the 
service definition match either URL, but in the end found that the issue 
was in the BannerGeneralSsb_configuration.groovy file. I changed 
the serviceUrl to reflect the 1, and have had a successful login!

Thanks again.

On Thursday, February 22, 2018 at 9:10:24 AM UTC-7, Greg Booth wrote:
>
> Matthew,
>
> Here is our service definition:
>
> {
>   @class: org.apereo.cas.services.RegexRegisteredService
>   id: 
>   name: Banner
>   description: Self-Service
>   logo: https://www.mtu.edu/images/mtu-logo.png
>   serviceId: https://(www\.)?bannerweb.mtu.edu(:443)?/.*
>   attributeReleasePolicy: {
>     @class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
>     allowedAttributes: ["java.util.ArrayList", ["UDC_IDENTIFIER", "michigantechRIDM"]]
>   }
> }
>
> On Thu, Feb 22, 2018 at 9:26 AM, Matthew Uribe wrote:
>
>> Thanks Travis. That's the track I've been on. Can you tell me whether 
>> this service definition looks anything like what you ended up with?
>>
>>
>> {
>>   @class: org.apereo.cas.services.RegexRegisteredService
>>   serviceId: ^https://ban9server.school.edu:8444/BannerGeneralSsb(\z|/.*)
>>   name: TEST General SSB XE
>>   id: 12345
>>   attributeReleasePolicy:
>>   {
>>     @class: org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
>>     allowedAttributes:
>>     {
>>       @class: java.util.TreeMap
>>       UDC_IDENTIFIER: UDC_IDENTIFIER
>>     }
>>   }
>>   "evaluationOrder" : 5
>> }
>>
>>
>> On Wednesday, February 21, 2018 at 5:18:20 PM UTC-7, Travis Schmidt wrote:
>>>
>>> I am helping a team with this exact issue right now.  Don't know 
>>> anything about the banner side of things, but I had to map the attribute 
>>> they were looking for to UDC_IDENTIFIER in the Service Registry for it to 
>>> work.
>>>
>>> On Wed, Feb 21, 2018 at 3:46 PM Matthew Uribe  
>>> wrote:
>>>
>>>> Hello Community,
>>>>
>>>> I am wondering whether anyone has had success with Banner 9 and CAS
>>>> 5.2.x
>>>>
>>>> We have been using the Luminis delivered CAS 3.5.2, but are interested
>>>> in the features available in 5, such as SAML2 IdP, and MFA using Duo. I
>>>> have deployed CAS 5.2.0, included cas-server-support-ldap and
>>>> cas-server-support-saml dependencies, and setup a service for one of
>>>> our Banner 9 apps, but haven't been able to successfully access the
>>>> application. I can access the CAS Dashboard, as well as the
>>>> CAS-Management webapp, but the Banner apps are beyond me at this point.
>>>> Right now, when I navigate to the Banner 9 app, I am redirected to the
>>>> CAS login page. After logging in successfully, the browser gives me an
>>>> error: "HTTP Status 403 - No assertions found".
>>>>
>>>> I figure the problem is either in my service registry, or that I maybe
>>>> need to import the CAS certificate into a keystore somewhere on the
>>>> Banner 9 server. Since I don't see anything related to a cert import in
>>>> the Banner 9 install guides, I'm focused on the first of these two
>>>> possibilities, but after 2 days of going in circles I've run out of
>>>> ideas and would eagerly accept the advice of this community.
>>>>
>>>> Thank you,
>>>> Matt


Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-22 Thread Kevin Liu
Correct me if I'm wrong but looking at the directory, not everyone has a 
DN. Some users are only members of a group it looks like. Is this because 
my account doesn't have high enough privilege to see everyone? But at the 
very least I should be able to see myself right? Or is it possible for not 
every user to have their own DN?

On Thursday, February 22, 2018 at 3:25:03 PM UTC-6, David Curry wrote:
>
> If you look up a user in your directory, what does the DN for that user 
> look like? That's what the dnFormat should look like, except that you 
> replace the username with a "%s" for CAS to fill in.
>
> So, for example, the DN for our accounts looks like this:
>
> cn=gnarls,ou=TNSUsers,dc=tns,dc=newschool,dc=edu
>
>
> (where "gnarls" is the username) so dnFormat looks like this:
>
> cn=%s,ou=TNSUsers,dc=tns,dc=newschool,dc=edu
>
>
> Also, if you're really going against AD, you probably want to change
>
> cas.authn.ldap[0].userFilter=cn={user}
>
>
> to
>
> cas.authn.ldap[0].userFilter=sAMAccountName={user}
>
>
> --Dave
>
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david.cu...@newschool.edu 
>
> [image: The New School]
>
> On Thu, Feb 22, 2018 at 4:01 PM, Kevin Liu wrote:
>
>> So it looks like it's because I'm missing a dnFormat value? I'm not 
>> exactly sure how I should format my dnFormat? Could I get some help?
>>
>> On Thursday, February 22, 2018 at 2:47:47 PM UTC-6, David Curry wrote:
>>>
>>> I don't see an error there? Did your copy and paste not capture 
>>> everything.
>>>
>>> --Dave
>>>
>>>
>>> --
>>>
>>> DAVID A. CURRY, CISSP
>>> *DIRECTOR OF INFORMATION SECURITY*
>>> INFORMATION TECHNOLOGY
>>>
>>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 
>>> 
>>> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>>>
>>> [image: The New School]
>>>
>>> On Thu, Feb 22, 2018 at 3:43 PM, Kevin Liu  wrote:
>>>
>>>> I tried following that but this is my error still:


Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-22 Thread David Curry
If you look up a user in your directory, what does the DN for that user
look like? That's what the dnFormat should look like, except that you
replace the username with a "%s" for CAS to fill in.

So, for example, the DN for our accounts looks like this:

cn=gnarls,ou=TNSUsers,dc=tns,dc=newschool,dc=edu


(where "gnarls" is the username) so dnFormat looks like this:

cn=%s,ou=TNSUsers,dc=tns,dc=newschool,dc=edu


Also, if you're really going against AD, you probably want to change

cas.authn.ldap[0].userFilter=cn={user}


to

cas.authn.ldap[0].userFilter=sAMAccountName={user}


--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

[image: The New School]

On Thu, Feb 22, 2018 at 4:01 PM, Kevin Liu  wrote:

> So it looks like it's because I'm missing a dnFormat value? I'm not
> exactly sure how I should format my dnFormat? Could I get some help?
>
> On Thursday, February 22, 2018 at 2:47:47 PM UTC-6, David Curry wrote:
>>
>> I don't see an error there? Did your copy and paste not capture
>> everything.
>>
>> --Dave
>>
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR OF INFORMATION SECURITY*
>> INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> 
>> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>>
>> [image: The New School]
>>
>> On Thu, Feb 22, 2018 at 3:43 PM, Kevin Liu  wrote:
>>
>>> I tried following that but this is my error still:
>>>
>>> 2018-02-22 14:40:41,986 DEBUG [org.apereo.cas.configuration.
>>> support.CasConfigurationJasyptDecryptor] - >> algorithm [PBEWithMD5AndTripleDES]>
>>> 2018-02-22 14:40:41,995 DEBUG [org.apereo.cas.configuration.
>>> config.CasCoreBootstrapStandaloneConfiguration] - >> located inside [class path resource [application.yml]]>
>>> 2018-02-22 14:40:41,996 DEBUG [org.apereo.cas.configuration.
>>> config.CasCoreBootstrapStandaloneConfiguration] - >> standalone configuration directory at [/etc/cas3/config]>
>>> 2018-02-22 14:40:41,997 DEBUG [org.apereo.cas.configuration.
>>> config.CasCoreBootstrapStandaloneConfiguration] - >> configuration files at [/etc/cas3/config] that match the pattern
>>> [(cas|standalone|application-cas|a
>>> 2018-02-22 14:40:42,009 INFO [org.apereo.cas.configuration.
>>> config.CasCoreBootstrapStandaloneConfiguration] - >> found at [/etc/cas3/config] are [[/etc/cas3/config/application.yml,
>>> /etc/cas3/config/cas.pro
>>> 2018-02-22 14:40:42,019 DEBUG [org.apereo.cas.configuration.
>>> config.CasCoreBootstrapStandaloneConfiguration] - >> configuration file [/etc/cas3/config/application.yml]>
>>> 2018-02-22 14:40:42,042 DEBUG [org.apereo.cas.configuration.
>>> config.CasCoreBootstrapStandaloneConfiguration] - >> [[info.description]] in YAML file [/etc/cas3/config/application.yml]>
>>> 2018-02-22 14:40:42,044 DEBUG [org.apereo.cas.configuration.
>>> config.CasCoreBootstrapStandaloneConfiguration] - >> configuration file [/etc/cas3/config/cas.properties]>
>>> 2018-02-22 14:40:42,046 DEBUG [org.apereo.cas.configuration.
>>> config.CasCoreBootstrapStandaloneConfiguration] - >> [[endpoints.sensitive, cas.authn.ldap[0].subtreeSearch,
>>> cas.adminPagesSecurity.loginUrl, cas.adm
>>> 2018-02-22 14:40:42,046 DEBUG [org.apereo.cas.configuration.
>>> config.CasCoreBootstrapStandaloneConfiguration] - >> [[endpoints.sensitive, cas.authn.ldap[0].subtreeSearch,
>>> cas.adminPagesSecurity.loginUrl, cas
>>> 2018-02-22 14:40:42,102 INFO 
>>> [org.apereo.cas.web.CasWebApplicationServletInitializer]
>>> - 
>>> 2018-02-22 14:40:45,698 WARN 
>>> [org.apereo.cas.config.CasCoreTicketsConfiguration]
>>> - >> managing tickets. Tickets that are issued during runtime will be LOST
>>> 2018-02-22 14:40:45,701 INFO [org.apereo.cas.configuration.support.Beans]
>>> - >> in a clustered production environment. Consider using other choices to han
>>> 2018-02-22 14:40:49,283 DEBUG 
>>> [org.apereo.cas.config.CasCoreAuthenticationConfiguration]
>>> - >> Configuration]>
>>> 2018-02-22 14:40:49,289 DEBUG 
>>> [org.apereo.cas.config.CasCoreAuthenticationConfiguration]
>>> - >> Configuration]>
>>> 2018-02-22 14:40:49,318 DEBUG [org.apereo.cas.authentication
>>> .DefaultAuthenticationEventExecutionPlan] - >> [HttpBasedServiceCredentialsAuthenticationHandler] principal resolver
>>> [org.apereo.cas.authenticat
>>> 2018-02-22 14:40:49,324 DEBUG 
>>> [org.apereo.cas.config.CasCoreAuthenticationConfiguration]
>>> - >> Configuration]>
>>> 2018-02-22 14:40:49,333 DEBUG [org.apereo.cas.authentication
>>> .DefaultAuthenticationEventExecutionPlan] - >> populator [org.apereo.cas.authentication.metadata.SuccessfulHandlerMet
>>> aDataPopulator@77551b65[or
>>> 2018-02-22 14:40:49,342 DEBUG [org.apereo.cas.authentication
>>> .DefaultAuthenticationEventExecutionPlan] - >> populator 
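
David Curry's recipe in the message above (take a real user's DN, swap the username for "%s", and against AD search on sAMAccountName instead of cn) can be checked mechanically. The Python sketch below is an added example, not CAS or ldaptive code; the function names and the second sample DN are constructed for illustration. It derives a dnFormat from a sample DN, returns nothing when the first RDN is not the login name (often the case on AD, where the CN holds a display name and a userFilter search is the better fit), and shows the DN and filter that result once the username is escaped per RFC 4514 and RFC 4515.

```python
import re

# DN and dnFormat exactly as given in the message above.
PAGE_DN = "cn=gnarls,ou=TNSUsers,dc=tns,dc=newschool,dc=edu"
PAGE_DN_FORMAT = "cn=%s,ou=TNSUsers,dc=tns,dc=newschool,dc=edu"
PAGE_AD_FILTER = "sAMAccountName={user}"
# Constructed AD-style DN whose CN is a display name, not the login name.
SAMPLE_AD_DN = "CN=Jane Doe,OU=People,DC=example,DC=org"

DN_SPECIAL = '"+,;<>\\'                      # RFC 4514: always escaped in a value
FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29",
                  "\x00": "\\00"}            # RFC 4515 assertion-value escapes
# attribute type, value (may contain backslash escapes), remainder of the DN
FIRST_RDN = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=((?:\\.|[^,\\])*)((?:,.*)?)$")


def escape_dn_value(value):
    """Escape a string for use as an attribute value inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and i in (0, last):   # leading or trailing space
            out.append("\\ ")
        elif ch == "#" and i == 0:           # leading '#'
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape a string for use as the value in an LDAP search filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def derive_dn_format(example_dn, username):
    """Turn a real user's DN into a dnFormat by replacing the username with %s.

    Returns None when the first RDN value is not the username, in which case
    no fixed DN pattern can be built from the login name alone.
    """
    match = FIRST_RDN.match(example_dn.strip())
    if not match:
        return None
    attr, raw_value, rest = match.groups()
    value = re.sub(r"\\(.)", r"\1", raw_value)   # undo simple backslash escapes
    if value.lower() != username.lower():
        return None
    return f"{attr}=%s{rest}"


def render_dn(dn_format, username):
    """Fill the single %s in a dnFormat with the escaped username."""
    if dn_format.count("%s") != 1:
        raise ValueError("dnFormat must contain exactly one %s")
    return dn_format.replace("%s", escape_dn_value(username))


def render_filter(user_filter, username):
    """Fill {user} in a userFilter with the escaped username."""
    if "{user}" not in user_filter:
        raise ValueError("userFilter must contain {user}")
    return user_filter.replace("{user}", escape_filter_value(username))


if __name__ == "__main__":
    print(derive_dn_format(PAGE_DN, "gnarls"))
    print(derive_dn_format(SAMPLE_AD_DN, "jdoe"))
    print(render_dn(PAGE_DN_FORMAT, "smith, j"))
    print(render_filter(PAGE_AD_FILTER, "j*(temp)"))
```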

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-22 Thread Kevin Liu
So it looks like it's because I'm missing a dnFormat value? I'm not exactly 
sure how I should format my dnFormat? Could I get some help?

On Thursday, February 22, 2018 at 2:47:47 PM UTC-6, David Curry wrote:
>
> I don't see an error there? Did your copy and paste not capture everything.
>
> --Dave
>
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david.cu...@newschool.edu 
>
> [image: The New School]
>
> On Thu, Feb 22, 2018 at 3:43 PM, Kevin Liu wrote:
>
>> I tried following that but this is my error still:
>>
>> 2018-02-22 14:40:41,986 DEBUG 
>> [org.apereo.cas.configuration.support.CasConfigurationJasyptDecryptor] - 
>> 
>> 2018-02-22 14:40:41,995 DEBUG 
>> [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration]
>>  
>> - > [application.yml]]>
>> 2018-02-22 14:40:41,996 DEBUG 
>> [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration]
>>  
>> - 
>> 2018-02-22 14:40:41,997 DEBUG 
>> [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration]
>>  
>> - > pattern [(cas|standalone|application-cas|a
>> 2018-02-22 14:40:42,009 INFO 
>> [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration]
>>  
>> - > [[/etc/cas3/config/application.yml, /etc/cas3/config/cas.pro
>> 2018-02-22 14:40:42,019 DEBUG 
>> [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration]
>>  
>> - 
>> 2018-02-22 14:40:42,042 DEBUG 
>> [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration]
>>  
>> - > [/etc/cas3/config/application.yml]>
>> 2018-02-22 14:40:42,044 DEBUG 
>> [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration]
>>  
>> - 
>> 2018-02-22 14:40:42,046 DEBUG 
>> [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration]
>>  
>> - > cas.adminPagesSecurity.loginUrl, cas.adm
>> 2018-02-22 14:40:42,046 DEBUG 
>> [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration]
>>  
>> - > cas.authn.ldap[0].subtreeSearch, cas.adminPagesSecurity.loginUrl, cas
>> 2018-02-22 14:40:42,102 INFO 
>> [org.apereo.cas.web.CasWebApplicationServletInitializer] - > profiles are active: standalone>
>> 2018-02-22 14:40:45,698 WARN 
>> [org.apereo.cas.config.CasCoreTicketsConfiguration] - > used as the persistence storage for retrieving and managing tickets. 
>> Tickets that are issued during runtime will be LOST
>> 2018-02-22 14:40:45,701 INFO [org.apereo.cas.configuration.support.Beans] 
>> - > in a clustered production environment. Consider using other choices to han
>> 2018-02-22 14:40:49,283 DEBUG 
>> [org.apereo.cas.config.CasCoreAuthenticationConfiguration] - > authentication execution plan [CasCoreAuthenticationHandlersConfiguration]>
>> 2018-02-22 14:40:49,289 DEBUG 
>> [org.apereo.cas.config.CasCoreAuthenticationConfiguration] - > authentication execution plan [CasCoreAuthenticationHandlersConfiguration]>
>> 2018-02-22 14:40:49,318 DEBUG 
>> [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - 
>> > principal resolver [org.apereo.cas.authenticat
>> 2018-02-22 14:40:49,324 DEBUG 
>> [org.apereo.cas.config.CasCoreAuthenticationConfiguration] - > authentication execution plan [CasCoreAuthenticationMetadataConfiguration]>
>> 2018-02-22 14:40:49,333 DEBUG 
>> [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - 
>> > [org.apereo.cas.authentication.metadata.SuccessfulHandlerMetaDataPopulator@77551b65[or
>> 2018-02-22 14:40:49,342 DEBUG 
>> [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - 
>> > [org.apereo.cas.authentication.metadata.RememberMeAuthenticationMetaDataPopulator@3838
>> 2018-02-22 14:40:49,350 DEBUG 
>> [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - 
>> > [org.apereo.cas.authentication.metadata.AuthenticationCredentialTypeMetaDataPopulator@
>> 2018-02-22 14:40:49,350 DEBUG 
>> [org.apereo.cas.config.CasCoreAuthenticationConfiguration] - > authentication execution plan [LdapAuthenticationConfiguration]>
>> 2018-02-22 14:40:49,355 DEBUG 
>> [org.apereo.cas.authentication.CoreAuthenticationUtils] - > attributes are defined>
>> 2018-02-22 14:40:49,355 DEBUG 
>> [org.apereo.cas.config.LdapAuthenticationConfiguration] - > mapped principal attributes [{}] for [ldap://alpha.beta.gamma:389]...>
>> 2018-02-22 14:40:49,357 DEBUG 
>> [org.apereo.cas.config.LdapAuthenticationConfiguration] - > authenticator for [ldap://alpha.beta.gamma:389] and baseDn 
>> [dc=beta,dc=gamma]>
>> 2018-02-22 14:40:49,375 DEBUG [org.apereo.cas.util.LdapUtils] - > active directory authenticator for [ldap://alpha.beta.gamma:389]>
>> 2018-02-22 14:40:49,377 WARN 
>> [org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext]
>>  
>> - > attempt: org.springframewor
>> 2018-02-22 14:40:49,378 WARN 
>> 

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-22 Thread David Curry
I don't see an error there? Did your copy and paste not capture everything.

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

[image: The New School]

On Thu, Feb 22, 2018 at 3:43 PM, Kevin Liu  wrote:

> I tried following that but this is my error still:
>
> 2018-02-22 14:40:41,986 DEBUG [org.apereo.cas.configuration.support.
> CasConfigurationJasyptDecryptor] -  [PBEWithMD5AndTripleDES]>
> 2018-02-22 14:40:41,995 DEBUG [org.apereo.cas.configuration.config.
> CasCoreBootstrapStandaloneConfiguration] -  inside [class path resource [application.yml]]>
> 2018-02-22 14:40:41,996 DEBUG [org.apereo.cas.configuration.config.
> CasCoreBootstrapStandaloneConfiguration] -  configuration directory at [/etc/cas3/config]>
> 2018-02-22 14:40:41,997 DEBUG [org.apereo.cas.configuration.config.
> CasCoreBootstrapStandaloneConfiguration] -  files at [/etc/cas3/config] that match the pattern
> [(cas|standalone|application-cas|a
> 2018-02-22 14:40:42,009 INFO [org.apereo.cas.configuration.config.
> CasCoreBootstrapStandaloneConfiguration] -  [/etc/cas3/config] are [[/etc/cas3/config/application.yml,
> /etc/cas3/config/cas.pro
> 2018-02-22 14:40:42,019 DEBUG [org.apereo.cas.configuration.config.
> CasCoreBootstrapStandaloneConfiguration] -  [/etc/cas3/config/application.yml]>
> 2018-02-22 14:40:42,042 DEBUG [org.apereo.cas.configuration.config.
> CasCoreBootstrapStandaloneConfiguration] -  [[info.description]] in YAML file [/etc/cas3/config/application.yml]>
> 2018-02-22 14:40:42,044 DEBUG [org.apereo.cas.configuration.config.
> CasCoreBootstrapStandaloneConfiguration] -  [/etc/cas3/config/cas.properties]>
> 2018-02-22 14:40:42,046 DEBUG [org.apereo.cas.configuration.config.
> CasCoreBootstrapStandaloneConfiguration] -  [[endpoints.sensitive, cas.authn.ldap[0].subtreeSearch,
> cas.adminPagesSecurity.loginUrl, cas.adm
> 2018-02-22 14:40:42,046 DEBUG [org.apereo.cas.configuration.config.
> CasCoreBootstrapStandaloneConfiguration] -  [[endpoints.sensitive, cas.authn.ldap[0].subtreeSearch,
> cas.adminPagesSecurity.loginUrl, cas
> 2018-02-22 14:40:42,102 INFO [org.apereo.cas.web.
> CasWebApplicationServletInitializer] -  active: standalone>
> 2018-02-22 14:40:45,698 WARN 
> [org.apereo.cas.config.CasCoreTicketsConfiguration]
> -  managing tickets. Tickets that are issued during runtime will be LOST
> 2018-02-22 14:40:45,701 INFO [org.apereo.cas.configuration.support.Beans]
> -  in a clustered production environment. Consider using other choices to han
> 2018-02-22 14:40:49,283 DEBUG [org.apereo.cas.config.
> CasCoreAuthenticationConfiguration] -  execution plan [CasCoreAuthenticationHandlersConfiguration]>
> 2018-02-22 14:40:49,289 DEBUG [org.apereo.cas.config.
> CasCoreAuthenticationConfiguration] -  execution plan [CasCoreAuthenticationHandlersConfiguration]>
> 2018-02-22 14:40:49,318 DEBUG [org.apereo.cas.authentication.
> DefaultAuthenticationEventExecutionPlan] -  HttpBasedServiceCredentialsAuthenticationHandler] principal resolver
> [org.apereo.cas.authenticat
> 2018-02-22 14:40:49,324 DEBUG [org.apereo.cas.config.
> CasCoreAuthenticationConfiguration] -  execution plan [CasCoreAuthenticationMetadataConfiguration]>
> 2018-02-22 14:40:49,333 DEBUG [org.apereo.cas.authentication.
> DefaultAuthenticationEventExecutionPlan] -  populator [org.apereo.cas.authentication.metadata.
> SuccessfulHandlerMetaDataPopulator@77551b65[or
> 2018-02-22 14:40:49,342 DEBUG [org.apereo.cas.authentication.
> DefaultAuthenticationEventExecutionPlan] -  populator [org.apereo.cas.authentication.metadata.
> RememberMeAuthenticationMetaDataPopulator@3838
> 2018-02-22 14:40:49,350 DEBUG [org.apereo.cas.authentication.
> DefaultAuthenticationEventExecutionPlan] -  populator [org.apereo.cas.authentication.metadata.
> AuthenticationCredentialTypeMetaDataPopulator@
> 2018-02-22 14:40:49,350 DEBUG [org.apereo.cas.config.
> CasCoreAuthenticationConfiguration] -  execution plan [LdapAuthenticationConfiguration]>
> 2018-02-22 14:40:49,355 DEBUG 
> [org.apereo.cas.authentication.CoreAuthenticationUtils]
> - 
> 2018-02-22 14:40:49,355 DEBUG [org.apereo.cas.config.
> LdapAuthenticationConfiguration] -  attributes [{}] for [ldap://alpha.beta.gamma:389]...>
> 2018-02-22 14:40:49,357 DEBUG [org.apereo.cas.config.
> LdapAuthenticationConfiguration] -  [ldap://alpha.beta.gamma:389] and baseDn [dc=beta,dc=gamma]>
> 2018-02-22 14:40:49,375 DEBUG [org.apereo.cas.util.LdapUtils] -  active directory authenticator for [ldap://alpha.beta.gamma:389]>
> 2018-02-22 14:40:49,377 WARN [org.springframework.boot.context.embedded.
> AnnotationConfigEmbeddedWebApplicationContext] -  during context initialization - cancelling refresh attempt:
> org.springframewor
> 2018-02-22 14:40:49,378 WARN [com.ryantenney.metrics.
> spring.config.annotation.MetricsConfigurerAdapter] -  reporter>
> 

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-22 Thread Kevin Liu
I tried following that but this is my error still:

2018-02-22 14:40:41,986 DEBUG 
[org.apereo.cas.configuration.support.CasConfigurationJasyptDecryptor] - 

2018-02-22 14:40:41,995 DEBUG 
[org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] 
- 
2018-02-22 14:40:41,996 DEBUG 
[org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] 
- 
2018-02-22 14:40:41,997 DEBUG 
[org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] 
- 
2018-02-22 14:40:42,042 DEBUG 
[org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] 
- 
2018-02-22 14:40:42,044 DEBUG 
[org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] 
- 
2018-02-22 14:40:42,046 DEBUG 
[org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] 
- 
2018-02-22 14:40:45,698 WARN 
[org.apereo.cas.config.CasCoreTicketsConfiguration] - 
2018-02-22 14:40:49,289 DEBUG 
[org.apereo.cas.config.CasCoreAuthenticationConfiguration] - 
2018-02-22 14:40:49,318 DEBUG 
[org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - 

2018-02-22 14:40:49,333 DEBUG 
[org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - 

2018-02-22 14:40:49,355 DEBUG 
[org.apereo.cas.authentication.CoreAuthenticationUtils] - 
2018-02-22 14:40:49,355 DEBUG 
[org.apereo.cas.config.LdapAuthenticationConfiguration] - ldap://alpha.beta.gamma:389]...>
2018-02-22 14:40:49,357 DEBUG 
[org.apereo.cas.config.LdapAuthenticationConfiguration] - ldap://alpha.beta.gamma:389] and baseDn 
[dc=beta,dc=gamma]>
2018-02-22 14:40:49,375 DEBUG [org.apereo.cas.util.LdapUtils] - ldap://alpha.beta.gamma:389]>
2018-02-22 14:40:49,377 WARN 
[org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext]
 
- 
org.springframework.beans.factory.BeanCreationNotAllowedException: Error 
creating bean with name 'casMetricsConfiguration': Singleton bean creation 
not allowed while singletons of this factory are in destruction (Do not re
at 
org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:216)
 
~[spring-beans-4.3.12.RELEASE.jar:4.3.12.RELEASE]


On Thursday, February 22, 2018 at 2:36:17 PM UTC-6, David Curry wrote:
>
> You might find the examples here helpful:
>
>
> https://dacurry-tns.github.io/deploying-apereo-cas/building_server_ldap_overview.html
>
> There's an Active Directory configuration (two, actually) and an LDAP 
> configuration. Authentication and attribute retrieval.
>
> If those don't help, then please post the relevant line(s) from the log 
> file showing the error, and, if you have it turned on, debug messages.
>
> --Dave
>
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david.cu...@newschool.edu 
>
>
> On Thu, Feb 22, 2018 at 2:46 PM, Kevin Liu  > wrote:
>
>> I've now changed it to this:
>>
>>
>> #AD Configurations
>> cas.authn.ldap[0].type=AD
>> cas.authn.ldap[0].ldapUrl=ldap://alpha.beta.gamma:389
>> #cas.authn.ldap[0].connectionStrategy=
>> cas.authn.ldap[0].useSsl=false
>> cas.authn.ldap[0].useStartTls=false
>> cas.authn.ldap[0].connectTimeout=5000
>> cas.authn.ldap[0].subtreeSearch=true
>>
>> cas.authn.ldap[0].baseDn=dc=beta,dc=gamma
>> cas.authn.ldap[0].userFilter=cn={user}
>> cas.authn.ldap[0].bindDn=user@beta.gamma
>> cas.authn.ldap[0].bindCredential=userPassword
>>
>> Still not working with the same error.
>>
>>
>>
>> On Thursday, February 22, 2018 at 1:32:54 PM UTC-6, Kevin Liu wrote:
>>>
>>> Hello,
>>>
>>> I can't seem to make heads or tails of getting CAS to talk to LDAP
>>>
>>> I know my LDAP is working because using the following command, I can see 
>>> all LDAP entries:
>>>
>>> ldapsearch -x -h alpha.beta.gamma -D user@beta.gamma -W -b 
>>> "dc=beta,dc=gamma" 
>>>
>>> My assumption is that since these credentials are being accepted by 
>>> LDAP, I just have to configure CAS to use them. Is this correct?
>>>
>>> So far, my cas.properties contains the following:
>>>
>>> cas.authn.ldap[0].order: 0
>>> cas.authn.ldap[0].name: LDAP
>>> cas.authn.ldap[0].type: AD
>>> cas.authn.ldap[0].ldapUrl: ldap://alpha.beta.gamma:389
>>> cas.authn.ldap[0].baseDn: dc=di2e,dc=civ
>>>
>>> This is not working as I get a ton of errors saying that CAS has not 
>>> connected to LDAP.
>>>

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-22 Thread David Curry
You might find the examples here helpful:

https://dacurry-tns.github.io/deploying-apereo-cas/building_server_ldap_overview.html

There's an Active Directory configuration (two, actually) and an LDAP
configuration. Authentication and attribute retrieval.

If those don't help, then please post the relevant line(s) from the log
file showing the error, and, if you have it turned on, debug messages.

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Thu, Feb 22, 2018 at 2:46 PM, Kevin Liu  wrote:

> I've now changed it to this:
>
>
> #AD Configurations
> cas.authn.ldap[0].type=AD
> cas.authn.ldap[0].ldapUrl=ldap://alpha.beta.gamma:389
> #cas.authn.ldap[0].connectionStrategy=
> cas.authn.ldap[0].useSsl=false
> cas.authn.ldap[0].useStartTls=false
> cas.authn.ldap[0].connectTimeout=5000
> cas.authn.ldap[0].subtreeSearch=true
>
> cas.authn.ldap[0].baseDn=dc=beta,dc=gamma
> cas.authn.ldap[0].userFilter=cn={user}
> cas.authn.ldap[0].bindDn=user@beta.gamma
> cas.authn.ldap[0].bindCredential=userPassword
>
> Still not working with the same error.
>
>
>
> On Thursday, February 22, 2018 at 1:32:54 PM UTC-6, Kevin Liu wrote:
>>
>> Hello,
>>
>> I can't seem to make heads or tails of getting CAS to talk to LDAP
>>
>> I know my LDAP is working because using the following command, I can see
>> all LDAP entries:
>>
>> ldapsearch -x -h alpha.beta.gamma -D user@beta.gamma -W -b
>> "dc=beta,dc=gamma"
>>
>> My assumption is that since these credentials are being accepted by LDAP,
>> I just have to configure CAS to use them. Is this correct?
>>
>> So far, my cas.properties contains the following:
>>
>> cas.authn.ldap[0].order: 0
>> cas.authn.ldap[0].name: LDAP
>> cas.authn.ldap[0].type: AD
>> cas.authn.ldap[0].ldapUrl: ldap://alpha.beta.gamma:389
>> cas.authn.ldap[0].baseDn: dc=di2e,dc=civ
>>
>> This is not working as I get a ton of errors saying that CAS has not
>> connected to LDAP.
>>



Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-22 Thread Dmitriy Kopylenko
The main “bug tracker” for CAS project is an open pull request ;-)

May I suggest you first try 5.3.0-RC3-SNAPSHOT…

D.


From: Brian Davidson 
Reply: cas-user@apereo.org 
Date: February 22, 2018 at 3:03:46 PM
To: cas-user@apereo.org 
Subject:  Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy  

Do we need to open an issue in a bug tracker?  If so, where?

Any suggestions where to start poking in the code to try to debug this some 
more?  As best we can tell it’s throwing an exception in Spring web flow (which 
unfortunately we haven’t used so we’ve got a learning curve there).  And it 
looks like there’s a CAS plugin for web flow, so I’m hoping that might be a 
good place to put some debugging code.

Thanks,

Brian

On Feb 10, 2018, at 12:48 PM, Man H  wrote:

Indeed!!

On Saturday, February 10, 2018, Dmitriy Kopylenko wrote:
Thanks for confirming. Sounds like a bug to me.

D.




On Sat, Feb 10, 2018 at 12:01 PM -0500, "Brian Davidson"  
wrote:

I have tried that.  Duo works when I disable the bypass facility.  When I 
enable it, if bypass script returns false, single factor works and I don’t get 
a 500 error. If the groovy script returns true, I get the 500 error. 

So, the Duo integration is working.  The bypass groovy script definitely is 
getting called, and it definitely should return a boolean, not a string.

2018-02-09 15:04:55,638 DEBUG 
[org.springframework.webflow.engine.impl.FlowExecutionImpl] - 

Seems like Spring web flow with the duo flow is not happy with something when 
the bypass script is in place, but it’s fine when bypass isn’t in place.

Thanks!

Brian

On Feb 10, 2018, at 11:38 AM, Dmitriy Kopylenko  wrote:

Let me suggest to get the Groovy script out of equation completely. Switch this 
groovy bypass off, and try to perform entire duo 2 factor authentication 
transaction. If it completes successfully and then you again enable groovy 
bypass and then after it you get the failures that you are seeing, then the 
problem indeed is somewhere in that bypass facility.

Cheers,
D.




On Sat, Feb 10, 2018 at 11:29 AM -0500, "Brian Davidson"  
wrote:

Switching the function to return a String instead of a boolean, I get:

2018-02-10 11:25:06,033 ERROR [org.apereo.cas.util.ScriptingUtils] - 
java.lang.ClassCastException: Result [mfa-duo is of type class java.lang.String 
when we were expecting class java.lang.Boolean

…

2018-02-10 11:25:06,952 ERROR 
[org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass] - 

java.lang.NullPointerException: null
at 
org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass.shouldMultifactorAuthenticationProviderExecute(GroovyMultifactorAuthenticationProviderBypass.java:40)
 ~[cas-server-core-authentication-mfa-5.2.2-SNAPSHOT.jar:5.2.2-SNAPSHOT]

…





On Feb 10, 2018, at 10:14 AM, Man H  wrote:

Try returning string "mfa-duo" or null

On Saturday, February 10, 2018, Brian Davidson wrote:
I changed it from info to warn:

2018-02-10 08:54:07,061 WARN 
[org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass] - 


On Feb 10, 2018, at 8:43 AM, Man H  wrote:

Could you try this

def boolean run(final Object... args){
    def authentication = args[0]
    def principal = args[1]
    def service = args[2]
    def provider = args[3]
    def logger = args[4]
    def httpRequest = args[5]

    logger.info("Evaluating principal attributes ${principal.attributes}")

    return true
}


On Saturday, February 10, 2018, Brian Davidson wrote:
Removed that dependency and still get the same 500 error and same stack trace.

On Feb 10, 2018, at 7:20 AM, Man H  wrote:

Why do you have this


      
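<dependency>
    <groupId>javax.servlet</groupId>
    <artifactId>servlet-api</artifactId>
    <version>2.5</version>
    <type>jar</type>
</dependency>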
        


On Saturday, February 10, 2018, Brian Davidson wrote:
Running on apache-tomcat-8.5.24, so that should be servlet v3.1.x.

Yes, this is CAS version 5.2.2.

CAS w/ Duo works with no bypass groovy script in place.  CAS  works with bypass 
groovy script that returns false.  We’re just getting the exception when the 
groovy script returns true.

Thanks again for all the help!




External
A CAS deployment may be deployed to any number of external servlet containers. 
The container MUST support the servlet specification v3.1.x at a minimum.

On Feb 10, 2018, at 6:37 AM, Man H  wrote:

Assuming you are on 5.2.2

On Saturday, February 10, 2018, Brian Davidson wrote:
I meant to add, our pom.xml has the following dependencies (in case we’re 
missing something):


        
            org.apereo.cas
            cas-server-webapp-${app.server}
          

Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-22 Thread Brian Davidson
Do we need to open an issue in a bug tracker?  If so, where?

Any suggestions where to start poking in the code to try to debug this some 
more?  As best we can tell it’s throwing an exception in Spring web flow (which 
unfortunately we haven’t used so we’ve got a learning curve there).  And it 
looks like there’s a CAS plugin for web flow, so I’m hoping that might be a 
good place to put some debugging code.

Thanks,

Brian

> On Feb 10, 2018, at 12:48 PM, Man H  wrote:
> 
> Indeed!!
> 
> On Saturday, February 10, 2018, Dmitriy Kopylenko wrote:
> Thanks for confirming. Sounds like a bug to me.
> 
> D.
> 
> 
> 
> 
> On Sat, Feb 10, 2018 at 12:01 PM -0500, "Brian Davidson"  > wrote:
> 
> I have tried that.  Duo works when I disable the bypass facility.  When I 
> enable it, if bypass script returns false, single factor works and I don’t 
> get a 500 error. If the groovy script returns true, I get the 500 error. 
> 
> So, the Duo integration is working.  The bypass groovy script definitely is 
> getting called, and it definitely should return a boolean, not a string.
> 
> 2018-02-09 15:04:55,638 DEBUG 
> [org.springframework.webflow.engine.impl.FlowExecutionImpl] -  handle [org.springframework.webflow.execution.FlowExecutionException: 
> Exception thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'] with root 
> cause [java.io.NotSerializableException:
> org.springframework.core.io.UrlResource]>
> 
> Seems like Spring web flow with the duo flow is not happy with something when 
> the bypass script is in place, but it’s fine when bypass isn’t in place.
> 
> Thanks!
> 
> Brian
> 
>> On Feb 10, 2018, at 11:38 AM, Dmitriy Kopylenko > > wrote:
>> 
>> Let me suggest to get the Groovy script out of equation completely. Switch 
>> this groovy bypass off, and try to perform entire duo 2 factor 
>> authentication transaction. If it completes successfully and then you again 
>> enable groovy bypass and then after it you get the failures that you are 
>> seeing, then the problem indeed is somewhere in that bypass facility.
>> 
>> Cheers,
>> D.
>> 
>> 
>> 
>> 
>> On Sat, Feb 10, 2018 at 11:29 AM -0500, "Brian Davidson" 
>> > wrote:
>> 
>> Switching the function to return a String instead of a boolean, I get:
>> 
>> 2018-02-10 11:25:06,033 ERROR [org.apereo.cas.util.ScriptingUtils] - > [mfa-duo is of type class java.lang.String when we were expecting class 
>> java.lang.Boolean>
>> java.lang.ClassCastException: Result [mfa-duo is of type class 
>> java.lang.String when we were expecting class java.lang.Boolean
>> 
>> …
>> 
>> 2018-02-10 11:25:06,952 ERROR 
>> [org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass]
>>  - 
>> java.lang.NullPointerException: null
>>  at 
>> org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass.shouldMultifactorAuthenticationProviderExecute(GroovyMultifactorAuthenticationProviderBypass.java:40)
>>  ~[cas-server-core-authentication-mfa-5.2.2-SNAPSHOT.jar:5.2.2-SNAPSHOT]
>> 
>> …
>> 
>> 
>> 
>> 
>> 
>>> On Feb 10, 2018, at 10:14 AM, Man H >> > wrote:
>>> 
>>> Try returning string "mfa-duo" or null
>>> 
>>> On Saturday, February 10, 2018, Brian Davidson wrote:
>>> I changed it from info to warn:
>>> 
>>> 2018-02-10 08:54:07,061 WARN 
>>> [org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass]

[cas-user] Re: CAS5.2 Connect to LDAP

2018-02-22 Thread Kevin Liu
I've now changed it to this:


#AD Configurations
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldap://alpha.beta.gamma:389
#cas.authn.ldap[0].connectionStrategy=
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].subtreeSearch=true

cas.authn.ldap[0].baseDn=dc=beta,dc=gamma
cas.authn.ldap[0].userFilter=cn={user}
cas.authn.ldap[0].bindDn=user@beta.gamma
cas.authn.ldap[0].bindCredential=userPassword

Still not working with the same error.



On Thursday, February 22, 2018 at 1:32:54 PM UTC-6, Kevin Liu wrote:
>
> Hello,
>
> I can't seem to make heads or tails of getting CAS to talk to LDAP
>
> I know my LDAP is working because using the following command, I can see 
> all LDAP entries:
>
> ldapsearch -x -h alpha.beta.gamma -D user@beta.gamma -W -b "dc=beta,dc=gamma"
>
> My assumption is that since these credentials are being accepted by LDAP, 
> I just have to configure CAS to use them. Is this correct?
>
> So far, my cas.properties contains the following:
>
> cas.authn.ldap[0].order: 0
> cas.authn.ldap[0].name: LDAP
> cas.authn.ldap[0].type: AD
> cas.authn.ldap[0].ldapUrl: ldap://alpha.beta.gamma:389
> cas.authn.ldap[0].baseDn: dc=di2e,dc=civ
>
> This is not working as I get a ton of errors saying that CAS has not 
> connected to LDAP.
>
>
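Added example (not from the thread or from the CAS project): a small Python check run over the revised property set posted above. It flags an LDAP handler that would send bind passwords over an unencrypted ldap:// connection (useSsl and useStartTls both false) and, on the assumption taken from the CAS 5.x LDAP documentation that type AD builds the bind DN from dnFormat, an AD handler with no dnFormat. The finding names, the ldaps port and the dnFormat value are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input: the revised property set quoted in this thread.
REVISED = """\
#AD Configurations
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldap://alpha.beta.gamma:389
#cas.authn.ldap[0].connectionStrategy=
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].subtreeSearch=true

cas.authn.ldap[0].baseDn=dc=beta,dc=gamma
cas.authn.ldap[0].userFilter=cn={user}
cas.authn.ldap[0].bindDn=user@beta.gamma
cas.authn.ldap[0].bindCredential=userPassword
"""

# Constructed comparison: same handler over LDAPS with a dnFormat. The port
# (636) and the dnFormat value are assumptions, not values from the thread.
HARDENED = (
    REVISED.replace("ldap://alpha.beta.gamma:389", "ldaps://alpha.beta.gamma:636")
    .replace("useSsl=false", "useSsl=true")
    + "cas.authn.ldap[0].dnFormat=%s@beta.gamma\n"
)

# Java-properties style: the key ends at the first '=' or ':' (both styles
# appear in the thread), so '=' and ':' inside the value are preserved.
LINE = re.compile(r"^\s*([^\s=:]+)\s*[=:]\s*(.*?)\s*$")
HANDLER_KEY = re.compile(r"^cas\.authn\.ldap\[(\d+)\]\.(.+)$")
# Handler types that send a password in an LDAP simple bind.
BINDING_TYPES = {"AD", "AUTHENTICATED", "DIRECT"}


def parse_properties(text):
    """Return {key: value}, skipping blank lines and '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "!")):
            continue
        match = LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def ldap_handlers(props):
    """Group cas.authn.ldap[N].* settings by handler index N."""
    handlers = defaultdict(dict)
    for key, value in props.items():
        match = HANDLER_KEY.match(key)
        if match:
            handlers[int(match.group(1))][match.group(2)] = value
    return dict(handlers)


def is_true(settings, name):
    return settings.get(name, "").strip().lower() == "true"


def audit_handler(settings):
    """Return sorted finding codes for one LDAP authentication handler."""
    findings = set()
    # ldapUrl may hold several space-separated URLs; every one must be TLS.
    schemes = [urlsplit(u).scheme.lower() for u in settings.get("ldapUrl", "").split()]
    all_ldaps = bool(schemes) and all(s == "ldaps" for s in schemes)
    start_tls = is_true(settings, "useStartTls")
    # Assumption: useSsl=true is treated as an encrypted transport.
    encrypted = all_ldaps or start_tls or is_true(settings, "useSsl")
    auth_type = settings.get("type", "").upper()

    if auth_type in BINDING_TYPES and not encrypted:
        # Passwords sent in simple binds cross the network unencrypted.
        findings.add("cleartext-bind")
    if all_ldaps and start_tls:
        # StartTLS upgrades a plain connection; it does not apply to ldaps://.
        findings.add("starttls-on-ldaps")
    if auth_type == "AD" and not settings.get("dnFormat"):
        # Assumption from the CAS 5.x LDAP docs: type AD derives the bind DN
        # from a format string (dnFormat) rather than from a search.
        findings.add("ad-without-dnformat")
    return sorted(findings)


def audit(text):
    """Audit every LDAP handler found in a cas.properties text."""
    return {i: audit_handler(s) for i, s in ldap_handlers(parse_properties(text)).items()}


if __name__ == "__main__":
    for label, text in (("revised", REVISED), ("hardened", HARDENED)):
        print(label, audit(text))
```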



[cas-user] CAS5.2 Connect to LDAP

2018-02-22 Thread Kevin Liu
Hello,

I can't seem to make heads or tails of getting CAS to talk to LDAP

I know my LDAP is working because using the following command, I can see 
all LDAP entries:

ldapsearch -x -h alpha.beta.gamma -D user@beta.gamma -W -b "dc=beta,dc=gamma"

My assumption is that since these credentials are being accepted by LDAP, I 
just have to configure CAS to use them. Is this correct?

So far, my cas.properties contains the following:

cas.authn.ldap[0].order: 0
cas.authn.ldap[0].name: LDAP
cas.authn.ldap[0].type: AD
cas.authn.ldap[0].ldapUrl: ldap://alpha.beta.gamma:389
cas.authn.ldap[0].baseDn: dc=di2e,dc=civ

This is not working as I get a ton of errors saying that CAS has not 
connected to LDAP.



[cas-user] Moodle and CAS double login

2018-02-22 Thread cs.mahmud
Hi, 

I am having a double login issue with Moodle and CAS (v4.0.1). You can
reproduce the error by logging out of Moodle and trying to log back in
immediately. The first login does nothing, and you are prompted with a login
page again. The scenario and resolution were also described in this blog post:
https://www.unicon.net/about/blogs/moodles-race-with-cas-server . I
tried the solution but I am getting the error "Invalid property
'serviceManagerUrl' of bean class
[org.jasig.cas.web.flow.TerminateWebSessionListener]: Bean property
'serviceManagerUrl' is not writable or has an invalid setter method." Maybe
because the resolution was written for CAS 3.5.

Does anyone know what the solution should be for CAS 4?

Thanks, 
Mahmudul Hasan 
University of Lethbridge



[cas-user] Re: OAuth Client Credentials Grant

2018-02-22 Thread Agustin Gregorio Moyano
Hi Martin, if you read the documentation you should use the

/oauth2.0/accessToken

endpoint, not the authorization one.

Hope it helps.

Agustín.



Re: [cas-user] CAS 5.2 and Ellucian Banner 9 (XE)

2018-02-22 Thread Greg Booth
Matthew,

Here is our service definition:

{
  @class: org.apereo.cas.services.RegexRegisteredService
  id: 
  name: Banner
  description: Self-Service
  logo: https://www.mtu.edu/images/mtu-logo.png
  serviceId: https://(www\.)?bannerweb.mtu.edu(:443)?/.*
  attributeReleasePolicy: {
    @class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
    allowedAttributes: ["java.util.ArrayList", ["UDC_IDENTIFIER", "michigantechRIDM"]]
  }
}

On Thu, Feb 22, 2018 at 9:26 AM, Matthew Uribe 
wrote:

> Thanks Travis. That's the track I've been on. Can you tell me whether this
> service definition looks anything like what you ended up with?
>
>
> {
>   @class: org.apereo.cas.services.RegexRegisteredService
>   serviceId: ^https://ban9server.school.edu:8444/BannerGeneralSsb(\z|/.*)
>   name: TEST General SSB XE
>   id: 12345
>   attributeReleasePolicy:
>   {
>     @class: org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
>     allowedAttributes:
>     {
>       @class: java.util.TreeMap
>       UDC_IDENTIFIER: UDC_IDENTIFIER
>     }
>   }
>   "evaluationOrder" : 5
> }
>
>
> On Wednesday, February 21, 2018 at 5:18:20 PM UTC-7, Travis Schmidt wrote:
>>
>> I am helping a team with this exact issue right now.  Don't know anything
>> about the banner side of things, but I had to map the attribute they were
>> looking for to UDC_IDENTIFIER in the Service Registry for it to work.
>>
>> On Wed, Feb 21, 2018 at 3:46 PM Matthew Uribe  wrote:
>>
>>> Hello Community,
>>>
>>> I am wondering whether anyone has had success with Banner 9 and CAS
>>> 5.2.x
>>>
>>> We have been using the Luminis delivered CAS 3.5.2, but are interested
>>> in the features available in 5, such as SAML2 IdP, and MFA using Duo. I
>>> have deployed CAS 5.2.0, included cas-server-support-ldap and 
>>> cas-server-support-saml
>>> dependencies, and setup a service for one of our Banner 9 apps, but haven't
>>> been able to successfully access the application. I can access the CAS
>>> Dashboard, as well as the CAS-Management webapp, but the Banner apps are
>>> beyond me at this point. Right now, when I navigate to the Banner 9 app, I
>>> am redirected to the CAS login page. After logging in successfully, the
>>> browser gives me an error: "HTTP Status 403 - No assertions found".
>>>
>>> I figure the problem is either in my service registry, or that I maybe
>>> need to import the CAS certificate into a keystore somewhere on the Banner
>>> 9 server. Since I don't see anything related to a cert import in the Banner
>>> 9 install guides, I'm focused on the first of these two possibilities, but
>>> after 2 days of going in circles I've run out of ideas and would eagerly
>>> accept the advice of this community.
>>>
>>> Thank you,
>>> Matt
>>>



-- 
Gregory Booth
Senior Systems Administrator & Technical Team Lead
IT Operations
Information Technology
Michigan Technological University
(906) 487-1797
www.mtu.edu
www.it.mtu.edu


[cas-user] [CAS 5.X] Proxy Mode and 5.2.x

2018-02-22 Thread Didier Capdevielle
Hello CAS' Experts,
We have trouble using Proxy Mode (for UPortal) with CAS Server 5.2.x. 
SAME server (Debian Stretch ; OpenJDK 8 ; Tomcat8) and SAME configuration 
(except json-service-registry dependency and json location directory : 
different names). SAME Json files.
5.1.7 / 5.1.8 : NO problem with proxy mode (CAS 2 protocol) 
2018-02-22 16:35:02,692 DEBUG 
[org.apereo.cas.ticket.proxy.support.Cas20ProxyHandler] - Sent ProxyIou of 
[PGTIOU-*jIOaCR1nRg-cas-test] 
for service: [https://xx.xx/uPortal/CasProxyServlet]
2018-02-22 16:35:02,692 DEBUG 
[org.apereo.cas.web.AbstractServiceValidateController] - Successfully 
validated service ticket [ST-2-jML5LiuPAf2x4cQMZlbt-cas-test] for service 
[https://x.xx/uPortal/Login]

5.2.x : No error in logs but Impossible to have PGT Iou

What is changing in 5.2.x ?

Thanks in Advance,

Best regards.



Re: [cas-user] Re: CAS 5.2 and Ellucian Banner 9 (XE)

2018-02-22 Thread Mary Lashinsky
Looking for Java Developers with CAS experience in Torrance, California!
If you know anyone please contact me directly at m...@docmagic.com

On Thu, Feb 22, 2018 at 6:47 AM, William E.  wrote:

> We are on cas 5.2.2, banner 8 via ssomanager and banner 9 admin apps.
> Seems to work fine since we upgraded to cas 5.2.2 in late December.
>
> We populate the udcid in ldap from banner, then map it in cas as:
>
> cas.authn.attributeRepository.ldap[0].attributes.uahUDCID=UDC_IDENTIFIER
>
> Please note, without full BEIS the udcid in banner is not automatically
> populated when new users are created.  Our IDM calls a delivered BEIS
> component to populate any blank udcid values in banner before ldap
> provisioning since we don't use BEIS.
>
> IP_IDENTITY_DATA_EXPORT_UTIL.P_ASSIGN_UDCID();
>
>
> -William
>
> BEIS = Banner Enterprise Identity Services
>
>
> On Wednesday, February 21, 2018 at 5:46:21 PM UTC-6, Matthew Uribe wrote:
>>
>> Hello Community,
>>
>> I am wondering whether anyone has had success with Banner 9 and CAS 5.2.x
>>
>> We have been using the Luminis delivered CAS 3.5.2, but are interested in
>> the features available in 5, such as SAML2 IdP, and MFA using Duo. I have
>> deployed CAS 5.2.0, included cas-server-support-ldap and 
>> cas-server-support-saml
>> dependencies, and setup a service for one of our Banner 9 apps, but haven't
>> been able to successfully access the application. I can access the CAS
>> Dashboard, as well as the CAS-Management webapp, but the Banner apps are
>> beyond me at this point. Right now, when I navigate to the Banner 9 app, I
>> am redirected to the CAS login page. After logging in successfully, the
>> browser gives me an error: "HTTP Status 403 - No assertions found".
>>
>> I figure the problem is either in my service registry, or that I maybe
>> need to import the CAS certificate into a keystore somewhere on the Banner
>> 9 server. Since I don't see anything related to a cert import in the Banner
>> 9 install guides, I'm focused on the first of these two possibilities, but
>> after 2 days of going in circles I've run out of ideas and would eagerly
>> accept the advice of this community.
>>
>> Thank you,
>> Matt
>>



Re: [cas-user] Re: CAS Client Location (PKIX path building failed)

2018-02-22 Thread Alexandre Adao
Did you try to import the server's certificate into the jre cacerts
keystore?

On Thu, Feb 22, 2018 at 9:32 AM, Kevin Liu  wrote:

> Double checked and even reimported the certs to all keystores. Still same
> issue. I'm at a total loss. I might try localhost as the host name to see
> if that'll work.
>
> On Wednesday, February 21, 2018 at 7:07:44 PM UTC-6, rbon wrote:
>>
>> Kevin,
>>
>> Could it be a problem with the certificate? Perhaps misspelled host
>> names.
>>
>> Ray
>>
>> On Tue, 2018-02-20 at 08:10 -0800, Kevin Liu wrote:
>>
>> This is the error I keep getting:
>>
>> Error: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: 
>> sun.security.validator.ValidatorException: PKIX path building failed: 
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
>> valid certification path to requested target
>>
>>
>> On Tuesday, February 20, 2018 at 9:59:04 AM UTC-6, Kevin Liu wrote:
>>
>> I'm running into a PKIX path building failed and in the documentation it
>> lists this: "The problem here is that the CAS *client* does not trust
>> the certificate presented by the CAS server; most often this occurs because
>> of using a *self-signed certificate* on the CAS server. "
>>
>> I'm currently using tomcat to run cas vanilla server. What would be the
>> CAS client in this scenario?
>>
>> --
>> Ray Bon
>> Programmer analyst
>> Development Services, University Systems
>> 2507218831 | CLE 019 | rb...@uvic.ca
>>



Re: [cas-user] CAS5.2 LDAP Types

2018-02-22 Thread Kevin Liu
Thank you! I somehow completely missed that on that page.

On Thursday, February 22, 2018 at 8:40:27 AM UTC-6, David Curry wrote:
>
> The descriptions are here:
>
>
> https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#ldap-authentication-1
>
> There's also some more detailed stuff about each method in the ldaptive 
> documentation, but you have to kind of hunt for it. I found it once about a 
> year ago, but of course I didn't save the link... :-(
>
> --Dave
>
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david.cu...@newschool.edu 
>
>
> On Thu, Feb 22, 2018 at 9:34 AM, Kevin Liu wrote:
>
>> Can someone explain to me the different LDAP types? I don't exactly 
>> understand the purpose of AD, Authenticated, Anonymous, or Direct. If there 
>> is documentation somewhere, that would be appreciated too.
>>
>
>



[cas-user] Re: CAS 5.2 and Ellucian Banner 9 (XE)

2018-02-22 Thread William E.
We are on cas 5.2.2, banner 8 via ssomanager and banner 9 admin apps.  
Seems to work fine since we upgraded to cas 5.2.2 in late December.

We populate the udcid in ldap from banner, then map it in cas as:

cas.authn.attributeRepository.ldap[0].attributes.uahUDCID=UDC_IDENTIFIER

Please note, without full BEIS the udcid in banner is not automatically 
populated when new users are created.  Our IDM calls a delivered BEIS 
component to populate any blank udcid values in banner before ldap 
provisioning since we don't use BEIS.

IP_IDENTITY_DATA_EXPORT_UTIL.P_ASSIGN_UDCID();


-William

BEIS = Banner Enterprise Identity Services


On Wednesday, February 21, 2018 at 5:46:21 PM UTC-6, Matthew Uribe wrote:
>
> Hello Community,
>
> I am wondering whether anyone has had success with Banner 9 and CAS 5.2.x 
>
> We have been using the Luminis delivered CAS 3.5.2, but are interested in 
> the features available in 5, such as SAML2 IdP, and MFA using Duo. I have 
> deployed CAS 5.2.0, included cas-server-support-ldap and 
> cas-server-support-saml 
> dependencies, and setup a service for one of our Banner 9 apps, but haven't 
> been able to successfully access the application. I can access the CAS 
> Dashboard, as well as the CAS-Management webapp, but the Banner apps are 
> beyond me at this point. Right now, when I navigate to the Banner 9 app, I 
> am redirected to the CAS login page. After logging in successfully, the 
> browser gives me an error: "HTTP Status 403 - No assertions found".
>
> I figure the problem is either in my service registry, or that I maybe 
> need to import the CAS certificate into a keystore somewhere on the Banner 
> 9 server. Since I don't see anything related to a cert import in the Banner 
> 9 install guides, I'm focused on the first of these two possibilities, but 
> after 2 days of going in circles I've run out of ideas and would eagerly 
> accept the advice of this community.
>
> Thank you,
> Matt
>



Re: [cas-user] CAS5.2 LDAP Types

2018-02-22 Thread David Curry
The descriptions are here:

https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#ldap-authentication-1

There's also some more detailed stuff about each method in the ldaptive
documentation, but you have to kind of hunt for it. I found it once about a
year ago, but of course I didn't save the link... :-(

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Thu, Feb 22, 2018 at 9:34 AM, Kevin Liu  wrote:

> Can someone explain to me the different LDAP types? I don't exactly
> understand the purpose of AD, Authenticated, Anonymous, or Direct. If there
> is documentation somewhere, that would be appreciated too.
>



[cas-user] CAS5.2 LDAP Types

2018-02-22 Thread Kevin Liu
Can someone explain to me the different LDAP types? I don't exactly 
understand the purpose of AD, Authenticated, Anonymous, or Direct. If there 
is documentation somewhere, that would be appreciated too.



Re: [cas-user] Re: CAS Client Location (PKIX path building failed)

2018-02-22 Thread Kevin Liu
Double checked and even reimported the certs to all keystores. Still same 
issue. I'm at a total loss. I might try localhost as the host name to see 
if that'll work.

On Wednesday, February 21, 2018 at 7:07:44 PM UTC-6, rbon wrote:
>
> Kevin,
>
> Could it be a problem with the certificate? Perhaps misspelled host names.
>
> Ray
>
> On Tue, 2018-02-20 at 08:10 -0800, Kevin Liu wrote:
>
> This is the error I keep getting: 
>
> Error: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: 
> sun.security.validator.ValidatorException: PKIX path building failed: 
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> valid certification path to requested target
>
>
> On Tuesday, February 20, 2018 at 9:59:04 AM UTC-6, Kevin Liu wrote: 
>
> I'm running into a PKIX path building failed and in the documentation it 
> lists this: "The problem here is that the CAS *client* does not trust the 
> certificate presented by the CAS server; most often this occurs because of 
> using a *self-signed certificate* on the CAS server. " 
>
> I'm currently using tomcat to run cas vanilla server. What would be the CAS 
> client in this scenario?
>
> -- 
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca 
>
>



Re: [cas-user] CAS 5.2 and Ellucian Banner 9 (XE)

2018-02-22 Thread Matthew Uribe
Thanks Greg. I've got all the following attributes listed in my 
cas.properties. When I look in /cas/status/ssosessions I see all of these 
attributes in the TGT. That's why I was thinking it must be something to do 
with the way the attributes are released in the service definition.

cas.authn.attributeRepository.ldap[0].attributes.cn:cn
cas.authn.attributeRepository.ldap[0].attributes.displayName:   displayName
cas.authn.attributeRepository.ldap[0].attributes.givenName: givenName
cas.authn.attributeRepository.ldap[0].attributes.mail:  mail
cas.authn.attributeRepository.ldap[0].attributes.sn:sn
cas.authn.attributeRepository.ldap[0].attributes.udcid: UDC_IDENTIFIER
cas.authn.attributeRepository.ldap[0].attributes.uid:   uid


On Wednesday, February 21, 2018 at 5:50:36 PM UTC-7, Greg Booth wrote:
>
> Specifically, in cas.properties:
>
> cas.authn.attributeRepository.ldap[0].attributes.udcid=UDC_IDENTIFIER
>
>
> On Wed, Feb 21, 2018 at 7:48 PM, Greg Booth wrote:
>
>> We also had to map UDC_IDENTIFIER to get it to work, although we are on 
>> CAS 5.1.5.
>>
>> On Wed, Feb 21, 2018 at 7:18 PM, Travis Schmidt wrote:
>>
>>> I am helping a team with this exact issue right now.  Don't know 
>>> anything about the banner side of things, but I had to map the attribute 
>>> they were looking for to UDC_IDENTIFIER in the Service Registry for it to 
>>> work.
>>>
>>> On Wed, Feb 21, 2018 at 3:46 PM Matthew Uribe wrote:
>>>
>>>> Hello Community,
>>>>
>>>> I am wondering whether anyone has had success with Banner 9 and CAS 
>>>> 5.2.x 
>>>>
>>>> We have been using the Luminis delivered CAS 3.5.2, but are interested 
>>>> in the features available in 5, such as SAML2 IdP, and MFA using Duo. I 
>>>> have deployed CAS 5.2.0, included cas-server-support-ldap and 
>>>> cas-server-support-saml 
>>>> dependencies, and setup a service for one of our Banner 9 apps, but 
>>>> haven't 
>>>> been able to successfully access the application. I can access the CAS 
>>>> Dashboard, as well as the CAS-Management webapp, but the Banner apps are 
>>>> beyond me at this point. Right now, when I navigate to the Banner 9 app, I 
>>>> am redirected to the CAS login page. After logging in successfully, the 
>>>> browser gives me an error: "HTTP Status 403 - No assertions found".
>>>>
>>>> I figure the problem is either in my service registry, or that I maybe 
>>>> need to import the CAS certificate into a keystore somewhere on the Banner 
>>>> 9 server. Since I don't see anything related to a cert import in the 
>>>> Banner 
>>>> 9 install guides, I'm focused on the first of these two possibilities, but 
>>>> after 2 days of going in circles I've run out of ideas and would eagerly 
>>>> accept the advice of this community.
>>>>
>>>> Thank you,
>>>> Matt
>>>>
>>
>>
>>
>> -- 
>> Gregory Booth
>> Senior Systems Administrator & Technical Team Lead
>> IT Operations
>> Information Technology
>> Michigan Technological University
>> (906) 487-1797
>> www.mtu.edu
>> www.it.mtu.edu
>>
>
>
>
> -- 
> Gregory Booth
> Senior Systems Administrator & Technical Team Lead
> IT Operations
> Information Technology
> Michigan Technological University
> (906) 487-1797
> www.mtu.edu
> www.it.mtu.edu
>


[cas-user] Re: CAS installation

2018-02-22 Thread Kevin Liu
Strongly recommend following this:
https://dacurry-tns.github.io/deploying-apereo-cas/building_server_ldap_authentication_config-ad-auth-properties.html

On Thursday, February 22, 2018 at 8:02:01 AM UTC-6, Hippolyte wrote:
>
> Hello everyone,
>
> I would like to install the latest version of the CAS but I can not find any 
> documentation indicating the procedure to follow.
>
> Can you help me?
>
>
> Thank you!
>
>



Re: [cas-user] CAS 5.2 and Ellucian Banner 9 (XE)

2018-02-22 Thread Matthew Uribe
Thanks Travis. That's the track I've been on. Can you tell me whether this 
service definition looks anything like what you ended up with?


{
  @class:   org.apereo.cas.services.RegexRegisteredService
  serviceId:    ^https://ban9server.school.edu:8444/BannerGeneralSsb(\z|/.*)
  name: TEST General SSB XE
  id:   12345
  attributeReleasePolicy:
  {
    @class: org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
    allowedAttributes:
    {
      @class:   java.util.TreeMap
      UDC_IDENTIFIER:   UDC_IDENTIFIER
    }
  }
  "evaluationOrder" :   5
}


On Wednesday, February 21, 2018 at 5:18:20 PM UTC-7, Travis Schmidt wrote:
>
> I am helping a team with this exact issue right now.  Don't know anything 
> about the banner side of things, but I had to map the attribute they were 
> looking for to UDC_IDENTIFIER in the Service Registry for it to work.
>
> On Wed, Feb 21, 2018 at 3:46 PM Matthew Uribe wrote:
>
>> Hello Community,
>>
>> I am wondering whether anyone has had success with Banner 9 and CAS 5.2.x 
>>
>> We have been using the Luminis delivered CAS 3.5.2, but are interested in 
>> the features available in 5, such as SAML2 IdP, and MFA using Duo. I have 
>> deployed CAS 5.2.0, included cas-server-support-ldap and 
>> cas-server-support-saml 
>> dependencies, and setup a service for one of our Banner 9 apps, but haven't 
>> been able to successfully access the application. I can access the CAS 
>> Dashboard, as well as the CAS-Management webapp, but the Banner apps are 
>> beyond me at this point. Right now, when I navigate to the Banner 9 app, I 
>> am redirected to the CAS login page. After logging in successfully, the 
>> browser gives me an error: "HTTP Status 403 - No assertions found".
>>
>> I figure the problem is either in my service registry, or that I maybe 
>> need to import the CAS certificate into a keystore somewhere on the Banner 
>> 9 server. Since I don't see anything related to a cert import in the Banner 
>> 9 install guides, I'm focused on the first of these two possibilities, but 
>> after 2 days of going in circles I've run out of ideas and would eagerly 
>> accept the advice of this community.
>>
>> Thank you,
>> Matt
>>
>

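
[Added example, not part of any message in this thread and not code from the posters or the CAS project.] The thread describes two mapping stages that both have to line up: the `cas.authn.attributeRepository.ldap[0].attributes.*` properties, and the service's `allowedAttributes`. The check below cross-references them under a simplified model that is an assumption here: the property key names the LDAP attribute, its value is the name CAS gives the principal attribute, and each `allowedAttributes` key must match one of those names. The function names and the second, deliberately mismatched service are constructed for illustration.

```python
import re

# Constructed sample built from the property lines quoted in this thread.
# Java .properties files accept "=", ":" or whitespace between key and value.
CAS_PROPERTIES = """\
# attribute repository mappings
cas.authn.attributeRepository.ldap[0].attributes.cn:cn
cas.authn.attributeRepository.ldap[0].attributes.displayName:   displayName
cas.authn.attributeRepository.ldap[0].attributes.udcid: UDC_IDENTIFIER
cas.authn.attributeRepository.ldap[0].attributes.uid=uid
"""

# Constructed sample: allowedAttributes maps of two services that use
# ReturnMappedAttributeReleasePolicy (principal attribute -> released name).
SERVICES = {
    "TEST General SSB XE": {"UDC_IDENTIFIER": "UDC_IDENTIFIER"},
    # Hypothetical mistake: references the LDAP name instead of the CAS name.
    "misconfigured example": {"udcid": "UDC_IDENTIFIER"},
}

_PROP = re.compile(
    r"^cas\.authn\.attributeRepository\.ldap\[\d+\]\.attributes\."
    r"([^\s=:]+)"            # LDAP attribute name (end of the property key)
    r"(?:\s*[=:]\s*|\s+)"    # any separator .properties allows
    r"(\S.*?)\s*$"           # name CAS gives the attribute (assumed model)
)


def principal_attributes(properties_text):
    """Return {CAS principal attribute name: LDAP source attribute}."""
    produced = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":  # blank line or .properties comment
            continue
        match = _PROP.match(line)
        if match:
            ldap_attr, cas_name = match.group(1), match.group(2)
            produced[cas_name] = ldap_attr
    return produced


def check_release(allowed_attributes, produced):
    """Split a mapped release policy into resolvable and unresolved entries.

    Returns ({released name: LDAP source}, [principal names nothing produces]).
    """
    released, unresolved = {}, []
    for principal_name, released_name in allowed_attributes.items():
        if principal_name in produced:
            released[released_name] = produced[principal_name]
        else:
            unresolved.append(principal_name)
    return released, sorted(unresolved)


def audit(properties_text, services):
    """Run check_release for every service against one properties file."""
    produced = principal_attributes(properties_text)
    return {name: check_release(allowed, produced)
            for name, allowed in services.items()}


if __name__ == "__main__":
    for name, (released, unresolved) in audit(CAS_PROPERTIES, SERVICES).items():
        print(f"{name}: releases {released}, unresolved {unresolved}")
```

An empty `unresolved` list only shows that the two configuration stages agree with each other; it does not show that the LDAP entry actually carries a value for the source attribute.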


[cas-user] CAS installation

2018-02-22 Thread Hippolyte


Hello everyone,

I would like to install the latest version of the CAS but I can not find any 
documentation indicating the procedure to follow.

Can you help me?


Thank you!



Re: [cas-user] Problem integrating CAS 5.2.0 with ORCID and FACEBOOK.

2018-02-22 Thread Neha Gupta
Hello Jérôme,

I have written a mail to ORCID support and below is the reply from them: -

*When do you get that error message? Is it when you try to exchange the 6
digit code for an access token? (I tried the link you sent and I'm able to
authorize and see the 6 digit authorization code) If so, can you please
send the full call you are using to exchange the code for an access token?*

Request you to please answer the question or should I raise it in PAC4j
support.

Thanks a lot for your support.


Regards
Neha Gupta



On Wed, Feb 14, 2018 at 5:06 PM, Jérôme LELEU  wrote:

> Hi,
>
> The problem happens at the pac4j level, but it is not because of pac4j.
> The identity provider returns a specific error which makes authentication
> impossible.
>
> There must be some bad configuration: maybe you have public key and secret
> while you need member ones. It definitely feels like a functional error.
>
> Thanks.
> Best regards,
> Jérôme
>
>
> On Tue, Feb 13, 2018 at 10:53 AM, Neha Gupta 
> wrote:
>
>> Hello Jérôme,
>>
>> Request you to please elaborate in more detail about how can I run these
>> testcases.
>>
>> I tried to solve the problem in pac4j (i.e. correcting the URL) but after
>> that I am getting below error (Traces and Snapshot attached): -
>>
>> org.pac4j.core.exception.TechnicalException:
>> com.github.scribejava.core.model.OAuth2AccessTokenErrorResponse: {
>>   "error" : "invalid_request",
>>   "error_description" : "Public members are not allowed to use the
>> Members API"
>> }
>>
>> Request you to please give me more detail about the issue i.e. the place
>> of its occurrence whether the problem is at CAS side or pac4j side and how
>> can I proceed further.
>>
>> Regards
>> Neha Gupta
>>
>> On Fri, Feb 2, 2018 at 4:46 PM, Jérôme LELEU  wrote:
>>
>>> Hi,
>>>
>>> Before fixing things in CAS, you should start to make it work in pac4j
>>> and run successfully a manual test like these ones:
>>> https://github.com/pac4j/pac4j/tree/master/pac4j-oauth
>>> /src/test/java/org/pac4j/oauth/run
>>> Thanks.
>>> Best regards,
>>> Jérôme
>>>
>>>
>>> On Thu, Feb 1, 2018 at 4:03 PM, Neha Gupta 
>>> wrote:
>>>
>>>> Hello Jérôme,
>>>>
>>>> Thanks a lot for support.
>>>>
>>>> So finally I was able to compile pac4j with the required changes but
>>>> still not able to access ORCID login page. Still same problem is coming
>>>> "There has been a problem with the server. If this problem persists please
>>>> contact administrator"
>>>>
>>>> After looking into the CAS traces I found out that the URL which CAS is
>>>> building has "/" at the end of authorise and because of this ORCID login
>>>> page is not getting displayed.
>>>>
>>>> URL which CAS is building is below and is not accessible: -
>>>>
>>>> http://www.orcid.org/oauth/authorize*/*?client_id=APP-UPW3FFH0
>>>> 8YVI6YUJ=%2Fa
>>>> uthenticate%2Fread-limited_type=code_uri=http%3A%2F%
>>>> 2Fidiv-dev1.inf-bb.uni-jena.de%3A8080%2Fcas%2Flogi
>>>> n%3Fclient_name%3Dorcid#show_login
>>>>
>>>>
>>>> The below URL after removing / is accessible: -
>>>>
>>>> http://www.orcid.org/oauth/authorize?client_id=APP-UPW3FFH08
>>>> YVI6YUJ=%2Fa
>>>> uthenticate%2Fread-limited_type=code_uri=http%3A%2F%
>>>> 2Fidiv-dev1.inf-bb.uni-jena.de%3A8080%2Fcas%2Flogi
>>>> n%3Fclient_name%3Dorcid#show_login
>>>>
>>>> Looking forward for your support on this.
>>>>
>>>>
>>>> Thanks and Regards
>>>> Neha Gupta
>>>>
>>>>
>>>>
>>>>
>>>> On Wed, Jan 31, 2018 at 11:13 AM, Jérôme LELEU
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> OK. So let's take problems in order:
>>>>>
>>>>> - regarding the AbstractMethodError error, it certainly comes from
>>>>> the fact that you don't have the same version of pac4j-core and the other
>>>>> pac4j-* modules (check that with a "mvn dependency:tree" or
>>>>> "gradlew dependencies"). It should be 2.2.1 for all modules to use the
>>>>> latest version.
>>>>>
>>>>> - regarding the Illegal key size error, either it comes from the key
>>>>> size you use or from the fact you haven't installed the unlimited strength
>>>>> policy for your JDK.
>>>>>
>>>>> We don't use the v2 API as I don't see any v2.0 text in the URL we
>>>>> use. I remember taking a look at this integration, but it wasn't really
>>>>> easy to test it. It might be easier with the version 2.
>>>>>
>>>>> Your contribution will be welcome.
>>>>>
>>>>> Thanks.
>>>>> Best regards,
>>>>> Jérôme
>>>>>
>>>>>
>>>>> On Tue, Jan 30, 2018 at 1:36 PM, Neha Gupta
>>>>> wrote:
>>>>>
>>>>>> Hello  Jérôme,
>>>>>>
>>>>>> Thanks a lot for update. I tried making changes in the file you
>>>>>> suggested but always not able to access CAS login page after that as CAS is
>>>>>> throwing some error. Traces(CASTraces.txt) attached.
>>>>>> Request you to please help me on this.
>>>>>>
>>>>>> Also when I tried to package the complete pac4j package I am getting
>>>>>> error in JWT. Traces attached(Pac4jTraces.txt)