[cas-user] problems with getting ldap support in cas 6.5.2

2022-04-16 Thread Anders Collstrup
Hi,

I have a basic CAS installation (installed using overlay-template) running
in tomcat9 on a Debian 11 machine.
Each time I try to configure LDAP support to look up users in Active
Directory, deployment of root.war in my Tomcat fails.

Active Directory is running with a self-signed certificate for ldaps support.
The certificate is placed in both
the certificate is added to trust with update-ca-certificates

ldapsearch works fine with the following settings:
# TLS certificates (needed for GnuTLS)
TLS_CACERT  /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT always

my cas.properties:
##
# CAS ldap
#
cas.authn.ldap[0].type=DIRECT
cas.authn.ldap[0].ldap-url=ldaps://my-AD.domain.com
cas.authn.ldap[0].use-start-tls=true
cas.authn.ldap[0].dn-format=sAMAccountName=%s,ou=ORG,dc=domain,dc=com
cas.authn.ldap[0].base-dn=ou=ORG,dc=domain,dc=com
cas.authn.ldap[0].search-filter=sAMAccountName={user}
cas.authn.ldap[0].bind-dn=cn=ldaplookupuser,ou=ORG,dc=domain,dc=com
cas.authn.ldap[0].bind-credential=superserectpassword
cas.authn.ldap[0].principal-attribute-list=mail,sn,givenName,cn,name,sAMAccountName,memberOf

(if I comment out all the ldap stuff in cas.properties, then I can log in
with "casuser/Mellon")

dependencies in my build.gradle:
dependencies {
    /**
     * Do NOT modify the lines below or else you will risk breaking dependency management.
     */
    implementation enforcedPlatform("org.apereo.cas:cas-server-support-bom:${project.'cas.version'}")
    implementation platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)

    /**
     * CAS dependencies and modules may be listed here.
     *
     * There is no need to specify the version number for each dependency
     * since versions are all resolved and controlled by the dependency management
     * plugin via the CAS bom.
     **/

    implementation "org.apereo.cas:cas-server-support-ldap"
    implementation "org.apereo.cas:cas-server-support-throttle"
    implementation "org.apereo.cas:cas-server-support-json-service-registry"
    implementation "org.apereo.cas:cas-server-core-api-configuration-model"
    implementation "org.apereo.cas:cas-server-webapp-init"

    if (project.hasProperty("casModules")) {
        def dependencies = project.getProperty("casModules").split(",")
        dependencies.each {
            def projectsToAdd = rootProject.subprojects.findAll {project ->
                project.name == "cas-server-core-${it}" || project.name == "cas-server-support-${it}"
            }
            projectsToAdd.each {implementation it}
        }
    }
}


Error:
Caused by:
org.springframework.beans.factory.UnsatisfiedDependencyException: Error
creating bean with name 'serviceValidateController' defined in class path
resource
[org/apereo/cas/web/config/CasValidationConfiguration$CasValidationControllerConfiguration.class]:
Unsatisfied dependency expressed through method 'serviceValidateController'
parameter 1; nested exception is
org.springframework.beans.factory.UnsatisfiedDependencyException: Error
creating bean with name 'defaultAuthenticationSystemSupport' defined in
class path resource
[org/apereo/cas/config/CasCoreAuthenticationSupportConfiguration$CasCoreAuthenticationSupportBaseConfiguration.class]:
Unsatisfied dependency expressed through method
'defaultAuthenticationSystemSupport' parameter 0; nested exception is
org.springframework.beans.factory.UnsatisfiedDependencyException: Error
creating bean with name 'authenticationTransactionManager' defined in class
path resource
[org/apereo/cas/config/CasCoreAuthenticationConfiguration$CasCoreAuthenticationManagerConfiguration.class]:
Unsatisfied dependency expressed through method
'authenticationTransactionManager' parameter 0; nested exception is
org.springframework.beans.factory.UnsatisfiedDependencyException: Error
creating bean with name 'casAuthenticationManager' defined in class path
resource
[org/apereo/cas/config/CasCoreAuthenticationConfiguration$CasCoreAuthenticationManagerConfiguration.class]:
Unsatisfied dependency expressed through method 'casAuthenticationManager'
parameter 2; nested exception is
org.springframework.beans.factory.UnsatisfiedDependencyException: Error
creating bean with name 'authenticationEventExecutionPlan' defined in class
path resource
[org/apereo/cas/config/CasCoreAuthenticationConfiguration$CasCoreAuthenticationPlanConfiguration.class]:
Unsatisfied dependency expressed through method
'authenticationEventExecutionPlan' parameter 0; nested exception is
org.springframework.beans.factory.UnsatisfiedDependencyException: Error
creating bean with name 'ldapAuthenticationEventExecutionPlanConfigurer'
defined in class path resource
[org/apereo/cas/config/LdapAuthenticationConfiguration$LdapAuthenticationPlanConfiguration.class]:
Unsatisfied dependency expressed through method
'ldapAuthenticationEventExecutionPlanConfigurer' parameter 0; nested
exception is org.springframework.beans.factory.BeanCreationException: Error
creating bean with name 

Re: [EXTERNAL SENDER] Re: [cas-user] log4j vulnerability

2021-12-11 Thread Anders Collstrup
My fix was the following:

CAS 6.1 running on Debian 10. All except CAS installed from standard repos.

Created this file:
/usr/share/tomcat9/bin/setenv.sh

containing:
JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=True"

After restart of tomcat I could see the following in the log:
10-Dec-2021 18:49:18.681 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line
argument: -Dlog4j2.formatMsgNoLookups=True

On Fri, Dec 10, 2021 at 9:01 PM King, Robert wrote:

> Just rolled out this mitigation to our servers, seems to be effective for
> CAS 6.3.x builds.
>
>
>
> Our environment for reference:
>
>
>
> - Standalone Tomcat
>
> - OpenJDK
>
> - CAS and CAS-Management as deployed jars
>
> - CAS and CAS-Management built from cas-overlay and cas-management-overlay
> repos.
>
>
>
> Mitigated by adding “-Dlog4j2.FormatMsgNoLookups=true” into the Tomcat
> startup in systemd tomcat.service file.
>
>
>
>
>
> *From:* 'Richard Frovarp' via CAS Community 
> *Sent:* Friday, December 10, 2021 3:29 PM
> *To:* cas-user@apereo.org
> *Subject:* [EXTERNAL SENDER] Re: [cas-user] log4j vulnerability
>
>
>
> Maybe? The one that I've seen
>
> https://logging.apache.org/log4j/2.x/security.html
>
>
>
> says set it as a system property, so -Dlog4j2.formatMsgNoLookups=true to
> your JVM and not in the config file.
>
>
>
> On 12/10/21 12:55 PM, Mike Osterman wrote:
>
> Yeah, it seems like setting the log4j2.formatMsgNoLookups to "true" in
> the log4j2.xml config file might do the trick.
>
>
>
> I'm guessing we'd do that somewhere here at the top?
>
>
>
> 
> 
> 
> 
> /etc/cas/logs
> 
> 
>
>
>
> On Fri, Dec 10, 2021 at 10:41 AM 'Richard Frovarp' via CAS Community <
> cas-user@apereo.org> wrote:
>
> Using a new enough version of the JDK might also alleviate it? The other
> option is to throw the config option at the JDK to stop it from happening.
> That would seem to be easiest.
>
>
>
> On 12/10/21 12:36 PM, King, Robert wrote:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
>
>
>
> Has anyone attempted to mitigate this CVE yet?
>
>
>
> There seem to be two possible approaches to mitigation:
>
> 1. The sledgehammer approach of removing the JndiLookup.class from the jar
> files:
>
> zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
>
>
>
> 2. Rebuild CAS and set “log4jVersion=2.15.0”
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/885973b3982643508efbf27a99855460%40mun.ca
> 
> .
> 
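
Added example, not part of the original messages: the class-removal mitigation quoted in this thread only helps if every copy of log4j-core was treated, so this Python script lists each copy found in a jar or war, including jars nested under WEB-INF/lib, and reports whether JndiLookup.class is still present. The function names, the sample archive and its placeholder version string are constructed for illustration.

```python
import io
import sys
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def scan_archive(data, label, depth=4):
    """List every log4j-core copy in an archive, following nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # unreadable entry: nothing to report
    findings = []
    with zf:
        names = sorted(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            version = None
            if POM_PROPS in names:
                props = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines()
                version = next((l[8:].strip() for l in props if l.startswith("version=")), None)
            findings.append({"archive": label, "version": version,
                             "jndi_lookup": JNDI_CLASS in names})
        for name in names:
            if depth > 0 and name.lower().endswith(ARCHIVES):  # depth bounds recursion
                findings += scan_archive(zf.read(name), f"{label}!/{name}", depth - 1)
    return findings

def make_archive(entries):
    """Build an in-memory archive; used only for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def sample_war():
    """Constructed war: one untouched log4j-core jar, one with the class removed."""
    pom = "version=0.0.0-sample\n"  # placeholder version, not a real release
    untouched = make_archive({POM_PROPS: pom, JNDI_CLASS: b"\xca\xfe\xba\xbe"})
    stripped = make_archive({POM_PROPS: pom})
    return make_archive({"WEB-INF/lib/log4j-core-a.jar": untouched,
                         "WEB-INF/lib/log4j-core-b.jar": stripped})

if __name__ == "__main__":  # pass archive paths; with none, the sample is scanned
    inputs = [(open(p, "rb").read(), p) for p in sys.argv[1:]] or [(sample_war(), "sample.war")]
    for data, label in inputs:
        print(*scan_archive(data, label), sep="\n")
```

Apache's Log4j security page, linked in the thread, later listed the formatMsgNoLookups setting among insufficient mitigations and advises upgrading or removing the class, so checking the archives themselves is worthwhile.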

Re: [cas-user] log4j2 vulnerability

2021-12-11 Thread Anders Collstrup
My fix was the following:

CAS 6.1 running on Debian 10. All except CAS installed from standard repos.

Created this file:
/usr/share/tomcat9/bin/setenv.sh

containing:
JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=True"

After restart of tomcat I could see the following in the log:
10-Dec-2021 18:49:18.681 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line
argument: -Dlog4j2.formatMsgNoLookups=True

On Fri, Dec 10, 2021 at 7:37 PM Manuel Cones wrote:

> Hello, due to the recently discovered log4j2 vulnerability, what's the way to
> mitigate it?
>
> Should I add log4j2.formatMsgNoLookups=true to the cas.properties file?
>
> Thanks in Advance,
> Manuel.
>


[cas-user] Re: how to install cas-overlay-template latests release version?

2021-10-04 Thread Anders Collstrup
Hi Dustin,

Thanks for the reply, it worked :-)

/Anders
On Friday, October 1, 2021 at 16:55:07 UTC+2, Dustin Luck wrote:

> You can specify the branch in the git clone command:
>
> git clone https://github.com/apereo/cas-overlay-template -b 6.4
>
>
>
> On Thursday, September 30, 2021 at 11:52:42 PM UTC-7 anders.c...@gmail.com 
> wrote:
>
>> Hi,
>>
>> I want to update my CAS from version 6.1 to latest release version.
>> But when I issue:
>>
>> git clone https://github.com/apereo/cas-overlay-template
>>
>> I get version 6.5.0-SNAPSHOT
>>
>> If I try
>> git clone https://github.com/apereo/cas-overlay-template-6.4.0-RELEASE
>> Then I am asked for a username for github.
>>
>> What am I doing wrong?
>>
>> Regards
>> Anders
>>
>>



[cas-user] how to install cas-overlay-template latests release version?

2021-10-01 Thread Anders Collstrup
Hi,

I want to update my CAS from version 6.1 to latest release version.
But when I issue:

git clone https://github.com/apereo/cas-overlay-template

I get version 6.5.0-SNAPSHOT

If I try
git clone https://github.com/apereo/cas-overlay-template-6.4.0-RELEASE
Then I am asked for a username for github.

What am I doing wrong?

Regards
Anders



[cas-user] Re: cas validation from apache

2021-09-22 Thread Anders Collstrup
I found the solution. I was using apache 2.4

So the correct configuration was:

  Authtype CAS 
  Require user user1 user2 user3


/Anders

On Wednesday, September 22, 2021 at 10:45:52 UTC+2, Anders Collstrup wrote:

> Hi,
>
> I want to use mod_auth_cas to give a handful of users access to a
> sensitive site.
> Only 4-5 users will have access.
>
> Is there any way I can use something like:
> 
>   Authtype CAS Require cas-attribute "username":user1,user2,user3 ?
> 
>
> And what is the attribute name CAS releases for "username"?
>
> /Anders
>



[cas-user] cas validation from apache

2021-09-22 Thread Anders Collstrup
Hi,

I want to use mod_auth_cas to give a handful of users access to a
sensitive site.
Only 4-5 users will have access.

Is there any way I can use something like:

  Authtype CAS Require cas-attribute "username":user1,user2,user3 ?


And what is the attribute name CAS releases for "username"?

/Anders
