{Disarmed} RE: [cas-user] Wrong user authenticated

2020-10-09 Thread 'Duncan Brannen' via CAS Community
 

There’s not a caching proxy in front of your application is there? If so make 
sure caching is switched off, we’ve seen something similar and the cache was 
the problem.

 

Duncan

 

From: 'Richard Frovarp' via CAS Community  
Sent: 08 October 2020 19:04
To: cas-user@apereo.org
Subject: Re: [cas-user] Wrong user authenticated

 

Probably not? That sounds like code that is being hit somewhere that isn't 
thread safe. The built-in LDAP code in CAS should be just fine in that 
respect. Assuming you're using a well supported LDAP server that wouldn't have 
thread issues? I don't know how an HTTP proxy would impact this. I guess the 
question is, do you have any custom code anywhere in the network or login flow?

 

On Thu, 2020-10-08 at 14:59 -0300, Danilo Mendes wrote:

My server is hosted on a vmware4 server and I've followed a lead about entropy 
and noted that /dev/random doesn't play well with VMs. 

 

Do any of you think it could be related? 




-- 

Danilo Mendes

 

 

On Tue, Oct 6, 2020 at 11:06 AM Danilo Mendes <djmen...@gmail.com> wrote:

Hello, 

 

I have a 6.1.7.1 installation authenticating gsuite apps against an LDAP 
directory. It's configured using standalone profile.

Most of the time it works OK, but sometimes when two users try to 
authenticate at the same time it sends wrong responses and User A opens User B's 
account.

Can you help me debug? Or point me in a direction I can follow? 

 

Thank you.

 

 

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/c03472f2-56d5-4357-9af6-94f4f045728fn%40apereo.org.


[cas-user] CAS-management-webapp spring boot/beans version compatibility with mongo/json service registry

2019-03-29 Thread Duncan Brannen
 

Afternoon All,

We're having some issues upgrading from Cas 5.2 to 5.3 (or
6.x) in that while we can get CAS up and running ok, 

as soon as we try to run the management webapp with either mongo or json
service registries then they won't deploy in tomcat.

 

The error in the tomcat logs is

"More than one fragment with the name [spring_web] was found. This is not
legal with relative ordering. See section 8.2.2 2c of the Servlet
specification for details. Consider using absolute ordering."

 

and seems to be due to having 2 copies of spring boot and/or beans
libraries.

 

After 5.3.0-RC4 I can't find any version of the management webapp with the
same boot/beans version pair as any of the CAS mongo/json service registry
plugins.

 

I've tried adding in  to the pom.xml file but still can't seem to
get that compiled war to just have one version of the spring libraries.

 

Strangely, despite not including the mongo dependency, as soon as I create a
management.properties file the cas-management app starts looking for a mongo
database.

(without complaining about spring_web) is this normal?

 

Thanks,

Duncan



RE: [cas-user] CAS Overlay LDAP error code 49

2018-05-28 Thread Duncan Brannen

Hi Alex,
   Error code 49 is wrong username / password.

Can you bind from the command line ok with the DN and password below using 
ldapsearch or similar?

Should it be ou=Users in the DN instead of cn=Users?  The xxx in cn=xxx should 
be your username not your domain name.

Lastly, you’re binding insecurely and sending passwords in plain text.  Does 
your ldap server support that?
You should really be using startTLS or LDAPS if sending passwords about.


Cheers,
Duncan

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of alex
Sent: 28 May 2018 08:37
To: CAS Community 
Subject: [cas-user] CAS Overlay LDAP error code 49

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://ldap.staff.tigerbrokers.com:389
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].baseDn=dc=staff,dc=tigerbrokers,dc=com
cas.authn.ldap[0].searchFilter=sAMAccountName={user}
cas.authn.ldap[0].bindDn=cn=xx,cn=Users,dc=staff,dc=tigerbrokers,dc=com
cas.authn.ldap[0].bindCredential=xx


cn=xx, bindCredential=xx is my ldap domain name and password, not the 
ldap server name and password. Thx!

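
A config check for the point made in the reply above about binding without TLS, as an added example that is not part of the original thread or of CAS itself: it reads CAS LDAP properties and reports which cas.authn.ldap[N] entries would send the bind password in cleartext. The sample properties are constructed with placeholder hosts and DNs; useStartTls is the CAS 5.x StartTLS property, and audit_ldap_transport is a name chosen for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the style of the properties quoted in the thread;
# hosts and DNs are placeholders, not values from the page.
SAMPLE = """\
cas.authn.ldap[0].ldapUrl=ldap://ldap.example.org:389
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].bindDn=cn=svc-cas,ou=Users,dc=example,dc=org
cas.authn.ldap[1].ldapUrl=ldap://ldap.example.org:389
cas.authn.ldap[1].useStartTls=true
cas.authn.ldap[2].ldapUrl=ldaps://ldap.example.org:636
cas.authn.ldap[2].useSsl=true
"""

# Matches cas.authn.ldap[<index>].<key>=<value>; the value may contain '='.
KEY = re.compile(r"^cas\.authn\.ldap\[(\d+)\]\.(\w+)\s*=\s*(.*)$")


def audit_ldap_transport(properties_text):
    """Return {index: 'ldaps' | 'starttls' | 'cleartext'} per LDAP entry."""
    entries = defaultdict(dict)
    for line in properties_text.splitlines():
        match = KEY.match(line.strip())
        if match:
            entries[int(match.group(1))][match.group(2)] = match.group(3).strip()

    result = {}
    for idx, cfg in sorted(entries.items()):
        # ldapUrl may list several URLs separated by whitespace.
        schemes = {urlparse(u).scheme.lower() for u in cfg.get("ldapUrl", "").split()}
        starttls = cfg.get("useStartTls", "false").lower() == "true"
        # Assumption of this example: the URL scheme decides, so useSsl on
        # its own is not taken as proof that the connection is encrypted.
        if schemes and schemes <= {"ldaps"}:
            result[idx] = "ldaps"
        elif starttls:
            result[idx] = "starttls"
        else:
            result[idx] = "cleartext"
    return result


if __name__ == "__main__":
    for index, transport in audit_ldap_transport(SAMPLE).items():
        print(f"cas.authn.ldap[{index}]: {transport}")
```
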


Re: [cas-user] CAS Logging {really log4j2 questions}

2018-04-24 Thread Duncan Brannen
 

Hi All,

    In case anyone else is wondering, it looks like there is a 
default 10MB size on the SizeBasedTriggeringPolicy

(See 
https://github.com/apache/logging-log4j2/blob/master/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/SizeBasedTriggeringPolicy.java
 )

 

Dave, I’ve CC’d you as the instructions at 

https://dacurry-tns.github.io/deploying-apereo-cas/building_server_configure-logging-settings.html

 

will cause loss of data if I’m not mistaken.  Leaving in the 
SizeBasedTriggeringPolicy line will roll the logs at 10MB and combined with the

removal of the -%i from the filepattern =”%d{-MM-dd-HH}-%i.log” line will 
cause logs to be overwritten every 10MB rather than incrementing

a sequence number. Leaving in the -%i seems a nice safety net anyway as if logs 
ever roll unexpectedly you’ll not overwrite anything.

 

 

 

I’ve not found why the TGT’s are not masked when logged to a socket rather than 
a file though. Anyone? We’re running CAS 5.2.3

 

Cheers,

    Duncan

 

 

 

From: <cas-user@apereo.org> on behalf of Duncan Brannen <d...@st-andrews.ac.uk>
Reply-To: <cas-user@apereo.org>
Date: Friday, 20 April 2018 at 09:50
To: "cas-user@apereo.org" <cas-user@apereo.org>
Subject: [cas-user] CAS Logging {really log4j2 questions}

 

 

Morning All,

First, thanks to Dave from the New School for producing the 
deployment guide it was a great help for us migrating

from CAS 3 -> CAS 5 which we’ve recently done.

 

I’ve a couple of issues with logging I wouldn’t mind throwing out here.

 

1/.

 

I set a TimeBasedTriggeringPolicy of a day (via interval of 1 and pattern of 
yyy-MM-dd ) and removed the size=10 MB” from the SizeBasedTriggeringPolicy in 
our

Log4j2.xml file but noticed our logs were rolling still at 10/11MB when we left 
in the  line.  

 

Without it they just roll daily as expected.  I’m not sure if this is something 
unique to us and haven’t found any log4j2 docs that imply there’s a default

if it’s left in without a value.  Can anyone else clarify if the 
SizeBasedTriggeringPolicy should be removed or this is a local issue.

 

2/.

 

I created another Appender and AsyncLogger to send logs to our ELS stack via 
logstash.  Our TGT’s are not being ’d out in those logs.  Given the

below configs, the TGT’s are obfuscated in cas_json.log but not in logstash.  
Is this as expected / do I need to do the obfuscation in logstash?

 

Cheers,

Duncan
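
The overwrite condition described in the reply above (a SizeBasedTriggeringPolicy left in place while the filePattern has no -%i counter) can be checked mechanically. This is an added example, not from the thread or the deployment guide; the Log4j2 configuration is a constructed sample, and audit_rolling and the appender names are made up here.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the setup described in the message;
# appender names and file names are invented for this example.
SAMPLE = """<Configuration>
  <Appenders>
    <RollingFile name="risky" fileName="cas.log"
                 filePattern="cas-%d{yyyy-MM-dd-HH}.log">
      <Policies>
        <SizeBasedTriggeringPolicy/>
        <TimeBasedTriggeringPolicy interval="1"/>
      </Policies>
    </RollingFile>
    <RollingFile name="counter" fileName="audit.log"
                 filePattern="audit-%d{yyyy-MM-dd-HH}-%i.log">
      <Policies>
        <SizeBasedTriggeringPolicy size="10 MB"/>
        <TimeBasedTriggeringPolicy interval="1"/>
      </Policies>
    </RollingFile>
    <RollingFile name="timeonly" fileName="json.log"
                 filePattern="json-%d{yyyy-MM-dd}.log">
      <Policies>
        <TimeBasedTriggeringPolicy interval="1"/>
      </Policies>
    </RollingFile>
  </Appenders>
</Configuration>"""

# Shown when the size attribute is absent; the 10 MB figure is the one
# reported in the message, not something this script measures.
DEFAULT_SIZE = "10 MB (default reported in the message)"


def audit_rolling(xml_text):
    """Return {appender name: finding} for every RollingFile appender."""
    findings = {}
    for app in ET.fromstring(xml_text).iter("RollingFile"):
        name, pattern = app.get("name"), app.get("filePattern", "")
        size_policy = app.find(".//SizeBasedTriggeringPolicy")
        if size_policy is None:
            findings[name] = "ok: no size trigger"
        elif "%i" in pattern:
            findings[name] = "ok: size trigger with %i counter"
        else:
            size = size_policy.get("size") or DEFAULT_SIZE
            findings[name] = f"overwrite risk: rolls at {size} without %i"
    return findings
```
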


[cas-user] CAS Logging {really log4j2 questions}

2018-04-20 Thread Duncan Brannen
 

Morning All,

    First, thanks to Dave from the New School for producing the 
deployment guide it was a great help for us migrating

from CAS 3 -> CAS 5 which we’ve recently done.

 

I’ve a couple of issues with logging I wouldn’t mind throwing out here.

 

1/.

 

I set a TimeBasedTriggeringPolicy of a day (via interval of 1 and pattern of 
yyy-MM-dd ) and removed the size=10 MB” from the SizeBasedTriggeringPolicy in 
our

Log4j2.xml file but noticed our logs were rolling still at 10/11MB when we left 
in the  line.  

 

Without it they just roll daily as expected.  I’m not sure if this is something 
unique to us and haven’t found any log4j2 docs that imply there’s a default

if it’s left in without a value.  Can anyone else clarify if the 
SizeBasedTriggeringPolicy should be removed or this is a local issue.

 

2/.

 

I created another Appender and AsyncLogger to send logs to our ELS stack via 
logstash.  Our TGT’s are not being ’d out in those logs.  Given the

below configs, the TGT’s are obfuscated in cas_json.log but not in logstash.  
Is this as expected / do I need to do the obfuscation in logstash?

 

Cheers,

    Duncan