[cas-user] Re: DynamoDB as Service Registry Storage
CAS Release 5.2.3 did not fix the issues I encounter with services in DynamoDB. I would really like to know if people were able to use it! Le lundi 26 février 2018 16:46:31 UTC-5, Marc Dufour a écrit : > > Hello all, > > We're in the process of migrating our old 3.5.2 CAS setup to a more recent > version (5.2.2) and I'm testing different storage solutions for the service > registry. > > So far, I was not able to use DynamoDB, and was wondering if anyone had > success with it. I'm guessing that it should work, as it is available and > hopefully tested. > > I tried to create the table myself and let CAS-management or CAS create. > It can create it, but I'm not able to insert new services using the web app. > > I then tried to let CAS create the first service from JSON and it throws a > nice error and does not populate the database. > > It looks like that the table created has an numerical Primary key named id > which is not used by the insertion process and DynamoDB does not appreciate > that. Using DynamoDB for ticket registry seems to work fine so far. > > Anyone had success with DynamoDB as storage for service registry or has a > clue on fixing this problem? > > Thanks! > > 2018-02-26 19:19:18,596 ERROR [org.springframework.boot.SpringApplication] > - > org.springframework.beans.factory.BeanCreationException: Error creating > bean with name 'scopedTarget.serviceRegistryInitializer' defined in class > path resource > [org/apereo/cas/config/CasServiceRegistryInitializationConfiguration.class]: > Bean instantiation via factory method failed; nested exception is > org.springframework.beans.BeanInstantiationException: Failed to instantiate > [org.apereo.cas.services.ServiceRegistryInitializer]: Factory method > 'serviceRegistryInitializer' threw exception; nested exception is > com.amazonaws.services.dynamodbv2.model.AmazonDynamoDBException: The > provided key element does not match the schema (Service: AmazonDynamoDBv2; > Status Code: 400; Error Code: ValidationException; Request ID: ---EDITED---) > at > org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:599) > > ~[spring-beans-4.3.12.RELEASE.jar!/:4.3.12.RELEASE] > at > org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1173) > > ~[spring-beans-4.3.12.RELEASE.jar!/:4.3.12.RELEASE] > at > org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1067) > > ~[spring-beans-4.3.12.RELEASE.jar!/:4.3.12.RELEASE] > at > org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:513) > > ~[spring-beans-4.3.12.RELEASE.jar!/:4.3.12.RELEASE] > at > org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:483) > > ~[spring-beans-4.3.12.RELEASE.jar!/:4.3.12.RELEASE] > at > org.springframework.beans.factory.support.AbstractBeanFactory$2.getObject(AbstractBeanFactory.java:345) > > ~[spring-beans-4.3.12.RELEASE.jar!/:4.3.12.RELEASE] > at > org.springframework.cloud.context.scope.GenericScope$BeanLifecycleWrapper.getBean(GenericScope.java:359) > > ~[spring-cloud-context-1.2.4.RELEASE.jar!/:1.2.4.RELEASE] > at > org.springframework.cloud.context.scope.GenericScope.get(GenericScope.java:176) > > ~[spring-cloud-context-1.2.4.RELEASE.jar!/:1.2.4.RELEASE] > at > org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:340) > > ~[spring-beans-4.3.12.RELEASE.jar!/:4.3.12.RELEASE] > at > org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197) > > ~[spring-beans-4.3.12.RELEASE.jar!/:4.3.12.RELEASE] > at > org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1078) > > ~[spring-context-4.3.12.RELEASE.jar!/:4.3.12.RELEASE] > at > org.springframework.cloud.context.scope.refresh.RefreshScope.start(RefreshScope.java:121) > > ~[spring-cloud-context-1.2.4.RELEASE.jar!/:1.2.4.RELEASE] > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > ~[?:1.8.0_151] > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > ~[?:1.8.0_151] > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > ~[?:1.8.0_151] > at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_151] > at > org.springframework.context.event.ApplicationListenerMethodAdapter.doIn
[cas-user] Re: CAS 5.2 LDAP Quert and Output
You can restrict the users able to authenticate with CAS if you have to, I'm just saying that it may not be only way. Your reality is different than mine. As for the attributes: they are passed to the application, or in CAS terminology, the service. principalAttributeList contains the attributes available to CAS to pass to the service. When you create a service, you configure the AttributeReleasePolicy that tells CAS what attributes the application has access to (or released to it, in CAS language). See this https://apereo.github.io/cas/5.2.x/installation/Service-Management.html and this https://apereo.github.io/cas/5.2.x/integration/Attribute-Release.html. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/0e3ced43-bf95-48a2-91bd-de9b2e4f6585%40apereo.org.
[cas-user] Re: CAS 5.2 LDAP Quert and Output
Atlassian has a nice paper on how to write LDAP filters: https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html and should help you if you want to restrict the users able to authenticate with CAS. The way I see this, CAS should authenticate the user (wide open to the users and restricted to authorized apps only), and the application using CAS should authorize the user. That means the logic of who can use what should be in the application and not in CAS. This is why CAS has the possibility to return LDAP attributes to the application: are you a member of so and so groups? Then go ahead and use my application as an admin or as a user with specific roles. This is my point of view and it is based on my experience in my environment. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/87ad1bf3-1224-4b9a-932e-96af24719f39%40apereo.org.
Re: [cas-user] Re: CAS5.2 Connect to LDAP
sn is an attribute in the AD schema used to store the last name of the user. I did a quick search in Google and found this info that could help you: http://www.computerperformance.co.uk/Logon/LDAP_attributes_active_directory.htm -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/5e6694eb-47e6-4c11-a823-742449ba0720%40apereo.org.
[cas-user] Re: CAS 5.2 LDAP Quert and Output
Kevin, Have you tried to add more logs? I added this in my log config file to help debug my LDAP problems: As for the OU membership, maybe you could add that to the user filter. Le mardi 27 février 2018 11:11:12 UTC-5, Kevin Liu a écrit : > > Hello All, > > Is there a way to see the response that CAS gets back from LDAP? Also is > there a tutorial anywhere for specific LDAP queries from CAS? For example, > if I need to check to see if a member is part of a specific OU? > > Thanks, > Kevin > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b2ac6c4e-dde6-4215-9c34-0860bca41197%40apereo.org.
Re: [cas-user] Re: CAS5.2 Connect to LDAP
I only need these attributes, so I limit the size of what it returned.
As for the bindDN, it is a regular Domain user, not an admin. It should
only need read access to Active Directory.
Le mardi 27 février 2018 10:52:52 UTC-5, Kevin Liu a écrit :
>
> Marc, what is the sn,givenName,memberOf,cn? Rather what is the
> principalAttributeList?
> For your bindDN and bindCredentials, are you using an authenticating admin
> account or the user who's trying to get in?
>
> On Tuesday, February 27, 2018 at 7:54:08 AM UTC-6, Marc Dufour wrote:
>>
>>
>> Kevin, here are the properties that are working for me.
>>
>> cas.authn.ldap[0].order=0
>> cas.authn.ldap[0].name=AD
>> cas.authn.ldap[0].type=AUTHENTICATED
>> cas.authn.ldap[0].ldapUrl=ldaps://servername:3269
>> cas.authn.ldap[0].useSsl=true
>> cas.authn.ldap[0].connectTimeout=5000
>> cas.authn.ldap[0].baseDn=dc=DOMAIN,dc=TLD
>> cas.authn.ldap[0].userFilter=(userPrincipalName={user})
>> cas.authn.ldap[0].subtreeSearch=true
>> cas.authn.ldap[0].principalAttributeList=sn,givenName,memberOf,cn
>> cas.authn.ldap[0].bindDn=DN of user
>> cas.authn.ldap[0].bindCredential=Password
>>
>> Le lundi 26 février 2018 17:41:37 UTC-5, Kevin Liu a écrit :
>>>
>>> So I've included an extra ldap index to get around multiple OUs. I can
>>> now authenticate users but only with their full name and not their
>>> sAMAccountName. For example, on the cas login screen, if I put my
>>> sAMAccountName kliu as the username and the associated password, I get
>>> denied but if I put Kevin Liu I can login. It doesn't seem like
>>> userFilter=sAMAccountName={name} get used as my sAMAccountName is kliu.
>>> Maybe I don't understand userFilter completely.
>>>
>>> Marc, what other properties did you have to add to cas.properties. Your
>>> situation sounds very similar to mine.
>>>
>>>
>>>
>>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d8a96be7-ab97-4eb4-80fe-6ca8d6cf%40apereo.org.
Re: [cas-user] Re: CAS5.2 Connect to LDAP
Kevin, here are the properties that are working for me.
cas.authn.ldap[0].order=0
cas.authn.ldap[0].name=AD
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://servername:3269
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].baseDn=dc=DOMAIN,dc=TLD
cas.authn.ldap[0].userFilter=(userPrincipalName={user})
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].principalAttributeList=sn,givenName,memberOf,cn
cas.authn.ldap[0].bindDn=DN of user
cas.authn.ldap[0].bindCredential=Password
Le lundi 26 février 2018 17:41:37 UTC-5, Kevin Liu a écrit :
>
> So I've included an extra ldap index to get around multiple OUs. I can now
> authenticate users but only with their full name and not their
> sAMAccountName. For example, on the cas login screen, if I put my
> sAMAccountName kliu as the username and the associated password, I get
> denied but if I put Kevin Liu I can login. It doesn't seem like
> userFilter=sAMAccountName={name} get used as my sAMAccountName is kliu.
> Maybe I don't understand userFilter completely.
>
> Marc, what other properties did you have to add to cas.properties. Your
> situation sounds very similar to mine.
>
>
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/8c9d342c-3ea9-4eb7-a743-5d107c1948b9%40apereo.org.
Re: [cas-user] Re: CAS5.2 Connect to LDAP
Since my DN is not fixed as I authenticate users at the Forest level, I
could not use AD and used AUTHENTICATED instead, and
used cas.authn.ldap[0].userFilter=(userPrincipalName={user}) as filter,
with subtreeSearch set to true, and was able to authenticate on two
different domains (but this is our setup, you should use sAMAccountName if
this is what you need).
Le lundi 26 février 2018 16:43:45 UTC-5, Kevin Liu a écrit :
>
> Okay so I've changed my cas.properties to reflect what you're saying.
>
> I'm getting an error which requires me to input an dnFormat. Fair enough
> but looking at your documentation, it says to put %s which will get the
> username entered into the query. Does this mean that in your AD, your CN
> and sAMAccountName are the same? If so, I don't understand why it would be
> neccessary to put a userFilter because otherwise you would be verifying
> twice right? Once via dNFormat and then again with the userFilter. Sorry if
> I'm just being dumb and not seeing things.
>
> On Monday, February 26, 2018 at 3:28:48 PM UTC-6, David Curry wrote:
>>
>> Correct. If you're using the AD type, you should be using
>>
>> cas.authn.ldap[0].userFilter: sAMAccountName={user}
>>
>> Putting "anything" in the username field and getting authenticated
>> doesn't sound right.
>>
>> But if you're using AD and dnFormat, I'm almost positive that you DO NOT
>> want to have a "bindDn" or "bindCredential" in there. Those are for the
>> AUTHENTICATED (and other) types, not for the AD type.
>>
>> --Dave
>>
>>
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR OF INFORMATION SECURITY*
>> INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>>
>> [image: The New School]
>>
>> On Mon, Feb 26, 2018 at 4:14 PM, Kevin Liu wrote:
>>
>>> No worries! Reading the documents again, it looks like I may confused a
>>> couple of things.
>>> AD Acive Directory - Users authenticate with sAMAccountName typically
>>> using a DN format.
>>> It says that it authenticates using the sAMAccountName which should get
>>> passed in if we use cas.authn.ldap[0].userFilter=sAMAccountName={user}
>>> correct?
>>> Right now, I can put anything in the username field and it gets
>>> authenticated. That can't be right?
>>>
>>> On Monday, February 26, 2018 at 3:11:51 PM UTC-6, David Curry wrote:
Sorry, I don't. But some other folks on the list have been doing other
kinds of logins, so maybe they do.
--
DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY
71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu
[image: The New School]
On Mon, Feb 26, 2018 at 3:54 PM, Kevin Liu wrote:
> Thanks, got it working!
>
> I hope you don't mind me picking your brain a little further. Do you
> have any experience with principalAttributeId fields? I'm wondering if I
> can first bind to LDAP, and then use username and password to
> authenticate
> instead and it looks like principalAttribute fields might be it.
>
> On Monday, February 26, 2018 at 2:36:13 PM UTC-6, David Curry wrote:
>>
>> I haven't tried it myself, but you ought to be able to put
>> cas.log.level back to "warn" and then add something like
>>
>> > includeLocation="true"/>
>>
>>
>> in the section (down around line 61). See the comment
>> right there in the file for a little more info.
>>
>> --Dave
>>
>>
>>
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR OF INFORMATION SECURITY*
>> INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>>
>> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>>
>> [image: The New School]
>>
>> On Mon, Feb 26, 2018 at 3:23 PM, Kevin Liu
>> wrote:
>>
>>> I'm messing with the logger. Is it possible to have just LDAP debug
>>> codes output? If so, how? Cause I can't seem to be able to shut off the
>>> others without shutting off debug all together.
>>>
>>> On Monday, February 26, 2018 at 11:53:16 AM UTC-6, David Curry wrote:
Well, you can start with log4j2.xml, and change
warn
to
debug
which will give you a lot of detail (all in cas.log) about what's
going on. If that doesn't give you want you want, you can also (or
instead)
change
to
to get debugging from the LDAP
[cas-user] DynamoDB as Service Registry Storage
Hello all, We're in the process of migrating our old 3.5.2 CAS setup to a more recent version (5.2.2) and I'm testing different storage solutions for the service registry. So far, I was not able to use DynamoDB, and was wondering if anyone had success with it. I'm guessing that it should work, as it is available and hopefully tested. I tried to create the table myself and let CAS-management or CAS create. It can create it, but I'm not able to insert new services using the web app. I then tried to let CAS create the first service from JSON and it throws a nice error and does not populate the database. It looks like that the table created has an numerical Primary key named id which is not used by the insertion process and DynamoDB does not appreciate that. Using DynamoDB for ticket registry seems to work fine so far. Anyone had success with DynamoDB as storage for service registry or has a clue on fixing this problem? Thanks! 2018-02-26 19:19:18,596 ERROR [org.springframework.boot.SpringApplication] - org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'scopedTarget.serviceRegistryInitializer' defined in class path resource [org/apereo/cas/config/CasServiceRegistryInitializationConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apereo.cas.services.ServiceRegistryInitializer]: Factory method 'serviceRegistryInitializer' threw exception; nested exception is com.amazonaws.services.dynamodbv2.model.AmazonDynamoDBException: The provided key element does not match the schema (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: ValidationException; Request ID: ---EDITED---) at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:599) ~[spring-beans-4.3.12.RELEASE.jar!/:4.3.12.RELEASE] at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1173) ~[spring-beans-4.3.12.RELEASE.jar!/:4.3.12.RELEASE] at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1067) ~[spring-beans-4.3.12.RELEASE.jar!/:4.3.12.RELEASE] at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:513) ~[spring-beans-4.3.12.RELEASE.jar!/:4.3.12.RELEASE] at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:483) ~[spring-beans-4.3.12.RELEASE.jar!/:4.3.12.RELEASE] at org.springframework.beans.factory.support.AbstractBeanFactory$2.getObject(AbstractBeanFactory.java:345) ~[spring-beans-4.3.12.RELEASE.jar!/:4.3.12.RELEASE] at org.springframework.cloud.context.scope.GenericScope$BeanLifecycleWrapper.getBean(GenericScope.java:359) ~[spring-cloud-context-1.2.4.RELEASE.jar!/:1.2.4.RELEASE] at org.springframework.cloud.context.scope.GenericScope.get(GenericScope.java:176) ~[spring-cloud-context-1.2.4.RELEASE.jar!/:1.2.4.RELEASE] at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:340) ~[spring-beans-4.3.12.RELEASE.jar!/:4.3.12.RELEASE] at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197) ~[spring-beans-4.3.12.RELEASE.jar!/:4.3.12.RELEASE] at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1078) ~[spring-context-4.3.12.RELEASE.jar!/:4.3.12.RELEASE] at org.springframework.cloud.context.scope.refresh.RefreshScope.start(RefreshScope.java:121) ~[spring-cloud-context-1.2.4.RELEASE.jar!/:1.2.4.RELEASE] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_151] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_151] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_151] at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_151] at org.springframework.context.event.ApplicationListenerMethodAdapter.doInvoke(ApplicationListenerMethodAdapter.java:256) ~[spring-context-4.3.12.RELEASE.jar!/:4.3.12.RELEASE] at org.springframework.context.event.ApplicationListenerMethodAdapter.processEvent(ApplicationListenerMethodAdapter.java:177) ~[spring-context-4.3.12.RELEASE.jar!/:4.3.12.RELEASE] at org.springframework.context.event.ApplicationListenerMethodAdapter.onApplicationEvent(ApplicationListenerMethodAdapter.java:140) ~[spring-context-4.3.12.RELEASE.jar!/:4.3.12.RELEASE] at org.springframework.context.event.SimpleApplicationEventMulticaster.doInvokeListener(SimpleApplicationEventMulticaster.java:172) ~[spring-context-4.3.12.RELEASE.jar!/:4.3.12.RELEASE] at
