Re: [cas-user] CAS 5: Changing the principal resolver in application.properties

2016-10-18 Thread Erdal Gunyar
Thanks, I think I see the logic better; but I've just tried, and if I 
comment out the attribute part of the LDAP authentication, it fails to 
authenticate:

> 2016-10-18 16:27:33,579 DEBUG 
> [org.apereo.cas.authentication.LdapAuthenticationHandler] -  LDAP authentication for egunyar>
> 2016-10-18 16:27:33,607 DEBUG 
> [org.apereo.cas.authentication.LdapAuthenticationHandler] -  [org.ldaptive.auth.AuthenticationResponse@2012506855::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS,
>  
> resolvedDn=egunyar@COMPANY.LOCAL, ldapEntry=[dn=CN=GUNYAR 
> Erdal,OU=France,OU=COMPANY Users,DC=COMPANY,DC=LOCAL[[displayName[GUNYAR 
> Erdal]], [cn[GUNYAR Erdal]]], responseControls=null, messageId=-1], 
> accountState=null, result=true, resultCode=SUCCESS, message=null, 
> controls=null]>
> 2016-10-18 16:27:33,611 DEBUG 
> [org.apereo.cas.authentication.LdapAuthenticationHandler] -  password policy to 
> [org.ldaptive.auth.AuthenticationResponse@2012506855::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS,
>  
> resolvedDn=egunyar@COMPANY.LOCAL, ldapEntry=[dn=CN=GUNYAR 
> Erdal,OU=France,OU=COMPANY Users,DC=COMPANY,DC=LOCAL[[displayName[GUNYAR 
> Erdal]], [cn[GUNYAR Erdal]]], responseControls=null, messageId=-1], 
> accountState=null, result=true, resultCode=SUCCESS, message=null, 
> controls=null]>
> 2016-10-18 16:27:33,612 DEBUG 
> [org.apereo.cas.authentication.support.DefaultAccountStateHandler] - 
> 
> 2016-10-18 16:27:33,613 DEBUG 
> [org.apereo.cas.authentication.LdapAuthenticationHandler] -  returned as result. Creating the final LDAP principal>
> 2016-10-18 16:27:33,614 DEBUG 
> [org.apereo.cas.authentication.LdapAuthenticationHandler] -  principal for egunyar based on CN=GUNYAR Erdal,OU=France,OU=COMPANY 
> Users,DC=COMPANY,DC=LOCAL>
> 2016-10-18 16:27:33,615 ERROR 
> [org.apereo.cas.authentication.LdapAuthenticationHandler] -  id attribute uid is not found. CAS cannot construct the final authenticated 
> principal if it's unable to locate the attribute that is designated as the 
> principal id. Attributes available are [[displayName[GUNYAR Erdal]], 
> [cn[GUNYAR Erdal]]]>
> 2016-10-18 16:27:33,618 INFO 
> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
> 
> 2016-10-18 16:27:33,618 DEBUG 
> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
>  egunyar>
> 2016-10-18 16:27:33,620 WARN 
> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
>  authentication handler that supports [egunyar] of type 
> [UsernamePasswordCredential], which suggests a configuration problem.>
> 2016-10-18 16:27:33,622 DEBUG 
> [org.apereo.cas.audit.spi.ThreadLocalPrincipalResolver] -  principal at audit point [execution(Authentication 
> org.apereo.cas.authentication.AbstractAuthenticationManager.authenticate(AuthenticationTransaction))]
>  
> with thrown exception 
> [org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 
> successes]>


The configuration being:

cas.authn.ldap[0].* ... 

# Except those which are commented:

# cas.authn.ldap[0].principalAttributeId=sAMAccountName
# cas.authn.ldap[0].principalAttributePassword=
# cas.authn.ldap[0].principalAttributeList=


cas.personDirectory.principalAttribute=sAMAccountName
cas.personDirectory.returnNull=false

cas.authn.attributeRepository.attributes.uid=sAMAccountName
cas.authn.attributeRepository.attributes.displayName=displayName
cas.authn.attributeRepository.attributes.cn=cn
cas.authn.attributeRepository.attributes.affiliation=department


cas.authn.attributeRepository.jdbc.* ...



Note that if I put back principalAttributeId, then the resolver will be the 
default LDAP stuff like the previous posts.

What could I be doing wrong? :/
Maybe in the way I try to nuke the default LDAP resolver?

Erdal.


Le mardi 18 octobre 2016 14:06:01 UTC+2, Misagh Moayyed a écrit :
>
> As I said earlier, this works for the LDAP attributes but doesn't merge 
> with the JDBC ones (no query sent).
>
> See this section: 
> https://apereo.github.io/cas/development/installation/Configuration-Properties.html#authentication-attributes
>  
>
> > If no other attribute source is defined and if attributes are not 
> retrieved as part of primary authentication via LDAP….
>
> You are doing that; which is that you are getting attributes from LDAP as 
> part of authn. When you do, CAS disables external principal resolvers 
> because it is taught that attributes come from ldap directly. If you wish 
> to merge multiple sources, you need to disable that part and nuke out the 
> attributes and define attribute repository sources for each source via the 
> properties. That will activate merging.
>
> I can open an issue, I don't know what's the best process.
>
> https://github.com/apereo/cas/issues 
>
> Might be worth introducing flexibility into the configuration to allow 
> what you have defined. 
>
>
>

-- 
CAS gitter chatroom: https://gitter.im/apereo/cas
CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
CAS 
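
The ERROR record in the log above names the attribute CAS looked for as the principal id and the attributes the LDAP entry actually carried. As an added example (not part of the original thread and not CAS project code), this script undoes the archive's ">" quoting and line wrapping and extracts both; the message patterns are assumed from the log lines shown in the post, and SAMPLE is copied from them.

```python
import re

# Sample input: two records from the post above, still ">"-quoted and wrapped
# exactly as the mailing-list archive shows them.
SAMPLE = """\
> 2016-10-18 16:27:33,614 DEBUG 
> [org.apereo.cas.authentication.LdapAuthenticationHandler] -  principal for egunyar based on CN=GUNYAR Erdal,OU=France,OU=COMPANY 
> Users,DC=COMPANY,DC=LOCAL>
> 2016-10-18 16:27:33,615 ERROR 
> [org.apereo.cas.authentication.LdapAuthenticationHandler] -  id attribute uid is not found. CAS cannot construct the final authenticated 
> principal if it's unable to locate the attribute that is designated as the 
> principal id. Attributes available are [[displayName[GUNYAR Erdal]], 
> [cn[GUNYAR Erdal]]]>
"""

# Patterns assumed from the log lines in the post, not from CAS documentation.
TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} (\w+)")
MISSING = re.compile(r"id attribute (\S+) is not found")
AVAILABLE = re.compile(r"Attributes available are (\[.*\])")
ATTR_NAME = re.compile(r"\[(\w[\w;-]*)\[")


def records(text):
    """Strip '>' quoting, rejoin wrapped lines, yield (level, message)."""
    level, parts = None, []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if not line:
            continue
        m = TS.match(line)
        if m:
            # A timestamp starts a new record; flush the previous one.
            if level:
                yield level, " ".join(p for p in parts if p)
            level, parts = m.group(1), [line[m.end():].strip()]
        elif level:
            parts.append(line)
    if level:
        yield level, " ".join(p for p in parts if p)


def diagnose(text):
    """Return one finding per ERROR record that reports a missing principal id."""
    findings = []
    for level, message in records(text):
        missing = MISSING.search(message)
        if level != "ERROR" or not missing:
            continue
        available = AVAILABLE.search(message)
        names = ATTR_NAME.findall(available.group(1)) if available else []
        findings.append({"missing": missing.group(1), "available": names})
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE):
        print("principal id attribute wanted:", f["missing"])
        print("attributes returned by LDAP: ", ", ".join(f["available"]) or "(none)")
```

For the log in the post, the handler looked for `uid` while the entry returned only `displayName` and `cn`.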

[cas-user] Cannot launch anymore CAS 5.0.0-RC4-SNAPSHOT

2016-10-24 Thread Erdal Gunyar
Hi guys!
Did I miss something this weekend? :) I'm not able to launch CAS 
server anymore after having updated the RC4 Snap.

I'm getting:

> 2016-10-24 12:09:51,542 ERROR 
> [org.springframework.boot.context.embedded.tomcat.TomcatStarter] -  starting Tomcat context. Exception: 
> org.springframework.beans.factory.UnsatisfiedDependencyException. Message: 
> Error creating bean with name 'casWebAppConfiguration': Unsatisfied 
> dependency expressed through field 'messageInterpolator'; nested exception 
> is org.springframework.beans.factory.BeanCreationException: Error creating 
> bean with name 'messageInterpolator' defined in class path resource 
> [org/apereo/cas/config/CasCoreUtilConfiguration.class]: Bean instantiation 
> via factory method failed; nested exception is 
> org.springframework.beans.BeanInstantiationException: Failed to instantiate 
> [javax.validation.MessageInterpolator]: Factory method 
> 'messageInterpolator' threw exception; nested exception is 
> java.util.ServiceConfigurationError: 
> javax.validation.spi.ValidationProvider: Error reading configuration file>
> 2016-10-24 12:09:51,636 WARN 
> [org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext]
>  
> -  attempt: org.springframework.context.ApplicationContextException: Unable to 
> start embedded container; nested exception is 
> org.springframework.boot.context.embedded.EmbeddedServletContainerException: 
> Unable to start embedded Tomcat>


Does anyone have an idea?

Cheers,

Erdal.

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/aa4a50cd-5313-4adc-8d58-68b1efbefde3%40apereo.org.


[cas-user] Re: CAS 5.0.0.RC3 - How to configure the delegation to another CAS server?

2016-10-24 Thread Erdal Gunyar
Hi,

I didn't get your use case at all, but to quickly answer your questions:
- Configure: CAS 5 is basically "all by configuration":
https://apereo.github.io/cas/development/installation/Configuration-Properties.html

- Branding: use overlay mechanisms to make your own UI:
https://apereo.github.io/cas/development/installation/Maven-Overlay-Installation.html

Cheers,

Erdal.


Le samedi 22 octobre 2016 20:55:52 UTC+2, Lewis Henderson a écrit :
>
> All,
>
> I have a requirement to 'chain' two CAS servers.
>
> My issue is that I am integrating with a third party that use a CAS server 
> that I have no control over.
>
> I would like to use CAS as the security server into an OAuth2 
> micro-service network (CAS as OAuth2 Server) but redirect login to the 3rd 
> Party CAS server.
>
> I have looked through the code and it seems as though if I manage to get 
> it configured, it will show my login screen but with a link to the 
> configured delegate server.
>
> Two questions :-
>
>
>1. How do I configure this on my CAS server?
>2. If there is only one provider, would it be possible to redirect 
>there directly, showing their login screen without the need to show mine? 
>The reason for this is that theirs is branded with their logos etc...
>
>
> Cheers
>
>
>



[cas-user] CAS 5.0.0 RC4-SNAPSHOT - Customize JBDC query with more than the username

2016-10-21 Thread Erdal Gunyar
Hi all,

Does anyone know if it is possible to customize the query of either the
JDBC authentication or the JDBC attribute repository with the callback URL?

The idea behind being to return different result depending on the site
which called CAS server.

I didn't see anything related to that, so maybe it's far from a best
practice...

Thanks,

*Erdal.*



[cas-user] CAS 5 - Is it possible to disable http (leaving only SSL) in the embedded tomcat?

2016-11-23 Thread Erdal Gunyar
Hello all!

The question is quite simple: is it possible to disable http (leaving only 
SSL) in the embedded tomcat?

Like for the AJP mode, I've tried (never know): server.http.enabled=false
But nothing changed.

Does someone have any hint?


Thanks,

Erdal.



[cas-user] Re: CAS 5 - Is it possible to disable http (leaving only SSL) in the embedded tomcat?

2016-11-23 Thread Erdal Gunyar
More precision:

Actually all I have for the server is:
server.name=https://domain.com
server.port=443
server.context-path=/cas

And it still opens http on 8080 (looks like the default value).

By the way, removing context path value or putting "/" in it will break the 
start up but that's another story :)

Erdal.

Le mercredi 23 novembre 2016 16:12:28 UTC+1, Erdal Gunyar a écrit :
>
> Hello all!
>
> The question is quite simple: is it possible to disable http (leaving only 
> SSL) in the embedded tomcat?
>
> Like for the AJP mode, I've tried (never know): server.http.enabled=false
> But nothing changed.
>
> Does someone have any hint?
>
>
> Thanks,
>
> Erdal.
>
>



[cas-user] CAS 5 - Embedded Tomcat's cache size?

2016-11-24 Thread Erdal Gunyar
Hello all,

I keep getting WARNs from Catalina saying that cache is not sufficient (you 
all must get that if you're using embedded Tomcat 8 w/ catalina logs set 
higher than OFF level in log4j).
I'm wondering in my case if that's not a cause of why CAS server is quite 
slow.

Does someone know how to increase this cache?

Like the first answer here (for an external Tomcat):
http://stackoverflow.com/questions/26893297/tomcat-8-throwing-org-apache-catalina-webresources-cache-getresource-unable-to

Cheers,


Erdal.



Re: [cas-user] CAS 5 - Is it possible to disable http (leaving only SSL) in the embedded tomcat?

2016-11-24 Thread Erdal Gunyar
Hello Misagh!

I did indeed read this part too quickly; when I read "AJP" I thought all 
settings there were about AJP connection ^^

Thank you!

Erdal.


Le mercredi 23 novembre 2016 17:05:03 UTC+1, Misagh Moayyed a écrit :
>
> The answer is also quite simple. Wrong setting.
>
>
> https://apereo.github.io/cas/5.0.x/installation/Configuration-Properties.html#embedded-tomcat-httpajp
>  
>
>  
>
> --Misagh
>
>  
>
> *From:* cas-...@apereo.org  [mailto:cas-...@apereo.org 
> ] *On Behalf Of *Erdal Gunyar
> *Sent:* Wednesday, November 23, 2016 8:12 AM
> *To:* CAS Community <cas-...@apereo.org >
> *Subject:* [cas-user] CAS 5 - Is it possible to disable http (leaving 
> only SSL) in the embedded tomcat?
>
>  
>
> Hello all!
>
>  
>
> The question is quite simple: is it possible to disable http (leaving only 
> SSL) in the embedded tomcat?
>
>  
>
> Like for the AJP mode, I've tried (never know): 
> *server.http.enabled=false*
>
> But nothing changed.
>
>  
>
> Does someone have any hint?
>
>  
>
>  
>
> Thanks,
>
>  
>
> Erdal.
>
>  
>
>



Re: [cas-user] What are the exact steps to configure CAS 5.0.0 RC1 to use LDAP?

2016-10-11 Thread Erdal Gunyar
I don't know where you got the path at the end of:
cas.authn.ldap[0].ldapUrl=ldap://ldapserver.company.com:389/*dc=company,dc=com*


But that saved me from hours of Google digging!
Thanks a lot! :)

Erdal.


Le mercredi 24 août 2016 08:02:23 UTC+2, Sascha Müller a écrit :
>
> Ok. So here's a full rundown of what I've done so far including config 
> files and log. Hope that helps.
>
> First of all I've cloned the repository of the CAS war overlay and 
> switched to branch 5.0. Then I've generated a certificate (thekeystore) and 
> put it into '/etc/cas/'. When I run cas, https seems to be working fine.
> Next I changed the cas.properties to
>
> cas.server.name=https://localhost:8443
>> cas.server.prefix=https://localhost:8443/cas
>
> cas.adminPagesSecurity.ip=127\.0\.0\.1
>> logging.config=file:/etc/cas/config/log4j2.xml
>> # cas.serviceRegistry.config.location: classpath:/services
>> cas.authn.accept.users= 
>
> ### LDAP settings ###
>> cas.authn.ldap[0].useSsl=false
>> cas.authn.ldap[0].useStartTls=false
>> cas.authn.ldap[0].ldapUrl=ldap://ldapserver.company.com:389/dc=company,dc=com
>> cas.authn.ldap[0].dnFormat=uid=%s,ou=Users,dc=company,dc=com
>> cas.authn.ldap[0].baseDn=dc=company,dc=com
>> cas.authn.ldap[0].connectTimeout=5000
>> cas.authn.ldap[0].principalAttributeId=uid
>> cas.authn.ldap[0].principalAttributePassword=
>> cas.authn.ldap[0].minPoolSize=3
>> cas.authn.ldap[0].maxPoolSize=10
>> cas.authn.ldap[0].validateOnCheckout=true
>> cas.authn.ldap[0].validatePeriodically=true
>> cas.authn.ldap[0].validatePeriod=600
>> cas.authn.ldap[0].failFast=true
>> cas.authn.ldap[0].idleTime=5000
>> cas.authn.ldap[0].prunePeriod=5000
>> cas.authn.ldap[0].blockWaitTime=5000
>
>  
> I got assured by our systems department, that these settings should be ok. 
> I did not touch 'application.yml' or any other file (except the pom.xml, 
> which I attached alongside the cas.log).
>
> Now, when I run "./build.sh clean package" & "./build.sh run" the server 
> starts up, but login fails with the message
>
> 2016-08-24 07:47:01,453 WARN 
>> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
>> > authentication handler that supports [sam] of type 
>> [UsernamePasswordCredential], which suggests a configuration problem.>
>>
>
> If you need anything else, please let me know.
>
> Thanks in advance.
>
>  
>
> Am Mittwoch, 24. August 2016 06:00:37 UTC+2 schrieb Misagh Moayyed:
>>
>> Without knowing what you have so far, it’s very difficult to say. Either 
>> you have misplaced the configuration, or you have misdefined the property 
>> keys.
>>
>> -- 
>> Misagh
>>
>> From: Sascha Müller 
>> Reply: Sascha Müller 
>> Date: August 23, 2016 at 7:59:31 AM
>> To: CAS Community 
>> Subject:  [cas-user] What are the exact steps to configure CAS 5.0.0 RC1 
>> to use LDAP? 
>>
>> Hey everybody, 
>>
>> I tried to configure LDAP login through CAS 5.0.0 RC1 for more or less 4 
>> days now.
>> As far as I understand the documentation, all I have to do is:
>>
>>
>>- add the dependency *cas-server-support-ldap* to my pom.xml and
>>- configure ldap support via cas.properties (like url, baseDn etc.).
>>
>>
>> But when I try to login, I get the following message on the console:
>>
>> Cannot find authentication handler that supports [username] of type 
>>> [UsernamePasswordCredential], which suggests a configuration problem.
>>>
>>
>>  
>> I get the strong feeling I'm missing something really important here...


[cas-user] CAS 5.0.0-RC3 - AttributeDao using applications.properties

2016-10-17 Thread Erdal Gunyar
Hello all,

I'm trying to implement a mergingPersonAttributeDao but CAS-5-like using 
applications.properties (like the default LDAP or JDBC dao) rather than 
describing fully the Daos.

Something like:























(Final goal as you should have guessed, is to add new attributes coming 
from an SQL DB on top of LDAP attributes given by the authentication 
handler).

Do you know if it is possible?

Looks like I'm missing something... I'm wondering if I'm even on the good 
way to do it ^^

Thanks.
