Re: [cas-user] CAS 6.6.12 LDAP error messages

2024-02-15 Thread Daniel Fisher
ction by doing a BIND on it? > The passivator is not designed to solve the issue you're having. It is meant to solve the problem where connections cannot be validated because the entry they are bound as is not authorized to perform the validation operation. --Daniel Fisher -- - Website: http

Re: [cas-user] CAS 6.6.8 - Authenticate using AD

2023-06-16 Thread Daniel Fisher
tionValidator=null, transportOptions={}], > channel=[id: 0x560c13d8, L:/127.0.0.1:64781 - > R:localhost/127.0.0.1:389]> > Any localhost firewall rules that may be causing problems? What do the AD logs say? --Daniel Fish

Re: [cas-user] CAS 6.6.3 - LDAPS

2023-03-29 Thread Daniel Fisher
authn.ldap[0].ldapUrl=ldaps://VDC.FQDN:636 > #cas.authn.ldap[0].startTLS=true > > The keystore properties are used to configure authentication credentials. To configure trust anchors you can use: cas.authn.ldap[0].trust-store= cas.authn.ldap[0].trust-store-password= cas.authn.ldap[0].trus

Re: [cas-user] Deprecated LDAP settings in 6.6.2

2022-11-17 Thread Daniel Fisher
On Thu, Nov 17, 2022 at 10:16 AM BenDDD wrote: > > But if I enable it, the service no longer starts: > LDAPS and startTLS are mutually exclusive. Either use a URL with ldaps:// or use ldap:// and set use-start-tls=true. --Daniel Fisher

Re: [cas-user] CAS 6.1.7 attribute for person A released during Person B login

2022-10-18 Thread Daniel Fisher
n DEBUG to confirm the LDAP search results are what you expect. --Daniel Fisher

Re: [cas-user] CAS LDAP authentication with OpenLDAP aliases?

2022-05-19 Thread Daniel Fisher
department,o=myorg". >4. CAS attempts a BIND against this DN with the provided password. > > It sounds like you need to set derefAliases to something other than the default (NEVER). https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties-Common.html#ldap-authenticat

Re: [cas-user] LDAP connection/pool configuration

2022-01-06 Thread Daniel Fisher
tion > I can't say exactly because there are logs missing between 12:02 and 12:12, but my best guess is that your validation search is timing out. It must return within 5 seconds or the validation would fail in this manner. Check your LDAP server logs for a rootDSE search for (objectClass=*). You m

Re: [cas-user] Re: CAS 6.4 / Netty errors

2022-01-06 Thread Daniel Fisher
n in > error). > > The problem is with the class netty-transport-4.1.65.Final.jar. When I > remove it, it's working. > Can you confirm whether you have conflicting netty jars in your classpath? --Daniel Fisher

Re: [cas-user] LDAP connection/pool configuration

2022-01-05 Thread Daniel Fisher
and you should see why connection validation failed. You're likely correct that you need to configure a bind connection passivator. --Daniel Fisher

Re: [cas-user] Ldap AbstractConnectionPool failed validation

2021-08-25 Thread Daniel Fisher
LDAP logs to confirm. --Daniel Fisher

Re: [cas-user] CAS memory leak issue in Production : CAS 6.3.2

2021-05-05 Thread Daniel Fisher
ctory as part of the bean's initialization. Otherwise you should change searchFactory to be a local variable. (It will be fairly inefficient to create a pooled connection factory for each search operation.) --Daniel Fisher

Re: [cas-user] Re: CAS connect active directory

2020-12-17 Thread Daniel Fisher
> > Yes. Try removing the double quotes from the bind-credential property. --Daniel Fisher

Re: [cas-user] LDAP DN Value from LDAP

2020-12-01 Thread Daniel Fisher
ver I'm unable to get the DN of the > user's LDAP entry to resolve. > I'm not too familiar with CAS configuration, but you want to enable the DN_ATTRIBUTE_ENTRY handler: https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#ldap-search-entry-handlers --Daniel F

Re: [cas-user] CAS Management + LDAP roles

2020-08-18 Thread Daniel Fisher
a member of this groupOfMember > Can you put org.ldaptive in DEBUG to confirm the groupOfMember query is happening? --Daniel Fisher

Re: [cas-user] CAS 5.2/5.3 cas.util.LdapUtils try connect to localhost for LDAP

2020-07-30 Thread Daniel Fisher
On Thu, Jul 30, 2020 at 3:23 AM mohsen saeedi wrote: > Jul 30 11:24:40 SSO1 server[4213]: 2020-07-30 11:24:40,315 ERROR > [org.ldaptive.pool.BlockingConnectionPool] > What error is reported here? --Daniel Fisher

Re: [cas-user] Account get locked in first failed login attempt

2020-05-22 Thread Daniel Fisher
e using the same BIND. > In the absence of logs I really can't make a suggestion. Continue watching the other thread and hopefully Eric will hit on a solution. --Daniel Fisher

Re: [cas-user] Passivators and Connection Strategy 6.1.6

2020-05-22 Thread Daniel Fisher
lated. And notably, they are more than 15 minutes apart in the logs. --Daniel Fisher

Re: [cas-user] Passivators and Connection Strategy 6.1.6

2020-05-22 Thread Daniel Fisher
r, data 52e, v4563 > ^@', ldapSDKVersion=4.0.12, > revision=aaefc59e0e6d110bf3a8e8a029adb776f6d2ce28 > Can you confirm the bind credentials work against all 4 directories? --Daniel Fisher

Re: [cas-user] Account get locked in first failed login attempt

2020-05-20 Thread Daniel Fisher
. During unsuccessful login, bind will happen on both > simultaneously, which will result in account lock. > Can you post the CAS logs that show simultaneous binds? --Daniel Fisher

Re: [cas-user] Passivators and Connection Strategy 6.1.6

2020-05-18 Thread Daniel Fisher
ion is returned to the pool. The connection strategy defines how multiple URLs should be handled when a connection is opened. What do your logs say when the domain controller is rebooted? --Daniel Fisher

Re: [cas-user] LDAP timeouts after Java upgrade

2020-05-15 Thread Daniel Fisher
t still shows > the three connections to ldap, so the OS still thinks the connections > exist. > More evidence that you have a half-open connection. What does netstat on your directory report? --Daniel Fisher

Re: [cas-user] LDAP timeouts after Java upgrade

2020-05-07 Thread Daniel Fisher
s some other difference between the JVMs. Something that would make TCP timeouts much shorter. --Daniel Fisher

Re: [cas-user] LDAP timeouts after Java upgrade

2020-05-06 Thread Daniel Fisher
On Wed, May 6, 2020 at 1:40 PM Baron Fujimoto wrote: > On Tue, May 05, 2020 at 11:42:01PM -0400, Daniel Fisher wrote: > >On Tue, May 5, 2020 at 11:15 PM Baron Fujimoto wrote: > > > >> We're running CAS 5.0.10 under Tomcat 8.5.54 with LDAP (389DS) for > >> authe

Re: [cas-user] LDAP timeouts after Java upgrade

2020-05-06 Thread Daniel Fisher
That JNDI bug affects Java versions 9-13. And doesn't affect CAS unless you've specifically enabled the JndiProvider. I believe the UnboundID provider is enabled by default. --Daniel Fisher On Wed, May 6, 2020 at 11:48 AM Ray Bon wrote: > Baron, > > I seem to recall a bug in the JVM

Re: [cas-user] LDAP timeouts after Java upgrade

2020-05-05 Thread Daniel Fisher
of Java (251), and after doing so noticed that the LDAP connections > quickly begin to time out with the following error: > > javax.naming.NamingException: LDAP response read timed out, timeout > used:-1ms > Do you have a responseTimeout duration configured? --Daniel F

Re: [cas-user] CAS with LDAP: ObjectGUID retrieved with attribute repository different than with authentication handler

2020-05-05 Thread Daniel Fisher
lers[0].type=OBJECT_GUID and cas.authn.attributeRepository.ldap[0].searchEntryHandlers[0].type=OBJECT_GUID Do you get the string representation of the objectGUID and are they the same? --Daniel Fisher

Re: [cas-user] Secure Ldap (LDAPS) --(PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)

2020-02-19 Thread Daniel Fisher
the trust store parameters? > The keystore is used for authentication material, the truststore is used for trust material. Putting trust material in the keystore file will not fix this issue. Also note that the default type is JKS, if you're using PKCS12 you'll need to set the trustStoreType property.

Re: [cas-user] Secure Ldap (LDAPS) --(PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)

2020-02-19 Thread Daniel Fisher
ssword=keystorepassword > > Try adding new properties: cas.authn.ldap[0].trustStore=file:/etc/cas/thetruststore cas.authn.ldap[0].trustStorePassword=truststorepassword Then import your CA into that truststore file. I'm not certain about the camel casing of those properties, but it should be something close to

Re: [cas-user] cas 5.2.x leaking connections

2020-01-13 Thread Daniel Fisher
On Mon, Jan 13, 2020 at 11:26 AM Trenton D. Adams wrote: > We are using Java 8 though, and we are using the UnboundIDProvider. > Can you post some logs that demonstrate the problem? Both application logs and OS netstat logs would be useful. --Daniel Fisher

Re: [cas-user] cas 5.2.x leaking connections

2020-01-11 Thread Daniel Fisher
ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider I thought that CAS used the UnboundID provider by default, so I'm curious why you were impacted by this bug. (Another solution is to use Java 8) --Daniel Fisher

Re: [cas-user] CAS won't start if LDAP connection fails

2019-07-26 Thread Daniel Fisher
continue to try to reconnect to the > LDAP server in the background. I want the other authentication sources to > continue to work. > There is a property on the pool called 'failFastInitialize'. Hopefully it's exposed in the configuration somewhere, set it to false. --Daniel Fish

Re: [cas-user] LDAP Threads

2019-03-06 Thread Daniel Fisher
there a way to ensure that threads time out after some time > instead of getting stuck in limbo? Thank you. > What version of Java are you using? Java >=9 has a JNDI bug that orphans LDAP connections. You can configure CAS to use the UnboundID provider to work around this is

Re: [cas-user] CAS 6.1.x Ldaps configuration problem

2019-01-25 Thread Daniel Fisher
This appears to be a bug in JNDI code that manifests with an NPE in the ldaptive thread local code. I've filed an issue, but there isn't a resolution yet. Workarounds include: * Use startTLS * Use the UnboundID provider * Use Java 8 (versions 9-12 are all affected) --Daniel Fisher On Fri, Jan

Re: [cas-user] LDAP attributes

2018-02-01 Thread Daniel Fisher
format. > Did you try this property? cas.authn.ldap[0].searchEntryHandlers[0].type=OBJECT_GUID --Daniel Fisher

Re: [cas-user] Problem with 5.1.6 - LDAP derefAlias

2017-11-30 Thread Daniel Fisher
deal. --Daniel Fisher On Thu, Nov 30, 2017 at 12:40 AM, Marc K. <marc.ko...@its.thm.de> wrote: > Hi, > > I recently updated our CAS 3.x with some modifications to the new Apereo > CAS 5.1.6. After messing around with tons of properties I'm currently facing > the problem of users

Re: [cas-user] CAS 5.0.5 - LDAP check out validation failure results in failed authentication

2017-07-11 Thread Daniel Fisher
.IllegalStateException: Connection is not open > Here's the connection validation failing, presumably because of the close passivator. There's definitely some strange stuff going on here. I see you changed your config and got it working, however it should be possible to get the behavior you want wi

Re: [cas-user] Issue with LDAP authentication: LDAP response read timed out

2017-06-22 Thread Daniel Fisher
recommend you turn on periodic validation and then tweak the validate period for your environment. --Daniel Fisher -- - CAS gitter chatroom: https://gitter.im/apereo/cas - CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html - CAS documentation website: https://apereo.g

Re: [cas-user] Issue with LDAP authentication: LDAP response read timed out

2017-06-22 Thread Daniel Fisher
ample,dc=org'])> > 2017-06-22 15:07:18,761 WARN [org.apereo.cas.authentication > .PolicyBasedAuthenticationManager] - Credentials may be incorrect or CAS cannot find authentication handler that > supports [t.benutzer] of type [UsernamePasswordCredential], which suggests > a config

Re: [cas-user] problem retrieving ldap attributes CAS 4.2.x

2017-02-20 Thread Daniel Fisher
On Mon, Feb 20, 2017 at 4:30 PM, rbon wrote: > The attributes are released with 3.5.2.1 so it is not a user access issue. > I have double checked that 3.5.2.1 and 4.2.7 installs are connecting to the > same ldap with the same settings. > I have attached logs relating to the

Re: [cas-user] problem retrieving ldap attributes CAS 4.2.x

2017-02-19 Thread Daniel Fisher
> Can someone please help me get LDAP attributes? > Put the org.ldaptive package in DEBUG and see what the logs say. If you're certain the attributes are being requested, confirm that the user has read access to those attributes. --Daniel Fisher

Re: [cas-user] CAS 4.2.7 and Active Directory

2017-01-18 Thread Daniel Fisher
On Wed, Jan 18, 2017 at 10:41 AM, Ben Branch <bbra...@uco.edu> wrote: > # > > # Authentication > > # > > ldap.authn.searchFilter=sAMAccountName=%u > > > Try ldap.authn.searchFilt

Re: [cas-user] CAS Ldaptive connectTimeout java.time.Duration

2016-10-17 Thread Daniel Fisher
ot about a half dozen other properties in your config you'll also need to change to duration syntax. --Daniel Fisher

Re: [cas-user] ldaptive documentation missing

2016-10-13 Thread Daniel Fisher
t returns a 404 > I'm not sure what to make of this. I didn't think that URN needed to be reachable, but I added an index.html just in case. If this problem is some quirkiness with github pages then it may take some time to reproduce. --Daniel Fisher

Re: [cas-user] question ldap auth ssl config upgrade 4.0.4 to 4.2

2016-04-14 Thread Daniel Fisher
eyStore}" > > p:keyStoreType="${sslConfig.keyStoreType}" > > p:keyStorePassword="${sslConfig.keyStorePassword}" /> > > > > > What are you using this keystore for? TLS client authentication? Man

Re: [cas-user] Forcing CAS to reconnect to LDAP

2016-02-12 Thread Daniel Fisher
html (Operation Retry) That exception handler is wired by default. Its behavior can be controlled by setting operationExceptionResultCodes on the ProviderConfig. The JndiProviderConfig comes with some sensible defaults. But as I mentioned, I don't think that's the right solution to this problem.