ction by doing a BIND on it?
>
The passivator is not designed to solve the issue you're having. It is
meant to solve the problem where connections cannot be validated because
the entry they are bound as is not authorized to perform the validation
operation.
--Daniel Fisher
--
- Website: http
tionValidator=null, transportOptions={}],
> channel=[id: 0x560c13d8, L:/127.0.0.1:64781 <http://127.0.0.1:64781> -
> R:localhost/127.0.0.1:389 <http://127.0.0.1:389>]>*
>
Any localhost firewall rules that may be causing problems? What do the AD
logs say?
--Daniel Fish
authn.ldap[0].ldapUrl=ldaps://VDC.FQDN:636
> #cas.authn.ldap[0].startTLS=true
>
>
The keystore properties are used to configure authentication credentials.
To configure trust anchors you can use:
cas.authn.ldap[0].trust-store=
cas.authn.ldap[0].trust-store-password=
cas.authn.ldap[0].trus
On Thu, Nov 17, 2022 at 10:16 AM BenDDD wrote:
>
> But if I enable it, the service no longer starts:
>
LDAPS and startTLS are mutually exclusive. Either use a URL with ldaps://
or use ldap:// and set use-start-tls=true.
--Daniel Fisher
n DEBUG to confirm the LDAP search results are
what you expect.
--Daniel Fisher
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because
department,o=myorg".
>4. CAS attempts a BIND against this DN with the provided password.
>
>
It sounds like you need to set derefAliases to something other than the
default (NEVER).
https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties-Common.html#ldap-authentication
>
I can't say exactly because there are logs missing between 12:02 and 12:12,
but my best guess is that your validation search is timing out. It must
return within 5 seconds or the validation would fail in this manner. Check
your LDAP server logs for a rootDSE search for (objectClass=*). You m
n in
> error).
>
> The problem is with the class netty-transport-4.1.65.Final.jar . When I
> remove it, it's working.
>
Can you confirm whether you have conflicting netty jars in your classpath?
--Daniel Fisher
and you should see why connection validation
failed. You're likely correct that you need to configure a bind connection
passivator.
--Daniel Fisher
LDAP logs to confirm.
--Daniel Fisher
ctory as part of the bean's initialization. Otherwise you should
change searchFactory to be a local variable. (It will be fairly inefficient
to create a pooled connection factory for each search operation.)
--Daniel Fisher
ot;
>
>
Yes. Try removing the double quotes from the bind-credential property.
--Daniel Fisher
ver I'm unable to get the DN of the
> users LDAP entry to resolve.
>
I'm not too familiar with CAS configuration, but you want to enable the
DN_ATTRIBUTE_ENTRY handler:
https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#ldap-search-entry-handlers
--Daniel F
a member of this groupOfMember
>
Can you put org.ldaptive in DEBUG to confirm the groupOfMember query is
happening?
--Daniel Fisher
On Thu, Jul 30, 2020 at 3:23 AM mohsen saeedi
wrote:
> Jul 30 11:24:40 SSO1 server[4213]: 2020-07-30 11:24:40,315 ERROR
> [org.ldaptive.pool.BlockingConnectionPool]
>
What error is reported here?
--Daniel Fisher
e using the same BIND.
>
In the absence of logs I really can't make a suggestion. Continue watching
the other thread and hopefully Eric will hit on a solution.
--Daniel Fisher
lated. And notably, they are more than 15 minutes apart in
the logs.
--Daniel Fisher
r, data 52e, v4563
> ^@', ldapSDKVersion=4.0.12,
> revision=aaefc59e0e6d110bf3a8e8a029adb776f6d2ce28
>
Can you confirm the bind credentials work against all 4 directories?
--Daniel Fisher
. During unsuccessful login, bind will happen on both
> simultaneously, which will result in an account lock.
>
Can you post the CAS logs that show simultaneous binds?
--Daniel Fisher
ion is returned to the pool. The
connection strategy defines how multiple URLs should be handled when a
connection is opened.
What do your logs say when the domain controller is rebooted?
--Daniel Fisher
t still shows
> the 3 connections to ldap, so the OS still thinks the connections
> exist.
>
More evidence that you have a half open connection. What does netstat on
your directory report?
--Daniel Fisher
s some other difference between
the JVMs. Something that would make TCP timeouts much shorter.
--Daniel Fisher
On Wed, May 6, 2020 at 1:40 PM Baron Fujimoto wrote:
> On Tue, May 05, 2020 at 11:42:01PM -0400, Daniel Fisher wrote:
> >On Tue, May 5, 2020 at 11:15 PM Baron Fujimoto wrote:
> >
> >> We're running CAS 5.0.10 under Tomcat 8.5.54 with LDAP (389DS) for
> >> authe
That JNDI bug affects Java versions 9-13, and it doesn't affect CAS unless
you've specifically enabled the JndiProvider. I believe the UnboundID
provider is enabled by default.
--Daniel Fisher
On Wed, May 6, 2020 at 11:48 AM Ray Bon wrote:
> Baron,
>
> I seem to recall a bug in the JVM
of Java (251), and after doing so noticed that the LDAP connections
> quickly begin to time out with the following error:
>
> javax.naming.NamingException: LDAP response read timed out, timeout
> used:-1ms
>
Do you have a responseTimeout duration configured?
--Daniel F
lers[0].type=OBJECT_GUID
and
cas.authn.attributeRepository.ldap[0].searchEntryHandlers[0].type=OBJECT_GUID
Do you get the string representation of the objectGUID and are they the
same?
--Daniel Fisher
the trust store parameters?
>
The keystore is used for authentication material; the truststore is used
for trust material. Putting trust material in the keystore file will not
fix this issue. Also note that the default type is JKS; if you're using
PKCS12, you'll need to set the trustStoreType property.
ssword=keystorepassword
>
>
Try adding new properties:
cas.authn.ldap[0].trustStore=file:/etc/cas/thetruststore
cas.authn.ldap[0].trustStorePassword=truststorepassword
Then import your CA into that truststore file. I'm not certain about the
camel casing of those properties, but it should be something close to
On Mon, Jan 13, 2020 at 11:26 AM Trenton D. Adams
wrote:
> We are using Java 8 though, and we are using the UnboundIDProvider.
>
Can you post some logs that demonstrate the problem? Both application logs
and OS netstat logs would be useful.
--Daniel Fisher
ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
I thought that CAS used the UnboundID provider by default, so I'm curious
why you were impacted by this bug.
(Another solution is to use Java 8)
--Daniel Fisher
continue to try to reconnect to the
> LDAP server in the background. I want the other authentication sources to
> continue to work.
>
There is a property on the pool called 'failFastInitialize'. Hopefully it's
exposed in the configuration somewhere; set it to false.
--Daniel Fish
there a way to ensure that threads time out after some time
> instead of getting stuck in limbo? Thank you.
>
What version of Java are you using?
Java >=9 has a JNDI bug that orphans LDAP connections.
You can configure CAS to use the UnboundID provider to work around
this is
This appears to be a bug in JNDI code that manifests with an NPE in the
ldaptive thread local code.
I've filed an issue, but there isn't a resolution yet.
Work arounds include:
* Use startTLS
* Use the UnboundID provider
* Use Java 8 (versions 9-12 are all affected)
--Daniel Fisher
On Fri, Jan
format.
>
Did you try this property?
cas.authn.ldap[0].searchEntryHandlers[0].type=OBJECT_GUID
--Daniel Fisher
deal.
--Daniel Fisher
On Thu, Nov 30, 2017 at 12:40 AM, Marc K. <marc.ko...@its.thm.de> wrote:
> Hi,
>
> I recently updated our CAS 3.x with some modifications to the new Apereo
> CAS 5.1.6. After messing around with tons of properties I'm currently facing
> the problem of users
.IllegalStateException: Connection is not open
>
Here's the connection validation failing, presumably because of the close
passivator. There's definitely some strange stuff going on here. I see you
changed your config and got it working, however it should be possible to
get the behavior you want wi
recommend you turn on periodic validation and then tweak the validate
period for your environment.
--Daniel Fisher
--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.g
ample,dc=org'])>
> 2017-06-22 15:07:18,761 WARN [org.apereo.cas.authentication
> .PolicyBasedAuthenticationManager] - Credentials may be incorrect or CAS cannot find authentication handler that
> supports [t.benutzer] of type [UsernamePasswordCredential], which suggests
> a config
On Mon, Feb 20, 2017 at 4:30 PM, rbon wrote:
> The attributes are released with 3.5.2.1 so it is not a user access issue.
> I have double checked that 3.5.2.1 and 4.2.7 installs are connecting to the
> same ldap with the same settings.
> I have attached logs relating to the
> Can someone please help me get LDAP attributes?
>
Put the org.ldaptive package in DEBUG and see what the logs say.
If you're certain the attributes are being requested, confirm that the user
has read access to those attributes.
--Daniel Fisher
On Wed, Jan 18, 2017 at 10:41 AM, Ben Branch <bbra...@uco.edu> wrote:
> #
>
> # Authentication
>
> #
>
> ldap.authn.searchFilter=sAMAccountName=%u
>
>
>
Try ldap.authn.searchFilt
ot about a half dozen other properties in your config
you'll also need to change to duration syntax.
--Daniel Fisher
t returns a 404
>
I'm not sure what to make of this. I didn't think that URN needed to be
reachable, but I added an index.html just in case. If this problem is some
quirkiness with github pages then it may take some time to reproduce.
--Daniel Fisher
eyStore}"
>
> p:keyStoreType="${sslConfig.keyStoreType}"
>
> p:keyStorePassword="${sslConfig.keyStorePassword}" />
>
>
>
>
>
What are you using this keystore for? TLS client authentication? Man
html (Operation Retry)
That exception handler is wired by default. Its behavior can be controlled
by setting operationExceptionResultCodes on the ProviderConfig. The
JndiProviderConfig comes with some sensible defaults. But as I mentioned, I
don't think that's the right solution to this problem.