Re: [cas-user] pay forward?

2018-02-26 Thread Man H
If nobody else considered your kind offer I suppose cas multitenancy wins!! On Monday, February 26, 2018, Cheltenham, Chris < ccheltenham-...@philasd.org> wrote: > Hello Michael, > > > > > > I work for Philadelphia School District K thru 12. > > > > We may be interested in the hours of

Re: [cas-user] CAS PM JDBC 5.1.5 double query

2018-02-26 Thread Man H
send cas startup log 2018-02-26 21:04 GMT-03:00 : > It has to be reading my properties or else I could never switch between > MySQL and Oracle which I do all day long. It has to be something else. > > Bill > > Sent from a device. > > On Feb 26, 2018, at 7:59 AM, Man H

Re: [cas-user] CAS PM JDBC 5.1.5 double query

2018-02-26 Thread jojowil
It has to be reading my properties or else I could never switch between MySQL and Oracle which I do all day long. It has to be something else. Bill Sent from a device. > On Feb 26, 2018, at 7:59 AM, Man H wrote: > > Cas is not reading your properties. Check where

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-26 Thread Kevin Liu
So I've included an extra ldap index to get around multiple OUs. I can now authenticate users but only with their full name and not their sAMAccountName. For example, on the cas login screen, if I put my sAMAccountName kliu as the username and the associated password, I get denied but if I put

[cas-user] Re: CAS5.2 Connect to LDAP

2018-02-26 Thread Matthew Hannay
Can you post your logs, cas.properties and pom.xml and I can have a look. Also try installing http://www.ldapadmin.org/ to do some testing --Matt On Friday, 23 February 2018 05:32:54 UTC+10, Kevin Liu wrote: > > Hello, > > I can't seem to make heads or tails of getting CAS to talk to LDAP >

Re: [cas-user] CAS5.2 Connect to LDAP

2018-02-26 Thread Matthew Hannay
Send me your POM and cas.properties. In the meantime install ldapadmin http://www.ldapadmin.org/ I can help with working out your config. --Matt On 23 February 2018 at 05:32, Kevin Liu wrote: > Hello, > > I can't seem to make heads or tails of getting CAS to talk to

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-26 Thread Marc Dufour
Since my DN is not fixed as I authenticate users at the Forest level, I could not use AD and used AUTHENTICATED instead, and used cas.authn.ldap[0].userFilter=(userPrincipalName={user}) as filter, with subtreeSearch set to true, and was able to authenticate on two different domains (but this

[cas-user] DynamoDB as Service Registry Storage

2018-02-26 Thread Marc Dufour
Hello all, We're in the process of migrating our old 3.5.2 CAS setup to a more recent version (5.2.2) and I'm testing different storage solutions for the service registry. So far, I was not able to use DynamoDB, and was wondering if anyone had success with it. I'm guessing that it should

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-26 Thread Kevin Liu
Okay so I've changed my cas.properties to reflect what you're saying. I'm getting an error which requires me to input a dnFormat. Fair enough but looking at your documentation, it says to put %s which will get the username entered into the query. Does this mean that in your AD, your CN and

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-26 Thread David Curry
Correct. If you're using the AD type, you should be using cas.authn.ldap[0].userFilter: sAMAccountName={user} Putting "anything" in the username field and getting authenticated doesn't sound right. But if you're using AD and dnFormat, I'm almost positive that you DO NOT want to have a

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-26 Thread Kevin Liu
No worries! Reading the documents again, it looks like I may have confused a couple of things. AD Active Directory - Users authenticate with sAMAccountName typically using a DN format. It says that it authenticates using the sAMAccountName which should get passed in if we use

Re: [cas-user] /cas/status/dashboard

2018-02-26 Thread Kevin Liu
I concur with Matthew. That was my issue too until I changed it. Then services started picking up. On Monday, February 26, 2018 at 2:37:37 PM UTC-6, David Curry wrote: > > But think of all the experience you're getting! :-) > > Seriously, I know the feeling. I think we've all been there before.

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-26 Thread Kevin Liu
Thanks, got it working! I hope you don't mind me picking your brain a little further. Do you have any experience with principalAttributeId fields? I'm wondering if I can first bind to LDAP, and then use username and password to authenticate instead and it looks like principalAttribute fields

Re: [cas-user] Stumped on attribute release in CAS 5.1

2018-02-26 Thread michael kromarek
If you want to release attributes under CAS 2.0 protocol, here ( https://kogentadono.com/2017/08/30/attribute-release-cas-5-1-x-for-cas-2-0-protocol/) is a post I wrote up a while back. Also, attached is the file you'll need to put in your war overlay to make release work. It should live in

Re: [cas-user] /cas/status/dashboard

2018-02-26 Thread David Curry
But think of all the experience you're getting! :-) Seriously, I know the feeling. I think we've all been there before. --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212 229-5300 x4728 •

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-26 Thread David Curry
I haven't tried it myself, but you ought to be able to put cas.log.level back to "warn" and then add something like in the section (down around line 61). See the comment right there in the file for a little more info. --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY*

RE: [cas-user] /cas/status/dashboard

2018-02-26 Thread Cheltenham, Chris
I do, I will check everything again in the morning. Thanks for your help. It’s frustrating because I know it’s something stupid but I just don’t see it yet. === Thank You; Chris Cheltenham Technology Services The School District of Philadelphia Work #

Re: [cas-user] /cas/status/dashboard

2018-02-26 Thread Matthew Uribe
Chris, I ran into the same problem. I added json files to /etc/cas/services but CAS was only reading those in the classpath/services directory. I found that my problem was in my cas.properties: Incorrect: cas.serviceRegistry.*config*.location: file:/etc/cas/services Correct:

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-26 Thread Kevin Liu
I'm messing with the logger. Is it possible to have just LDAP debug codes output? If so, how? Cause I can't seem to be able to shut off the others without shutting off debug altogether. On Monday, February 26, 2018 at 11:53:16 AM UTC-6, David Curry wrote: > > Well, you can start with

Re: [cas-user] /cas/status/dashboard

2018-02-26 Thread David Curry
Do you have org.apereo.cas cas-server-support-json-service-registry ${cas.version} in pom.xml and cas.serviceRegistry.json.location:file:/etc/cas/services in cas.properties? If not, you need them. If so, then dig through the archives of this group in the

RE: [cas-user] /cas/status/dashboard

2018-02-26 Thread Cheltenham, Chris
David, The only thing I can tell is that CAS is not seeing the json file from /etc/cas/services. I created two and they never show up loaded in the logs. Only the two default ones, I guess they are, show up. 2018-02-26 14:42:49,710 DEBUG

Re: [cas-user] /cas/status/dashboard

2018-02-26 Thread David Curry
I think we've been through most of these at one time or another, but to assemble them all in one place... 1. You have all of these: # The /status endpoint is protected by IP address only. cas.adminPagesSecurity.ip: ...a valid regex to match your authorized addresses... # The

Re: [cas-user][CAS 5.X] Proxy Mode and 5.2.x

2018-02-26 Thread Luke Whittington
Hi, Didier. We're also experiencing some WebProxy and ClearPass issues with CAS 5.2.x and uPortal 4. What version of uPortal are you running? thanks, Luke OK, I answer by myself. Found the solution by a colleague in a French list. Thanks a lot to him. I try to explain (sorry for my English) :

[cas-user] /cas/status/dashboard

2018-02-26 Thread Cheltenham, Chris
Hello, I have been struggling with access denied on the dashboard - users.properties only has the following. ccheltenham-ext=passwordnotused,ROLE_ADMIN What else could I have misconfigured? === Thank You; Chris Cheltenham Technology

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-26 Thread David Curry
Well, you can start with log4j2.xml, and change warn to debug which will give you a lot of detail (all in cas.log) about what's going on. If that doesn't give you what you want, you can also (or instead) change to to get debugging from the LDAP code itself. As for your second

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-26 Thread Kevin Liu
Thank you Dave for providing additional insight! Just to add, my MSDN I was referring above is actually a Microsoft Active Directory Server which I'm using the LDAP protocol to talk to (at least that is my understanding). I've got a few more questions. Is it possible to see what the LDAP is

Re: [cas-user] Step by step guide for simple CAS server with OpenLDAP authentication

2018-02-26 Thread David Curry
Glad you figured it out. Note that if you turn on debug logging for anything (in log4j2.xml), those messages will also go to cas.log. In my personal experience, the cas.log messages are more helpful than the catalina.out messages about 4 times out of 5. --Dave -- DAVID A. CURRY, CISSP

Re: [cas-user] Stumped on attribute release in CAS 5.1

2018-02-26 Thread Ray Bon
Toby, It looks like your client is using CAS 2.0 protocol. Attribute release can be done with SAML 1.1 and CAS 3.0 protocol. Ray On Mon, 2018-02-26 at 07:41 -0800, Toby Archer wrote: With the addition of those loggers and a little tweaking I got some info that should be useful. Firstly:

Re: [cas-user] AssertionConsumerServiceIndex and AssertionConsumerServiceUrl

2018-02-26 Thread Ray Bon
Ash, You could adjust the webflow and redirect user after TGT is sent and before ST is created. We did this to prompt user to update contact info through a custom app. Ray On Mon, 2018-02-26 at 05:40 -0800, Ash wrote: Not for logout, but during the login process. The Service Provider

[cas-user] Customizing webflows in cass5

2018-02-26 Thread yashwanth chowdary
I was trying to customize web-flows in cas5 using xml/annotation based configurations, I was facing issue (NoSuchWebflowFoundException) while registering new web-flows. As I was looking at the documentation of apereo found the below link to customize web-flows but couldn't get a clear

Re: [cas-user] Step by step guide for simple CAS server with OpenLDAP authentication

2018-02-26 Thread David Curry
Do you get any log entries in cas.log? Sometimes those can be a little more informative than the ones in catalina.out. --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212 229-5300 x4728 •

Re: [cas-user] AssertionConsumerServiceIndex and AssertionConsumerServiceUrl

2018-02-26 Thread Man H
Cas is not multitenant. See https://groups.google.com/a/apereo.org/d/msgid/cas-user/20C889EBD5E2E103.107C4E6D-3607-4BC8-8345-C8AE71F48935%40mail.outlook.com?utm_medium=email_source=footer among others. 2018-02-26 10:40 GMT-03:00 Ash : > > Not for logout, but

[cas-user] CAS 5.2 - SAML2 SLO

2018-02-26 Thread Dan S
I am trying to use SAML2 with CAS 5.2. I have it setup as the idp and I have two services connected to it. Everything works as expected with one service - but the second service does not receive a POST to its logout url when signing out of CAS. Steps: Sign in to both applications. Only first

Re: [cas-user] Stumped on attribute release in CAS 5.1

2018-02-26 Thread Toby Archer
With the addition of those loggers and a little tweaking I got some info that should be useful. Firstly: 2018-02-26 15:36:46,731 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 2018-02-26 15:36:46,731 DEBUG

Re: [cas-user] Step by step guide for simple CAS server with OpenLDAP authentication

2018-02-26 Thread sami
Hi David, Yep, already got that. On 26/02/2018 14:35, David Curry wrote: > Sami, > > Do you have the LDAP dependency in pom.xml? > >         >             org.apereo.cas >             cas-server-support-ldap >             ${cas.version} >         > > --Dave > > > -- > > DAVID A. CURRY, CISSP >

Re: [cas-user] Dashboard

2018-02-26 Thread David Curry
Chris, In the URL you posted: https://devcas5.philasd.org/cas/status/$%7Bcas.server.prefix%7D /login?service=https%3A%2F%2Fdevcas5.philasd.org%2Fcas%2Fstatus%2Fdashboard what is this part: $%7Bcas.server.prefix%7D supposed to do? Looks like maybe you have a typo somewhere. The URL should

RE: [cas-user] Dashboard

2018-02-26 Thread Cheltenham, Chris
Actually I did not figure out my issue. If anyone knows why I am getting page not found /satatus/dashboard please see below … === Thank You; Chris Cheltenham Technology Services The School District of Philadelphia Work # 215-400-5025 Cell # 215-301-6571 From:

RE: [cas-user] Dashboard

2018-02-26 Thread Cheltenham, Chris
I think I figured out that yes I do need a service Jason for the dashboard. Please disregard. === Thank You; Chris Cheltenham Technology Services The School District of Philadelphia Work # 215-400-5025 Cell # 215-301-6571 From: cas-user@apereo.org

Re: [cas-user] Step by step guide for simple CAS server with OpenLDAP authentication

2018-02-26 Thread David Curry
Sami, Do you have the LDAP dependency in pom.xml? org.apereo.cas cas-server-support-ldap ${cas.version} --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003

[cas-user] Dashboard

2018-02-26 Thread Cheltenham, Chris
Using David Curry's dashboard instructions I seem to have either missed something. I get PAGE Not Found at this url https://devcas5.philasd.org/cas/status/$%7Bcas.server.prefix%7D/login?service=https%3A%2F%2Fdevcas5.philasd.org%2Fcas%2Fstatus%2Fdashboard Don't I need a

[cas-user] Re: Can I make use of XML attributes in a serviceValidate response for authorization control?

2018-02-26 Thread Bryan K. Walton
On Thu, Feb 22, 2018 at 06:04PM -0500, Dawid Hawes wrote: >> for authorization control, without having access to a samlValidate url >> option? For example, we would like to instruct Apache to limit access >> to those users who have "Staff" in the "" element. > >mod_auth_cas supports SAML

Re: [cas-user] Step by step guide for simple CAS server with OpenLDAP authentication

2018-02-26 Thread sami
I've been following this guide throughout https://dacurry-tns.github.io/deploying-apereo-cas/introduction_overview.html, and everything has been going smoothly so far; up to the part where I needed to add the ldap authentication. The log says cas is deployed with errors. Catalina logs:

Re: [cas-user] AssertionConsumerServiceIndex and AssertionConsumerServiceUrl

2018-02-26 Thread Ash
Not for logout, but during the login process. The Service Provider supports multiple tenants and we would like CAS to redirect the user to a different URL based on tenant. Thanks, Ash On Saturday, February 24, 2018 at 2:32:41 PM UTC-6, Manfredo Hopp wrote: > > Why you need more than one

Re: [cas-user] CAS PM JDBC 5.1.5 double query

2018-02-26 Thread Man H
Cas is not reading your properties. Check where they are fetched. On Monday, February 26, 2018, William Jojo wrote: > Manfredo, > > Hibernate is not posting to my logs. Turned on cas.jdbc.showSql and > cas.jdbc.genDdl. Also added org.hibernate, org.hibernate.SQL and >

Re: [cas-user] CAS 3.5.2 returning mail as user name

2018-02-26 Thread Uxío Prego
I don't know. Uxío Prego Madiva Soluciones CL / SERRANO GALVACHE 56 BLOQUE ABEDUL PLANTA 4 28033 MADRID +34 917 56 84 94 www.madiva.com www.bbva.com The activity of email inboxes can be systematically tracked by colleagues, business partners and third parties. Turn off automatic loading of

Re: [cas-user] CAS PM JDBC 5.1.5 double query

2018-02-26 Thread William Jojo
Manfredo, Hibernate is not posting to my logs. Turned on cas.jdbc.showSql and cas.jdbc.genDdl. Also added org.hibernate, org.hibernate.SQL and org.hibernate.type.descriptor.sql to the log4j2.xml for both debug and trace. Nothing. This is built using Maven and our own Tomcat server. Bill On

[cas-user] CAS - adding JWT Authentication issue

2018-02-26 Thread Michael JOIGNY
Hi Everyone, I would like to add the possibility to use JWT Authentication to my CAS Server, I followed this link https://apereo.github.io/cas/4.2.x/installation/JWT-Authentication.html but it's not working. I'm using CAS Version 4.2.7 and Java Version : 1.8.0_40, I followed these steps below