Re: [cas-user] Install of CAS 6.4.4.2 includes log4j-jul-2.14.1.jar and log4j-jul-2.17.0.jar

2022-01-07 Thread Rod
Thanks for your reply, Jeffrey!

I got it all sorted.

I really appreciate this community!

Best Regards,

Rod


-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAOz46ZRD_Mx2Tcot%3DFRo9O%3DBi-etzw-H9hnGFWLHB6-Lfr5mLw%40mail.gmail.com.


[cas-user] ldaptive password policy request

2022-01-07 Thread Pablo Vidaurri
I'm getting the following error when authenticating a user against LDAP:

[org.ldaptive.auth.Authenticator] authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, resultCode=INSUFFICIENT_ACCESS_RIGHTS, matchedDN=, diagnosticMessage=The request control with Object Identifier (OID) "1.3.6.1.4.1.42.2.27.8.5.1" cannot be used due to insufficient access rights, referralURLs=[], messageID=3, controls=[]]

Is there any way to stop ldaptive from requesting this OID attribute from 
ldap? I've already tried including 
cas-server-core-api-configuration-model dependency 
and setting 
cas.authn.ldap[0].passwordPolicy.enabled:   false


I don't wish to check for password policy and I don't want to involve 
another team to make changes to ldap.

-psv



Re: [cas-user] Install of CAS 6.4.4.2 includes log4j-jul-2.14.1.jar and log4j-jul-2.17.0.jar

2022-01-07 Thread Jeffrey Ramsay
Try this:

bootWar {
    entryCompression = ZipEntryCompression.STORED
    overlays {
        cas {
            from "org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}@war"
            provided = false
            excludes = ["WEB-INF/lib/log4j*2.12.*.jar", "WEB-INF/lib/log4j*2.13.*.jar"]
        }
    }
}

-Jeff



Re: [cas-user] Install of CAS 6.4.4.2 includes log4j-jul-2.14.1.jar and log4j-jul-2.17.0.jar

2022-01-07 Thread Rod
I did the patch remediation and the older file is now gone and we're at
log4j version 2.17.1

So, thank you community for all of your help!

Rod



Re: [cas-user] Install of CAS 6.4.4.2 includes log4j-jul-2.14.1.jar and log4j-jul-2.17.0.jar

2022-01-07 Thread Rod
If it's of any value to someone using CAS overlay 6.4.4.2, this is how the
changes all look:

gradle.properties:

log4j2.version=2.17.1

build.gradle:

dependencies {
    ...

    // Log4j2 version 2.17.1 patch
    implementation "org.apache.logging.log4j:log4j-api:${project.'log4j2.version'}"
    implementation "org.apache.logging.log4j:log4j-core:${project.'log4j2.version'}"
    implementation "org.apache.logging.log4j:log4j-jcl:${project.'log4j2.version'}"
    implementation "org.apache.logging.log4j:log4j-jul:${project.'log4j2.version'}"
    implementation "org.apache.logging.log4j:log4j-layout-template-json:${project.'log4j2.version'}"
    implementation "org.apache.logging.log4j:log4j-slf4j18-impl:${project.'log4j2.version'}"
    implementation "org.apache.logging.log4j:log4j-web:${project.'log4j2.version'}"

    ...
}

...

overlays {
    cas {
        ...
        excludes = ["WEB-INF/lib/log4j-*-2.17.0.jar"]
        ...
    }
}


Cheers,

Rod

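Whatever the build ends up doing with overlay excludes, the check a practitioner wants is on the artifact that actually gets deployed. The script below is an added example for this thread, not code from CAS or from anyone in it: it reads WEB-INF/lib of a built WAR, groups jars by artifact name, and reports any artifact present in more than one version as well as any log4j-* module below a required minimum (2.17.1 here, matching the fix above). To run offline it constructs a small sample WAR in memory whose jar names mirror the listing reported at the top of the thread; the `scan_war_file` helper is what you would point at build/libs/cas.war.

```python
import io
import re
import zipfile
from collections import defaultdict

# WEB-INF/lib entries look like <artifact>-<version>.jar. The version is taken to
# start at the first "-<digit>" boundary, so log4j-jul-2.14.1.jar splits into
# ("log4j-jul", "2.14.1") and netty-transport-4.1.65.Final.jar into
# ("netty-transport", "4.1.65.Final").
JAR_RE = re.compile(r"^WEB-INF/lib/(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")


def version_key(version):
    """Numeric prefix of a version as a tuple, so 2.17.1 > 2.17.0 > 2.14.1.
    Trailing qualifiers such as .Final or -SNAPSHOT are ignored for ordering."""
    key = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        key.append(int(piece))
    return tuple(key)


def scan_war(war_bytes, log4j_min="2.17.1"):
    """Return (duplicates, outdated).

    duplicates: artifact -> sorted list of versions, for artifacts shipped more than once.
    outdated:   log4j-* artifact -> sorted list of versions older than log4j_min."""
    versions = defaultdict(set)
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            m = JAR_RE.match(name)
            if m:
                versions[m.group("artifact")].add(m.group("version"))
    duplicates = {a: sorted(v) for a, v in versions.items() if len(v) > 1}
    minimum = version_key(log4j_min)
    outdated = {}
    for artifact, found in versions.items():
        if artifact.startswith("log4j-"):
            old = sorted(v for v in found if version_key(v) < minimum)
            if old:
                outdated[artifact] = old
    return duplicates, outdated


def scan_war_file(path, log4j_min="2.17.1"):
    """Same check against a WAR on disk, e.g. build/libs/cas.war."""
    with open(path, "rb") as f:
        return scan_war(f.read(), log4j_min)


def build_sample_war(jar_names):
    """Constructed sample: a WAR whose WEB-INF/lib holds empty placeholder jars
    with the given names (contents are irrelevant to this name-based check)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for jar in jar_names:
            war.writestr("WEB-INF/lib/" + jar, b"")
    return buf.getvalue()


# Constructed to mirror the listing reported in the thread, plus a few neighbours.
SAMPLE_BEFORE = [
    "log4j-jul-2.14.1.jar", "log4j-jul-2.17.0.jar",
    "log4j-api-2.17.0.jar", "log4j-core-2.17.0.jar",
    "servlet-api-2.5.jar", "netty-transport-4.1.65.Final.jar",
]
# What WEB-INF/lib should look like after pinning log4j2 to 2.17.1 and excluding 2.17.0.
SAMPLE_AFTER = ["log4j-jul-2.17.1.jar", "log4j-api-2.17.1.jar", "log4j-core-2.17.1.jar"]

if __name__ == "__main__":
    for label, jars in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        dup, old = scan_war(build_sample_war(jars))
        print(f"{label}: duplicates={dup} outdated={old}")
```

The quick manual equivalent is `unzip -l cas.war | grep 'WEB-INF/lib/log4j'`; the script just makes the "exactly one version, and not older than X" rule something a build can fail on.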


[cas-user] Install of CAS 6.4.4.2 includes log4j-jul-2.14.1.jar and log4j-jul-2.17.0.jar

2022-01-07 Thread Rod B
Hi,

In test I downloaded the CAS Overlay for 6.4.4.2 here:
https://github.com/apereo/cas-overlay-template/archive/6.4.zip

We have a very basic install and I built the cas.war file.

When I look at .../cas/WEB-INF/lib I notice there are two log4j-jul files:
log4j-jul-2.14.1.jar
log4j-jul-2.17.0.jar

I've tried to exclude the old file in the build.gradle file:

overlays {
    cas {
        from "org.apereo.cas:cas-server-webapp${project.appServer}:${project.'cas.version'}@war"
        provided = false
        // one list: a second "excludes =" assignment would replace the first
        excludes = ["WEB-INF/lib/servlet-api-2*.jar", "WEB-INF/lib/log4j-jul-2.14.1.jar"]
    }
}

But the file remains.

Fortunately it doesn't seem to be causing a problem, but I've experienced 
issues when there are duplicate jar files of different versions, 
specifically log4j2 files.

Is this something that can be fixed in the upstream?

Also, is log4j2 going to be upgraded to 2.17.1 soon, or do we need to use 
the remediation steps referenced in this thread:
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2BTBYOQ-AecysHAxD0FHEdBnTTHD3wNTa_d1xXcVVRmuC16A5g%40mail.gmail.com
 


Many thanks!

Rod



Re: [cas-user] UnauthorizedServiceException due to mismatched ACS Url

2022-01-07 Thread Ray Bon
Peter,

You can use SAML-tracer to see the SAML being sent. You can verify the ACS.
If the ACS in the request does not match the metadata, the unauthorized service 
error should always be thrown.

It should be logged at warn, I would think.

Ray

On Fri, 2022-01-07 at 05:17 -0800, Peter Barnes wrote:


Re: [cas-user] Re: SAML2 bug: Unable to locate any signing credentials

2022-01-07 Thread Ray Bon
Pablo,

Is the aai... service the same as super duper?
The aai... service is configured to have a per service signing / encryption 
certs (this line in the log: Metadata directory location for 
[aai_pionier_net_pl_test] is [/etc/cas/saml/aai_pionier_net_pl_test-1001] ).
https://apereo.github.io/cas/6.4.x/installation/Configuring-SAML2-DynamicMetadata.html#per-service

If the two services are different, then you will need two idp metadata and two 
signing and 2 encryption certs (if you are using encryption).

Ray

On Thu, 2022-01-06 at 18:16 -0800, Pablo Vidaurri wrote:

Thanks for replying Ray,

Yes, I have that config and I see crt, keys, and idp-metadata created in it 
that was auto-generated.

Error seems misleading: it sounds like it is looking for SP metadata 
signing credentials.

-psv

On Thursday, January 6, 2022 at 1:02:30 PM UTC-6 Ray Bon wrote:
Pablo,

The signing credentials are yours, not the service. They are not read out of 
metadata since it requires the key. You set the location with (your cert and 
key are stored in same location as metadata):
cas.authn.saml-idp.metadata.file-system.location=

Cas will generate the metadata and certs on start up, make sure cas can write 
to the directory.

https://apereo.github.io/cas/6.4.x/installation/Configuring-SAML2-DynamicMetadata.html#file-system

Ray

On Wed, 2022-01-05 at 18:38 -0800, Pablo Vidaurri wrote:

Just saw this reply ...

That did not seem to work. I have my SP metadata with x509 certs embedded. I have 
my service definition like the following:

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "description": "my super super service",
  "serviceId" : "^https://my.super.duper.svc.com",   <-- entity id of my SP metadata file
  "name" : "super_duper",
  "id" : 20210115134141,
  "evaluationOrder" : 30,
  "metadataLocation" : "file:/apps//cas/metadata/super_duper_metadata.xml",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "firstName", "lastName" ] ]
  },
  "signAssertions": true,
  "signingCredentialType": "X509"
}

Still getting error:
Unable to locate any signing credentials for service [super_duper]

Do I need a separate crt somewhere instead of relying on the embedded cert in 
the SP metadata?

On Thursday, August 26, 2021 at 2:11:50 AM UTC-5 Marcin Roman wrote:
Entity ID in metadata must match entity ID in CAS properties.
Use CAS 6.3.4 or 6.4. I couldn't get it working with other versions.

On Wed, Aug 25, 2021, 9:06 PM Pablo Vidaurri  wrote:
Any solution or work around for this? Getting the same issue on CAS 6.3.2. The only 
way to get it to work is if I set my entityId to be the same as the hostname, which will 
not work in a production env.

On Monday, April 5, 2021 at 3:41:02 AM UTC-5 Marcin Roman wrote:
Hi, I have discovered yet another bug in SAML2 support in 6.3.4-SNAPSHOT and 
6.4.0-SNAPSHOT.
It looks like SamlIdPMetadataResolver is provided with cas url instead of 
entityId while resolving signing credentials.

cas_1 | TRACE [org.apereo.cas.support.saml.SamlUtils] Attempting to create SAMLObject for type: [interface org.opensaml.saml.saml2.core.Status] and QName: [{urn:oasis:names:tc:SAML:2.0:protocol}Status]
cas_1 | TRACE [org.apereo.cas.support.saml.SamlUtils] Attempting to create SAMLObject for type: [interface org.opensaml.saml.saml2.core.StatusCode] and QName: [{urn:oasis:names:tc:SAML:2.0:protocol}StatusCode]
cas_1 | DEBUG [org.apereo.cas.support.saml.SamlUtils] Logging [org.opensaml.saml.saml2.core.impl.ResponseImpl]
cas_1 | [ (XML element tags lost in extraction; the attribute values that survive follow)
cas_1 |   https://aai.pionier.net.pl/test/module.php/saml/sp/saml2-acs.php/default-sp
cas_1 |   ID="_111942357346883584" InResponseTo="_f23e8fe1993a1a61287f3d30288ee5700f936c0631" IssueInstant="2021-04-05T07:55:18.827Z" Version="2.0"
cas_1 |   https://login.umcs.pl/cas/idp/metadata
cas_1 |   https://login.umcs.pl/cas/idp/metadata
cas_1 |   // DELETED
cas_1 | ]
cas_1 | DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.response.SamlProfileSaml2ResponseBuilder] SAML entity id [https://aai.pionier.net.pl/test/module.php/saml/sp/metadata.php/default-sp] indicates that SAML responses should be signed
cas_1 | TRACE [org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner] Attempting to encode 

Re: [cas-user] Re: CAS 6.4 / Netty errors

2022-01-07 Thread hakim yahiaoui
I don't see any conflict.
But I found a solution. Until now, I was running the CAS application with the 
Tomcat shipped with the Debian 9 distribution.
I downloaded Apache Tomcat 9 from the web, installed it, and it's working.
I think I will stay like this.

Thanks

On Friday, January 7, 2022 at 04:11:33 UTC+1, dfisher wrote:

> On Thu, Jan 6, 2022 at 10:03 AM hakim yahiaoui  wrote:
>
>> thank you for your reply
>> For the baseDn, it seems that Netty doesn't get the value for this 
>> parameter but it doesn't seem to be the problem.
>> In the LDAP logs on LDAP server, i don't see any connection (not even in 
>> error).
>>
>> The problem is with the class netty-transport-4.1.65.Final.jar . When i 
>> remove it, it's working.
>>
>
> Can you confirm whether you have conflicting netty jars in your classpath?
>
> --Daniel Fisher
>



[cas-user] UnauthorizedServiceException due to mismatched ACS Url

2022-01-07 Thread Peter Barnes
We recently had an issue with a service provider generating errors for an 
unauthorized service that we could not identify.
When performing SSO, if there was no established session on CAS the user 
could successfully authenticate and the SSO flow would successfully 
complete for the SP. However, if there was already an established CAS 
session, i.e. the user had already logged into a different SP, attempting 
SSO for the initial SP generated the unauthorized service error.

In both cases the flow is SP-initiated using the exact same URL.

There were no errors/warnings in the CAS logs to give any indication as to 
what was at fault; it wasn't until we enabled debug logging that we found 
the following.

Resolved [org.apereo.cas.support.saml.SamlException: Assertion consumer service [https://xxx/saml2/auth/login] cannot be located in metadata [[https://x/employee/saml2/post]]] to ModelAndView [view="casServiceErrorView"; model={rootCauseException=org.apereo.cas.services.UnauthorizedServiceException: }]

Using this we identified that the consumer URL in the SAML request did not 
match the consumer URL in the metadata and we were able to work around the 
issue.

What we cannot identify is 

   1. Why is the behavior different based on existing/new session
   2. Why is this not logged anywhere as an error? Using debug logging to 
   find this is not practical

Cas Version: 6.3.5
Assumed location of original error: SamlIdpUtils#207

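The check behind the exception above, written as an added example for this thread rather than CAS's own code: read the AssertionConsumerService entries out of the SP metadata, compare them with the AssertionConsumerServiceURL (and ProtocolBinding) carried by the incoming AuthnRequest, and when nothing matches log both sides at WARNING instead of only at DEBUG, which is the visibility the post asks for. The metadata, the request and the sp.example.org URLs are constructed samples; that the binding is compared as well as the URL is an assumption of this example, not something the thread states about CAS.

```python
import logging
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

log = logging.getLogger("acs-check")

# Constructed SP metadata with placeholder hosts: a single POST endpoint, the
# shape of the one entry the exception above prints inside [[...]].
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.org/saml2">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="{HTTP_POST}"
        Location="https://sp.example.org/employee/saml2/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def acs_endpoints(metadata_xml):
    """All (Binding, Location) pairs the SP metadata declares."""
    root = ET.fromstring(metadata_xml)
    return [(e.get("Binding"), e.get("Location"))
            for e in root.iter(f"{{{MD}}}AssertionConsumerService")]


def build_authn_request(acs_url, binding=HTTP_POST):
    """Constructed SP-initiated AuthnRequest carrying only the attributes this check reads."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_req1" Version="2.0" '
            f'IssueInstant="2022-01-07T13:17:00Z" ProtocolBinding="{binding}" '
            f'AssertionConsumerServiceURL="{acs_url}"/>')


def resolve_acs(request_xml, metadata_xml):
    """Return the metadata ACS Location matching the request, or None.

    Comparison is an exact string match on Location (and on Binding when the
    request names one), so a different path, host or trailing slash is a
    mismatch. A mismatch is logged at WARNING with both sides so it shows up
    without debug logging."""
    req = ET.fromstring(request_xml)
    requested = req.get("AssertionConsumerServiceURL")
    binding = req.get("ProtocolBinding")
    declared = acs_endpoints(metadata_xml)
    for b, location in declared:
        if location == requested and (binding is None or b == binding):
            return location
    log.warning("Assertion consumer service [%s] cannot be located in metadata %s",
                requested, [loc for _, loc in declared])
    return None


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(name)s %(message)s")
    print(resolve_acs(build_authn_request("https://sp.example.org/employee/saml2/post"), SP_METADATA))
    print(resolve_acs(build_authn_request("https://sp.example.org/saml2/auth/login"), SP_METADATA))
```

Run as-is, the first call returns the declared POST location and the second logs the same "cannot be located in metadata" line the post found only at DEBUG, now at WARNING, with the requested URL next to the list the metadata actually declares.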


Re: [cas-user] LDAP connexion/pool configuration

2022-01-07 Thread spfma . tech
Hi,

Maybe something is missing in my setup in fact. Without a working example I 
tried to guess from the content of the "all-properties.ref" file. Here is 
what I am using right now:

cas.authn.ldap[0].base-dn: dc=MY,dc=DOMAIN
cas.authn.ldap[0].bind-dn: cn=casldap,dc=MY,dc=DOMAIN
cas.authn.ldap[0].bind-credential: BIND_CRED
cas.authn.ldap[0].dn-format: uid=%s,ou=people,dc=MY,dc=DOMAIN
cas.authn.ldap[0].enhance-with-entry-resolver: true
cas.authn.ldap[0].ldap-url: ldaps://ldap.my.domain:636
#cas.authn.ldap[0].page-size: 0
cas.authn.ldap[0].password-encoder.type: NONE
cas.authn.ldap[0].search-filter: (uid={user})
cas.authn.ldap[0].subtree-search: true
cas.authn.ldap[0].type: AUTHENTICATED
cas.authn.ldap[0].use-start-tls: false
#cas.authn.ldap[0].principal-attribute-list: givenName,displayName,mail,eduPersonPrimaryAffiliation,eduPersonAffiliation,uid,supanncivilite,departmentNumber,insaGrhumVlan
cas.authn.ldap[0].principal-attribute-list: givenName,displayName,mail
#cas.authn.ldap[0].disable-pooling: true
cas.authn.ldap[0].principal-attribute-id: uid
#cas.authn.ldap[0].pool-passivator: bind
#cas.monitor.ldap[0].pool-passivator: BIND
#cas.monitor.ldap[0].bind-dn: cn=casldap,dc=MY,dc=DOMAIN
#cas.monitor.ldap[0].bind-credential: BIND_CRED

#cas.authn.ldap[0].minPoolSize=3
#cas.authn.ldap[0].maxPoolSize=10
#cas.authn.ldap[0].validateOnCheckout=true
#cas.authn.ldap[0].validatePeriodically=true
#cas.authn.ldap[0].validate-period=PT5M
#cas.authn.ldap[0].validate-timeout=PT5S
#cas.authn.ldap[0].fail-fast=false
#cas.authn.ldap[0].idle-time=PT10M
#cas.authn.ldap[0].prune-period=PT2H
#cas.authn.ldap[0].block-wait-time=PT3S
#cas.authn.ldap[0].response-timeout=PT5S
#cas.authn.ldap[0].dn-format: uid=%s,dc=MY,dc=DOMAIN

cas.authn.ldap[0].validator.base-dn: dc=MY,dc=DOMAIN
cas.monitor.endpoints.ldap.bind-dn: cn=casldap,dc=MY,dc=DOMAIN

Regards

On 07-Jan-2022 06:34:49 +0100, dfis...@vt.edu wrote:

On Thu, Jan 6, 2022 at 9:16 AM  wrote:

2022-01-06 12:02:24,879 INFO o.l.PooledConnectionFactory [main] pool initialized [org.ldaptive.PooledConnectionFactory@1337741679::name=null, minPoolSize=3, maxPoolSize=10, validateOnCheckIn=false, validateOnCheckOut=true, validatePeriodically=true, activator=org.ldaptive.pool.AbstractConnectionPool$$Lambda$1787/0x0008409e8440@1acc768, passivator=[org.ldaptive.pool.BindConnectionPassivator@628513353::bindRequest=org.ldaptive.SimpleBindRequest@952806663::controls=null, dn=cn=casldap,dc=MY,dc=DOMAIN], validator=[org.ldaptive.SearchConnectionValidator@365999192::validatePeriod=PT5M, validateTimeout=PT5S, searchRequest=org.ldaptive.SearchRequest@-670020831::controls=null, dn=, scope=OBJECT, aliases=NEVER, sizeLimit=1, timeLimit=PT0S, typesOnly=false, filter=org.ldaptive.filter.PresenceFilter@b262ac96, returnAttributes=[1.1], binaryAttributes=null], pruneStrategy=[org.ldaptive.pool.IdlePruneStrategy@140260642::prunePeriod=PT2H, idleTime=PT10M], connectOnCreate=true, connectionFactory=[org.ldaptive.DefaultConnectionFactory@415117829::transport=[org.ldaptive.transport.netty.ConnectionFactoryTransport@1876525009::channelType=class io.netty.channel.socket.nio.NioSocketChannel, ioWorkerGroup=io.netty.channel.nio.NioEventLoopGroup@12c78f36, messageWorkerGroup=null, shutdownOnClose=true], config=[org.ldaptive.ConnectionConfig@2077969769::ldapUrl=ldaps://ldap.my.domain:636, connectTimeout=PT5S, responseTimeout=PT5S, reconnectTimeout=PT2M, autoReconnect=true, autoReconnectCondition=org.ldaptive.ConnectionConfig$$Lambda$1783/0x0008409c1440@129c760d, autoReplay=true, sslConfig=[org.ldaptive.ssl.SslConfig@908043384::credentialConfig=null, trustManagers=null, hostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@180f33b2, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null, handshakeTimeout=PT1M], useStartTLS=false, connectionInitializers=[org.ldaptive.BindConnectionInitializer@937346147::bindDn=cn=casldap,dc=MY,dc=DOMAIN, bindSaslConfig=null, bindControls=null], connectionStrategy=org.ldaptive.ActivePassiveConnectionStrategy@391e85df, connectionValidator=null, transportOptions={}]], failFastInitialize=true, initialized=true, availableCount=3, activeCount=0, blockWaitTime=PT3S]

2022-01-06 12:12:29,880 WARN o.l.PooledConnectionFactory [PooledConnectionFactory@1337741679] org.ldaptive.pool.AbstractConnectionPool$DefaultPooledConnectionProxy@861dc91 failed validation

I can't say exactly because there are logs missing between 12:02 and 12:12, but my best guess is that your validation search is timing out. It must return within 5 seconds or the validation would fail in this manner. Check your LDAP server logs for a rootDSE search for (objectClass=*). You may need to change your validation config to search on a different branch.

--Daniel Fisher
