Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Chris Peck
All we do to build just the cas.war file is run this command in the directory with the pom.xml file & our src overlay directory: *mvn clean package* then it will poop out the warfile in *target/cas.war* We don't use their scripts. We keep the pom.xml file & our src overlay directory in git, when

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
Thanks David, Thats a bit eye opening, the orders and different authorizing entites. === Thank You; Chris Cheltenham Technology Services The School District of Philadelphia Work # 215-400-5025 Cell # 215-301-6571 From: "David Curry"

[cas-user] CAS 5.2.x Could not update the account password

2018-02-08 Thread casuser
I am using CAS 5.2.x. For reset password, I get the reset password email and from the link I can get to the reset password page where I enter my new password and retype it but I get this error on the browser "Could not update the account password" and nothing in the server log. I am using LDAP

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread David Curry
It's a pain in the butt, mostly. :-) One of these days we're going to consolidate everything into the One True Active Directory and get rid of the second directory, which will make our lives easier in all sorts of ways, but that's still somewhere out on the horizon. The use of two AD configs

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
Good for you David, We are still using LDAP with almost 200k users and maybe 30 attributes. Its complicated. Maybe M$ will loosen the cost of AD for a k-12 school district. Would be nice. === Thank You; Chris Cheltenham Technology Services The School

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread David Curry
We're also using Shibboleth today, and we're also planning to drop it in favor of CAS' SAML2 support. I have played a bit with using CAS as the IdP and it seems to work in my limited testing against the Shibboleth SP (mod_auth_shib) on Apache HTTPD. My project this month is to actually move what

[cas-user] Re: CAS 5.2.x

2018-02-08 Thread William E.
For Dave's docs: We too have been working on using cas 5.2's saml2 capabilities to replace a full shibboleth. Not quite there yet, but still working on it. FWIW - We use apache's mod_ajp to front tomcat and these lines are what we use in proxy_ajp.conf: ProxyPass /cas

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
David, Unfortunately that did not make a difference when I built the cas.war with gradle. When I used maven I got the same list you have. [root@devcas5 lib]# ll | grep ldap -rw-r- 1 root root 14296 Feb 8 11:02 cas-server-support-ldap-5.2.2.jar -rw-r- 1 root root 35536 Feb 8 11:02

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
David, Would you be able to share your Cas 5 cas.properties section? please make sure and blank out like passwords. === Thank You; Chris Cheltenham Technology Services The School District of Philadelphia Work # 215-400-5025 Cell # 215-301-6571 From:

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
Yes I hear you. I got talked into using gradle by a senior co worker but I am scrapping that. I am not a developer and I am trying to understand the developers environment. I think NOW after Mr Curry helped me with the pom.xml I am now in cas.properties hell. There are just so many options

Re: [cas-user] Cas - Unauthorized

2018-02-08 Thread Mukunthini Jeyakumar
Hi, I'm getting the error only if I turn on CASValidateSAML and using the CASValidateURL with samilValidate endpoint. Authorization Required This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password),

Re: [cas-user] Cannot retrieve user attributes from PHP application behind mod_auth_cas

2018-02-08 Thread Mukunthini Jeyakumar
Hi David, I'm using mod_auth_cas configured to use the "samlValidate" endpoint. When I turn on CASValidateSAML and configure saml endpoint I'm getting the following error Authorization Required This server could not verify that you are authorized to access the document requested. Either you

[cas-user] how do I capture audit log trail for unauthorized users who are denied access to a service in an accessStrategy configuration of one of my JSON files?

2018-02-08 Thread crdaudt
For one of my services, I have the following accessStrategy defined in my JSON file: ---begin--- "accessStrategy" : { "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy", "enabled" : true, "unauthorizedRedirectUrl" :

Re: [cas-user] how do I capture audit log trail for unauthorized users who are denied access to a service in an accessStrategy configuration of one of my JSON files?

2018-02-08 Thread Ray Bon
Carl, This already should be in log4j2: Ray On Thu, 2018-02-08 at 13:06 -0800, crdaudt wrote: For one of my services, I have the following accessStrategy defined in my JSON file: ---begin--- "accessStrategy" : { "@class" :

Re: [cas-user] upgrading to 5.2.2

2018-02-08 Thread David Curry
I'm not sure about the logging warnings, but the service registry message is a side effect of the way CAS starts up and wires all the modules together at run time. Basically, the message is being printed before the JPA registry modules are loaded. So it's true when it's printed, but a minute or so

[cas-user] upgrading to 5.2.2

2018-02-08 Thread Satnam Sarai
Hello, I noticed that CAS throwing following two warning.. 2018-02-08 15:48:54,324 WARN > [org.apereo.cas.web.report.util.ControllerUtils] - Logging configuration > cannot be found in the environment settings > 2018-02-08 15:49:13,607 WARN > [org.apereo.cas.web.report.util.ControllerUtils] -

Re: [cas-user] Cas - Unauthorized

2018-02-08 Thread Ramakrishna G
Hello, I am using CAS on development server and soon I'll be shifting to production. I am using mod_auth_cas as client and I am running CAS server and CAS Client in same machine. Should I create certificates for both tomcat(CAS Server) and apache(CAS Client) or only tomcat(keystore) is fine? In

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread David Curry
I'm afraid Gradle is a complete mystery to me. Hopefully someone else can jump in. --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212 229-5300 x4728 • david.cu...@newschool.edu [image: The New School]

RE: [cas-user] cas-management 5.x cas-management.log java.io.IOException: Permission denied

2018-02-08 Thread SCHILENS, JEREMIAH
Hi Travis, Thank you for that information. I thought I was overriding the log4j.xml files by putting them in etc/cas/config for each overlay but I just noticed I’m not. The reason the cas log4j works for me without permission error is because it sets baseDir to /etc/cas/logs.

RE: [cas-user] Cas - Unauthorized

2018-02-08 Thread SCHILENS, JEREMIAH
Hello, I have a similar setup, though I’m using an F5 load balancer for ssl offload and using my own tomcat install instead of the embedded to serve the war file. These are the options I’ve found I needed, your mileage may vary: cas.server.http.secure=ture cas.server.httpProxy.enabled=true

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread David Curry
These could probably be shortened up in a couple of ways by: - combining the [0] and [2] Active Directory configs, which go against different OUs of the same directory (but are otherwise identical), and - performing attribute resolution as part of the authentication process, which you

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
David, Thats really interesting actaully. Do you incorporate SAML2 proxy delegation in that properties file? We are using Shibboleth but plan to drop Shib and use SAML2 in CAS 5. === Thank You; Chris Cheltenham Technology Services The School District of

[cas-user] Re: CAS 4.2.7 login throttling not working

2018-02-08 Thread Meysam Shirazi
it's resolved by switching to 4.2.0! On Wednesday, February 7, 2018 at 10:21:06 PM UTC+3:30, Meysam Shirazi wrote: > > Any help?! > > On Tuesday, February 6, 2018 at 11:31:14 AM UTC+3:30, Meysam Shirazi wrote: >> >> Hello, >> >> I'm trying to use throttling on CAS 4.2.7 but it seems that it's

Re: [cas-user] Multiple Duo Instances

2018-02-08 Thread brian mancuso
Alright Misagh and Manfredo, I believe you're both putting me on the right track with this. Unfortunately, I haven't used a groovy script before and I'm having trouble getting it to get picked up by CAS. Could either of you help with this example? */etc/cas/selectiveDuo.groovy:* def String

[cas-user] Re: Problmes with Oauth grant type Password - CAS 5.1.4

2018-02-08 Thread Leo Pintos
Hi Anders! We made the configuration you told us and we got the next msg error [org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController] (default task-10) Grant type: [password] [org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController]

Re: [cas-user] Cas - Unauthorized

2018-02-08 Thread Man H
Its not possible CA's won't work in SSO if it's over http El jueves, 8 de febrero de 2018, Ramakrishna G escribió: > Hello Man H, > > I am planning to use NGINX Load balancer over https. The load balancer > takes care of redirecting to CAS Server and CAS client in *http*. Do you >

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Uxío Prego
If you are using UNIX-like, do: $ 7z l cas_without_ldap_support.war >cas_without_ldap_support_listing $ 7z l cas_supposedly_with_ldap_support.war >cas_supposedly_with_ldap_support_listing $ diff cas_*_listing > [...]ldap[...] $ _ If you are not, you can easily get a Cygwin equivalent of that.

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
David, Thank You !! === Thank You; Chris Cheltenham Technology Services The School District of Philadelphia Work # 215-400-5025 Cell # 215-301-6571 From: "David Curry" To: "cas-user" Sent: Thursday,

Re: [cas-user] Cas - Unauthorized

2018-02-08 Thread Man H
You will have to install it in both but this is not a CA's issue you will find more information in stack overflow etc about SSL tomcat apache configuration. If you install self signed certificate browser will challenge user to accept that as insecure. El jueves, 8 de febrero de 2018, Ramakrishna

Re: [cas-user] CAS 3.6 default-mobile-custom.css

2018-02-08 Thread Man H
You won't need it uses webjars El jueves, 8 de febrero de 2018, Matthew Hannay escribió: > > I am migrating from CAS 3.6 to 5.2.2 in 3.6 overlays it had > a default-mobile-custom.css > Does somthing equivilent exist in CAS5 .2.2 to date I have not found any > thing. >

Re: [cas-user] Cas - Unauthorized

2018-02-08 Thread Ramakrishna G
Hello Man H, I am planning to use NGINX Load balancer over https. The load balancer takes care of redirecting to CAS Server and CAS client in *http*. Do you recommend this approach? If yes then how do I enable SSO over http? For outside world it would be https but internally I am planning to

Re: [cas-user] Cas - Unauthorized

2018-02-08 Thread Man H
You could do that in previous versions < 4.1 o 4.2 I am not sure El jueves, 8 de febrero de 2018, Ramakrishna G escribió: > Hello Man H, > > I am planning to use NGINX Load balancer over https. The load balancer > takes care of redirecting to CAS Server and CAS client in *http*. Do

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread David Curry
$ jar tvf cas.war | grep ldap WEB-INF/lib/cas-server-support-ldap-5.2.2.jar WEB-INF/lib/cas-server-support-ldap-core-5.2.2.jar WEB-INF/lib/ldaptive-1.2.3.jar WEB-INF/lib/ldaptive-beans-1.2.3.jar WEB-INF/lib/ldaptive-unboundid-1.2.3.jar WEB-INF/lib/unboundid-ldapsdk-4.0.1.jar

[cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
Hello folks, I think I have been confusing everyone with too much incongruent information. If I may I will ask things in a more logical manner. I an still not able to connect with CAS 5 via LDAP. My first question is , how do I know the ldap dependency was built into the cas.war file?

Re: [cas-user] Multiple Duo Instances

2018-02-08 Thread Man H
Start a new thread with full information such as version pom properties startup log with debug set etc ... El jueves, 8 de febrero de 2018, brian mancuso escribió: > Alright Misagh and Manfredo, I believe you're both putting me on the right > track with this. Unfortunately,

Re: [cas-user] Multiple Duo Instances

2018-02-08 Thread Man H
In version 5.2 this should be cas.authn.mfa.providerSelectorGroovyScript=file:/etc/cas/wathever.groovy El jueves, 8 de febrero de 2018, brian mancuso escribió: > Alright Misagh and Manfredo, I believe you're both putting me on the right > track with this. Unfortunately, I

Re: [cas-user] Multiple Duo Instances

2018-02-08 Thread brian mancuso
Hey Manfredo, I'm actually trying to go with the bypass vs the provider selector: Shown Here . I'm hoping to simplify the environment to only one Duo instance with the use of an LDAP attribute

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
David, I have the following jars. Is this sufficient for ldap support? [root@devcas5 lib]# pwd /opt/tcat/webapps/cas/WEB-INF/lib [root@devcas5 lib]# ll | grep ldap -rw-r- 1 root root 35536 Jan 26 13:26 cas-server-support-ldap-core-5.2.2.jar -rw-r- 1 root root 802456 Nov 27 11:40

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Man H
this is an Ldap error check your properties probably baseDn 2018-02-08 12:00 GMT-03:00 Cheltenham, Chris : > David, > > I have the following jars. > Is this sufficient for ldap support? > > [root@devcas5 lib]# pwd > /opt/tcat/webapps/cas/WEB-INF/lib > [root@devcas5

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread David Curry
I do not see this one: cas-server-support-ldap-5.2.2.jar which, I believe, is the one you need. I don't pretend to be an expert on these things. But when I build from the Maven overlay with this dependency included in pom.xml: org.apereo.cas

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
David, These are my my pom.xml dependencies. Its funny we are all kind of guessing , that's why we are here I suppose. I certainly am guessing. org.apereo.cas cas-server-support-ldap org.apereo.cas cas-server-webapp${app.server} ${cas.version} war runtime

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
Man, The basedn is correct in cas.properties. This search returns data so you can see the base dn. ldapsearch -H "ldaps://testldap.philasd.net" -x -w 'x' -LLL -b "dc=philasd,dc=org" -D "uid=shibauth,ou=svc_accts,dc=philasd,dc=org" "uid=ccheltenham-ext" [root@devcas5 config]# cat

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Man H
With debug you can see if cas gets connected to Ldap 2018-02-08 12:27 GMT-03:00 Cheltenham, Chris : > Man, > > The basedn is correct in cas.properties. > > > This search returns data so you can see the base dn. > ldapsearch -H "ldaps://testldap.philasd.net" -x -w

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
Man, Here is the debug info and the error. [root@devcas5 logs]# tail catalina.out 2018-02-08 10:08:50,014 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - 2018-02-08 10:08:50,014 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - 2018-02-08

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Man H
I mean startup log and relevant log relating connection to LDAP. there is a constant poll to ldap looged 2018-02-08 12:41 GMT-03:00 Cheltenham, Chris : > Man, > > Here is the debug info and the error. > > [root@devcas5 logs]# tail catalina.out > 2018-02-08

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread David Curry
Try changing what you have: org.apereo.cas cas-server-support-ldap to this: org.apereo.cas cas-server-support-ldap ${cas.version} I'm pretty sure you have to have a version in there, so Maven knows