Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
Thanks David, That's a bit eye opening, the orders and different authorizing entities. === Thank You; Chris Cheltenham Technology Services The School District of Philadelphia Work # 215-400-5025 Cell # 215-301-6571 From: "David Curry"

[cas-user] CAS 5.2.x Could not update the account password

2018-02-08 Thread casuser
I am using CAS 5.2.x. For reset password, I get the reset password email and from the link I can get to the reset password page where I enter my new password and retype it but I get this error on the browser "Could not update the account password" and nothing in the server log. I am using LDAP

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread David Curry
It's a pain in the butt, mostly. :-) One of these days we're going to consolidate everything into the One True Active Directory and get rid of the second directory, which will make our lives easier in all sorts of ways, but that's still somewhere out on the horizon. The use of two AD configs

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
Good for you David, We are still using LDAP with almost 200k users and maybe 30 attributes. It's complicated. Maybe M$ will loosen the cost of AD for a k-12 school district. Would be nice. === Thank You; Chris Cheltenham Technology Services The School

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread David Curry
We're also using Shibboleth today, and we're also planning to drop it in favor of CAS' SAML2 support. I have played a bit with using CAS as the IdP and it seems to work in my limited testing against the Shibboleth SP (mod_auth_shib) on Apache HTTPD. My project this month is to actually move what

[cas-user] Re: CAS 5.2.x

2018-02-08 Thread William E.
For Dave's docs: We too have been working on using cas 5.2's saml2 capabilities to replace a full shibboleth. Not quite there yet, but still working on it. FWIW - We use apache's mod_ajp to front tomcat and these lines are what we use in proxy_ajp.conf: ProxyPass /cas

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
David, Unfortunately that did not make a difference when I built the cas.war with gradle. When I used maven I got the same list you have. [root@devcas5 lib]# ll | grep ldap -rw-r--r-- 1 root root 14296 Feb 8 11:02 cas-server-support-ldap-5.2.2.jar -rw-r--r-- 1 root root 35536 Feb 8 11:02

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
David, Would you be able to share your CAS 5 cas.properties section? Please make sure to blank out things like passwords. === Thank You; Chris Cheltenham Technology Services The School District of Philadelphia Work # 215-400-5025 Cell # 215-301-6571 From:

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
Yes I hear you. I got talked into using gradle by a senior co-worker but I am scrapping that. I am not a developer and I am trying to understand the developer's environment. I think NOW, after Mr Curry helped me with the pom.xml, I am in cas.properties hell. There are just so many options

Re: [cas-user] Cas - Unauthorized

2018-02-08 Thread Mukunthini Jeyakumar
Hi, I'm getting the error only if I turn on CASValidateSAML and use the CASValidateURL with the samlValidate endpoint. Authorization Required This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password),

Re: [cas-user] Cannot retrieve user attributes from PHP application behind mod_auth_cas

2018-02-08 Thread Mukunthini Jeyakumar
Hi David, I'm using mod_auth_cas configured to use the "samlValidate" endpoint. When I turn on CASValidateSAML and configure saml endpoint I'm getting the following error Authorization Required This server could not verify that you are authorized to access the document requested. Either you

[cas-user] how do I capture audit log trail for unauthorized users who are denied access to a service in an accessStrategy configuration of one of my JSON files?

2018-02-08 Thread crdaudt
For one of my services, I have the following accessStrategy defined in my JSON file: ---begin--- "accessStrategy" : { "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy", "enabled" : true, "unauthorizedRedirectUrl" :

Re: [cas-user] how do I capture audit log trail for unauthorized users who are denied access to a service in an accessStrategy configuration of one of my JSON files?

2018-02-08 Thread Ray Bon
Carl, This already should be in log4j2: Ray On Thu, 2018-02-08 at 13:06 -0800, crdaudt wrote: For one of my services, I have the following accessStrategy defined in my JSON file: ---begin--- "accessStrategy" : { "@class" :
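The question above is how to get an audit trail for users an accessStrategy turns away. In CAS 5 these events already reach the audit trail manager (what Ray is pointing at in the log4j2 configuration, typically the cas_audit.log appender), so the practical step is to filter that log for the service-access-enforcement records. The following is an added example, not CAS or inspektr code: it parses the default "Audit trail record BEGIN" block format, filters by action, and pulls the service out of the WHAT field. The sample log text is constructed here, and the action name SERVICE_ACCESS_ENFORCEMENT_TRIGGERED is an assumption that should be confirmed against the audit log of the CAS version in use.

```python
"""Filter CAS audit trail records for service-access denials.

Added example (not CAS code). Parses the default inspektr/slf4j audit
block format and returns the records whose ACTION marks an access
strategy denial. Sample records below are constructed for this example.
"""
import re

# Audit action emitted when a registered service's access strategy denies
# a principal. ASSUMPTION: verify this name against your own cas_audit.log.
DENIED_ACTION = "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED"

RECORD_START = "Audit trail record BEGIN"
# "KEY: value" lines; keys are upper-case words, possibly with spaces
# ("CLIENT IP ADDRESS"). Non-greedy so a ": " inside the value is kept.
FIELD = re.compile(r"^([A-Z][A-Z ]+?): (.*)$")

# Constructed sample: one login, one denial, one normal service ticket.
SAMPLE_AUDIT_LOG = """\
Audit trail record BEGIN
=============================================================
WHO: ccheltenham
WHAT: Supplied credentials: [ccheltenham]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Thu Feb 08 13:06:01 PST 2018
CLIENT IP ADDRESS: 203.0.113.10
SERVER IP ADDRESS: 192.0.2.20
=============================================================

Audit trail record BEGIN
=============================================================
WHO: ccheltenham
WHAT: {service=https://restricted.example.org/, principal=ccheltenham, result=unauthorized}
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Thu Feb 08 13:06:02 PST 2018
CLIENT IP ADDRESS: 203.0.113.10
SERVER IP ADDRESS: 192.0.2.20
=============================================================

Audit trail record BEGIN
=============================================================
WHO: ccheltenham
WHAT: ST-1-abc for https://open.example.org/
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Thu Feb 08 13:06:03 PST 2018
CLIENT IP ADDRESS: 203.0.113.10
SERVER IP ADDRESS: 192.0.2.20
=============================================================
"""


def parse_audit_records(text):
    """Split the audit log into records and return each as a dict of fields."""
    records = []
    for chunk in text.split(RECORD_START)[1:]:
        rec = {}
        for line in chunk.splitlines():
            m = FIELD.match(line.strip())
            if m:
                rec[m.group(1)] = m.group(2)
        if rec:
            records.append(rec)
    return records


def denied_access_events(text, action=DENIED_ACTION):
    """Return only the records whose ACTION is the access-denial action."""
    return [r for r in parse_audit_records(text) if r.get("ACTION") == action]


def service_of(rec):
    """Extract the service id from a WHAT value like {service=..., ...}."""
    m = re.search(r"service=([^,}\s]+)", rec.get("WHAT", ""))
    return m.group(1) if m else None


if __name__ == "__main__":
    # Usage: python audit_denials.py /var/log/cas/cas_audit.log
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    for rec in denied_access_events(text):
        print(rec.get("WHEN"), rec.get("WHO"), rec.get("CLIENT IP ADDRESS"),
              service_of(rec))
```

Run against the real cas_audit.log this gives a one-line-per-denial trail (time, principal, client IP, service) that can be shipped to a SIEM; if the action name differs in your release, grep the audit log for the WHAT of a known denied attempt and set DENIED_ACTION accordingly.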

Re: [cas-user] Cas - Unauthorized

2018-02-08 Thread Ramakrishna G
Hello, I am using CAS on development server and soon I'll be shifting to production. I am using mod_auth_cas as client and I am running CAS server and CAS Client in same machine. Should I create certificates for both tomcat(CAS Server) and apache(CAS Client) or only tomcat(keystore) is fine? In

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread David Curry
I'm afraid Gradle is a complete mystery to me. Hopefully someone else can jump in. --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212 229-5300 x4728 • david.cu...@newschool.edu

RE: [cas-user] cas-management 5.x cas-management.log java.io.IOException: Permission denied

2018-02-08 Thread SCHILENS, JEREMIAH
Hi Travis, Thank you for that information. I thought I was overriding the log4j.xml files by putting them in etc/cas/config for each overlay but I just noticed I’m not. The reason the cas log4j works for me without permission error is because it sets baseDir to /etc/cas/logs.

RE: [cas-user] Cas - Unauthorized

2018-02-08 Thread SCHILENS, JEREMIAH
Hello, I have a similar setup, though I'm using an F5 load balancer for SSL offload and using my own Tomcat install instead of the embedded one to serve the war file. These are the options I've found I needed, your mileage may vary: cas.server.http.secure=true cas.server.httpProxy.enabled=true

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread David Curry
These could probably be shortened up in a couple of ways by: - combining the [0] and [2] Active Directory configs, which go against different OUs of the same directory (but are otherwise identical), and - performing attribute resolution as part of the authentication process, which you

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
David, That's really interesting actually. Do you incorporate SAML2 proxy delegation in that properties file? We are using Shibboleth but plan to drop Shib and use SAML2 in CAS 5. === Thank You; Chris Cheltenham Technology Services The School District of

[cas-user] Re: CAS 4.2.7 login throttling not working

2018-02-08 Thread Meysam Shirazi
it's resolved by switching to 4.2.0! On Wednesday, February 7, 2018 at 10:21:06 PM UTC+3:30, Meysam Shirazi wrote: > > Any help?! > > On Tuesday, February 6, 2018 at 11:31:14 AM UTC+3:30, Meysam Shirazi wrote: >> >> Hello, >> >> I'm trying to use throttling on CAS 4.2.7 but it seems that it's

Re: [cas-user] Multiple Duo Instances

2018-02-08 Thread brian mancuso
Alright Misagh and Manfredo, I believe you're both putting me on the right track with this. Unfortunately, I haven't used a groovy script before and I'm having trouble getting it to get picked up by CAS. Could either of you help with this example? */etc/cas/selectiveDuo.groovy:* def String

[cas-user] Re: Problmes with Oauth grant type Password - CAS 5.1.4

2018-02-08 Thread Leo Pintos
Hi Anders! We made the configuration you told us and we got the following error message [org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController] (default task-10) Grant type: [password] [org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController]

Re: [cas-user] Cas - Unauthorized

2018-02-08 Thread Man H
It's not possible; CAS won't work in SSO if it's over http. On Thursday, 8 February 2018, Ramakrishna G wrote: > Hello Man H, > > I am planning to use NGINX Load balancer over https. The load balancer > takes care of redirecting to CAS Server and CAS client in *http*. Do you >

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Uxío Prego
If you are using UNIX-like, do: $ 7z l cas_without_ldap_support.war >cas_without_ldap_support_listing $ 7z l cas_supposedly_with_ldap_support.war >cas_supposedly_with_ldap_support_listing $ diff cas_*_listing > [...]ldap[...] $ _ If you are not, you can easily get a Cygwin equivalent of that.

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
David, Thank You !! === Thank You; Chris Cheltenham Technology Services The School District of Philadelphia Work # 215-400-5025 Cell # 215-301-6571 From: "David Curry" To: "cas-user" Sent: Thursday,

Re: [cas-user] Cas - Unauthorized

2018-02-08 Thread Man H
You will have to install it in both, but this is not a CAS issue; you will find more information on Stack Overflow etc. about SSL Tomcat/Apache configuration. If you install a self-signed certificate the browser will challenge the user to accept it as insecure. On Thursday, 8 February 2018, Ramakrishna

Re: [cas-user] CAS 3.6 default-mobile-custom.css

2018-02-08 Thread Man H
You won't need it; it uses webjars. On Thursday, 8 February 2018, Matthew Hannay wrote: > > I am migrating from CAS 3.6 to 5.2.2. In 3.6 overlays it had > a default-mobile-custom.css > Does something equivalent exist in CAS 5.2.2? To date I have not found any > thing. >

Re: [cas-user] Cas - Unauthorized

2018-02-08 Thread Ramakrishna G
Hello Man H, I am planning to use NGINX Load balancer over https. The load balancer takes care of redirecting to CAS Server and CAS client in *http*. Do you recommend this approach? If yes then how do I enable SSO over http? For outside world it would be https but internally I am planning to

Re: [cas-user] Cas - Unauthorized

2018-02-08 Thread Man H
You could do that in previous versions, < 4.1 or 4.2, I am not sure. On Thursday, 8 February 2018, Ramakrishna G wrote: > Hello Man H, > > I am planning to use NGINX Load balancer over https. The load balancer > takes care of redirecting to CAS Server and CAS client in *http*. Do

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread David Curry
$ jar tvf cas.war | grep ldap WEB-INF/lib/cas-server-support-ldap-5.2.2.jar WEB-INF/lib/cas-server-support-ldap-core-5.2.2.jar WEB-INF/lib/ldaptive-1.2.3.jar WEB-INF/lib/ldaptive-beans-1.2.3.jar WEB-INF/lib/ldaptive-unboundid-1.2.3.jar WEB-INF/lib/unboundid-ldapsdk-4.0.1.jar

Re: [cas-user] Multiple Duo Instances

2018-02-08 Thread Man H
Start a new thread with full information such as version, pom, properties, startup log with debug set, etc. On Thursday, 8 February 2018, brian mancuso wrote: > Alright Misagh and Manfredo, I believe you're both putting me on the right > track with this. Unfortunately,

Re: [cas-user] Multiple Duo Instances

2018-02-08 Thread Man H
In version 5.2 this should be cas.authn.mfa.providerSelectorGroovyScript=file:/etc/cas/whatever.groovy On Thursday, 8 February 2018, brian mancuso wrote: > Alright Misagh and Manfredo, I believe you're both putting me on the right > track with this. Unfortunately, I

Re: [cas-user] Multiple Duo Instances

2018-02-08 Thread brian mancuso
Hey Manfredo, I'm actually trying to go with the bypass vs the provider selector: Shown Here. I'm hoping to simplify the environment to only one Duo instance with the use of an LDAP attribute

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
David, I have the following jars. Is this sufficient for ldap support? [root@devcas5 lib]# pwd /opt/tcat/webapps/cas/WEB-INF/lib [root@devcas5 lib]# ll | grep ldap -rw-r--r-- 1 root root 35536 Jan 26 13:26 cas-server-support-ldap-core-5.2.2.jar -rw-r--r-- 1 root root 802456 Nov 27 11:40

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Man H
This is an LDAP error; check your properties, probably baseDn. 2018-02-08 12:00 GMT-03:00 Cheltenham, Chris : > David, > > I have the following jars. > Is this sufficient for ldap support? > > [root@devcas5 lib]# pwd > /opt/tcat/webapps/cas/WEB-INF/lib > [root@devcas5

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread David Curry
I do not see this one: cas-server-support-ldap-5.2.2.jar which, I believe, is the one you need. I don't pretend to be an expert on these things. But when I build from the Maven overlay with this dependency included in pom.xml: org.apereo.cas
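The recurring check in this thread (Uxío's diff of two `7z l` listings, David's `jar tvf cas.war | grep ldap`, and the missing cas-server-support-ldap jar above) amounts to: does the built cas.war carry the jars the LDAP authentication handler needs? The following is an added example, not CAS or overlay code, that does the same check programmatically so it can run in a build pipeline before the war is deployed. The list of expected jar names is taken from David's listing in this thread; the two sample .war files are constructed in the script so it runs offline.

```python
"""Verify that a CAS overlay build (cas.war) contains the LDAP support jars.

Added example (not CAS code). A .war is a zip, so the check reads
WEB-INF/lib/ directly instead of shelling out to jar/7z. The sample wars
below are constructed with empty jar bodies just to exercise the check.
"""
import io
import re
import zipfile

# Jar name prefixes expected in a CAS 5.2 build that includes
# cas-server-support-ldap (names from the listing posted in the thread).
REQUIRED_LDAP_JARS = (
    "cas-server-support-ldap-",
    "cas-server-support-ldap-core-",
    "ldaptive-",
    "ldaptive-beans-",
    "ldaptive-unboundid-",
    "unboundid-ldapsdk-",
)


def list_lib_jars(war_bytes):
    """Return the bare file names of every jar under WEB-INF/lib/."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        return [n.rsplit("/", 1)[-1] for n in zf.namelist()
                if n.startswith("WEB-INF/lib/") and n.endswith(".jar")]


def missing_ldap_jars(war_bytes):
    """Return the required artifact names that are absent from the war.

    A prefix must be followed directly by a version digit, so the
    "cas-server-support-ldap-" requirement is not satisfied by
    cas-server-support-ldap-core-5.2.2.jar (the exact mixup in the thread).
    """
    jars = list_lib_jars(war_bytes)
    missing = []
    for prefix in REQUIRED_LDAP_JARS:
        pat = re.compile(re.escape(prefix) + r"\d[^/]*\.jar$")
        if not any(pat.match(j) for j in jars):
            missing.append(prefix.rstrip("-"))
    return missing


def listing_diff(war_a, war_b):
    """Jars present in war_b but not war_a, like diffing two 7z/jar listings."""
    return sorted(set(list_lib_jars(war_b)) - set(list_lib_jars(war_a)))


def build_sample_war(jar_names):
    """Construct a minimal war-shaped zip holding the named (empty) jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        for name in jar_names:
            zf.writestr("WEB-INF/lib/" + name, b"")
    return buf.getvalue()


# Constructed samples: a build missing the support-ldap jar, and a full one.
PARTIAL_WAR = build_sample_war([
    "cas-server-support-ldap-core-5.2.2.jar",
    "ldaptive-1.2.3.jar",
    "unboundid-ldapsdk-4.0.1.jar",
])
FULL_WAR = build_sample_war([
    "cas-server-support-ldap-5.2.2.jar",
    "cas-server-support-ldap-core-5.2.2.jar",
    "ldaptive-1.2.3.jar",
    "ldaptive-beans-1.2.3.jar",
    "ldaptive-unboundid-1.2.3.jar",
    "unboundid-ldapsdk-4.0.1.jar",
])


if __name__ == "__main__":
    # Usage: python check_cas_war.py target/cas.war   (defaults to the sample)
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else PARTIAL_WAR
    missing = missing_ldap_jars(data)
    print("missing:", missing or "none")
    sys.exit(1 if missing else 0)
```

Wire the exit status into the overlay build (Maven or Gradle) so a war that silently lost its LDAP dependency fails the pipeline instead of surfacing as an "LDAP error" at login time.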

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Cheltenham, Chris
Man, The basedn is correct in cas.properties. This search returns data so you can see the base dn. ldapsearch -H "ldaps://testldap.philasd.net" -x -w 'x' -LLL -b "dc=philasd,dc=org" -D "uid=shibauth,ou=svc_accts,dc=philasd,dc=org" "uid=ccheltenham-ext" [root@devcas5 config]# cat

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Man H
With debug you can see if CAS gets connected to LDAP. 2018-02-08 12:27 GMT-03:00 Cheltenham, Chris : > Man, > > The basedn is correct in cas.properties. > > > This search returns data so you can see the base dn. > ldapsearch -H "ldaps://testldap.philasd.net" -x -w

Re: [cas-user] CAS 5.2.x

2018-02-08 Thread Man H
I mean the startup log and the relevant log lines relating to the connection to LDAP; there is a constant poll to LDAP logged. 2018-02-08 12:41 GMT-03:00 Cheltenham, Chris : > Man, > > Here is the debug info and the error. > > [root@devcas5 logs]# tail catalina.out > 2018-02-08