Re: [cas-user] CAS 6.6.8 - Authenticate using AD

2023-06-16 Thread Daniel Fisher
> d=true], connectionValidator=null, transportOptions={}],
> channel=[id: 0x560c13d8, L:/127.0.0.1:64781 - R:localhost/127.0.0.1:389]>

Any localhost firewall rules that may be causing problems? What do the AD logs say?

Re: [cas-user] CAS 6.6.12 LDAP error messages

2024-02-15 Thread Daniel Fisher
> ction by doing a BIND on it?

The passivator is not designed to solve the issue you're having. It is meant to solve the problem where connections cannot be validated because the entry they are bound as is not authorized to perform the validation operation.

--Daniel Fisher -- - Website:

Re: [cas-user] CAS won't start if LDAP connection fails

2019-07-26 Thread Daniel Fisher
> tinue to try to reconnect to the LDAP server in the background. I want the other authentication sources to continue to work.

There is a property on the pool called 'failFastInitialize'. Hopefully it's exposed in the configuration somewhere; set it to false.

Re: [cas-user] cas 5.2.x leaking connections

2020-01-11 Thread Daniel Fisher
uthn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider

I thought that CAS used the UnboundID provider by default, so I'm curious why you were impacted by this bug. (Another solution is to use Java 8.)

--Daniel Fisher

Re: [cas-user] cas 5.2.x leaking connections

2020-01-13 Thread Daniel Fisher
On Mon, Jan 13, 2020 at 11:26 AM Trenton D. Adams wrote:
> We are using Java 8 though, and we are using the UnboundIDProvider.

Can you post some logs that demonstrate the problem? Both application logs and OS netstat logs would be useful.

--Daniel Fisher

Re: [cas-user] Secure Ldap (LDAPS) --(PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)

2020-02-19 Thread Daniel Fisher
> ssword=keystorepassword

Try adding new properties:

cas.authn.ldap[0].trustStore=file:/etc/cas/thetruststore
cas.authn.ldap[0].trustStorePassword=truststorepassword

Then import your CA into that truststore file. I'm not certain about the camel casing of those properties, but it should be something clo

Re: [cas-user] Secure Ldap (LDAPS) --(PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)

2020-02-19 Thread Daniel Fisher
> st store parameters?

The keystore is used for authentication material, the truststore is used for trust material. Putting trust material in the keystore file will not fix this issue. Also note that the default type is JKS; if you're using PKCS12 you'll need to set the trustStoreType p

Re: [cas-user] CAS with LDAP: ObjectGUID retrieved with attribute repository different than with authentication handler

2020-05-05 Thread Daniel Fisher
lers[0].type=OBJECT_GUID
and
cas.authn.attributeRepository.ldap[0].searchEntryHandlers[0].type=OBJECT_GUID

Do you get the string representation of the objectGUID and are they the same?

--Daniel Fisher

Re: [cas-user] LDAP timeouts after Java upgrade

2020-05-05 Thread Daniel Fisher
> sion of Java (251), and after doing so noticed that the LDAP connections quickly begin to time out with the following error:
>
> javax.naming.NamingException: LDAP response read timed out, timeout used:-1ms

Do you have a responseTimeout duration configured?

--Dan

Re: [cas-user] LDAP timeouts after Java upgrade

2020-05-06 Thread Daniel Fisher
That JNDI bug affects Java versions 9-13. And it doesn't affect CAS unless you've specifically enabled the JndiProvider. I believe the UnboundID provider is enabled by default.

--Daniel Fisher

On Wed, May 6, 2020 at 11:48 AM Ray Bon wrote:
> Baron,
>
> I seem to recall a bug i

Re: [cas-user] LDAP timeouts after Java upgrade

2020-05-06 Thread Daniel Fisher
On Wed, May 6, 2020 at 1:40 PM Baron Fujimoto wrote:
> On Tue, May 05, 2020 at 11:42:01PM -0400, Daniel Fisher wrote:
> >On Tue, May 5, 2020 at 11:15 PM Baron Fujimoto wrote:
> >
> >> We're running CAS 5.0.10 under Tomcat 8.5.54 with LDAP (389DS) for
> >>

Re: [cas-user] LDAP timeouts after Java upgrade

2020-05-07 Thread Daniel Fisher
ere is some other difference between the JVMs. Something that would make TCP timeouts much shorter.

--Daniel Fisher

Re: [cas-user] LDAP timeouts after Java upgrade

2020-05-15 Thread Daniel Fisher
> that results in the timeout failures, netstat still shows the three connections to ldap, so the OS still thinks the connections exist.

More evidence that you have a half-open connection. What does netstat on your directory report?

--Daniel Fisher

Re: [cas-user] Passvators and Connection Strategy 6.1.6

2020-05-18 Thread Daniel Fisher
ection is returned to the pool. The connection strategy defines how multiple URLs should be handled when a connection is opened. What do your logs say when the domain controller is rebooted?

--Daniel Fisher

Re: [cas-user] Account get locked in first failed login attempt

2020-05-20 Thread Daniel Fisher
> . During unsuccessful login, bind will happen on both simultaneously, which will result in account lock.

Can you post the CAS logs that show simultaneous binds?

--Daniel Fisher

Re: [cas-user] Passvators and Connection Strategy 6.1.6

2020-05-22 Thread Daniel Fisher
> ityContext error, data 52e, v4563 ^@', ldapSDKVersion=4.0.12, revision=aaefc59e0e6d110bf3a8e8a029adb776f6d2ce28

Can you confirm the bind credentials work against all 4 directories?

--Daniel Fisher

Re: [cas-user] Passvators and Connection Strategy 6.1.6

2020-05-22 Thread Daniel Fisher
se two errors are related. And notably, they are more than 15 minutes apart in the logs.

--Daniel Fisher

Re: [cas-user] Account get locked in first failed login attempt

2020-05-22 Thread Daniel Fisher
> the same BIND.

In the absence of logs I really can't make a suggestion. Continue watching the other thread and hopefully Eric will hit on a solution.

--Daniel Fisher

Re: [cas-user] CAS 5.2/5.3 cas.util.LdapUtils try connect to localhost for LDAP

2020-07-30 Thread Daniel Fisher
On Thu, Jul 30, 2020 at 3:23 AM mohsen saeedi wrote:
> Jul 30 11:24:40 SSO1 server[4213]: 2020-07-30 11:24:40,315 ERROR [org.ldaptive.pool.BlockingConnectionPool]

What error is reported here?

--Daniel Fisher

Re: [cas-user] CAS Management + LDAP roles

2020-08-18 Thread Daniel Fisher
> er is a member of this groupOfMember

Can you put org.ldaptive in DEBUG to confirm the groupOfMember query is happening?

--Daniel Fisher

Re: [cas-user] Forcing CAS to reconnect to LDAP

2016-02-12 Thread Daniel Fisher
exception handler is wired by default. Its behavior can be controlled by setting operationExceptionResultCodes on the ProviderConfig. The JndiProviderConfig comes with some sensible defaults. But as I mentioned, I don't think that's the right solution to this problem.

--Daniel Fishe

Re: [cas-user] ldap trusted certs error: java.io.IOException: Empty input

2016-02-26 Thread Daniel Fisher
> icatesCredentialReader.java:31)

I would expect a different credential reader to be used if you are using cacerts for trust. What does your LDAP SSL configuration look like?

--Daniel Fisher

Re: [cas-user] ldap trusted certs error: java.io.IOException: Empty input

2016-02-27 Thread Daniel Fisher
> ustedCert=file:///c:/java/jre7/lib/security/cacerts
>
> ldap.trustedCert=file:///c:/Program Files/Java/jdk1.7.0_21/jre/lib/security/cacerts

This configuration is for a PEM or DER encoded certificate(s). Use the following for keystores:

And in your case, using the d

Re: [cas-user] question ldap auth ssl config upgrade 4.0.4 to 4.2

2016-04-14 Thread Daniel Fisher
> p:keyStoreType="${sslConfig.keyStoreType}"
> p:keyStorePassword="${sslConfig.keyStorePassword}" />

What are you using this keystore for? TLS client authentication? Manager binds with SASL for DN resolutio

Re: [cas-user] ldaptive documentation missing

2016-04-21 Thread Daniel Fisher
> ;
>
> The ldaptive document returns a 404:
>
> http://www.ldaptive.org/schema/spring-ext.xsd

I've added spring-ext-1.1.0.xsd and spring-ext.xsd. The non-versioned file name will always point to the latest tagged version.

--Daniel Fisher

Re: [cas-user] ldaptive documentation missing

2016-10-13 Thread Daniel Fisher
I'm not sure what to make of this. I didn't think that URN needed to be reachable, but I added an index.html just in case. If this problem is some quirkiness with GitHub Pages then it may take some time to reproduce.

--Daniel Fisher

Re: [cas-user] CAS Ldaptive connectTimeout java.time.Duration

2016-10-17 Thread Daniel Fisher
properties in your config you'll also need to change to duration syntax.

--Daniel Fisher

Re: [cas-user] CAS Ldaptive connectTimeout java.time.Duration

2016-10-17 Thread Daniel Fisher
vert 3000 to a duration. In this case, 3000 == PT3S

> I don't understand how to force the data type to integer. Is ldaptive 1.1.x compatible with CAS 4.2.6?

I'm not sure about which versions are compatible where; Misagh can take that one.

--Daniel Fisher

Re: [cas-user] LDAP DN Value from LDAP

2020-12-01 Thread Daniel Fisher
> However I'm unable to get the DN of the user's LDAP entry to resolve.

I'm not too familiar with CAS configuration, but you want to enable the DN_ATTRIBUTE_ENTRY handler: https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#ldap-search-entry-handl

Re: [cas-user] Re: CAS connect active directory

2020-12-17 Thread Daniel Fisher
> "

Yes. Try removing the double quotes from the bind-credential property.

--Daniel Fisher

Re: [cas-user] CAS memory leak issue in Production : CAS 6.3.2

2021-05-05 Thread Daniel Fisher
lizing searchFactory as part of the bean's initialization. Otherwise you should change searchFactory to be a local variable. (It will be fairly inefficient to create a pooled connection factory for each search operation.)

--Daniel Fisher

Re: [cas-user] Ldap AbsctractConnectionPool failed validation

2021-08-25 Thread Daniel Fisher
heck your LDAP logs to confirm.

--Daniel Fisher

Re: [cas-user] LDAP connexion/pool configuration

2022-01-05 Thread Daniel Fisher
EBUG and you should see why connection validation failed. You're likely correct that you need to configure a bind connection passivator.

--Daniel Fisher

Re: [cas-user] Re: CAS 6.4 / Netty errors

2022-01-06 Thread Daniel Fisher
> t even in error).
>
> The problem is with the class netty-transport-4.1.65.Final.jar. When I remove it, it's working.

Can you confirm whether you have conflicting netty jars in your classpath?

--Daniel Fisher

Re: [cas-user] LDAP connexion/pool configuration

2022-01-06 Thread Daniel Fisher
> n

I can't say exactly because there are logs missing between 12:02 and 12:12, but my best guess is that your validation search is timing out. It must return within 5 seconds or the validation would fail in this manner. Check your LDAP server logs for a rootDSE search for (objectClass=*).

Re: [cas-user] CAS LDAP authentication with OpenLDAP aliases?

2022-05-19 Thread Daniel Fisher
> department,o=myorg".
> 4. CAS attempts a BIND against this DN with the provided password.

It sounds like you need to set derefAliases to something other than the default (NEVER). https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties-Common.html#ldap-authenticat

Re: [cas-user] CAS 6.1.7 attribute for person A released during Person B login

2022-10-18 Thread Daniel Fisher
BUG to confirm the LDAP search results are what you expect.

--Daniel Fisher

Re: [cas-user] Deprecated LDAP settings in 6.6.2

2022-11-17 Thread Daniel Fisher
On Thu, Nov 17, 2022 at 10:16 AM BenDDD wrote:
> But if I enable it, the service no longer starts:

LDAPS and startTLS are mutually exclusive. Either use a URL with ldaps:// or use ldap:// and set use-start-tls=true.

--Daniel Fisher

Re: [cas-user] CAS 6.6.3 - LDAPS

2023-03-29 Thread Daniel Fisher
> authn.ldap[0].ldapUrl=ldaps://VDC.FQDN:636
> #cas.authn.ldap[0].startTLS=true

The keystore properties are used to configure authentication credentials. To configure trust anchors you can use:

cas.authn.ldap[0].trust-store=
cas.authn.ldap[0].trust-store-password=
cas.authn.ldap[0].trus

Re: [cas-user] CAS 6.1.x Ldaps configuration problem

2019-01-25 Thread Daniel Fisher
This appears to be a bug in JNDI code that manifests with an NPE in the ldaptive thread local code. I've filed an issue, but there isn't a resolution yet. Workarounds include:

* Use startTLS
* Use the UnboundID provider
* Use Java 8 (versions 9-12 are all affected)

--Daniel Fisher

O

Re: [cas-user] LDAP Threads

2019-03-06 Thread Daniel Fisher
> there a way to ensure that threads time out after some time instead of getting stuck in limbo? Thank you.

What version of Java are you using? Java >=9 has a JNDI bug that orphans LDAP connections. You can configure CAS to use the UnboundID provider to work around this is

Re: [cas-user] CAS 4.2.7 and Active Directory

2017-01-18 Thread Daniel Fisher
On Wed, Jan 18, 2017 at 10:41 AM, Ben Branch wrote:
> #
> # Authentication
> #
> ldap.authn.searchFilter=sAMAccountName=%u

Try ldap.authn.searchFilter=(sAMAccountName={user

Re: [cas-user] problem retrieving ldap attributes CAS 4.2.x

2017-02-19 Thread Daniel Fisher
> please help me get LDAP attributes?

Put the org.ldaptive package in DEBUG and see what the logs say. If you're certain the attributes are being requested, confirm that the user has read access to those attributes.

--Daniel Fisher

Re: [cas-user] problem retrieving ldap attributes CAS 4.2.x

2017-02-20 Thread Daniel Fisher
On Mon, Feb 20, 2017 at 4:30 PM, rbon wrote:
> The attributes are released with 3.5.2.1 so it is not a user access issue.
> I have double checked that 3.5.2.1 and 4.2.7 installs are connecting to the same ldap with the same settings.
> I have attached logs relating to the ldaptive search.
>
> F

Re: [cas-user] CAS 5.1.0 - How to authenticate user with SSHA LDAP password (was working with cas.authn.ldap[0].type=SASL)

2017-05-31 Thread Daniel Fisher
areAuthenticationHandler component does not support salted hashes. I don't know which set of CAS properties wires up the ldaptive authentication handler, but you want to use the PooledBindAuthenticationHandler. This way your directory will handle the work of comparing salted hashes.

--Daniel Fis

Re: [cas-user] Issue with LDAP authentication: LDAP response read timed out

2017-06-22 Thread Daniel Fisher
> 2017-06-22 15:07:18,761 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - Credentials may be incorrect or CAS cannot find authentication handler that supports [t.benutzer] of type [UsernamePasswordCredential], which suggests a configuration proble

Re: [cas-user] Issue with LDAP authentication: LDAP response read timed out

2017-06-22 Thread Daniel Fisher
That's it, just wanted to make sure you're actually using a pool. Can you post your complete configuration?

--Daniel Fisher

On Thu, Jun 22, 2017 at 11:05 AM, David Hübner wrote:
> What exactly are we talking about?
> I have cas.authn.ldap[0].minPoolSize and maxPoolSize set to

Re: [cas-user] Issue with LDAP authentication: LDAP response read timed out

2017-06-22 Thread Daniel Fisher
c validation and then tweak the validate period for your environment.

--Daniel Fisher

Re: [cas-user] CAS 5.0.5 - LDAP check out validation failure results in failed authentication

2017-07-10 Thread Daniel Fisher
s to see why validation is failing.

--Daniel Fisher

Re: [cas-user] CAS 5.0.5 - LDAP check out validation failure results in failed authentication

2017-07-11 Thread Daniel Fisher
> alStateException: Connection is not open

Here's the connection validation failing, presumably because of the close passivator. There's definitely some strange stuff going on here. I see you changed your config and got it working; however, it should be possible to get the behavior you wa

Re: [cas-user] Problem with 5.1.6 - LDAP derefAlias

2017-11-30 Thread Daniel Fisher
a big deal.

--Daniel Fisher

On Thu, Nov 30, 2017 at 12:40 AM, Marc K. wrote:
> Hi,
>
> I recently updated our CAS 3.x with some modifications to the new Apereo CAS 5.1.6. After messing around with tons of properties I'm currently facing the problem of users not able to

Re: [cas-user] LDAP attributes

2018-02-01 Thread Daniel Fisher
his property?

cas.authn.ldap[0].searchEntryHandlers[0].type=OBJECT_GUID

--Daniel Fisher