d=true], connectionValidator=null, transportOptions={}],
> channel=[id: 0x560c13d8, L:/127.0.0.1:64781 <http://127.0.0.1:64781> -
> R:localhost/127.0.0.1:389 <http://127.0.0.1:389>]>*
>
Any localhost firewall rules that may be causing problems? What do the AD
logs say?
ction by doing a BIND on it?
>
The passivator is not designed to solve the issue you're having. It is
meant to solve the problem where connections cannot be validated because
the entry they are bound as is not authorized to perform the validation
operation.
--Daniel Fisher
--
- Website:
tinue to try to reconnect to the
> LDAP server in the background. I want the other authentication sources to
> continue to work.
>
There is a property on the pool called 'failFastInitialize'. Hopefully it's
exposed in the configuration somewhere; set it to false.
uthn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
I thought that CAS used the UnboundID provider by default, so I'm curious
why you were impacted by this bug.
(Another solution is to use Java 8)
--Daniel Fisher
On Mon, Jan 13, 2020 at 11:26 AM Trenton D. Adams
wrote:
> We are using Java 8 though, and we are using the UnboundIDProvider.
>
Can you post some logs that demonstrate the problem? Both application logs
and OS netstat logs would be useful.
--Daniel Fisher
ssword=keystorepassword
>
>
Try adding new properties:
cas.authn.ldap[0].trustStore=file:/etc/cas/thetruststore
cas.authn.ldap[0].trustStorePassword=truststorepassword
Then import your CA into that truststore file. I'm not certain about the
camel casing of those properties, but it should be something clo
st store parameters?
>
The keystore is used for authentication material, the truststore is used
for trust material. Putting trust material in the keystore file will not
fix this issue. Also note that the default type is JKS; if you're using
PKCS12 you'll need to set the trustStoreType p
lers[0].type=OBJECT_GUID
and
cas.authn.attributeRepository.ldap[0].searchEntryHandlers[0].type=OBJECT_GUID
Do you get the string representation of the objectGUID and are they the
same?
--Daniel Fisher
sion of Java (251), and after doing so noticed that the LDAP connections
> quickly begin to time out with the following error:
>
> javax.naming.NamingException: LDAP response read timed out, timeout
> used:-1ms
>
Do you have a responseTimeout duration configured?
--Dan
That JNDI bug affects Java versions 9-13, and it doesn't affect CAS unless
you've specifically enabled the JndiProvider. I believe the UnboundID
provider is enabled by default.
--Daniel Fisher
On Wed, May 6, 2020 at 11:48 AM Ray Bon wrote:
> Baron,
>
> I seem to recall a bug i
On Wed, May 6, 2020 at 1:40 PM Baron Fujimoto wrote:
> On Tue, May 05, 2020 at 11:42:01PM -0400, Daniel Fisher wrote:
> >On Tue, May 5, 2020 at 11:15 PM Baron Fujimoto wrote:
> >
> >> We're running CAS 5.0.10 under Tomcat 8.5.54 with LDAP (389DS) for
> >>
ere is some other difference between
the JVMs. Something that would make TCP timeouts much shorter.
--Daniel Fisher
that results in the timeout failures, netstat still shows
> the three connections to ldap, so the OS still thinks the connections
> exist.
>
More evidence that you have a half open connection. What does netstat on
your directory report?
--Daniel Fisher
ection is returned to the pool. The
connection strategy defines how multiple URLs should be handled when a
connection is opened.
What do your logs say when the domain controller is rebooted?
--Daniel Fisher
. During unsuccessful login, bind will happen on both
> simultaneously, which will result in an account lock.
>
Can you post the CAS logs that show simultaneous binds?
--Daniel Fisher
ityContext error, data 52e, v4563
> ^@', ldapSDKVersion=4.0.12,
> revision=aaefc59e0e6d110bf3a8e8a029adb776f6d2ce28
>
Can you confirm the bind credentials work against all 4 directories?
--Daniel Fisher
se
two errors are related. And notably, they are more than 15 minutes apart in
the logs.
--Daniel Fisher
the same BIND.
>
In the absence of logs I really can't make a suggestion. Continue watching
the other thread and hopefully Eric will hit on a solution.
--Daniel Fisher
On Thu, Jul 30, 2020 at 3:23 AM mohsen saeedi
wrote:
> Jul 30 11:24:40 SSO1 server[4213]: 2020-07-30 11:24:40,315 ERROR
> [org.ldaptive.pool.BlockingConnectionPool]
>
What error is reported here?
--Daniel Fisher
er is a member of this groupOfMember
>
Can you put org.ldaptive in DEBUG to confirm the groupOfMember query is
happening?
--Daniel Fisher
exception handler is wired by default. Its behavior can be controlled
by setting operationExceptionResultCodes on the ProviderConfig. The
JndiProviderConfig comes with some sensible defaults. But as I mentioned, I
don't think that's the right solution to this problem.
--Daniel Fishe
icatesCredentialReader.java:31)
>
I would expect a different credential reader to be used if you are using
cacerts for trust. What does your LDAP SSL configuration look like?
--Daniel Fisher
ustedCert=file:///c:/java/jre7/lib/security/cacerts
>
> ldap.trustedCert=file:///c:/Program
> Files/Java/jdk1.7.0_21/jre/lib/security/cacerts
>
This configuration is for a PEM or DER encoded certificate(s). Use the
following for keystores:
And in your case, using the d
p:keyStoreType="${sslConfig.keyStoreType}"
>
> p:keyStorePassword="${sslConfig.keyStorePassword}" />
>
>
>
>
>
What are you using this keystore for? TLS client authentication? Manager
binds with SASL for DN resolutio
;
>
> The ldaptive document returns a 404:
>
> http://www.ldaptive.org/schema/spring-ext.xsd
>
>
I've added spring-ext-1.1.0.xsd and spring-ext.xsd.
The non-versioned file name will always point to the latest tagged version.
--Daniel Fisher
I'm not sure what to make of this. I didn't think that URN needed to be
reachable, but I added an index.html just in case. If this problem is some
quirkiness with github pages then it may take some time to reproduce.
--Daniel Fisher
properties in your config
you'll also need to change to duration syntax.
--Daniel Fisher
vert 3000 to a duration. In this case, 3000 == PT3S
>
> I don't understand how to force the data type to integer. Is ldaptive
> 1.1.x compatible with CAS 4.2.6?
>
I'm not sure about which versions are compatible where, Misgah can take
that one.
--Daniel Fisher
However I'm unable to get the DN of the
> user's LDAP entry to resolve.
>
I'm not too familiar with CAS configuration, but you want to enable the
DN_ATTRIBUTE_ENTRY handler:
https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#ldap-search-entry-handl
>
>
Yes. Try removing the double quotes from the bind-credential property.
--Daniel Fisher
lizing
searchFactory as part of the bean's initialization. Otherwise you should
change searchFactory to be a local variable. (It will be fairly inefficient
to create a pooled connection factory for each search operation.)
--Daniel Fisher
heck your LDAP logs to confirm.
--Daniel Fisher
EBUG and you should see why connection validation
failed. You're likely correct that you need to configure a bind connection
passivator.
--Daniel Fisher
t even in
> error).
>
> The problem is with the class netty-transport-4.1.65.Final.jar. When I
> remove it, it's working.
>
Can you confirm whether you have conflicting netty jars in your classpath?
--Daniel Fisher
n
>
I can't say exactly because there are logs missing between 12:02 and 12:12,
but my best guess is that your validation search is timing out. It must
return within 5 seconds or the validation would fail in this manner. Check
your LDAP server logs for a rootDSE search for (objectClass=*).
department,o=myorg".
>4. CAS attempts a BIND against this DN with the provided password.
>
>
It sounds like you need to set derefAliases to something other than the
default (NEVER).
https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties-Common.html#ldap-authenticat
BUG to confirm the LDAP search results are
what you expect.
--Daniel Fisher
On Thu, Nov 17, 2022 at 10:16 AM BenDDD wrote:
>
> But if I enable it, the service no longer starts:
>
LDAPS and startTLS are mutually exclusive. Either use a URL with ldaps://
or use ldap:// and set use-start-tls=true.
--Daniel Fisher
authn.ldap[0].ldapUrl=ldaps://VDC.FQDN:636
> #cas.authn.ldap[0].startTLS=true
>
>
The keystore properties are used to configure authentication credentials.
To configure trust anchors you can use:
cas.authn.ldap[0].trust-store=
cas.authn.ldap[0].trust-store-password=
cas.authn.ldap[0].trus
This appears to be a bug in JNDI code that manifests with an NPE in the
ldaptive thread local code.
I've filed an issue, but there isn't a resolution yet.
Workarounds include:
* Use startTLS
* Use the UnboundID provider
* Use Java 8 (versions 9-12 are all affected)
--Daniel Fisher
there a way to ensure that threads time out after some time
> instead of getting stuck in limbo? Thank you.
>
What version of Java are you using?
Java >=9 has a JNDI bug that orphans LDAP connections.
You can configure CAS to use the UnboundID provider to work around
this is
On Wed, Jan 18, 2017 at 10:41 AM, Ben Branch wrote:
> #
>
> # Authentication
>
> #
>
> ldap.authn.searchFilter=sAMAccountName=%u
>
>
>
Try ldap.authn.searchFilter=(sAMAccountName={user
please help me get LDAP attributes?
>
Put the org.ldaptive package in DEBUG and see what the logs say.
If you're certain the attributes are being requested, confirm that the user
has read access to those attributes.
--Daniel Fisher
On Mon, Feb 20, 2017 at 4:30 PM, rbon wrote:
> The attributes are released with 3.5.2.1 so it is not a user access issue.
> I have double checked that 3.5.2.1 and 4.2.7 installs are connecting to the
> same ldap with the same settings.
> I have attached logs relating to the ldaptive search.
>
>F
areAuthenticationHandler component does not support salted
hashes. I don't know which set of CAS properties wires up the ldaptive
authentication handler, but you want to use the
PooledBindAuthenticationHandler. This way your directory will handle the
work of comparing salted hashes.
--Daniel Fis
>
> 2017-06-22 15:07:18,761 WARN [org.apereo.cas.authentication
> .PolicyBasedAuthenticationManager] - Credentials may be incorrect or CAS cannot find authentication handler that
> supports [t.benutzer] of type [UsernamePasswordCredential], which suggests
> a configuration proble
That's it, just wanted to make sure you're actually using a pool.
Can you post your complete configuration?
--Daniel Fisher
On Thu, Jun 22, 2017 at 11:05 AM, David Hübner
wrote:
> What exactly are we talking about?
> I have cas.authn.ldap[0].minPoolSize and maxPoolSize set to
c validation and then tweak the validate
period for your environment.
--Daniel Fisher
s to see why validation is failing.
--Daniel Fisher
alStateException: Connection is not open
>
Here's the connection validation failing, presumably because of the close
passivator. There's definitely some strange stuff going on here. I see you
changed your config and got it working, however it should be possible to
get the behavior you wa
a big deal.
--Daniel Fisher
On Thu, Nov 30, 2017 at 12:40 AM, Marc K. wrote:
> Hi,
>
> I recently updated our CAS 3.x with some modifications to the new Apereo
> CAS 5.1.6. After messing around with tons of properties I'm currently facing
> the problem of users not able to
his property?
cas.authn.ldap[0].searchEntryHandlers[0].type=OBJECT_GUID
--Daniel Fisher