Issues getting LDAP going - CAS 4.2.5

[Hank Foss]

Thanks to the documentation, I've been able to get far with the CAS build so far, but LDAP has been a bit of a challenge so far.

I followed this link to the letter:

https://apereo.github.io/cas/4.2.x/installation/LDAP-Authentication.html  Then I re-ran maven by running mvn install package, reloaded WAR file, and restarted Tomcat - not much luck so far.

What is good is that the log file cas.log has shown the source IP and attempting logon username. So that's a step in the right direction: at least it's showing the failure!

The local user casuser / Mellon logons are successful, and the cas.log shows that too. 

Any advice on LDAP configuration on CAS 4.2.5 is greatly appreciated.

Thanks,

Hank

[Dan Roque]

Hi Hank,

   I literally just configured CAS 4.2.5 with Tomcat 8.5.5 this week and also had a few issues along the way as the documentation is not fully complete. However, I configured everything using https://github.com/apereo/cas-gradle-overlay-template but maven should be roughly the same. Can you post your catalina.log file so we can see what errors you are experiencing? Also, I just saw a 4.2.6 announcement for an important security fix so you should change to that version when you can.

Dan

[Waldbieser, Carl]

Hank,

Is anything in your logs indicating that CAS is trying to connect to your directory? You might want to crank up the log levels if you aren't seeing anything.
If you have access to your directory logs, they can also be useful to diagnose if there is some issue connecting to the directory.
Is the client connecting?
Does TLS negotiation succeed?
Is the BIND for the admin account successful (in a 2-stage BIND)?
Is the BIND for the user account successful?

If not, you should at least be getting some kind of error in the CAS logs that gives you a hint. Try posting the output here for a failed login.

Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College

----- Original Message -----
From: "Hank Foss" <hank...@gmail.com>
To: "CAS Community" <cas-...@apereo.org>
Sent: Friday, September 30, 2016 4:17:24 PM
Subject: [cas-user] Issues getting LDAP going - CAS 4.2.5

Thanks to the documentation, I've been able to get far with the CAS build
so far, but LDAP has been a bit of a challenge so far.

I followed this link to the letter:
https://apereo.github.io/cas/4.2.x/installation/LDAP-Authentication.html

Then I re-ran maven by running* mvn install package*, reloaded WAR file,

and restarted Tomcat - not much luck so far.

What is good is that the log file cas.log has shown the source IP and
attempting logon username. So that's a step in the right direction: at
least it's showing the failure!

The local user casuser / Mellon logons are successful, and the cas.log
shows that too.

Any advice on LDAP configuration on CAS 4.2.5 is greatly appreciated.


Thanks,
Hank

--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1b2a7338-e6f8-461f-90cc-044c191355cd%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.

[Hank Foss]

Lame as it is, this is the only response I'm getting from the logs at this point, and this is after cranking up the logging levels to debug:

------------------------------------------------------------

ACTION: AUTHENTICATION_FAILED

APPLICATION: CAS

WHEN: Tue Oct 04 12:29:48 EDT 2016

CLIENT IP ADDRESS: <mine>

SERVER IP ADDRESS: <cas server's>

-----------------------------------------------------------

I'm not sure where to go at this point. I can telnet our AD server 636 from the CAS server, so that's not an issue.

Is there another log that ldap info is written to? Maybe I'm missing that.

Thanks,

Hank

On Friday, September 30, 2016 at 4:17:24 PM UTC-4, Hank Foss wrote:

[Waldbieser, Carl]

Hank,

Assuming you've set your logging as per the example:

<Logger name="org.ldaptive" level="debug" additivity="false">
<AppenderRef ref="console"/>
<AppenderRef ref="file"/>
</Logger>

I'd expect to see some kind of debug logs dumped somewhere in "$CATALINA_HOME/logs". Maybe in "catalina.out" if not in "cas.log"?

Can you post your "ldap.properties" file with any credentials redacted? That might give us some insight into your setup.

If you run a continuous `netstat` command in another terminal window, do you see any connections to your directory? E.g.:

$ netstat -c -t | grep -e $NAME_OF_YOUR_DIRECTORY_HOST

Thanks,
Carl

----- Original Message -----
From: "Hank Foss" <hank...@gmail.com>
To: "CAS Community" <cas-...@apereo.org>

Sent: Tuesday, October 4, 2016 12:35:49 PM
Subject: [cas-user] Re: Issues getting LDAP going - CAS 4.2.5

Lame as it is, this is the only response I'm getting from the logs at this
point, and this is after cranking up the logging levels to debug:

------------------------------------------------------------
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Tue Oct 04 12:29:48 EDT 2016
CLIENT IP ADDRESS: <mine>
SERVER IP ADDRESS: <cas server's>
-----------------------------------------------------------

I'm not sure where to go at this point. I can telnet our AD server 636 from
the CAS server, so that's not an issue.

Is there another log that ldap info is written to? Maybe I'm missing that.

Thanks,
Hank



On Friday, September 30, 2016 at 4:17:24 PM UTC-4, Hank Foss wrote:
>
> Thanks to the documentation, I've been able to get far with the CAS build
> so far, but LDAP has been a bit of a challenge so far.
>
> I followed this link to the letter:
> https://apereo.github.io/cas/4.2.x/installation/LDAP-Authentication.html

> Then I re-ran maven by running* mvn install package*, reloaded WAR file,

> and restarted Tomcat - not much luck so far.
>
> What is good is that the log file cas.log has shown the source IP and
> attempting logon username. So that's a step in the right direction: at
> least it's showing the failure!
>
> The local user casuser / Mellon logons are successful, and the cas.log
> shows that too.
>
> Any advice on LDAP configuration on CAS 4.2.5 is greatly appreciated.
>
>
> Thanks,
> Hank
>

--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/a27c3755-8706-47e5-bac7-5d6dfb5f5179%40apereo.org.

[Hank Foss]

Yes we saved that but I was only looking at the cas.log file a the time. 

I'll look a the others and post back...

On Friday, September 30, 2016 at 4:17:24 PM UTC-4, Hank Foss wrote:

[Hank Foss]

Carl,

Here's quite a bit of information, but you may be able to help locate the issue. 

Below is my deployerConfigContext.xml file (domain info redacted); the first 50 lines of cas.log, and lastly the first 50 lines of catalina.2016-10-4.log.  

Thanks, Hank

deployerConfigContext.xml:

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"

       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

       xmlns:p="http://www.springframework.org/schema/p"       

       xmlns:c="http://www.springframework.org/schema/c"

       xmlns:tx="http://www.springframework.org/schema/tx"

       xmlns:util="http://www.springframework.org/schema/util"

       xmlns:sec="http://www.springframework.org/schema/security"

       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd

       http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.2.xsd

       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd

       http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">

    <!--

       | The authentication manager defines security policy for authentication by specifying at a minimum

       | the authentication handlers that will be used to authenticate credential. While the AuthenticationManager

       | interface supports plugging in another implementation, the default PolicyBasedAuthenticationManager should

       | be sufficient in most cases.

       +-->

    <bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">

        <constructor-arg>

            <map>

                <!--

                   | IMPORTANT

                   | Every handler requires a unique name.

                   | If more than one instance of the same handler class is configured, you must explicitly

                   | set its name to something other than its default name (typically the simple class name).

                   -->

                <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />

                <entry key-ref="primaryAuthenticationHandler" value-ref="primaryPrincipalResolver" />

<entry key-ref="ldapAuthenticationHandler" value-ref="usernamePasswordCredentialsResolver" />

            </map>

        </constructor-arg>

        <property name="authenticationPolicy">

            <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" />

        </property>

    </bean>

    <!-- Required for proxy ticket mechanism. -->

    <bean id="proxyAuthenticationHandler"

          class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"

          p:httpClient-ref="httpClient" />

 

    <bean id="primaryAuthenticationHandler"

          class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">

        <property name="users">

            <map>

                <entry key="casuser" value="Mellon"/>

            </map>

        </property>

    </bean>

    <!-- Required for proxy ticket mechanism -->

    <bean id="proxyPrincipalResolver"

          class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />

    <!--

       | Resolves a principal from a credential using an attribute repository that is configured to resolve

       | against a deployer-specific store (e.g. LDAP).

       -->

    <bean id="primaryPrincipalResolver"

          class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver" >

        <property name="attributeRepository" ref="attributeRepository" />

    </bean>

<bean id="usernamePasswordCredentialsResolver"

          class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />

<!-- http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html LDAP Supporting Direct Bind -->

<bean id="ldapAuthenticationHandler"

      class="org.jasig.cas.authentication.LdapAuthenticationHandler"

      p:principalIdAttribute="sAMAccountName"

      c:authenticator-ref="authenticator">

    <property name="principalAttributeMap">

        <map>

            <!--

               | This map provides a simple attribute resolution mechanism.

               | Keys are LDAP attribute names, values are CAS attribute names.

               | Use this facility instead of a PrincipalResolver if LDAP is

               | the only attribute source.

               -->

            <entry key="sAMAccountName" value="sAMAccountName" />

            <entry key="mail" value="mail" />

            <entry key="displayName" value="displayName" />

        </map>

    </property>

</bean>

<bean id="authenticator" class="org.ldaptive.auth.Authenticator"

      c:resolver-ref="dnResolver"

      c:handler-ref="authHandler" />

<bean id="dnResolver" class="org.ldaptive.auth.PooledSearchDnResolver"

      p:baseDn="DC=example,DC=com" 

      p:allowMultipleDns="false"

      p:connectionFactory-ref="searchPooledLdapConnectionFactory"

      p:userFilter="sAMAccountName={user}" />

<bean id="searchPooledLdapConnectionFactory"

      class="org.ldaptive.pool.PooledConnectionFactory"

      p:connectionPool-ref="searchConnectionPool" />

<bean id="searchConnectionPool" parent="abstractConnectionPool" />

<bean id="abstractConnectionPool" abstract="true"

      class="org.ldaptive.pool.BlockingConnectionPool"

      init-method="initialize"

      p:poolConfig-ref="ldapPoolConfig"

      p:blockWaitTime="3000"

      p:validator-ref="searchValidator"

      p:pruneStrategy-ref="pruneStrategy"

      p:connectionFactory-ref="connectionFactory" />

<bean id="ldapPoolConfig" class="org.ldaptive.pool.PoolConfig"

      p:minPoolSize="3"

      p:maxPoolSize="10"

      p:validateOnCheckOut="true"

      p:validatePeriodically="false"

      p:validatePeriod="300" />

<bean id="connectionFactory" class="org.ldaptive.DefaultConnectionFactory"

      p:connectionConfig-ref="connectionConfig" />

<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig"

      p:ldapUrl="ldap://example.com:389"

      p:connectTimeout="3000"

      p:useStartTLS="false"

      p:sslConfig-ref="sslConfig" />

<!--

<bean id="sslConfig" class="org.ldaptive.ssl.SslConfig">

    <property name="credentialConfig">

        <bean class="org.ldaptive.ssl.X509CredentialConfig"

              p:trustCertificates="${ldap.trustedCert}" />

    </property>

</bean>

-->

<bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"

      p:prunePeriod="300"

      p:idleTime="600" />

<bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" />

<bean id="authHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler"

      p:connectionFactory-ref="bindPooledLdapConnectionFactory" />

<bean id="bindPooledLdapConnectionFactory"

      class="org.ldaptive.pool.PooledConnectionFactory"

      p:connectionPool-ref="bindConnectionPool" />

<bean id="bindConnectionPool" parent="abstractConnectionPool" />

    <!--

    Bean that defines the attributes that a service may return.  This example uses the Stub/Mock version.  A real implementation

    may go against a database or LDAP server.  The id should remain "attributeRepository" though.

    +-->

    <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao"

            p:backingMap-ref="attrRepoBackingMap" />

    

    <util:map id="attrRepoBackingMap">

        <entry key="sAMAccountName" value="sAMAccountName" />  <!-- question about this: changed "uid" to "sAMAccountName" -->

        <entry key="eduPersonAffiliation" value="eduPersonAffiliation" /> 

        <entry key="groupMembership" value="groupMembership" />

    </util:map>

    <!-- 

    Sample, in-memory data store for the ServiceRegistry. A real implementation

    would probably want to replace this with the JPA-backed ServiceRegistry DAO

    The name of this bean should remain "serviceRegistryDao".

    +-->

    <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl"

            p:registeredServices-ref="registeredServicesList" />

    <util:list id="registeredServicesList">

        <bean class="org.jasig.cas.services.RegexRegisteredService"

              p:id="0" 

     p:name="HTTP and IMAP" 

     p:description="Allows HTTP(S) and IMAP(S) protocols"

              p:serviceId="^(https?|imaps?)://.*" 

     p:evaluationOrder="10000001" />

        <!--

        Use the following definition instead of the above to further restrict access

        to services within your domain (including sub domains).

        Note that example.com must be replaced with the domain you wish to permit.

        This example also demonstrates the configuration of an attribute filter

        that only allows for attributes whose length is 3.

        -->

        <!--

        <bean class="org.jasig.cas.services.RegexRegisteredService">

            <property name="id" value="1" />

            <property name="name" value="HTTP and IMAP on example.com" />

            <property name="description" value="Allows HTTP(S) and IMAP(S) protocols on example.com" />

            <property name="serviceId" value="^(https?|imaps?)://([A-Za-z0-9_-]+\.)*example\.com/.*" />

            <property name="evaluationOrder" value="0" />

            <property name="attributeFilter">

              <bean class="org.jasig.cas.services.support.RegisteredServiceRegexAttributeFilter" c:regex="^\w{3}$" /> 

            </property>

        </bean>

        -->

    </util:list>

    

    <bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />

    

    <bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor" p:monitors-ref="monitorsList" />

  

    <util:list id="monitorsList">

      <bean class="org.jasig.cas.monitor.MemoryMonitor" p:freeMemoryWarnThreshold="10" />

      <!--

        NOTE

        The following ticket registries support SessionMonitor:

          * DefaultTicketRegistry

          * JpaTicketRegistry

        Remove this monitor if you use an unsupported registry.

      -->

      <bean class="org.jasig.cas.monitor.SessionMonitor"

          p:ticketRegistry-ref="ticketRegistry"

          p:serviceTicketCountWarnThreshold="5000"

          p:sessionCountWarnThreshold="100000" />

    </util:list>

</beans>

cas.log:

[root@cas-server01 tomcat]# tail -50 cas.log

2016-10-04 17:15:02,977 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - Loaded 2 services from JsonServiceRegistryDao.

2016-10-04 17:16:02,975 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - Reloading registered services.

2016-10-04 17:16:02,977 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - Loaded 2 services from JsonServiceRegistryDao.

2016-10-04 17:16:08,858 INFO [org.jasig.cas.ticket.registry.TicketRegistryCleaner] - Beginning ticket cleanup...

2016-10-04 17:16:08,859 INFO [org.jasig.cas.ticket.registry.TicketRegistryCleaner] - 0 expired tickets found and removed.

2016-10-04 17:17:02,977 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - Reloading registered services.

2016-10-04 17:17:02,978 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - Loaded 2 services from JsonServiceRegistryDao.

2016-10-04 17:18:02,976 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - Reloading registered services.

2016-10-04 17:18:02,977 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - Loaded 2 services from JsonServiceRegistryDao.

2016-10-04 17:18:08,855 INFO [org.jasig.cas.ticket.registry.TicketRegistryCleaner] - Beginning ticket cleanup...

2016-10-04 17:18:08,855 INFO [org.jasig.cas.ticket.registry.TicketRegistryCleaner] - 0 expired tickets found and removed.

2016-10-04 17:19:02,976 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - Reloading registered services.

2016-10-04 17:19:02,977 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - Loaded 2 services from JsonServiceRegistryDao.

2016-10-04 17:19:22,493 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - AcceptUsersAuthenticationHandler failed authenticating <my sAMAccountName>

2016-10-04 17:19:22,494 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN

=============================================================

WHO: [my sAMAccountName]

WHAT: Supplied credentials: [my sAMAccountName]

ACTION: AUTHENTICATION_FAILED

APPLICATION: CAS

WHEN: Tue Oct 04 17:19:22 EDT 2016

CLIENT IP ADDRESS: <my IP>

SERVER IP ADDRESS: <cas server IP>

=============================================================

2016-10-04 17:19:22,494 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN

=============================================================

WHO: <my sAMAccountName>

WHAT: Supplied credentials: [my sAMAccountName]

ACTION: AUTHENTICATION_FAILED

APPLICATION: CAS

WHEN: Tue Oct 04 17:19:22 EDT 2016

CLIENT IP ADDRESS: <my IP>

SERVER IP ADDRESS: <cas server IP>

=============================================================

2016-10-04 17:20:02,976 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - Reloading registered services.

2016-10-04 17:20:02,977 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - Loaded 2 services from JsonServiceRegistryDao.

2016-10-04 17:20:08,854 INFO [org.jasig.cas.ticket.registry.TicketRegistryCleaner] - Beginning ticket cleanup...

2016-10-04 17:20:08,854 INFO [org.jasig.cas.ticket.registry.TicketRegistryCleaner] - 0 expired tickets found and removed.

2016-10-04 17:21:02,976 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - Reloading registered services.

2016-10-04 17:21:02,977 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - Loaded 2 services from JsonServiceRegistryDao.

2016-10-04 17:22:02,977 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - Reloading registered services.

2016-10-04 17:22:02,979 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - Loaded 2 services from JsonServiceRegistryDao.

2016-10-04 17:22:08,858 INFO [org.jasig.cas.ticket.registry.TicketRegistryCleaner] - Beginning ticket cleanup...

2016-10-04 17:22:08,858 INFO [org.jasig.cas.ticket.registry.TicketRegistryCleaner] - 0 expired tickets found and removed.

2016-10-04 17:23:02,977 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - Reloading registered services.

2016-10-04 17:23:02,981 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - Loaded 2 services from JsonServiceRegistryDao.

catalina.2016-10-4. log:

[root@cas-server01 logs]# tail -50 catalina.2016-10-04.log 

Oct 04, 2016 4:58:04 PM org.apache.catalina.startup.TaglibUriRule body

INFO: TLD skipped. URI: http://java.sun.com/jsp/jstl/core is already defined

Oct 04, 2016 4:58:04 PM org.apache.catalina.startup.TaglibUriRule body

INFO: TLD skipped. URI: http://java.sun.com/jstl/fmt_rt is already defined

Oct 04, 2016 4:58:04 PM org.apache.catalina.startup.TaglibUriRule body

INFO: TLD skipped. URI: http://java.sun.com/jstl/fmt is already defined

Oct 04, 2016 4:58:04 PM org.apache.catalina.startup.TaglibUriRule body

INFO: TLD skipped. URI: http://java.sun.com/jsp/jstl/fmt is already defined

Oct 04, 2016 4:58:04 PM org.apache.catalina.startup.TaglibUriRule body

INFO: TLD skipped. URI: http://java.sun.com/jsp/jstl/functions is already defined

Oct 04, 2016 4:58:04 PM org.apache.catalina.startup.TaglibUriRule body

INFO: TLD skipped. URI: http://jakarta.apache.org/taglibs/standard/permittedTaglibs is already defined

Oct 04, 2016 4:58:04 PM org.apache.catalina.startup.TaglibUriRule body

INFO: TLD skipped. URI: http://jakarta.apache.org/taglibs/standard/scriptfree is already defined

Oct 04, 2016 4:58:04 PM org.apache.catalina.startup.TaglibUriRule body

INFO: TLD skipped. URI: http://java.sun.com/jstl/sql_rt is already defined

Oct 04, 2016 4:58:04 PM org.apache.catalina.startup.TaglibUriRule body

INFO: TLD skipped. URI: http://java.sun.com/jstl/sql is already defined

Oct 04, 2016 4:58:04 PM org.apache.catalina.startup.TaglibUriRule body

INFO: TLD skipped. URI: http://java.sun.com/jsp/jstl/sql is already defined

Oct 04, 2016 4:58:04 PM org.apache.catalina.startup.TaglibUriRule body

INFO: TLD skipped. URI: http://java.sun.com/jstl/xml_rt is already defined

Oct 04, 2016 4:58:04 PM org.apache.catalina.startup.TaglibUriRule body

INFO: TLD skipped. URI: http://java.sun.com/jstl/xml is already defined

Oct 04, 2016 4:58:04 PM org.apache.catalina.startup.TaglibUriRule body

INFO: TLD skipped. URI: http://java.sun.com/jsp/jstl/xml is already defined

Oct 04, 2016 4:58:05 PM org.apache.catalina.startup.HostConfig deployDirectory

INFO: Deployment of web application directory /var/lib/tomcat/webapps/examples has finished in 372 ms

Oct 04, 2016 4:58:05 PM org.apache.catalina.startup.HostConfig deployDirectory

INFO: Deploying web application directory /var/lib/tomcat/webapps/sample

Oct 04, 2016 4:58:05 PM org.apache.catalina.startup.HostConfig deployDirectory

INFO: Deployment of web application directory /var/lib/tomcat/webapps/sample has finished in 203 ms

Oct 04, 2016 4:58:05 PM org.apache.catalina.startup.HostConfig deployDirectory

INFO: Deploying web application directory /var/lib/tomcat/webapps/docs

Oct 04, 2016 4:58:05 PM org.apache.catalina.startup.HostConfig deployDirectory

INFO: Deployment of web application directory /var/lib/tomcat/webapps/docs has finished in 147 ms

Oct 04, 2016 4:58:05 PM org.apache.catalina.startup.HostConfig deployDirectory

INFO: Deploying web application directory /var/lib/tomcat/webapps/host-manager

Oct 04, 2016 4:58:05 PM org.apache.catalina.startup.HostConfig deployDirectory

INFO: Deployment of web application directory /var/lib/tomcat/webapps/host-manager has finished in 138 ms

Oct 04, 2016 4:58:05 PM org.apache.catalina.startup.HostConfig deployDirectory

INFO: Deploying web application directory /var/lib/tomcat/webapps/manager

Oct 04, 2016 4:58:05 PM org.apache.catalina.startup.HostConfig deployDirectory

INFO: Deployment of web application directory /var/lib/tomcat/webapps/manager has finished in 145 ms

Oct 04, 2016 4:58:05 PM org.apache.coyote.AbstractProtocol start

INFO: Starting ProtocolHandler ["http-bio-8443"]

Oct 04, 2016 4:58:06 PM org.apache.coyote.AbstractProtocol start

INFO: Starting ProtocolHandler ["ajp-bio-8009"]

Oct 04, 2016 4:58:06 PM org.apache.catalina.startup.Catalina start

INFO: Server startup in 26285 ms

On Friday, September 30, 2016 at 4:17:24 PM UTC-4, Hank Foss wrote:

[Hank Foss]

On Friday, September 30, 2016 at 4:17:24 PM UTC-4, Hank Foss wrote:

[Hank Foss]

Also, there was no response when I ran:

  $ netstat -c -t | grep -e $NAME_OF_YOUR_DIRECTORY_HOST 

On Friday, September 30, 2016 at 4:17:24 PM UTC-4, Hank Foss wrote:

[Dan Roque]

Hi Hank,

   Here are my working files using CAS 4.2.6 and Active Directory LDAP (domain info redacted)

deployerConfigContext.xml - http://pastebin.com/AnZJRpSw

cas.properties - http://pastebin.com/AnZJRpSw

Note: This requires the ldaptive libraries in order to work properly.

http://www.ldaptive.org/download.html

Dan

[Dan Roque]

Woops, I posted the same link twice

My cas.properties file is here

http://pastebin.com/zZJ8B66x

[Hank Foss]

Thanks, Dan.

Extremely helpful, with some luck this should be it.

-Hank

On Friday, September 30, 2016 at 4:17:24 PM UTC-4, Hank Foss wrote:

[Hank Foss]

Dan,

Can you provide a copy of your POM also?

Also, when logins are made to the CAS server (https://cas-server:8443/cas/login) I'm guessing it's only username / password, and then it takes you in like 'casuser' and 'Mellon'. Is this correct? In other words, there is no need to type 'domain\sAMAccountName' and 'password.'

Thanks,

Hank

On Friday, September 30, 2016 at 4:17:24 PM UTC-4, Hank Foss wrote:

[Dan Roque]

Hi Hank,

    For the CAS login page, we only use username/password (no Domain required). As for 'casuser', this is the user that will search the directory for the login user.

As for the POM, I generated the war file using the gradle overlay template instead of maven. In order to run correctly, you need to add the following dependencies to the build.gradle file

    runtime 'org.jasig.cas:cas-server-support-ldap:4.2.6'

    runtime 'org.ldaptive:ldaptive:1.2.0'

Here is the complete build.gradle just in case

http://pastebin.com/RtwrpLjm

Note: This is not the overlay build.gradle file, it's the main CAS one.

If you still want to use maven then you would need to add the following to the CAS POM file (untested)

<dependencies> <dependency> <groupId>org.ldaptive</groupId> <artifactId>ldaptive</artifactId> <version>1.2.0</version> </dependency> </dependencies>

<dependencies> <dependency> <groupId>org.jasig.cas</groupId> <artifactId>cas-server-support-ldap</artifactId> <version>4.2.6</version> </dependency> </dependencies>

To verify it worked properly, the libraries should show up under WEB-INF/lib within the war file.

Hope that helps,

Dan

[Hank Foss]

Thanks, Dan.

I've been using Maven all along. I'll go with the Gradle overlay.

-Hank

On Friday, September 30, 2016 at 4:17:24 PM UTC-4, Hank Foss wrote:

[Hank Foss]

Hi Dan,

I'm  hoping the environmental variables are identical with gradle as with maven, because it's looking like we'll have to recompile.

Question, does CAS need to be running over LDAPS or is LDAP fine?

Thanks,

Hank

On Friday, September 30, 2016 at 4:17:24 PM UTC-4, Hank Foss wrote:

[Dan Roque]

Do you mean the cas.properties? If so then yes it is identical. The only difference between gradle and maven is the build process. The instructions for building the war file can be found here

https://github.com/apereo/cas-gradle-overlay-template/blob/master/README.md

Make sure you replaced the default deployerConfigContext.xml and cas.properties before you attempt to build.

As for LDAPS, It is up to you really. We use LDAPS to secure LDAP traffic over SSL but you can start with LDAP for now and move to LDAPS when you have time to configure everything required for it.

Dan

[Dan Roque]

Actually, I understand now... You mean the environment variables you are using within your POM file for maven. Which variables are you using? I can look for the corresponding gradle ones.

Dan

[Hank Foss]

LDAP is now working. Thanks for all of your input on this.

The solution, besides having the configContext file along with the cas.Properties file, was that the working directory for CAS was actually not where I originally thought -- it was in the Tomcat home folder. Once I copied the configContext and cas.Properties to that directory and reloaded the CAS warfile, LDAP kicked in!

Our next step is to set up a CASified link. 

On Friday, September 30, 2016 at 4:17:24 PM UTC-4, Hank Foss wrote:

[Dan Roque]

Excellent! I guess you can create another topic if you have issues with that.

Dan

[Brandon Martin]

I'm currently trying to set this up, I have everything working except LDAP authentication. I'd love to see the deployerContextConfig.xml you posted here but the link is now dead.

[Dan Roque]

Hi Brandon,

   Here is a repost of both files you requested. They shouldn't expire now.

deployerConfigContext.xml - http://pastebin.com/m9JypyUB

cas.properties - http://pastebin.com/DvvA08Yi

Dan

[Brandon Martin]

Fantastic! Than you much Dan!

--
CAS gitter chatroom: https://gitter.im/apereo/cas
CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
CAS documentation website: https://apereo.github.io/cas
CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to a topic in the Google Groups "CAS Community" group.
To unsubscribe from this topic, visit https://groups.google.com/a/apereo.org/d/topic/cas-user/r6ELh0dNDDs/unsubscribe.
To unsubscribe from this group and all its topics, send an email to cas-user+u...@apereo.org.

To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/835c4bb6-b4b7-434e-b6e8-265e0ac1b2d4%40apereo.org.

[z mortazavi]

Hi

I setup jasig-cas-4.2.6 and I can login successful in cas-side but in my client I get login successful but phpCAS::getAttributes() no return my attribute such as mail and givenName

deployerConfigContext.xml is:

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

       xmlns:context="http://www.springframework.org/schema/context"

       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"

       xmlns:aop="http://www.springframework.org/schema/aop"

       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:sec="http://www.springframework.org/schema/security"

       xmlns:ldaptive="http://www.ldaptive.org/schema/spring-ext"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd


       http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd

       http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
       http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
       http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
       http://www.ldaptive.org/schema/spring-ext http://www.ldaptive.org/schema/spring-ext.xsd">

   
     
    <bean id="ldapAuthenticationHandler"         class="org.jasig.cas.authentication.LdapAuthenticationHandler"
    

      c:authenticator-ref="authenticator">
    <property name="principalAttributeMap">
        <map>
   

    <entry key="givenName" value="firstName"/>
     <entry key="mail" value="email"/>
   
        </map>
    </property>
    </bean>
   
   
   
   
    <util:map id="authenticationHandlersResolvers">

        <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />

           <entry key-ref="ldapAuthenticationHandler" value="#{null}" />

    </util:map>
   
   
    <util:list id="authenticationMetadataPopulators">
        <ref bean="successfulHandlerMetaDataPopulator" />
        <ref bean="rememberMeAuthenticationMetaDataPopulator" />
    </util:list>
       
       
       
    <alias name="acceptUsersAuthenticationHandler" alias="primaryAuthenticationHandler" />
    <alias name="personDirectoryPrincipalResolver" alias="primaryPrincipalResolver" />

    <bean id="attributeRepository" class="org.jasig.services.persondir.support.NamedStubPersonAttributeDao"

          p:backingMap-ref="attrRepoBackingMap" />

    <util:map id="attrRepoBackingMap">
 
   

    <entry key="givenName" value="firstName"/>
    <entry key="mail" value="email"/>
  
     
        <entry>
            <key><value>memberOf</value></key>
            <list>
                <value>faculty</value>
                <value>staff</value>
                <value>org</value>
            </list>
        </entry>
    </util:map>

   
    <alias name="serviceThemeResolver" alias="themeResolver" />

    <alias name="jsonServiceRegistryDao" alias="serviceRegistryDao" />

    <alias name="defaultTicketRegistry" alias="ticketRegistry" />
   
    <alias name="ticketGrantingTicketExpirationPolicy" alias="grantingTicketExpirationPolicy" />
    <alias name="multiTimeUseOrTimeoutExpirationPolicy" alias="serviceTicketExpirationPolicy" />

    <alias name="anyAuthenticationPolicy" alias="authenticationPolicy" />
    <alias name="acceptAnyAuthenticationPolicyFactory" alias="authenticationPolicyFactory" />

    <bean id="auditTrailManager"
          class="org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager"
          p:entrySeparator="${cas.audit.singleline.separator:|}"
          p:useSingleLine="${cas.audit.singleline:false}"/>

    <alias name="neverThrottle" alias="authenticationThrottle" />

    <util:list id="monitorsList">
        <ref bean="memoryMonitor" />
        <ref bean="sessionMonitor" />
    </util:list>

    <alias name="defaultPrincipalFactory" alias="principalFactory" />
    <alias name="defaultAuthenticationTransactionManager" alias="authenticationTransactionManager" />
    <alias name="defaultPrincipalElectionStrategy" alias="principalElectionStrategy" />
    <alias name="tgcCipherExecutor" alias="defaultCookieCipherExecutor" />

   

   
<bean id="serviceRegistryDao"
      class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl"
      p:registeredServices-ref="registeredServicesList" />
   


    <util:list id="registeredServicesList">
        <bean class="org.jasig.cas.services.RegexRegisteredService"

          p:id="1"
          p:name="sso"
          p:serviceId="^(https?|imaps?|http?)://.*"
          p:description="sso cas"
          p:evaluationOrder="0" >
 
  
 <property name="attributeReleasePolicy">
    <bean class="org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy">
        <property name="allowedAttributes">
   

                    
                <list>
                    <value>mail</value>
                    <value>givenName</value>
                   

                </list>
    </property>
    </bean>
   
        </property>

        </bean>
 

    </util:list>   

   
           
        <ldaptive:ad-authenticator id="authenticator"
           
        ldapUrl="xxxx"
        baseDn="xxxxxx"
        userFilter="xx"
        bindDn="xxxxx"
        bindCredential="xxxxxxxx"
        connectTimeout="5000"
        useStartTLS="false"
        blockWaitTime="3000"
        maxPoolSize="10"
        allowMultipleDns="false"
        minPoolSize="1"
        validateOnCheckOut="false"
        validatePeriodically="true"
        validatePeriod="300"
        idleTime="600"
        prunePeriod="300"
        failFastInitialize="false"
        subtreeSearch="true"
        useSSL="false"

/>
       
</beans>

and my json file is:

....
    "attributeReleasePolicy" : {
    "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
    "principalAttributesRepository" : {
      "@class" : "org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository"   }
   "allowedAttributes" : [ "java.util.ArrayList", [ "mail", "givenName"] ]
    "authorizedToReleaseCredentialPassword" : false,
    "authorizedToReleaseProxyGrantingTicket" : false
  },
...

and in client side i have:

phpCAS::client(CAS_VERSION_3_0,'xxx',443,'cas');

...

$attr = phpCAS::getAttributes();

but my response is (don't involve my attribute mail and givenName) :

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
AEF4 .|    |    |    |    |    |        <cas:authenticationSuccess>
AEF4 .|    |    |    |    |    |            <cas:user>xxx</cas:user>
AEF4 .|    |    |    |    |    |           
AEF4 .|    |    |    |    |    |                <cas:attributes>
AEF4 .|    |    |    |    |    |                         
AEF4 .|    |    |    |    |    |                            <cas:LdapAuthenticationHandler.dn>xxxxxxxxx</cas:LdapAuthenticationHandler.dn>
AEF4 .|    |    |    |    |    |                         
AEF4 .|    |    |    |    |    |                            <cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
AEF4 .|    |    |    |    |    |                          
AEF4 .|    |    |    |    |    |                            <cas:isFromNewLogin>true</cas:isFromNewLogin>
AEF4 .|    |    |    |    |    |                            
AEF4 .|    |    |    |    |    |                            <cas:authenticationDate>2017-02-01T10:46:15.737+03:30</cas:authenticationDate>
AEF4 .|    |    |    |    |    |                       
AEF4 .|    |    |    |    |    |               
AEF4 .|    |    |    |    |    |                </cas:attributes>
AEF4 .|    |    |    |    |    |        
AEF4 .|    |    |    |    |    |        </cas:authenticationSuccess>
AEF4 .|    |    |    |    |    |    </cas:serviceResponse>

please help me.

thanks in advance.

You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.

To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/90BDF397-A2F7-44F1-9552-792E27DD1902%40edtools.psd401.net.