Deprecated LDAP settings in 6.6.2


BenDDD

16 Nov 2022 11:42:47
to CAS Community
Hi everyone,

Our CAS service is running but the logs show a message about LDAP settings:

[2022-11-16 17:12:54] [info] Failed to bind properties under 'cas' to org.apereo.cas.configuration.CasConfigurationProperties
[2022-11-16 17:12:54] [info] #011cas.authn.ldap[0].providerclass = org.ldaptive.provider.unboundid.UnboundIDProvider (Origin: "cas.authn.ldap[0].providerClass" from property source "bootstrapProperties-casCompositePropertySource")
[2022-11-16 17:12:54] [info] #011cas.authn.ldap[0].usessl = true (Origin: "cas.authn.ldap[0].useSsl" from property source "bootstrapProperties-casCompositePropertySource")
[2022-11-16 17:12:54] [info] Listed settings above are no longer recognized by CAS 6.6.2. They may have been renamed, removed, or relocated to a new namespace in the CAS configuration schema. CAS will ignore such settings to proceed with its normal initialization sequence. Please consult the CAS documentation to review and adjust each setting to find an alternative or remove the definition from the property source. Failure to do so puts the server stability in danger and complicates future upgrades.

It is specified that these settings are ignored but if I comment out the line "cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider" in cas.properties, the service no longer starts.

I did not find in the documentation any information concerning a removal or a renaming of these settings in an earlier version.

Does anyone know the correct settings to use?

Thanks in advance.

Ray Bon

16 Nov 2022 12:47:00
to cas-...@apereo.org
What is the error message when that property is commented out?

Ray

On Wed, 2022-11-16 at 08:39 -0800, BenDDD wrote:

BenDDD

16 Nov 2022 14:35:58
to CAS Community, Ray Bon
Hi Ray,

Thank you for your answer.

My bad, I commented out the two settings again to copy the logs and the service started fine.

Does disabling the "cas.authn.ldap[0].usessl = true" setting disable encryption?

Ray Bon

16 Nov 2022 15:34:28
to dupalut...@gmail.com, cas-...@apereo.org
I do not see it in the properties manifest.

./gradlew exportConfigMetadata

will output all cas properties to a file.

./gradlew tasks

will show other commands that can be helpful.

Ray

BenDDD

17 Nov 2022 10:16:36
to CAS Community, Ray Bon, BenDDD
Hi Ray,

I have already looked at the settings available via the "./gradlew exportConfigMetadata" command and the only one that might match would be "cas.authn.ldap[].use-start-tls:":

grep cas.authn.ldap /opt/cas-overlay-template/config-metadata.properties | grep ssl
no results

grep cas.authn.ldap /opt/cas-overlay-template/config-metadata.properties | grep tls
# cas.authn.ldap[].use-start-tls:

But if I enable it, the service no longer starts:

[2022-11-17 16:01:49] [info] #033[1;31m2022-11-17 16:01:49,819 ERROR [org.ldaptive.transport.netty.NettyConnection] - <Connection open failed for org.ldaptive.transport.netty.NettyConnection@1210233213::ldapUrl=[org.ldaptive.LdapURL@-650620971::scheme=ldaps, hostname=dc1.lan.esiee.fr, port=636, baseDn=null, attributes=null, scope=null, filter=null, inetAddress=null], isOpen=true, connectTime=null, connectionConfig=[org.ldaptive.ConnectionConfig@435906735::ldapUrl=ldaps://dc1.lan.esiee.fr:636, connectTimeout=PT5S, responseTimeout=PT5S, reconnectTimeout=PT2M, autoReconnect=true, autoReconnectCondition=org.ldaptive.ConnectionConfig$$Lambda$3019/0x000000084142b040@4a912cfa, autoReplay=true, sslConfig=[org.ldaptive.ssl.SslConfig@1909400171::credentialConfig=null, trustManagers=null, hostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@51b23e6e, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null, handshakeTimeout=PT1M], useStartTLS=true, connectionInitializers=[org.ldaptive.BindConnectionInitializer@171193219::bindDn=cn=LDAP,ou=comptes_services,ou=utilisateurs,dc=lan,dc=esiee,dc=fr, bindSaslConfig=null, bindControls=null], connectionStrategy=[org.ldaptive.ActivePassiveConnectionStrategy@323918567::ldapURLSet=[org.ldaptive.LdapURLSet@1350275720::active=[], inactive=[[org.ldaptive.LdapURL@-650620971::scheme=ldaps, hostname=dc1.lan.esiee.fr, port=636, baseDn=null, attributes=null, scope=null, filter=null, inetAddress=null]]], activateCondition=org.ldaptive.transport.TransportConnection$$Lambda$3026/0x0000000841458440@182e3aa3, retryCondition=org.ldaptive.AbstractConnectionStrategy$$Lambda$3022/0x000000084142ac40@7fd002e3, initialized=true], connectionValidator=null, transportOptions={}], channel=[id: 0x73272efc, L:/147.215.150.77:60890 - R:dc1.lan.esiee.fr/147.215.1.111:636]>#033[m
[2022-11-17 16:01:49] [info] org.ldaptive.ConnectException: SslHandler is already in use
[2022-11-17 16:01:49] [info] #011at org.ldaptive.transport.netty.NettyConnection.operation(NettyConnection.java:530) ~[ldaptive-2.1.1.jar:?]
[2022-11-17 16:01:49] [info] #011at org.ldaptive.transport.netty.NettyConnection.open(NettyConnection.java:301) ~[ldaptive-2.1.1.jar:?]
[2022-11-17 16:01:49] [info] #011at org.ldaptive.transport.netty.NettyConnection.test(NettyConnection.java:264) ~[ldaptive-2.1.1.jar:?]
[2022-11-17 16:01:49] [info] #011at org.ldaptive.LdapURLActivatorService.testInactiveUrls(LdapURLActivatorService.java:107) ~[ldaptive-2.1.1.jar:?]

Ray Bon

17 Nov 2022 12:21:34
to dupalut...@gmail.com, cas-...@apereo.org
I have scheme and port, same as you. I do not have use-start-tls nor use-ssl (which only shows up in cas code for some databases and caches).

You may not need those settings.

Ray

Daniel Fisher

17 Nov 2022 15:20:15
to cas-...@apereo.org
On Thu, Nov 17, 2022 at 10:16 AM BenDDD <dupalut...@gmail.com> wrote:

But if I enable it, the service no longer starts:

LDAPS and startTLS are mutually exclusive. Either use a URL with ldaps:// or use ldap:// and set use-start-tls=true.

--Daniel Fisher
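The two checks this thread arrives at (Daniel's rule that an ldaps:// URL and use-start-tls=true cannot be combined, and Ray's advice to compare property names against the output of ./gradlew exportConfigMetadata) can be run as a small pre-start audit of cas.properties. The script below is an added example written for this thread; it is not CAS project code. The sample properties and the metadata excerpt are constructed, and the key names ldap-url, bind-dn and bind-credential are assumed to match what the exported metadata file lists (only use-start-tls appears in the thread itself). It also flags the third combination the thread does not show, an ldap:// URL with no StartTLS, because that is the one where the bind credential crosses the network in cleartext.

```python
import re

# Constructed cas.properties fragment (not from the thread): the ldaps:// + StartTLS
# mix that fails with "SslHandler is already in use", plus the two settings that
# CAS 6.6.2 reported as no longer recognised in the original post.
SAMPLE_PROPERTIES = """\
cas.authn.ldap[0].ldap-url=ldaps://dc.example.org:636
cas.authn.ldap[0].use-start-tls=true
cas.authn.ldap[0].bind-dn=cn=svc,ou=services,dc=example,dc=org
cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.authn.ldap[0].useSsl=true
"""

# Constructed excerpt in the shape of ./gradlew exportConfigMetadata output
# (commented keys with empty list indices). Names other than use-start-tls are assumed.
SAMPLE_METADATA = """\
# cas.authn.ldap[].ldap-url:
# cas.authn.ldap[].bind-dn:
# cas.authn.ldap[].bind-credential:
# cas.authn.ldap[].use-start-tls:
"""


def parse_properties(text):
    """Minimal Java-properties reader: key=value lines, '#' and '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")  # first '=' only; DNs contain '='
        if sep:
            props[key.strip()] = value.strip()
    return props


def canonical(key):
    """Normalise a key the way relaxed binding treats it: drop list indices and
    fold camelCase into kebab-case, so providerClass and provider-class compare equal."""
    key = re.sub(r"\[\d+\]", "[]", key)
    key = re.sub(r"([a-z0-9])([A-Z])", r"\1-\2", key)
    return key.lower()


def known_keys(metadata_text):
    """Collect the canonical key names listed in an exported metadata file."""
    keys = set()
    for line in metadata_text.splitlines():
        m = re.match(r"#\s*([\w.\[\]-]+):", line.strip())
        if m:
            keys.add(canonical(m.group(1)))
    return keys


def ldap_entries(props):
    """Group cas.authn.ldap[N].* settings by index N under canonical sub-keys."""
    entries = {}
    for key, value in props.items():
        m = re.match(r"cas\.authn\.ldap\[(\d+)\]\.(.+)$", key)
        if m:
            entries.setdefault(int(m.group(1)), {})[canonical(m.group(2))] = value
    return entries


def check_transport(props):
    """Flag ldaps:// combined with StartTLS, and ldap:// with no encryption at all."""
    findings = []
    for idx, entry in sorted(ldap_entries(props).items()):
        url = entry.get("ldap-url", "")
        starttls = entry.get("use-start-tls", "false").lower() == "true"
        if url.startswith("ldaps://") and starttls:
            findings.append(f"ldap[{idx}]: ldaps:// URL with use-start-tls=true; "
                            "use either ldaps:// or ldap:// plus StartTLS, not both")
        elif url.startswith("ldap://") and not starttls:
            findings.append(f"ldap[{idx}]: ldap:// without StartTLS; bind credential "
                            "and queries travel in cleartext")
    return findings


def check_unknown(props, known):
    """Return cas.authn.ldap keys that the exported metadata does not list."""
    return [k for k in props if k.startswith("cas.authn.ldap") and canonical(k) not in known]


def audit(properties_text, metadata_text):
    props = parse_properties(properties_text)
    unknown = check_unknown(props, known_keys(metadata_text))
    return check_transport(props) + [f"unrecognised setting: {k}" for k in unknown]


if __name__ == "__main__":
    for finding in audit(SAMPLE_PROPERTIES, SAMPLE_METADATA):
        print(finding)
```

Run it against the real files by reading /etc/cas/config/cas.properties and the config-metadata.properties that exportConfigMetadata writes; a clean result is an empty list. The canonical() step matters because CAS accepts both camelCase and kebab-case spellings, so a naive string comparison would report every camelCase key as unknown.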

BenDDD

18 Nov 2022 03:59:43
to CAS Community, dfisher
Hi dfisher,

Thank you for this clear explanation.
