Passvators and Connection Strategy 6.1.6


Mallory, Erik

May 18, 2020, 12:22:09 PM
to cas-...@apereo.org
Hello,
Currently we are running CAS 6.1.6 and we have a problem when we reboot
a domain controller. It would appear that the LDAP connection is not
failing over to the second DC in the list, causing logins to fail. We have
four DCs. CAS is configured to use all 4 with a connection strategy
of ACTIVE_PASSIVE and passivators are set to none.

Could someone confirm and explain the relationship (if any) of
passivators to the connection strategy configuration options?
Thanks,
--
Erik Mallory
Server Analyst
Wichita State University

Daniel Fisher

May 18, 2020, 10:35:29 PM
to cas-...@apereo.org
On Mon, May 18, 2020 at 12:22 PM 'Mallory, Erik' via CAS Community <cas-...@apereo.org> wrote:
Could someone confirm and explain the relationship (if any) of
passivators to the connection strategy configuration options?

Passivators are executed when a connection is returned to the pool. The connection strategy defines how multiple URLs should be handled when a connection is opened.

What do your logs say when the domain controller is rebooted?

--Daniel Fisher

Vikash Chandra Ansh

May 21, 2020, 2:01:31 AM
to cas-...@apereo.org
Hi Daniel and Erik,

I am looking for the same concept. Please guide me on how to break the connection pool after a failed login attempt so that the request doesn't go to another one, causing account lockout issues.

Thanks and regards 

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f0da2a0e706e758099f0ceade3eb141e42273d23.camel%40wichita.edu.

erik.m...@gmail.com

May 21, 2020, 12:05:10 PM
to cas-...@apereo.org
Those logs have rolled so I can't post the exact text. LDAP error 81:
can't contact LDAP server. It never seems to fail over to the next
ACTIVE server. This causes logins to fail until I edit the CAS config
or the AD server comes back.

Mallory, Erik

May 22, 2020, 10:43:39 AM
to cas-...@apereo.org
Okay, this just happened a few moments ago. The DCs needed an emergency
reboot and CAS did not handle it as I would expect.
I'd expect CAS to switch to another DC when an LDAP server/connection
error occurs.

Below is the error:
2020-05-22 09:25:22,736 ERROR
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
<[WSUAD]: [Unexpected LDAP error / LDAPException(resultCode=1
(operations error), numEntries=0, numReferences=0,
diagnosticMessage='000004DC: LdapErr: DSID-0C090A59, comment: In order
to perform this operation a successful bind must be completed on the
connection., data 0, v4563', ldapSDKVersion=4.0.12,
revision=aaefc59e0e6d110bf3a8e8a029adb776f6d2ce28')]>

Below is the relevant config.

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://dcsvc-300.ad.wichita.edu ldaps://dcsvc-307.ad.wichita.edu ldaps://latitude.ad.wichita.edu ldaps://longitude.ad.wichita.edu
cas.authn.ldap[0].bindDn=CN=NOPE
cas.authn.ldap[0].bindCredential=secret
cas.authn.ldap[0].baseDn=ou=Wichita State University,dc=ad,dc=wichita,dc=edu
cas.authn.ldap[0].connectionStrategy=ACTIVE_PASSIVE
cas.authn.ldap[0].searchFilter=sAMAccountName={user}
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].dnFormat=%s...@wichita.edu
cas.authn.ldap[0].principalAttributeId=sAMAccountName

I'd super appreciate some guidance here.
Thanks,
--
Erik Mallory
Server Analyst
Wichita State University

On Mon, 2020-05-18 at 22:35 -0400, Daniel Fisher wrote:

Mallory, Erik

May 22, 2020, 12:23:45 PM
to cas-...@apereo.org
I found more log info in our test environment concerning the inability
of CAS to switch to an active AD DC with my configuration.

2020-05-22 09:07:07,607 ERROR
[org.ldaptive.pool.BlockingConnectionPool] - <[
org.ldaptive.pool.BlockingConnectionPool@1704234754::name=null,
poolConfig=[org.ldaptive.pool.PoolConfig@7964874::minPoolSize=3, maxPoolSize=10, validateOnCheckIn=false,
validateOnCheckOut=true, validatePeriodically=true,
validatePeriod=PT5M, validateTimeout=PT5S], activator=null, passivator=
[org.ldaptive.pool.BindPassivator@697150633::bindRequest=[
org.ldaptive.BindRequest@266593343::bindDn=CN=casldapper,CN=Managed Service Accounts,DC=ad,DC=wichita,DC=edu, saslConfig=null,
controls=null, referralHandler=null,
intermediateResponseHandlers=null]], validator=[
org.ldaptive.pool.SearchValidator@1322157662::searchRequest=[
org.ldaptive.SearchRequest@1100233085::
baseDn=, searchFilter=[org.ldaptive.SearchFilter@1642584434::filter=(objectClass=*), parameters={}], returnAttributes=[1.1],
searchScope=OBJECT, timeLimit=PT0S, sizeLimit=1, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED,
searchEntryHandlers=null,
searchReferenceHandlers=[org.ldaptive.referral.SearchReferralHandler$SearchReferenceHandler@2bd6895], controls=null,
referralHandler=org.ldaptive.referral.SearchReferralHandler@6c05228e,
intermediateResponseHandlers=null]]
pruneStrategy=[org.ldaptive.pool.IdlePruneStrategy@85268059::prunePeriod=PT2H, idleTime=PT10M], connectOnCreate=true,
connectionFactory=[org.ldaptive.DefaultConnectionFactory@1223536490::provider=org.ldaptive.provider.unboundid.UnboundIDProvider@376345b,
config=[org.ldaptive.ConnectionConfig@1176659945::ldapUrl=ldaps://dcsvc
longitude.ad.wichita.edu, connectTimeout=PT3M20S, responseTimeout=PT5S,
sslConfig=[org.ldaptive.ssl.SslConfig@1806177976::credentialConfig=null, trustManagers=null, hostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@4e9b6258,
hostnameVerifierConfig=null, enabledCipherSuites=null,
enabledProtocols=null, handshakeCompletedListeners=null], useSSL=true,
useStartTLS=false, connectionInitializer=[
org.ldaptive.BindConnectionInitializer@2088588092::bindDn=CN=casldapper,CN=Managed Service Accounts,DC=ad,DC=wichita,DC=edu,
bindSaslConfig=null, bindControls=null],
connectionStrategy=org.ldaptive.ActivePassiveConnectionStrategy@29b56e75
]], initialized=true, availableCount=0, activeCount=0] unable to
connect to the ldap>
org.ldaptive.LdapException: LDAPException(resultCode=49 (invalid
credentials), diagnosticMessage='80090308: LdapErr: DSID-0C090436,
comment: AcceptSecurityContext error, data 52e, v4563
^@', ldapSDKVersion=4.0.12,
revision=aaefc59e0e6d110bf3a8e8a029adb776f6d2ce28

Please advise.
Thanks,
--
Erik Mallory
Server Analyst
Wichita State University


On Mon, 2020-05-18 at 22:35 -0400, Daniel Fisher wrote:

Daniel Fisher

May 22, 2020, 2:28:45 PM
to cas-...@apereo.org
On Fri, May 22, 2020 at 12:23 PM 'Mallory, Erik' via CAS Community <cas-...@apereo.org> wrote:

org.ldaptive.LdapException: LDAPException(resultCode=49 (invalid
credentials), diagnosticMessage='80090308: LdapErr: DSID-0C090436,
comment: AcceptSecurityContext error, data 52e, v4563
^@', ldapSDKVersion=4.0.12,
revision=aaefc59e0e6d110bf3a8e8a029adb776f6d2ce28

Can you confirm the bind credentials work against all 4 directories?

--Daniel Fisher

erik.m...@gmail.com

May 22, 2020, 3:09:23 PM
to cas-...@apereo.org
Yes.
I'm guessing the failure is due to the fact that I do not have validators
configured.
I've added the configuration for validators now in our dev
environment.

Daniel Fisher

May 22, 2020, 9:13:59 PM
to cas-...@apereo.org
On Fri, May 22, 2020 at 3:09 PM <erik.m...@gmail.com> wrote:
Yes.
I'm guessing the failure is due to the fact that I do not have validators
configured.
I've added the configuration for validators now in our dev
environment.

The connection pool error you posted looks like a bind failure from your service credentials. See if you can correlate that error in your directory logs; that's probably a piece of the puzzle.

The error coming from PolicyBasedAuthenticationManager does look like you need to configure a pool passivator, but to that end I don't see how these two errors are related. And notably, they are more than 15 minutes apart in the logs.

--Daniel Fisher
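The two settings Daniel separates above (the passivator runs on check-in, the connection strategy runs when a connection is opened) and the pool validator Erik adds in his follow-up do different jobs, and the two errors in this thread each map to one of them. The following is an added illustration, not CAS or ldaptive code: a toy pool modelled on the ldaptive settings named in the log dump (ACTIVE_PASSIVE strategy, a rootDSE SearchValidator run on checkout, a BindPassivator run on check-in). Server names, DNs and passwords are constructed; the behaviour that a failed bind leaves a connection anonymous follows RFC 4511 section 4.2.1.

```python
# Constructed example (not CAS/ldaptive code): models an ldaptive-style pool
# with an ACTIVE_PASSIVE strategy, an optional checkout validator and an
# optional BIND passivator, to reproduce the thread's two failure modes.
from dataclasses import dataclass, field
from typing import Optional

class LdapError(Exception):
    """Carries an LDAP result code the way the thread's log lines do."""
    def __init__(self, code: int, msg: str):
        super().__init__(f"resultCode={code} ({msg})")
        self.code = code

SVC_DN, SVC_PW = "CN=svc,DC=example,DC=test", "svc-secret"   # constructed service account
USER_DN, USER_PW = "CN=alice,DC=example,DC=test", "alice-pw"  # constructed end user

@dataclass
class FakeDc:
    url: str
    up: bool = True
    users: dict = field(default_factory=lambda: {USER_DN: USER_PW})

@dataclass
class Connection:
    dc: FakeDc
    bound_as: Optional[str] = None   # None: no successful bind on this connection

    def bind(self, dn: str, pw: str) -> None:
        if not self.dc.up:
            raise LdapError(81, "can't contact LDAP server")
        expected = SVC_PW if dn == SVC_DN else self.dc.users.get(dn)
        if expected != pw:
            self.bound_as = None   # RFC 4511: a failed bind leaves the connection anonymous
            raise LdapError(49, "invalid credentials, data 52e")
        self.bound_as = dn

    def search(self, base: str, filt: str) -> list:
        if not self.dc.up:
            raise LdapError(81, "can't contact LDAP server")
        if base and self.bound_as is None:   # rootDSE (base "") is readable without a bind
            raise LdapError(1, "operations error: a successful bind must be completed")
        return [f"{base}?{filt}"]

class ActivePassiveStrategy:
    """Try the URLs in configured order and use the first one that answers."""
    def __init__(self, dcs): self.dcs = dcs
    def connect(self) -> Connection:
        for dc in self.dcs:
            if dc.up:
                return Connection(dc)
        raise LdapError(81, "can't contact any LDAP server")

class Pool:
    def __init__(self, strategy, validate_on_checkout: bool, passivator: str):
        self.strategy, self.validate_on_checkout = strategy, validate_on_checkout
        self.passivator = passivator            # "NONE" or "BIND"
        self.idle = [self._open()]              # pool size 1 keeps the example readable

    def _open(self) -> Connection:
        conn = self.strategy.connect()          # strategy only runs when a connection is opened
        conn.bind(SVC_DN, SVC_PW)               # BindConnectionInitializer: bind as service account
        return conn

    def checkout(self) -> Connection:
        conn = self.idle.pop()
        if self.validate_on_checkout:
            try:
                conn.search("", "(objectClass=*)")   # SearchValidator against the rootDSE
            except LdapError:
                conn = self._open()             # dead connection: reopen through the strategy
        return conn

    def checkin(self, conn: Connection) -> None:
        if self.passivator == "BIND":
            conn.bind(SVC_DN, SVC_PW)           # BindPassivator: restore the service bind
        self.idle.append(conn)

def authenticate(pool: Pool, user_dn: str, pw: str) -> bool:
    """AUTHENTICATED flow: search for the user on a pooled connection, then bind as the user."""
    conn = pool.checkout()
    try:
        conn.search("DC=example,DC=test", f"(distinguishedName={user_dn})")
        try:
            conn.bind(user_dn, pw)
            return True
        except LdapError as e:
            if e.code == 49:
                return False
            raise
    finally:
        pool.checkin(conn)

def failed_login_then_good_login(passivator: str) -> str:
    """Result of a good login that follows a failed one on the same pooled connection."""
    pool = Pool(ActivePassiveStrategy([FakeDc("ldaps://dc1.example.test")]), False, passivator)
    authenticate(pool, USER_DN, "wrong-pw")       # False; connection is now anonymous
    try:
        return "ok" if authenticate(pool, USER_DN, USER_PW) else "bad password"
    except LdapError as e:
        return f"resultCode={e.code}"

def dc_reboot(validate_on_checkout: bool) -> str:
    """URL that served a login after dc1 went down, or the result code that was raised."""
    dc1, dc2 = FakeDc("ldaps://dc1.example.test"), FakeDc("ldaps://dc2.example.test")
    pool = Pool(ActivePassiveStrategy([dc1, dc2]), validate_on_checkout, "BIND")
    dc1.up = False                              # the pooled connection now points at a dead DC
    try:
        authenticate(pool, USER_DN, USER_PW)
        return pool.idle[-1].dc.url
    except LdapError as e:
        return f"resultCode={e.code}"
```

Without a BIND passivator, a failed user bind leaves the pooled connection anonymous, and the next user's search on it produces the resultCode=1 "a successful bind must be completed" error from PolicyBasedAuthenticationManager. Without a checkout validator, the pool keeps handing out connections to the rebooted DC and the ACTIVE_PASSIVE strategy never gets a chance to act, because the strategy is only consulted when a new connection is opened; with validation on checkout the dead connection is discarded and the strategy picks the next reachable URL. Which CAS property names map onto these settings (poolPassivator, validator.type and the validateOnCheckout family in the CAS 6.x LDAP property reference, as I recall them) should be checked against the documentation for the version in use.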
