Issue with CAS 6 password management


MD. Fazla Rabby

Nov 20, 2018, 12:03:06 PM
to CAS Community
We are already using CAS 5.2 and password management is working fine. But for CAS version 6 we are getting the LDAP referral error "java.security.cert.CertificateException: Hostname does not match the hostname in the server's certificate site:stackoverflow.com".
How can we get around this?

This is my cas.properties



cas.authn.pm.enabled=true
cas.authn.pm.policyPattern=^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$%~()_{}-]).{8,}$
cas.authn.pm.reset.text=Reset your password with this link: %s
cas.authn.pm.reset.subject=Password Reset Request
cas.authn.pm.reset.from=myemail.mydomain.com


#password reset expiry is set to 1 day equivalent minutes
cas.authn.pm.reset.expirationMinutes=1440
cas.authn.pm.reset.emailAttribute=secondaryEmail
cas.authn.pm.reset.securityQuestionsEnabled=true

# Automatically log in after successful password change
cas.authn.pm.autoLogin=false

# Used to sign/encrypt the password-reset link
cas.authn.pm.reset.crypto.encryption.key=asdasdasdasdasdasdasdasdasdasd
cas.authn.pm.reset.crypto.signing.key=asdasdasasdasdasdasdadsadasdasdasdasd
cas.authn.pm.reset.crypto.enabled=true


#Email Submissions

spring.mail.host=smtp.office365.com
spring.mail.port=587
spring.mail.username=mye...@email.com
spring.mail.password=pass
spring.mail.testConnection=true
spring.mail.properties.mail.smtp.auth=true
spring.mail.properties.mail.smtp.starttls.enable=true

#
##LDAP Password management
#
cas.authn.pm.ldap.type=AD
#
cas.authn.pm.ldap.ldapUrl=ldaps://myldap:636
cas.authn.pm.ldap.useSsl=true
cas.authn.pm.ldap.useStartTls=false
cas.authn.pm.ldap.connectTimeout=50000
cas.authn.pm.ldap.baseDn=DC=xx,DC=xx,DC=xx,DC=xx
cas.authn.pm.ldap.searchFilter=cn={user}
cas.authn.pm.ldap.subtreeSearch=true
cas.authn.pm.ldap.bindDn=CN=xx,OU=xx,DC=xx,DC=xx,DC=xx,DC=xx
cas.authn.pm.ldap.bindCredential=pass
# cas.authn.pm.ldap.connectionStrategy=
cas.authn.pm.ldap.trustCertificates=file:/etc/cas/myldap.cer
## cas.authn.pm.ldap.keystore=
## cas.authn.pm.ldap.keystorePassword=
## cas.authn.pm.ldap.keystoreType=JKS|JCEKS|PKCS12
cas.authn.pm.ldap.poolPassivator=BIND
cas.authn.pm.ldap.minPoolSize=3
cas.authn.pm.ldap.maxPoolSize=10
cas.authn.pm.ldap.validateOnCheckout=true
cas.authn.pm.ldap.validatePeriodically=true
cas.authn.pm.ldap.validatePeriod=600
cas.authn.pm.ldap.validateTimeout=5000
cas.authn.pm.ldap.failFast=true
cas.authn.pm.ldap.idleTime=500
cas.authn.pm.ldap.prunePeriod=600
cas.authn.pm.ldap.blockWaitTime=5000
##cas.authn.pm.ldap.providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
#
## Attributes that should be fetched to indicate security questions and answers,
## assuming security questions are enabled.
cas.authn.pm.ldap.securityQuestionsAttributes.attributeQuestion1=attributeAnswer1
cas.authn.pm.ldap.securityQuestionsAttributes.attributeQuestion2=attributeAnswer2
cas.authn.pm.ldap.securityQuestionsAttributes.attrQuestion3=attributeAnswer2
#
cas.authn.pm.ldap.validator.type=SEARCH
cas.authn.pm.ldap.validator.baseDn=DC=xx,DC=xx,DC=xx,DC=xx
##cas.authn.pm.ldap.validator.searchFilter=(objectClass=*)
cas.authn.pm.ldap.validator.scope=SUBTREE


Ray Bon

Nov 20, 2018, 12:28:41 PM
to cas-...@apereo.org
Are you running the upgrade on a new host? A custom certificate?
You can create a certificate with build.sh gencert and import it with the command at the bottom of https://apereo.github.io/cas/5.3.x/installation/X509-Authentication.html

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

matrix

Nov 20, 2018, 12:40:46 PM
to cas-...@apereo.org
The certificate is the host certificate of the LDAP server. LDAP is configured in such a way that a reset password request requires an SSL connection/LDAPS. For version 5.2 we have the LDAP referral, so we modified our CAS servers' hosts file to point it to the IP and it works. But in CAS 6 authentication with LDAP works fine, but password management doesn't work even after changing the hosts file. When we try to reset a password, at first we get an error of no email address found and then it switches the view from enter your username/reset password to enter email address/forgot username.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1542734910.2802.5.camel%40uvic.ca.
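A hosts-file entry only changes which IP a name resolves to. TLS hostname verification compares the host written in cas.authn.pm.ldap.ldapUrl against the DNS (or IP) entries in the server certificate's subjectAltName, so a short name such as "myldap" will never match a certificate issued for "myldap.example.com", whatever the hosts file says. The following is an added example, not code from the thread, from CAS or from ldaptive, that applies the RFC 6125 matching rules offline to an LDAP URL and a list of SAN entries; the SAN list is constructed here, and the function names are this example's own.

```python
from typing import Iterable, Optional
from urllib.parse import urlsplit


def ldap_host(url: str) -> str:
    """Host component of an ldap:// or ldaps:// URL: the name TLS verification checks."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an LDAP URL: {url}")
    return parts.hostname.rstrip(".").lower()


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: exact, or a single '*' standing for the whole leftmost label."""
    pattern = pattern.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == hostname
    first, _, rest = pattern.partition(".")
    if first != "*" or not rest:
        return False  # partial wildcards (f*o.example.com) and a bare '*' are rejected
    host_first, _, host_rest = hostname.partition(".")
    # the wildcard covers exactly one label and must not sit directly under the TLD
    return host_first != "" and host_rest == rest and "." in rest


def certificate_matches_url(url: str, san_names: Iterable[str]) -> Optional[str]:
    """Return the SAN entry that authorises the URL's host, or None (the
    'Hostname does not match the hostname in the server's certificate' case)."""
    hostname = ldap_host(url)
    san_list = list(san_names)
    for san in san_list:
        kind, _, value = san.partition(":")
        if kind.strip().upper() == "DNS" and dns_name_matches(value.strip(), hostname):
            return san
    # an IP literal in the URL (ldaps://10.0.0.5:636) only matches an IP: entry
    for san in san_list:
        kind, _, value = san.partition(":")
        if kind.strip().upper() == "IP" and value.strip() == hostname:
            return san
    return None


# Constructed sample: a directory server whose certificate names its FQDN,
# a wildcard for the AD domain controllers, and one IP address.
SAMPLE_SAN = ["DNS:myldap.example.com", "DNS:*.ad.example.com", "IP:10.0.0.5"]

if __name__ == "__main__":
    for url in ("ldaps://myldap:636", "ldaps://myldap.example.com:636"):
        print(url, "->", certificate_matches_url(url, SAMPLE_SAN))
```

To obtain the real SAN list for the server, run `openssl s_client -connect myldap:636 </dev/null | openssl x509 -noout -ext subjectAltName` from the CAS host and feed the DNS:/IP: entries to certificate_matches_url. The fix is then either to put the certificate's name in ldapUrl or to reissue the server certificate with the name CAS uses; importing the certificate into a trust store (cas.authn.pm.ldap.trustCertificates) settles trust, not the hostname check.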

arti wavale

Jun 20, 2020, 12:29:56 AM
to CAS Community
Can you explain to me how you implemented password management in CAS 5.2? Can you share your cas.properties file and which dependency you used in the pom.xml file?

Vikash Chandra Ansh

Jun 22, 2020, 3:23:54 PM
to cas-...@apereo.org
Hi Arti,

How are you proceeding with LDAP password management? Please involve me as well, as I want to incorporate this in my application.

Thanks and Regards


arti wavale

Jun 23, 2020, 1:44:12 AM
to CAS Community
All detailed information is provided in a document. Please find the attachment.

I am facing an error such as "could not update the account password".

If anyone can help to resolve this issue.

-------------------------------------------------------------------------------------------------
Pom.xml:

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-pm-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>


cas.properties:


cas.authn.accept.users=
cas.authn.ldap[0].order=0
cas.authn.ldap[0].name=LDAP Server
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://localhost
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=50000
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].validatePeriod=270
cas.authn.ldap[0].userFilter=cn={user}
#cas.authn.ldap[0].userFilter=(|(uid={user})(cn={user})(mail={user}))
cas.authn.ldap[0].baseDn=dc=example,dc=com
#cas.authn.ldap[0].enhanceWithEntryResolver=true
#cas.authn.ldap[0].dnFormat:cn=%s,cn=admin,dc=example,dc=com
cas.authn.ldap[0].bindDn=cn=admin,dc=example,dc=com
cas.authn.ldap[0].bindCredential=administrator
cas.authn.ldap[0].enhanceWithEntryResolver=true
cas.authn.ldap[0].dnFormat:cn=%s,cn=admin,dc=example,dc=com
cas.authn.ldap[0].principalAttributeList=memberOf,uid,cn,mail
cas.authn.ldap[0].collectDnAttribute=false


cas.authn.ldap[0].principalAttributeId=cn
cas.authn.ldap[0].principalAttributePassword=userPassword
# attributes to be retrieved from LDAP userPassword
#cas.authn.ldap[0].principalAttributeList=uid,cn,mail
#cas.authn.ldap[0].collectDnAttribute=false
cas.authn.ldap[0].principalDnAttributeName=principalLdapDn
cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
cas.authn.ldap[0].allowMissingPrincipalAttributeValue=true
# cas.authn.ldap[0].credentialCriteria=
# LDAP Password Encoding
# cas.authn.ldap[0].passwordEncoder.type=
# cas.authn.ldap[0].passwordEncoder.characterEncoding=UTF-8
# cas.authn.ldap[0].passwordEncoder.encodingAlgorithm=SHA
# LDAP Pooling
cas.authn.ldap[0].minPoolSize=3
cas.authn.ldap[0].maxPoolSize=50
cas.authn.ldap[0].validateOnCheckout=true
cas.authn.ldap[0].validatePeriodically=true
cas.authn.ldap[0].validatePeriod=600
cas.authn.ldap[0].failFast=true
cas.authn.ldap[0].idleTime=5000
cas.authn.ldap[0].prunePeriod=5000
cas.authn.ldap[0].blockWaitTime=5000

cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.authn.ldap[0].allowMultipleDns=false





#Password Management

spring.mail.host=mail.technology.com
spring.mail.port=587
spring.mail.username=x...@technology.com
spring.mail.password=xxxxxx
spring.mail.testConnection=true
spring.mail.properties.mail.smtp.auth=true
spring.mail.properties.mail.smtp.starttls.enable=true

cas.authn.pm.enabled=true
#cas.authn.pm.policyPattern=^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$%~()_{}-]).{8,}$
#cas.authn.pm.reset.text=password reset:%s
cas.authn.pm.reset.text=Reset your password with this link: %s
#cas.authn.pm.reset.subject=armor password reset
cas.authn.pm.reset.subject=Password Reset Request
cas.authn.pm.reset.from=${spring.mail.username}
cas.authn.pm.reset.expirationMinutes=10
cas.authn.pm.reset.emailAttribute=mail
cas.authn.pm.reset.securityQuestionsEnabled=false
cas.authn.pm.autoLogin=false

cas.authn.pm.reset.crypto.encryption.key=xxxxxxxxxxxxxxxxxxxxxxxx
cas.authn.pm.reset.crypto.signing.key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
cas.authn.pm.reset.crypto.enabled=true


#cas.authn.pm.enabled=true
cas.authn.pm.ldap.type=GENERIC
cas.authn.pm.ldap.ldapUrl=${cas.authn.ldap[0].ldapUrl}
cas.authn.pm.ldap.useSsl=false
cas.authn.pm.ldap.connectTimeout=5000
cas.authn.pm.ldap.baseDn=${cas.authn.ldap[0].baseDn}
cas.authn.pm.ldap.userFilter=${cas.authn.ldap[0].userFilter}
cas.authn.pm.ldap.subtreeSearch=true
cas.authn.pm.ldap.bindDn=cn=admin,dc=example,dc=com
cas.authn.pm.ldap.bindCredential=administrator
cas.authn.pm.ldap.poolPassivator=BIND
cas.authn.pm.ldap.minPoolSize=3
cas.authn.pm.ldap.maxPoolSize=10
cas.authn.pm.ldap.validateOnCheckout=true
cas.authn.pm.ldap.validatePeriodically=true
cas.authn.pm.ldap.validatePeriod=600
cas.authn.pm.ldap.validateTimeout=5000
cas.authn.pm.ldap.failFast=true

cas.authn.pm.ldap.idleTime=500
cas.authn.pm.ldap.prunePeriod=600
cas.authn.pm.ldap.blockWaitTime=5000
cas.authn.pm.ldap.providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider

#validator
cas.authn.pm.ldap.validator.type=SEARCH
cas.authn.pm.ldap.validator.baseDn=dc=example,dc=com
#cas.authn.pm.ldap.validator.searchFilter=(objectClass=*)
cas.authn.pm.ldap.validator.scope=SUBTREE

-----------------------------------------------------------------------


Thanks and Regards
Arti
Detail Document.pdf

Vikash Chandra Ansh

Jun 23, 2020, 2:22:15 AM
to cas-...@apereo.org
Hey Arti,

Can you share your number? I have some doubts.

Vikash Chandra


Root

Jun 23, 2020, 2:28:16 AM
to CAS Community

@Arthi,

Have you included "cas.authn.pm.ldap.searchFilter=cn={user}" in cas.properties? And you should enable debug mode on both the CAS and LDAP server side and check both logs to get more detail.

arti wavale

Jun 23, 2020, 4:58:14 AM
to CAS Community
Hello Root,

First of all,
Thank you so much for your reply..

I'm using CAS v5.2, in which I have used "cas.authn.pm.ldap.userFilter=cn={user}" in the cas.properties file. The userFilter attribute was renamed to searchFilter in CAS v5.3, but still I have tried "cas.authn.pm.ldap.searchFilter=cn={user}" in the cas.properties file and checked it, but the same error occurred.

Thanks and Regards
Arti

Root

Jun 23, 2020, 6:31:08 AM
to CAS Community

OK, but what about the logs? Looking at the logs you can get some hint. Have you enabled CAS debug mode (<Root level="DEBUG">) in the cas-log4j2.xml file? And also in your LDAP server there is some option to enable debug/verbose mode. After enabling and restarting the services, tail both logs and try to change the LDAP password, and see what error you get in the logs.



Root

Jul 8, 2020, 7:40:33 AM
to CAS Community, arti wavale
The log is too much, but I can see the error is related to the LDAP password storage type. What type of algorithm is used to store the password (SSHA, SHA-512, scrypt, MD5, etc.) and which character encoding? The default should be UTF-8.

Try to keep the defaults, or just don't specify too many variables relating to this in the CAS properties.

On Wednesday, July 8, 2020 at 10:03:18 AM UTC+5:30 arti wavale wrote:
Hello,

I am providing the cas.log file. Please check it once, and if you have any idea how to resolve the password management problem then please guide me.

arti wavale

Jul 8, 2020, 10:57:30 AM
to CAS Community, artiw...@gmail.com
Hello root,

Thanks for quick response

I have used the SHA format for the LDAP password.

I also tried the properties below in the cas.properties file, but the problem is still the same, which is "could not update account password".

# LDAP Password Encoding
cas.authn.ldap[0].passwordEncoder.type=DEFAULT
cas.authn.ldap[0].passwordEncoder.characterEncoding=UTF-8
cas.authn.ldap[0].passwordEncoder.encodingAlgorithm=SHA

I have one doubt: right now I am using a simple LDAP connection, meaning url=ldap://localhost:389, so is that a reason password management is not working?
Is there any compulsion to use an SSL LDAP connection, meaning url=ldaps://localhost:636, and only then will password management work?

Thanks and Regards
Arti

indiandefence

Jul 8, 2020, 7:48:57 PM
to cas-...@apereo.org

SHA is a pretty simple algorithm, but weak too; if you are testing it's fine, but it is not good for production.
Yes, you should give it a try with 636, and as new browsers are pushing towards HTTPS, using an encrypted connection should become the default.



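On the storage-format point raised in the last few messages: a {SHA} userPassword is an unsalted SHA-1 of the password, so two accounts with the same password carry identical values and one precomputed table cracks a whole directory dump, whereas {SSHA} mixes in a random salt per entry. The following is an added example, not code from the thread, from CAS or from any LDAP server, that produces and verifies both formats the way OpenLDAP stores them (base64 of the digest, with the salt appended to the digest for {SSHA}); the 8-byte salt length and the function names are this example's own choices. The scheme itself is chosen on the server side (OpenLDAP's password-hash setting), not in cas.properties.

```python
import base64
import hashlib
import hmac
import os
from typing import Callable, Optional

SALT_LEN = 8  # example choice; OpenLDAP accepts any salt length on verification


def ldap_sha(password: str) -> str:
    """{SHA}: unsalted SHA-1, base64 encoded. Same password always gives the same value."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def ldap_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA}: SHA-1(password || salt) with the salt appended, then base64 encoded."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ldap_password(password: str, stored: str) -> bool:
    """Check a candidate password against a {SHA} or {SSHA} userPassword value."""
    pw = password.encode("utf-8")  # the encoding the thread says should stay at UTF-8
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digests are always 20 bytes
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    raise ValueError("unsupported userPassword scheme: " + stored.split("}")[0] + "}")


def same_password_detectable(scheme: Callable[[str], str], password: str) -> bool:
    """True when two accounts sharing a password are visibly linked in a directory dump."""
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    for scheme in (ldap_sha, ldap_ssha):
        print(scheme.__name__, scheme("secret"), "linkable:", same_password_detectable(scheme, "secret"))
```

Both schemes are still SHA-1 based; {SSHA} removes the linkability and table-lookup problem but not the speed of the hash, which is why the advice above is to treat SHA as a test-environment setting and use a slow, salted scheme (for example the scrypt option named in the thread) in production.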

arti wavale

Jul 9, 2020, 9:32:14 AM
to CAS Community
Hello Root Sir,

Thank you so much for guiding me and helping me to resolve the problem.
Appreciated.

Thanks and Regards
Arti

indiandefence

Jul 10, 2020, 9:54:07 AM
to cas-...@apereo.org
Glad it helped you. 👍


