Is there a preferred OS?


charlie derr

Jun 25, 2024, 9:39:58 AM (4 days ago) Jun 25
to cas-...@apereo.org, IT Department
Hi all, 

As we work on attempting to bring a CAS7 instance into production to replace an older version, we're finding that we're struggling with some basics (the previous sysadmin who did the heavy lifting in standing up that older version a number of years ago has moved on and is no longer part of our team). 

Is tomcat10 running on debian12 a reasonable choice to make? We use debian for almost all of our GNU/linux VMs now for all other server applications. But if CAS is just easier, more robust, and/or not as challenging to properly secure on RHEL9 or some other distro, we're willing to consider that. 

And on any platform, how can we enable debug-level logging? Our biggest challenge right at the moment is to get a new CAS7 development instance to talk to our test LDAP server. Success has been achieved by a colleague of mine when he installed both the CAS instance and a test LDAP server on the same VM, but we need to have the CAS server talk to an LDAP server on another VM for production, and we can't seem to make that happen (ldapsearch queries from the CAS server's bash shell to the external LDAP server succeed, so we don't think there are firewall/network issues causing problems). It'd be great if we could find a way to have verbose logging on the LDAP connection attempt that's failing from within CAS, catalina, and/or tomcat...

thanks so very much in advance for whatever information you might have and/or pointers to specific documentation we might have missed (or not read thoroughly enough?),

~c
--
Charlie Derr   Director of Instructional Technology
Bard College at Simon's Rock  https://simons-rock.edu
413-528-7344   Pronouns: he/him/his

Frédéric Dussurget

Jun 25, 2024, 10:53:30 AM (4 days ago) Jun 25
to CAS Community, charlie derr, IT Department
Hi,
Yes, it runs fine on:
- Debian 12
- Tomcat 10 from the distro
- OpenJDK 21 from download.java.net/java/GA/jdk21/... (just be sure to link the CA certificates file to the distro's, something like this: sudo ln -s /etc/ssl/certs/java/cacerts /usr/lib/jvm/java-21-openjdk-amd64/lib/security/cacerts)

You might turn on debug mode by editing /etc/cas/config/log4j2.xml to get errors in catalina.out (turn warn to debug).

Obviously you might also check your LDAP server and firewall logs, traffic on your network interfaces, etc.

Have you added those deps before building your cas-overlay-config clone to make it work with LDAP (at the very bottom of the build.gradle file)?:

    implementation "org.apereo.cas:cas-server-support-ldap"
    implementation "org.apereo.cas:cas-server-support-ldap-core"

(Note that if you're using LDAP for other purposes (AUP, surrogate ...), you'll have to add more LDAP deps ...)

Have you tried ldapsearch requests through SSL (StartTLS/LDAPS) from the command line?

hope it helps
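A preflight script that walks the checks raised in this reply from the CAS host: whether the JDK's cacerts really resolves to the distro bundle (the reason a shell ldapsearch can succeed while CAS, running on the JDK's own truststore, fails on TLS), then ldapsearch in plain, StartTLS and LDAPS modes. This is an added example, not code from the thread or from CAS; the host, base DN, bind DN, JDK path and the /etc/ssl/certs/java/cacerts location are assumed placeholders.

```shell
#!/usr/bin/env bash
# Preflight checks for a CAS host that must reach an external LDAP server.
# Added example, not from the thread or from CAS. Host, base DN, bind DN,
# JDK path and the distro cacerts location are assumed placeholders.
set -u

DISTRO_CACERTS="${DISTRO_CACERTS:-/etc/ssl/certs/java/cacerts}"

# "ok" when the JDK's cacerts resolves to the distro bundle (the symlink suggested
# above); "missing" or "mismatch" otherwise. In the mismatch case Java does not
# trust the CA that ldapsearch (which reads /etc/ssl/certs) already trusts.
java_truststore_state() {
  local ts="$1/lib/security/cacerts"
  [ -e "$ts" ] || { echo "missing"; return 1; }
  if [ "$(readlink -f "$ts")" = "$(readlink -f "$DISTRO_CACERTS")" ]; then
    echo "ok"
  else
    echo "mismatch"; return 1
  fi
}

# The three transport modes CAS may be configured for: plain, StartTLS, LDAPS.
# -ZZ makes StartTLS mandatory, so a CA problem fails here instead of silently falling back.
ldap_connectivity_checks() {
  local host="$1" base="$2" binddn="$3"
  echo "== plain bind to $host:389"
  ldapsearch -x -H "ldap://$host:389" -D "$binddn" -W -b "$base" -s base '(objectClass=*)' dn
  echo "== StartTLS on 389"
  ldapsearch -x -ZZ -H "ldap://$host:389" -D "$binddn" -W -b "$base" -s base '(objectClass=*)' dn
  echo "== LDAPS on 636: certificate the server presents (check its issuer against the truststore)"
  openssl s_client -connect "$host:636" </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
}

# Usage: preflight.sh ldap.example.org dc=example,dc=org cn=cas,dc=example,dc=org /usr/lib/jvm/java-21-openjdk-amd64
if [ "$#" -eq 4 ]; then
  java_truststore_state "$4" || echo "hint: sudo ln -sf $DISTRO_CACERTS $4/lib/security/cacerts"
  ldap_connectivity_checks "$1" "$2" "$3"
fi
```

If the truststore check reports "mismatch" but all three ldapsearch modes succeed, the failure is inside the JVM's trust path rather than the network, which is where the log4j2 debug output becomes useful.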

charlie derr

Jun 25, 2024, 11:33:10 PM (4 days ago) Jun 25
to Frédéric Dussurget, CAS Community, IT Department
Thanks so much for all the great information!

In particular though I just want to ask about this detail (and I'll dive
into all the others shortly as well to double-check everything that I had
thought I had done correctly):

On 6/25/24 10:49, Frédéric Dussurget wrote:
> Have you tried ldapsearch requests through SSL (StartTLS/LDAPS) from the
> command line?

My understanding was that it should be possible to get non-ssl
connections to work from the CAS server (just in test mode to get over
this hurdle). Is this not true? Does CAS insist on encrypting that
request during transport?

We do have ldaps available (on port 636) on our LDAP server, but if my
assumption was wrong (and it really is necessary for the traffic between
the CAS server and the LDAP server to use SSL), then perhaps a
certificate issue may be preventing the connection...

thanks again,
~c


--
Bard College at Simon's Rock & Bard Academy
Director of Instructional Technology 413.528.7344
https://simons-rock.edu/~cderr/Charlie_Derr_public_key.text
cd...@simons-rock.edu they/them/theirs or he/him/his both fine