@mmoayyed, have you got any news about the PM feature? Is there any 6.x version with this functionality resolved? Thanks in advance.
After this commit: apereo/cas@58345b0, password management is not working; any method annotated with @Async that calls "ClientInfoHolder.getClientInfo()" throws an NPE because ClientInfoHolder uses a ThreadLocal.
@mmoayyed Please check this commit, there are problems with PM and Audit.
{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "https://example.com:8081/app\\?client_name=CasClient",
  "name": "My App",
  "id": 8081,
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": true,
    "ssoEnabled": false,
    "delegatedAuthenticationPolicy" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
      "allowedProviders" : [ "java.util.ArrayList", [ "Microsoft Account" ] ]
    }
  }
}
// Resolve the registered service from the payload, falling back to a lookup by
// audience, then enforce its access strategy before going any further.
val registeredService = payload.getRegisteredService() == null
    ? locateRegisteredService(serviceAudience)
    : payload.getRegisteredService();
RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(registeredService);
org.apereo.services.persondir.IPersonAttributeDao is called on every creation of a ProxyGrantingTicket. For me it looks like org.apereo.cas.audit.AuditableExecution.execute(AuditableContext) leads to org.apereo.cas.authentication.principal.cache.AbstractPrincipalAttributesRepository.retrievePersonAttributesToPrincipalAttributes(String), which is called for any service URL. Is this the intended behavior?
@mmoayyed tested 6.1.2 with same results, CAS sends the token to the user, but the token fails to load a form, instead loads the login form again
This is my relevant config (anonymizing some fields though):
cas.authn.pm.enabled=true
cas.authn.pm.ldap.type=AD
cas.authn.pm.ldap.usernameAttribute=userPrincipalName
cas.authn.pm.ldap.searchFilterUsername=(userPrincipalName={user})
cas.authn.pm.ldap.ldapUrl=ldap://...:389
cas.authn.pm.ldap.useSsl=false
cas.authn.pm.ldap.baseDn=OU=produccion,DC=...,DC=...
cas.authn.pm.ldap.searchFilter=(userPrincipalName={user})
cas.authn.pm.ldap.bindDn=...
cas.authn.pm.ldap.bindCredential=.....
cas.authn.pm.reset.mail.from=autenticacion.noreply@...
cas.authn.pm.reset.mail.attributeName=userPrincipalName
cas.authn.pm.reset.mail.text=To recover your password, follow the instructions at this link: %s
cas.authn.pm.reset.mail.subject=Password change request
cas.authn.pm.reset.mail.from=....
cas.authn.pm.reset.mail.attributeName=email
cas.authn.pm.reset.mail.text=Reset your password with this link: %s
cas.authn.pm.reset.mail.subject=Password Reset Request
cas.authn.pm.reset.expirationMinutes=10
spring.mail.host=....
spring.mail.port=25
spring.mail.username=....
spring.mail.password=....
spring.mail.testConnection=true
spring.mail.properties.mail.smtp.auth=true
spring.mail.properties.mail.smtp.starttls.enable=false
The most annoying thing is that nothing appears in the log; I've got trace level enabled.
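Both Password Management configurations in this thread define some keys more than once (the cas.authn.pm.reset.mail.* settings appear in two blocks above; the OpenLDAP configuration further down repeats cas.authn.pm.autoLogin). java.util.Properties keeps the last value it reads for a key, so the second definition silently replaces the first. The script below is an added example, not code from the CAS project or from anyone in this thread: it parses a .properties fragment the way java.util.Properties reads it and reports repeated keys together with the value that actually takes effect. The sample text is constructed from the key/value lines of the post above, with the elided values left exactly as posted.

```python
"""Added example (not from the thread or from CAS): find keys that are defined
more than once in a Java .properties fragment and show which value wins."""
import re

# Constructed sample: key/value lines taken from the AD configuration posted
# above; the "..." values are the poster's own elisions, not real data.
SAMPLE_PROPERTIES = """\
cas.authn.pm.enabled=true
cas.authn.pm.ldap.type=AD
cas.authn.pm.reset.mail.from=autenticacion.noreply@...
cas.authn.pm.reset.mail.attributeName=userPrincipalName
cas.authn.pm.reset.mail.text=To recover your password, follow the instructions at this link: %s
cas.authn.pm.reset.mail.subject=Password change request
cas.authn.pm.reset.mail.from=....
cas.authn.pm.reset.mail.attributeName=email
cas.authn.pm.reset.mail.text=Reset your password with this link: %s
cas.authn.pm.reset.mail.subject=Password Reset Request
cas.authn.pm.reset.expirationMinutes=10
"""

# key, optional whitespace, optional '=' or ':' separator, optional whitespace, value
_KV = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")


def parse_properties(text):
    """Return (key, value) pairs in file order, keeping repeats.

    Covers the common java.util.Properties rules: '=' or ':' separators,
    leading whitespace ignored, '#'/'!' comment lines and blank lines skipped,
    a trailing backslash joins the next line (with its leading whitespace
    dropped). Unicode escapes and escaped separators are left as written."""
    logical_lines, buf = [], ""
    for raw in text.splitlines():
        line = buf + raw.lstrip()
        buf = ""
        if line.endswith("\\") and not line.endswith("\\\\"):
            buf = line[:-1]      # continuation: keep collecting
            continue
        logical_lines.append(line)
    if buf:
        logical_lines.append(buf)
    pairs = []
    for line in logical_lines:
        if not line or line[0] in "#!":
            continue
        m = _KV.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def effective_values(pairs):
    """What CAS will actually see: the last definition of a key wins."""
    result = {}
    for key, value in pairs:
        result[key] = value
    return result


def duplicate_keys(pairs):
    """Keys defined more than once, mapped to every value in order of appearance."""
    seen = {}
    for key, value in pairs:
        seen.setdefault(key, []).append(value)
    return {k: v for k, v in seen.items() if len(v) > 1}


def report(text):
    pairs = parse_properties(text)
    effective = effective_values(pairs)
    for key, values in duplicate_keys(pairs).items():
        print(f"{key}: defined {len(values)} times, effective value = {effective[key]!r}")
        for v in values:
            print(f"    {v!r}")


if __name__ == "__main__":
    report(SAMPLE_PROPERTIES)
```

Run it against the whole cas.properties file (report(open(path).read())) rather than a fragment: a key set once in the fragment may still be overridden further down the real file, or by a later property source such as an environment variable.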
cas.properties configuration parameters for Jetty, similar to the ones for the embedded Tomcat container detailed at https://apereo.github.io/cas/6.1.x/configuration/Configuration-Properties.html#embedded-apache-tomcat-container ?
After that I ran into new errors/problems. The "set new password" method doesn't work. It only works if you reset the password by sending an email to the user.
I followed this guide: https://apereo.github.io/2019/10/25/cas61x-password-management-jdbc/
My remarks:
- "# Password Reset Email Info" and "# Forgot Username Email Info" have their option values mixed up. If you have forgotten your username, the system should look up your email address. If you want to reset your password, you need to give your name instead of your email address, IMHO.
- The expired login method fails to update the database table Users. It does store the old password in the history table.
- The text above the input fields isn't quite clear on what to do.
This is what I found out on 23 November.
Hi all,
I'm testing CAS 6.1.2 in an external Jetty (9.4.24) container, and I've been running into an issue where CAS logs an error message like the following:
User limit of inotify instances reached or too many open files
Prior to a huge stack trace and the application shutting down.
I originally saw this issue when running the embedded Jetty container, then switched over to an external container to see if that would make any difference (it did not). I am running Jetty in a Docker container, and have increased the following sysctl parameters on the Docker host:
# sysctl -p
fs.inotify.max_user_watches = 560144
fs.inotify.max_user_instances = 512
I also have increased nofiles substantially, but that doesn't seem to have helped either.
Any ideas on where to begin looking to resolve this issue? I see CAS constantly logging messages like this, which I assume to be related to the inotify issues:
2019-12-21 03:41:46,082 INFO [org.apereo.cas.util.io.PathWatcherService] - <Watching directory at [/etc/cas/config]>
Thanks!
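The error in the post above names the per-user inotify instance limit, and the sysctl output shows the two knobs that govern it; what the post does not show is how much of those limits the CAS process is actually using. The script below is an added example, not code from CAS or from the poster: it counts inotify instances (one per inotify file descriptor in /proc/PID/fdinfo) and watches (one "inotify wd:" line per watched path) for a process and for every process of a uid, since fs.inotify.max_user_instances and max_user_watches are per user, not per process. It reads the Linux /proc layout; proc_root is a parameter, and the constructed fixture at the end lets it run on any OS.

```python
"""Added example, not from the thread or from CAS: measure inotify consumption
per process and per user against the kernel limits."""
import os
import tempfile


def _inotify_lines(fdinfo_path):
    with open(fdinfo_path) as fh:
        return [ln for ln in fh if ln.startswith("inotify ")]


def inotify_usage(pid, proc_root="/proc"):
    """(instances, watches) for one pid. Each inotify fd appears as
    /proc/PID/fdinfo/N with one 'inotify wd:...' line per watched path."""
    fdinfo_dir = os.path.join(proc_root, str(pid), "fdinfo")
    instances = watches = 0
    for name in os.listdir(fdinfo_dir):
        try:
            lines = _inotify_lines(os.path.join(fdinfo_dir, name))
        except OSError:
            continue  # fd closed between listdir and open, or not readable
        if lines:
            instances += 1
            watches += len(lines)
    return instances, watches


def _uid_of(pid, proc_root):
    with open(os.path.join(proc_root, str(pid), "status")) as fh:
        for ln in fh:
            if ln.startswith("Uid:"):
                return int(ln.split()[1])  # real uid
    return None


def inotify_usage_for_uid(uid, proc_root="/proc"):
    """Sum over every process of the uid: the kernel limits are per user."""
    instances = watches = 0
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            if _uid_of(name, proc_root) != uid:
                continue
            i, w = inotify_usage(name, proc_root)
        except OSError:
            continue  # process exited, or its fdinfo is not ours to read
        instances += i
        watches += w
    return instances, watches


def inotify_limits(proc_root="/proc"):
    base = os.path.join(proc_root, "sys", "fs", "inotify")
    with open(os.path.join(base, "max_user_instances")) as f:
        max_instances = int(f.read())
    with open(os.path.join(base, "max_user_watches")) as f:
        max_watches = int(f.read())
    return max_instances, max_watches


def check_inotify_uid(uid, proc_root="/proc"):
    """Usage against limits; 'ok' is False once either limit is reached."""
    inst, watches = inotify_usage_for_uid(uid, proc_root)
    max_inst, max_watches = inotify_limits(proc_root)
    return {"instances": inst, "max_instances": max_inst,
            "watches": watches, "max_watches": max_watches,
            "ok": inst < max_inst and watches < max_watches}


def constructed_proc_fixture(max_instances=3, max_watches=8192):
    """Constructed /proc look-alike (not real data): uid 1000 owns pid 4242
    with two inotify fds (3 watches) and pid 77 with one fd (1 watch);
    pid 9 belongs to root and must not be counted for uid 1000."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    files = {
        "4242/fdinfo/3": "pos:\t0\nflags:\t02\nmnt_id:\t13\n",
        "4242/fdinfo/5": "pos:\t0\ninotify wd:1 ino:1 sdev:1 mask:fc6\n"
                         "inotify wd:2 ino:2 sdev:1 mask:fc6\n",
        "4242/fdinfo/7": "pos:\t0\ninotify wd:1 ino:3 sdev:1 mask:fc6\n",
        "4242/status": "Name:\tjava\nUid:\t1000\t1000\t1000\t1000\n",
        "77/fdinfo/4": "pos:\t0\ninotify wd:1 ino:9 sdev:1 mask:fc6\n",
        "77/status": "Name:\ttail\nUid:\t1000\t1000\t1000\t1000\n",
        "9/fdinfo/4": "pos:\t0\ninotify wd:1 ino:9 sdev:1 mask:fc6\n",
        "9/status": "Name:\tudevd\nUid:\t0\t0\t0\t0\n",
        "sys/fs/inotify/max_user_instances": f"{max_instances}\n",
        "sys/fs/inotify/max_user_watches": f"{max_watches}\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    print("fixture:", check_inotify_uid(1000, constructed_proc_fixture()))
    if os.path.isdir("/proc/sys/fs/inotify"):
        print("this host:", check_inotify_uid(os.getuid()))
```

Run it as the user that owns the CAS JVM (or as root, which can read every process's fdinfo). If "instances" is at the limit while "watches" is far below it, the fix is max_user_instances, not max_user_watches or nofile; and because the limit is per uid, other file-watching processes running as the same user count against CAS.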
Hi @mmoayyed, let me put some context
I'm trying to make Password Management work on 6.0.3 version against Active Directory. I also have another environment with OpenLDAP for testing. In both cases, auth works just fine, but PM doesn't.
Current behaviour is that PM correctly finds the user in the user directory and sends the token by mail.
https://myserver.my.domain/cas/login?pswdrst=eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.ZXlKNmFYQWlPaUpFUlVZaUxDSmhiR2NpT2lKa2FYSWlMQ0psYm1NaU9pSkJNVEk0UTBKRExVaFRNalUySWl3aWRIbHdJam9pU2xkVUluMC4udzVOVk15NU9EeWsxS3JKSDZDYUREQS5neFMtbHROUVJxQ01MZEh5dFFyTWZrNEhpczB6Z29OZGd6eTdQeE5UeEYzVUoteTZPRm85VnpFQTdXV1RXR0ZRVURwbU0xRHZMQ1VPanRXTjlyMTFWYXZCVWwtSHlOdUY3RWFTVU93Y2tXTlRfVFlmbEdBQlJZTEpGUFBER0cyTXNIOXlUTlJ0MWoyNFYybUJpMnNibks1dnk2LW84eXRIR1FrRHZETkdOVEUyeXlsYnA4VmJaaTR4Skh6eGhKU00wd29SeWNGTERGNUhQN0pycVZ4RTVBLlUwek9pRWtGYkVXeXliVHFwYkhNUWc=.5Pswn-eqEwnDbGAqAVdbaCQRjsCKs1mWQcbWfGLJDLfExEnkcAeWicKwEx0PJk94FMQzjoYFLqv4e0Zguw_Mxg
But when I load the received URL, the pswdrst URL parameter seems to be ignored entirely; the regular login form gets loaded and no errors are shown in the logs, just this
This is the config for the OpenLDAP environment (replacing sensitive values):
cas.server.name=https://myserver.my.domain
cas.server.prefix=${cas.server.name}/cas
server.port=443
server.ssl.enabled=true
cas.serviceRegistry.initFromJson=false
cas.serviceRegistry.json.location=file:/etc/cas/services
logging.config: file:/etc/cas/config/log4j2.xml
cas.authn.accept.users=
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://myopenldapserver.my.domain:389
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].baseDn=ou=People,dc=my,dc=domain
cas.authn.ldap[0].searchFilter=uid={user}
# https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties-Common.html#email-notifications
cas.authn.pm.enabled=true
cas.authn.pm.autoLogin =true
cas.authn.pm.policyPattern =^(?=.*[a-z])[A-Za-z\\d]{4,}
cas.authn.pm.ldap.type=GENERIC
cas.authn.pm.ldap.usernameAttribute=uid
cas.authn.pm.ldap.ldapUrl=ldap://myopenldapserver.my.domain:389
cas.authn.pm.ldap.useSsl=false
cas.authn.pm.ldap.baseDn=ou=People,dc=my,dc=domain
cas.authn.pm.ldap.searchFilter=(uid={user})
cas.authn.pm.ldap.bindDn=uid=somuser,ou=People,dc=my,dc=domain
cas.authn.pm.ldap.bindCredential=mypassword
cas.authn.pm.reset.mail.from=cas@my.domain
cas.authn.pm.reset.mail.attributeName=mail
cas.authn.pm.reset.mail.text=%s
cas.authn.pm.reset.mail.subject=Reset your password
cas.authn.pm.reset.securityQuestionsEnabled=false
cas.authn.pm.reset.expirationMinutes=10
cas.authn.pm.autoLogin=false
spring.mail.host=smtp.my.domain
spring.mail.port=25
spring.mail.username=cas@my.domain
spring.mail.password=caspassword
spring.mail.testConnection=true
spring.mail.properties.mail.smtp.auth=true
spring.mail.properties.mail.smtp.starttls.enable=false
@mmoayyed I also noticed these log lines, so I pasted those properties too:
WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated encryption key [G3DuCmQupz-IC2TmAtl5dQrnz0EK0rQKOikWzzvM9Jg] of size [256] for [Password Reset Token]. The generated key MUST be added to CAS settings under setting [cas.authn.pm.reset.crypto.encryption.key].>
WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated signing key [lwrDVYc0vZ7Bl7FEqAnS7LbPPlMZ7xpaaz-d-1VRocox5praHqPC1hR1SNK8c8QtLaQqO933kReYoGVjpKNCYw] of size [512] for [Password Reset Token]. The generated key MUST be added to CAS settings under setting [cas.authn.pm.reset.crypto.signing.key].>
like this:
cas.authn.pm.reset.crypto.signing.key=lwrDVYc0vZ7Bl7FEqAnS7LbPPlMZ7xpaaz-d-1VRocox5praHqPC1hR1SNK8c8QtLaQqO933kReYoGVjpKNCYw
cas.authn.pm.reset.crypto.encryption.key=G3DuCmQupz-IC2TmAtl5dQrnz0EK0rQKOikWzzvM9Jg
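The pswdrst value in the post above is a JWT, and the two WARN lines say CAS generated fresh signing and encryption keys for it at startup because none were configured. The script below is an added example, not code from the CAS project or from anyone in this thread. It decodes the structure of the posted token offline (without verifying or decrypting it) and then shows, with constructed keys, that a token signed under one key fails verification under a regenerated one, which is the situation the warning describes for a restart without configured keys. One assumption is labelled in the code and is not confirmed by the thread: that CAS signs with HS512 over the two base64url segments using the base64url-decoded bytes of cas.authn.pm.reset.crypto.signing.key as the HMAC key; only the check of the posted token against the posted key depends on it.

```python
"""Added example, not from CAS or from this thread: inspect a CAS password-reset
token and demonstrate why its signing key must be fixed in configuration."""
import base64
import hashlib
import hmac
import json
import os

# Values copied from the thread above: the pswdrst query parameter and the two
# keys CAS printed in its warnings.
POSTED_TOKEN = ".".join([
    "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9",
    "ZXlKNmFYQWlPaUpFUlVZaUxDSmhiR2NpT2lKa2FYSWlMQ0psYm1NaU9pSkJNVEk0UTBKRExVaFRNalUySWl3aWRIbHdJam9pU2xkVUluMC4udzVOVk15NU9EeWsxS3JKSDZDYUREQS5neFMtbHROUVJxQ01MZEh5dFFyTWZrNEhpczB6Z29OZGd6eTdQeE5UeEYzVUoteTZPRm85VnpFQTdXV1RXR0ZRVURwbU0xRHZMQ1VPanRXTjlyMTFWYXZCVWwtSHlOdUY3RWFTVU93Y2tXTlRfVFlmbEdBQlJZTEpGUFBER0cyTXNIOXlUTlJ0MWoyNFYybUJpMnNibks1dnk2LW84eXRIR1FrRHZETkdOVEUyeXlsYnA4VmJaaTR4Skh6eGhKU00wd29SeWNGTERGNUhQN0pycVZ4RTVBLlUwek9pRWtGYkVXeXliVHFwYkhNUWc=",
    "5Pswn-eqEwnDbGAqAVdbaCQRjsCKs1mWQcbWfGLJDLfExEnkcAeWicKwEx0PJk94FMQzjoYFLqv4e0Zguw_Mxg",
])
POSTED_SIGNING_KEY = "lwrDVYc0vZ7Bl7FEqAnS7LbPPlMZ7xpaaz-d-1VRocox5praHqPC1hR1SNK8c8QtLaQqO933kReYoGVjpKNCYw"
POSTED_ENCRYPTION_KEY = "G3DuCmQupz-IC2TmAtl5dQrnz0EK0rQKOikWzzvM9Jg"


def b64url_decode(segment):
    """Accept padded and unpadded segments: the posted payload segment carries
    '=' padding, which strict JWT decoders may reject."""
    s = segment.rstrip("=")
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def key_bits(key_b64url):
    return 8 * len(b64url_decode(key_b64url))


def inspect_cas_token(token):
    """Report what the token says about itself: an outer JWS whose payload is
    the base64 of an inner JWE compact serialization. Nothing is verified."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    outer = json.loads(b64url_decode(header_b64))
    jwe_parts = b64url_decode(payload_b64).decode("ascii").split(".")
    inner = json.loads(b64url_decode(jwe_parts[0]))
    return {"outer_alg": outer.get("alg"), "inner_alg": inner.get("alg"),
            "inner_enc": inner.get("enc"), "inner_zip": inner.get("zip"),
            "jwe_segments": len(jwe_parts),
            "signature_bytes": len(b64url_decode(sig_b64))}


def sign_hs512(payload, signing_key_b64url):
    # Assumption: HMAC-SHA512 over "header.payload" keyed with the decoded key.
    header = b64url_encode(b'{"alg":"HS512","typ":"JWT"}')
    body = b64url_encode(payload)
    mac = hmac.new(b64url_decode(signing_key_b64url),
                   f"{header}.{body}".encode("ascii"), hashlib.sha512).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"


def verify_hs512(token, signing_key_b64url):
    """Constant-time check that refuses any alg other than HS512, so a swapped
    header cannot downgrade the verification."""
    header, body, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS512":
        return False
    expected = hmac.new(b64url_decode(signing_key_b64url),
                        f"{header}.{body}".encode("ascii"), hashlib.sha512).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def restart_scenario():
    """Constructed keys: token issued under key A; server restarted with no
    key configured, so it auto-generates key B (what the WARN lines describe)."""
    key_a = b64url_encode(os.urandom(64))
    key_b = b64url_encode(os.urandom(64))
    token = sign_hs512(b"constructed reset payload", key_a)
    return {"same_key": verify_hs512(token, key_a),
            "regenerated_key": verify_hs512(token, key_b)}


if __name__ == "__main__":
    print(inspect_cas_token(POSTED_TOKEN))
    print("signing key bits:", key_bits(POSTED_SIGNING_KEY),
          "encryption key bits:", key_bits(POSTED_ENCRYPTION_KEY))
    print("posted token verifies with posted signing key:",
          verify_hs512(POSTED_TOKEN, POSTED_SIGNING_KEY))
    print(restart_scenario())
```

The inspection shows the token is an HS512-signed JWS around a JWE encrypted with a direct (alg "dir") A128CBC-HS256 key, so both keys from the warnings are needed to accept a token, and every node that may receive the reset link must hold the same two values. Whether the posted token verifies against the posted key is printed rather than asserted: a key pasted into cas.properties after the token was issued is exactly the case where it would not.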