Hi, can you share more information about how to retrieve user attributes from an LDAP database by using samlValidate, because I am facing some error, and also explain how to create an SSL connection on the mod_auth_cas client side.

Thanks and Regards

On Thursday, September 14, 2017 at 7:34:06 PM UTC+5:30, Micas Camela wrote:
>
> Hi dhawes,
>
> I did that and now I am getting the attributes.
>
> I assume my problems are all solved.
>
> Thank you all
>
> Best regards
>
> On Thursday, September 14, 2017 at 3:58:30 PM UTC+2, dhawes wrote:
> >
> > Have you tried using the /samlValidate endpoint with "CASValidateSaml On"?
> >
> > /serviceValidate may or may not return attributes, depending on your CAS server. If it does, you can use mod_auth_cas from git master, which supports CASv2 attributes.
> >
> > On 14 September 2017 at 09:11, Micas Camela <[email protected]> wrote:
> > > Hi Doug C,
> > >
> > > I solved the problem by generating the casdev certificate (previously generated using keytool) with the following commands:
> > >
> > > openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout casdev.key -out casdev.crt
> > >
> > > openssl pkcs12 -export -inkey casdev.key -in casdev.crt -name tomcat -out casdev.p12
> > >
> > > keytool -importkeystore -srckeystore casdev.p12 -srcstoretype pkcs12 -destkeystore keystore.jks
> > >
> > > And importing the casdev.crt in CASCLIENT (/etc/httpd/conf/casdev.crt).
> > >
> > > But unfortunately I am only getting the username, without any attributes.
> > >
> > > Thank you
> > >
> > > On Wednesday, September 13, 2017 at 2:34:45 PM UTC+2, Micas Camela wrote:
> > > >
> > > > Hi there!
> > > >
> > > > I have configured casdev (CentOS 7 + Tomcat 8.5.20 + CAS 5.0.8) and casclient (Apache 2.4 + mod_auth_cas + php app).
> > > >
> > > > After a successful login I am getting an error page with:
> > > >
> > > > Unauthorized
> > > >
> > > > This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
> > > >
> > > > CASDEV output:
> > > >
> > > > 2017-09-12 21:57:21,374 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Locating principal attributes for mrafael>
> > > > 2017-09-12 21:57:21,374 DEBUG [org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository] - <DefaultPrincipalAttributesRepository will return the collection of attributes directly associated with the principal object which are [{cn=Micas Rafael, givenName=Micas, LdapAuthenticationHandler.dn=CN=Micas Rafael,OU=Users,OU=DSI,DC=BCITESTES,DC=local, sn=Rafael}]>
> > > > 2017-09-12 21:57:21,375 DEBUG [org.apereo.cas.authentication.principal.cache.AbstractPrincipalAttributesRepository] - <Found [4] cached attributes for principal [mrafael] that are {cn=Micas Rafael, givenName=Micas, LdapAuthenticationHandler.dn=CN=Micas Rafael,OU=Users,OU=DSI,DC=BCITESTES,DC=local, sn=Rafael}>
> > > > 2017-09-12 21:57:21,375 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found principal attributes {cn=Micas Rafael, givenName=Micas, LdapAuthenticationHandler.dn=CN=Micas Rafael,OU=Users,OU=DSI,DC=BCITESTES,DC=local, sn=Rafael} for mrafael>
> > > > 2017-09-12 21:57:21,375 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Calling attribute policy ReturnAllAttributeReleasePolicy to process attributes for mrafael>
> > > > 2017-09-12 21:57:21,376 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attribute policy ReturnAllAttributeReleasePolicy allows release of {cn=Micas Rafael, givenName=Micas, LdapAuthenticationHandler.dn=CN=Micas Rafael,OU=Users,OU=DSI,DC=BCITESTES,DC=local, sn=Rafael} for mrafael>
> > > > 2017-09-12 21:57:21,376 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Checking default attribute policy attributes>
> > > > 2017-09-12 21:57:21,376 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Located application context. Retrieving default attributes for release, if any>
> > > > 2017-09-12 21:57:21,377 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes for release are: [cn, sn, givenName]>
> > > > 2017-09-12 21:57:21,377 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found and added default attribute for release: cn>
> > > > 2017-09-12 21:57:21,378 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found and added default attribute for release: sn>
> > > > 2017-09-12 21:57:21,378 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found and added default attribute for release: givenName>
> > > > 2017-09-12 21:57:21,379 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes found to be released are {cn=Micas Rafael, givenName=Micas, sn=Rafael}>
> > > > 2017-09-12 21:57:21,379 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attempting to merge policy attributes and default attributes>
> > > > 2017-09-12 21:57:21,380 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding default attributes first to the released set of attributes>
> > > > 2017-09-12 21:57:21,380 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding policy attributes to the released set of attributes>
> > > > 2017-09-12 21:57:21,380 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Final collection of attributes allowed are: {cn=Micas Rafael, givenName=Micas, LdapAuthenticationHandler.dn=CN=Micas Rafael,OU=Users,OU=DSI,DC=BCITESTES,DC=local, sn=Rafael}>
> > > > 2017-09-12 21:57:21,381 DEBUG [org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy] - <Skipping access strategy policy, since no attributes rules are defined>
> > > > 2017-09-12 21:57:21,381 DEBUG [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Current authentication via ticket TGT-**********************************************HSoxyIIULz-casdev allows service https://192.168.0.151/secured-by-cas/index.php to participate in the existing SSO session>
> > > > 2017-09-12 21:57:21,382 DEBUG [org.apereo.cas.ticket.DefaultServiceTicketFactory] - <Looking up service ticket id generator for [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl]>
> > > > 2017-09-12 21:57:21,382 DEBUG [org.apereo.cas.ticket.DefaultServiceTicketFactory] - <Attempting to encode service ticket ST-13-cHtrhddFq5kPa9nFdymw-casdev>
> > > > 2017-09-12 21:57:21,383 DEBUG [org.apereo.cas.ticket.DefaultServiceTicketFactory] - <Encoded service ticket id ST-13-cHtrhddFq5kPa9nFdymw-casdev>
> > > > 2017-09-12 21:57:21,383 DEBUG [org.apereo.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket [TGT-**********************************************HSoxyIIULz-casdev] to registry.>
> > > > 2017-09-12 21:57:21,384 DEBUG [org.apereo.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket [ST-13-cHtrhddFq5kPa9nFdymw-casdev] to registry.>
> > > > 2017-09-12 21:57:21,384 INFO [org.apereo.cas.CentralAuthenticationServiceImpl] - <Granted ticket [ST-13-cHtrhddFq5kPa9nFdymw-casdev] for service [https://192.168.0.151/secured-by-cas/index.php] and principal [mrafael]>
> > > > 2017-09-12 21:57:21,384 DEBUG [org.apereo.cas.CentralAuthenticationServiceImpl] - <Publishing org.apereo.cas.support.events.CasServiceTicketGrantedEvent@72e6be69[ticketGrantingTicket=TGT-**********************************************HSoxyIIULz-casdev,serviceTicket=ST-13-cHtrhddFq5kPa9nFdymw-casdev]>
> > > > 2017-09-12 21:57:21,384 DEBUG [org.apereo.cas.audit.spi.ThreadLocalPrincipalResolver] - <Resolving principal at audit point [execution(ServiceTicket org.apereo.cas.CentralAuthenticationServiceImpl.grantServiceTicket(String,Service,AuthenticationResult))]>
> > > > 2017-09-12 21:57:21,385 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> > > > =============================================================
> > > > WHO: mrafael
> > > > WHAT: ST-13-cHtrhddFq5kPa9nFdymw-casdev for https://192.168.0.151/secured-by-cas/index.php
> > > > ACTION: SERVICE_TICKET_CREATED
> > > > APPLICATION: CAS
> > > > WHEN: Tue Sep 12 21:57:21 EDT 2017
> > > > CLIENT IP ADDRESS: 192.168.0.1
> > > > SERVER IP ADDRESS: 192.168.0.150
> > > > =============================================================
> > > >
> > > > CASCLIENT:
> > > >
> > > > [Tue Sep 12 21:58:22.473143 2017] [ssl:info] [pid 10811] (70007)The timeout specified has expired: [client 192.168.0.1:62026] AH01991: SSL input filter read failed.
> > > > [Tue Sep 12 21:58:22.473219 2017] [ssl:debug] [pid 10811] ssl_engine_io.c(992): [client 192.168.0.1:62026] AH02001: Connection closed to child 2 with standard shutdown (server 192.168.0.151:443)
> > > > [Tue Sep 12 21:58:23.222991 2017] [ssl:info] [pid 10812] [client 192.168.0.1:62029] AH01964: Connection to child 3 established (server 192.168.0.151:443)
> > > > [Tue Sep 12 21:58:23.223794 2017] [ssl:debug] [pid 10812] ssl_engine_kernel.c(1812): [client 192.168.0.1:62029] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
> > > > [Tue Sep 12 21:58:23.224096 2017] [ssl:info] [pid 10812] (70014)End of file found: [client 192.168.0.1:62029] AH01991: SSL input filter read failed.
> > > > [Tue Sep 12 21:58:23.224146 2017] [ssl:debug] [pid 10812] ssl_engine_io.c(992): [client 192.168.0.1:62029] AH02001: Connection closed to child 3 with standard shutdown (server 192.168.0.151:443)
> > > > [Tue Sep 12 21:58:23.224847 2017] [ssl:info] [pid 10809] [client 192.168.0.1:62030] AH01964: Connection to child 0 established (server 192.168.0.151:443)
> > > > [Tue Sep 12 21:58:23.225255 2017] [ssl:debug] [pid 10809] ssl_engine_kernel.c(1812): [client 192.168.0.1:62030] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
> > > > [Tue Sep 12 21:58:23.225750 2017] [ssl:debug] [pid 10809] ssl_engine_kernel.c(224): [client 192.168.0.1:62030] AH02034: Initial (No.1) HTTPS request received for child 0 (server 192.168.0.151:443), referer: https://192.168.0.151/
> > > > [Tue Sep 12 21:58:23.225832 2017] [authz_core:debug] [pid 10809] mod_authz_core.c(809): [client 192.168.0.1:62030] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://192.168.0.151/
> > > > [Tue Sep 12 21:58:23.225840 2017] [authz_core:debug] [pid 10809] mod_authz_core.c(809): [client 192.168.0.1:62030] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://192.168.0.151/
> > > > [Tue Sep 12 21:58:23.225846 2017] [auth_cas:debug] [pid 10809] mod_auth_cas.c(2076): [client 192.168.0.1:62030] Entering cas_authenticate(), referer: https://192.168.0.151/
> > > > [Tue Sep 12 21:58:23.225854 2017] [auth_cas:debug] [pid 10809] mod_auth_cas.c(584): [client 192.168.0.1:62030] CAS Service 'https%3a%2f%2f192.168.0.151%2fsecured-by-cas%2findex.php', referer: https://192.168.0.151/
> > > > [Tue Sep 12 21:58:23.225856 2017] [auth_cas:debug] [pid 10809] mod_auth_cas.c(532): [client 192.168.0.1:62030] entering getCASLoginURL(), referer: https://192.168.0.151/
> > > > [Tue Sep 12 21:58:23.225860 2017] [auth_cas:debug] [pid 10809] mod_auth_cas.c(509): [client 192.168.0.1:62030] entering getCASGateway(), referer: https://192.168.0.151/
> > > > [Tue Sep 12 21:58:23.225861 2017] [auth_cas:debug] [pid 10809] mod_auth_cas.c(599): [client 192.168.0.1:62030] entering redirectRequest(), referer: https://192.168.0.151/
> > > > [Tue Sep 12 21:58:23.225863 2017] [auth_cas:debug] [pid 10809] mod_auth_cas.c(611): [client 192.168.0.1:62030] Adding outgoing header: Location: https://192.168.0.150:8443/cas/login?service=https%3a%2f%2f192.168.0.151%2fsecured-by-cas%2findex.php, referer: https://192.168.0.151/
> > > > [Tue Sep 12 21:58:23.275446 2017] [ssl:debug] [pid 10809] ssl_engine_kernel.c(224): [client 192.168.0.1:62030] AH02034: Subsequent (No.2) HTTPS request received for child 0 (server 192.168.0.151:443), referer: https://192.168.0.151/
> > > > [Tue Sep 12 21:58:23.275554 2017] [authz_core:debug] [pid 10809] mod_authz_core.c(809): [client 192.168.0.1:62030] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://192.168.0.151/
> > > > [Tue Sep 12 21:58:23.275560 2017] [authz_core:debug] [pid 10809] mod_authz_core.c(809): [client 192.168.0.1:62030] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://
> > >
> > > ...
> > >
> > > [Message clipped]
> > > --
> > > - Website: https://apereo.github.io/cas
> > > - Gitter Chatroom: https://gitter.im/apereo/cas
> > > - List Guidelines: https://goo.gl/1VRrw7
> > > - Contributions: https://goo.gl/mh7qDG
> > > ---
> > > You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/08666602-d8f5-41b6-9f50-a2ef1252b7da%40apereo.org.
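As an added example (not code from this thread, mod_auth_cas or CAS), a small Python parser for the two validation replies dhawes contrasts: /serviceValidate, where attributes appear only if the server includes a <cas:attributes> block, and /samlValidate, where they are carried in the SAML 1.1 assertion that CASValidateSaml On makes mod_auth_cas request. The two XML responses are constructed to mirror the attributes released in the quoted CAS log.

```python
import xml.etree.ElementTree as ET  # defusedxml.ElementTree is the safer choice for untrusted XML

CAS_NS = "http://www.yale.edu/tp/cas"
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed /serviceValidate reply with the attributes the CAS log shows being
# released for mrafael; a CAS v2-only server omits <cas:attributes>, leaving only the user.
SERVICE_VALIDATE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
 <cas:authenticationSuccess>
  <cas:user>mrafael</cas:user>
  <cas:attributes>
   <cas:cn>Micas Rafael</cas:cn><cas:givenName>Micas</cas:givenName><cas:sn>Rafael</cas:sn>
  </cas:attributes>
 </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed /samlValidate reply (SAML 1.1 assertion inside SOAP); attributes ride in an
# AttributeStatement, which is what mod_auth_cas reads when CASValidateSaml is On.
SAML_VALIDATE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:AuthenticationStatement><saml:Subject><saml:NameIdentifier>mrafael</saml:NameIdentifier></saml:Subject></saml:AuthenticationStatement>
<saml:AttributeStatement>
<saml:Attribute AttributeName="cn"><saml:AttributeValue>Micas Rafael</saml:AttributeValue></saml:Attribute>
<saml:Attribute AttributeName="givenName"><saml:AttributeValue>Micas</saml:AttributeValue></saml:Attribute>
<saml:Attribute AttributeName="sn"><saml:AttributeValue>Rafael</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"""

def parse_service_validate(xml_text):
    """Return (user, {name: [values]}); raise ValueError on <cas:authenticationFailure>."""
    root = ET.fromstring(xml_text)
    failure = root.find(f"{{{CAS_NS}}}authenticationFailure")
    if failure is not None:
        raise ValueError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    attrs = {}
    for el in success.findall(f"{{{CAS_NS}}}attributes/*"):  # empty when the server sends none
        attrs.setdefault(el.tag.split("}", 1)[1], []).append(el.text)
    return success.findtext(f"{{{CAS_NS}}}user"), attrs

def parse_saml_validate(xml_text):
    """Return (user, {name: [values]}) from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    user = root.find(f".//{{{SAML_NS}}}NameIdentifier").text
    attrs = {}
    for a in root.iter(f"{{{SAML_NS}}}Attribute"):  # multi-valued attributes repeat AttributeValue
        vals = [v.text for v in a.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs.setdefault(a.get("AttributeName"), []).extend(vals)
    return user, attrs
```

A /serviceValidate reply with no <cas:attributes> block parses to the user name and an empty dict, which is exactly the "username only" symptom described in the thread.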
