Hi Team,

CAS Server : 6.3.3 
CAS Client : 3.6.2

We are facing a peculiar issue in production. This issue is specific to a 
clustered environment. While communicating from one server to another 
server, CAS releases the wrong "UID".

We have 3 servers in PROD: CASPROD1, CASPROD2, CASPROD3.

*Scenario 1:*
When the user logs in, the CAS server releases the attribute UID on CASPROD1 after 
successful authentication. While communicating with the CAS client, CAS releases 
the same UID attribute if the request reaches the same server instance, 
CASPROD1. *This is working fine.*

*Scenario 2:*
When the user logs in, the CAS server releases the attribute UID on CASPROD1 after 
successful authentication. While communicating with the CAS client, if the second 
server handles the request, CAS releases a different UID (which is already 
available on the CASPROD2 server).

*LDAP properties:*
cas.authn.ldap[0].order=0
cas.authn.ldap[0].ldapUrl=https://xxxx
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].baseDn=
cas.authn.ldap[0].searchFilter=email={user}
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].bindDn=xxxxxx
cas.authn.ldap[0].bindCredential=xxxx

cas.authn.ldap[0].principalAttributeId=ui
cas.authn.ldap[0].principalAttributePassword=
cas.authn.ldap[0].principalAttributeList=userStatus,tryCount,uid,CN,email
cas.authn.ldap[0].minPoolSize=3
cas.authn.ldap[0].maxPoolSize=10
cas.authn.ldap[0].validateOnCheckout=true
cas.authn.ldap[0].validatePeriodically=true
cas.authn.ldap[0].validatePeriod=600
cas.authn.ldap[0].failFast=false
cas.authn.ldap[0].idleTime=5000
cas.authn.ldap[0].prunePeriod=5000
cas.authn.ldap[0].blockWaitTime=5000

*Hazelcast properties*
cas.ticket.registry.hazelcast.page-size=500
#cas.ticket.registry.hazelcast.cluster.size=3
cas.ticket.registry.hazelcast.cluster.members=10.34.xxx.58,10.34.xxx.57,10.34.xxx.59
cas.ticket.registry.hazelcast.cluster.instance-name=10.34.xxx.57
*(have given this correctly for all server instances)*
cas.ticket.registry.hazelcast.cluster.port=5701
cas.ticket.registry.hazelcast.enable-compression=false
cas.ticket.registry.hazelcast.enable-management-center-scripting=true
cas.ticket.registry.hazelcast.crypto.enabled=true
cas.ticket.registry.hazelcast.cluster.asyncBackupCount=1
cas.ticket.registry.hazelcast.cluster.backupCount=0
cas.ticket.registry.hazelcast.crypto.signing.key=7cQ-XUjlbIWahxBUD8IVVW6j7erYyuAmXn7m4O4CpdNpPaxNf1P5ka1JPa-V_T2UryZYtRPOzy1rhjIGQ7kQug
cas.ticket.registry.hazelcast.crypto.signing.keySize=512
cas.ticket.registry.hazelcast.crypto.encryption.key=Sx1MbKtfrP-36ysDRkNXWA
cas.ticket.registry.hazelcast.crypto.encryption.keySize=16
cas.ticket.registry.hazelcast.crypto.alg=AES

CAS server Logs:
2021-07-17 01:33:30 [INFO] 
com.ex.authentication.MigLdapHandlerAuthentication  Creating LDAP principal 
for [*[email protected]*] based on [uid=*8886927f-ea0f-4129-8097-b72e52a58591*,ou=secure,dc=Consumer,dc=insurance,dc=com] 
and attributes [[uid, cn, email, userStatus, tryCount]]
2021-07-17 01:33:30 [INFO] 
com.ex.authentication.MigLdapHandlerAuthentication  Retrieved principal id 
attribute [[email protected]]
2021-07-17 01:33:30 [INFO] 
com.ex.authentication.MigLdapHandlerAuthentication  LDAP principal 
identifier created is [[email protected]]
2021-07-17 01:33:30 [INFO] 
com.ex.authentication.MigLdapHandlerAuthentication  The following 
attributes are requested to be retrieved and mapped: [[]]
2021-07-17 01:33:30 [INFO] 
com.ex.authentication.MigLdapHandlerAuthentication  Found principal 
attribute: [org.ldaptive.LdapAttribute@-384702864::name=uid, 
values=[8886927f-ea0f-4129-8097-b72e52a58591], binary=false]
2021-07-17 01:33:30 [INFO] 
com.ex.authentication.MigLdapHandlerAuthentication  Principal attribute 
[org.ldaptive.LdapAttribute@-384702864::name=uid, 
values=[8886927f-ea0f-4129-8097-b72e52a58591], binary=false] is virtually 
remapped/renamed to [uid]
2021-07-17 01:33:30 [INFO] 
com.ex.authentication.MigLdapHandlerAuthentication  Found principal 
attribute: [org.ldaptive.LdapAttribute@-1753954665::name=userStatus, 
values=[ACTIVE], binary=false]
2021-07-17 01:33:30 [INFO] 
com.ex.authentication.MigLdapHandlerAuthentication  Principal attribute 
[org.ldaptive.LdapAttribute@-1753954665::name=userStatus, values=[ACTIVE], 
binary=false] is virtually remapped/renamed to [userStatus]
2021-07-17 01:33:30 [INFO] 
com.ex.authentication.MigLdapHandlerAuthentication  Found principal 
attribute: [org.ldaptive.LdapAttribute@-1505406878::name=tryCount, 
values=[0:1626509309221], binary=false]
2021-07-17 01:33:30 [INFO] 
com.ex.authentication.MigLdapHandlerAuthentication  Principal attribute 
[org.ldaptive.LdapAttribute@-1505406878::name=tryCount, 
values=[0:1626509309221], binary=false] is virtually remapped/renamed to 
[tryCount]
2021-07-17 01:33:30 [INFO] 
com.ex.authentication.MigLdapHandlerAuthentication  Found principal 
attribute: [org.ldaptive.LdapAttribute@-397428133::name=cn, 
values=[8886927f-ea0f-4129-8097-b72e52a58591], binary=false]
2021-07-17 01:33:30 [INFO] 
com.ex.authentication.MigLdapHandlerAuthentication  Principal attribute 
[org.ldaptive.LdapAttribute@-397428133::name=cn, 
values=[8886927f-ea0f-4129-8097-b72e52a58591], binary=false] is virtually 
remapped/renamed to [CN]
2021-07-17 01:33:30 [INFO] 
com.ex.authentication.MigLdapHandlerAuthentication  Found principal 
attribute: [org.ldaptive.LdapAttribute@-930300140::name=email, values=[[email protected]], binary=false]
2021-07-17 01:33:30 [INFO] 
com.mig.sso.authentication.MigLdapHandlerAuthentication  Principal 
attribute [org.ldaptive.LdapAttribute@-930300140::name=email, values=[[email protected]], binary=false] is virtually 
remapped/renamed to [email]
2021-07-17 01:33:30 [INFO] 
com.mig.sso.authentication.MigLdapHandlerAuthentication  Created LDAP 
principal for id [[email protected]] and [5] 
attributes

2021-07-17 01:33:31 [INFO] 
org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager  Audit 
trail record BEGIN
=============================================================
WHO: [email protected]
WHAT: ST-1-l59MuWtx-WFlDsTQi42nww2riqQ-braxlcpa211 for 
https://qa5-ex.insurance.com/home/
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Sat Jul 17 01:33:31 PDT 2021
CLIENT IP ADDRESS: 10.34.ss.30
SERVER IP ADDRESS: 10.34.xxx.53
=============================================================


2021-07-17 01:33:31 [INFO] 
org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager  Audit 
trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access Granted,service=https://qa5-cp.mercuryinsurance.com/c...,principal=SimplePrincipal(id=*[email protected]*,attributes={CN=[8886927f-ea0f-4129-8097-b72e52a58591], uid=[*8886927f-ea0f-4129-8097-b72e52a58591*]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Sat Jul 17 01:33:31 PDT 2021
CLIENT IP ADDRESS: 10.34.xx.6
SERVER IP ADDRESS: 10.34.xxx.53
=============================================================


2021-07-17 01:35:26 [INFO] 
org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager  Audit 
trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access Granted,service=https://brextt051.int.mgc.com:11111...,principal=SimplePrincipal(id=*[email protected]*, attributes={uid=[*6666927f-ea0f-4129-8097-b72e52a58591*], userStatus=[ACTIVE], tryCount=[0:1626509309221], CN=[6666927f-ea0f-4129-8097-b72e52a58591], email=[[email protected]]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Sat Jul 17 01:35:26 PDT 2021
CLIENT IP ADDRESS: 10.34.xx.30
SERVER IP ADDRESS: 10.34.xxx.55
=============================================================


I will be really grateful if someone can help me with the fix.

Regards,
Anusuya.
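To confirm the behaviour described in the post from the audit trail rather than by reading records by eye, here is an added Python example (not part of the original post, and not CAS or inspektr code). It parses inspektr "Audit trail record" blocks, keeps the SERVICE_ACCESS_ENFORCEMENT_TRIGGERED entries, and reports any principal id that was released with more than one distinct uid value, grouped by the SERVER IP ADDRESS that released it. The sample records below are constructed: the e-mail address, service URLs and IP addresses are placeholders; the two uid values are the ones quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample: three inspektr audit records modelled on the post. Records 2
# and 3 carry the same principal id but different uid values from different nodes.
SAMPLE_AUDIT_LOG = """\
2021-07-17 01:33:31 [INFO] org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager  Audit trail record BEGIN
=============================================================
WHO: user@example.com
WHAT: ST-1-EXAMPLETICKET for https://app.example.com/home/
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Sat Jul 17 01:33:31 PDT 2021
CLIENT IP ADDRESS: 10.0.0.30
SERVER IP ADDRESS: 10.0.0.53
=============================================================
2021-07-17 01:33:31 [INFO] org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager  Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access Granted,service=https://app.example.com/c...,principal=SimplePrincipal(id=user@example.com, attributes={CN=[8886927f-ea0f-4129-8097-b72e52a58591], uid=[8886927f-ea0f-4129-8097-b72e52a58591]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Sat Jul 17 01:33:31 PDT 2021
CLIENT IP ADDRESS: 10.0.0.6
SERVER IP ADDRESS: 10.0.0.53
=============================================================
2021-07-17 01:35:26 [INFO] org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager  Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access Granted,service=https://other.example.com:11111/...,principal=SimplePrincipal(id=user@example.com, attributes={uid=[6666927f-ea0f-4129-8097-b72e52a58591], userStatus=[ACTIVE], tryCount=[0:1626509309221], CN=[6666927f-ea0f-4129-8097-b72e52a58591], email=[user@example.com]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Sat Jul 17 01:35:26 PDT 2021
CLIENT IP ADDRESS: 10.0.0.30
SERVER IP ADDRESS: 10.0.0.55
=============================================================
"""

RECORD_MARKER = "Audit trail record BEGIN"
# One "KEY: value" field per line inside a record.
FIELD_RE = re.compile(
    r"^(WHO|WHAT|ACTION|APPLICATION|WHEN|CLIENT IP ADDRESS|SERVER IP ADDRESS): (.*)$",
    re.MULTILINE,
)
# Principal id and released uid inside the WHAT field of an access-enforcement record.
PRINCIPAL_RE = re.compile(r"SimplePrincipal\(id=([^,\s]+)")
UID_RE = re.compile(r"\buid=\[([^\]]*)\]")


def parse_audit_records(text):
    """Split inspektr audit output into one {field: value} dict per record."""
    records = []
    # Everything before the first marker is just the log prefix of record 1.
    for chunk in text.split(RECORD_MARKER)[1:]:
        records.append(dict(FIELD_RE.findall(chunk)))
    return records


def service_access_records(records):
    """Keep only access-enforcement records that carry a principal and a uid."""
    out = []
    for rec in records:
        if rec.get("ACTION") != "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED":
            continue
        what = rec.get("WHAT", "")
        principal = PRINCIPAL_RE.search(what)
        uid = UID_RE.search(what)
        if principal and uid:
            out.append({
                "principal": principal.group(1),
                "uid": uid.group(1),
                "server": rec.get("SERVER IP ADDRESS", "?"),
                "when": rec.get("WHEN", "?"),
            })
    return out


def find_inconsistent_uids(text):
    """Return {principal: {uid: [server IPs]}} for every principal that was
    released with more than one distinct uid value anywhere in the log."""
    seen = defaultdict(lambda: defaultdict(set))
    for rec in service_access_records(parse_audit_records(text)):
        seen[rec["principal"]][rec["uid"]].add(rec["server"])
    return {
        principal: {uid: sorted(servers) for uid, servers in uids.items()}
        for principal, uids in seen.items()
        if len(uids) > 1
    }


if __name__ == "__main__":
    for principal, uids in find_inconsistent_uids(SAMPLE_AUDIT_LOG).items():
        print(f"{principal}: released with {len(uids)} different uid values")
        for uid, servers in uids.items():
            print(f"  uid={uid} from {', '.join(servers)}")
```

Run it against the merged audit logs of all cluster members (the SERVER IP ADDRESS field is what ties each release back to a node); a principal that appears in the output with one uid per node points at node-specific state rather than at the LDAP directory itself, which is the distinction the post is trying to make.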

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4f7c7116-4752-4b1c-b6dd-222280f38f2fn%40apereo.org.
