Hi Ray,

Thanks for your response.
Yes, we use email as the unique identifier.

Please find my service definition below:
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https?|imaps?):\/\/(([A-Za-z0-9_-]+.)*insurance.com\/.*)",
  "name" : "web",
  "description" : "Allows HTTP(S) and IMAP(S) protocols",
  "id" : 10000001,
  "evaluationOrder" : 1,
  "usernameAttribute" : "email",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "CN", "email", "uid" ] ]
  },
  "logoutType" : "BACK_CHANNEL"
}

On Monday, July 19, 2021 at 10:29:06 PM UTC+5:30 Ray Bon wrote:

> Anusuya,
>
> Hazelcast instance-name would be the same for all hosts in the cluster, 
> say 'casProd'. I do not think that is related to your issue.
>
> What does your service define as a unique identifier (you use email as the 
> lookup)?
>
> You can set the username attribute, 
> https://apereo.github.io/cas/6.3.x/integration/Attribute-Release-PrincipalId.html#attribute
>
> Ray
>
>
> On Sun, 2021-07-18 at 10:33 -0700, Morning Star wrote:
>
>
> Hi Team, 
>
> CAS Server : 6.3.3 
> CAS Client : 3.6.2
>
> We are facing a peculiar issue in production. This issue is specific to 
> the clustered environment. While communicating from one server to 
> another, CAS releases the wrong "UID".
>
> We have 3 servers in PROD. CASPROD1, CASPROD2, CASPROD3
> *Scenario 1:*
> When user logs in, CAS server releases attribute UID in CASPROD1 after 
> successful authentication. While communicating to CAS client, CAS releases 
> the same UID attribute if request reaches the same server instance 
> CASPROD1. *This is working fine.*
>
> *Scenario 2:*
> When the user logs in, the CAS server releases attribute UID in CASPROD1 after 
> successful authentication. While communicating to the CAS client, if the second 
> server handles the request, CAS releases a different UID (which is already 
> available on the CASPROD2 server).
>
> *LDAP properties:*
> cas.authn.ldap[0].order=0
> cas.authn.ldap[0].ldapUrl=https://xxxx
> cas.authn.ldap[0].type=AUTHENTICATED
> cas.authn.ldap[0].useSsl=true
> cas.authn.ldap[0].useStartTls=false
> cas.authn.ldap[0].connectTimeout=5000
> cas.authn.ldap[0].baseDn=
> cas.authn.ldap[0].searchFilter=email={user}
> cas.authn.ldap[0].subtreeSearch=true
> cas.authn.ldap[0].bindDn=xxxxxx
> cas.authn.ldap[0].bindCredential=xxxx
>
> cas.authn.ldap[0].principalAttributeId=ui
> cas.authn.ldap[0].principalAttributePassword=
> cas.authn.ldap[0].principalAttributeList=userStatus,tryCount,uid,CN,email
> cas.authn.ldap[0].minPoolSize=3
> cas.authn.ldap[0].maxPoolSize=10
> cas.authn.ldap[0].validateOnCheckout=true
> cas.authn.ldap[0].validatePeriodically=true
> cas.authn.ldap[0].validatePeriod=600
> cas.authn.ldap[0].failFast=false
> cas.authn.ldap[0].idleTime=5000
> cas.authn.ldap[0].prunePeriod=5000
> cas.authn.ldap[0].blockWaitTime=5000
>
> *Hazelcast properties*
> cas.ticket.registry.hazelcast.page-size=500
> #cas.ticket.registry.hazelcast.cluster.size=3
>
> cas.ticket.registry.hazelcast.cluster.members=10.34.xxx.58,10.34.xxx.57,10.34.xxx.59
> cas.ticket.registry.hazelcast.cluster.instance-name=10.34.xxx.57*(have 
> given this correctly for all server instances)*
> cas.ticket.registry.hazelcast.cluster.port=5701
> cas.ticket.registry.hazelcast.enable-compression=false
> cas.ticket.registry.hazelcast.enable-management-center-scripting=true
> cas.ticket.registry.hazelcast.crypto.enabled=true
> cas.ticket.registry.hazelcast.cluster.asyncBackupCount=1
> cas.ticket.registry.hazelcast.cluster.backupCount=0
>
> cas.ticket.registry.hazelcast.crypto.signing.key=7cQ-XUjlbIWahxBUD8IVVW6j7erYyuAmXn7m4O4CpdNpPaxNf1P5ka1JPa-V_T2UryZYtRPOzy1rhjIGQ7kQug
> cas.ticket.registry.hazelcast.crypto.signing.keySize=512
> cas.ticket.registry.hazelcast.crypto.encryption.key=Sx1MbKtfrP-36ysDRkNXWA
> cas.ticket.registry.hazelcast.crypto.encryption.keySize=16
> cas.ticket.registry.hazelcast.crypto.alg=AES
>
> CAS server Logs:
> 2021-07-17 01:33:30 [INFO] 
> com.ex.authentication.MigLdapHandlerAuthentication  Creating LDAP principal 
> for [*[email protected]*] based on [uid=
> *8886927f-ea0f-4129-8097-b72e52a58591*,ou=secure,dc=Consumer,dc=insurance,dc=com]
>  
> and attributes [[uid, cn, email, userStatus, tryCount]]
> 2021-07-17 01:33:30 [INFO] 
> com.ex.authentication.MigLdapHandlerAuthentication  Retrieved principal id 
> attribute [[email protected]]
> 2021-07-17 01:33:30 [INFO] 
> com.ex.authentication.MigLdapHandlerAuthentication  LDAP principal 
> identifier created is [[email protected]]
> 2021-07-17 01:33:30 [INFO] 
> com.ex.authentication.MigLdapHandlerAuthentication  The following 
> attributes are requested to be retrieved and mapped: [[]]
> 2021-07-17 01:33:30 [INFO] 
> com.ex.authentication.MigLdapHandlerAuthentication  Found principal 
> attribute: [org.ldaptive.LdapAttribute@-384702864::name=uid, 
> values=[8886927f-ea0f-4129-8097-b72e52a58591], binary=false]
> 2021-07-17 01:33:30 [INFO] 
> com.ex.authentication.MigLdapHandlerAuthentication  Principal attribute 
> [org.ldaptive.LdapAttribute@-384702864::name=uid, 
> values=[8886927f-ea0f-4129-8097-b72e52a58591], binary=false] is virtually 
> remapped/renamed to [uid]
> 2021-07-17 01:33:30 [INFO] 
> com.ex.authentication.MigLdapHandlerAuthentication  Found principal 
> attribute: [org.ldaptive.LdapAttribute@-1753954665::name=userStatus, 
> values=[ACTIVE], binary=false]
> 2021-07-17 01:33:30 [INFO] 
> com.ex.authentication.MigLdapHandlerAuthentication  Principal attribute 
> [org.ldaptive.LdapAttribute@-1753954665::name=userStatus, values=[ACTIVE], 
> binary=false] is virtually remapped/renamed to [userStatus]
> 2021-07-17 01:33:30 [INFO] 
> com.ex.authentication.MigLdapHandlerAuthentication  Found principal 
> attribute: [org.ldaptive.LdapAttribute@-1505406878::name=tryCount, 
> values=[0:1626509309221], binary=false]
> 2021-07-17 01:33:30 [INFO] 
> com.ex.authentication.MigLdapHandlerAuthentication  Principal attribute 
> [org.ldaptive.LdapAttribute@-1505406878::name=tryCount, 
> values=[0:1626509309221], binary=false] is virtually remapped/renamed to 
> [tryCount]
> 2021-07-17 01:33:30 [INFO] 
> com.ex.authentication.MigLdapHandlerAuthentication  Found principal 
> attribute: [org.ldaptive.LdapAttribute@-397428133::name=cn, 
> values=[8886927f-ea0f-4129-8097-b72e52a58591], binary=false]
> 2021-07-17 01:33:30 [INFO] 
> com.ex.authentication.MigLdapHandlerAuthentication  Principal attribute 
> [org.ldaptive.LdapAttribute@-397428133::name=cn, 
> values=[8886927f-ea0f-4129-8097-b72e52a58591], binary=false] is virtually 
> remapped/renamed to [CN]
> 2021-07-17 01:33:30 [INFO] 
> com.ex.authentication.MigLdapHandlerAuthentication  Found principal 
> attribute: [org.ldaptive.LdapAttribute@-930300140::name=email, values=[
> [email protected]], binary=false]
> 2021-07-17 01:33:30 [INFO] 
> com.mig.sso.authentication.MigLdapHandlerAuthentication  Principal 
> attribute [org.ldaptive.LdapAttribute@-930300140::name=email, values=[
> [email protected]], binary=false] is virtually 
> remapped/renamed to [email]
> 2021-07-17 01:33:30 [INFO] 
> com.mig.sso.authentication.MigLdapHandlerAuthentication  Created LDAP 
> principal for id [[email protected]] and [5] 
> attributes
>
> 2021-07-17 01:33:31 [INFO] 
> org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager  Audit 
> trail record BEGIN
> =============================================================
> WHO: [email protected]
> WHAT: ST-1-l59MuWtx-WFlDsTQi42nww2riqQ-braxlcpa211 for 
> https://qa5-ex.insurance.com/home/
> ACTION: SERVICE_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Sat Jul 17 01:33:31 PDT 2021
> CLIENT IP ADDRESS: 10.34.ss.30
> SERVER IP ADDRESS: 10.34.xxx.53
> =============================================================
>
>
> 2021-07-17 01:33:31 [INFO] 
> org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager  Audit 
> trail record BEGIN
> =============================================================
> WHO: audit:unknown
> WHAT: [result=Service Access Granted,service=
> https://qa5-cp.mercuryinsurance.com/c...,principal=SimplePrincipal(id=*[email protected],* 
> attributes={CN=[8886927f-ea0f-4129-8097-b72e52a58591], 
> uid=[*8886927f-ea0f-4129-8097-b72e52a58591*]}),requiredAttributes={}]
> ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Sat Jul 17 01:33:31 PDT 2021
> CLIENT IP ADDRESS: 10.34.xx.6
> SERVER IP ADDRESS: 10.34.xxx.53
> =============================================================
>
>
> 2021-07-17 01:35:26 [INFO] 
> org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager  Audit 
> trail record BEGIN
> =============================================================
> WHO: audit:unknown
> WHAT: [result=Service Access 
> Granted,service=https://brextt051.int.mgc.com:11111...,principal=SimplePrincipal(id=*[email protected]*, attributes={uid=[
> *6666927f-ea0f-4129-8097-b72e52a58591*], userStatus=[ACTIVE], 
> tryCount=[0:1626509309221], CN=[6666927f-ea0f-4129-8097-b72e52a58591], 
> email=[[email protected]]}),requiredAttributes={}]
> ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Sat Jul 17 01:35:26 PDT 2021
> CLIENT IP ADDRESS: 10.34.xx.30
> SERVER IP ADDRESS: 10.34.xxx.55
> =============================================================
>
>
> I will be really grateful if someone can help me with the fix.
>
> Regards,
> Anusuya.
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/60cbeb2e-759f-4c2e-88c3-efc40d1a0fc8n%40apereo.org.

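The following is an added offline check, not CAS code and not written by either poster. It loads the service definition from the top of this thread together with the LDAP properties quoted below it and reports what they would actually do: which URLs the serviceId regex accepts (constructed test URLs, one of them the service URL from the audit log), whether usernameAttribute is both fetched from LDAP and released, and whether principalAttributeId names an attribute that is in principalAttributeList. The tightened pattern is an assumption about the intended host scope (hosts under insurance.com only) and is not from the thread.

```python
"""Offline sanity check for a CAS RegexRegisteredService definition and the
LDAP attribute properties that feed it. Added example, not CAS code."""
import json
import re

# The service definition posted in the thread, embedded verbatim so the
# script runs offline. JSON decodes the "\/" escapes to plain "/".
POSTED_SERVICE_JSON = r'''{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https?|imaps?):\/\/(([A-Za-z0-9_-]+.)*insurance.com\/.*)",
  "name" : "web",
  "description" : "Allows HTTP(S) and IMAP(S) protocols",
  "id" : 10000001,
  "evaluationOrder" : 1,
  "usernameAttribute" : "email",
  "attributeReleasePolicy": {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "CN", "email", "uid" ] ]
  },
  "logoutType" : "BACK_CHANNEL"
}'''

# Tightened serviceId (assumption: only hosts under insurance.com are meant).
# The dots are escaped so "." no longer matches an arbitrary character.
TIGHTENED_SERVICE_ID = r"^(https?|imaps?)://([A-Za-z0-9_-]+\.)*insurance\.com/.*"

# Constructed test URLs with the result the pattern is presumably meant to give.
# The first one is the service URL that appears in the thread's audit log.
EXPECTED = {
    "https://qa5-ex.insurance.com/home/": True,
    "imaps://mail.insurance.com/inbox": True,
    "https://insurance.com/": True,
    "ftp://insurance.com/": False,
    "https://insuranceXcom/": False,                # unescaped "." in insurance.com
    "https://other.example/insurance.com/": False,  # "." in the host group also matches "/"
}

# Excerpt of the LDAP properties as posted (values unchanged).
POSTED_PROPERTIES = """
cas.authn.ldap[0].searchFilter=email={user}
cas.authn.ldap[0].principalAttributeId=ui
cas.authn.ldap[0].principalAttributeList=userStatus,tryCount,uid,CN,email
"""


def load_service(text):
    """Parse a CAS JSON service file into a dict."""
    return json.loads(text)


def service_id_matches(service_id, url):
    """Apply the serviceId regex to a URL. The posted pattern is anchored
    with '^', so match() and find() semantics give the same answer."""
    return re.search(service_id, url) is not None


def pattern_mismatches(service_id, expected=EXPECTED):
    """URLs whose match result differs from the intended one, sorted."""
    return sorted(u for u, want in expected.items()
                  if service_id_matches(service_id, u) != want)


def allowed_attributes(service):
    """Unwrap CAS's ["java.util.ArrayList", [...]] list encoding."""
    raw = service.get("attributeReleasePolicy", {}).get("allowedAttributes", [])
    return list(raw[1]) if len(raw) == 2 and isinstance(raw[1], list) else list(raw)


def parse_properties(text):
    """Minimal key=value parser for a cas.properties excerpt."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def audit(service_text=POSTED_SERVICE_JSON, properties_text=POSTED_PROPERTIES):
    """Cross-check the service definition against the LDAP properties."""
    service = load_service(service_text)
    props = parse_properties(properties_text)
    released = allowed_attributes(service)
    ldap_list = [a.strip() for a in
                 props.get("cas.authn.ldap[0].principalAttributeList", "").split(",")
                 if a.strip()]
    principal_id = props.get("cas.authn.ldap[0].principalAttributeId", "")
    username_attr = service.get("usernameAttribute")
    return {
        "username_attribute_released": username_attr in released,
        "username_attribute_from_ldap": username_attr in ldap_list,
        "principal_id_attribute": principal_id,
        "principal_id_in_ldap_list": principal_id in ldap_list,
        "released_but_not_fetched": sorted(set(released) - set(ldap_list)),
        "service_id_mismatches": pattern_mismatches(service["serviceId"]),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
    print("tightened pattern mismatches:", pattern_mismatches(TIGHTENED_SERVICE_ID))
```

Run as a script it prints the report for the posted definition; the two URLs listed under service_id_mismatches are accepted only because the dots in the posted regex are unescaped, and principal_id_in_ldap_list is False because the posted principalAttributeId value does not appear in principalAttributeList. Point the same functions at your own service JSON and properties file to repeat the check on a real deployment.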