Anusuya,
Try these loggers to see if cas is changing the attribute or if that is what is
returned to cas from the attribute source.
<!-- DEBUG Found principal attributes [...] for [username]
     Attribute policy [???] allows release of [...] for [username]
     Final collection of attributes allowed are: [...] -->
<AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy"
             level="debug"/>
<!-- DEBUG Created seed map='{username=[loginname]}' for uid='loginname' -->
<!-- DEBUG Query value will be indeterminate due to multiple attributes and no username indicator. -->
<AsyncLogger name="org.apereo.services.persondir.support.ldap.LdaptivePersonAttributeDao"
             level="debug" includeLocation="true"/>
Ray
On Mon, 2021-07-19 at 22:16 -0700, Morning Star wrote:
Hi Ray,
Thanks for your response.
Yes, we use email as the unique identifier.
Please find my service definition below:
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https?|imaps?):\/\/(([A-Za-z0-9_-]+.)*insurance.com\/.*)",
  "name" : "web",
  "description" : "Allows HTTP(S) and IMAP(S) protocols",
  "id" : 10000001,
  "evaluationOrder" : 1,
  "usernameAttribute" : "email",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "CN", "email", "uid" ] ]
  },
  "logoutType" : "BACK_CHANNEL"
}
On Monday, July 19, 2021 at 10:29:06 PM UTC+5:30 Ray Bon wrote:
Anusuya,
Hazelcast instance-name would be the same for all hosts in the cluster, say
'casProd'. I do not think that is related to your issue.
What does your service define as a unique identifier (you use email as the
lookup)?
You can set the username attribute,
https://apereo.github.io/cas/6.3.x/integration/Attribute-Release-PrincipalId.html#attribute
Ray
On Sun, 2021-07-18 at 10:33 -0700, Morning Star wrote:
Hi Team,
CAS Server : 6.3.3
CAS Client : 3.6.2
We are facing a peculiar issue in production. This issue is specific to a
clustered environment. While communicating from one server to another server,
CAS releases the wrong "UID".
We have 3 servers in PROD: CASPROD1, CASPROD2, CASPROD3.
Scenario 1:
When user logs in, CAS server releases attribute UID in CASPROD1 after
successful authentication. While communicating to CAS client, CAS releases the
same UID attribute if request reaches the same server instance CASPROD1. This
is working fine.
Scenario 2:
When the user logs in, the CAS server releases attribute UID in CASPROD1 after
successful authentication. While communicating to the CAS client, if the second server
handles the request, CAS releases a different UID (which is already available
in the CASPROD2 server).
LDAP properties:
cas.authn.ldap[0].order=0
cas.authn.ldap[0].ldapUrl=https://xxxx
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].baseDn=
cas.authn.ldap[0].searchFilter=email={user}
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].bindDn=xxxxxx
cas.authn.ldap[0].bindCredential=xxxx
cas.authn.ldap[0].principalAttributeId=ui
cas.authn.ldap[0].principalAttributePassword=
cas.authn.ldap[0].principalAttributeList=userStatus,tryCount,uid,CN,email
cas.authn.ldap[0].minPoolSize=3
cas.authn.ldap[0].maxPoolSize=10
cas.authn.ldap[0].validateOnCheckout=true
cas.authn.ldap[0].validatePeriodically=true
cas.authn.ldap[0].validatePeriod=600
cas.authn.ldap[0].failFast=false
cas.authn.ldap[0].idleTime=5000
cas.authn.ldap[0].prunePeriod=5000
cas.authn.ldap[0].blockWaitTime=5000
Hazelcast properties
cas.ticket.registry.hazelcast.page-size=500
#cas.ticket.registry.hazelcast.cluster.size=3
cas.ticket.registry.hazelcast.cluster.members=10.34.xxx.58,10.34.xxx.57,10.34.xxx.59
cas.ticket.registry.hazelcast.cluster.instance-name=10.34.xxx.57(have given
this correctly for all server instances)
cas.ticket.registry.hazelcast.cluster.port=5701
cas.ticket.registry.hazelcast.enable-compression=false
cas.ticket.registry.hazelcast.enable-management-center-scripting=true
cas.ticket.registry.hazelcast.crypto.enabled=true
cas.ticket.registry.hazelcast.cluster.asyncBackupCount=1
cas.ticket.registry.hazelcast.cluster.backupCount=0
cas.ticket.registry.hazelcast.crypto.signing.key=7cQ-XUjlbIWahxBUD8IVVW6j7erYyuAmXn7m4O4CpdNpPaxNf1P5ka1JPa-V_T2UryZYtRPOzy1rhjIGQ7kQug
cas.ticket.registry.hazelcast.crypto.signing.keySize=512
cas.ticket.registry.hazelcast.crypto.encryption.key=Sx1MbKtfrP-36ysDRkNXWA
cas.ticket.registry.hazelcast.crypto.encryption.keySize=16
cas.ticket.registry.hazelcast.crypto.alg=AES
CAS server Logs:
2021-07-17 01:33:30 [INFO] com.ex.authentication.MigLdapHandlerAuthentication Creating LDAP principal for [[email protected]] based on [uid=8886927f-ea0f-4129-8097-b72e52a58591,ou=secure,dc=Consumer,dc=insurance,dc=com] and attributes [[uid, cn, email, userStatus, tryCount]]
2021-07-17 01:33:30 [INFO] com.ex.authentication.MigLdapHandlerAuthentication Retrieved principal id attribute [[email protected]]
2021-07-17 01:33:30 [INFO] com.ex.authentication.MigLdapHandlerAuthentication LDAP principal identifier created is [[email protected]]
2021-07-17 01:33:30 [INFO] com.ex.authentication.MigLdapHandlerAuthentication The following attributes are requested to be retrieved and mapped: [[]]
2021-07-17 01:33:30 [INFO] com.ex.authentication.MigLdapHandlerAuthentication Found principal attribute: [org.ldaptive.LdapAttribute@-384702864::name=uid, values=[8886927f-ea0f-4129-8097-b72e52a58591], binary=false]
2021-07-17 01:33:30 [INFO] com.ex.authentication.MigLdapHandlerAuthentication Principal attribute [org.ldaptive.LdapAttribute@-384702864::name=uid, values=[8886927f-ea0f-4129-8097-b72e52a58591], binary=false] is virtually remapped/renamed to [uid]
2021-07-17 01:33:30 [INFO] com.ex.authentication.MigLdapHandlerAuthentication Found principal attribute: [org.ldaptive.LdapAttribute@-1753954665::name=userStatus, values=[ACTIVE], binary=false]
2021-07-17 01:33:30 [INFO] com.ex.authentication.MigLdapHandlerAuthentication Principal attribute [org.ldaptive.LdapAttribute@-1753954665::name=userStatus, values=[ACTIVE], binary=false] is virtually remapped/renamed to [userStatus]
2021-07-17 01:33:30 [INFO] com.ex.authentication.MigLdapHandlerAuthentication Found principal attribute: [org.ldaptive.LdapAttribute@-1505406878::name=tryCount, values=[0:1626509309221], binary=false]
2021-07-17 01:33:30 [INFO] com.ex.authentication.MigLdapHandlerAuthentication Principal attribute [org.ldaptive.LdapAttribute@-1505406878::name=tryCount, values=[0:1626509309221], binary=false] is virtually remapped/renamed to [tryCount]
2021-07-17 01:33:30 [INFO] com.ex.authentication.MigLdapHandlerAuthentication Found principal attribute: [org.ldaptive.LdapAttribute@-397428133::name=cn, values=[8886927f-ea0f-4129-8097-b72e52a58591], binary=false]
2021-07-17 01:33:30 [INFO] com.ex.authentication.MigLdapHandlerAuthentication Principal attribute [org.ldaptive.LdapAttribute@-397428133::name=cn, values=[8886927f-ea0f-4129-8097-b72e52a58591], binary=false] is virtually remapped/renamed to [CN]
2021-07-17 01:33:30 [INFO] com.ex.authentication.MigLdapHandlerAuthentication Found principal attribute: [org.ldaptive.LdapAttribute@-930300140::name=email, values=[[email protected]], binary=false]
2021-07-17 01:33:30 [INFO] com.mig.sso.authentication.MigLdapHandlerAuthentication Principal attribute [org.ldaptive.LdapAttribute@-930300140::name=email, values=[[email protected]], binary=false] is virtually remapped/renamed to [email]
2021-07-17 01:33:30 [INFO] com.mig.sso.authentication.MigLdapHandlerAuthentication Created LDAP principal for id [[email protected]] and [5] attributes
2021-07-17 01:33:31 [INFO] org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager Audit trail record BEGIN
=============================================================
WHO: [email protected]
WHAT: ST-1-l59MuWtx-WFlDsTQi42nww2riqQ-braxlcpa211 for https://qa5-ex.insurance.com/home/
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Sat Jul 17 01:33:31 PDT 2021
CLIENT IP ADDRESS: 10.34.ss.30
SERVER IP ADDRESS: 10.34.xxx.53
=============================================================
2021-07-17 01:33:31 [INFO] org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access Granted,service=https://qa5-cp.mercuryinsurance.com/c...,principal=SimplePrincipal([email protected], attributes={CN=[8886927f-ea0f-4129-8097-b72e52a58591], uid=[8886927f-ea0f-4129-8097-b72e52a58591]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Sat Jul 17 01:33:31 PDT 2021
CLIENT IP ADDRESS: 10.34.xx.6
SERVER IP ADDRESS: 10.34.xxx.53
=============================================================
2021-07-17 01:35:26 [INFO] org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access Granted,service=https://brextt051.int.mgc.com:11111...,principal=SimplePrincipal([email protected], attributes={uid=[6666927f-ea0f-4129-8097-b72e52a58591], userStatus=[ACTIVE], tryCount=[0:1626509309221], CN=[6666927f-ea0f-4129-8097-b72e52a58591], email=[[email protected]]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Sat Jul 17 01:35:26 PDT 2021
CLIENT IP ADDRESS: 10.34.xx.30
SERVER IP ADDRESS: 10.34.xxx.55
=============================================================
Will be really grateful if someone helps me with the fix.
Regards,
Anusuya.
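A detection aid for the symptom described in this post, added here as an example (it is not code from the thread or from CAS): it parses inspektr audit records of the shape shown in the logs above, groups the released attributes by principal and by SERVER IP ADDRESS, and flags any watched attribute whose value differs from one cluster node to another. The field names follow the log excerpt; the sample records and their values are constructed.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread): two SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
# audit records for the same principal, answered by two different cluster nodes.
SAMPLE_LOG = """\
2021-07-17 01:33:31 [INFO] org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access Granted,service=https://app1.example.com/...,principal=SimplePrincipal(user@example.com, attributes={CN=[aaaa-1111], uid=[aaaa-1111]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
SERVER IP ADDRESS: 10.0.0.53
=============================================================
2021-07-17 01:35:26 [INFO] org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access Granted,service=https://app2.example.com/...,principal=SimplePrincipal(user@example.com, attributes={uid=[bbbb-2222], CN=[bbbb-2222], email=[user@example.com]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
SERVER IP ADDRESS: 10.0.0.55
=============================================================
"""

# One "KEY: value" field per audit-record line; only the fields we need are kept.
FIELD_RE = re.compile(r"^(?P<key>WHO|WHAT|ACTION|SERVER IP ADDRESS): (?P<val>.*)$")
# SimplePrincipal(<id>, attributes={k=[v], ...}) as CAS prints it inside WHAT.
PRINCIPAL_RE = re.compile(r"SimplePrincipal\((?P<id>[^,]+), attributes=\{(?P<attrs>.*?)\}\)")
ATTR_RE = re.compile(r"(\w+)=\[([^\]]*)\]")


def parse_audit_records(text):
    """Return (principal, server_ip, {attr: value}) for each service-access audit record."""
    out = []
    for chunk in text.split("Audit trail record BEGIN")[1:]:
        fields = dict(m.groups() for m in map(FIELD_RE.match, chunk.splitlines()) if m)
        pm = PRINCIPAL_RE.search(fields.get("WHAT", ""))
        if fields.get("ACTION") == "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" and pm:
            attrs = dict(ATTR_RE.findall(pm.group("attrs")))
            out.append((pm.group("id"), fields.get("SERVER IP ADDRESS", "?"), attrs))
    return out


def find_inconsistent_attributes(records, watched=("uid",)):
    """principal -> attr -> {server_ip: value}, limited to watched attrs that differ by node."""
    seen = defaultdict(lambda: defaultdict(dict))
    for principal, server, attrs in records:
        for name in watched:
            if name in attrs:
                seen[principal][name][server] = attrs[name]
    return {p: {a: s for a, s in by_attr.items() if len(set(s.values())) > 1}
            for p, by_attr in seen.items()
            if any(len(set(s.values())) > 1 for s in by_attr.values())}
```

Run it over the real audit log with `watched=("uid", "CN")`; a non-empty result names the principal and the nodes that released different values for the same attribute, which is the first thing to check before reading the DEBUG output of the loggers suggested earlier in the thread.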
You received this message because you are subscribed to the Google Groups "CAS Community" group.