jasig-cas IRC Logs-2011-04-08

[01:26:03 CDT(-0500)] <yann2> hi
[01:26:07 CDT(-0500)] <yann2> apetro, , you around? (smile)
[10:05:24 CDT(-0500)] <mklein21005> i'm still having problems trying to authenticate with LDAP and AD. I was fastbind would not work with our AD but when I try to log in using the normal BindLdapAuthenticationHandler it says CAS is unavailable
[10:05:40 CDT(-0500)] <mklein21005> I checked all the logs and don't see any issues
[10:06:02 CDT(-0500)] <mklein21005> any suggestions?
[10:07:12 CDT(-0500)] <yann2> hi
[10:07:24 CDT(-0500)] <wgthom> turn up debugging and post the results to cas-user mailing list
[10:07:55 CDT(-0500)] <mklein21005> ok i'll do that
[10:07:58 CDT(-0500)] <yann2> wgthom, would you know if this is correct: http://waste.mandragor.org/cas.png ?
[10:08:56 CDT(-0500)] <wgthom> yep that's it
[10:09:33 CDT(-0500)] <yann2> ok awesome (smile) It's slightly different from what the doc says, which is why I was confused
[10:09:44 CDT(-0500)] <yann2> am writing a long piece of documentation on CAS, hopefully it'll be useful
[10:09:50 CDT(-0500)] <wgthom> where are u confused? where does it diverge?
[10:10:12 CDT(-0500)] <wgthom> you should definitely sync up with Marvin...he's leading the doc effort
[10:10:55 CDT(-0500)] <yann2> https://wiki.jasig.org/display/CASUM/Technical+Overview here
[10:11:01 CDT(-0500)] <yann2> "When the CAS server receives the request, CAS programmatically forms a new URL request (redirection) and calls application1 and adds a unique one-time-only random ticket (String) as a request parameter"
[10:11:18 CDT(-0500)] <yann2> you could easily read, CAS contacts the application server with a ticket number
[10:11:37 CDT(-0500)] <yann2> but from what I understand CAS never contacts the app server itself, it redirects the user to it
[10:11:47 CDT(-0500)] <yann2> and then
[10:11:50 CDT(-0500)] <yann2> "CAS receives this secure request and prompts the user for his password. This is where the CAS server authenticates the user that's requesting access to application1. "
[10:12:10 CDT(-0500)] <yann2> you would understand CAS checks the password AFTER redirecting the user to the page with the ticket number
[10:12:14 CDT(-0500)] <yann2> but I understand it's before
[10:12:42 CDT(-0500)] <wgthom> yeah, see what you mean. it is a little misleading...
[10:13:03 CDT(-0500)] <yann2> glad I got it right (tongue)
[10:13:16 CDT(-0500)] <wgthom> would be great for you to post your comments on the cas-user mailing list and work with Marvin to make it less confusing.
[10:13:58 CDT(-0500)] <yann2> am working on a tutorial on CAS , with example for Ubuntu 10
[10:14:24 CDT(-0500)] <yann2> to be fair I spent ages with tcpdump last night to understand it fully (tongue)
[10:14:36 CDT(-0500)] <wgthom> gotcha
[10:14:49 CDT(-0500)] <wgthom> the cas-user mailing list and this irc is your friend.
[10:15:01 CDT(-0500)] <yann2> what timezone is this channel in, mostly?
[10:15:20 CDT(-0500)] <wgthom> good question...
[10:15:21 CDT(-0500)] <wgthom> i'm est
[10:15:31 CDT(-0500)] <wgthom> apetro is cst I believe
[10:15:39 CDT(-0500)] <yann2> so US mostly, ok (smile)
[10:15:44 CDT(-0500)] <yann2> (< berlin)
[10:15:47 CDT(-0500)] <wgthom> so far yes.
[10:15:48 CDT(-0500)] <wgthom> nice
[10:16:00 CDT(-0500)] <wgthom> at university?
[10:16:17 CDT(-0500)] <yann2> no, working for english archaeology company
[10:16:29 CDT(-0500)] <yann2> CAS seemed like a good fit (smile)
[10:16:33 CDT(-0500)] <wgthom> interesting
[10:16:35 CDT(-0500)] <wgthom> cool
[10:17:09 CDT(-0500)] <yann2> maybe I'll get some leads here on how to get my two CAS instances to share their storage at some point
[10:17:29 CDT(-0500)] <yann2> it's good software, I like it (smile)
[10:17:34 CDT(-0500)] <mklein21005> ok i posted cas.log to cas-user
[10:19:18 CDT(-0500)] <wgthom> yann2 here's some good presentations https://wiki.jasig.org/display/CAS/Presentations+about+CAS
[10:19:59 CDT(-0500)] <yann2> btw - is it really useful to use maven to deploy CAS?
[10:20:07 CDT(-0500)] <yann2> am doing without, haven't seen the utility so far
[10:20:42 CDT(-0500)] <wgthom> it can be if you are using some source control to manage your config and any extensions
[10:20:53 CDT(-0500)] <yann2> awesome thank you
[10:20:56 CDT(-0500)] <wgthom> as well as when it comes time to upgrade
[10:20:58 CDT(-0500)] <wgthom> or patch
[10:22:20 CDT(-0500)] <wgthom> yann2, here's another good one on Clustering CAS for HA https://wiki.jasig.org/download/attachments/28574591/Clustering+CAS.pdf?version=1&modificationDate=1268947376041
[10:24:21 CDT(-0500)] <mklein21005> actually I posted it to the Jasig CAS mailing list
[10:25:08 CDT(-0500)] <mklein21005> and just posted it to the CAS-users mailing list i'm just waiting for it to be accepted
[10:25:22 CDT(-0500)] <wgthom> ok
[10:35:24 CDT(-0500)] <wgthom> heading out to lunch... be back later.
[10:36:06 CDT(-0500)] <serac> mklein: How are you posting this message?
[10:36:48 CDT(-0500)] <mklein21005> http://jasig.275507.n4.nabble.com/uPortal-3-2-4-CAS-LDAP-Authentication-with-Active-Directory-td3436636.html
[10:37:21 CDT(-0500)] <serac> I encourage you to subscribe to cas-user and become a part of our community.
[10:37:45 CDT(-0500)] <serac> http://www.jasig.org/cas/community
[10:43:42 CDT(-0500)] <mklein21005> ok i joined
[10:43:48 CDT(-0500)] <mklein21005> and sent it to the mailing list
[10:57:08 CDT(-0500)] <serac> I'd expect to see the post by now, but don't see it. You sent the mail to cas-user@lists.jasig.org?
[10:57:45 CDT(-0500)] <mklein21005> yeah
[11:02:18 CDT(-0500)] <mklein21005> i tried sending it again
[11:12:08 CDT(-0500)] <serac> If you're not getting a bounce message, I'd think the list manager has got it and is waiting on something else to send it out.
[11:12:17 CDT(-0500)] <serac> I hate our listserv setup.
[11:12:48 CDT(-0500)] <serac> But in fairness, I think list management software in general is terrible.
[11:15:47 CDT(-0500)] <mklein21005> i put it on dpaste
[11:15:51 CDT(-0500)] <mklein21005> http://dpaste.com/530041/
[11:30:13 CDT(-0500)] <serac> There's no authentication attempt in that excerpt.
[11:31:17 CDT(-0500)] <serac> The last line looks like it's the beginning of an auth, but I need to see the DEBUG from the LDAP handler.
[11:43:42 CDT(-0500)] <mklein21005> http://dpaste.com/530052/
[11:43:51 CDT(-0500)] <mklein21005> i added the extra lines
[11:52:55 CDT(-0500)] <serac> Shows successful auth, but has trouble finding message bundle:
[11:52:56 CDT(-0500)] <serac> DEBUG [http-8080-2] Apr/08 10:17:08,669 cas.CentralAuthenticationServiceImpl.[] - Attempting to create TicketGrantingTicket for [username: mklein21005] WARN [http-8080-2] Apr/08 10:17:08,673 support.ResourceBundleMessageSource.[] - ResourceBundle [default] not found for MessageSource: Can't find bundle for base name default, locale en
[11:57:29 CDT(-0500)] <serac> Based on the message, there should be a default_en.properties or simply default.properties somewhere on your classpath.
[12:10:52 CDT(-0500)] <mklein21005> what do you mean by class path
[12:23:46 CDT(-0500)] <mklein21005> alright i got rid of that warn and it still doesn't work
[12:44:07 CDT(-0500)] <serac> So it looks like an authentication error in CAS? Just "login failed" or similar?
[12:50:01 CDT(-0500)] <mklein21005> it still says CAS is unavailable
[12:50:35 CDT(-0500)] <mklein21005> yeah
[12:50:42 CDT(-0500)] <apetro> (have a conflicting conference call at 2pm Eastern today, so I won't be able to fully attend to this IRC chat, but I'm loosely around and might react to being poked.)
[12:59:28 CDT(-0500)] <wgthom> checking in
[12:59:42 CDT(-0500)] <serac> I'm working on the LT issue based on the thread yesterday.
[12:59:52 CDT(-0500)] <serac> I think I have a good solution.
[13:00:03 CDT(-0500)] <wgthom> nice
[13:00:21 CDT(-0500)] <serac> Bill, thanks for highlighting that discussion earlier today.
[13:00:30 CDT(-0500)] <wgthom> yep. active channel today
[13:00:31 CDT(-0500)] <serac> I was watching it fly by, but didn't really read carefully.
[13:00:45 CDT(-0500)] <serac> Active is good (smile)
[13:00:51 CDT(-0500)] <wgthom> indeed
[13:00:59 CDT(-0500)] <serac> Really wish we could get contributors to pull in same direction as us.
[13:01:21 CDT(-0500)] <serac> How many CAS diagrams are in the universe? How many do we really need?
[13:02:14 CDT(-0500)] <wgthom> a few to be sure
[13:25:54 CDT(-0500)] <yann2> BTW, did anyone ever try drupal CAS as a CAS server, instead of the official one?
[13:27:20 CDT(-0500)] <yann2> serac, to be fair I had a look at the mailing list (on sourceforge right?) and it seemed completely deserted
[13:27:28 CDT(-0500)] <yann2> am actually quite surprised there are people here (smile)
[13:27:45 CDT(-0500)] <yann2> would be happy to contribute to the official documentation but it's no wiki
[13:27:52 CDT(-0500)] <serac> Mailing list on sourceforge?
[13:27:57 CDT(-0500)] <wgthom> haven't heard of anyone running drupal as a cas server
[13:28:01 CDT(-0500)] <serac> It's cas-user@lists.jasig.org and very active.
[13:28:08 CDT(-0500)] <yann2> hum
[13:28:32 CDT(-0500)] <serac> ^^^ see above for link to mailing list page on jasig.org
[13:29:03 CDT(-0500)] <serac> https://wiki.jasig.org/display/CASUM/Home
[13:29:23 CDT(-0500)] <yann2> indeed... damn, can't remember where I landed last time I looked
[13:29:34 CDT(-0500)] <serac> Doc contributions should be filed as jira issues against https://issues.jasig.org/browse/CASW.
[13:31:37 CDT(-0500)] <yann2> also need to look at cas_mod_proxy and CAS proxying, I am currently proxying CAS with mod_proxy only, not sure what all this proxying is about (smile)
[13:48:35 CDT(-0500)] <serac> cas_mod_proxy?
[13:49:11 CDT(-0500)] <serac> The two apache modules I'm familiar with are mod_cas (dated) and mod_auth_cas (actively maintained). m-a-c doesn't support proxy at present.
[13:49:17 CDT(-0500)] <yann2> mod_auth_cas sry
[13:49:29 CDT(-0500)] <serac> np
[13:49:44 CDT(-0500)] <serac> Just wanted to make sure there's not something floating out there we aren't aware of.
[13:50:00 CDT(-0500)] <yann2> https://lists.wisc.edu/read/messages?id=12810792 like here
[13:50:12 CDT(-0500)] <yann2> why is he using that apache module?
[13:51:06 CDT(-0500)] <serac> It provides CAS authentication for Apache. Other than that reason I couldn't say.
[13:51:43 CDT(-0500)] <yann2> I got something like that http://pastealacon.com/27161
[13:52:29 CDT(-0500)] <yann2> I think I need to read a bit more (smile)
[13:52:48 CDT(-0500)] <yann2> thanks for your help
[13:53:15 CDT(-0500)] <serac> np
[14:19:17 CDT(-0500)] <yann2> http://www.mandragor.org/node/2# where I stand so far, if anyone want to have a look (still needs a bit of theming, and planning to add some phpcas examples)
[14:25:47 CDT(-0500)] <wgthom> pretty nice.
[14:26:12 CDT(-0500)] <wgthom> the diagram seems to capture the basic 1.0 protocol well
[14:26:24 CDT(-0500)] <wgthom> there is also proxy tickets added in 2.0
[14:26:42 CDT(-0500)] <wgthom> single sign off
[14:26:43 CDT(-0500)] <wgthom> etc
[14:26:45 CDT(-0500)] <wgthom> saml
[14:27:13 CDT(-0500)] <yann2> yep the proxy thing I haven't understood yet what it was for :/
[14:27:37 CDT(-0500)] <wgthom> comes to play mostly in portal like scenarios
[14:28:20 CDT(-0500)] <wgthom> where you have a bit of code that wants to access a down stream service on behalf of the user (without ever seeing the users credentials)
[14:28:32 CDT(-0500)] <wgthom> like an email channel running in a portal that needs access to an imap
[14:29:02 CDT(-0500)] <wgthom> proxy tickets let the email portlet authenticate against imap without the users primary credentials
[14:30:03 CDT(-0500)] <yann2> oh. For example if I have a RSS aggregator that aggregates data from a feed that requires CAS authentication, ticket proxying could be useful?
[14:30:17 CDT(-0500)] <wgthom> exactly
[14:30:35 CDT(-0500)] <yann2> might need that (smile) thanks, I'll read more about it
[14:30:58 CDT(-0500)] <wgthom> user logs on to aggregator. aggregator uses proxy ticket to pull downstream feeds (assuming those take CAS authN)
[14:31:47 CDT(-0500)] <wgthom> there is also an outlet mechanism to get the users primary credentials (ClearPass) via proxy tickets in the cases that you have to have the password
[14:32:05 CDT(-0500)] <wgthom> but proxy is the preferred way
[14:33:51 CDT(-0500)] <yann2> just a small question BTW: does the ticket number act as a password? if I can intercept a ticket number, I should be able to log in as the user who is using that ticket?
[14:34:25 CDT(-0500)] <yann2> or is there an additional security measure?
[14:35:55 CDT(-0500)] <wgthom> Yes, the Service Ticket must be kept private which is why SSL is required. It is also Service specific, has a short time-to-live, and is one time use only.
[14:36:43 CDT(-0500)] <wgthom> so not exactly like a reusable password.
[14:37:04 CDT(-0500)] <yann2> k - so there is a cookie on top of it with a SID where CAS remembers the user is logged in I guess
[14:38:16 CDT(-0500)] <wgthom> The Ticket Granting Ticket (Cookie) is specific to the CAS server and is the mechanism to achieve SSO. This is separate from the Service Tickets that gain access to a particular Service.
[14:38:39 CDT(-0500)] <yann2> ok