jasig-cas IRC Logs-2011-10-11
[07:57:16 CDT(-0500)] <kickehy> mornin'
[08:22:41 CDT(-0500)] <atilling> morning
[08:25:19 CDT(-0500)] <kickehy> helpful hint....don't use the "all in one" windows installer for mysql
[08:26:07 CDT(-0500)] <atilling> I wouldn't but because we don't use windows for any servers
[08:26:25 CDT(-0500)] <kickehy> must be nice
[08:27:03 CDT(-0500)] <kickehy> i'm a linux/unix n00b and since the environment already was based on microsoft when I came here...it's what i get
[08:29:35 CDT(-0500)] <kickehy> maybe after this is all done i'll write up a decent windows installation guide
[08:35:25 CDT(-0500)] <kickehy> atilling: do you know when/how the database tables are created?
[08:36:21 CDT(-0500)] <kickehy> is it when you build your war file?
[08:41:51 CDT(-0500)] <atilling> if you have JPA properly configured the tables are built during the init of CAS
[08:42:00 CDT(-0500)] <kickehy> mmmk
[08:42:04 CDT(-0500)] <atilling> so basically server startup
[08:43:39 CDT(-0500)] <atilling> there is a single ORM definition so even if you are only using JPA for one purpose the tables are created for all JPA functions, tickets, service manager etc
[08:44:46 CDT(-0500)] <kickehy> ah that's good
[08:45:44 CDT(-0500)] <kickehy> atilling: thanks for all your help by the way
[08:47:17 CDT(-0500)] <atilling> Glad to be a help in any way I can
[08:58:57 CDT(-0500)] <kickehy> i assume connection pooling (for the database and ldap) is worth it no matter how many users you have?
[09:04:20 CDT(-0500)] <atilling> at least for the LDAP, db is debatable
[09:04:57 CDT(-0500)] <kickehy> ok good, because configuring the database one looked a lot more confusing
[09:08:40 CDT(-0500)] <kickehy> also, i assume that since i'm specifying the database dialect in the ticketregistry.xml I do not need to state it in the cas.properties window
[09:17:51 CDT(-0500)] <atilling> depends on which JPA functions you are using, it's best to include it in both locations
[09:23:10 CDT(-0500)] <kickehy> one more thing before i try this... if my database schema is called 'cas' is my connection url: jdbc:mysql://localhost:3306/cas?autoReconnect=true
[09:27:09 CDT(-0500)] <atilling> correct
[09:27:16 CDT(-0500)] <kickehy> thanks
[09:27:40 CDT(-0500)] <atilling> did you add the mysql dependency to your pom?
[09:30:57 CDT(-0500)] <kickehy> yes
[09:31:27 CDT(-0500)] <kickehy> http://pastie.org/2677183 <--that is my edited pom
[09:31:44 CDT(-0500)] <kickehy> except it's better formatted in my file
[09:31:52 CDT(-0500)] <kickehy> not sure what happened on the copy/paste there
[09:32:13 CDT(-0500)] <atilling> lol
[09:32:38 CDT(-0500)] <atilling> you may need:
[09:32:39 CDT(-0500)] <atilling> <dependency>
[09:32:40 CDT(-0500)] <atilling> <groupId>commons-dbcp</groupId>
[09:32:40 CDT(-0500)] <atilling> <artifactId>commons-dbcp</artifactId>
[09:32:41 CDT(-0500)] <atilling> <version>1.2.2</version>
[09:32:43 CDT(-0500)] <atilling> </dependency>
[09:33:04 CDT(-0500)] <kickehy> i saw that mentioned before when i was googling earlier
[09:33:08 CDT(-0500)] <kickehy> i'll go ahead and put it in
[09:33:29 CDT(-0500)] <atilling> depends on how you defined your datasource
[09:33:40 CDT(-0500)] <atilling> if it's class="org.apache.commons.dbcp.BasicDataSource
[09:33:58 CDT(-0500)] <atilling> then you need it - if you used another class then you may not
[09:34:30 CDT(-0500)] <kickehy> it is basicdatasource, i just copy/pasted from the jpaticketregistry wiki
[09:34:59 CDT(-0500)] <atilling> then you def need commons-dbcp in your pom
[09:36:54 CDT(-0500)] <kickehy> for the serviceRegistrydao bean...do i place that in the ticketregistry.xml?
[09:37:24 CDT(-0500)] <kickehy> since it's going to call entitymanagerfactory
[09:37:48 CDT(-0500)] <atilling> you need to replace the serviceRegistrydao in your deployerConfig
[09:37:55 CDT(-0500)] <kickehy> ok
[09:38:22 CDT(-0500)] <atilling> doesn't really matter what file it's in spring is able to manage the references across files
[09:39:05 CDT(-0500)] <atilling> in our case we took serviceRegistrydao out of deployerConfig and created a separate serviceManage.xml in spring-configuration
[09:39:14 CDT(-0500)] <kickehy> that concept is hard for my brain to grasp
[09:39:29 CDT(-0500)] <kickehy> being able to state the same thing in multiple places and it still works
[09:39:48 CDT(-0500)] <atilling> well it can't be the "same" thing
[09:39:57 CDT(-0500)] <atilling> each bean can only be defined once
[09:40:10 CDT(-0500)] <atilling> basically think of it as includes
[09:40:35 CDT(-0500)] <atilling> all the xml files are merged into one big single config during the init
[09:41:35 CDT(-0500)] <kickehy> oh ok
[09:41:41 CDT(-0500)] <kickehy> that makes more sense
[09:46:43 CDT(-0500)] <kickehy> well at least i know it's trying to create the tables now
[09:47:29 CDT(-0500)] <atilling> good
[09:47:35 CDT(-0500)] <kickehy> it just failed
[09:47:42 CDT(-0500)] <kickehy> it's saying the syntax is wrong
[09:47:57 CDT(-0500)] <kickehy> i changed the dialect to innodb
[09:48:02 CDT(-0500)] <kickehy> in both places
[09:48:12 CDT(-0500)] <atilling> usually that means your dialect is wrong
[09:48:42 CDT(-0500)] <kickehy> or could it be i didn't create innodb tables?
[09:48:44 CDT(-0500)] <atilling> we use org.hibernate.dialect.MySQLDialect for mysql
[09:49:07 CDT(-0500)] <atilling> did you create the cas database?
[09:49:23 CDT(-0500)] <kickehy> yes
[09:49:57 CDT(-0500)] <atilling> granted permissions to the user cas is connecting as?
[09:50:05 CDT(-0500)] <kickehy> yep
[09:50:11 CDT(-0500)] <kickehy> basically has full permissions
[09:50:55 CDT(-0500)] <kickehy> i was just going off of the wiki's suggestion of using innodb's
[09:50:56 CDT(-0500)] <atilling> Don't know then, I believe innodb should work - you could try org.hibernate.dialect.MySQLDialect
[09:52:47 CDT(-0500)] <atilling> did you set up your mysql to support innodb?
[09:52:58 CDT(-0500)] <kickehy> that's an excellent question
[09:53:25 CDT(-0500)] <atilling> in your mysql do a show engines
[09:53:54 CDT(-0500)] <kickehy> looks like the default
[09:54:35 CDT(-0500)] <kickehy> grab.by/b2Bx
[09:54:43 CDT(-0500)] <atilling> then org.hibernate.dialect.MySQLInnoDBDialect should work
[09:56:22 CDT(-0500)] <foxnesn1> kickehy: did you get CAS to authenticate using your ldap yet?
[09:57:00 CDT(-0500)] <kickehy> foxnesn1: working on it still
[09:57:14 CDT(-0500)] <kickehy> trying to get my database setup correctly atm
[09:58:58 CDT(-0500)] <kickehy> would the schema collation matter?
[09:59:18 CDT(-0500)] <atilling> I don't believe so
[10:04:18 CDT(-0500)] <foxnesn1> probably not
[10:04:29 CDT(-0500)] <foxnesn1> but best to go with utf-8
[10:04:42 CDT(-0500)] <foxnesn1> you can always change that later
[10:06:33 CDT(-0500)] <foxnesn1> i cannot for the life of me get CAS to authenticate anyone in the AD, i think it may be the fact that it isnt ssl
[10:07:10 CDT(-0500)] <foxnesn1> but seriously all it should need is the manager, the handler and credentials
[10:14:15 CDT(-0500)] <kickehy> is there any way i can edit the table creation process? apparently mysql 5.1 doesn't support 'Type=InnoDB' anymore, they changed it to 'Engine=InnoDB'
[10:14:26 CDT(-0500)] <kickehy> err 5.5
[10:14:41 CDT(-0500)] <serac> That's deep within Hibernate guts.
[10:15:08 CDT(-0500)] <serac> So no. That said, Hibernate is good about platform-specific changes like this.
[10:15:18 CDT(-0500)] <serac> Have you checked whether there's a 55-specific dialect?
[10:15:35 CDT(-0500)] <kickehy> https://wiki.jasig.org/display/CASUM/JpaTicketRegistry
[10:15:40 CDT(-0500)] <kickehy> I was following that example
[10:15:56 CDT(-0500)] <kickehy> I suppose i could just use the default Mysql dialect
[10:16:09 CDT(-0500)] <serac> At your own peril.
[10:16:13 CDT(-0500)] <kickehy> lol
[10:16:17 CDT(-0500)] <kickehy> maybe not then
[10:16:40 CDT(-0500)] <foxnesn1> kickehy: why you setting up mysql?
[10:16:42 CDT(-0500)] <serac> Like the doc says, there are at least two substantial reasons to use InnoDB.
[10:17:02 CDT(-0500)] <atilling> according to hibernate docs
[10:17:03 CDT(-0500)] <atilling> org.hibernate.dialect.MySQLInnoDBDialect (or)
[10:17:03 CDT(-0500)] <atilling> org.hibernate.dialect.MySQL5InnoDBDialect for MySQL5
[10:17:12 CDT(-0500)] <kickehy> ooooo i bet that's it
[10:17:12 CDT(-0500)] <serac> Thank you sir.
[10:17:40 CDT(-0500)] <serac> I can imagine the hib guys could stay busy keeping up with DB platform changes alone.
[10:18:00 CDT(-0500)] <kickehy> foxnesn1: i think it's for ticketing to track user's logon/logoff sessions
[10:18:06 CDT(-0500)] <kickehy> correct me if i'm wrong though guys
[10:18:24 CDT(-0500)] <serac> Is this a HA setup?
[10:18:30 CDT(-0500)] <foxnesn> must be HA
[10:18:34 CDT(-0500)] <serac> e.g. multiple CAS server nodes
[10:18:50 CDT(-0500)] <foxnesn> im not even gonna try that yet until i get CAS to authenticate against the AD
[10:18:57 CDT(-0500)] <kickehy> no....
[10:19:07 CDT(-0500)] <kickehy> I just though cas wouldn't work with ldap without it
[10:19:13 CDT(-0500)] <serac> Wrong.
[10:19:16 CDT(-0500)] <kickehy> hehe
[10:19:24 CDT(-0500)] <serac> The ticket store and the auth handlers are separate components.
[10:19:24 CDT(-0500)] <foxnesn> haha
[10:19:26 CDT(-0500)] <serac> Mix and match.
[10:19:40 CDT(-0500)] <serac> Save yourself the trouble and use in-memory if you don't need durable storage.
[10:20:02 CDT(-0500)] <serac> Note with the default in-memory ticket registry tickets evaporate on restarts, so that could be a reason to use JPA.
[10:20:46 CDT(-0500)] <serac> IMO losing authenticated state on restarts is a non-issue. I frequently delete from ticketgrantingticket;delete from serviceticket; on redeploys.
[10:21:07 CDT(-0500)] <serac> Your requirements may vary.
[10:21:13 CDT(-0500)] <foxnesn> i keep referring to https://wiki.jasig.org/display/CASUM/LDAP as a guide for LDAP but i need a very basic setup
[10:21:40 CDT(-0500)] <kickehy> it's amazing what happens when you put that 5 in the dialect
[10:21:53 CDT(-0500)] <serac> Good to know. Thanks atilling.
[10:22:02 CDT(-0500)] <kickehy> no errors this time
[10:22:41 CDT(-0500)] <kickehy> and there are my pretty tables
[10:22:43 CDT(-0500)] <atilling> I believe you started down the JPA path when you asked me about service manager
[10:22:49 CDT(-0500)] <kickehy> atilling: yeah
[10:22:51 CDT(-0500)] <foxnesn> i included this Integration with authenticationManager Bean in deployerConfigContext.xml
[10:22:57 CDT(-0500)] <foxnesn> from thw wiki
[10:23:16 CDT(-0500)] <foxnesn> and the contextsource bean id
[10:23:17 CDT(-0500)] <serac> Ah, right, that's a reason to go with JPA. If you're gonna invest in setting up a DB, might as well get the most out of it.
[10:23:59 CDT(-0500)] <atilling> He was asking best practices and I said I would rate service manager a best practice
[10:24:01 CDT(-0500)] <foxnesn> is there a book or something i could get that explains the philosophy behind each component?
[10:24:49 CDT(-0500)] <serac> CASUM+Javadocs is the best we have.
[10:24:50 CDT(-0500)] <atilling> Only the wiki/cas manual at this time
[10:25:43 CDT(-0500)] <foxnesn> im just having trouble putting it all together
[10:25:50 CDT(-0500)] <atilling> foxnesn can you take your passwords out of your deployerConfig and then share it? Seems like you are having an unusual level of pain
[10:26:06 CDT(-0500)] <foxnesn> yes
[10:26:07 CDT(-0500)] <foxnesn> hold one
[10:26:08 CDT(-0500)] <serac> Posting to pastebin is good for sharing on IRC.
[10:26:08 CDT(-0500)] <foxnesn> on
[10:26:14 CDT(-0500)] <foxnesn> right, pastie
[10:26:24 CDT(-0500)] <serac> Sure, whatever service you like.
[10:26:44 CDT(-0500)] <atilling> Note you can put your passwords in your properties file if you want to exclude them from the xml files
[10:27:21 CDT(-0500)] <serac> A very good practice IMO since you can easily control permissions on externalized properties files; not so much with XML bundled in a WAR file.
[10:27:29 CDT(-0500)] <atilling> also I keep meaning to put up a wiki article explaining how to use jcrypt and encode them, but I can provide instructions for that if needed
[10:27:48 CDT(-0500)] <serac> You're just moving the goal post to securing the key.
[10:28:04 CDT(-0500)] <atilling> partially correct
[10:28:29 CDT(-0500)] <atilling> the goal/requirement here is that no one file will give you the password
[10:29:03 CDT(-0500)] <atilling> with jcrypt they need the properties file and access to an environment variable
[10:29:39 CDT(-0500)] <serac> Are both files readable by the same set of permissions?
[10:29:50 CDT(-0500)] <atilling> nope
[10:30:14 CDT(-0500)] <atilling> the environment file is set and then destroyed in the inittab
[10:31:18 CDT(-0500)] <atilling> also the environment values are not backed up to our off site backup
[10:31:26 CDT(-0500)] <serac> You should write this up somewhere for review. I've heard a lot of arguments for encrypting credentials, and I've never heard an argument that held up to scrutiny. Yours sounds interesting enough that it's worth review and consideration.
[10:31:31 CDT(-0500)] <atilling> everything else is
[10:32:10 CDT(-0500)] <atilling> I'll write a wiki entry, it's on my todo list
[10:32:18 CDT(-0500)] <serac> Cool, thanks.
[10:32:42 CDT(-0500)] <atilling> course it's been on that todo list about a year or so .....
[10:32:51 CDT(-0500)] <serac> haha, know what that's like.
[10:34:02 CDT(-0500)] <kickehy> if i'm not using ldaps at the moment, what port does it use?
[10:34:19 CDT(-0500)] <atilling> ldaps = 363, ldap = 389
[10:34:26 CDT(-0500)] <kickehy> atilling: thanks
[10:34:26 CDT(-0500)] <serac> ldaps=636
[10:34:34 CDT(-0500)] <foxnesn1> http://pastie.org/2677545
[10:35:27 CDT(-0500)] <atilling> yeah what serac said - sorry dyslexic without spellcheck I'd be lost
[10:37:32 CDT(-0500)] <atilling> your search base is a little specific
[10:38:00 CDT(-0500)] <atilling> have you tried searching your ldap with a third party ldap browser?
[10:38:49 CDT(-0500)] <serac> If you weren't trying to use the password expiration stuff, this would be a good use case for FastBind.
[10:39:20 CDT(-0500)] <atilling> I would suggest you try http://directory.apache.org/studio/ with that you can test the search
[10:39:48 CDT(-0500)] <serac> Since this is AD, the ldp.exe tool (or its modern equivalent) is also a good choice.
[10:40:40 CDT(-0500)] <atilling> actually I believe near future support-ldap will include the password expiration stuff for bindauth and fastbind
[10:41:28 CDT(-0500)] <foxnesn1> hrm
[10:41:40 CDT(-0500)] <foxnesn1> well i was able to setup a password self service program that talks with the ldap
[10:41:41 CDT(-0500)] <atilling> but I only say that because I wrote it and I've tested it with both
[10:41:42 CDT(-0500)] <serac> It's headed that way, yeah.
[10:41:44 CDT(-0500)] <foxnesn1> works just fine
[10:42:06 CDT(-0500)] <atilling> is that the search base the self serve is using?
[10:42:12 CDT(-0500)] <foxnesn1> yea
[10:42:45 CDT(-0500)] <foxnesn1> but it checks CN, not sAMAccountName
[10:43:10 CDT(-0500)] <atilling> I would try a search base of "dc=fasdev,dc-lcl"
[10:43:10 CDT(-0500)] <foxnesn1> i need the minimal amount
[10:43:25 CDT(-0500)] <atilling> well = not -
[10:43:40 CDT(-0500)] <foxnesn1> a handler that does ldap and a manager that can handle httpd since im using CAS as the gateway
[10:43:59 CDT(-0500)] <foxnesn1> i dont need to setup pooled yet or anything for HA
[10:46:01 CDT(-0500)] <atilling> ok in your config
[10:46:36 CDT(-0500)] <atilling> it looks like you have ldap and 636 - or is that just the way you edited?
[10:46:47 CDT(-0500)] <foxnesn1> yea
[10:46:52 CDT(-0500)] <foxnesn1> i just hide it that way
[10:46:56 CDT(-0500)] <atilling> ok
[10:47:08 CDT(-0500)] <foxnesn1> i got rid of the spnego stuff
[10:47:16 CDT(-0500)] <atilling> ok
[10:47:42 CDT(-0500)] <foxnesn1> why is credentialstoprincipalsresolvers needed twice in the authmanager?
[10:48:09 CDT(-0500)] <foxnesn1> one in the property name for bean id and one for the property name in the bean class
[10:48:38 CDT(-0500)] <atilling> one is credentialstoprincipalsresolvers and one is credentialstoprincipalsresolver
[10:48:50 CDT(-0500)] <atilling> note the (s)
[10:49:01 CDT(-0500)] <foxnesn1> ooo
[10:49:05 CDT(-0500)] <foxnesn1> reading is important
[10:49:30 CDT(-0500)] <atilling> the two things I would try, one use a simpler searchbase
[10:50:11 CDT(-0500)] <atilling> two, use a tool like ldp.exe or the apache tool to test that the user and password combo work the way you're passing them
[10:50:52 CDT(-0500)] <foxnesn1> well i know the username and pass work already so that is good
[10:50:52 CDT(-0500)] <atilling> also with only 1 ldap server you don't need <property name="pooled" value="true"/>
[10:50:53 CDT(-0500)] <atilling> <property name="urls">
[10:51:38 CDT(-0500)] <atilling> set pooled=false and use <property name="url" value="ldaps://directory.example.com" />
[10:58:56 CDT(-0500)] <foxnesn1> blah still getting the message about the credentials cannot be determined to be authentic
[10:59:02 CDT(-0500)] <foxnesn1> it has to be some SSL stuff
[10:59:12 CDT(-0500)] <foxnesn1> because using AD explorer i can login on 389 but 636
[10:59:36 CDT(-0500)] <foxnesn1> but even if i setup the deployer for ldap 389 it still says it cant auth
[10:59:38 CDT(-0500)] <serac> Does your CAS server trust the SSL cert on your AD host?
[10:59:52 CDT(-0500)] <foxnesn1> i highly doubt it
[10:59:53 CDT(-0500)] <serac> AD won't allow a bind on 389.
[11:00:09 CDT(-0500)] <foxnesn1> im gonna have to get the server admin to help me out
[11:00:25 CDT(-0500)] <serac> You can easily grab the cert using openssl or another tool.
[11:00:43 CDT(-0500)] <kickehy> holy freaking crap! http://grab.by/b2CW
[11:00:45 CDT(-0500)] <serac> Then you add it to the Java system trust store, $JAVA_HOME/jre/lib/security/cacerts.
[11:01:15 CDT(-0500)] <serac> kickehy: congrats
[11:01:24 CDT(-0500)] <foxnesn1> lol nice
[11:01:44 CDT(-0500)] <kickehy> my issues is i was using the wrong user to bind to ldap
[11:01:59 CDT(-0500)] <foxnesn1> what do you mean wrong user?
[11:02:17 CDT(-0500)] <serac> Some directories require you to bind as an admin/manager before searching for users.
[11:02:21 CDT(-0500)] <serac> e.g. AD
[11:02:29 CDT(-0500)] <kickehy> foxnesn1: i was using a user that didn't have permissions to bind to ldap
[11:02:33 CDT(-0500)] <foxnesn1> oo
[11:02:40 CDT(-0500)] <foxnesn1> yea that would do it
[11:02:47 CDT(-0500)] <kickehy> give me a min and i'll post so stuff
[11:02:58 CDT(-0500)] <serac> foxnesn: See https://wiki.jasig.org/display/CASUM/SSL+Troubleshooting+and+Reference+Guide
[11:06:18 CDT(-0500)] <foxnesn1> doesnt a program like an AD explorer perform a bind on the AD to search users?
[11:06:55 CDT(-0500)] <serac> IIRC, yes.
[11:07:07 CDT(-0500)] <foxnesn> hrm then i can bind to 389 just fine...weird
[11:07:21 CDT(-0500)] <foxnesn> but not 636
[11:07:26 CDT(-0500)] <foxnesn> it says service unavailable
[11:08:00 CDT(-0500)] <foxnesn> but that is because the AD wont accept clients that are trusted
[11:08:03 CDT(-0500)] <foxnesn> are not
[11:08:22 CDT(-0500)] <foxnesn> i need to grab our wildcard cert and import them to this tomcat box
[11:08:24 CDT(-0500)] <atilling> we bind via ldap to ad
[11:08:48 CDT(-0500)] <kickehy> http://pastie.org/2677717 <--deployerconfig
[11:08:55 CDT(-0500)] <atilling> AD allows bind over ldap - doesn't allow password change over ldap
[11:09:36 CDT(-0500)] <foxnesn> right, but the user for CAS shouldnt need to allow password changes
[11:10:04 CDT(-0500)] <atilling> totally different process but we do password changes in CAS
[11:10:49 CDT(-0500)] <atilling> if you login with an expired password or on your first ever login we force you to change your password right inside cas before passing you on
[11:10:56 CDT(-0500)] <foxnesn> hrm, the only thing our CAS needs is to check that the user is in the AD and has the correct pass
[11:11:14 CDT(-0500)] <atilling> so LDAP should be all you need
[11:11:25 CDT(-0500)] <foxnesn> if it is expired it gets passed onto a password self service program
[11:11:25 CDT(-0500)] <serac> In that case you should use the FastBind handler.
[11:11:59 CDT(-0500)] <atilling> unless you are concerned about someone sniffing the password between your CAS server and the ldap server
[11:12:01 CDT(-0500)] <kickehy> http://pastie.org/2677730 <--- cas.properties
[11:12:48 CDT(-0500)] <foxnesn> we would be concerned about that
[11:12:57 CDT(-0500)] <foxnesn> although it is all operating inside our trusted domain
[11:13:33 CDT(-0500)] <foxnesn> atilling: out of curiosity what program do you use to interrupt them to change their password?
[11:13:38 CDT(-0500)] <serac> I'm fairly certain AD will not allow a successful bind over an insecure connection, e.g. 389.
[11:13:43 CDT(-0500)] <kickehy> http://pastie.org/2677741 <--ticketregistry.xml, though at this point you're not using it
[11:14:29 CDT(-0500)] <foxnesn> kickehy: your AD is doing SSL?
[11:16:26 CDT(-0500)] <atilling> it's a combo - I use the password expire logic I posted to the wiki
[11:16:39 CDT(-0500)] <atilling> then the interrupts logic, also in the wiki
[11:17:02 CDT(-0500)] <kickehy> foxnesn: i'm not using ldaps at the moment if that's what you're asking, but i do force ssl when you go to the cas logon page
[11:17:08 CDT(-0500)] <atilling> the interrupt displays a password change form
[11:17:17 CDT(-0500)] <kickehy> foxnesn: that's my next step
[11:17:25 CDT(-0500)] <kickehy> is to get ldaps working
[11:17:30 CDT(-0500)] <atilling> and then our custom java changes the ad password
[11:17:40 CDT(-0500)] <foxnesn> so you can authenticate through ldap without ssl
[11:17:49 CDT(-0500)] <foxnesn> heh
[11:17:55 CDT(-0500)] <kickehy> for testing purposes yes
[11:18:04 CDT(-0500)] <kickehy> i just wanted to make sure it worked
[11:18:15 CDT(-0500)] <kickehy> plus i need to setup ldaps
[11:18:15 CDT(-0500)] <foxnesn> no i get it, but i thought that was not possible
[11:18:16 CDT(-0500)] <kickehy>
[11:18:34 CDT(-0500)] <foxnesn> now that i know it is possible i must be doing something else wrong
[11:18:40 CDT(-0500)] <serac> I, too, thought it was not possible.
[11:18:48 CDT(-0500)] <serac> At least in default configuration.
[11:19:55 CDT(-0500)] <kickehy> http://pastie.org/2677775 <--pom.xml, though you won't need the c3p0 dependency unless you're doing database pooling, which i ended up not doing so it's just in there for fun
[11:20:05 CDT(-0500)] <atilling> it's always been possible - just not best practice
[11:22:13 CDT(-0500)] <serac> Shocking. OpenLDAP ships by default with a config that returns an error 53 on an attempt to bind with plaintext credentials over a non-TLS channel.
[11:22:19 CDT(-0500)] <kickehy> http://pastie.org/2677796 <--that's what i added to the tomcat server.xml file
[11:23:43 CDT(-0500)] <serac> Tomcat connectors have nothing to do with SSL connections made by the JVM, e.g. HTTPSURLConnection and the like.
[11:24:32 CDT(-0500)] <kickehy> http://pastie.org/2677817 <---tomcat web.xml, all I did was add the <security-constraint> section
[11:25:32 CDT(-0500)] <kickehy> bout the only thing i don't have documented is the certificate stuff
[11:25:36 CDT(-0500)] <serac> We're just talking requiring the CAS server to talk over SSL, right?
[11:25:45 CDT(-0500)] <kickehy> yeah
[11:26:15 CDT(-0500)] <serac> The cert stuff for trusting your AD server is altogether different.
[11:26:30 CDT(-0500)] <kickehy> right i'd have to import that into the castore
[11:26:35 CDT(-0500)] <kickehy> if i'm not mistaken
[11:26:36 CDT(-0500)] <serac> Correct.
[11:26:45 CDT(-0500)] <kickehy> just haven't gotten there yet
[11:27:01 CDT(-0500)] <kickehy> i wanted to make sure it worked with just ldap first
[11:27:06 CDT(-0500)] <serac> Just wanted to clarify that it has nothing to do with Tomcat SSL setup – that's a common point of confusion, so it seems you're straight.
[11:27:29 CDT(-0500)] <kickehy> yeah you need two certs, one for tomcat and one for the ldaps search
[11:28:05 CDT(-0500)] <serac> Strictly speaking you need a keypair for tomcat, and just a cert for ldaps.
[11:28:07 CDT(-0500)] <kickehy> and by ldaps serach i mean the AD's cert
[11:28:11 CDT(-0500)] <serac> correct
[11:28:49 CDT(-0500)] <kickehy> we have our own CA here (if you recall me complaining a week ago) and I had to upgrade our CA in order for this to all work
[11:29:02 CDT(-0500)] <kickehy> that was the first crazy step for me
[11:29:03 CDT(-0500)] <serac> Right, right.
[11:29:13 CDT(-0500)] <serac> Sounds like a pretty painful step 0.
[11:29:20 CDT(-0500)] <serac> Nothing really to do with CAS.
[11:29:34 CDT(-0500)] <kickehy> it wasn't too bad once i realized i was an idiot when i set it up initially
[11:29:47 CDT(-0500)] <kickehy> uncheck one option and everything was good after that
[11:55:12 CDT(-0500)] <foxnesn> ok so i went back to the drawing board
[11:55:33 CDT(-0500)] <foxnesn> i can auth one of our clients through CAS using the demo setup in the wiki
[11:55:37 CDT(-0500)] <foxnesn> using the scott/secret combo
[11:55:45 CDT(-0500)] <foxnesn> i need to replace that with ldap
[12:02:30 CDT(-0500)] <kickehy> https://wiki.jasig.org/display/CASUM/End-to-end+Windows+Example <--that's where i started
[12:02:50 CDT(-0500)] <kickehy> and my pastie.org files should help configure it
[12:03:20 CDT(-0500)] <kickehy> really the important thing is installing everything right and then getting your certificates imported correctly
[12:03:39 CDT(-0500)] <kickehy> then those files i posted should make it decently straight forward
[12:04:18 CDT(-0500)] <foxnesn> yea, just a pain because we have the AD on windows and all of our webapps on linux
[12:04:31 CDT(-0500)] <foxnesn> and we have server admins and then application admins
[12:04:51 CDT(-0500)] <foxnesn> so this is actually more of a pain dealing with personnel
[12:05:18 CDT(-0500)] <foxnesn> and you cant step on anyone's toes or into their "area" especially when it comes to security
[12:05:22 CDT(-0500)] <kickehy> ah
[12:05:45 CDT(-0500)] <foxnesn> also, this school generally buys solutions
[12:05:58 CDT(-0500)] <foxnesn> which are easy to setup since they are prepackaged
[12:06:25 CDT(-0500)] <foxnesn> so setting up our own auth tier is a new venture in which nobody has any real experience
[12:06:50 CDT(-0500)] <foxnesn> so im trying to pull in knowledge from different departments and get a handle on how things are authenticated now
[12:07:04 CDT(-0500)] <foxnesn> it took two days just to get approved for a development AD
[12:07:20 CDT(-0500)] <foxnesn> and im working on another big project at the moment as well
[12:07:25 CDT(-0500)] <foxnesn> so im losing hair fast
[12:07:34 CDT(-0500)] <serac> Curious what school, where you are.
[12:12:02 CDT(-0500)] <kickehy> <--- loras.edu
[12:12:17 CDT(-0500)] * kickehy out to lunch
[12:12:25 CDT(-0500)] <serac> Thanks for that.
[12:41:46 CDT(-0500)] <kickehy> http://shib.kuleuven.be/docs/ssl_commands.shtml <--that's pretty useful
[12:56:18 CDT(-0500)] <kickehy> does it matter what alias i give my AD cert?
[13:01:05 CDT(-0500)] <atilling> Shouldn't
[13:03:30 CDT(-0500)] <kickehy> just to double-check, is the formate for ldaps.... ldaps://server.domain.edu:636
[13:03:34 CDT(-0500)] <kickehy> format*
[13:03:52 CDT(-0500)] <atilling> correct
[13:03:57 CDT(-0500)] <kickehy> thank you
[13:08:45 CDT(-0500)] <kickehy> hmmm i wonder if i have to reboot my domain controller after installing that cert
[13:12:50 CDT(-0500)] <kickehy> "unable to find valid certification path to requested target" <--yay for certs
[13:31:16 CDT(-0500)] <kickehy> i guess i should reopen my certificate rant
[13:40:18 CDT(-0500)] <kickehy> keytool -import -keystore KEYSTORE.jks -storepass "secret" -file MYCERT.crt <--that should work right?
[13:40:39 CDT(-0500)] <kickehy> and it has to be DER encoded
[13:42:24 CDT(-0500)] <atilling> unless you're forcing your tomcat to use that truststore you are better off importing to cacerts
[13:44:14 CDT(-0500)] <kickehy> http://pastie.org/2677796 <---i created that cascerts.jks file, then i created the keypair, imported my CA's cert using -trustcacerts, imported the exported domain controller cert into that same file using the above command
[13:45:05 CDT(-0500)] <kickehy> now, do i have to change something else in cas to use that same keystore?
[13:45:24 CDT(-0500)] <atilling> you misunderstood, your JRE that you are running tomcat and CAS out of has a truststore built in
[13:45:34 CDT(-0500)] <atilling> the password by default is changeit
[13:46:12 CDT(-0500)] <kickehy> so i have to use that one instead of the one i created in the tomcat_home folder?
[13:46:25 CDT(-0500)] <atilling> unless you are maintaining a separate truststore and modifying the tomcat config to point to it you're better off adding to the JRE one
[13:47:02 CDT(-0500)] <atilling> I've done it both ways, trust me, adding the cert to the default truststore is much easier
[13:48:24 CDT(-0500)] <kickehy> so then in my server.xml i have to point that to "%JAVA_HOME%\jre\lib\security\cacerts"
[13:48:53 CDT(-0500)] <atilling> if you use the default you don't need to change server.xml
[13:51:10 CDT(-0500)] <kickehy> do you have an example of the server.xml file? i didn't backup the original
[13:52:19 CDT(-0500)] <atilling> Not handy, sorry
[13:52:34 CDT(-0500)] <atilling> you have the orig tar you downloaded?
[13:52:51 CDT(-0500)] <kickehy> i suppose that would work, i could just redownload it
[13:56:46 CDT(-0500)] <kickehy> http://pastie.org/2678577 <---so the only thing i added initially was the 'connector port=8443' section
[13:57:03 CDT(-0500)] <atilling> ok
[13:58:32 CDT(-0500)] <kickehy> i guess i'm not understanding how tomcat would know to use the cacerts store in the java_home folder
[13:58:54 CDT(-0500)] <kickehy> or because it uses java, it just does by default?
[13:59:11 CDT(-0500)] <atilling> exactly
[13:59:24 CDT(-0500)] <atilling> and all the java apps do by default as well
[13:59:28 CDT(-0500)] <kickehy> and cas is the same way
[13:59:40 CDT(-0500)] <kickehy> which would make sense why it's not working
[14:00:10 CDT(-0500)] <atilling> if you don't put it in cacerts then you need to configure each and every java app
[14:00:20 CDT(-0500)] <kickehy> ah
[14:00:51 CDT(-0500)] <kickehy> does it matter that the cacerts file doesn't have an extension, like .jks?
[14:01:31 CDT(-0500)] <atilling> nope
[14:01:41 CDT(-0500)] <kickehy> ok
[14:02:07 CDT(-0500)] <atilling> lots of files don't really need extensions
[14:02:22 CDT(-0500)] <kickehy> one more question, do i have to request a new keypair for that file?
[14:02:23 CDT(-0500)] <atilling> that's a dos convention
[14:02:35 CDT(-0500)] <atilling> nope should be all set
[14:04:01 CDT(-0500)] <kickehy> well then, it should be as easy as importing the trusted CA cert and the AD cert
[14:04:12 CDT(-0500)] <kickehy> and changing my server.xml file
[14:04:39 CDT(-0500)] <atilling> right, not the truststore but the keystore
[14:14:23 CDT(-0500)] <kickehy> i think terminology is throwing me off here
[14:15:40 CDT(-0500)] <kickehy> ooooo are you saying import the trusted CA cert without using the -trustcacerts tag?
[14:18:00 CDT(-0500)] <atilling> ok which piece are you on - having CAS trust the LDAPS cert or have the CAS login page secure?
[14:18:09 CDT(-0500)] <atilling> two different processes
[14:18:19 CDT(-0500)] <kickehy> both
[14:18:45 CDT(-0500)] <kickehy> i have to "redo" the certs for both since i'll be switching to the cacerts file
[14:19:01 CDT(-0500)] <kickehy> i currently don't have any certificates in it
[14:21:28 CDT(-0500)] <atilling> I would strongly recommend not doing both at once
[14:21:40 CDT(-0500)] <atilling> pick one make sure it works then the other
[14:21:54 CDT(-0500)] <kickehy> let's start with the login page then
[14:22:06 CDT(-0500)] <kickehy> considering you have to get to that first
[14:22:09 CDT(-0500)] <atilling> ok using tomcat?
[14:22:13 CDT(-0500)] <kickehy> yep
[14:22:28 CDT(-0500)] <atilling> is tomcat using 8443 or 443?
[14:23:48 CDT(-0500)] <atilling> Connector executor="tomcatThreadPool" port="??"
[14:23:50 CDT(-0500)] <kickehy> 8443, i didn't even want to try and switch to 443
[14:24:00 CDT(-0500)] <atilling> ok best not to
[14:24:47 CDT(-0500)] <atilling> to run on port 443 tomcat would have to run as root and a bad java app could cause you all sorts of trouble
[14:25:25 CDT(-0500)] <atilling> ok so how are you connecting 443 to 8443 ? iptables? NAT? apache connectors? load balancer?
[14:26:08 CDT(-0500)] <kickehy> i suppose i'm not then
[14:26:48 CDT(-0500)] <kickehy> i just go to https://server.domain.edu:8443
[14:27:01 CDT(-0500)] <atilling> ahh
[14:27:38 CDT(-0500)] <atilling> ok, most likely we want to wire 443 to 8443 so that your users don't have to put 8443 in their browser
[14:28:07 CDT(-0500)] <atilling> so what platform are you running tomcat on? Winblows?
[14:28:12 CDT(-0500)] <kickehy> yep
[14:28:34 CDT(-0500)] <atilling> Ok does the server also run IIS or apache?
[14:28:42 CDT(-0500)] <kickehy> nope
[14:28:47 CDT(-0500)] <kickehy> heh
[14:29:03 CDT(-0500)] <kickehy> be right back
[14:30:00 CDT(-0500)] <atilling> is there a firewall or loadbalancer between the server and your end-users?
[14:33:39 CDT(-0500)] <kickehy> well
[14:34:05 CDT(-0500)] <kickehy> i would suppose so if it was in the DMZ
[14:34:54 CDT(-0500)] <atilling> ok, let's disregard that option then - with windows, ports are handled differently than with linux
[14:35:21 CDT(-0500)] <atilling> so on windows you do want to set your server.xml to use port 443 and port 80
[14:36:27 CDT(-0500)] <atilling> so next step - you have your ssl cert for the server?
[14:36:45 CDT(-0500)] <foxnesn1> hrm, i never created the spring-configuration dir in WEB-INF
[14:37:02 CDT(-0500)] <kickehy> atilling: yes i do
[14:37:17 CDT(-0500)] <atilling> minimal install you won't need spring-config dir
[14:37:28 CDT(-0500)] <kickehy> atilling: and you're saying take the '8' off of the '8443' in each connector?
[14:37:38 CDT(-0500)] <atilling> correct
[14:38:15 CDT(-0500)] <atilling> but you're slightlly ahead of yourself
[14:38:49 CDT(-0500)] <atilling> on the server you need to import the server's ssl cert into a new keystore file
[14:39:14 CDT(-0500)] <kickehy> like the other .jks file i already have?
[14:39:29 CDT(-0500)] <foxnesn1> wait a minute, do i want to edit the deployer in src/main/webapps/WEB-INF or in target/local-as/WEB-INF ??
[14:39:34 CDT(-0500)] <atilling> keystore -> outgoing connections truststore -> incoming connections
[14:39:46 CDT(-0500)] <atilling> src/main/webapps/WEB-INF
[14:40:06 CDT(-0500)] <atilling> your changes will go into target every time you compile
[14:40:38 CDT(-0500)] <kickehy> ohhhh i always was wondering what the deal was with the src folder
[14:40:50 CDT(-0500)] <kickehy> i just compiled and recopied the files over
[14:41:03 CDT(-0500)] <kickehy> rather than creating a src folder
[14:41:33 CDT(-0500)] <atilling> src/main/webapps/WEB-INF is where YOUR deployerconfig.xml should live
[14:42:17 CDT(-0500)] <atilling> and your pom.xml should be in the parent directory of src
[14:43:19 CDT(-0500)] <atilling> ok so use keytool to import the CA cert
[14:43:53 CDT(-0500)] <atilling> you should have a .jks file - maybe named keystore.jks that contains just your CA and its chain
[14:44:53 CDT(-0500)] <kickehy> ok give me a second...or two
[14:45:09 CDT(-0500)] <atilling> the point of the maven overlay - all your customizations go in src/main/webapps/WEB-INF and when you mvn package it pulls all the files from cas-server-webapp that AREN'T in your src/main/webapps/WEB-INF
[14:46:49 CDT(-0500)] <atilling> during the mvn package step it puts everything, your files, cas files etc into the /target folder and then munges it all together and creates the war
[14:47:34 CDT(-0500)] <atilling> if you do mvn clean it will delete everything in /target/
[14:50:23 CDT(-0500)] <kickehy> atilling: ok, i created a blank keystore and import the cert using keytool -import -keystore KEYSTORE.jks -storepass "secret" -file MYCERT.crt
[14:50:42 CDT(-0500)] <kickehy> imported*
[14:51:10 CDT(-0500)] <atilling> did you specify an alias?
[14:51:23 CDT(-0500)] <kickehy> crap no...one sec
[14:52:23 CDT(-0500)] <kickehy> there we go
[14:52:35 CDT(-0500)] <atilling> if you use the alias tomcat you don't need to specify it in the server.xml - if you use something else you do
[14:53:20 CDT(-0500)] <atilling> ok you have the keystore, and it's saved in some path the tomcat server can read?
[14:53:34 CDT(-0500)] <atilling> next you modify server.xml
[14:53:41 CDT(-0500)] <kickehy> and we are talking about my certificate authority's cert right?
[14:54:25 CDT(-0500)] <atilling> in keystore you need to import the authority's CA and the server's cert
[14:54:39 CDT(-0500)] <atilling> the cas.myschool.edu cert
[14:54:44 CDT(-0500)] <kickehy> heh ok
[14:55:18 CDT(-0500)] <kickehy> the authority's CA cert should be imported using -trustcacerts right?
[14:55:23 CDT(-0500)] <atilling> the server specific cert is helpful to alias as tomcat but you don't need to
[14:55:26 CDT(-0500)] <kickehy> sorry i'm making this complicated
[14:55:31 CDT(-0500)] <atilling> yes
[14:55:36 CDT(-0500)] <kickehy> lol
[14:55:38 CDT(-0500)] <kickehy> ok
[14:55:48 CDT(-0500)] <kickehy> give me a min then
[15:01:28 CDT(-0500)] <kickehy> or two, i screwed up my server's cert
[15:01:33 CDT(-0500)] <kickehy> i messed up the FQDN
[15:01:50 CDT(-0500)] <atilling> yeah, that could be an issue
[15:03:24 CDT(-0500)] <atilling> if you go to: https://github.com/atilling/cas/tree/conncoll
[15:03:53 CDT(-0500)] <atilling> you'll see our entire cas build
[15:03:53 CDT(-0500)] <foxnesn1> knowing about certs is a pain in the balls
[15:03:53 CDT(-0500)] <atilling> https://github.com/atilling/cas/tree/conncoll/cas-server-cc contains our customizations etc
[15:04:01 CDT(-0500)] <foxnesn1> fastbind is a handler right, not a manager?
[15:04:25 CDT(-0500)] <atilling> I've been doing admin, development and consulting for 20 years - I know a little about almost everything
[15:04:51 CDT(-0500)] <atilling> correct
[15:05:01 CDT(-0500)] <foxnesn1> im going to try that instead
[15:05:09 CDT(-0500)] <atilling> fastbind would replace bindldap
[15:05:37 CDT(-0500)] <foxnesn1> all we want cas to do is check the user/login against the AD and then if authenticated sign them into everything
[15:05:55 CDT(-0500)] <foxnesn1> and we can use sAMAccountName directly
[15:06:14 CDT(-0500)] <atilling> then fastbind would be a good choice
[15:06:27 CDT(-0500)] <foxnesn1> would it work in a HA environment tho?
[15:07:31 CDT(-0500)] <atilling> yes
[15:07:36 CDT(-0500)] <foxnesn1> ahh good
[15:07:59 CDT(-0500)] <atilling> but you need to have some form of distributed ticket registry
[15:08:00 CDT(-0500)] <foxnesn1> for the filter in fastbind would it be sAMAccountName=u% ?
[15:08:11 CDT(-0500)] <atilling> I believe so
[15:08:39 CDT(-0500)] <foxnesn1> how does a distro ticket reg work?
[15:08:52 CDT(-0500)] <atilling> easiest to do is JPA
[15:08:56 CDT(-0500)] <kickehy> atilling: ok i think i'm good
[15:09:14 CDT(-0500)] <atilling> you have a database server that all your CAS servers link to
[15:10:22 CDT(-0500)] <atilling> if you auth on server1 your ST is stored in the DB so if app1 validates the ST with server2 the ticket is still valid
[15:10:56 CDT(-0500)] <atilling> ok so you have a keystore.jks with your CA and your server cert?
[15:11:15 CDT(-0500)] <kickehy> yes!
[15:11:21 CDT(-0500)] <atilling> You know the password of the keystore and you know the alias of the server cert?
[15:11:24 CDT(-0500)] <kickehy> at least i hope
[15:11:36 CDT(-0500)] <kickehy> yep
[15:12:05 CDT(-0500)] <atilling> you know the path to the keystore file and it's somewhere the tomcat server has rights to read from?
[15:13:02 CDT(-0500)] <kickehy> i'll copy it over to the conf folder like i did previously for the other one
[15:13:21 CDT(-0500)] <atilling> Edit your server.xml and look for the entry like <Connector port="443"
[15:13:55 CDT(-0500)] <kickehy> you mean 8443?
[15:13:55 CDT(-0500)] <foxnesn1> bah our AD doesnt support anonymous searches so i dont think i can use fastbind
[15:14:04 CDT(-0500)] <atilling> in that connector you want SSLEnabled="true"
[15:14:20 CDT(-0500)] <atilling> on winblows you want to change the 8443 to 443
[15:14:27 CDT(-0500)] <atilling> but yes that connector
[15:14:32 CDT(-0500)] <kickehy> heh k
[15:15:14 CDT(-0500)] <foxnesn1> Manager credentials are only required if your directory does not support anonymous searches.
[15:15:16 CDT(-0500)] <kickehy> protocol="HTTP/1.1"
[15:15:17 CDT(-0500)] <foxnesn1> Never provide these credentials for FastBindLdapAuthenticationHandler since the user's
[15:15:18 CDT(-0500)] <atilling> keyAlias="<whatever alias you call the server cert in the keystore>"
[15:15:21 CDT(-0500)] <foxnesn1> credentials are used for the bind operation.
[15:15:57 CDT(-0500)] <atilling> Fastbind doesn't do a search at all
[15:16:14 CDT(-0500)] <atilling> it attempts to bind to the ldap as the user logging in
[15:18:00 CDT(-0500)] <atilling> keystoreFile="c:\some winblows path to the keystore\keystore.jks"
[15:18:11 CDT(-0500)] <atilling> keyPass="secret"
[15:18:47 CDT(-0500)] <atilling> once you have those 4 properties in the connector you should be good to go to have an https login screen
[15:19:53 CDT(-0500)] <kickehy> do i need to change the protocol?
[15:20:18 CDT(-0500)] <atilling> should be sslProtocol="TLS"
[15:20:33 CDT(-0500)] <kickehy> protocol="org.apache.coyote.http11.Http11Protocol"
[15:20:38 CDT(-0500)] <kickehy> that's what i have
[15:20:48 CDT(-0500)] <atilling> that's fine
[15:20:50 CDT(-0500)] <kickehy> ok
[15:21:07 CDT(-0500)] <kickehy> give me a second and i'll try it
[15:21:16 CDT(-0500)] <atilling> should have scheme="https"
[15:29:23 CDT(-0500)] <foxnesn1> heh getting 404
[15:31:47 CDT(-0500)] <foxnesn1> kickehy: can you post your deployer again?
[15:32:09 CDT(-0500)] <kickehy> http://pastie.org/2677717
[15:32:23 CDT(-0500)] <atilling> the 404 what does it say at the bottom?
[15:32:46 CDT(-0500)] <foxnesn1> requested resource is not available
[15:32:55 CDT(-0500)] <atilling> is it being returned by tomcat or apache?
[15:32:59 CDT(-0500)] <kickehy> atilling: it's saying it can't find an alias entry for tomcat, but if i list my certs in the keystore, it's there
[15:33:05 CDT(-0500)] <foxnesn1> tomcat
[15:33:34 CDT(-0500)] <atilling> and in webapps you have a deployed CAS folder?
[15:33:39 CDT(-0500)] <foxnesn1> yup
[15:34:03 CDT(-0500)] <atilling> did you leave manager in the webapps?
[15:34:33 CDT(-0500)] <foxnesn1> i deleted the cas dir and the cas.war before i copied the new cas.war over to webapps
[15:34:47 CDT(-0500)] <atilling> and it deployed to a cas dir?
[15:35:05 CDT(-0500)] <kickehy> atilling: oooo i bet it's because i didn't import the private key
[15:36:06 CDT(-0500)] <foxnesn1> ive never deleted anything but the cas.war and the cas dir
[15:36:32 CDT(-0500)] <foxnesn1> so ive always just been deleting those and bringing over the new cas.war and redeploying
[15:37:06 CDT(-0500)] <atilling> ok normally tomcat comes with a /manager/ app in the webapps folder - do you have that?
[15:37:25 CDT(-0500)] <foxnesn1> yup
[15:38:12 CDT(-0500)] <atilling> ok try accessing http://cas.myedu.edu/manager/
[15:38:31 CDT(-0500)] <atilling> it should prompt you for password
[15:39:13 CDT(-0500)] <atilling> kickehy: what version of tomcat are you running?
[15:39:15 CDT(-0500)] <foxnesn1> it asks for a pw
[15:39:36 CDT(-0500)] <kickehy> 6
[15:39:45 CDT(-0500)] <atilling> ok did you configure one in tomcat-users.xml?
[15:39:55 CDT(-0500)] <foxnesn1> no
[15:40:50 CDT(-0500)] <foxnesn1> doing that now
[15:42:31 CDT(-0500)] <atilling> kickehy: check the apache documents here: http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
[15:43:36 CDT(-0500)] <foxnesn1> status 403
[15:43:50 CDT(-0500)] <foxnesn1> access to requested resource has been denied
[15:44:15 CDT(-0500)] <atilling> after you update tomcat-users you need to restart tomcat
[15:44:16 CDT(-0500)] <foxnesn1> lol this is like a comedy of errors
[15:44:22 CDT(-0500)] <foxnesn1> i restarted
[15:44:48 CDT(-0500)] <atilling> odd - well at least we know your tomcat server is doing something
[15:44:59 CDT(-0500)] <atilling> try /cas/login/ now
[15:45:58 CDT(-0500)] <atilling> still 404?
[15:46:33 CDT(-0500)] <foxnesn1> yea
[15:46:51 CDT(-0500)] <foxnesn1> ill just redo it
[15:46:58 CDT(-0500)] <foxnesn1> i only have 15 minutes anyway
[15:49:22 CDT(-0500)] <atilling> foxnesn1: the next step would be to look at your catalina.out and see if you threw any errors on startup
[15:52:07 CDT(-0500)] <foxnesn1> had to go back to generic
[15:52:19 CDT(-0500)] <foxnesn1> it works without me adding or changing anything in the deployer
[15:52:35 CDT(-0500)] <foxnesn1> so like before the generic setup works just fine and i can auth my cas clients against it
[15:52:45 CDT(-0500)] <foxnesn1> for generic purposes of course
[15:52:59 CDT(-0500)] <foxnesn1> but as soon as i tell it to use the AD it wont auth
[15:53:21 CDT(-0500)] <atilling> well won't auth and 404 are two different problems
[15:53:23 CDT(-0500)] <foxnesn1> but the user/pass im setup with will let me browse the AD using an ldap reader
[15:53:33 CDT(-0500)] <foxnesn1> i know
[15:53:44 CDT(-0500)] <foxnesn1> i think it 404'd because of something in the war file
[15:54:19 CDT(-0500)] <foxnesn1> tomorrow i will talk with someone at work who has setup tomcat to auth against our truststore
[15:54:41 CDT(-0500)] <foxnesn1> im sure that there is some little security measure built into everything that must be addressed first
[15:54:45 CDT(-0500)] <atilling> right, and if your deployerconfig is the only thing in your src/main then it would have been something in that
[15:55:30 CDT(-0500)] <foxnesn1> is fastbind a security issue or something?
[15:56:14 CDT(-0500)] <atilling> fastBind attempts to bind as the user logging in - if all you need is a yes/no login check it's fine
[15:56:35 CDT(-0500)] <foxnesn1> why would i need something more?
[15:56:42 CDT(-0500)] <foxnesn1> or, why would someone else need more
[15:57:13 CDT(-0500)] <atilling> first typical reason attributes - like you need to return the user
[15:57:31 CDT(-0500)] <atilling> 's email address to the casified app
[15:59:35 CDT(-0500)] <atilling> real world example for us we use google for email, but we have students, alumni and staff all on three different sub domains
[16:00:11 CDT(-0500)] <atilling> we use the attribute repository to pass the user's email address to google when the user authenticates via CAS
[16:00:32 CDT(-0500)] <foxnesn1> ahh
[16:01:02 CDT(-0500)] <atilling> other uses too including the banner integration stuff
[16:01:57 CDT(-0500)] <atilling> but fastBind is fine for the login good true/false check
[16:02:33 CDT(-0500)] <atilling> well five o'clock here - calling it a day - might be on tomorrow
[16:05:24 CDT(-0500)] <kickehy> w00t i finally got that cert going
[20:31:37 CDT(-0500)] <foxnesn> kickehy: i am jealous