[07:40:34 CDT(-0500)] <schun> Can anyone help me with enforcing password policies using ldap?
[13:01:08 CDT(-0500)] <apetro> It's that time again. Checking in to the weekly cas-dev IRC timeslot.
[13:04:48 CDT(-0500)] <schun> would anyone be able to assist me in getting the cas-ldap password policy enforcement working on 3.4.8?
[13:05:32 CDT(-0500)] <apetro> schun , loosely, yes.
[13:05:49 CDT(-0500)] <apetro> I'd be happy to try to look at it with you and answer a few questions if I can
[13:06:00 CDT(-0500)] <apetro> whether that actually results in assistance, you can be the judge (smile)
[13:06:22 CDT(-0500)] <schun> I really appreciate it.
[13:06:23 CDT(-0500)] <apetro> What are you starting from, and what problems are you encountering?
[13:06:48 CDT(-0500)] <schun> I found some code here: https://wiki.jasig.org/display/CASUM/LDAP+Password+Policy+Enforcement
[13:06:57 CDT(-0500)] <apetro> (and our conversation may be pre-empted by a more cas-dev focused conversation if others show up, I hope you'll understand.)
[13:07:07 CDT(-0500)] <schun> no problem.
[13:07:15 CDT(-0500)] <apetro> k
[13:07:52 CDT(-0500)] <schun> I went out to the source repository and found cas-server-support-ldap-pwd-expiration-3.4.7 under sandbox.
[13:07:54 CDT(-0500)] <apetro> yeah. Managing this contribution as wiki attachments is really problematic. I keep intending to get time to draw this into SVN and create the authoritative one development stream to rule them all on password policy.
[13:08:12 CDT(-0500)] <apetro> indeed. Every time someone posts an attachment to the wiki, I pull it into SVN
[13:08:46 CDT(-0500)] <apetro> looks like there's a later contribution, targeting 3.4.8. https://wiki.jasig.org/download/attachments/26149328/cas-server-support-ldap-pwd-expiration-3.4.7-3.4.8pm.patch
[13:10:06 CDT(-0500)] <schun> Right. That's the patch. It doesn't work out of the box so I patched the 3.4.7 code by hand.
[13:10:34 CDT(-0500)] <apetro> k
[13:10:42 CDT(-0500)] <schun> Also, the installation instructions on the page do not work.
[13:10:48 CDT(-0500)] <apetro> whois schun , btw ? (smile)
[13:11:08 CDT(-0500)] <schun> That's me (wink)
[13:11:10 CDT(-0500)] <serac> I'm here to say I can't make it other than to say I can't make it (wink)
[13:11:29 CDT(-0500)] <apetro> serac , you will be missed , but doubtless we can pick up on lists and next time.
[13:11:50 CDT(-0500)] <serac> Sounds good. I'll review the logs this pm for anything interesting.
[13:11:59 CDT(-0500)] <apetro> schun , yeah, the page instructions are problematic, in that if they did work, for which version of the attachment ought they be expected to work?
[13:12:12 CDT(-0500)] <apetro> needs into SVN, with documentation in SVN, versioned right with the code
[13:13:01 CDT(-0500)] <apetro> which rant is philosophically satisfying, but doesn't help you get to working code
[13:13:06 CDT(-0500)] <wgthom> checking in
[13:13:50 CDT(-0500)] <schun> not sure. there is a reference to "../../java/cas-ldap-pwd/README" directory which I can't track down.
[13:14:26 CDT(-0500)] <schun> The script works if you specify the files to modify.
[13:14:36 CDT(-0500)] <apetro> the patch, you mean?
[13:15:01 CDT(-0500)] <schun> Yes. If I get this working, I update the page.
[13:15:07 CDT(-0500)] <apetro> ok
[13:15:16 CDT(-0500)] <apetro> please do
[13:16:05 CDT(-0500)] <apetro> I think more strategically I still want to pull the latest into trunk of the SVN set up for this project in sandbox and get to a stream of maintenance development on this in SVN
[13:17:48 CDT(-0500)] <schun> I believe cas-server-support-ldap-pwd-expiration-3.4.7 is written as a Maven Overlay so I added the missing pieces, corrected the directory structure and modified the pom.xml accordingly. Is that correct?
[13:18:10 CDT(-0500)] <apetro> it is intended to be a mvn overlay, yes.
[13:18:46 CDT(-0500)] <schun> ok. Then I'll proceed as such and get back to you with my results.
[13:19:36 CDT(-0500)] <apetro> oh, interesting. I guess I should have looked more closely at the 3.4.7 targeting code.
[13:19:49 CDT(-0500)] <apetro> it has in its /src/main/resources things that belong in a .war
[13:19:57 CDT(-0500)] <apetro> but the pom.xml doesn't describe a war overlay
[13:21:02 CDT(-0500)] <apetro> I would nonetheless proceed under the war overlay approach if you're sufficiently comfortable
[13:21:20 CDT(-0500)] <apetro> it necessarily touches the web flow, war overlay feels like the right way to do that
[13:21:46 CDT(-0500)] <apetro> that said, if the war overlay bit is a barrier, by all means do something that works, share it, and let's go from there.
[13:22:24 CDT(-0500)] <schun> sounds like a plan.
[16:23:56 CDT(-0500)] <topher> i've run into a snag getting the jasig-cas client working with .net mvc 2. when i add the [Authorize] token to a method, the redirect url is really mangled: /https:/cas.ucdavis.edu... instead of https://cas.ucdavis.edu/ etc. anybody have the .net client working?
[16:24:39 CDT(-0500)] <wgthom> working fine at Princeton…while I was still there. (smile)
[16:25:09 CDT(-0500)] <topher> wgthom: could you take a quick peek and see if there's something wrong with mine? i've got it on github in a small project
[16:25:33 CDT(-0500)] <wgthom> what's the url
[16:25:51 CDT(-0500)] <topher> https://github.com/cthielen/Portal
[16:26:06 CDT(-0500)] <topher> Web.config is at https://github.com/cthielen/Portal/blob/master/Portal/Web.config . i should mention this is mvc 2, if that matters
[16:26:21 CDT(-0500)] <topher> my university lists their CAS parameters here: https://cas.ucdavis.edu/
[16:27:03 CDT(-0500)] <wgthom> you are using the 1.0 release of the .net cas client?
[16:27:26 CDT(-0500)] <topher> yea, downloaded here: https://wiki.jasig.org/display/CASC/.Net+Cas+Client
[16:30:10 CDT(-0500)] <topher> when i run it, i get "Server Error in '/' Application
[16:30:11 CDT(-0500)] <topher> '/https:/cas.ucdavis.edu/cas/login' is not a valid virtual path."
[16:31:18 CDT(-0500)] <wgthom> This looks odd: serverName="cas.ucdavis.edu"
[16:31:34 CDT(-0500)] <wgthom> what is the hostname of the server running the portal?
[16:31:56 CDT(-0500)] <topher> https://cas.ucdavis.edu/
[16:32:06 CDT(-0500)] <topher> i think the actual portal is https://cas.ucdavis.edu/cas/login
[16:32:13 CDT(-0500)] <wgthom> your portal is running on the same server as cas?
[16:32:24 CDT(-0500)] <wgthom> as the cas server?
[16:32:28 CDT(-0500)] <topher> the Web.config.sample that comes with the .net client has their serverName in short form too
[16:32:53 CDT(-0500)] <topher> ooooh
[16:32:54 CDT(-0500)] <topher> haha
[16:33:06 CDT(-0500)] <topher> serverName is the location of my application, right, not the CAS server?
[16:33:14 CDT(-0500)] <wgthom> exactly
[16:33:48 CDT(-0500)] <topher> well, i'm using a asp.net devel server locally, so i guess that should be localhost?
[16:34:54 CDT(-0500)] <topher> well, i fixed that but it doesn't seem to have any effect on the mangled url problem
[16:35:11 CDT(-0500)] <wgthom> your best bet is to set up IIS locally with a cert (self-signed if necessary) and use your actual hostname
[16:35:46 CDT(-0500)] <topher> it's still trying to go to "/https:/cas.ucdavis...." which looks like the mvc routing engine got a hold of it, which i think implies the module isn't being used correctly because i think the cas stuff hooks in somewhere before the routing engine in the pipeline
[16:36:41 CDT(-0500)] <wgthom> possible…didn't get into much mvc2/cas usages…but I believe Scott H. had it working with mvc3. you might want to take this to the cas-user list.
[16:37:33 CDT(-0500)] <topher> thanks, i couldn't find the info for any mailing lists. do you know where i can sign up?
[16:38:05 CDT(-0500)] <wgthom> http://www.jasig.org/cas/mailing-lists
[16:38:10 CDT(-0500)] <topher> thanks!
[17:52:04 CDT(-0500)] <schun> apertro - I'm stuck on how to define the userDetailsService. Any suggestions?
[17:52:31 CDT(-0500)] <schun> oops! Sorry...apetro.
[17:52:54 CDT(-0500)] <apetro> Howdy
[17:53:16 CDT(-0500)] <apetro> userDetailsService for configuring access to the services registry?
[17:53:59 CDT(-0500)] <schun> I believe so, but I'm not sure how to set that up in the example code for ldap.
[17:54:44 CDT(-0500)] <schun> when I attempt to hit the login page, I get the following error message: Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'userDetailsService' is defined
[17:55:02 CDT(-0500)] <schun> Actually, it's an exception.
[17:55:08 CDT(-0500)] <apetro> interesting
[17:55:16 CDT(-0500)] <apetro> in your deployerConfigContext.xml , you should have something like this:
[17:55:16 CDT(-0500)] <apetro> <sec:user-service id="userDetailsService">
[17:55:16 CDT(-0500)] <apetro> <sec:user name="your_admin_user" password="notused" authorities="ROLE_ADMIN" />
[17:55:16 CDT(-0500)] <apetro> <sec:user name="another_admin_user" password="anythingatallbecausethispasswordoesntdoanything" authorities="ROLE_ADMIN" />
[17:55:16 CDT(-0500)] <apetro> </sec:user-service>
[17:55:35 CDT(-0500)] <apetro> the entire purpose of this
[17:55:41 CDT(-0500)] <schun> yup: <sec:user-service id="userDetailsService">
[17:55:42 CDT(-0500)] <schun> <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" />
[17:55:42 CDT(-0500)] <schun> </sec:user-service>
[17:55:53 CDT(-0500)] <apetro> is to enumerate in an all-too-fancy way which users can log in to the services registry
[17:56:12 CDT(-0500)] <apetro> so, you replaced the @@THIS...@@ with a concrete username?
[17:56:16 CDT(-0500)] <apetro> like, say, schun?
[17:56:30 CDT(-0500)] <schun> does it have to be in the ldap registry?
[17:56:38 CDT(-0500)] <apetro> though I guess that shouldn't matter for the error you're getting
[17:56:41 CDT(-0500)] <apetro> hmm
[17:56:48 CDT(-0500)] <apetro> no, it doesn't have to be a user that actually exists
[17:56:56 CDT(-0500)] <apetro> nothing is going to reach out and see if the user exists
[17:57:13 CDT(-0500)] <apetro> but if that user actually exists and you can log in as it, then you'll be able to access the Services Registry (smile)
[17:57:57 CDT(-0500)] <apetro> does your <beans declaration at the top of deployerConfigContext include this: http://www.springframework.org/schema/security
[17:57:57 CDT(-0500)] <apetro> http://www.springframework.org/schema/security/spring-security-3.0.xsd
[17:58:00 CDT(-0500)] <schun> I believe Spring Security expects a bean named 'userDetailsService'
[17:58:16 CDT(-0500)] <schun> yup
[17:58:30 CDT(-0500)] <apetro> yeah. You'd get another error if you didn't have that anyway, I think.
[17:58:40 CDT(-0500)] <apetro> Spring Security is expecting this bean, yes
[17:58:57 CDT(-0500)] <apetro> it's how it figures out which users are allowed to get through Spring Security and into the Services Registry
[18:00:42 CDT(-0500)] <apetro> well, if it's in your deployerConfigContext.xml , and that file is deployed properly, etc. , then I don't see why there'd be no such bean.
[18:01:59 CDT(-0500)] <apetro> any chance it's just commented out? (smile)
[18:02:11 CDT(-0500)] <schun> Checking now...
[18:05:18 CDT(-0500)] <schun> the only mention of the userDetailsService is in the actual base for the overlay: cas-server-webapp-3.4.8: <sec:user-service id="userDetailsService">
[18:05:19 CDT(-0500)] <schun> <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" />
[18:05:19 CDT(-0500)] <schun> </sec:user-service>
[18:06:05 CDT(-0500)] <apetro> oh, interesting
[18:06:07 CDT(-0500)] <schun> It is referred to in the securityContext.xml: <bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider"
[18:06:08 CDT(-0500)] <schun> p:key="my_password_for_this_auth_provider_only"
[18:06:08 CDT(-0500)] <schun> p:serviceProperties-ref="serviceProperties"
[18:06:08 CDT(-0500)] <schun> p:userDetailsService-ref="userDetailsService">
[18:06:09 CDT(-0500)] <schun> <property name="ticketValidator">
[18:06:09 CDT(-0500)] <schun> <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
[18:06:09 CDT(-0500)] <schun> <constructor-arg index="0" value="${cas.securityContext.ticketValidator.casServerUrlPrefix}" />
[18:06:09 CDT(-0500)] <schun> </bean>
[18:06:10 CDT(-0500)] <schun> </property>
[18:06:10 CDT(-0500)] <schun> </bean>
[18:06:43 CDT(-0500)] <apetro> so, to the extent that the ultimate deployerConfigContext.xml that's in your final resulting .war doesn't have this <sec:user-service ../> declaration
[18:06:47 CDT(-0500)] <apetro> ultimately you haven't declared one
[18:06:50 CDT(-0500)] <apetro> and it won't work. It needs one.
[18:08:11 CDT(-0500)] <schun> right. trying it now.
[18:23:45 CDT(-0500)] <schun> got past that error. now it's : auditTrailManager
[20:14:01 CDT(-0500)] <apetro> schun : what about auditTrailManager?
[20:19:30 CDT(-0500)] <schun> took care of that problem the same way I did userDetailsService. There were a couple more that needed to be explicitly defined in the overlay.
[20:20:16 CDT(-0500)] <schun> I am looking at a spring jsp problem now.
[20:21:08 CDT(-0500)] <schun> sorry, I meant webflow
[20:33:03 CDT(-0500)] <apetro> k
[20:33:10 CDT(-0500)] <apetro> what's wrong with the JSP?
[20:54:21 CDT(-0500)] <schun> the '&' is not recognized in externalContext.requestParameterMap['renew'] neq '' && externalContext.requestParameterMap['renew'] neq null. Do you know what the correct 'and' operator is?
[21:24:22 CDT(-0500)] <schun> are you there?
[21:25:50 CDT(-0500)] <schun> can anyone help me with spring webflow?
[21:55:05 CDT(-0500)] <apetro> Sorry, got late here, wandered off. Feel free to take this up on cas-user@
[23:28:58 CDT(-0500)] <schun> ryt?