
Re: [sympa-users] Oddity with CAS login

List: sympa-users, the mailing list for listmasters using Sympa

  • From: Olivier Salaün <address@concealed>
  • To: Dallas Wisehaupt <address@concealed>
  • Cc: address@concealed
  • Subject: Re: [sympa-users] Oddity with CAS login
  • Date: Thu, 07 Aug 2008 09:18:43 +0200

Hi Dallas,

Your auth.conf file seems correct, apart from the ldap_bind_dn and ldap_bind_password entries that you should not mention if doing anonymous bind.

The strange thing is that Sympa logs say "CAS ticket validation failed :" but it should include a more detailed explanation after the ':'. If not, it might be a CAS protocol issue.
What version of CAS server do you run? We did not test Sympa with the latest CAS 3.x servers.

You write "The CAS server validates the ticket correctly and passes it back to sympa."
Did you mean "allocate" instead of "validates"?
If not, could you provide the corresponding CAS server log entries?

Dallas Wisehaupt wrote:
We are just moving our test instance into production and in the process
updating from 5.2.3 to 5.4.3. I have sympa up and running but have run
into an issue with validating CAS user sessions on the new 5.4.3
instance. If you have the time, I'd just like some more eyes to verify
my sanity or lack thereof.

Here are the relevant config settings that I see:

auth.conf:

cas
auth_service_name UofS-cas
base_url https://my.scranton.edu/cp/cas
logout_path /logout.jsp
login_path /login
service_validate_path /validate
ldap_host royaldirectory.scranton.edu:389
ldap_bind_dn
ldap_bind_password
ldap_suffix o=uofs.edu
ldap_get_email_by_uid_filter (uid=[uid])
ldap_email_attribute mail
ldap_scope one
ldap_timeout 7

sympa.conf:

capath /etc/httpd/conf/ssl_trusted_keys/
cafile /home/sympa/bin/etc/ca-bundle.crt

In our ssl_trusted_keys area we have the following certs with the x509
hash as symlinks:

eb6beeac.0 -> myscranton.pem
ed524cf5.0 -> entrust_ca.pem

So, what I'm seeing is this in the sympa log file when I hit our login
page:

Aug 6 16:16:44 gepard wwsympa[7496]: [robot gepard.scranton.edu] [client 134.198.30.45] main::do_redirect() do_redirect(https://my.scranton.edu/cp/cas/login?service=http://gepard.scranton.edu/sympa/?checked_cas=0&gateway=1)
Aug 6 16:16:44 gepard wwsympa[7496]: SympaSession::new() SympaSession::new ignoring unknown session cookie
Aug 6 16:16:44 gepard wwsympa[7496]: CAS ticket is detected. in{'ticket'}=ST-2517-9fnq8jeLck0xgkn425ma in{'checked_cas'}=0
Aug 6 16:16:44 gepard wwsympa[7496]: CAS ticket validation failed :
Aug 6 16:16:44 gepard wwsympa[7496]: [robot gepard.scranton.edu] [client 134.198.30.45] main::do_home() do_home

This is repeated if I select the login button that we have set for users
of CAS. The CAS server validates the ticket correctly and passes it back
to sympa.

If I bump the logging up to level 4, I still only see entries like the
following:

Aug 6 16:29:59 gepard wwsympa[7959]: cas authentication service UofS-cas
Aug 6 16:29:59 gepard wwsympa[7959]: Language::gettext() Language::gettext(%d %b %Y at %H:%M:%S)
Aug 6 16:29:59 gepard wwsympa[7959]: Language::gettext() Language::gettext(%H:%M:%S)
Aug 6 16:29:59 gepard wwsympa[7959]: Language::SetLang() Language::SetLang(en_US)
Aug 6 16:29:59 gepard wwsympa[7959]: Language::SetLang() Language::SetLang(us)
Aug 6 16:29:59 gepard wwsympa[7959]: main::get_parameters() PATH_INFO: /
Aug 6 16:29:59 gepard wwsympa[7959]: main::get_parameters() debug level 0
Aug 6 16:29:59 gepard wwsympa[7959]: SympaSession::new() SympaSession::new(gepard.scranton.edu,71878885982906,)
Aug 6 16:29:59 gepard wwsympa[7959]: SympaSession::load() SympaSession::load(71878885982906)
Aug 6 16:29:59 gepard wwsympa[7959]: List::db_get_handler() List::db_get_handler
Aug 6 16:29:59 gepard wwsympa[7959]: cookielib::set_do_not_use_cas() cookielib::set_do_not_use_cas(,0,-10y)
Aug 6 16:29:59 gepard wwsympa[7959]: CAS ticket is detected. in{'ticket'}=ST-2517-9fnq8jeLck0xgkn425ma in{'checked_cas'}=0
Aug 6 16:30:00 gepard wwsympa[7959]: CAS ticket validation failed :
Aug 6 16:30:00 gepard wwsympa[7959]: [robot gepard.scranton.edu] [client 134.198.30.45] main::check_param_in() check_param_in
Aug 6 16:30:00 gepard wwsympa[7959]: Scenario::request_action() List::request_action create_list,md5,gepard.scranton.edu
Aug 6 16:30:00 gepard wwsympa[7959]: Scenario::new()
Aug 6 16:30:00 gepard wwsympa[7959]: Scenario::_parse_scenario() (create_list, public_listmaster, gepard.scranton.edu)
Aug 6 16:30:00 gepard wwsympa[7959]: Scenario::new()
Aug 6 16:30:00 gepard wwsympa[7959]: Scenario::verify() (search('blacklist.txt',[sender]))
Aug 6 16:30:00 gepard wwsympa[7959]: Scenario::search() List::search(blacklist.txt,nobody,gepard.scranton.edu)

The only thing I can imagine is that I am missing a trust or validation
hook somewhere, but I can't find it for anything. Any ideas for what to
check, or if there is some other logging I should be bumping up to see
the error?

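Editor's added example, not code from Sympa or from either participant in this thread: a small CAS service-ticket validation client that shows why the text after "CAS ticket validation failed :" can be empty. The CAS 1.0 endpoint (/validate) answers in plain text, "yes" plus the user name or just "no", so a rejection carries no reason at all; the CAS 2.0 endpoint (/serviceValidate) answers in XML and a rejection carries a failure code and message that a client can log. The trust store is built from cafile/capath settings like the ones in sympa.conf above. The CAS base URL, service URL, ticket value and all four responses are constructed for the example; the HTTP fetcher is injectable so the parsing runs offline.

```python
"""Added example (not Sympa code): validate a CAS service ticket and surface the
reason for a failure, for both the CAS 1.0 and CAS 2.0 response formats."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

CAS_NS = "{http://www.yale.edu/tp/cas}"  # namespace used by CAS 2.0 XML replies


def build_validate_url(base_url, validate_path, service, ticket):
    """Compose the validation URL: <base_url><validate_path>?service=..&ticket=.."""
    query = urllib.parse.urlencode({"service": service, "ticket": ticket})
    return base_url.rstrip("/") + validate_path + "?" + query


def parse_cas1_response(body):
    """CAS 1.0 plain text: line 1 is yes/no, line 2 the user on success."""
    lines = body.splitlines()
    if len(lines) >= 2 and lines[0].strip() == "yes" and lines[1].strip():
        return {"ok": True, "user": lines[1].strip(), "reason": ""}
    # A CAS 1.0 "no" never explains itself, so the reason stays empty.
    return {"ok": False, "user": None, "reason": ""}


def parse_cas2_response(body):
    """CAS 2.0 XML: cas:authenticationSuccess/cas:user or cas:authenticationFailure."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return {"ok": False, "user": None, "reason": f"malformed XML: {exc}"}
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is not None:
        user = (success.findtext(CAS_NS + "user") or "").strip()
        if user:
            return {"ok": True, "user": user, "reason": ""}
        return {"ok": False, "user": None, "reason": "success element without cas:user"}
    failure = root.find(CAS_NS + "authenticationFailure")
    if failure is not None:
        code = failure.get("code", "UNKNOWN")
        message = " ".join((failure.text or "").split())
        return {"ok": False, "user": None, "reason": f"{code}: {message}"}
    return {"ok": False, "user": None, "reason": "unrecognised CAS 2.0 response"}


def parse_cas_response(body):
    """Dispatch on the reply's shape: XML means CAS 2.0, anything else CAS 1.0."""
    if body.lstrip().startswith("<"):
        return parse_cas2_response(body)
    return parse_cas1_response(body)


def tls_context(cafile=None, capath=None):
    """Trust store matching Sympa's cafile/capath idea; a capath directory must
    hold CA certificates named by their OpenSSL subject hash (e.g. eb6beeac.0)."""
    ctx = ssl.create_default_context(cafile=cafile, capath=capath)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def http_fetch(url, ctx, timeout=7):
    """Real fetcher: GET the validation URL over certificate-verified TLS."""
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def validate_ticket(base_url, validate_path, service, ticket, fetch):
    """Validate one service ticket; fetch(url) must return the response body."""
    url = build_validate_url(base_url, validate_path, service, ticket)
    return parse_cas_response(fetch(url))


# Constructed sample responses; none were captured from a real CAS server.
SAMPLES = {
    "cas1_ok": "yes\njdoe\n",
    "cas1_no": "no\n\n",
    "cas2_ok": (
        "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
        "<cas:authenticationSuccess><cas:user>jdoe</cas:user>"
        "</cas:authenticationSuccess></cas:serviceResponse>"
    ),
    "cas2_fail": (
        "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
        "<cas:authenticationFailure code='INVALID_TICKET'>\n"
        "  ticket 'ST-0000-constructed' not recognized\n"
        "</cas:authenticationFailure></cas:serviceResponse>"
    ),
}


def demo():
    """Feed each constructed response through the client; returns name -> result."""
    results = {}
    for name, body in SAMPLES.items():
        def fake_fetch(url, body=body):  # stands in for http_fetch, no network
            return body
        results[name] = validate_ticket("https://cas.example.org/cas", "/validate",
                                        "https://lists.example.org/sympa/",
                                        "ST-0000-constructed", fake_fetch)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: ok={result['ok']} user={result['user']} reason={result['reason']!r}")
```

When the reason field comes back empty the client is talking to a plain-text CAS 1.0 endpoint (or got an empty body), which is exactly the case where the log line ends at the colon; pointing the client at a CAS 2.0 endpoint, or logging the raw response body at debug level, is what turns that into an actionable message. TLS trust failures surface before any parsing, as an exception from http_fetch, so they look different from a ticket rejection.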



Archive powered by MHonArc 2.6.19+.