By: Tomas Larsson user 10 Jun 2021 at 8:19 a.m. CDT

12 Responses

Hi all We have recently made a new installation of Gluu version 4.2.3 for test purpose. We included Shibboleth and Casa 4.2 (and oxd). We have replicated all config necessary from our production environment. Such as attributes, cache refresh and authentication settings. Everything works as expected so far, including MFA via SuperGluu/OTP Problem #1 Our goal is to use Casa and be able to set MFA on a personal basis. When we try this we run into the following trouble. When we access https://our_server/casa and tries to login it will always fail (Fail to authenticate). However, if we first login to gluus GUI (/identity) and then go to https://our_server/casa we are logged in (SSO). So, what is wrong? /opt/opendj/logs/access [10/Jun/2021:12:48:56 +0000] SEARCH REQ conn=545 op=242 msgID=243 base="ou=people,o=gluu" scope=sub filter="(&(&(objectClass=gluuPerson))(samAccountName=tlh))" attrs="ALL" [10/Jun/2021:12:48:56 +0000] SEARCH RES conn=545 op=242 msgID=243 result=0 nentries=0 unindexed etime=819 In this case it is quite obvious that this will fail. Identities in Gluu:s local LDAP is based on uid. Not samAccountName. How to change this? Problem #2 Logged in to casa through SSO. Trying to manage 2FA credentials / Super Gluu Devices / Add a Super Gluu device. Pressing the button 'Ready' presents the QR-Code. Then scanning the QR-Code gives the error message 'Failed to get Fido U2F metadata' and nothing else happends. So far we have observed that when we press the 'Ready' button we do get a strange error message in LDAP log. [10/Jun/2021:12:30:28 +0000] MODIFY RES conn=533 op=18 msgID=19 result=65 message="Entry inum=0000!8C4F.3CFC,ou=people,o=gluu cannot be modified because the resulting entry would have violated the server schema: Entry inum=0000!8C4F.3CFC,ou=people,o=gluu violates the Directory Server schema configuration because it includes attribute eduPersonAffiliation which is not allowed by any of the objectclasses defined in that entry" etime=0 Why would Casa try to tamper with 'eduPersonAffiliation' at all? We have of course checked that we dont have a broken schema for eduPerson. We have also checked that we can modify 'eduPersonAffiliation' through Gluu user administration or with a LDAP Browser. No problem. Also, cache refresh have imported 54 000 entries without complaining. Another reflection is that if we delete 'eduPersonAffiliation' and press the 'Ready' button we get the same error but now it complains about another attribute. For example eduPersonEntitlement and so on. Any ideas on this problem??? This message is also reflected in casa.log /opt/gluu/jetty/casa/logs/casa.log: 10-06 12:30:28.911 ERROR [qtp2051853139-20] gluu.casa.core.PersistenceService PersistenceService.java:166- Failed to update entry: inum=0000!8C4F.3CFC,ou=people,o=gluu org.gluu.persist.exception.EntryPersistenceException: Failed to update entry: inum=0000!8C4F.3CFC,ou=people,o=gluu at org.gluu.persist.ldap.impl.LdapEntryManager.merge(LdapEntryManager.java:293) ~[oxcore-persistence-ldap-4.2.3.Final.jar:?] at org.gluu.persist.impl.BaseEntryManager.merge(BaseEntryManager.java:248) ~[oxcore-persistence-core-4.2.3.Final.jar:?] at org.gluu.persist.ldap.impl.LdapEntryManager.merge(LdapEntryManager.java:120) ~[oxcore-persistence-ldap-4.2.3.Final.jar:?] at org.gluu.casa.core.PersistenceService.modify(PersistenceService.java:163) ~[classes/:?] at org.gluu.casa.core.PersistenceService$Proxy$_$$_WeldClientProxy.modify(Unknown Source) ~[classes/:?] at org.gluu.casa.core.UserService.generateRandEnrollmentCode(UserService.java:251) ~[classes/:?] at org.gluu.casa.core.UserService$Proxy$_$$_WeldClientProxy.generateRandEnrollmentCode(Unknown Source) ~[classes/:?] at org.gluu.casa.ui.vm.user.SuperGluuViewModel.showQR(SuperGluuViewModel.java:88) ~[classes/:?] at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?] at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?] at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?] at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?] at org.zkoss.bind.impl.ParamCall.call(ParamCall.java:172) ~[zkbind-9.5.0.2.jar:9.5.0.2] at org.zkoss.bind.impl.BinderImpl.handleNotifyChange(BinderImpl.java:1911) ~[zkbind-9.5.0.2.jar:9.5.0.2] at org.zkoss.bind.impl.BinderImpl.doExecute(BinderImpl.java:2080) ~[zkbind-9.5.0.2.jar:9.5.0.2] at org.zkoss.bind.impl.BinderImpl.doCommand(BinderImpl.java:1806) ~[zkbind-9.5.0.2.jar:9.5.0.2] at org.zkoss.bind.impl.BinderImpl.access$1300(BinderImpl.java:137) ~[zkbind-9.5.0.2.jar:9.5.0.2] at org.zkoss.bind.impl.BinderImpl$CommandEventListener.onEvent0(BinderImpl.java:1647) ~[zkbind-9.5.0.2.jar:9.5.0.2] at org.zkoss.bind.impl.BinderImpl$CommandEventListener.onEvent(BinderImpl.java:1600) ~[zkbind-9.5.0.2.jar:9.5.0.2] at org.zkoss.zk.ui.AbstractComponent.onEvent(AbstractComponent.java:3184) ~[zk-9.5.0.2.jar:9.5.0.2] at org.zkoss.zk.ui.AbstractComponent.service(AbstractComponent.java:3154) ~[zk-9.5.0.2.jar:9.5.0.2] at org.zkoss.zk.ui.AbstractComponent.service(AbstractComponent.java:3096) ~[zk-9.5.0.2.jar:9.5.0.2] at org.zkoss.zk.ui.impl.EventProcessor.process(EventProcessor.java:138) ~[zk-9.5.0.2.jar:9.5.0.2] at org.zkoss.zk.ui.impl.UiEngineImpl.processEvent(UiEngineImpl.java:1890) ~[zk-9.5.0.2.jar:9.5.0.2] at org.zkoss.zk.ui.impl.UiEngineImpl.process(UiEngineImpl.java:1662) ~[zk-9.5.0.2.jar:9.5.0.2] at org.zkoss.zk.ui.impl.UiEngineImpl.execUpdate(UiEngineImpl.java:1329) ~[zk-9.5.0.2.jar:9.5.0.2] at org.zkoss.zk.au.http.DHtmlUpdateServlet.process(DHtmlUpdateServlet.java:570) ~[zk-9.5.0.2.jar:9.5.0.2] at org.zkoss.zk.au.http.DHtmlUpdateServlet.doGet(DHtmlUpdateServlet.java:450) ~[zk-9.5.0.2.jar:9.5.0.2] at org.zkoss.zk.au.http.DHtmlUpdateServlet.doPost(DHtmlUpdateServlet.java:458) ~[zk-9.5.0.2.jar:9.5.0.2] at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) ~[servlet-api-3.1.jar:3.1.0] at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) ~[servlet-api-3.1.jar:3.1.0] at org.eclipse.jetty.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1443) ~[jetty-servlet-9.4.35.v20201120.jar:9.4.35.v20201120] at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:791) ~[jetty-servlet-9.4.35.v20201120.jar:9.4.35.v20201120] at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1626) ~[jetty-servlet-9.4.35.v20201120.jar:9.4.35.v20201120] at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548) ~[jetty-servlet-9.4.35.v20201120.jar:9.4.35.v20201120] at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120] at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602) ~[jetty-security-9.4.35.v20201120.jar:9.4.35.v20201120] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120] at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120] at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120] at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120] at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1435) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120] at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120] at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501) ~[jetty-servlet-9.4.35.v20201120.jar:9.4.35.v20201120] at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120] at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120] at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1350) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120] at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120] at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:234) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120] at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120] at org.eclipse.jetty.server.Server.handle(Server.java:516) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120] at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388) ~[jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120] at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633) [jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120] at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380) [jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120] at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:273) [jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120] at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) [jetty-io-9.4.35.v20201120.jar:9.4.35.v20201120] at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105) [jetty-io-9.4.35.v20201120.jar:9.4.35.v20201120] at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104) [jetty-io-9.4.35.v20201120.jar:9.4.35.v20201120] at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:773) [jetty-util-9.4.35.v20201120.jar:9.4.35.v20201120] at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:905) [jetty-util-9.4.35.v20201120.jar:9.4.35.v20201120] at java.lang.Thread.run(Thread.java:834) [?:?] Caused by: com.unboundid.ldap.sdk.LDAPException: Entry inum=0000!8C4F.3CFC,ou=people,o=gluu cannot be modified because the resulting entry would have violated the server schema: Entry inum=0000!8C4F.3CFC,ou=people,o=gluu violates the Directory Server schema configuration because it includes attribute eduPersonAffiliation which is not allowed by any of the objectclasses defined in that entry at com.unboundid.ldap.sdk.LDAPConnection.modify(LDAPConnection.java:2898) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14] at com.unboundid.ldap.sdk.AbstractConnectionPool.modify(AbstractConnectionPool.java:1324) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14] at org.gluu.persist.ldap.operation.impl.LdapOperationServiceImpl.modifyEntry(LdapOperationServiceImpl.java:816) ~[oxcore-persistence-ldap-4.2.3.Final.jar:?] at org.gluu.persist.ldap.operation.impl.LdapOperationServiceImpl.updateEntryImpl(LdapOperationServiceImpl.java:802) ~[oxcore-persistence-ldap-4.2.3.Final.jar:?] at org.gluu.persist.ldap.operation.impl.LdapOperationServiceImpl.updateEntry(LdapOperationServiceImpl.java:788) ~[oxcore-persistence-ldap-4.2.3.Final.jar:?] at org.gluu.persist.ldap.impl.LdapEntryManager.merge(LdapEntryManager.java:287) ~[oxcore-persistence-ldap-4.2.3.Final.jar:?] ... 61 more

Gluu 4.2.3 Ubuntu 20.04 Gluu Casa 4.1 Ubuntu 20.04

closed

By Mobarak Hosen Shakil staff 14 Jun 2021 at 10:23 a.m. CDT

Copy

Hi Tomas Larsson, I will try to replicate the issue. Can you please share your cache configuration?

By Tomas Larsson user 15 Jun 2021 at 8:17 a.m. CDT

Copy

Hi Mobarak You can find 4 pictures from our cache refresh config at the provided link. Click on the picture to enlarge. I also provide you with a PDF that explains our setup. We do learn all accounts from our central LDAP (OruCat) witch by the way also is an OpenDJ server. Authentication on the other hand is configured with a windows AD (OruNet) for employees and a windows AD (EduNet) for students. And also a small part of accounts (Special) authenticate back to the central LDAP (OruCat). Finally we also have 4 local accounts in Gluu internal LDAP that all belongs to the 'Gluu Manager Group'. Please download 77-custom... if you want to see the correct output. Regards /Tomas

Video or screenshot link

By Mobarak Hosen Shakil staff 15 Jun 2021 at 9:19 a.m. CDT

Copy

Thanks, I will check them.

By Mobarak Hosen Shakil staff 21 Jun 2021 at 3:49 p.m. CDT

Copy

is it local server? > Pressing the button 'Ready' presents the QR-Code. Then scanning the QR-Code gives the error message 'Failed to get Fido U2F metadata' and nothing else happends. super gluu needs a FQDN apache certified pbulic server. Thanks & Regards ~ Shakil

By Tomas Larsson user 24 Jun 2021 at 7:32 a.m. CDT

Copy

Hi! First of all. All components are installed at one occation and runs in one hardware, so I guess the server is local. If that was your question? And of course the server has a public IP and a FQDN. Regards /Tomas

By Mobarak Hosen Shakil staff 24 Jun 2021 at 11:52 a.m. CDT

Copy

I mean you need an internet accessable (non-internal, localhost) gluu server with dns pointing at the public IP. I have tested super gluu with casa. It's working fine. Thanks & Regards ~ Shakil

By Tomas Larsson user 28 Jun 2021 at 3:30 a.m. CDT

Copy

OK. Good for you. But what do you think we should do about problem #1 and #2 in my original post? Regards /Tomas

By Tomas Larsson user 02 Jul 2021 at 5:52 a.m. CDT

Copy

Hi Mobarak Update. We found out that if we removed all attributes defined by objectClass eduPerson on one of our accounts then we suddenly where able to login to casa. So, what will happen to your installation if you add some attributes from eduPerson to your testaccount. Will you still be able to login to casa? Or will you end up in the same situation that we have? Cheers /Tomas

By Mohib Zico Account Admin 06 Jul 2021 at 1:33 a.m. CDT

Copy

>> So, what will happen to your installation if you add some attributes from eduPerson to your testaccount. Interesting finding, eduPerson is really important for all EDU.. we have to keep CASA running with all eduPerson attributes...

By Tomas Larsson user 06 Jul 2021 at 3:46 a.m. CDT

Copy

I'm not sure that you are confirming that my finding is correct. Have you confirmed it? /Tomas

By Mohib Zico Account Admin 06 Jul 2021 at 4:09 a.m. CDT

Copy

Sorry.. I meant... for any kind of EDU ... eduPerson attributes are important so we will make sure that eduPerson attribute doesn't conflict with CASA. >> Have you confirmed it? Still in QA phase, will update you as soon as we find something. Thanks!

By Mobarak Hosen Shakil staff 13 Jul 2021 at 12:11 p.m. CDT

Copy

FYKI, I tested locally. Activated few attributes from `EduPerson` and `GluuCustomPerson` as well. Created two accounts with those attributes. then logged successfully on CASA using that two accounts. So, I don't think CASA conflict with `EduPerson` attributes. Regards ~ Shakil

You need to Login in order to post an answer

Problem with Casa

By: Tomas Larsson user 10 Jun 2021 at 8:19 a.m. CDT

Answers

By Mobarak Hosen Shakil staff 14 Jun 2021 at 10:23 a.m. CDT

By Tomas Larsson user 15 Jun 2021 at 8:17 a.m. CDT

By Mobarak Hosen Shakil staff 15 Jun 2021 at 9:19 a.m. CDT

By Mobarak Hosen Shakil staff 21 Jun 2021 at 3:49 p.m. CDT

By Tomas Larsson user 24 Jun 2021 at 7:32 a.m. CDT

By Mobarak Hosen Shakil staff 24 Jun 2021 at 11:52 a.m. CDT

By Tomas Larsson user 28 Jun 2021 at 3:30 a.m. CDT

By Tomas Larsson user 02 Jul 2021 at 5:52 a.m. CDT

By Mohib Zico Account Admin 06 Jul 2021 at 1:33 a.m. CDT

By Tomas Larsson user 06 Jul 2021 at 3:46 a.m. CDT

By Mohib Zico Account Admin 06 Jul 2021 at 4:09 a.m. CDT

By Mobarak Hosen Shakil staff 13 Jul 2021 at 12:11 p.m. CDT

Post an answer