Michael,

That really helped. I finally have ldap working. You filled in some gaps
for me. But I did have one remaining problem that I had to resolve. Our
AD certs are self-signed for ldap. The chain cert wasn't trusted by just
loading the public cert. So I had to get the CA and install it into the
Java native keystore. After that, it worked. I think if we had
commercially signed certs, your cert instructions would have worked.
Still getting used to Java.

  Thanks!

Tim



*From:* [email protected] [mailto:[email protected]] *On Behalf Of *michael kromarek
*Sent:* Wednesday, December 13, 2017 4:20 PM
*To:* [email protected]
*Subject:* Re: [cas-user] CAS ldap against AD?



We use SSL as startTLS tends to complain, saying it has already occurred,
so SSL.  You will want the cert from the server you are connecting to,
which you can pull with openssl like so:

echo -n | openssl s_client -connect 192.168.1.225:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.pem

This is what we use for our AD auth and attribute resolution:

#========================================
# LDAP Auth
#========================================
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldaps://your_ad_server.site.org
cas.authn.ldap[0].connectTimeout=3000
cas.authn.ldap[0].useStartTLS=false
cas.authn.ldap[0].trustedCertificates=file:///etc/ssl/certs/cert_name.crt

#pool settings and validation
cas.authn.ldap[0].minPoolSize=3
cas.authn.ldap[0].maxPoolSize=10
cas.authn.ldap[0].validateOnCheckout=false
cas.authn.ldap[0].validatePeriodically=true
cas.authn.ldap[0].validatePeriod=300

# Amount of time in milliseconds to block on pool exhausted condition before giving up.
cas.authn.ldap[0].blockWaitTime=3000

# Attempt to prune connections every N seconds
cas.authn.ldap[0].prunePeriod=300

#max connection idle time, for pool connections
cas.authn.ldap[0].idleTime=600

#search filters and settings
cas.authn.ldap[0].bindDn=<full DN of manager account>
cas.authn.ldap[0].bindCredential=<account password>
cas.authn.ldap[0].baseDn=dc=site,dc=org
cas.authn.ldap[0].userFilter=(sAMAccountName={user})

#construct login as [email protected]
cas.authn.ldap[0].dnFormat=%[email protected]

#principal id and attributes
cas.authn.ldap[0].principalAttributeId=sAMAccountName
cas.authn.ldap[0].principalAttributeList=sAMAccountName,dn,sn,cn,givenname,mail,memberOf,displayName

#========================================
# LDAP Attributes Retrieval
#========================================
#default attributes to release (you don't have to do this, but you can if you want)
cas.authn.attributeRepository.defaultAttributesToRelease=sAMAccountName,dn,sn,cn,givenname,mail,displayName

#attributes
cas.authn.attributeRepository.ldap[0].attributes.sAMAccountName=sAMAccountName
cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
cas.authn.attributeRepository.ldap[0].attributes.givenname=givenname
cas.authn.attributeRepository.ldap[0].attributes.sn=sn
cas.authn.attributeRepository.ldap[0].attributes.mail=mail
cas.authn.attributeRepository.ldap[0].attributes.distinguishedName=dn

#connection and search
cas.authn.attributeRepository.ldap[0].ldapUrl=ldaps://your_ad_server.site.org
cas.authn.attributeRepository.ldap[0].useSsl=true
cas.authn.attributeRepository.ldap[0].useStartTls=false
cas.authn.attributeRepository.ldap[0].baseDn=dc=site,dc=org
cas.authn.attributeRepository.ldap[0].userFilter=(sAMAccountName={user})
cas.authn.attributeRepository.ldap[0].subtreeSearch=true
cas.authn.attributeRepository.ldap[0].bindDn=<account for searching full dn>
cas.authn.attributeRepository.ldap[0].bindCredential=<account password>



On Wed, Dec 13, 2017 at 2:08 PM, Tim Tyler <[email protected]> wrote:

I am a newbie to CAS. I just installed 5.2 using Maven. I successfully
logged in via the test account of casuser. But now I want to get ldap
against active directory working. I successfully installed the
dependencies and that seems ok. My issue is with configuring
cas.properties. I read online that if I use type=AD, I need to use
dnFormat? Is that true? I don't really understand how that entry should
look.



Also, I would like to use SSL or TLS. Not sure if certs are necessary for
at least establishing encryption. Can someone share with me the necessary
settings for getting ldap to auth against AD? I seem to be struggling with
what I particularly need to get ldap to work against AD. And if I need
dnFormat, I could use an example of how that should look.



Below is my config related to ldap.

cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldaps://bcdc3.beloit.edu
cas.authn.ldap[0].connectionStrategy=
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].baseDn=dc=its,dc=beloit,dc=edu
cas.authn.ldap[0].userFilter=cn={sAMAccountName}
cas.authn.ldap[0].bindDn=CN=ldapadmin,CN=Users,DC=its,DC=beloit,DC=edu
cas.authn.ldap[0].bindCredential=xxxxxxxx

#cas.authn.ldap[0].enhanceWithEntryResolver=false
#cas.authn.ldap[0].dnFormat=%s,dc=its,dc=beloit,dc=edu
#cas.authn.ldap[0].principalAttributeId=sAMAccountName
#cas.authn.ldap[0].principalAttributePassword=password





Tim Tyler

Network Engineer

Beloit College



-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups
"CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/22394f2759232d0a1e53c6d61f841f82%40mail.gmail.com
<https://groups.google.com/a/apereo.org/d/msgid/cas-user/22394f2759232d0a1e53c6d61f841f82%40mail.gmail.com?utm_medium=email&utm_source=footer>
.


