There are smarter (way smarter) LDAP people than me, but yeah, that's kind
of it. Some LDAPs (like AD) will let you bind as the user him/herself to
authenticate, others require you to use a special account to make the bind,
and then authenticate the user. Although come to think of it, I think AD
might only permit that over an LDAPS connection, which might be why you
were having trouble.

Likewise, some LDAPs will let you retrieve attributes at the same time that
you authenticate, and others require you to make a separate request for
that. In our particular case, our LDAP contains a superset of the users in
AD (AD has "active" people, LDAP has "active" and "alumni"). But the two
directories have different (overlapping) sets of attributes, and we always
want to get all of them and merge them together, so in my CAS config, I do
the authentication and attribute retrieval separately.

I'm not sure how you get a dnFormat that handles multiple OUs, or if you
even can. In my case, we have almost everyone in a single OU, except for
some administrator accounts, which are in a separate OU. Rather than try
and handle them all together, I just punted and defined two different AD
configs for them, one for each OU. If you look at my documentation, you'll
note that ldap[0] and ldap[2] are actually the SAME AD server, they just
have different baseDN and dnFormat settings.

--Dave



--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu
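As an added example (not code from this thread and not CAS's own code), the following Python model contrasts the two authentication styles Dave describes: building the user DN from a dnFormat template and binding directly as that user, versus binding with a service account (bindDn/bindCredential), searching under baseDn with userFilter, and then binding as the one DN found. The directory entries and passwords are constructed stand-ins; the `%s` placeholder in dnFormat and `{user}` in userFilter follow the CAS documentation conventions, and the in-memory search is a simplified stand-in for a real LDAP server rather than a model of AD's full bind behaviour (for instance, AD's acceptance of a UPN as the bind name is not modelled).

```python
"""Model of CAS-style LDAP authentication: dnFormat (direct bind) vs.
bindDn + userFilter search (authenticated bind). Constructed data only."""

# Constructed sample directory: DN -> attributes (passwords are fake).
DIRECTORY = {
    "CN=User 1,OU=Test,OU=alpha,DC=beta,DC=gamma": {
        "cn": "User 1", "sAMAccountName": "user1",
        "userPrincipalName": "user1@beta.gamma", "password": "user1Password"},
    "CN=Kevin Liu,OU=Delta,OU=alpha,DC=beta,DC=gamma": {
        "cn": "Kevin Liu", "sAMAccountName": "kliu",
        "userPrincipalName": "kliu@beta.gamma", "password": "kliuPassword"},
    "CN=Admin One,OU=Admins,DC=beta,DC=gamma": {
        "cn": "Admin One", "sAMAccountName": "admin1",
        "userPrincipalName": "admin1@beta.gamma", "password": "adminPassword"},
}


def norm_dn(dn):
    """Case-insensitive, whitespace-tolerant DN form for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def lookup(dn):
    """Return the entry whose DN equals dn (case-insensitively), else None."""
    for entry_dn, entry in DIRECTORY.items():
        if norm_dn(entry_dn) == norm_dn(dn):
            return entry
    return None


def in_scope(dn, base_dn, subtree):
    """Is dn under base_dn? subtree=False means one level below base only."""
    dn_parts = norm_dn(dn).split(",")
    base_parts = norm_dn(base_dn).split(",")
    if dn_parts[-len(base_parts):] != base_parts:
        return False
    return subtree or len(dn_parts) == len(base_parts) + 1


def escape_filter_value(value):
    """RFC 4515 escaping so a login name cannot change the filter's meaning."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape_filter_value(value):
    """Reverse RFC 4515 \\XX escapes back to literal characters."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_filter(text):
    """Parse a filter limited to attr=value, (&...) and (|...) forms."""
    text = text.strip()
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1]
    if text[:1] in ("&", "|"):
        parts, depth, start = [], 0, 0
        for i, ch in enumerate(text):
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    parts.append(text[start:i + 1])
        return (text[0], [parse_filter(p) for p in parts])
    attr, _, value = text.partition("=")
    return ("=", attr.strip().lower(), unescape_filter_value(value).lower())


def matches(entry, node):
    """Evaluate a parsed filter against one entry (attribute values compared
    case-insensitively, as AD does for cn and the name attributes)."""
    if node[0] == "&":
        return all(matches(entry, n) for n in node[1])
    if node[0] == "|":
        return any(matches(entry, n) for n in node[1])
    lowered = {k.lower(): v.lower() for k, v in entry.items() if k != "password"}
    return lowered.get(node[1]) == node[2]


def authenticate_direct(dn_formats, user, password):
    """Direct style: no search; the DN is built from a template and bound.
    Dave's two-OU workaround is modelled as one dnFormat per OU, tried in turn.
    Returns the bound DN on success, None on failure."""
    for fmt in dn_formats:
        dn = fmt % user                     # CAS dnFormat uses %s for the user id
        entry = lookup(dn)
        if entry is not None:
            return dn if entry["password"] == password else None
    return None


def authenticate_searched(base_dn, user_filter, user, password, subtree=True):
    """Authenticated style: bind as the service account (implicit here), search
    under baseDn with userFilter, then bind as the single DN found."""
    node = parse_filter(user_filter.replace("{user}", escape_filter_value(user)))
    found = [dn for dn, e in DIRECTORY.items()
             if in_scope(dn, base_dn, subtree) and matches(e, node)]
    if len(found) != 1:                     # zero or ambiguous matches: fail closed
        return None
    return found[0] if DIRECTORY[found[0]]["password"] == password else None


if __name__ == "__main__":
    one_ou = ["CN=%s,OU=Test,OU=alpha,DC=beta,DC=gamma"]
    two_ou = one_ou + ["CN=%s,OU=Delta,OU=alpha,DC=beta,DC=gamma"]
    print(authenticate_direct(one_ou, "User 1", "user1Password"))   # User 1's DN
    print(authenticate_direct(one_ou, "Kevin Liu", "kliuPassword")) # None: other OU
    print(authenticate_direct(two_ou, "Kevin Liu", "kliuPassword")) # Kevin's DN
    upn_or_sam = "(|(sAMAccountName={user})(userPrincipalName={user}))"
    print(authenticate_searched("dc=beta,dc=gamma", upn_or_sam, "kliu", "kliuPassword"))
    print(authenticate_searched("dc=beta,dc=gamma", "cn={user}", "*", "x"))  # None: escaped
```

The searched form is what makes "users in several OUs" work with one configuration: the service account finds the entry wherever it sits under baseDn, and the `{user}` value is escaped so a login name such as `*` cannot widen the filter. Requiring exactly one match before the second bind is the check worth keeping: an ambiguous filter (two entries with the same cn) should fail rather than bind as whichever came back first.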


On Fri, Feb 23, 2018 at 3:12 PM, Kevin Liu <annihil8...@gmail.com> wrote:

> Just to make sure I understand the LDAP and CAS connection properly, CAS
> is sending over a set of credentials to first access the LDAP correct? Is
> that the bindDN and bindCredential? Does it then search through the result
> query for userFilter for a match?
>
> Also, I'm a little confused about the dNFormat. I input directly what is
> the DN for user 1. However, for other users, since they belong to different
> OU, how do I change the code such that it becomes more versatile?
>
> My eventual goal is for cas to authenticate users from a single OU.
>
> Thank you all for bearing with me so far and all my questions.
>
> On Friday, February 23, 2018 at 11:44:35 AM UTC-6, Kevin Liu wrote:
>>
>> I finally got it to talk to my LDAP! I've realized I should also put that
>> my LDAP is really an MSDN. It is in a very limited capacity though. Here is
>> my cas.properties and I hope someone can help me figure out how to expand
>> the scope of authentication. My apologies about the obfuscation.
>>
>> #AD Configurations
>> cas.authn.ldap[0].type=AD
>> cas.authn.ldap[0].ldapUrl=ldap://ladpserver:389
>> cas.authn.ldap[0].useSsl=false
>> cas.authn.ldap[0].useStartTls=false
>> cas.authn.ldap[0].connectTimeout=5000
>> cas.authn.ldap[0].subtreeSearch=true
>> cas.authn.ldap[0].baseDn=dc=beta,dc=gamma
>> cas.authn.ldap[0].userFilter=cn={user}
>> cas.authn.ldap[0].bindDn=user1@beta.gamma
>> cas.authn.ldap[0].bindCredential=user1Password
>> cas.authn.ldap[0].dnFormat=CN=User 1,OU=Test,OU=alpha,DC=beta,DC=gamma
>>
>> This configuration only works for 1 user, user1. How do I expand it such
>> that any user can input their credentials for validation?
>> Also interesting, for user1, they can input either user1 or
>> user1@beta.gamma and be able to login with the correct password.
>>
>>
>>
>>
>> On Friday, February 23, 2018 at 9:17:02 AM UTC-6, David Curry wrote:
>>>
>>> Yes, that looks like your DN.
>>>
>>> But if CAS is not starting, it's something else. Are you using 5.2.2?
>>> Can you post your pom.xml and cas.log files as attachments?
>>>
>>>
>>>
>>>
>>> On Fri, Feb 23, 2018 at 9:56 AM, Kevin Liu <annih...@gmail.com> wrote:
>>>
>>>> For my own account, when I execute the LDAP query in my first post, I
>>>> can't see my own DN but I can see what I'm a member of. Is the listed
>>>> member field my DN?
>>>>
>>>> member: CN=Kevin Liu,OU=Delta,OU=Alpha,DC=Beta,DC=Gamma
>>>>
>>>> Would this be my DN?
>>>>
>>>> On Friday, February 23, 2018 at 6:17:22 AM UTC-6, alberto wrote:
>>>>>
>>>>> On Thu, 22 Feb 2018 13:43:05 -0800 (PST)
>>>>> Kevin Liu <annih...@gmail.com> wrote:
>>>>>
>>>>> > Correct me if I'm wrong but looking at the directory, not everyone
>>>>> > has a DN. Some users are only members of a group it looks like.
>>>>>
>>>>> I don't think so. DN is the ultimate identifier in LDAP/AD. As stated
>>>>> in MSDN: «The LDAP API references an LDAP object by its distinguished
>>>>> name (DN)». Even a group has a DN so you can perform operations on
>>>>> it.
>>>>>
>>>>> ( Source: https://msdn.microsoft.com/en-us/library/aa366101(v=vs.85).aspx )
>>>>>
>>>>> --
>>>>> Alberto Cabello Sánchez
>>>>> Servicio de Informática
>>>>> Universidad de Extremadura
>>>>>
>>>> --
>>>> - Website: https://apereo.github.io/cas
>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>> - Contributions: https://goo.gl/mh7qDG
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "CAS Community" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to cas-user+u...@apereo.org.
>>>> To view this discussion on the web visit https://groups.google.com/a/ap
>>>> ereo.org/d/msgid/cas-user/4c960c01-c31d-4c3b-8386-c9dadafaf8
>>>> 12%40apereo.org
>>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/4c960c01-c31d-4c3b-8386-c9dadafaf812%40apereo.org?utm_medium=email&utm_source=footer>
>>>> .
>>>>
>>>
