Maybe your ldap logs will have more info.

Ray

On Tue, 2018-03-13 at 04:39 -0700, Марат Бралиев wrote:
I need to check user password and member of specific group:

I have CAS 5.2.*

My config file:

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://example.com
cas.authn.ldap[0].useSsl=false

cas.authn.ldap[0].bindDn=cn=portal_manager,ou=System Accounts,dc=example,dc=com
cas.authn.ldap[0].bindCredential=***********
cas.authn.ldap[0].baseDn=DC=example,DC=com
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].userFilter=(&(objectCategory=Person)(sAMAccountName={user})(memberOf=CN=SpecificGroupName,OU=Groups,OU=Company,DC=example,DC=com))

cas.authn.ldap[0].usePasswordPolicy=false

cas.authn.ldap[0].principalAttributeId=sAMAccountName
cas.authn.ldap[0].principalAttributePassword=
cas.authn.ldap[0].principalAttributeList=displayName,commonName,email,memberOf
cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true

When I create auth request then CAS response error:

2018-03-13 17:34:38,515 DEBUG [org.ldaptive.SearchOperation] - <execute 
request=[org.ldaptive.SearchRequest@-384810870::baseDn=DC=hq,DC=bc, 
searchFilter=[org.ldaptive.SearchFilter@-1831897358::filter=(&(objectCategory=Person)(sAMAccountName={user})(memberOf=CN=ManagersPortal,OU=Groups,OU=БАНК,DC=hq,DC=bc)),
 parameters={context=null, user=braliyev_30424}], returnAttributes=[1.1], 
searchScope=SUBTREE, timeLimit=PT0S, sizeLimit=0, derefAliases=null, 
typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, 
searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, 
referralHandler=null, intermediateResponseHandlers=null] with 
connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1004112938::config=[org.ldaptive.ConnectionConfig@1791270211::ldapUrl=ldap://hq.bc,
 connectTimeout=PT5S, responseTimeout=PT5S, 
sslConfig=[org.ldaptive.ssl.SslConfig@887019403::credentialConfig=null, 
trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, 
enabledCipherSuites=null, enabledProtocols=null, 
handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, 
connectionInitializer=[org.ldaptive.BindConnectionInitializer@727124254::bindDn=cn=kaspi_portal,ou=System
 Accounts,dc=hq,dc=bc, bindSaslConfig=null, bindControls=null], 
connectionStrategy=org.ldaptive.DefaultConnectionStrategy@1e7a75fd], 
providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@2104222132::metadata=[ldapUrl=ldap://hq.bc,
 count=1], environment={com.sun.jndi.ldap.connect.timeout=5000, 
java.naming.ldap.version=3, 
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, 
com.sun.jndi.ldap.read.timeout=5000}, classLoader=null, 
providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@334577122::operationExceptionResultCodes=[PROTOCOL_ERROR,
 SERVER_DOWN], properties={}, 
controlProcessor=org.ldaptive.provider.ControlProcessor@29c0c417, 
environment=null, tracePackets=null, removeDnUrls=true, 
searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, 
PARTIAL_RESULTS], classLoader=null, sslSocketFactory=null, 
hostnameVerifier=null]], 
providerConnection=org.ldaptive.provider.jndi.JndiConnection@6368ec02]>
2018-03-13 17:34:38,521 DEBUG [org.ldaptive.SearchOperation] - <execute 
response=[org.ldaptive.Response@626954816::result=[org.ldaptive.SearchResult@-1662255094::entries=[],
 
references=[[org.ldaptive.SearchReference@74822743::referralUrls=[ldap://DomainDnsZones.hq.bc/DC=DomainDnsZones,DC=hq,DC=bc],
 responseControls=null, messageId=-1, referenceResponse=null], 
[org.ldaptive.SearchReference@-526386759::referralUrls=[ldap://hq.bc/CN=Configuration,DC=hq,DC=bc],
 responseControls=null, messageId=-1, referenceResponse=null], 
[org.ldaptive.SearchReference@-1214994231::referralUrls=[ldap://ForestDnsZones.hq.bc/DC=ForestDnsZones,DC=hq,DC=bc],
 responseControls=null, messageId=-1, referenceResponse=null]]], 
resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, 
referralURLs=null, messageId=-1] for 
request=[org.ldaptive.SearchRequest@-384810870::baseDn=DC=hq,DC=bc, 
searchFilter=[org.ldaptive.SearchFilter@-1831897358::filter=(&(objectCategory=Person)(sAMAccountName={user})(memberOf=CN=ManagersPortal,OU=Groups,OU=БАНК,DC=hq,DC=bc)),
 parameters={context=null, user=braliyev_30424}], returnAttributes=[1.1], 
searchScope=SUBTREE, timeLimit=PT0S, sizeLimit=0, derefAliases=null, 
typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, 
searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, 
referralHandler=null, intermediateResponseHandlers=null] with 
connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1004112938::config=[org.ldaptive.ConnectionConfig@1791270211::ldapUrl=ldap://hq.bc,
 connectTimeout=PT5S, responseTimeout=PT5S, 
sslConfig=[org.ldaptive.ssl.SslConfig@887019403::credentialConfig=null, 
trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, 
enabledCipherSuites=null, enabledProtocols=null, 
handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, 
connectionInitializer=[org.ldaptive.BindConnectionInitializer@727124254::bindDn=cn=kaspi_portal,ou=System
 Accounts,dc=hq,dc=bc, bindSaslConfig=null, bindControls=null], 
connectionStrategy=org.ldaptive.DefaultConnectionStrategy@1e7a75fd], 
providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@2104222132::metadata=[ldapUrl=ldap://hq.bc,
 count=1], environment={com.sun.jndi.ldap.connect.timeout=5000, 
java.naming.ldap.version=3, 
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, 
com.sun.jndi.ldap.read.timeout=5000}, classLoader=null, 
providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@334577122::operationExceptionResultCodes=[PROTOCOL_ERROR,
 SERVER_DOWN], properties={}, 
controlProcessor=org.ldaptive.provider.ControlProcessor@29c0c417, 
environment=null, tracePackets=null, removeDnUrls=true, 
searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, 
PARTIAL_RESULTS], classLoader=null, sslSocketFactory=null, 
hostnameVerifier=null]], 
providerConnection=org.ldaptive.provider.jndi.JndiConnection@6368ec02]>

2018-03-13 17:34:38,526 INFO [org.ldaptive.auth.PooledSearchDnResolver] - 
<search for user=[org.ldaptive.auth.User@1756715488::identifier=braliyev_30424, 
context=null] failed using 
filter=[org.ldaptive.SearchFilter@-1831897358::filter=(&(objectCategory=Person)(sAMAccountName={user})(memberOf=CN=ManagersPortal,OU=Groups,OU=БАНК,DC=hq,DC=bc)),
 parameters={context=null, user=braliyev_30424}]>
2018-03-13 17:34:38,526 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - 
<resolved dn=null for 
user=[org.ldaptive.auth.User@1756715488::identifier=braliyev_30424, 
context=null]>
2018-03-13 17:34:38,526 DEBUG [org.ldaptive.auth.Authenticator] - <authenticate 
dn=null with 
request=[org.ldaptive.auth.AuthenticationRequest@1687550059::user=[org.ldaptive.auth.User@1756715488::identifier=braliyev_30424,
 context=null], returnAttributes=[commonName, sAMAccountName, displayName, 
memberOf, email], controls=null]>

CAS search request result is empty.



When I change configuration "userFilter" without checking memberOf  - 
cas.authn.ldap[0].userFilter=(&(objectCategory=Person)) authorization works 
corretly.

I checked my search request in LDAPAdmin utility, he works correctly.

--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1520958408.1793.41.camel%40uvic.ca.

Reply via email to