[cas-user] Re: Help with LDAP auth

[Michael Peterson]

Is the issue have to do with nested group membership in the Active Directly 
group? In order for your LDAP filter to evaluate to true, the user you are 
testing authenticating with needs to be directly a member of the checked 
for group. If you want to have it recursively check if the user is a member 
of the checked group, use something like this instead:

cas.authn.ldap[0].userFilter=(&(objectCategory=Person)(sAMAccountName={user})(memberOf:1.2.840.113556.1.4.1941:=CN=SpecificGroupName,OU=Groups,OU=Company,DC=example,DC=com))

On Tuesday, March 13, 2018 at 6:39:05 AM UTC-5, Марат Бралиев wrote:
>
> I need to check user password and member of specific group:
>
> I have CAS 5.2.* 
>
> My config file:
>
> cas.authn.ldap[0].type=AUTHENTICATED
> cas.authn.ldap[0].ldapUrl=ldap://example.com
> cas.authn.ldap[0].useSsl=false
>
> cas.authn.ldap[0].bindDn=cn=portal_manager,ou=System 
> Accounts,dc=example,dc=com
> cas.authn.ldap[0].bindCredential=***********
> cas.authn.ldap[0].baseDn=DC=example,DC=com
> cas.authn.ldap[0].subtreeSearch=true
>
> cas.authn.ldap[0].userFilter=(&(objectCategory=Person)(sAMAccountName={user})(memberOf=CN=SpecificGroupName,OU=Groups,OU=Company,DC=example,DC=com))
>
> cas.authn.ldap[0].usePasswordPolicy=false
>
> cas.authn.ldap[0].principalAttributeId=sAMAccountName
> cas.authn.ldap[0].principalAttributePassword=
>
> cas.authn.ldap[0].principalAttributeList=displayName,commonName,email,memberOf
> cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
>
> When I create auth request then CAS response error:
>
> 2018-03-13 17:34:38,515 DEBUG [org.ldaptive.SearchOperation] - <execute 
> request=[org.ldaptive.SearchRequest@-384810870::baseDn=DC=hq,DC=bc, 
> searchFilter=[org.ldaptive.SearchFilter@-1831897358::filter=(&(objectCategory=Person)(sAMAccountName={user})(memberOf=CN=ManagersPortal,OU=Groups,OU=БАНК,DC=hq,DC=bc)),
>  
> parameters={context=null, user=braliyev_30424}], returnAttributes=[1.1], 
> searchScope=SUBTREE, timeLimit=PT0S, sizeLimit=0, derefAliases=null, 
> typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, 
> searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, 
> referralHandler=null, intermediateResponseHandlers=null] with 
> connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1004112938::config=[org.ldaptive.ConnectionConfig@1791270211::ldapUrl=ldap://hq.bc,
>  
> connectTimeout=PT5S, responseTimeout=PT5S, 
> sslConfig=[org.ldaptive.ssl.SslConfig@887019403::credentialConfig=null, 
> trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, 
> enabledCipherSuites=null, enabledProtocols=null, 
> handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, 
> connectionInitializer=[org.ldaptive.BindConnectionInitializer@727124254::bindDn=cn=kaspi_portal,ou=System
>  
> Accounts,dc=hq,dc=bc, bindSaslConfig=null, bindControls=null], 
> connectionStrategy=org.ldaptive.DefaultConnectionStrategy@1e7a75fd], 
> providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@2104222132::metadata=[ldapUrl=ldap://hq.bc,
>  
> count=1], environment={com.sun.jndi.ldap.connect.timeout=5000, 
> java.naming.ldap.version=3, 
> java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, 
> com.sun.jndi.ldap.read.timeout=5000}, classLoader=null, 
> providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@334577122::operationExceptionResultCodes=[PROTOCOL_ERROR,
>  
> SERVER_DOWN], properties={}, 
> controlProcessor=org.ldaptive.provider.ControlProcessor@29c0c417, 
> environment=null, tracePackets=null, removeDnUrls=true, 
> searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, 
> PARTIAL_RESULTS], classLoader=null, sslSocketFactory=null, 
> hostnameVerifier=null]], 
> providerConnection=org.ldaptive.provider.jndi.JndiConnection@6368ec02]>
> 2018-03-13 17:34:38,521 DEBUG [org.ldaptive.SearchOperation] - <execute 
> response=[org.ldaptive.Response@626954816::result=[org.ldaptive.SearchResult@-1662255094::entries=[],
>  
> references=[[org.ldaptive.SearchReference@74822743::referralUrls=[ldap://DomainDnsZones.hq.bc/DC=DomainDnsZones,DC=hq,DC=bc],
>  
> responseControls=null, messageId=-1, referenceResponse=null], 
> [org.ldaptive.SearchReference@-526386759::referralUrls=[ldap://hq.bc/CN=Configuration,DC=hq,DC=bc],
>  
> responseControls=null, messageId=-1, referenceResponse=null], 
> [org.ldaptive.SearchReference@-1214994231::referralUrls=[ldap://ForestDnsZones.hq.bc/DC=ForestDnsZones,DC=hq,DC=bc],
>  
> responseControls=null, messageId=-1, referenceResponse=null]]], 
> resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, 
> referralURLs=null, messageId=-1] for 
> request=[org.ldaptive.SearchRequest@-384810870::baseDn=DC=hq,DC=bc, 
> searchFilter=[org.ldaptive.SearchFilter@-1831897358::filter=(&(objectCategory=Person)(sAMAccountName={user})(memberOf=CN=ManagersPortal,OU=Groups,OU=БАНК,DC=hq,DC=bc)),
>  
> parameters={context=null, user=braliyev_30424}], returnAttributes=[1.1], 
> searchScope=SUBTREE, timeLimit=PT0S, sizeLimit=0, derefAliases=null, 
> typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, 
> searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, 
> referralHandler=null, intermediateResponseHandlers=null] with 
> connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1004112938::config=[org.ldaptive.ConnectionConfig@1791270211::ldapUrl=ldap://hq.bc,
>  
> connectTimeout=PT5S, responseTimeout=PT5S, 
> sslConfig=[org.ldaptive.ssl.SslConfig@887019403::credentialConfig=null, 
> trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, 
> enabledCipherSuites=null, enabledProtocols=null, 
> handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, 
> connectionInitializer=[org.ldaptive.BindConnectionInitializer@727124254::bindDn=cn=kaspi_portal,ou=System
>  
> Accounts,dc=hq,dc=bc, bindSaslConfig=null, bindControls=null], 
> connectionStrategy=org.ldaptive.DefaultConnectionStrategy@1e7a75fd], 
> providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@2104222132::metadata=[ldapUrl=ldap://hq.bc,
>  
> count=1], environment={com.sun.jndi.ldap.connect.timeout=5000, 
> java.naming.ldap.version=3, 
> java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, 
> com.sun.jndi.ldap.read.timeout=5000}, classLoader=null, 
> providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@334577122::operationExceptionResultCodes=[PROTOCOL_ERROR,
>  
> SERVER_DOWN], properties={}, 
> controlProcessor=org.ldaptive.provider.ControlProcessor@29c0c417, 
> environment=null, tracePackets=null, removeDnUrls=true, 
> searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, 
> PARTIAL_RESULTS], classLoader=null, sslSocketFactory=null, 
> hostnameVerifier=null]], 
> providerConnection=org.ldaptive.provider.jndi.JndiConnection@6368ec02]>
>
> 2018-03-13 17:34:38,526 INFO [org.ldaptive.auth.PooledSearchDnResolver] - 
> <search for 
> user=[org.ldaptive.auth.User@1756715488::identifier=braliyev_30424, 
> context=null] failed using 
> filter=[org.ldaptive.SearchFilter@-1831897358::filter=(&(objectCategory=Person)(sAMAccountName={user})(memberOf=CN=ManagersPortal,OU=Groups,OU=БАНК,DC=hq,DC=bc)),
>  
> parameters={context=null, user=braliyev_30424}]>
> 2018-03-13 17:34:38,526 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - 
> <resolved dn=null for 
> user=[org.ldaptive.auth.User@1756715488::identifier=braliyev_30424, 
> context=null]>
> 2018-03-13 17:34:38,526 DEBUG [org.ldaptive.auth.Authenticator] - 
> <authenticate dn=null with 
> request=[org.ldaptive.auth.AuthenticationRequest@1687550059::user=[org.ldaptive.auth.User@1756715488::identifier=braliyev_30424,
>  
> context=null], returnAttributes=[commonName, sAMAccountName, displayName, 
> memberOf, email], controls=null]>
>
> CAS search request result is empty.
>
>
>
> When I change configuration "userFilter" without checking memberOf  - 
> cas.authn.ldap[0].userFilter=(&(objectCategory=Person)) authorization works 
> corretly.
>
> I checked my search request in LDAPAdmin utility, he works correctly.
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/0ecbb5b7-852c-4f8a-b6ee-d1a98b1984fe%40apereo.org.