I should also add that the userFilter is just limiting what CAS can see for 
the available pool of user objects. If you merely want to allow users of a 
certain group access to a particular service, then that is accomplished in 
the service definition under required attributes. But note I have not yet 
found how to get it to work with nested Active Directory groups, only 
direct child of the group.

On Tuesday, March 20, 2018 at 11:21:09 AM UTC-5, Michael Peterson wrote:
>
> Is the issue have to do with nested group membership in the Active 
> Directly group? In order for your LDAP filter to evaluate to true, the user 
> you are testing authenticating with needs to be directly a member of the 
> checked for group. If you want to have it recursively check if the user is 
> a member of the checked group, use something like this instead:
>
>
> cas.authn.ldap[0].userFilter=(&(objectCategory=Person)(sAMAccountName={user})(memberOf:1.2.840.113556.1.4.1941:=CN=SpecificGroupName,OU=Groups,OU=Company,DC=example,DC=com))
>
> On Tuesday, March 13, 2018 at 6:39:05 AM UTC-5, Марат Бралиев wrote:
>>
>> I need to check user password and member of specific group:
>>
>> I have CAS 5.2.* 
>>
>> My config file:
>>
>> cas.authn.ldap[0].type=AUTHENTICATED
>> cas.authn.ldap[0].ldapUrl=ldap://example.com
>> cas.authn.ldap[0].useSsl=false
>>
>> cas.authn.ldap[0].bindDn=cn=portal_manager,ou=System 
>> Accounts,dc=example,dc=com
>> cas.authn.ldap[0].bindCredential=***********
>> cas.authn.ldap[0].baseDn=DC=example,DC=com
>> cas.authn.ldap[0].subtreeSearch=true
>>
>> cas.authn.ldap[0].userFilter=(&(objectCategory=Person)(sAMAccountName={user})(memberOf=CN=SpecificGroupName,OU=Groups,OU=Company,DC=example,DC=com))
>>
>> cas.authn.ldap[0].usePasswordPolicy=false
>>
>> cas.authn.ldap[0].principalAttributeId=sAMAccountName
>> cas.authn.ldap[0].principalAttributePassword=
>>
>> cas.authn.ldap[0].principalAttributeList=displayName,commonName,email,memberOf
>> cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
>>
>> When I create auth request then CAS response error:
>>
>> 2018-03-13 17:34:38,515 DEBUG [org.ldaptive.SearchOperation] - <execute 
>> request=[org.ldaptive.SearchRequest@-384810870::baseDn=DC=hq,DC=bc, 
>> searchFilter=[org.ldaptive.SearchFilter@-1831897358::filter=(&(objectCategory=Person)(sAMAccountName={user})(memberOf=CN=ManagersPortal,OU=Groups,OU=БАНК,DC=hq,DC=bc)),
>>  
>> parameters={context=null, user=braliyev_30424}], returnAttributes=[1.1], 
>> searchScope=SUBTREE, timeLimit=PT0S, sizeLimit=0, derefAliases=null, 
>> typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, 
>> searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, 
>> referralHandler=null, intermediateResponseHandlers=null] with 
>> connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1004112938::config=[org.ldaptive.ConnectionConfig@1791270211::ldapUrl=ldap://hq.bc,
>>  
>> connectTimeout=PT5S, responseTimeout=PT5S, 
>> sslConfig=[org.ldaptive.ssl.SslConfig@887019403::credentialConfig=null, 
>> trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, 
>> enabledCipherSuites=null, enabledProtocols=null, 
>> handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, 
>> connectionInitializer=[org.ldaptive.BindConnectionInitializer@727124254::bindDn=cn=kaspi_portal,ou=System
>>  
>> Accounts,dc=hq,dc=bc, bindSaslConfig=null, bindControls=null], 
>> connectionStrategy=org.ldaptive.DefaultConnectionStrategy@1e7a75fd], 
>> providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@2104222132::metadata=[ldapUrl=ldap://hq.bc,
>>  
>> count=1], environment={com.sun.jndi.ldap.connect.timeout=5000, 
>> java.naming.ldap.version=3, 
>> java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, 
>> com.sun.jndi.ldap.read.timeout=5000}, classLoader=null, 
>> providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@334577122::operationExceptionResultCodes=[PROTOCOL_ERROR,
>>  
>> SERVER_DOWN], properties={}, 
>> controlProcessor=org.ldaptive.provider.ControlProcessor@29c0c417, 
>> environment=null, tracePackets=null, removeDnUrls=true, 
>> searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, 
>> PARTIAL_RESULTS], classLoader=null, sslSocketFactory=null, 
>> hostnameVerifier=null]], 
>> providerConnection=org.ldaptive.provider.jndi.JndiConnection@6368ec02]>
>> 2018-03-13 17:34:38,521 DEBUG [org.ldaptive.SearchOperation] - <execute 
>> response=[org.ldaptive.Response@626954816::result=[org.ldaptive.SearchResult@-1662255094::entries=[],
>>  
>> references=[[org.ldaptive.SearchReference@74822743::referralUrls=[ldap://DomainDnsZones.hq.bc/DC=DomainDnsZones,DC=hq,DC=bc],
>>  
>> responseControls=null, messageId=-1, referenceResponse=null], 
>> [org.ldaptive.SearchReference@-526386759::referralUrls=[ldap://hq.bc/CN=Configuration,DC=hq,DC=bc],
>>  
>> responseControls=null, messageId=-1, referenceResponse=null], 
>> [org.ldaptive.SearchReference@-1214994231::referralUrls=[ldap://ForestDnsZones.hq.bc/DC=ForestDnsZones,DC=hq,DC=bc],
>>  
>> responseControls=null, messageId=-1, referenceResponse=null]]], 
>> resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, 
>> referralURLs=null, messageId=-1] for 
>> request=[org.ldaptive.SearchRequest@-384810870::baseDn=DC=hq,DC=bc, 
>> searchFilter=[org.ldaptive.SearchFilter@-1831897358::filter=(&(objectCategory=Person)(sAMAccountName={user})(memberOf=CN=ManagersPortal,OU=Groups,OU=БАНК,DC=hq,DC=bc)),
>>  
>> parameters={context=null, user=braliyev_30424}], returnAttributes=[1.1], 
>> searchScope=SUBTREE, timeLimit=PT0S, sizeLimit=0, derefAliases=null, 
>> typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, 
>> searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, 
>> referralHandler=null, intermediateResponseHandlers=null] with 
>> connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1004112938::config=[org.ldaptive.ConnectionConfig@1791270211::ldapUrl=ldap://hq.bc,
>>  
>> connectTimeout=PT5S, responseTimeout=PT5S, 
>> sslConfig=[org.ldaptive.ssl.SslConfig@887019403::credentialConfig=null, 
>> trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, 
>> enabledCipherSuites=null, enabledProtocols=null, 
>> handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, 
>> connectionInitializer=[org.ldaptive.BindConnectionInitializer@727124254::bindDn=cn=kaspi_portal,ou=System
>>  
>> Accounts,dc=hq,dc=bc, bindSaslConfig=null, bindControls=null], 
>> connectionStrategy=org.ldaptive.DefaultConnectionStrategy@1e7a75fd], 
>> providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@2104222132::metadata=[ldapUrl=ldap://hq.bc,
>>  
>> count=1], environment={com.sun.jndi.ldap.connect.timeout=5000, 
>> java.naming.ldap.version=3, 
>> java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, 
>> com.sun.jndi.ldap.read.timeout=5000}, classLoader=null, 
>> providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@334577122::operationExceptionResultCodes=[PROTOCOL_ERROR,
>>  
>> SERVER_DOWN], properties={}, 
>> controlProcessor=org.ldaptive.provider.ControlProcessor@29c0c417, 
>> environment=null, tracePackets=null, removeDnUrls=true, 
>> searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, 
>> PARTIAL_RESULTS], classLoader=null, sslSocketFactory=null, 
>> hostnameVerifier=null]], 
>> providerConnection=org.ldaptive.provider.jndi.JndiConnection@6368ec02]>
>>
>> 2018-03-13 17:34:38,526 INFO [org.ldaptive.auth.PooledSearchDnResolver] - 
>> <search for 
>> user=[org.ldaptive.auth.User@1756715488::identifier=braliyev_30424, 
>> context=null] failed using 
>> filter=[org.ldaptive.SearchFilter@-1831897358::filter=(&(objectCategory=Person)(sAMAccountName={user})(memberOf=CN=ManagersPortal,OU=Groups,OU=БАНК,DC=hq,DC=bc)),
>>  
>> parameters={context=null, user=braliyev_30424}]>
>> 2018-03-13 17:34:38,526 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] 
>> - <resolved dn=null for 
>> user=[org.ldaptive.auth.User@1756715488::identifier=braliyev_30424, 
>> context=null]>
>> 2018-03-13 17:34:38,526 DEBUG [org.ldaptive.auth.Authenticator] - 
>> <authenticate dn=null with 
>> request=[org.ldaptive.auth.AuthenticationRequest@1687550059::user=[org.ldaptive.auth.User@1756715488::identifier=braliyev_30424,
>>  
>> context=null], returnAttributes=[commonName, sAMAccountName, displayName, 
>> memberOf, email], controls=null]>
>>
>> CAS search request result is empty.
>>
>>
>>
>> When I change configuration "userFilter" without checking memberOf  - 
>> cas.authn.ldap[0].userFilter=(&(objectCategory=Person)) authorization works 
>> corretly.
>>
>> I checked my search request in LDAPAdmin utility, he works correctly.
>>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d2b20ffd-b118-4a49-a080-da8163360876%40apereo.org.

Reply via email to