It works for me with the following setup, in CAS6:
spnego:
name: Kerberos
order: 0
mixedModeAuthentication: true
supportedBrowsers: "MSIE,Trident,Firefox,AppleWebKit,curl"
ipsToCheckPattern: .*
principal:
principalAttribute: "sAMAccountName"
system:
kerberosConf: "file:/data/cas/conf/krb5.conf"
loginConf: "file:/data/cas/conf/login.conf"
kerberosDebug: false
properties:
-
jcifsServicePrincipal: "HTTP/host@REALM"
attributeRepository:
ldap:
-
name: AdRealm
# workaroud for
https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8217606
providerClass:
org.ldaptive.provider.unboundid.UnboundIDProvider
ldapUrl: ldaps://ldap.realm <ldaps://ldap.realm>.com
bindDn: "serviceAccount"
baseDn: ou=...,DC=...
searchFilter: "sAMAccountName={user}"
trustCertificates:
"file:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
attributes:
displayName: name
givenName: firstName
sn: lastName
ou: ou
uid: uid
mail: mail
sAMAccountName: sAMAccountName
...
personDirectory:
principalAttribute: "sAMAccountName"
useExistingPrincipalId: true
principalResolutionFailureFatal: true
I'm not sure about personDirectory. The documentation about that feature is a
(bad) joke, so I never quit understood what those arguments do.
And I have an application-secrets.yml to store secrets:
cas:
authn:
attributeRepository:
ldap:
- bindCredential: "SomeCredentials"
> Le 22 août 2019 à 12:30, Sparadrus (FR) <[email protected]> a écrit :
>
> NOTICE : The sender of this email is external to 3DS. Be wary of the content
> and do not open unexpected attachments or links.
>
> Hi,
> When my users login manually from CAS, attributes from AD are correctly
> retrieved and pass to my webapp. But with SPNEGO automatic login, i don't see
> on cas.log the attributes and my webapp (nextcloud) don't update user
> information (displayName, mail, memberOf). I don't see any row on apereo
> documentation who permit retrieve attributes from SPNEGO... Maybe I does
> create a service file specially for SPNEGO..?
> If you have any idea :)
> Thanks at all ;)
>
>
> SPENGO section from cas.properties :
>
> cas.authn.spnego.kerberosConf=file:/etc/krb5.conf
> cas.authn.spnego.mixedModeAuthentication=true
> cas.authn.spnego.cachePolicy=600
> cas.authn.spnego.timeout=300000
> cas.authn.spnego.jcifsServicePrincipal=HTTP/[email protected]
> cas.authn.spnego.jcifsServicePassword=MyPassWord
> cas.authn.spnego.loginConf=file:/etc/cas/config/login.conf
> cas.authn.spnego.ntlmAllowed=false
> cas.authn.spnego.supportedBrowsers=MSIE,Trident,Firefox,AppleWebKit
> cas.authn.spnego.hostNameClientActionStrategy=baseSpnegoClientAction
> cas.authn.spnego.kerberosKdc=192.168.0.1
> cas.authn.spnego.ipsToCheckPattern=10.+
> cas.authn.spnego.kerberosDebug=true
> cas.authn.spnego.kerberosRealm=DOMAIN.LAN
> cas.authn.spnego.send401OnAuthenticationFailure=true
> # cas.authn.spnego.jcifsNetbiosWins=
> # cas.authn.spnego.hostNamePatternString=.+
> # cas.authn.spnego.jcifsUsername=
> # cas.authn.spnego.useSubjectCredsOnly=false
> # cas.authn.spnego.jcifsDomainController=
> # cas.authn.spnego.dnsTimeout=2000
> # cas.authn.spnego.alternativeRemoteHostAttribute=alternateRemoteHeader
> # cas.authn.spnego.jcifsDomain=
> # cas.authn.spnego.ntlm=false
> cas.authn.spnego.principalWithDomainName=false
> # cas.authn.spnego.jcifsPassword=
> cas.authn.spnego.spnegoAttributeName=sAMAccountName
> # cas.authn.spnego.name=DOMAIN.LAN
> cas.authn.spnego.principal.principalAttribute=sAMAccountName
> # cas.authn.spnego.principal.returnNull=false
>
> And the section for AD :
>
> cas.authn.ldap[1].type=AD
> cas.authn.ldap[1].ldapUrl=ldap://10.0.0.1
> cas.authn.ldap[1].useSsl=false
> cas.authn.ldap[1].useStartTls=false
> cas.authn.ldap[1].connectTimeout=5000
> cas.authn.ldap[1].baseDn=DC=DOMAIN1,DC=LAN
> cas.authn.ldap[1].bindDn=DOMAIN1\\mylogin
> cas.authn.ldap[1].bindCredential=MyBindPassword
> cas.authn.ldap[1].principalAttributeId=sAMAccountName
> cas.authn.ldap[1].principalAttributePassword=unicodePwd
> cas.authn.ldap[1].principalAttributeList=sAMAccountName,sn,cn,givenName,displayName,mail,memberOf
> cas.authn.ldap[1].userFilter=(sAMAccountName={user})
> cas.authn.ldap[1].dnFormat=%[email protected]
> cas.authn.ldap[1].allowMultiplePrincipalAttributeValues=true
> cas.authn.ldap[1].subtreeSearch=true
> cas.authn.ldap[1].usePasswordPolicy=false
> cas.authn.ldap[1].failFast=false
>
> --
> - Website: https://apereo.github.io/cas <https://apereo.github.io/cas>
> - Gitter Chatroom: https://gitter.im/apereo/cas <https://gitter.im/apereo/cas>
> - List Guidelines: https://goo.gl/1VRrw7 <https://goo.gl/1VRrw7>
> - Contributions: https://goo.gl/mh7qDG <https://goo.gl/mh7qDG>
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected]
> <mailto:[email protected]>.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/6b211705-5ccd-496a-88f3-5637344f5604%40apereo.org
>
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/6b211705-5ccd-496a-88f3-5637344f5604%40apereo.org?utm_medium=email&utm_source=footer>.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/93F601E7-3A9B-4360-9400-5C535879D964%40gmail.com.
