Thanks Fabrice! I'll test this when I have some time. In fact, it seemed appropriate to me to declare an Attribute Repository for retrieving attributes via Kerberos. On the other hand, I have 3 Active Directory domains connected in a triangle (a federating/admin domain with 2 delegated domains), so I think I will cry. I'll report back, I promise!
Thank you again!!

On Tuesday 27 August 2019 at 17:50:48 UTC+2, Fabrice Bacchella wrote:
>
> It works for me with the following setup, in CAS6:
>
> spnego:
>   name: Kerberos
>   order: 0
>   mixedModeAuthentication: true
>   supportedBrowsers: "MSIE,Trident,Firefox,AppleWebKit,curl"
>   ipsToCheckPattern: .*
>   principal:
>     principalAttribute: "sAMAccountName"
>   system:
>     kerberosConf: "file:/data/cas/conf/krb5.conf"
>     loginConf: "file:/data/cas/conf/login.conf"
>     kerberosDebug: false
>   properties:
>     -
>       jcifsServicePrincipal: "HTTP/host@REALM"
> attributeRepository:
>   ldap:
>     -
>       name: AdRealm
>       # workaround for https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8217606
>       providerClass: org.ldaptive.provider.unboundid.UnboundIDProvider
>       ldapUrl: ldaps://ldap.realm.com
>       bindDn: "serviceAccount"
>       baseDn: ou=...,DC=...
>       searchFilter: "sAMAccountName={user}"
>       trustCertificates: "file:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
>       attributes:
>         displayName: name
>         givenName: firstName
>         sn: lastName
>         ou: ou
>         uid: uid
>         mail: mail
>         sAMAccountName: sAMAccountName
>         ...
> personDirectory:
>   principalAttribute: "sAMAccountName"
>   useExistingPrincipalId: true
>   principalResolutionFailureFatal: true
>
> I'm not sure about personDirectory. The documentation about that feature
> is a (bad) joke, so I never quite understood what those arguments do.
>
> And I have an application-secrets.yml to store secrets:
>
> cas:
>   authn:
>     attributeRepository:
>       ldap:
>         - bindCredential: "SomeCredentials"
>
> > On 22 August 2019 at 12:30, Sparadrus (FR) <[email protected]> wrote:
> >
> > Hi,
> > When my users log in manually from CAS, attributes from AD are correctly
> > retrieved and passed to my webapp. But with SPNEGO automatic login, I don't
> > see the attributes in cas.log and my webapp (Nextcloud) doesn't update user
> > information (displayName, mail, memberOf). I don't see any line in the Apereo
> > documentation that allows retrieving attributes from SPNEGO... Maybe I should
> > create a service file specifically for SPNEGO..?
> > If you have any idea :)
> > Thanks to all ;)
> >
> > SPNEGO section from cas.properties:
> >
> > cas.authn.spnego.kerberosConf=file:/etc/krb5.conf
> > cas.authn.spnego.mixedModeAuthentication=true
> > cas.authn.spnego.cachePolicy=600
> > cas.authn.spnego.timeout=300000
> > cas.authn.spnego.jcifsServicePrincipal=HTTP/[email protected]
> > cas.authn.spnego.jcifsServicePassword=MyPassWord
> > cas.authn.spnego.loginConf=file:/etc/cas/config/login.conf
> > cas.authn.spnego.ntlmAllowed=false
> > cas.authn.spnego.supportedBrowsers=MSIE,Trident,Firefox,AppleWebKit
> > cas.authn.spnego.hostNameClientActionStrategy=baseSpnegoClientAction
> > cas.authn.spnego.kerberosKdc=192.168.0.1
> > cas.authn.spnego.ipsToCheckPattern=10.+
> > cas.authn.spnego.kerberosDebug=true
> > cas.authn.spnego.kerberosRealm=DOMAIN.LAN
> > cas.authn.spnego.send401OnAuthenticationFailure=true
> > # cas.authn.spnego.jcifsNetbiosWins=
> > # cas.authn.spnego.hostNamePatternString=.+
> > # cas.authn.spnego.jcifsUsername=
> > # cas.authn.spnego.useSubjectCredsOnly=false
> > # cas.authn.spnego.jcifsDomainController=
> > # cas.authn.spnego.dnsTimeout=2000
> > # cas.authn.spnego.alternativeRemoteHostAttribute=alternateRemoteHeader
> > # cas.authn.spnego.jcifsDomain=
> > # cas.authn.spnego.ntlm=false
> > cas.authn.spnego.principalWithDomainName=false
> > # cas.authn.spnego.jcifsPassword=
> > cas.authn.spnego.spnegoAttributeName=sAMAccountName
> > # cas.authn.spnego.name=DOMAIN.LAN
> > cas.authn.spnego.principal.principalAttribute=sAMAccountName
> > # cas.authn.spnego.principal.returnNull=false
> >
> > And the section for AD:
> >
> > cas.authn.ldap[1].type=AD
> > cas.authn.ldap[1].ldapUrl=ldap://10.0.0.1
> > cas.authn.ldap[1].useSsl=false
> > cas.authn.ldap[1].useStartTls=false
> > cas.authn.ldap[1].connectTimeout=5000
> > cas.authn.ldap[1].baseDn=DC=DOMAIN1,DC=LAN
> > cas.authn.ldap[1].bindDn=DOMAIN1\\mylogin
> > cas.authn.ldap[1].bindCredential=MyBindPassword
> > cas.authn.ldap[1].principalAttributeId=sAMAccountName
> > cas.authn.ldap[1].principalAttributePassword=unicodePwd
> > cas.authn.ldap[1].principalAttributeList=sAMAccountName,sn,cn,givenName,displayName,mail,memberOf
> > cas.authn.ldap[1].userFilter=(sAMAccountName={user})
> > cas.authn.ldap[1][email protected]
> > cas.authn.ldap[1].allowMultiplePrincipalAttributeValues=true
> > cas.authn.ldap[1].subtreeSearch=true
> > cas.authn.ldap[1].usePasswordPolicy=false
> > cas.authn.ldap[1].failFast=false

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/175b37aa-241e-4bdf-bcd2-68ebb5caf246%40apereo.org.
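The two setups in the thread differ in exactly the places a reviewer would check: Fabrice uses ldaps:// with an explicit trust bundle and keeps bindCredential in a separate application-secrets.yml, while the original cas.properties talks plaintext ldap:// to the domain controller with the bind password and the SPNEGO service password inline, and has kerberosDebug switched on. The following Python linter is an added example, not code from the thread or from the CAS project: it parses a properties fragment modelled on the posted cas.properties (host, realm and the `[email protected]` redactions replaced by the placeholder `HTTP/host@REALM`, passwords kept as the placeholders that were posted) and reports those differences. The property names are the ones quoted above; the checks, their messages, and the `principalAttributePassword` exclusion (that key names the `unicodePwd` attribute, not a secret) are this example's own.

```python
"""Lint the SPNEGO/LDAP settings of a CAS ``cas.properties`` file.

Added example, not code from the thread or from the CAS project.  The
property names are the ones quoted in the thread; the checks and their
messages are this example's own and express the difference between the two
posted setups (ldaps:// with the bind credential in a separate secrets file,
versus plaintext ldap:// with every credential inline).
"""
import re

# Constructed sample: the relevant lines of the posted cas.properties with the
# real host, realm and passwords replaced by placeholders.
SAMPLE_PROPERTIES = r"""
# SPNEGO section
cas.authn.spnego.jcifsServicePrincipal=HTTP/host@REALM
cas.authn.spnego.jcifsServicePassword=MyPassWord
cas.authn.spnego.ntlmAllowed=false
cas.authn.spnego.ipsToCheckPattern=10.+
cas.authn.spnego.kerberosDebug=true
# AD section
cas.authn.ldap[1].type=AD
cas.authn.ldap[1].ldapUrl=ldap://10.0.0.1
cas.authn.ldap[1].useSsl=false
cas.authn.ldap[1].useStartTls=false
cas.authn.ldap[1].bindDn=DOMAIN1\\mylogin
cas.authn.ldap[1].bindCredential=MyBindPassword
cas.authn.ldap[1].principalAttributePassword=unicodePwd
"""

# Keys whose name says they hold a secret.  "principalAttributePassword" names
# an LDAP *attribute* (unicodePwd), not a secret, so keys mentioning an
# attribute are excluded from this heuristic below.
SECRET_KEY = re.compile(r"(password|credential|secret)$", re.IGNORECASE)


def parse_properties(text):
    """Parse Java .properties text into a dict; blanks and comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def is_true(props, key):
    """True when the property exists and is set to 'true' (case-insensitive)."""
    return props.get(key, "false").strip().lower() == "true"


def lint_cas_properties(text):
    """Return sorted (key, message) findings for the settings discussed in the thread."""
    props = parse_properties(text)
    findings = []
    for key, value in props.items():
        if SECRET_KEY.search(key) and "attribute" not in key.lower() and value:
            findings.append((key, "secret stored inline; keep it in a separate, "
                                  "access-restricted secrets file instead"))
        elif key.endswith(".ldapUrl"):
            # The sibling useSsl/useStartTls flags share the key prefix.
            prefix = key[: -len(".ldapUrl")]
            encrypted = (value.lower().startswith("ldaps://")
                         or is_true(props, prefix + ".useSsl")
                         or is_true(props, prefix + ".useStartTls"))
            if not encrypted:
                findings.append((key, "plaintext LDAP without StartTLS; the bind "
                                      "credential and every attribute lookup cross "
                                      "the network unencrypted"))
        elif key.endswith(".kerberosDebug") and value.lower() == "true":
            findings.append((key, "verbose Kerberos debugging enabled; leave it off "
                                  "outside troubleshooting"))
        elif key.endswith(".ntlmAllowed") and value.lower() == "true":
            findings.append((key, "NTLM fallback accepted alongside Kerberos"))
        elif key.endswith(".ipsToCheckPattern") and value == ".*":
            findings.append((key, "SPNEGO negotiation attempted for every client "
                                  "address"))
    return sorted(findings)


if __name__ == "__main__":
    for key, message in lint_cas_properties(SAMPLE_PROPERTIES):
        print(f"{key}: {message}")
```

Run against the sample it reports four findings: the inline bindCredential, the plaintext ldapUrl, the inline jcifsServicePassword and kerberosDebug=true; `principalAttributePassword=unicodePwd` is correctly left alone. Fabrice's YAML would trip only the `.*` check, which is informational. The linter is deliberately name-based and knows nothing about how CAS actually applies ipsToCheckPattern, so treat that last finding as a prompt to read the CAS documentation rather than a verdict.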
