The values are very similar to what I used in my vanilla LDAP code. I should be able to make this work.
I assume that for the search base it is expecting something in the format "OU=...,DC=...,DC=com", with just the domain at first, but using the OU bits to make the search quicker?

Also, I am kind of curious... what is the purpose of using a separate account to connect to Active Directory? In my code I didn't need it; I used the user's username and password to connect to AD... if it failed, then he 'obviously' wasn't authorized. I did use a 'connecting' username/password only when the app needed to retrieve user details like displayName, email and phone number *after* authentication succeeded.

Thanks,
b.

________________________________
From: Andrew Feller [mailto:[email protected]]
Sent: Friday, February 20, 2009 8:32 AM
To: [email protected]
Subject: Re: [cas-user] CAS 3 problem

Bruno,

Here you go; here is an excerpt on how to configure LDAP AD. This would be included in your deployerConfigContext.xml.

A-

    <!--
      LDAP Authentication Handler used to authenticate against Lotus Domino
      Scope Values (javax.naming.directory.SearchControls):
        OBJECT_SCOPE   (0)
        ONELEVEL_SCOPE (1)
        SUBTREE_SCOPE  (2)
    -->
    <bean id="ldapActiveDirectory"
          class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
      <property name="filter" value="sAMAccountName=%u" />
      <property name="searchBase" value="<your search base here>" />
      <property name="contextSource" ref="contextSourceActiveDirectory" />
      <property name="scope" value="2" />
      <property name="timeout" value="120" />
      <property name="ignorePartialResultException" value="yes" />
    </bean>
    <!-- the three closing tags below end the enclosing authenticationHandlers
         <list>, its <property> and the authenticationManager <bean> that this
         excerpt was cut out of -->
        </list>
      </property>
    </bean>

    <bean id="contextSourceActiveDirectory"
          class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
      <property name="pooled" value="true" />
      <property name="urls">
        <list>
          <value>ldaps://activedirectory1.example.com</value>
          <value>ldaps://activedirectory2.example.com</value>
        </list>
      </property>
      <property name="userName"
                value="distinguished name of account to connect to Active Directory server" />
      <property name="password"
                value="password for userName to log into Active Directory server" />
      <property name="baseEnvironmentProperties">
        <map>
          <entry>
            <key><value>java.naming.security.authentication</value></key>
            <value>simple</value>
          </entry>
        </map>
      </property>
    </bean>

On 2/20/09 8:09 AM, "Bruno Melloni" <[email protected]> wrote:

Hi Li,

I hit similar difficulties trying to understand how to configure CAS for LDAP authentication against ActiveDirectory. In the end I found it easier to write my own Authentication Handler and plain vanilla LDAP search code.

You are doing the right thing by trying to use the CAS LDAP authentication handler, as it is a much more robust answer than any custom handler can be. But if you can't figure out how to configure the LDAP Authenticator properly, let me know; I'd be happy to share my code and configuration. It is very primitive, but reliable and easy to use.

b.

________________________________
From: Andrew Feller [mailto:[email protected]]
Sent: Friday, February 20, 2009 7:40 AM
To: [email protected]
Subject: Re: [cas-user] CAS 3 problem

Li,

I think this might be a misconfiguration issue. When configuring your LDAP Context & Authentication Handler, you can set how deep beneath the searchBase to search. If you are like the rest of us, you probably don't have all user entries within a single base, so you need to configure the scope to search subtrees. Without more info, this is my best knee-jerk reaction.

Hope it helps,
A-

    <!--
      LDAP Authentication Handler used to authenticate against Lotus Domino
      Scope Values (javax.naming.directory.SearchControls):
        OBJECT_SCOPE   (0)
        ONELEVEL_SCOPE (1)
        SUBTREE_SCOPE  (2)
    -->
    <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
          p:filter="uid=%u"
          p:searchBase="o=whatever"
          p:contextSource-ref="contextSource"
          p:scope="2"
          p:timeout="120" />

CAS Wiki: http://www.ja-sig.org/wiki/display/CASUM/LDAP

On 2/20/09 2:27 AM, "Raghu Ravi" <[email protected]> wrote:

Hi Li,

Could you give more detail on the error; the server log will do.

On Fri, Feb 20, 2009 at 5:55 AM, Li Zhang <[email protected]> wrote:

Hi,

I've installed CAS 3.3.1 server on my machine. Now I only can use my own credentials to login. Other persons on the same LDAP server cannot login using CAS. What could be the problem? Is that a certificate issue?

Thanks.
Li

--
Andrew Feller, Analyst
LSU University Information Services
200 Frey Computing Services Center
Baton Rouge, LA 70803
Office: 225.578.3737
Fax: 225.578.6400

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
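The thread turns on three things the bind handler's configuration controls: how far below searchBase the scope reaches (Andrew's point that users spread over several OUs need scope 2), why a separate service account is needed at all (Bruno's question), and what happens to the username that is substituted into the filter. The simulation below is an added example, not code from the thread or from CAS itself; it models the bind-then-search flow over a constructed in-memory directory (the example.com OUs, the svc-cas account and all passwords are invented), so it runs offline and makes each of those points observable. Two defender-side details it also shows: the username is escaped per RFC 4515 before substitution, so a value like "*" cannot widen the search, and an empty password is refused before any bind, because an LDAP simple bind with a DN and no password is an unauthenticated bind that many servers accept.

```python
import re

# javax.naming.directory.SearchControls scope constants quoted in the excerpt.
OBJECT_SCOPE, ONELEVEL_SCOPE, SUBTREE_SCOPE = 0, 1, 2

# Constructed directory (hypothetical example.com forest): DN -> (attributes, password).
# Plaintext passwords exist only so the simulated bind can be checked.
DIRECTORY = {
    "CN=svc-cas,OU=Service Accounts,DC=example,DC=com":
        ({"sAMAccountName": "svc-cas"}, "service-secret"),
    "CN=Jane Doe,OU=Staff,DC=example,DC=com":
        ({"sAMAccountName": "jdoe", "displayName": "Jane Doe"}, "jane-pw"),
    "CN=Li Zhang,OU=Students,OU=People,DC=example,DC=com":
        ({"sAMAccountName": "lzhang", "displayName": "Li Zhang"}, "li-pw"),
}
SERVICE_DN = "CN=svc-cas,OU=Service Accounts,DC=example,DC=com"


def dn_components(dn):
    """Split a DN into its RDNs, most specific first; AD DNs are case-insensitive."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(entry_dn, search_base, scope):
    """Decide whether an entry is reachable from search_base at the given scope."""
    entry, base = dn_components(entry_dn), dn_components(search_base)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False                      # not under the base at all
    depth = len(entry) - len(base)        # 0 = the base itself, 1 = direct child, ...
    if scope == OBJECT_SCOPE:
        return depth == 0
    if scope == ONELEVEL_SCOPE:
        return depth == 1
    if scope == SUBTREE_SCOPE:
        return True
    raise ValueError(f"unknown scope {scope}")


def escape_filter_value(value):
    """RFC 4515 escaping: the username must not be able to change filter structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def build_filter(template, username):
    """Fill the %u placeholder of a CAS-style filter template with an escaped username."""
    return template.replace("%u", escape_filter_value(username))


def _pattern_to_regex(pattern):
    """Turn an LDAP assertion value (with * wildcards and \\xx escapes) into a regex."""
    parts, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 2 < len(pattern):
            parts.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))
            i += 3
        elif c == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(c))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE)


def search(directory, base, scope, ldap_filter):
    """Return the DNs under base (at scope) whose attribute matches a simple attr=value filter."""
    attr, pattern = ldap_filter.strip("()").split("=", 1)
    rx = _pattern_to_regex(pattern)
    return [dn for dn, (attrs, _) in directory.items()
            if in_scope(dn, base, scope) and attr in attrs and rx.fullmatch(attrs[attr])]


def simple_bind(directory, dn, password):
    """Simulated simple bind; an empty password is refused outright (see lead-in)."""
    if not password:
        return False
    entry = directory.get(dn)
    return entry is not None and entry[1] == password


def authenticate(directory, service_dn, service_pw, base, scope, filter_template,
                 username, password):
    """Bind-then-search flow: returns the user's DN on success, None otherwise."""
    # 1. The handler binds as the service account so that it is allowed to search;
    #    the user's DN is not known yet, which is why a separate account is needed.
    if not simple_bind(directory, service_dn, service_pw):
        raise RuntimeError("service account bind failed")
    # 2. Resolve the username to exactly one DN within the configured base and scope.
    matches = search(directory, base, scope, build_filter(filter_template, username))
    if len(matches) != 1:
        return None
    # 3. Bind as the located DN with the password the user supplied.
    return matches[0] if simple_bind(directory, matches[0], password) else None


if __name__ == "__main__":
    args = (DIRECTORY, SERVICE_DN, "service-secret")
    print(authenticate(*args, "DC=example,DC=com", SUBTREE_SCOPE, "sAMAccountName=%u", "lzhang", "li-pw"))
    print(authenticate(*args, "OU=People,DC=example,DC=com", ONELEVEL_SCOPE, "sAMAccountName=%u", "lzhang", "li-pw"))
```

Running it shows Li's account resolving under a subtree search from the domain root, failing to resolve under a one-level search from OU=People because the entry sits one OU deeper, and never authenticating with an empty password. Comparing search() with the raw filter "sAMAccountName=*" against the escaped one produced by build_filter() shows why the escaping step matters: the former matches every account under the base, the latter matches only a literal asterisk.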
