Bruno,

Yes, the search base is a distinguishing name of where to begin searching
within your AD LDAP directory.

As for the separate account, our AD installation doesn't allow anonymous
querying, so you have to use a service account.  If your installation
doesn't care, then you can simply configure it to do anonymous querying.
You can do this by setting the "anonymousReadOnly" property of the
ContextSource:

        <bean id="contextSourceActiveDirectory"
              class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
                <property name="pooled" value="true"/>
                <property name="urls">
                        <list>
                                <value>ldaps://activedirectory1.example.com</value>
                                <value>ldaps://activedirectory2.example.com</value>
                        </list>
                </property>
                <property name="anonymousReadOnly" value="true" />
                <property name="baseEnvironmentProperties">
                        <map>
                                <entry>
                                        <key><value>java.naming.security.authentication</value></key>
                                        <value>simple</value>
                                </entry>
                        </map>
                </property>
        </bean>
A-
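As an added example (not code from this thread or from CAS itself), here is a small Python model of the searchBase/scope lookup and the "%u" filter substitution discussed in this thread: it shows why scope 1 finds only users directly under the base while scope 2 finds users in nested OUs. The in-memory directory, the bind flow and the RFC 4515 escaping of the username are assumptions for the demonstration, not CAS behaviour.

```python
# Added example, not code from this thread or from CAS itself. It models the
# searchBase + scope lookup BindLdapAuthenticationHandler performs before the
# bind (assumed flow) on a constructed in-memory directory, showing why scope 2
# is needed for users in nested OUs, and escapes %u per RFC 4515 (assumed).

OBJECT_SCOPE, ONELEVEL_SCOPE, SUBTREE_SCOPE = 0, 1, 2

# Constructed sample directory: one user directly under the base, one nested.
DIRECTORY = {
    "OU=Staff,DC=example,DC=com": {"objectClass": "organizationalUnit"},
    "CN=Li Zhang,OU=Staff,DC=example,DC=com": {"sAMAccountName": "li"},
    "CN=Bruno Melloni,OU=Contractors,OU=Staff,DC=example,DC=com": {"sAMAccountName": "bruno"},
}

def dn_parts(dn):
    # Lower-cased RDN list, e.g. ["cn=li zhang", "ou=staff", "dc=example", "dc=com"]
    return [part.strip().lower() for part in dn.split(",")]

def in_scope(entry_dn, base_dn, scope):
    entry, base = dn_parts(entry_dn), dn_parts(base_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False                  # entry is not under the search base at all
    depth = len(entry) - len(base)
    if scope == OBJECT_SCOPE:
        return depth == 0
    if scope == ONELEVEL_SCOPE:
        return depth == 1
    return True                       # SUBTREE_SCOPE: the base and everything below it

def escape_filter_value(value):
    # RFC 4515 escaping: wildcards and parentheses in a username are matched literally
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)

def build_filter(template, username):
    return template.replace("%u", escape_filter_value(username))

def find_user_dn(base_dn, scope, template, username, directory=DIRECTORY):
    """Return the DN CAS would bind with, or None when no entry is in scope."""
    attr, _, wanted = build_filter(template, username).partition("=")
    for dn, attrs in directory.items():
        if in_scope(dn, base_dn, scope) and attr in attrs \
                and escape_filter_value(attrs[attr]) == wanted:
            return dn
    return None

if __name__ == "__main__":
    base = "OU=Staff,DC=example,DC=com"
    for scope in (ONELEVEL_SCOPE, SUBTREE_SCOPE):      # scope 1 misses bruno, scope 2 finds him
        print(scope, find_user_dn(base, scope, "sAMAccountName=%u", "bruno"))
```

With scope 1 the nested user is never found, which is the "only my own account can log in" symptom from the start of the thread; with scope 2 both users resolve.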

On 2/20/09 8:54 AM, "Bruno Melloni" <[email protected]> wrote:

> The values are very similar to what I used in my vanilla LDAP code.  I should
> be able to make this work.
>  
> I assume that for the search base it is expecting something in the format
> "OU=…,DC=…,DC=com", with just the domain at first but use the OU bits to make
> the search quicker?
>  
> Also, I am kind of curious… what is the purpose of using a separate account to
> connect to Active Directory?  In my code I didn't need it, I used the user's
> username and password to connect to AD… if it failed, then he 'obviously'
> wasn't authorized.  I did use a 'connecting' username/password only when the
> app needed to retrieve user details like displayName, email and phone number
> *after* authentication succeeded.
>  
> Thanks,
>  
> b.
>  
> 
> 
> From: Andrew Feller [mailto:[email protected]]
> Sent: Friday, February 20, 2009 8:32 AM
> To: [email protected]
> Subject: Re: [cas-user] CAS 3 problem
>  
> Bruno,
> 
> Here you go; here is an excerpt on how to configure LDAP AD.  This would be
> included in your deployerConfigContext.xml.
> 
> A-
>                                 <!--
>                                   LDAP Authentication Handler used to authenticate against Lotus Domino
>                                   Scope Values (javax.naming.directory.SearchControls):
>                                         OBJECT_SCOPE (0)
>                                         ONELEVEL_SCOPE (1)
>                                         SUBTREE_SCOPE (2)
>                                   -->
>                                 <bean id="ldapActiveDirectory"
>                                       class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler" >
>                                         <property name="filter" value="sAMAccountName=%u" />
>                                         <property name="searchBase" value="<your search base here>" />
>                                         <property name="contextSource" ref="contextSourceActiveDirectory" />
>                                         <property name="scope" value="2" />
>                                         <property name="timeout" value="120" />
>                                         <property name="ignorePartialResultException" value="yes" />
>                                 </bean>
>                         </list>
>                 </property>
>         </bean>
>         <bean id="contextSourceActiveDirectory"
>               class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
>                 <property name="pooled" value="true"/>
>                 <property name="urls">
>                         <list>
>                                 <value>ldaps://activedirectory1.example.com</value>
>                                 <value>ldaps://activedirectory2.example.com</value>
>                         </list>
>                 </property>
>                 <property name="userName" value="distinguishing name of account to connect to Active Directory server" />
>                 <property name="password" value="password for userName to log into Active Directory server" />
>                 <property name="baseEnvironmentProperties">
>                         <map>
>                                 <entry>
>                                         <key><value>java.naming.security.authentication</value></key>
>                                         <value>simple</value>
>                                 </entry>
>                         </map>
>                 </property>
>         </bean>
> 
> 
> On 2/20/09 8:09 AM, "Bruno Melloni" <[email protected]> wrote:
> Hi Li,
>  
> I hit similar difficulties trying to understand how to configure CAS for LDAP
> authentication against ActiveDirectory.  In the end I found it easier to write
> my own Authentication Handler and plain vanilla LDAP search code.
>  
> You are doing the right thing by trying to use the CAS LDAP authentication
> handler, as it is a much more robust answer than any custom handler can be.
> But if you can't figure out how to configure the LDAP Authenticator properly,
> let me know I'd be happy to share my code and configuration.  It is very
> primitive, but reliable and easy to use.
>  
> b.
>  
> 
> 
> From: Andrew Feller [mailto:[email protected]]
> Sent: Friday, February 20, 2009 7:40 AM
> To: [email protected]
> Subject: Re: [cas-user] CAS 3 problem
> 
> Li,
> 
> I think this might be a misconfiguration issue.  When configuring your LDAP
> Context & Authentication Handler, you can set how deep beneath the searchBase
> to search.  If you are like the rest of us, you probably don't have all user
> entries within a single base, so you need to configure the scope to search
> subtrees.  Without more info, this is my best knee jerk reaction.
> 
> Hope it helps,
> A-
> 
> <!--
>     LDAP Authentication Handler used to authenticate against Lotus Domino
>     Scope Values (javax.naming.directory.SearchControls):
>         OBJECT_SCOPE (0)
>         ONELEVEL_SCOPE (1)
>         SUBTREE_SCOPE (2)
>   -->
> <bean
>       class="org.jasig.cas.authentication.handler.support.BindLdapAuthenticationHandler"
>       p:filter="uid=%u"
>       p:searchBase="o=whatever"
>       p:contextSource-ref="contextSource"
>       p:scope="2"
>       p:timeout="120" />
> 
> CAS Wiki: http://www.ja-sig.org/wiki/display/CASUM/LDAP
> 
> 
> 
> On 2/20/09 2:27 AM, "Raghu Ravi" <[email protected]> wrote:
> Hi Li,
>         Could you give more detail on the error, the server log will do.
> 
> On Fri, Feb 20, 2009 at 5:55 AM, Li Zhang <[email protected]> wrote:
> Hi,
>  
> I've installed CAS 3.3.1 server on my machine.
> Now I only can use my own credentials to login.
> Other persons on the same LDAP server can
> not login using CAS. What could be the problem?
> Is that a certificate issue ?
>  
>  
> Thanks.
>  
> Li 
> 
> 
> -- 
> Andrew Feller, Analyst
> LSU University Information Services
> 200 Frey Computing Services Center
> Baton Rouge, LA 70803
> Office: 225.578.3737
> Fax: 225.578.6400

