Hi there,
I think I might have tracked down the cause of my problems with CAS and
AD. The connection context side is ok now. I am using a bind security
context with a service account. It looks like an issue now with user
attributes being populated to AD from my IDM system, so it's not
necessarily a CAS issue anymore. Worth reporting though I think.
I need some help tracking down which attributes I should be using. From
IDM I am populating the following in AD:
givenName
sn
title
eduPersonAfilliation
eduPersonCourseName
mail
userPassword
cn
I am populating the cn and assumed this would be the userid to be used
for CAS, and the userPassword the password in CAS. However, this isn't
the case. I created a test user from the AD console and this user is
authenticating ok in CAS. For this user the userid is a concatenation of
the firstname then initials then a period/fullstop and then the
lastname. Then the password is the password that I set in the AD console
user creation wizard.
This combination works ok for this user. I have tried the same format of
login credentials for my other users, but am not getting any success. It
seems the Username or Password or both are not being populated in the
same way based on my attributes by my IDM system. I am quite new to AD in
general so I am not sure where to start as yet on investigating this
issue.
Comments appreciated.
Regards
Mike Jones
Identity Management Systems Administrator
IT Systems
University of Hull
Tel: 01482 465549
Email: [email protected]
-----Original Message-----
From: Marvin Addison [mailto:[email protected]]
Sent: 27 May 2009 15:14
To: [email protected]
Subject: Re: [cas-user] Problem authenticating with CAS to Active Directory
Again, I believe it would be helpful to clarify a few things:
- Administrator is a service account in this case. (It is by all
measures a poor choice, but meets the criteria.)
- The username/password properties in your contextSource bean are
_not used_ with the fast bind handler.
- If you need to use a service account to search for users, you need
to use BindLdapAuthenticationHandler.
If all the users you wish to authenticate have DNs like
[email protected],OU=Identities,DC=ExampleOrganization,DC=local,
then you should be able to use FastBindLdapAuthenticationHandler as
follows:
<bean
  class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
  <property name="filter"
    value="cn=%u,ou=Identities,dc=ExampleOrganization,dc=local" />
  <property name="contextSource" ref="contextSource" />
</bean>
<bean id="contextSource"
  class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
  <property name="urls">
    <list>
      <value>ldap://198.168.0.1</value>
    </list>
  </property>
  <property name="baseEnvironmentProperties">
    <map>
      <entry key="java.naming.security.authentication" value="simple" />
    </map>
  </property>
</bean>
(Note org.springframework.ldap.core.support.LdapContextSource replaces
org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource as of
CAS 3.3.2.)
Assuming [email protected] is a valid CN, you should be able to
authenticate with that username.
Testing with LDP is the way to go. If you can bind with a DN in LDP,
the same settings will work in CAS. Spend your time testing with LDP
until you get a DN/password pair that works, then come back to CAS and
test.
M
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
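As an added example (not part of this thread and not CAS's own code), a small Python script that renders the bind DN a fast-bind filter such as the one quoted above produces for a given username, escaping the value per RFC 4514 so a username containing commas or equals signs cannot alter the DN, and optionally attempts a simple bind with it, which is the same DN/password check Marvin suggests doing in LDP. Assumptions: the escaping is this example's own defensive choice rather than a statement about how CAS substitutes %u, and the bind helper needs the third-party ldap3 package and a reachable directory server.

```python
"""Render the bind DN that a CAS fast-bind filter template like
"cn=%u,ou=Identities,dc=ExampleOrganization,dc=local" yields for a
username, then optionally try a simple bind with it (as one would in LDP).
"""
from __future__ import annotations

# Characters that must be backslash-escaped inside an RDN value (RFC 4514 2.4).
_SPECIAL = {',', '+', '"', '\\', '<', '>', ';', '='}


def escape_rdn_value(value: str) -> str:
    """Escape a single attribute value for safe use inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:          # leading '#' would start a hex string
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):  # leading/trailing spaces
            out.append('\\ ')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def render_bind_dn(filter_template: str, username: str) -> str:
    """Substitute %u in the CAS filter template with the escaped username."""
    if not username:
        raise ValueError("username must not be empty")
    if '%u' not in filter_template:
        raise ValueError("filter template must contain %u")
    return filter_template.replace('%u', escape_rdn_value(username))


def try_simple_bind(url: str, dn: str, password: str) -> tuple[bool, str]:
    """Attempt a simple bind with dn/password; needs the 'ldap3' package (assumed).

    Returns (success, server result description or error text).
    """
    from ldap3 import Connection, Server, SIMPLE   # lazy import: module loads offline
    from ldap3.core.exceptions import LDAPException
    try:
        conn = Connection(Server(url), user=dn, password=password,
                          authentication=SIMPLE, raise_exceptions=False)
        ok = conn.bind()
        desc = conn.result.get('description', '') if conn.result else ''
        conn.unbind()
        return ok, desc
    except LDAPException as exc:
        return False, str(exc)
```

Run `render_bind_dn` against your own filter and the exact value you expect in cn to see the DN CAS will bind with; if `try_simple_bind` returns False for that DN with the user's password, the problem is in the directory data, not in CAS.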