E.g. my login user on the Microsoft network is dlwhitehurst. When I use "dlwhitehurst" in the CAS login, it's ultimately passed to AD as the sAMAccountName=%u.

Also, if you have an expert for AD, it would be beneficial to work together with that individual.

David

On Thu, May 28, 2009 at 8:34 AM, Michael A Jones <[email protected]> wrote:
> Hi there,
>
> I think I might have tracked down the cause of my problems with CAS and
> AD. The connection context side is ok now. I am using a bind security
> context with a service account. It looks like an issue now with user
> attributes being populated to AD from my IDM system, so it's not
> necessarily a CAS issue anymore. Worth reporting though I think.
> I need some help tracking down which attributes I should be using. From
> IDM I am populating the following in AD:
>
> givenName
> sn
> title
> eduPersonAfilliation
> eduPersonCourseName
> mail
> userPassword
> cn
>
> I am populating the cn and assumed this would be the userid to be used
> for CAS and the userPassword, as the password in CAS. However this isn't
> the case. I created a test user from the AD console and this user is
> authenticating ok in CAS. For this user the userid is a concatenation of
> the firstname then initials then a period/fullstop and then the
> lastname. Then the password is the password that I set in the AD console
> user creation wizard.
>
> This combination works ok for this user. I have tried the same format of
> login credentials for my other users, but not getting any success. It
> seems the Username or Password or both not being populated in the same
> way based on my attributes by my IDM system. I am quite new to AD in
> general so I am not sure where to start as yet on investigating this
> issue.
>
> Comments appreciated.
>
> Regards
>
> Mike Jones
>
> Identity Management Systems Administrator
> IT Systems
> University of Hull
>
> Tel: 01482 465549
> Email: [email protected]
>
>
> -----Original Message-----
> From: Marvin Addison [mailto:[email protected]]
> Sent: 27 May 2009 15:14
> To: [email protected]
> Subject: Re: [cas-user] Problem authenticating with CAS to Active Directory
>
> Again, I believe it would be helpful to clarify a few things:
>
> - Administrator is a service account in this case. (It is by all
>   measures a poor choice, but meets the criteria.)
> - The username/password properties in your contextSource bean are
>   _not used_ with the fast bind handler.
> - If you need to use a service account to search for users, you need
>   to use BindLdapAuthenticationHandler.
>
> If all the users you wish to authenticate have DNs like
> [email protected],OU=Identities,DC=ExampleOrganization,DC=local,
> then you should be able to use FastBindLdapAuthenticationHandler as
> follows:
>
> <bean
>   class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
>   <!-- %u is replaced with the username typed into the CAS login form -->
>   <property
>     name="filter"
>     value="cn=%u,ou=Identities,dc=ExampleOrganization,dc=local" />
>   <property name="contextSource" ref="contextSource" />
> </bean>
>
> <bean id="contextSource"
>   class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
>   <property name="urls">
>     <list>
>       <value>ldap://198.168.0.1</value>
>     </list>
>   </property>
>   <property name="baseEnvironmentProperties">
>     <map>
>       <entry key="java.naming.security.authentication" value="simple" />
>     </map>
>   </property>
> </bean>
>
> (Note org.springframework.ldap.core.support.LdapContextSource replaces
> org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource as of
> CAS 3.3.2.)
>
> Assuming [email protected] is a valid CN, you should be able to
> authenticate with that username.
>
> Testing with LDP is the way to go. If you can bind with a DN in LDP,
> the same settings will work in CAS.
> Spend your time testing with LDP
> until you get a DN/password pair that works, then come back to CAS and
> test.
>
> M
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user

--
David L. Whitehurst
http://www.capehenrytech.com
… Providing software instruction through a sea of Technology.
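The difference between the two handlers discussed in this thread, as an added example that is not part of the original posts or of CAS itself. It simulates a tiny in-memory directory (constructed placeholder entries) so the failure Mike describes is visible: a fast bind builds the DN from the template, so a cn template only works when cn is the login name, whereas a search on sAMAccountName followed by a bind as the found DN works for IDM-provisioned users whose cn is a display name. The escaping helpers show what a client should do to the %u value before substituting it into a DN or filter.

```python
import re

# Constructed sample "AD" (placeholder entries, not a real directory), keyed by
# lower-cased DN because DN comparison is case-insensitive. The console-created
# user has cn == login name; the IDM-provisioned user has a display-name cn and
# carries the login name only in sAMAccountName.
BASE = "ou=identities,dc=exampleorganization,dc=local"
DIRECTORY = {
    "cn=john.smith," + BASE: {"cn": "john.smith", "sAMAccountName": "john.smith",
                              "userPassword": "pw-console"},
    "cn=mike jones," + BASE: {"cn": "Mike Jones", "sAMAccountName": "mjones",
                              "userPassword": "pw-idm"},
}

def escape_dn_value(value):
    """RFC 4514 escaping for a username substituted into a DN template (%u)."""
    return re.sub(r'([\\,+"<>;=])', r'\\\1', value)

def escape_filter_value(value):
    """RFC 4515 escaping for a username substituted into a search filter (%u)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def simple_bind(dn, password):
    """Stand-in for the server-side simple bind: DN must exist and password match."""
    entry = DIRECTORY.get(dn.lower())
    return entry is not None and entry["userPassword"] == password

def search(filter_str):
    """Stand-in for the service-account search; supports one attr=value filter."""
    attr, _, value = filter_str.partition("=")
    value = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return [dn for dn, e in DIRECTORY.items() if e.get(attr) == value]

def fast_bind_handler(dn_template, username, password):
    """FastBindLdapAuthenticationHandler: no search; the DN is built from the
    template and bound directly, so the template attribute must be the login name."""
    return simple_bind(dn_template.replace("%u", escape_dn_value(username)), password)

def bind_ldap_handler(filter_template, username, password):
    """BindLdapAuthenticationHandler: search as the service account, then bind
    as the single matching DN; zero or several matches are refused."""
    hits = search(filter_template.replace("%u", escape_filter_value(username)))
    return len(hits) == 1 and simple_bind(hits[0], password)

CN_TEMPLATE = "cn=%u," + BASE

if __name__ == "__main__":
    print(fast_bind_handler(CN_TEMPLATE, "john.smith", "pw-console"))  # True
    print(fast_bind_handler(CN_TEMPLATE, "mjones", "pw-idm"))          # False, cn != login
    print(bind_ldap_handler("sAMAccountName=%u", "mjones", "pw-idm"))  # True
```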
