Dear all,

Actually forwarding a question I asked at the uPortal user list; someone here might be able to guide me with this. I want to know if it is possible to construct a complex LDAP query to filter users based on anything other than something of the type "CN=u%,OU=testou,DC=somedomain,DC=com" when using FastBindLdapAuthenticationHandler. Or if I should be using the BindLdapAuthenticationHandler, and if it would be possible to use proper LDAP filters with it.

Thank you

From: James Wennmacher [mailto:[email protected]]
Sent: 19 September 2013 01:29
To: George Beitis
Cc: [email protected]
Subject: Re: [uportal-user] LDAP - AD Authentication

I assume you mean the configuration of filter on org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler mentioned on https://wiki.jasig.org/display/UPM40/Configuring+the+Bundled+CAS+Server+to+Authenticate+Against+LDAP. Per https://wiki.jasig.org/display/CASUM/LDAP that is a string used to construct the DN that is used to bind to the LDAP server. The page also references another handler, BindLdapAuthenticationHandler, that looks like it might use an LDAP filter to search first, then bind afterward. If you have other questions the CAS user group would probably be better at answering them as they maintain that code. I hope that helps.

James Wennmacher - Unicon
480.558.2420

On 09/16/2013 10:23 PM, George Beitis wrote:

Hi James,

That makes things clearer, thank you! I have another question regarding filters used for LDAP authentication: are these filters proper LDAP queries? The only thing I can get working as a filter is along the lines of "CN=u%,OU=testou,DC=somedomain,DC=com", but I can't use the sAMAccountName, for example, or even a joint query of any sort. Any help on this?

George

From: James Wennmacher [mailto:[email protected]]
Sent: 13 September 2013 22:11
To: [email protected]
Cc: George Beitis
Subject: Re: [uportal-user] LDAP - AD Authentication

Do you have an external CAS server to authenticate against? If you have an external CAS server, modify the filters/<environment>.properties to have the URL of the external CAS server. That CAS server would need to be configured to authenticate against LDAP. It sounds though that you don't have an external CAS server and you are using uPortal to present a login form that you want authenticated against AD.

deployerConfigContext.xml is to configure the internal CAS server to authenticate against a source (internal database, or in your case an external LDAP). ldapContext.xml sets up an LDAP context that can be used by the internal login page to authenticate against. It also sets up an ldapContext that the PersonDirectory uses to obtain person attributes for the logged-in person. If I'm understanding you, you would want both of these to refer to LDAP as these are separate processes. You've probably already referred to these, but for more information, see
https://wiki.jasig.org/display/UPM40/CAS
https://wiki.jasig.org/display/UPM40/Active+Directory
https://wiki.jasig.org/display/UPM40/Default+Person+Directory+configuration
https://wiki.jasig.org/display/UPM40/LDAP+User+Attribute+Sources

Note that the internal CAS server isn't really providing CAS SSO capability for you (you'd use an external CAS server for that) but simply a login page, so you could just display the internal login portlet on your guest/unauthenticated page to request username/password and have the login portlet authenticate against AD. See Step 6 at https://wiki.jasig.org/display/UPM40/Active+Directory. I hope this clarifies things.

James Wennmacher
Unicon
480.558.2420

On 09/13/2013 12:38 AM, George Beitis wrote:

Dear all,

I need something clarified. When authenticating against an Active Directory server, we are given 2 options: either CAS or what appears to be the inbuilt method. I somehow configured both, so I'm not sure which one is doing what. I am directed to the /cas/login page, which I assume takes precedence. Is my assumption correct? Should I remove all configuration from the ldapContext.xml file? Or stick to the configuration there and remove all configuration from the deployerConfigContext.xml overlay file? And if so, where will the user be logging in from? The same CAS page?

Regards
George

--
You are currently subscribed to [email protected] as: [email protected]. To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/uportal-user

--
You are currently subscribed to [email protected] as: [email protected]. To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
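The two handler styles discussed in the thread, as an added example in Python that is not CAS code and not from any participant: a DN template of the kind the fast-bind handler takes (only one RDN can vary, so there is no way to select on sAMAccountName) beside a genuine LDAP search filter followed by a bind, which is what the search-first handler does. It assumes the CAS 3.x convention that `%u` in the handler's filter property is replaced with the submitted username, uses a constructed in-memory directory in place of Active Directory, and includes a deliberately tiny filter evaluator (equality, `*` wildcard, `&`, `|`). Whether CAS itself escapes the username is not shown on this page, so the example escapes it explicitly and shows what an unescaped `*` would do to a search-then-bind flow.

```python
"""Fast-bind DN templates vs. search-then-bind LDAP filters.

Added example, not CAS code. Assumes the CAS 3.x convention that '%u' in the
handler's filter property is replaced with the submitted username; DIRECTORY is
a constructed stand-in for Active Directory.
"""
import re

# RFC 4514 section 2.4: characters that need a backslash inside a DN attribute value.
_DN_SPECIALS = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape a value for insertion into a DN (what a fast-bind template needs)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        elif ord(ch) < 0x20:
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def escape_filter_value(value: str) -> str:
    """Escape a value for insertion into a search filter (RFC 4515 section 3)."""
    repl = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}
    return ''.join(repl.get(ch, ch) for ch in value)


def fast_bind_dn(template: str, username: str) -> str:
    """FastBind style: the 'filter' is a DN template, so only one RDN can vary."""
    return template.replace('%u', escape_dn_value(username))


def search_filter(template: str, username: str) -> str:
    """Search-then-bind style: the 'filter' is a genuine LDAP filter."""
    return template.replace('%u', escape_filter_value(username))


# Constructed sample directory: DN -> attributes. Not real data.
DIRECTORY = {
    'CN=George Beitis,OU=testou,DC=somedomain,DC=com':
        {'sAMAccountName': 'gbeitis', 'objectClass': 'user', 'userPassword': 's3cret'},
    'CN=Jane Doe,OU=otherou,DC=somedomain,DC=com':
        {'sAMAccountName': 'jdoe', 'objectClass': 'user', 'userPassword': 'hunter2'},
}


def _unescape(raw: str) -> str:
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), raw)


def _matcher(raw: str):
    """An unescaped '*' is a wildcard; an escaped '\\2a' is a literal asterisk."""
    parts = [re.escape(_unescape(p)) for p in raw.split('*')]
    return re.compile('^' + '.*'.join(parts) + '$', re.IGNORECASE)


def _parse(filt: str, pos: int = 0):
    """Minimal RFC 4515 parser: (attr=value), (&...), (|...)."""
    if filt[pos] != '(':
        raise ValueError('expected ( at %d' % pos)
    pos += 1
    if filt[pos] in '&|':
        op, pos, children = filt[pos], pos + 1, []
        while filt[pos] != ')':
            node, pos = _parse(filt, pos)
            children.append(node)
        return (op, children), pos + 1
    end = filt.index(')', pos)
    attr, raw = filt[pos:end].split('=', 1)
    return ('=', attr.lower(), _matcher(raw)), end + 1


def _matches(node, attrs) -> bool:
    if node[0] == '&':
        return all(_matches(c, attrs) for c in node[1])
    if node[0] == '|':
        return any(_matches(c, attrs) for c in node[1])
    _, attr, rx = node
    val = next((v for k, v in attrs.items() if k.lower() == attr), None)
    return val is not None and rx.match(val) is not None


def search(base: str, filt: str) -> list:
    """Return the DNs under `base` whose attributes satisfy `filt`."""
    tree, _ = _parse(filt)
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base.lower()) and _matches(tree, attrs)]


def bind(dn: str, password: str) -> bool:
    """Simple bind: succeeds only for an existing DN with the matching password."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry['userPassword'] == password


def search_then_bind(base: str, template: str, username: str, password: str):
    """Resolve the DN by filter, then bind as it; refuse zero or several matches."""
    hits = search(base, search_filter(template, username))
    if len(hits) != 1:
        return None
    return hits[0] if bind(hits[0], password) else None
```

With the search-first approach the filter can be anything the directory accepts, for example `(&(sAMAccountName=%u)(objectClass=user))` under a search base, which is exactly what a DN template cannot express. The two escaping routines differ because the username lands in two different grammars: commas and equals signs matter in a DN, while parentheses and asterisks matter in a filter. Refusing to bind on anything but exactly one hit matters too: a username of `*` that reaches the filter unescaped matches every entry, and picking the first one would bind as an arbitrary account.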
