Thank you, Marvin.

Our environment does have the username in the CN field, but also in 
sAMAccountName.  I changed the User-search-filter to sAMAccountName and it made 
no difference.

I do have what is likely a stupid question.  Is the Group-search-base supposed 
to stop at an OU?  I took mine all the way to the CN of the group.  If it is 
supposed to stop at the OU level, then how does Spring identify the right group?


-----Original Message-----
From: Marvin S. Addison [mailto:[email protected]] 
Sent: Thursday, October 10, 2013 5:01 PM
To: [email protected]
Subject: Re: [cas-user] Services Management -LDAP Auth

> Has anyone gotten the LDAP authentication to work for services 
> management? I have tried various iterations of filter strings, but the 
> spring documentation isn't quite tailored to the way you have to do it 
> in the CAS file.

It's really a Spring Security configuration matter more than CAS specifically. 
Here's a working configuration we use for another app:

   <ldap-server url="ldaps://authn.directory.vt.edu" />

   <ldap-authentication-provider
     user-search-filter="uupid={0}"
     user-search-base="ou=people,dc=vt,dc=edu"
     group-search-filter="member={0}"
     group-search-base="ou=groups,dc=vt,dc=edu"
     group-role-attribute="uugid"
   />

The member attribute of our directory is like yours, it contains the DN of 
members of the group. The uugid attribute is equivalent to group CN; it's 
simply the group name. The uupid attribute is the username. I believe your 
group search filter is correct, but your user search filter is incorrect. 
You're searching by user CN, which if you're using AD should be more like the 
following:

user-search-filter="(sAMAccountName={0})"

The user search filter is used to obtain a DN that is subsequently used to 
search for groups by substitution into the group search filter. Most AD 
deployments use the sAMAccountName for username, so the above is probably what 
you need.

M

--
You are currently subscribed to [email protected] as: 
[email protected] To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
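
The two-step lookup described in the quoted reply (the user search filter yields a DN, which is then substituted into the group search filter under the group search base), modelled as an added Python example that is not part of the original thread or of Spring Security. The directory entries, the dc=example,dc=org names, the function names and the explicit scope parameter are assumptions; the thread does not say which search scope is in effect.

```python
# Constructed sample directory (not from the thread): DN -> attributes.
DIRECTORY = {
    "cn=Jane Doe,ou=people,dc=example,dc=org": {"cn": ["Jane Doe"], "sAMAccountName": ["jdoe"]},
    "cn=cas-admins,ou=groups,dc=example,dc=org": {
        "cn": ["cas-admins"], "member": ["cn=Jane Doe,ou=people,dc=example,dc=org"]},
    "cn=helpdesk,ou=groups,dc=example,dc=org": {"cn": ["helpdesk"], "member": []},
}

def _norm(dn):
    # Simplified DN comparison: lower-case, trim RDNs; escaped commas are not handled.
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_scope(dn, base, scope):
    dn, base = _norm(dn), _norm(base)
    if scope == "subtree":
        return dn == base or dn.endswith("," + base)
    if scope == "onelevel":
        # Immediate children of the base only; the base entry itself is excluded.
        return dn.endswith("," + base) and "," not in dn[: -len(base) - 1]
    raise ValueError(f"unknown scope: {scope}")

def search(base, scope, attr, value):
    """Equality search (attr=value), compared case-insensitively."""
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base, scope)
            and value.lower() in (v.lower() for v in attrs.get(attr, []))]

def resolve_groups(username, user_attr, user_base, group_attr, group_base, role_attr, scope):
    # Step 1: user search filter -> exactly one user DN (subtree search assumed here).
    users = search(user_base, "subtree", user_attr, username)
    if len(users) != 1:
        return []  # no unique DN, so nothing to substitute into the group filter
    # Step 2: that DN replaces {0} in the group filter, e.g. member=<user DN>.
    groups = search(group_base, scope, group_attr, users[0])
    # Step 3: the role attribute of each matching group entry is the group name.
    return sorted(v for dn in groups for v in DIRECTORY[dn].get(role_attr, []))

if __name__ == "__main__":
    people, ou = "ou=people,dc=example,dc=org", "ou=groups,dc=example,dc=org"
    for base, scope in [(ou, "onelevel"), ("cn=cas-admins," + ou, "onelevel"),
                        ("cn=cas-admins," + ou, "subtree")]:
        roles = resolve_groups("jdoe", "sAMAccountName", people, "member", base, "cn", scope)
        print(f"{scope:8} {base} -> {roles}")
```

In this model a group search base that is the group's own DN only matches when the scope includes the base entry; a base at the OU matches under either scope.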
