Well,

I've been continually frustrated by the fact that I can't get this LDAP auth 
for the services app working.

I have 2 CAS servers running on Tomcat behind a netscaler proxy.  The CAS 
servers share a database for ticket storage. Active Directory is my LDAP 
provider.

When I try to access services management using LDAP authorization, I get 
'Access Denied.' When I replace the default hard coded method, it works.

I have created a group in my AD called CASServiceMgmtAccess.  I and some others 
are members of that group.

I have configured CAS as follows:

<sec:ldap-server id="ldapServer" url="ldap://unfcsd.unf.edu:389/"
                 manager-dn="CN=CAS Service Account,OU=Service Account,OU=Security,OU=ITS,DC=unfcsd,DC=unf,DC=edu"
                 manager-password="thePassword" />

<sec:ldap-user-service id="userDetailsService" server-ref="ldapServer"
                 group-search-base="CN=CASServiceMgmtAccess,OU=Groups,OU=Security,OU=ITS,DC=unfcsd,DC=unf,DC=edu"
                 group-role-attribute="cn"
                 group-search-filter="(member={0})"
                 user-search-base="OU=Employees,OU=UNFUsers,DC=unfcsd,DC=unf,DC=edu"
                 user-search-filter="(sAMAccountName={0})" />

I did a packet capture and I can see that it:

1. Successfully binds to the domain controller
2. Sends a SearchRequest for my name
3. Receives a response with my LDAP profile
4. Sends a SearchRequest for 
   "CN=CASServiceMgmtAccess,OU=Groups,OU=Security,OU=ITS,DC=unfcsd,DC=unf,DC=edu", 
   wholeSubtree
   a. With a filter of member=<the full distinguishedName of my username>
5. Receives the full DN of my CASServiceMgmtAccess group, indicating that 
   the username was found as a member

Now at this point, I would expect it to work. I took what I saw in Wireshark and 
used Apache Directory Explorer to search manually. I got exactly the same 
results.

Is there something I'm missing like a declaration somewhere that the group 
members are admins or something?

Geoff


-----Original Message-----
From: Marvin S. Addison [mailto:[email protected]]
Sent: Thursday, October 10, 2013 5:01 PM
To: [email protected]
Subject: Re: [cas-user] Services Management -LDAP Auth

> Has anyone gotten the LDAP authentication to work for services
> management? I have tried various iterations of filter strings, but the
> spring documentation isn't quite tailored to the way you have to do it
> in the CAS file.

It's really a Spring Security configuration matter more than CAS specifically. 
Here's a working configuration we use for another app:

<ldap-server url="ldaps://authn.directory.vt.edu" />

<ldap-authentication-provider
user-search-filter="uupid={0}"
user-search-base="ou=people,dc=vt,dc=edu"
group-search-filter="member={0}"
group-search-base="ou=groups,dc=vt,dc=edu"
group-role-attribute="uugid"
/>

The member attribute of our directory is like yours, it contains the DN of 
members of the group. The uugid attribute is equivalent to group CN; it's 
simply the group name. The uupid attribute is the username. I believe your 
group search filter is correct, but your user search filter is incorrect. 
You're searching by user CN, which if you're using AD should be more like the 
following:

user-search-filter="(sAMAccountName={0})"

The user search filter is used to obtain a DN that is subsequently used to 
search for groups by substitution into the group search filter. Most AD 
deployments use the sAMAccountName for username, so the above is probably what 
you need.

M
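The two-step lookup Marvin describes (user filter gives a DN, that DN is substituted into the group filter, the group-role-attribute becomes the granted authority), as an added Python simulation that is not code from CAS, Spring Security or either poster. The in-memory DIRECTORY, the CONFIG dict and the helper functions are constructed for this example and use the bases and attribute names from Geoff's configuration; the "ROLE_" prefix and upper-casing are Spring Security's DefaultLdapAuthoritiesPopulator defaults.

```python
import re

# Constructed toy AD subtree (not a real directory), modelled on the bases and attribute
# names in Geoff's configuration: DN -> attributes. All entries are illustrative.
DIRECTORY = {
    "CN=Geoff Example,OU=Employees,OU=UNFUsers,DC=unfcsd,DC=unf,DC=edu":
        {"sAMAccountName": ["geoff"], "cn": ["Geoff Example"]},
    "CN=Alice Example,OU=Employees,OU=UNFUsers,DC=unfcsd,DC=unf,DC=edu":
        {"sAMAccountName": ["alice"], "cn": ["Alice Example"]},
    "CN=CASServiceMgmtAccess,OU=Groups,OU=Security,OU=ITS,DC=unfcsd,DC=unf,DC=edu":
        {"cn": ["CASServiceMgmtAccess"],
         "member": ["CN=Geoff Example,OU=Employees,OU=UNFUsers,DC=unfcsd,DC=unf,DC=edu"]},
}

# Geoff's ldap-user-service attributes as a plain dict (hypothetical; not a Spring API).
CONFIG = {
    "user-search-base": "OU=Employees,OU=UNFUsers,DC=unfcsd,DC=unf,DC=edu",
    "user-search-filter": "(sAMAccountName={0})",
    "group-search-base": "CN=CASServiceMgmtAccess,OU=Groups,OU=Security,OU=ITS,DC=unfcsd,DC=unf,DC=edu",
    "group-search-filter": "(member={0})",
    "group-role-attribute": "cn",
}

def escape_filter_value(value):
    # RFC 4515 escaping of the substituted value, so it cannot alter the filter's structure.
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def search(base, ldap_filter):
    """Subtree search for a single (attr=value) equality filter, compared case-insensitively as AD does."""
    attr, raw = re.fullmatch(r"\(?([A-Za-z0-9]+)=(.*?)\)?", ldap_filter).groups()
    wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw).lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base.lower())
            and wanted in (v.lower() for v in attrs.get(attr, []))]

def load_authorities(username, cfg=CONFIG):
    """Step 1: user filter -> user DN.  Step 2: that DN in the group filter -> roles."""
    user_filter = cfg["user-search-filter"].replace("{0}", escape_filter_value(username))
    users = search(cfg["user-search-base"], user_filter)
    if len(users) != 1:
        return None  # no single DN, so the group search never runs (the cn-filter failure)
    user_dn = users[0]
    group_filter = cfg["group-search-filter"].replace("{0}", escape_filter_value(user_dn))
    roles = []
    for group_dn in search(cfg["group-search-base"], group_filter):
        name = DIRECTORY[group_dn][cfg["group-role-attribute"]][0]
        roles.append("ROLE_" + name.upper())  # DefaultLdapAuthoritiesPopulator defaults
    return user_dn, roles
```

Running it with a cn-based user filter against a login name that differs from the cn returns None, which is the failure mode Marvin points at: no user DN, so the group search never happens.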

--
You are currently subscribed to [email protected] as: 
[email protected] To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
