Hello
Finally working for me. For anyone with the same issue, this explanation
helped me a lot: "Someone will need to be in the "admin" group in ldap to
manage services. The ROLES are uppercased versions with prepended ROLE_
of the group names. If there are underlines in your group name, it will
be translated to spaces." (source: https://bowerstudios.com/node/645)
I.e., if I have the following configuration in cas.properties:
cas.securityContext.serviceProperties.adminRoles=ROLE_ADMIN
I have to create a group named "ADMIN" (or lowercase "admin", it does
not matter) - i.e. without "ROLE_", which is only a prefix.
michal
On 6. 11. 2014 13:15, Michal Bruncko wrote:
Hello list,
I am trying to implement LDAP authentication for Services management
in CAS 3.5.2.1 instead of the simple "user-service". I have used and
modified accordingly the configuration mentioned here:
https://wiki.jasig.org/display/CASUM/Configuring#Configuring-Ldap-servermanagedlistofusers
What is the behavior:
- CAS successfully bound to "manager-dn"
- CAS successfully performed LDAP search in "user-search-base" for
user "uid=michal.bruncko"
- CAS successfully searched for group within "group-search-base" with
filter "(&(cn=CAS Admins)(uniquemember={0}))" where {0} is DN of
"uid=michal.bruncko" object
- LDAP successfully returned "group-role-attribute"
... but the problem is that I am still getting "Access Denied" even
if all steps above were completed fine. But maybe I am still missing
the glue for "group-role-attribute". Does this "group-role-attribute"
mean that this attribute (in my case "cn") must contain some specific
name in order to get authorized to CAS Service Management? Should the
LDAP group be named "ADMIN" or "ROLE_ADMIN"? Where can I define
which LDAP group is the right one for allowing access into the Service
management GUI?
thanks!
michal
--
Ing. Michal Bruncko, PhD., CCNP, RHCSA™
IT systems and network administrator
Coupled school of business and services Ruzomberok
Slovak Republic
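
Added example, not part of the original messages and not CAS or Spring Security code: a small Python model of the mapping described in the first message (group name uppercased, "ROLE_" prepended, result compared with adminRoles), run against the group names discussed in the thread. The function names, the comma-separated handling of adminRoles and the omission of any other rewriting of the group name are assumptions.

```python
# Simplified model of the group-to-role mapping described in the thread.
# Assumption: the role is the group-role-attribute value, uppercased, with
# the "ROLE_" prefix prepended. No other rewriting of the name is modelled.

ROLE_PREFIX = "ROLE_"
ADMIN_ROLES_KEY = "cas.securityContext.serviceProperties.adminRoles"


def parse_admin_roles(properties_text):
    """Read the adminRoles value from cas.properties-style text.

    Assumption: several roles may be given, separated by commas.
    """
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        if name.strip() == ADMIN_ROLES_KEY:
            return {r.strip() for r in value.split(",") if r.strip()}
    return set()


def roles_from_groups(group_names):
    """Derive role names from the group-role-attribute values (e.g. cn)."""
    return {ROLE_PREFIX + name.upper() for name in group_names}


def check_access(properties_text, group_names):
    """Return (granted, derived_roles, required_roles) for a user's groups."""
    required = parse_admin_roles(properties_text)
    derived = roles_from_groups(group_names)
    return bool(required & derived), derived, required


# Constructed sample input: the property line quoted in the message above.
SAMPLE_PROPERTIES = ADMIN_ROLES_KEY + "=ROLE_ADMIN\n"

if __name__ == "__main__":
    # Group names taken from the thread: the original "CAS Admins" group,
    # the working "admin"/"ADMIN" names, and the "ROLE_ADMIN" naming asked about.
    for groups in (["CAS Admins"], ["admin"], ["ADMIN"], ["ROLE_ADMIN"]):
        granted, derived, required = check_access(SAMPLE_PROPERTIES, groups)
        verdict = "granted" if granted else "Access Denied"
        print(f"{groups} -> {sorted(derived)} vs {sorted(required)}: {verdict}")
```

Under this model a group named "CAS Admins" yields a role that does not match ROLE_ADMIN, and a group literally named "ROLE_ADMIN" gets the prefix applied a second time.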