Perfect. It's working. Thanks a lot.

Yannick
From: Armando Martins [mailto:[email protected]]
Sent: Thursday 15 January 2015 09:28
To: [email protected]
Subject: Re: [cas-user] CAS with LDAP / LDAP Scope

Hi,

I think you have to turn on subtreeSearch in your dnResolver bean, like this:

    <bean id="dnResolver" class="org.ldaptive.auth.PooledSearchDnResolver"
          p:baseDn="${ldap.authn.baseDn}"
          p:allowMultipleDns="false"
          p:subtreeSearch="true"
          p:connectionFactory-ref="searchPooledLdapConnectionFactory"
          p:userFilter="${ldap.authn.searchFilter}" />

Hope this helps.

2015-01-15 9:01 GMT+01:00 Yannick MOLINET <[email protected]>:

Hi all,

I'm working to authenticate users on an OpenLDAP server.
My cas.properties is like:

    #========================================
    # Authentication
    #========================================
    # Base DN of users to be authenticated
    ldap.authn.baseDn=dc=domain,dc=local
    # Manager DN for authenticated searches
    ldap.authn.managerDN=cn=admin,dc=domain,dc=local
    # Manager password for authenticated searches
    ldap.authn.managerPassword=myadminpwd
    # Search filter used for configurations that require searching for DNs
    ldap.authn.searchFilter=(uid={user})
    # DN format string used by configurations that compute the DN directly (FormatDnResolver)
    ldap.authn.format=%s
    ldap.baseDn=dc=domain,dc=local
    ldap.trustedCert=/etc/pki/tls/certs/chain-24222-cas4.exemple.fr-3-AddTrust_External_CA_Root.pem

But when I try to authenticate, it's not working.

1. Which password encryption does CAS expect? (The default is MD5 in OpenLDAP.)
2. In the debug log I can see "searchScope=ONELEVEL", but some users are in a sub-OU, so how can I change the search scope?

My log (catalina.out):

2015-01-15 00:13:39,797 DEBUG [org.ldaptive.SearchOperation] - <execute request=[org.ldaptive.SearchRequest@1343718622::baseDn=dc=domain,dc=local, searchFilter=[org.ldaptive.SearchFilter@-286922140::filter=(uid={user}), parameters={[email protected]}], returnAttributes=[1.1], searchScope=ONELEVEL, timeLimit=0, sizeLimit=0, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, followReferrals=false, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@78993229::config=[org.ldaptive.ConnectionConfig@1828438737::ldapUrl=ldap://10.0.18.12, connectTimeout=3000, responseTimeout=-1, sslConfig=[org.ldaptive.ssl.SslConfig@78864189::credentialConfig=[org.ldaptive.ssl.X509CredentialConfig@-762247154::trustCertificates=/etc/pki/tls/certs/chain-24222-cas4.exemple.fr-3-AddTrust_External_CA_Root.pem, authenticationCertificate=null, authenticationKey=null], trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=null], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@879346250::connectionCount=1, environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, com.sun.jndi.ldap.connect.timeout=3000, java.naming.ldap.version=3}, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@189965096::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, connectionStrategy=DEFAULT, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null, controlProcessor=org.ldaptive.provider.ControlProcessor@5e559ce6]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@46aff06c]>
2015-01-15 00:13:39,800 DEBUG [org.ldaptive.SearchOperation] - <execute response=[org.ldaptive.Response@1702839416::result=[[]], resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1] for request=[org.ldaptive.SearchRequest@1343718622::baseDn=dc=domain,dc=local, searchFilter=[org.ldaptive.SearchFilter@-286922140::filter=(uid={user}), parameters={[email protected]}], returnAttributes=[1.1], searchScope=ONELEVEL, timeLimit=0, sizeLimit=0, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, followReferrals=false, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@78993229::config=[org.ldaptive.ConnectionConfig@1828438737::ldapUrl=ldap://10.0.18.12, connectTimeout=3000, responseTimeout=-1, sslConfig=[org.ldaptive.ssl.SslConfig@78864189::credentialConfig=[org.ldaptive.ssl.X509CredentialConfig@-762247154::trustCertificates=/etc/pki/tls/certs/chain-24222-cas4.exemple.fr-3-AddTrust_External_CA_Root.pem, authenticationCertificate=null, authenticationKey=null], trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=null], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@879346250::connectionCount=1, environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, com.sun.jndi.ldap.connect.timeout=3000, java.naming.ldap.version=3}, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@189965096::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, connectionStrategy=DEFAULT, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null, controlProcessor=org.ldaptive.provider.ControlProcessor@5e559ce6]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@46aff06c]>
2015-01-15 00:13:39,800 INFO [org.ldaptive.auth.PooledSearchDnResolver] - <search for [email protected] failed using filter=[org.ldaptive.SearchFilter@-286922140::filter=(uid={user}), parameters={[email protected]}]>
2015-01-15 00:13:39,800 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - <resolved dn=null for [email protected]>
2015-01-15 00:13:39,800 DEBUG [org.ldaptive.auth.Authenticator] - <authenticate dn=null with request=[org.ldaptive.auth.AuthenticationRequest@107501143::[email protected], retAttrs=[]]>
2015-01-15 00:13:39,800 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - <LDAP response: [org.ldaptive.auth.AuthenticationResponse@737963274::authenticationResultCode=DN_RESOLUTION_FAILURE, ldapEntry=null, accountState=null, result=false, resultCode=null, message=DN cannot be null, controls=null]>
2015-01-15 00:13:39,800 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler failed authenticating [email protected]+password>

Thanks for help,
Yannick

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user

--
Armando Martins
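The failure in the thread is the DN-resolution step: with searchScope=ONELEVEL the search from dc=domain,dc=local only sees entries directly under the base, so an account inside a sub-OU never matches (uid={user}) and the authenticator gets DN_RESOLUTION_FAILURE before any bind happens; subtreeSearch="true" switches the scope to SUBTREE. The script below is an added example, not code from the thread, from CAS or from ldaptive. It models a small OpenLDAP-style tree in memory under the thread's base DN with constructed sample users (bob, alice, yannick), implements the three RFC 4511 search scopes and the RFC 4515 escaping that ldaptive applies to the {user} parameter, and reproduces the ONELEVEL-versus-SUBTREE outcome offline. DIT, resolve_dn, matching_dns and the sample DNs are this example's own names.

```python
"""LDAP search-scope and filter-escaping model for the DN-resolution step.

Added, self-contained example; not code from the cas-user thread, CAS or
ldaptive. The directory below is constructed sample data.
"""
from string import hexdigits
from typing import Dict, List, Optional

# Constructed sample DIT: the thread's base DN, with users at three depths.
DIT: Dict[str, Dict[str, str]] = {
    "dc=domain,dc=local": {"objectClass": "dcObject"},
    "uid=bob,dc=domain,dc=local": {"uid": "bob"},                 # directly under the base
    "ou=people,dc=domain,dc=local": {"objectClass": "organizationalUnit"},
    "uid=alice,ou=people,dc=domain,dc=local": {"uid": "alice"},
    "ou=it,ou=people,dc=domain,dc=local": {"objectClass": "organizationalUnit"},
    "uid=yannick,ou=it,ou=people,dc=domain,dc=local": {"uid": "yannick"},  # user in a sub-OU
}

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before splicing it into a filter
    (the treatment ldaptive's SearchFilter gives the {user} parameter)."""
    return "".join(_ESCAPES.get(c, c) for c in value)


def unescape_filter_value(value: str) -> str:
    """Inverse of escape_filter_value, as the server decodes the assertion value."""
    out, i = [], 0
    while i < len(value):
        pair = value[i + 1:i + 3]
        if value[i] == "\\" and len(pair) == 2 and all(c in hexdigits for c in pair):
            out.append(chr(int(pair, 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _rdns(dn: str) -> List[str]:
    # The sample DNs contain no escaped commas, so a plain split is enough here.
    return [c.strip() for c in dn.split(",")]


def in_scope(dn: str, base: str, scope: str) -> bool:
    """RFC 4511 scopes: BASE = the base entry only, ONELEVEL = its immediate
    children only, SUBTREE = the base and every descendant."""
    if scope == "BASE":
        return dn == base
    below = dn != base and dn.endswith("," + base)
    if scope == "ONELEVEL":
        return below and len(_rdns(dn)) == len(_rdns(base)) + 1
    if scope == "SUBTREE":
        return dn == base or below
    raise ValueError(f"unknown scope {scope!r}")


def matching_dns(base: str, scope: str, filter_str: str) -> List[str]:
    """Evaluate a single equality or presence filter such as '(uid=yannick)'."""
    if not (filter_str.startswith("(") and filter_str.endswith(")") and "=" in filter_str):
        raise ValueError(f"unsupported filter {filter_str!r}")
    attr, raw = filter_str[1:-1].split("=", 1)
    presence = raw == "*"  # '(uid=*)' is a presence filter; '\2a' is a literal asterisk
    wanted = None if presence else unescape_filter_value(raw)
    return [
        dn for dn, entry in DIT.items()
        if in_scope(dn, base, scope) and attr in entry and (presence or entry[attr] == wanted)
    ]


def resolve_dn(base: str, scope: str, filter_template: str, user: str) -> Optional[str]:
    """Model of PooledSearchDnResolver with allowMultipleDns=false: None when
    nothing matches (DN_RESOLUTION_FAILURE in the thread), the DN when exactly
    one entry matches, and an error when the filter is ambiguous."""
    rendered = filter_template.replace("{user}", escape_filter_value(user))
    hits = matching_dns(base, scope, rendered)
    if len(hits) > 1:
        raise LookupError(f"filter {rendered!r} matched {len(hits)} entries")
    return hits[0] if hits else None


if __name__ == "__main__":
    base, tmpl = "dc=domain,dc=local", "(uid={user})"
    for scope in ("ONELEVEL", "SUBTREE"):
        for user in ("bob", "yannick"):
            print(f"{scope:8} {user:8} -> {resolve_dn(base, scope, tmpl, user)}")
    # Hostile input is neutralised by escaping: '*' is sent as '\2a', a literal asterisk.
    print("escaped '*'   ->", resolve_dn(base, "SUBTREE", tmpl, "*"))
    print("unescaped '*' ->", matching_dns(base, "SUBTREE", "(uid=*)"))
```

Run as-is: ONELEVEL finds bob but returns None for yannick, SUBTREE finds both, which is the behaviour behind the log's resolved dn=null. Three caveats a practitioner would want alongside the fix. First, widening the scope makes allowMultipleDns="false" matter: a uid duplicated in two OUs now matches twice, and the resolver must refuse rather than pick one (the LookupError above models that). Second, question 1 in the thread is not CAS's concern with this handler: CAS binds to OpenLDAP as the resolved DN with the submitted password and slapd verifies it against whatever scheme userPassword is stored with, so the storage hash does not have to match anything on the CAS side. Third, the posted log shows ldapUrl=ldap://10.0.18.12 with useSSL=false and useStartTLS=false even though ldap.trustedCert is set, so the manager bind and every user's password currently cross the network in cleartext; the trust anchor only takes effect once ldaps:// or StartTLS is enabled.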
