Without using a proxy, is it possible to use ldap rather than ldaps? Unless your 
admins have specified otherwise, you only need ldaps for password changes.

Using plain ldap you can run tshark from the CAS server console to get a packet 
trace you can look at in Wireshark.

The packet trace should show where it's failing.

Sent from my Android phone using Symantec TouchDown (www.symantec.com)
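To make the tshark suggestion above concrete, here is an added example; it is not code from the thread or from the CAS project. It assumes the CAS server's interface is eth0, that the domain controller is reachable on plain LDAP port 389, and that the capture is written to /tmp/cas-ldap.pcap; the `capture_cmd`, `summary_cmd` and `ad_bind_reason` helpers and the sample diagnostic strings in `demo` are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread or from CAS: capture plain LDAP (port 389)
# between the CAS server and the domain controller, list the bind exchange, and
# decode AD's "data NNN" sub-code from the bindResponse diagnostic message.
# Assumptions: interface eth0, capture written to /tmp/cas-ldap.pcap; the sample
# diagnostic strings in demo() are constructed, not taken from a real trace.

# Step 1: capture command to run as root on the CAS server while reproducing the
# failed login. -f is a BPF capture filter, so only LDAP traffic is written.
# The pcap will contain the user's password in clear text (simple bind over
# plain ldap); treat the file as a secret and delete it once the problem is found.
capture_cmd() {
    printf "tshark -i %s -f 'tcp port 389' -w %s\n" "${1:-eth0}" "${2:-/tmp/cas-ldap.pcap}"
}

# Step 2: read the capture back and print one line per bindRequest/bindResponse:
# frame number, operation, the bind name CAS actually sent, the LDAP result code
# and the server's diagnostic text. ldap.protocolOp 0 = bindRequest, 1 = bindResponse.
# Compare the bind name with the -D value that worked in ldapsearch.
summary_cmd() {
    printf "tshark -r %s -Y 'ldap.protocolOp == 0 || ldap.protocolOp == 1' -T fields -e frame.number -e ldap.protocolOp -e ldap.name -e ldap.resultCode -e ldap.errorMessage\n" "${1:-/tmp/cas-ldap.pcap}"
}

# Step 3: AD returns resultCode 49 (invalidCredentials) for many different
# reasons and only distinguishes them in the errorMessage text, e.g.
#   "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1"
# This decodes the hex sub-code that follows "data".
ad_bind_reason() {
    code=$(printf '%s' "$1" | sed -n 's/.*data \([0-9a-fA-F]*\).*/\1/p')
    case "$code" in
        525) echo "525: user not found" ;;
        52e) echo "52e: invalid credentials (wrong password)" ;;
        530) echo "530: not permitted to log on at this time" ;;
        531) echo "531: not permitted to log on at this workstation" ;;
        532) echo "532: password expired" ;;
        533) echo "533: account disabled" ;;
        701) echo "701: account expired" ;;
        773) echo "773: user must reset password" ;;
        775) echo "775: account locked out" ;;
        "")  echo "no AD data sub-code in message" ;;
        *)   echo "$code: unknown sub-code" ;;
    esac
}

# Walk-through on constructed input (no tshark needed to run this part).
demo() {
    echo "# run on the CAS server while reproducing the failed login:"
    capture_cmd
    echo "# then summarise the bind exchange:"
    summary_cmd
    ad_bind_reason "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1"
    ad_bind_reason "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1"
}

demo
```

Two things to check in the summary output. First, the ldap.name of the bindRequest is the exact string CAS built from the configured DN format; if it differs from the `-D` value that worked with ldapsearch (for example a bare sAMAccountName instead of user@domain), that is the configuration error. Second, a bindResponse with resultCode 49 carries the AD sub-code in the errorMessage, which CAS's own "invalid credentials" log line hides, so 52e (wrong password) and 773 (must reset password) or 775 (locked out) become distinguishable. One caveat: if the domain policy "LDAP server signing requirements" is set to require signing, the DC refuses simple binds on an unencrypted connection with resultCode 8 (strongerAuthRequired); the trace will show that too, and in that case the test has to be repeated over ldaps.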

-----Original Message-----
From: Mike Seiler [[email protected]]
Received: Tuesday, 30 Jun 2015, 1:44PM
To: [email protected] [[email protected]]
Subject: Re: [cas-user] Help with CAS 4.0 & AD

The AD is set to allow global search by all authenticated users; anything else 
(resetting password, etc.) requires the administrator credentials - but we don't 
use the Password Manager in CAS - we do that externally via other apps.  All we 
need is to determine that a user's account authenticates and pass the 
attributes on to other applications.

I'm using the deployerConfigContext defined here:
http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html#active_directory_authentication
(The first code sample, which says "The following configuration authenticates 
users by sAMAccountName without performing a search, which requires 
manager/administrator credentials in most cases. It is therefore the most 
performant and secure solution for the typical Active Directory deployment.")

From the command line: I am able to do an ldapsearch using my own credentials 
(and looking up another user), and, of course, I am also able to do a search 
for another user using the Admin credentials:

ldapsearch -x -H ldaps://id.fuller.edu \
  -b "ou=fuller,dc=id,dc=fuller,dc=edu" \
  -D "[email protected]" -w "admin_password" \
  "(sAMAccountName=michaelseiler)" \
  cn sn displayName sAMAccountName pwdLastSet lastLogon mail memberof

With either the admin credentials or my own, I get all requested data back from 
the server, but with CAS the validation of my own personal account credentials 
fails, and all I can seem to get from the error logs is that my own personal 
credentials are invalid -- even though I can use them from the command line and 
retrieve data for any user.

It seems that this is a configuration error in CAS, but the error logs are 
insufficient to help debug this.

Setting up a proxy to track down issues is beyond my knowledge.  If there is 
other documentation on setting up CAS 4.0 with LDAP that doesn't use the Maven 
overlay method or the cut-and-paste code from the above URL, I'd be happy to 
try that out at this point.


--
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
