Mike,

I think the key part is "without performing a search" in the quote I pulled 
from the A/D section.
I am not sure how that is possible in traditional LDAP unless all the accounts 
are in a single ou that has been configured beforehand.
Our LDAP DIT is "context-crazy" aka "bushy", with accounts for different 
departments in different ous.

I am not sure how that would work using LDAP.  Could just be something unclear 
in the text, though.

Thanks,
Carl
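The two CAS 4.0 DN-resolution strategies this thread is circling (ldaptive's FormatDnResolver, which fills a template such as `%s@domain` and needs neither a search nor manager credentials, versus SearchDnResolver, which binds as the manager and searches the subtree) modelled in Python against a constructed in-memory directory; this is an added illustration, not code from the thread or from CAS. The stand-in mirrors one AD behaviour that explains the "without performing a search" wording: AD accepts the user@domain (UPN) form as a simple-bind name, so a format template works even in a "bushy" DIT where accounts live in different OUs, whereas a template of the form `uid=%s,ou=staff,...` only works for accounts in that one OU. The DIRECTORY contents, account names, passwords and the `dc=example,dc=edu` suffix are all constructed.

```python
import secrets

# Constructed sample DIT (an in-memory stand-in, not a live LDAP server):
# a "bushy" tree with accounts in different OUs and a manager outside them.
DIRECTORY = {
    "uid=carl,ou=staff,dc=example,dc=edu":
        {"uid": "carl", "userPrincipalName": "carl@example.edu", "userPassword": "pw-carl"},
    "uid=mike,ou=faculty,dc=example,dc=edu":
        {"uid": "mike", "userPrincipalName": "mike@example.edu", "userPassword": "pw-mike"},
    "cn=casbrowser,cn=Users,dc=example,dc=edu":
        {"cn": "casbrowser", "userPassword": "pw-mgr"},
}

def bind(name, password):
    """Simple bind.  Like AD, accept the entry's DN or its user@domain (UPN)
    form as the bind name; a plain LDAP server accepts only the DN, which is
    why it must be located by a search first."""
    entry = DIRECTORY.get(name) or next(
        (e for e in DIRECTORY.values() if e.get("userPrincipalName") == name), None)
    return entry is not None and secrets.compare_digest(entry["userPassword"], password)

def format_dn_resolver(fmt, user):
    """FormatDnResolver: fill a fixed template such as "uid=%s,ou=staff,..."
    or "%s@example.edu".  No search and no manager credentials, but it only
    works when every account fits the template."""
    return fmt % user

def search_dn_resolver(manager_dn, manager_pw, base_dn, user_filter, user):
    """SearchDnResolver: bind as the manager, subtree-search under base_dn for
    the single entry matching the filter (e.g. "(uid=%s)"), return its DN."""
    if not bind(manager_dn, manager_pw):
        raise PermissionError("manager bind failed")
    attr, _, value = user_filter.strip("()").partition("=")
    matches = [dn for dn, e in DIRECTORY.items()
               if dn.endswith(base_dn) and e.get(attr) == value % user]
    return matches[0] if len(matches) == 1 else None  # zero or ambiguous: refuse

def authenticate_format(fmt, user, password):
    """Direct-bind flow: resolve the bind name by template, bind as the user."""
    return bind(format_dn_resolver(fmt, user), password)

def authenticate_search(manager_dn, manager_pw, base_dn, flt, user, password):
    """Search-then-bind flow: manager bind and search, then bind as the user."""
    dn = search_dn_resolver(manager_dn, manager_pw, base_dn, flt, user)
    return dn is not None and bind(dn, password)
```

Against a real server the same two flows are what CAS's `LdapAuthenticationHandler` runs through ldaptive; the model only swaps the network bind for a dictionary lookup.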

----- Original Message -----
From: "Mike Seiler" <[email protected]>
To: [email protected]
Sent: Tuesday, June 30, 2015 4:59:00 PM
Subject: Re: [cas-user] Help with CAS 4.0 & AD

Carl,

Our current CAS server (3.5.2) simply binds as the manager and then
authenticates the user from the AD with a search.  To me, that first
paragraph & sample code seems to suggest that it does the same thing -
using only the manager credentials to authenticate the user.

Thanks,

Mike

On Tue, Jun 30, 2015 at 1:17 PM, Waldbieser, Carl <[email protected]>
wrote:

> Mike,
>
> I did notice this while going over the instructions:
>
>   "The following configuration authenticates users by sAMAccountName
> without performing a search, which requires manager/administrator
> credentials in most cases".
>
>   Is that something special you can do in A/D since sAMAccountName is
> guaranteed to be unique in the domain?  With typical LDAP authN, you need
> to do a search to get the full DN and then BIND as that DN.
>
> Still poking around ...
>
> Thanks,
> Carl
>
> ----- Original Message -----
> From: "Mike Seiler" <[email protected]>
> To: [email protected]
> Sent: Tuesday, June 30, 2015 3:39:02 PM
> Subject: Re: [cas-user] Help with CAS 4.0 & AD
>
> Here's my cas.properties info:
> #========================================
> # General properties
> #========================================
> ldap.url=ldaps://id.fuller.edu
> ldap.connectTimeout=3000
> ldap.useStartTLS=false
>
> #========================================
> # LDAP connection pool configuration
> #========================================
> ldap.pool.minSize=3
> ldap.pool.maxSize=10
> ldap.pool.validateOnCheckout=false
> ldap.pool.validatePeriodically=true
> ldap.pool.blockWaitTime=3000
> ldap.pool.validatePeriod=300
> ldap.pool.prunePeriod=300
> ldap.pool.idleTime=600
>
> #========================================
> # Authentication
> #========================================
> # Base DN of users to be authenticated
> ldap.baseDn=ou=fuller,DC=id,DC=fuller,DC=edu
> # the CN=Users here because the CASADMIN is outside the "ou" we put our
> # normal users into.
> ldap.authn.managerDN=CN=CASADMIN,CN=Users,DC=id,DC=fuller,DC=edu
> ldap.authn.managerPassword=XXXXXXXX
> ldap.domain=fuller.edu
> ldap.trustedCert=file:/etc/cas/id_app.pem
> # [The cut and paste deployer config doesn't actually use the below, but I
> # modified them anyway]
> ldap.authn.searchFilter=(sAMAccountName=%s)
> ldap.authn.format=%[email protected]
>
> Thanks for taking a look at this.
>
> On Tue, Jun 30, 2015 at 12:06 PM, Waldbieser, Carl <[email protected]>
> wrote:
>
> > Mike,
> >
> > Could you post the non-sensitive parts of your LDAP configuration?
> > We are using CAS 3.x and using OpenLDAP so it is not necessarily a good
> > match, but our settings look like:
> >
> > # == LDAP Authentication settings ==
> > ldap.authentication.filter=uid=%u
> > ldap.authentication.server.urls=ldaps://ldap.lafayette.edu
> > ldap.authentication.basedn=O=lafayette
> > ldap.authentication.manager.userdn=cn=casbrowser,o=lafayette
> > ldap.authentication.manager.password=REDACTED
> > ldap.authentication.ignorePartialResultException=true
> > ldap.authentication.scope=2
> > ldap.authentication.jndi.connect.timeout=3000
> > ldap.authentication.jndi.read.timeout=3000
> > ldap.authentication.jndi.security.level=simple
> >
> >
> > Thanks,
> > Carl
> >
> > ----- Original Message -----
> > From: "Mike Seiler" <[email protected]>
> > To: [email protected]
> > Sent: Tuesday, June 30, 2015 2:44:32 PM
> > Subject: Re: [cas-user] Help with CAS 4.0 & AD
> >
> > The AD is set to allow global search by all authenticated users; anything
> > else (resetting password, etc) requires the administrator credentials -
> > but we don't use the Password Manager in CAS - we do that externally via
> > other apps.  All we need is to determine that a user's account
> > authenticates and pass the attributes on to other applications.
> >
> > I'm using the deployerConfigContext defined here:
> >
> >
> > http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html#active_directory_authentication
> > (The first code sample, which says "The following configuration
> > authenticates users by sAMAccountName without performing a search, which
> > requires manager/administrator credentials in most cases. It is therefore
> > the most performant and secure solution for the typical Active Directory
> > deployment.")
> >
> > *From the command line:* I am able to do an ldapsearch using my own
> > credentials (and looking up another user), and, of course, I am also able
> > to do a search for another user using the Admin credentials:
> >
> > ldapsearch -x -H ldaps://id.fuller.edu  -b
> > "ou=fuller,dc=id,dc=fuller,dc=edu" -D "[email protected]" -w
> > "admin_password" "(sAMAccountName=michaelseiler)" cn sn displayName
> > sAMAccountName pwdLastSet lastLogon mail memberof
> >
> > With either the admin credentials or my own, I get all requested data back
> > from the server, but with CAS the validation of my own personal account
> > credentials fails, and all I can seem to get from the error logs is that my
> > own personal credentials are invalid -- even though I can use them from the
> > command line and retrieve data for any user.
> >
> > It seems that this is a configuration error in CAS, but the error logs are
> > insufficient to help debug this.
> >
> > Setting up a proxy to track down issues is beyond my knowledge.  If there
> > is other documentation on setting up CAS 4.0 with LDAP that doesn't use the
> > Maven overlay method or the cut-and-paste code from the above URL, I'd be
> > happy to try that out at this point.
> >
> > --
> > You are currently subscribed to [email protected] as:
> > [email protected]
> > To unsubscribe, change settings or access archives, see
> > http://www.ja-sig.org/wiki/display/JSG/cas-user
> >
> >
>
>
>
> --
> *Michael Seiler*
> --------------------------------------------------
> Systems Integration Engineer
> Fuller Theological Seminary
> Phone: (970) 306-6105
> [email protected]
>
> *Fuller Summer Hours:* Please note that all Fuller offices will be closed
> on Fridays from 7/3-8/28
> *Mike's Vacation Notice:* From 7/3-8/28 I will also be taking Mondays off,
> and will be out of the office for vacation 7/31 - 8/31
>
> *Please NOTE:*
> I respond to email at 8 AM, 1PM, and at 4:30PM.  If you need more immediate
> help, please contact TSS (626.584.5675) and they can route the issue to
> the
> appropriate person.  If this is a business process life or death emergency,
> you may call me at the above number.
>
>


