Hello Mike.

We are using CAS 4.0.2 with AD.

In cas.properties, we are using [sAMAccountName]@[ldap Url] for 
ldap.authn.managerDN and it is working.

In your case it will be

[email protected]



But we are using the second variant, 
ldap_requiring_authenticated_search (http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html#ldap_requiring_authenticated_search);
I understood you are using the first variant, 
active_directory_authentication (http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html#active_directory_authentication),
so it should not matter what you have in cas.properties for managerDN because 
it's not using it, from what I can tell.



Can you comment out those lines in cas.properties to test what the result is?
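
To make the difference between the two variants concrete, here is an added example; it is not code from this thread, from CAS or from ldaptive. It is a small Python model of an AD domain plus the two CAS resolution strategies: direct bind by ldap.authn.format (active_directory_authentication) and manager bind, search, user bind (ldap_requiring_authenticated_search). The directory contents, account names, UPNs and passwords are constructed for the example; only the base DN and manager DN follow the shape of Mike's cas.properties quoted further down. It shows three things the thread discusses: the direct-bind variant never touches managerDN and returns no attributes, the search variant resolves the DN and can return memberOf, and an account whose userPrincipalName is not sAMAccountName@domain authenticates only through the search variant.

```python
"""Added example, not CAS or ldaptive code: an offline model of the two CAS
4.0.x LDAP authentication variants compared in this thread.

  variant 1 (active_directory_authentication): bind as
      ldap.authn.format % username, e.g. "%s@fuller.edu"; no search at all.
  variant 2 (ldap_requiring_authenticated_search): bind as managerDN, search
      ldap.baseDn with ldap.authn.searchFilter, then bind as the DN found.

Everything in DIRECTORY is constructed for the example. Only the behaviours
are real: AD accepts a userPrincipalName as the name in a simple bind, and a
search is what turns a login name into a DN and yields attributes.
"""
from dataclasses import dataclass


@dataclass
class Entry:
    dn: str
    password: str
    attrs: dict  # attribute name -> list of values


class FakeAD:
    """Minimal AD-like directory: simple bind by DN or userPrincipalName,
    subtree search with a single equality filter under a base DN."""

    def __init__(self, entries):
        self.entries = entries

    def bind(self, name, password):
        name = name.lower()
        for e in self.entries:
            upns = [u.lower() for u in e.attrs.get("userPrincipalName", [])]
            if (name == e.dn.lower() or name in upns) and password == e.password:
                return True
        return False

    def search(self, base_dn, attr, value):
        base = base_dn.lower()
        return [e for e in self.entries
                if e.dn.lower().endswith("," + base)
                and value.lower() in [v.lower() for v in e.attrs.get(attr, [])]]


def authn_direct_bind(ad, username, password, fmt="%s@fuller.edu"):
    """Variant 1. The format string turns the login name into a UPN and the
    handler binds as it. managerDN is never used and nothing is read back, so
    the result is a bare yes/no: an attribute map in the config does nothing."""
    return ad.bind(fmt % username, password), {}


def authn_bind_search(ad, username, password, manager_dn, manager_pw, base_dn,
                      search_attr="sAMAccountName",
                      wanted=("displayName", "memberOf")):
    """Variant 2. Bind as managerDN, resolve the user's DN by search, refuse
    anything but exactly one hit (the effect of allowMultipleDns=false), then
    bind as that DN and return the requested attributes."""
    if not ad.bind(manager_dn, manager_pw):
        raise RuntimeError("manager bind failed: check managerDN/managerPassword")
    hits = ad.search(base_dn, search_attr, username)
    if len(hits) != 1:
        return False, {}  # 0 hits: not under baseDn; >1 hits: ambiguous filter
    user = hits[0]
    if not ad.bind(user.dn, password):
        return False, {}
    return True, {a: list(user.attrs.get(a, [])) for a in wanted}


# Constructed sample domain (no real accounts); DN layout follows the thread.
BASE = "ou=fuller,dc=id,dc=fuller,dc=edu"
MANAGER_DN = "cn=casadmin,cn=users,dc=id,dc=fuller,dc=edu"  # outside baseDn
MANAGER_PW = "manager-secret"

DIRECTORY = FakeAD([
    Entry(MANAGER_DN, MANAGER_PW,
          {"sAMAccountName": ["CASADMIN"],
           "userPrincipalName": ["casadmin@fuller.edu"]}),
    # ordinary user: UPN is the AD default, sAMAccountName@domain
    Entry("cn=Alice Example," + BASE, "alice-pw",
          {"sAMAccountName": ["alice"],
           "userPrincipalName": ["alice@fuller.edu"],
           "displayName": ["Alice Example"],
           "memberOf": ["cn=EmployeeMembers,ou=groups," + BASE]}),
    # user whose UPN was changed by provisioning: direct bind by format fails
    Entry("cn=Robert Smith," + BASE, "bob-pw",
          {"sAMAccountName": ["bob"],
           "userPrincipalName": ["robert.smith@fuller.edu"],
           "displayName": ["Robert Smith"],
           "memberOf": ["cn=StudentMembers,ou=groups," + BASE]}),
])

if __name__ == "__main__":
    for user, pw in (("alice", "alice-pw"), ("bob", "bob-pw"), ("bob", "wrong")):
        print(user, "direct bind:", authn_direct_bind(DIRECTORY, user, pw))
        print(user, "bind+search:", authn_bind_search(
            DIRECTORY, user, pw, MANAGER_DN, MANAGER_PW, BASE))
```

The suggestion above to comment out the managerDN lines corresponds to authn_direct_bind ignoring them entirely; if a login still fails in that mode, the thing to compare is the exact UPN the format string produces against the account's userPrincipalName, which is what the ldapsearch in the thread can show. Against a real domain the same two flows need LDAPS with the server certificate trusted (ldap.trustedCert), which this offline model leaves out.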


From: Mike Seiler [mailto:[email protected]]
Sent: Wednesday, July 01, 2015 01:11
To: [email protected]
Subject: Re: [cas-user] Help with CAS 4.0 & AD

Thanks Mearl,

I'll take a look at implementing that method then instead of the first on the 
list.

In my command line searches, I've made sure to pull the userPrincipalName and 
they do indeed come back as [email protected].

Mike

On Tue, Jun 30, 2015 at 3:06 PM, Danner, Mearl 
<[email protected]> wrote:
If you need the memberOf attribute you’ll need to use the authenticated bind 
plus search method.

The method using only samaccountname does not return attributes. It only gives 
a yes/no on the authentication. The example shows an attribute map, but it will 
not do anything.

In your case about the authentication of your userid you might need to look at 
your AD record to see if the userPrincipalName is really your 
samaccountname@domain. It is that by default, but provisioning or an admin can 
change it.

From: Mike Seiler 
[mailto:[email protected]]
Sent: Tuesday, June 30, 2015 4:34 PM
To: [email protected]

Subject: Re: [cas-user] Help with CAS 4.0 & AD

Carl,

All of our users are in fact in one distinct OU in the AD (ou=fuller), and we 
then manage web access by the "memberOf" attribute in each of our individual 
external apps (e.g. StudentMembers, AlumMembers, EmployeeMembers, etc).  Right 
now, these apps only get the username from CAS -- and not the full attributes 
list -- and then have to perform a separate query to the AD to get the 
membership attribute for the authorization portion of logging in to the 
particular app.

I was hoping to bypass all that with v4.0's attribute mapping (among other 
added benefits), which is why I'm building out this new server.  It would give 
us a smaller maintenance footprint (fewer firewall mods, fewer certificate 
installs, fewer network calls, etc.); I know that the attribute mapping is 
possible in 3.5 (with some additional modifications), so I may just revert back 
to tinkering with a test instance of the current set up instead.

Thanks,

Mike

On Tue, Jun 30, 2015 at 2:03 PM, Waldbieser, Carl 
<[email protected]> wrote:
Mike,

I think the key part is "without performing a search" in the quote I pulled 
from the A/D section.
I am not sure how that is possible in traditional LDAP unless all the accounts 
are in a single ou that has been configured beforehand.
Our LDAP DIT is "context-crazy" aka "bushy", with accounts for different 
departments in different ous.

I am not sure how that would work using LDAP.  Could just be something unclear 
in the text, though.

Thanks,
Carl

----- Original Message -----
From: "Mike Seiler" <[email protected]>
To: [email protected]
Sent: Tuesday, June 30, 2015 4:59:00 PM
Subject: Re: [cas-user] Help with CAS 4.0 & AD

Carl,

Our current CAS server (3.5.2) simply binds as the manager and then
authenticates the user from the AD with a search.  To me, that first
paragraph & sample code seems to suggest that it does the same thing -
using only the manager credentials to authenticate the user.

Thanks,

Mike

On Tue, Jun 30, 2015 at 1:17 PM, Waldbieser, Carl 
<[email protected]>
wrote:

> Mike,
>
> I did notice this while going over the instructions:
>
>   "The following configuration authenticates users by sAMAccountName
> without performing a search, which requires manager/administrator
> credentials in most cases".
>
>   Is that something special you can do in A/D since sAMAccountName is
> guaranteed to be unique in the domain?  With typical LDAP authN, you need
> to do a search to get the full DN and then BIND as that DN.
>
> Still poking around ...
>
> Thanks,
> Carl
>
> ----- Original Message -----
> From: "Mike Seiler" 
> <[email protected]>
> To: [email protected]
> Sent: Tuesday, June 30, 2015 3:39:02 PM
> Subject: Re: [cas-user] Help with CAS 4.0 & AD
>
> Here's my cas.properties info:
> #========================================
> # General properties
> #========================================
> ldap.url=ldaps://id.fuller.edu
> ldap.connectTimeout=3000
> ldap.useStartTLS=false
>
> #========================================
> # LDAP connection pool configuration
> #========================================
> ldap.pool.minSize=3
> ldap.pool.maxSize=10
> ldap.pool.validateOnCheckout=false
> ldap.pool.validatePeriodically=true
> ldap.pool.blockWaitTime=3000
> ldap.pool.validatePeriod=300
> ldap.pool.prunePeriod=300
> ldap.pool.idleTime=600
>
> #========================================
> # Authentication
> #========================================
> # Base DN of users to be authenticated
> ldap.baseDn=ou=fuller,DC=id,DC=fuller,DC=edu
> # the CN=Users here because the CASADMIN is outside the "ou" we put our
> normal users into.
> ldap.authn.managerDN=CN=CASADMIN,CN=Users,DC=id,DC=fuller,DC=edu
> ldap.authn.managerPassword=XXXXXXXX
> ldap.domain=fuller.edu
> ldap.trustedCert=file:/etc/cas/id_app.pem
> # [The cut and paste deployer config doesn't actually use the below, but I
> modified them anyway]
> ldap.authn.searchFilter=(sAMAccountName=%s)
> ldap.authn.format=%[email protected]
>
> Thanks for taking a look at this.
>
> On Tue, Jun 30, 2015 at 12:06 PM, Waldbieser, Carl 
> <[email protected]>
> wrote:
>
> > Mike,
> >
> > Could you post the non-sensitive parts of your LDAP configuration?
> > We are using CAS 3.x and using OpenLDAP so it is not necessarily a good
> > match, but our settings look like:
> >
> > # == LDAP Authentication settings ==
> > ldap.authentication.filter=uid=%u
> > ldap.authentication.server.urls=ldaps://ldap.lafayette.edu
> > ldap.authentication.basedn=O=lafayette
> > ldap.authentication.manager.userdn=cn=casbrowser,o=lafayette
> > ldap.authentication.manager.password=REDACTED
> > ldap.authentication.ignorePartialResultException=true
> > ldap.authentication.scope=2
> > ldap.authentication.jndi.connect.timeout=3000
> > ldap.authentication.jndi.read.timeout=3000
> > ldap.authentication.jndi.security.level=simple
> >
> >
> > Thanks,
> > Carl
> >
> > ----- Original Message -----
> > From: "Mike Seiler" 
> > <[email protected]>
> > To: [email protected]
> > Sent: Tuesday, June 30, 2015 2:44:32 PM
> > Subject: Re: [cas-user] Help with CAS 4.0 & AD
> >
> > The AD is set to allow global search by all authenticated users; anything
> > else (resetting password, etc) requires the administrator credentials - but
> > we don't use the Password Manager in CAS - we do that externally via other
> > apps.  All we need is to determine that a user's account authenticates and
> > pass the attributes on to other applications.
> >
> > I'm using the deployerConfigContext defined here:
> >
> > http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html#active_directory_authentication
> > (The first code sample, which says "The following configuration
> > authenticates users by sAMAccountName without performing a search, which
> > requires manager/administrator credentials in most cases. It is therefore
> > the most performant and secure solution for the typical Active Directory
> > deployment.")
> >
> > *From the command line:* I am able to do an ldapsearch using my own
> > credentials (and looking up another user), and, of course, I am also able
> > to do a search for another user using the Admin credentials:
> >
> > ldapsearch -x -H ldaps://id.fuller.edu -b
> > "ou=fuller,dc=id,dc=fuller,dc=edu" -D
> > "[email protected]" -w
> > "admin_password" "(sAMAccountName=michaelseiler)" cn sn displayName
> > sAMAccountName pwdLastSet lastLogon mail memberof
> >
> > With either the admin credentials or my own, I get all requested data back
> > from the server, but with CAS the validation of my own personal account
> > credentials fails, and all I can seem to get from the error logs is that my
> > own personal credentials are invalid -- even though I can use them from the
> > command line and retrieve data for any user.
> >
> > It seems that this is a configuration error in CAS, but the error logs are
> > insufficient to help debug this.
> >
> > Setting up a proxy to track down issues is beyond my knowledge.  If there
> > is other documentation on setting up CAS 4.0 with LDAP that doesn't use the
> > Maven overlay method or the cut-and-paste code from the above URL, I'd be
> > happy to try that out at this point.
> >
> > --
> > You are currently subscribed to [email protected] as:
> > [email protected]
> > To unsubscribe, change settings or access archives, see
> > http://www.ja-sig.org/wiki/display/JSG/cas-user
> >
>
>
>
> --
> *Michael Seiler*
> --------------------------------------------------
> Systems Integration Engineer
> Fuller Theological Seminary
> Phone: (970) 306-6105
> [email protected]
>
> *Fuller Summer Hours:* Please note that all Fuller offices will be closed
> on Fridays from 7/3-8/28
> *Mike's Vacation Notice:* From 7/3-8/28 I will also be taking Mondays off,
> and will be out of the office for vacation 7/31 - 8/31
>
> *Please NOTE:*
> I respond to email at 8 AM, 1PM, and at 4:30PM.  If you need more immediate
> help, please contact TSS (626.584.5675) and they can route the issue to the
> appropriate person.  If this is a business process life or death emergency,
> you may call me at the above number.
>


