Re: [cas-user] CAS LDAP authentication with OpenLDAP aliases?

2022-05-19 Thread Ray Bon
Carl,

CAS uses ldaptive, https://www.ldaptive.org/. Its docs may shed some light.

Ray

On Thu, 2022-05-19 at 10:41 -0400, Carl Waldbieser wrote:
Notice: This message was sent from outside the University of Victoria email 
system. Please be cautious with links and sensitive information.

Ray,

No-- I don't want person "A" to be able to authenticate on behalf of person "B".

Currently, our users log on with a system assigned username.  I'd like them to 
also be able to claim their own username alias and be able to log on with that. 
 So for example, user "smithe" could have an alias "catlover86" and use that as 
their username.

OpenLDAP has a concept of alias entries for its DIT that can refer to other 
entries.  Potentially, I could use this, but there are some caveats:


  1.  The LDAP client has to explicitly dereference aliases.
  2.  When an entry is being dereferenced, it won't be returned in a search if 
you are searching for attributes on the alias itself.  This is because the 
filter matches the attributes on the dereferenced entry.

The 2nd rule is very counter-intuitive in my opinion.  It took me a while to 
wrap my head around what was going on.  But you can set the LDAP base DN to the 
alias during a SEARCH operation, and the dereferenced target will be returned 
assuming you have a filter that matches the target.

Typically, our 2 step BIND in CAS looks like this:


  1.  SEARCH the LDAP DIT for an entry with an attribute (let's say "uid") that 
matches the username provided.  This search is done while BINDed as a DN with 
elevated search privs.
  2.  Once a matching entry is found, BIND to it using the password provided.

CAS lets me set up a search filter like "(uid={user})" where it will do the 
substitution for "user", so this works fine.

To use aliases, I'd want to do something like:


  1.  SEARCH the LDAP DIT for an entry with a base DN of 
"uid={user},ou=aliases,o=myorg".  Again, the search would be done while BINDed 
as a DN with elevated search privs.
  2.  Once a matching *dereferenced* entry is found, BIND to it using the 
password provided.

The configuration I'm not sure about is that CAS would need to be able to 
substitute {user} into the base DN for the search, making sure to escape it 
properly.  Also, the SEARCH would need to indicate that alias entries should be 
dereferenced.

I'm not sure if CAS supports this without getting into some magical Java bean 
territory.

Thanks,
Carl Waldbieser


On Wed, May 18, 2022 at 7:09 PM Ray Bon wrote:
Carl,

Are you referring to surrogate authentication?
https://apereo.github.io/cas/6.4.x/authentication/Surrogate-Authentication.html

Ray

On Wed, 2022-05-18 at 16:23 -0400, Carl Waldbieser wrote:

If I have an entry and an alias in an OpenLDAP DIT such that searching on 
"alias" dereferences "entry", is it possible to configure CAS to perform a 2 
stage BIND in this way?

I.e.


  1.  User enters "alias" and password at the CAS login form.
  2.  CAS searches the DIT with LDAP base "uid=alias,ou=aliases,o=myorg" and a 
filter like "(objectClass=*)".
  3.  The actual entry dereferenced has DN 
"uid=entry,ou=somedepartment,o=myorg".
  4.  CAS attempts a BIND against this DN with the provided password.

It's not obvious from the documentation how one might configure that, or even 
if it is possible.

Thanks,
Carl Waldbieser


--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory 
the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose 
historical relationships with the land continue to this day.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/868a2f900c274818b9e38f466497d550f92d75a7.camel%40uvic.ca.




Re: [cas-user] CAS IDP OpenAthens error

2022-05-19 Thread Ray Bon
Thanh,

I have not used OpenAthens.
It looks like OpenAthens is sending a signed request to .../SAML2/Callback, but 
there is no signing cert in their metadata.
You may also be able to use the SAML config page at OpenAthens to configure it 
to not use the Callback.

Ray

On Wed, 2022-05-18 at 21:15 -0700, Thanh Nguyen wrote:

Dear CAS community and members around the world,

I am from a University in Vietnam. I got the error below while integrating my CAS 
server with OpenAthens via the SAML IdP. Please help me. Thanks a lot.

2022-05-19 11:12:54,217 WARN 
[org.opensaml.xmlsec.impl.BasicSignatureSigningParametersResolver] - 

2022-05-19 11:12:54,218 ERROR 
[org.springframework.boot.web.support.ErrorPageFilter] - 
org.apereo.cas.support.saml.SamlException: 
org.opensaml.saml.common.SAMLException: No signature signing parameter is 
available
at 
org.apereo.cas.support.saml.web.idp.profile.builders.enc.BaseSamlObjectSigner.encode(BaseSamlObjectSigner.java:128)
 ~[cas-server-support-saml-idp-5.2.5.jar:5.2.5]
at 
org.apereo.cas.support.saml.web.idp.profile.builders.enc.BaseSamlObjectSigner$$FastClassBySpringCGLIB$$1fa50f6e.invoke()
 ~[cas-server-support-saml-idp-5.2.5.jar:5.2.5]
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) 
~[spring-core-4.3.16.RELEASE.jar:4.3.16.RELEASE]
at 
org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:738)
 ~[spring-aop-4.3.16.RELEASE.jar:4.3.16.RELEASE]
at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
 ~[spring-aop-4.3.16.RELEASE.jar:4.3.16.RELEASE]
at 
org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:133)
 ~[spring-aop-4.3.16.RELEASE.jar:4.3.16.RELEASE]
at 
org.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:121)
 ~[spring-aop-4.3.16.RELEASE.jar:4.3.16.RELEASE]
at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
 ~[spring-aop-4.3.16.RELEASE.jar:4.3.16.RELEASE]
at 
org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:673)
 ~[spring-aop-4.3.16.RELEASE.jar:4.3.16.RELEASE]
at 
org.apereo.cas.support.saml.web.idp.profile.builders.enc.BaseSamlObjectSigner$$EnhancerBySpringCGLIB$$3fdada57.encode()
 ~[cas-server-support-saml-idp-5.2.5.jar:5.2.5]
at 
org.apereo.cas.support.saml.web.idp.profile.builders.response.SamlProfileSaml2ResponseBuilder.buildResponse(SamlProfileSaml2ResponseBuilder.java:111)
 ~[cas-server-support-saml-idp-5.2.5.jar:5.2.5]
at 
org.apereo.cas.support.saml.web.idp.profile.builders.response.SamlProfileSaml2ResponseBuilder.buildResponse(SamlProfileSaml2ResponseBuilder.java:48)
 ~[cas-server-support-saml-idp-5.2.5.jar:5.2.5]
at 
org.apereo.cas.support.saml.web.idp.profile.builders.response.BaseSamlProfileSamlResponseBuilder.build(BaseSamlProfileSamlResponseBuilder.java:80)
 ~[cas-server-support-saml-idp-5.2.5.jar:5.2.5]
at sun.reflect.GeneratedMethodAccessor548.invoke(Unknown Source) ~[?:?]
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 ~[?:1.8.0_181]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_181]
at 
org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333)
 ~[spring-aop-4.3.16.RELEASE.jar:4.3.16.RELEASE]
at 
org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
 ~[spring-aop-4.3.16.RELEASE.jar:4.3.16.RELEASE]
at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
 ~[spring-aop-4.3.16.RELEASE.jar:4.3.16.RELEASE]
at 
org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:133)
 ~[spring-aop-4.3.16.RELEASE.jar:4.3.16.RELEASE]
at 
org.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:121)
 ~[spring-aop-4.3.16.RELEASE.jar:4.3.16.RELEASE]
at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
 ~[spring-aop-4.3.16.RELEASE.jar:4.3.16.RELEASE]
at 
org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
 ~[spring-aop-4.3.16.RELEASE.jar:4.3.16.RELEASE]
at com.sun.proxy.$Proxy258.build(Unknown Source) ~[?:?]
at 
org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController.buildSamlResponse(AbstractSamlProfileHandlerController.java:606)
 ~[cas-server-support-saml-idp-5.2.5.jar:5.2.5]
at 
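
A check for the condition Ray describes above (the SP signs its requests but publishes no signing certificate), written as an added example; it is not CAS or OpenAthens code. The two metadata documents are constructed samples with placeholder certificate text, and the entity ID and endpoint URLs in them are made up. The function reports whether the SPSSODescriptor asserts AuthnRequestsSigned, which certificates are usable for signing (a KeyDescriptor with no use attribute counts for both signing and encryption), and flags the mismatch:

```python
"""Inspect SAML 2.0 SP metadata for a signed-request/no-signing-key mismatch.
Added example, not CAS code.  Sample metadata below is constructed; the
certificate bodies are placeholders, not real X.509 data."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: AuthnRequestsSigned="true" but only an encryption key published.
SP_MISSING_SIGNING_KEY = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-CERT-BASE64</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Same SP, but the KeyDescriptor carries no use attribute, so it also covers signing.
SP_WITH_SIGNING_KEY = SP_MISSING_SIGNING_KEY.replace(
    '<md:KeyDescriptor use="encryption">', "<md:KeyDescriptor>")


def inspect_sp_metadata(xml_text: str) -> dict:
    """Summarise the SPSSODescriptor and list signing-related problems.
    Metadata is treated as trusted input here; parse untrusted XML with defusedxml."""
    root = ET.fromstring(xml_text)
    sp = root.find(".//md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    requests_signed = sp.get("AuthnRequestsSigned", "false").lower() == "true"
    signing_certs, encryption_certs = [], []
    for kd in sp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not (cert.text or "").strip():
            continue
        body = "".join(cert.text.split())     # strip PEM line wrapping
        use = kd.get("use")                   # absent: valid for both uses
        if use in (None, "signing"):
            signing_certs.append(body)
        if use in (None, "encryption"):
            encryption_certs.append(body)
    acs = [(a.get("Binding"), a.get("Location"))
           for a in sp.findall("md:AssertionConsumerService", NS)]
    problems = []
    if requests_signed and not signing_certs:
        problems.append("AuthnRequestsSigned=true but no signing certificate: "
                        "the IdP cannot verify this SP's request signatures")
    if not acs:
        problems.append("no AssertionConsumerService endpoint published")
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": requests_signed,
        "signing_certs": signing_certs,
        "encryption_certs": encryption_certs,
        "acs": acs,
        "problems": problems,
    }


if __name__ == "__main__":
    for label, doc in (("missing signing key", SP_MISSING_SIGNING_KEY),
                       ("with signing key", SP_WITH_SIGNING_KEY)):
        print(label, "->", inspect_sp_metadata(doc)["problems"] or "OK")
```

Point it at the metadata CAS has registered for the SP (the file or URL named in the service definition) before changing anything on the OpenAthens side: if the report shows AuthnRequestsSigned with an empty signing_certs list, the metadata is incomplete, and either the SP has to publish its signing certificate or it has to stop signing requests.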

Re: [cas-user] CAS LDAP authentication with OpenLDAP aliases?

2022-05-19 Thread Daniel Fisher
On Wed, May 18, 2022 at 4:23 PM Carl Waldbieser 
wrote:

> If I have an entry and an alias in an OpenLDAP DIT such that searching on
> "alias" dereferences "entry", is it possible to configure CAS to perform a
> 2 stage BIND in this way?
>
> I.e.
>
>
>1. User enters "alias" and password at the CAS login form.
>2. CAS searches the DIT with LDAP base "uid=alias,ou=aliases,o=myorg"
>and a filter like "(objectClass=*)".
>3. The actual entry dereferenced has DN
>"uid=entry,ou=somedepartment,o=myorg".
>4. CAS attempts a BIND against this DN with the provided password.
>
>
It sounds like you need to set derefAliases to something other than the
default (NEVER).

https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties-Common.html#ldap-authenticationsearch-settings

--Daniel Fisher



Re: [cas-user] CAS LDAP authentication with OpenLDAP aliases?

2022-05-19 Thread Carl Waldbieser
Ray,

No-- I don't want person "A" to be able to authenticate on behalf of person
"B".

Currently, our users log on with a system assigned username.  I'd like them
to also be able to claim their own username alias and be able to log on
with that.  So for example, user "smithe" could have an alias "catlover86"
and use that as their username.

OpenLDAP has a concept of alias entries for its DIT that can refer to other
entries.  Potentially, I could use this, but there are some caveats:


   1. The LDAP client has to explicitly dereference aliases.
   2. When an entry is being dereferenced, it won't be returned in a search
   if you are searching for attributes on the alias itself.  This is because
   the filter matches the attributes on the dereferenced entry.

The 2nd rule is very counter-intuitive in my opinion.  It took me a while
to wrap my head around what was going on.  But you can set the LDAP base DN
to the alias during a SEARCH operation, and the dereferenced target will be
returned assuming you have a filter that matches the target.

Typically, our 2 step BIND in CAS looks like this:


   1. SEARCH the LDAP DIT for an entry with an attribute (let's say "uid")
   that matches the username provided.  This search is done while BINDed as a
   DN with elevated search privs.
   2. Once a matching entry is found, BIND to it using the password
   provided.

CAS lets me set up a search filter like "(uid={user})" where it will do the
substitution for "user", so this works fine.

To use aliases, I'd want to do something like:


   1. SEARCH the LDAP DIT for an entry with a base DN of
   "uid={user},ou=aliases,o=myorg".  Again, the search would be done while
   BINDed as a DN with elevated search privs.
   2. Once a matching *dereferenced* entry is found, BIND to it using the
   password provided.

The configuration I'm not sure about is that CAS would need to be able to
substitute {user} into the base DN for the search, making sure to escape it
properly.  Also, the SEARCH would need to indicate that alias entries
should be dereferenced.

I'm not sure if CAS supports this without getting into some magical Java
bean territory.

Thanks,
Carl Waldbieser


On Wed, May 18, 2022 at 7:09 PM Ray Bon  wrote:

> Carl,
>
> Are you referring to surrogate authentication?
>
> https://apereo.github.io/cas/6.4.x/authentication/Surrogate-Authentication.html
>
> Ray
>
> On Wed, 2022-05-18 at 16:23 -0400, Carl Waldbieser wrote:
>
>
> If I have an entry and an alias in an OpenLDAP DIT such that searching on
> "alias" dereferences "entry", is it possible to configure CAS to perform a
> 2 stage BIND in this way?
>
> I.e.
>
>
>1. User enters "alias" and password at the CAS login form.
>2. CAS searches the DIT with LDAP base "uid=alias,ou=aliases,o=myorg"
>and a filter like "(objectClass=*)".
>3. The actual entry dereferenced has DN
>"uid=entry,ou=somedepartment,o=myorg".
>4. CAS attempts a BIND against this DN with the provided password.
>
>
> It's not obvious from the documentation how one might configure that, or
> even if it is possible.
>
> Thanks,
> Carl Waldbieser
>

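
The alias flow Carl lays out (substitute the login name into the search base DN, dereference the alias, then BIND as the target), together with Daniel's point that derefAliases must be switched away from NEVER, as an added example; this is not CAS or ldaptive code. It uses an in-memory stand-in for the DIT with constructed sample entries, and bind() only simulates a simple BIND by comparing the stored password. The two escaping helpers are the part CAS would actually need: a value spliced into a DN follows RFC 4514, a value spliced into a filter follows RFC 4515, and the two are not interchangeable. The rule that an alias is only allowed to resolve into the people subtree is an assumption of mine, not something the thread states:

```python
"""Search-then-BIND through an OpenLDAP alias entry.  Added example; the DIT
below is constructed sample data and bind() is a simulation."""
import hmac
import re

DIT = {  # constructed sample directory: one person entry, one alias to it
    "uid=smithe,ou=somedepartment,o=myorg": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["smithe"],
        "userPassword": ["correct horse"],   # constructed, plaintext for the demo
    },
    "uid=catlover86,ou=aliases,o=myorg": {
        "objectClass": ["alias", "extensibleObject"],
        "uid": ["catlover86"],
        "aliasedObjectName": ["uid=smithe,ou=somedepartment,o=myorg"],
    },
}
ALIAS_CONTAINER = "ou=aliases,o=myorg"
PEOPLE_SUBTREE = "ou=somedepartment,o=myorg"   # assumed home of real accounts


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value inside a search filter, e.g. (uid={user})."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value inside a DN, e.g. uid={user},ou=..."""
    out, last = [], len(value) - 1
    for i, c in enumerate(value):
        if c == "\x00":
            out.append("\\00")
        elif c in '"+,;<>\\' or (i == 0 and c in "# ") or (i == last and c == " "):
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def alias_base_dn(user: str) -> str:
    """Step 1 base DN: the alias entry named after the login name."""
    return f"uid={escape_dn_value(user)},{ALIAS_CONTAINER}"


def ldapsearch_argv(user: str, bind_dn: str) -> list:
    """OpenLDAP ldapsearch invocation reproducing the search: base scope,
    aliases dereferenced (-a always), no attributes returned (1.1)."""
    return ["ldapsearch", "-x", "-D", bind_dn, "-W", "-a", "always",
            "-s", "base", "-b", alias_base_dn(user), "(objectClass=*)", "1.1"]


def _filter_matches(entry: dict, filt: str) -> bool:
    """Tiny RFC 4515 subset: one presence or equality assertion, case-insensitive."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if not m:
        raise ValueError("unsupported filter: " + filt)
    attr, wanted = m.group(1), m.group(2)
    values = entry.get(attr, [])
    if wanted == "*":
        return bool(values)
    wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), wanted)
    return any(v.lower() == wanted.lower() for v in values)


def search_base(dit: dict, base_dn: str, filt: str, deref_aliases: bool) -> list:
    """Base-object search.  With deref_aliases the alias is followed first and the
    filter is evaluated against the target entry, not the alias (Carl's rule 2)."""
    dn, entry = base_dn, dit.get(base_dn)
    if entry is None:
        return []
    hops = 0
    while deref_aliases and "alias" in entry.get("objectClass", []):
        dn, hops = entry["aliasedObjectName"][0], hops + 1
        entry = dit.get(dn)
        if entry is None or hops > 2:        # dangling alias, or alias chain/loop
            return []
    return [(dn, entry)] if _filter_matches(entry, filt) else []


def bind(dit: dict, dn: str, password: str) -> bool:
    """Simulated simple BIND; a real client opens a fresh connection and binds as dn."""
    stored = dit.get(dn, {}).get("userPassword", [""])[0]
    return hmac.compare_digest(stored.encode(), password.encode())


def search_then_bind(dit: dict, user: str, password: str):
    """Steps 1 and 2 of the alias flow.  Returns the authenticated DN or None."""
    hits = search_base(dit, alias_base_dn(user), "(objectClass=*)", deref_aliases=True)
    if len(hits) != 1:
        return None
    dn, _ = hits[0]
    # Assumed policy (mine): an alias may only resolve into the people subtree.
    if not dn.lower().endswith("," + PEOPLE_SUBTREE.lower()):
        return None
    return dn if bind(dit, dn, password) else None


if __name__ == "__main__":
    print(search_then_bind(DIT, "catlover86", "correct horse"))
    print(" ".join(ldapsearch_argv("catlover86", "cn=Auth Manager,o=myorg")))
```

The escaping is what keeps a login name such as "catlover86,ou=aliases,o=myorg" from rewriting the base DN: it becomes a single escaped RDN value that names no entry, so the search returns nothing and no BIND is attempted. Running the printed ldapsearch command as the CAS bind DN against the real server is the quickest way to confirm the alias resolves and that the ACLs allow the bind DN to read both the alias and its target; drop "-a always" and the same search returns only the alias entry.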


Re: [cas-user] CAS/LDAP user

2022-05-19 Thread Zaki Elmi Guelleh
Hi everyone,
I solved the problem; it was in cas.properties:
cas.authn.ldap[0].searchFilter=supannAliasLogin={user}

Thanks.

Now I want to change the user interface, and I can't find the location of
the CSS and logo.

Thanks everyone.



On Wed, May 18, 2022 at 19:13, Ray Bon wrote:

> Zaki,
>
> This is an ldap config issue.
> Either the testuser needs to be added to the people ou; or change the
> testuser dn to match what exists in ldap.
>
> Ray
>
> On Wed, 2022-05-18 at 09:54 +0300, Zaki Elmi Guelleh wrote:
>
>
> Hi Ray,
>
> When I use the command-line utility ldapsearch from the CAS server, I get
> this error: result: 32 No such object
> root@cas:/etc/cas/config# ldapsearch -h 192.168.143.200 -x -W -D
> "cn=testuser,ou=people,dc=example,dc=com"
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <> (default) with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 32 No such object
>
> # numResponses: 1
>
> On Wed, May 18, 2022 at 08:31, Zaki Elmi Guelleh wrote:
>
> Hi Ray,
> LDAP settings are correct.
> root@LDAPserv:~# ldapsearch -h 192.168.143.200 -x -W -D
> "cn=admin,dc=example,dc=com"
> # testuser, people, example.com
> dn: cn=testuser,ou=people,dc=example,dc=com
> cn: testuser
> gidNumber: 9802
> givenName: testuser
> homeDirectory: /home/users/testuser
> mail:
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: supannPerson
> sn: testuser
> supannEmpId: 1001
> supannEmpProfil:: QWRtaW5pc3RyYXRldXIgZHUgU3lzdMOobWUgJiBSw6lzZWF1
> supannEntiteAffectation:
> uid: testuser
> uidNumber: 10012
> userPassword:: e01ENX16QVBuUjZhdnU4djR2blpvclA2KzVRPT0=
>
>
> logs cas :
>
> =
> WHO: audit:unknown
> WHAT: {source=RankedMultifactorAuthenticationProviderWebflowEventResolver,
> event=success, timestamp=Wed May 18 07:23:54 CEST 2022}
> ACTION: AUTHENTICATION_EVENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Wed May 18 07:23:54 CEST 2022
> CLIENT IP ADDRESS: X.X.X.X
> SERVER IP ADDRESS: X.X.X.X
> =
>
> >
> 2022-05-18 07:24:07,465 INFO
> [org.apereo.cas.authentication.DefaultAuthenticationManager] -
> <[LdapAuthenticationHandler] exception details: [Unable to resolve user
> dn for testuser].>
> 2022-05-18 07:24:07,465 INFO
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =
> WHO: testuser
> WHAT: [UsernamePasswordCredential(username=testuser, source=null,
> customFields={})]
> ACTION: AUTHENTICATION_FAILED
> APPLICATION: CAS
> WHEN: Wed May 18 07:24:07 CEST 2022
> CLIENT IP ADDRESS: X.X.X.X
> SERVER IP ADDRESS: X.X.X.X
> =
>
>
> Thanks
>
>
>
> On Tue, May 17, 2022 at 19:23, Ray Bon wrote:
>
> zak,
>
> These are the settings I have for LDAP:
>
>
> cas.authn.ldap[0].type=AUTHENTICATED
> cas.authn.ldap[0].ldapUrl=ldaps://...
> cas.authn.ldap[0].connectTimeout=PT3S
> cas.authn.ldap[0].baseDn=ou=people,...
> cas.authn.ldap[0].subtreeSearch=true
> cas.authn.ldap[0].searchFilter=uid={user}
> cas.authn.ldap[0].bindDn=cn=Auth Manager,...
> cas.authn.ldap[0].bindCredential=...
> cas.authn.ldap[0].principalAttributeList=...
>
> You can use the command line utility, ldapsearch, to be sure your ldap
> settings are correct.
> Also check ldap logs.
>
> Ray
>
> On Tue, 2022-05-17 at 08:25 -0700, zak elmi wrote:
>
>
> Hi everyone.
>
> I have a problem that I haven't been able to solve for a long time.
>
>
> [org.apereo.cas.configuration.CasConfigurationPropertiesValidator] -
> 
>
> [APEREO CAS ASCII-art startup banner]
>
>
> CAS Version: 6.6.0-RC2
> CAS Branch: master
> CAS Commit Id: 7946bc20e93ed407274ca391864c8e67165b4c8c
> CAS Build Date/Time: 2022-05-10T11:39:56Z
> Spring Boot Version: 2.6.6
> Spring Version: 5.3.19
> Java Home: /usr/lib/jvm/jdk-11
> Java Vendor: Oracle Corporation
> Java Version: 11.0.15
> JVM Free Memory: 298 MB
> JVM Maximum Memory: 910 MB
> JVM Total Memory: 603 MB
> OS Architecture: amd64
> OS Name: Linux
> OS Version: 4.9.0-18-amd64
> OS Date/Time: 2022-05-17T16:45:45.852237
> OS Temp Directory: /opt/tomcat/latest/temp
> 
> Apache