So, I turned on ldaptive trace logs and inspected the CAS source code to
figure it out.
If you use authentication type AD, ldaptive does not use the baseDn to
authenticate, only the dnFormat parameter. So AD authenticates
anyu...@domain.com regardless of baseDN.
CAS then searches for the user
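As an added illustration of the behaviour described above (a constructed model, not ldaptive or CAS code): a dnFormat-style bind succeeds for any account in the domain, and only the follow-up entry search is scoped to baseDn, so a user outside the base DN binds successfully but resolves no entry. The directory entries, the domain name and the passwords are made up for the example.

```python
# Constructed model of the two DN-resolution strategies discussed in the thread.
# Not ldaptive or CAS code: a toy directory shows why a dnFormat bind (CAS type=AD)
# accepts users outside baseDn while a search scoped to baseDn does not.

DOMAIN = "domain.com"  # assumed UPN suffix, stands in for the thread's "...@domain.com"

# Constructed directory: DN -> (sAMAccountName, userPrincipalName, password)
DIRECTORY = {
    "CN=Alice,OU=Staff,DC=domain,DC=com": ("alice", "alice@domain.com", "alice-pw"),
    "CN=Bob,OU=Contractors,DC=domain,DC=com": ("bob", "bob@domain.com", "bob-pw"),
    "CN=svc-cas,OU=Service,DC=domain,DC=com": ("svc-cas", "svc-cas@domain.com", "bind-pw"),
}
BASE_DN = "OU=Staff,DC=domain,DC=com"  # the baseDn the server is configured with


def simple_bind_upn(upn, password):
    """Model of an AD simple bind by userPrincipalName: no base DN is involved."""
    return any(entry[1].lower() == upn.lower() and entry[2] == password
               for entry in DIRECTORY.values())


def in_subtree(dn, base_dn):
    """True when dn is base_dn itself or sits below it (subtree search)."""
    return dn.lower() == base_dn.lower() or dn.lower().endswith("," + base_dn.lower())


def find_entry(user, base_dn):
    """Search for sAMAccountName=user, but only within base_dn."""
    return next((dn for dn, e in DIRECTORY.items()
                 if e[0] == user and in_subtree(dn, base_dn)), None)


def authenticate_ad_type(user, password, dn_format="%s@" + DOMAIN, base_dn=BASE_DN):
    """type=AD model: bind with dn_format % user; baseDn only scopes the later entry search."""
    bound = simple_bind_upn(dn_format % user, password)
    entry = find_entry(user, base_dn)
    return bound, entry  # bound can be True while entry is None (user outside baseDn)


def authenticate_search_then_bind(user, password, base_dn=BASE_DN):
    """Search-first model: resolve the DN inside baseDn first, then bind as that DN."""
    entry = find_entry(user, base_dn)
    if entry is None:
        return False, None  # a user outside baseDn never reaches the bind step
    return DIRECTORY[entry][2] == password, entry
```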
Hello Richard, thanks for replying.
dnFormat is required for AD type authentication; CAS will not start without
it. The value "u...@domain.com" apparently is the default for ADs that
authenticate with sAMAccountName; I have seen many examples here like this.
I have tested other users outside
My guess is that the bind user is going to ignore the base DN as it happens
before the search is done. As for the rest, it likely should follow the base
DN. You may have something effectively double defined there that is causing it
to work outside. I'm not sure what the dnFormat parameter does.
Hello group,
We have a working installation of CAS 5.2.9 authenticating against Active
Directory.
However, we have noticed we are able to authenticate using credentials of a
user outside the BaseDN, including the bind user. How can we fix this?
Below are my authn.ldap configuration entries: