Re: [cas-user] CAS 5.2.9 Authenticating LDAP users outside baseDn

2021-03-31 Thread Alcides Moraes
So, I turned on ldaptive trace logs and inspected the CAS source code to 
figure it out.

If you use authentication type AD, ldaptive does not use the baseDn to 
authenticate, only the dnFormat parameter. So AD authenticates 
anyu...@domain.com regardless of baseDN.
CAS then searches for the user using userFilter AFTER the authentication. 
This fails since the user is not inside baseDn. 
However, this is OK for CAS, which only logs that the attributes for the 
object could not be found, and authentication succeeds.

Changing authentication type to AUTHENTICATED (and removing the dnFormat 
property) makes CAS search for the user with userFilter and baseDN BEFORE 
authentication, limiting the users able to authenticate.

On Wednesday, 31 March 2021 at 17:33:04 UTC-3, Alcides Moraes wrote:

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/027eea47-acdb-41a4-95d3-62171904fe83n%40apereo.org.
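The two orderings described above (bind first for type AD, search first for type AUTHENTICATED), as an added Python model run against a constructed in-memory directory. This is not CAS or ldaptive code; the directory entries, passwords and the `enforce_scope` switch are assumptions made for the illustration.

```python
# Added model (not CAS or ldaptive code) of the two LDAP authentication
# orderings from the thread, run against a constructed sample directory.
BASE_DN = "OU=Users,DC=domain3,DC=domain2,DC=domain1"
DN_FORMAT = "%s@domain3.domain2.domain1"   # dnFormat value from the thread

# Constructed sample directory: sAMAccountName -> (distinguishedName, password).
# "bind" is the service account, which lives outside OU=Users.
DIRECTORY = {
    "alice": ("CN=alice,OU=Staff,OU=Users,DC=domain3,DC=domain2,DC=domain1", "pw-alice"),
    "bind":  ("CN=bind,OU=Service,DC=domain3,DC=domain2,DC=domain1", "bindpassword"),
}

def _norm(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))

def dn_in_subtree(dn, base_dn):
    """True when dn is base_dn itself or lies below it (subtreeSearch: true)."""
    return _norm(dn) == _norm(base_dn) or _norm(dn).endswith("," + _norm(base_dn))

def bind(user, password):
    """Simple bind with the user@domain identity built from dnFormat.
    The domain checks the password only; baseDn plays no part here."""
    upn = DN_FORMAT % user                       # e.g. alice@domain3.domain2.domain1
    entry = DIRECTORY.get(upn.split("@", 1)[0])  # model: domain resolves the UPN
    return entry is not None and entry[1] == password

def search(user, base_dn):
    """userFilter (sAMAccountName={user}) evaluated under base_dn; None if no hit."""
    entry = DIRECTORY.get(user)
    return entry[0] if entry and dn_in_subtree(entry[0], base_dn) else None

def authenticate_ad(user, password, enforce_scope=False):
    """type: AD ordering -- bind first, search for attributes afterwards.
    A missing entry is only logged, so any account the domain accepts gets in.
    enforce_scope is a hypothetical extra check that turns it into a failure."""
    if not bind(user, password):
        return False
    found = search(user, BASE_DN)   # None for accounts outside baseDn
    return found is not None if enforce_scope else True

def authenticate_authenticated(user, password):
    """type: AUTHENTICATED ordering -- search under baseDn first, then bind.
    Accounts outside baseDn never reach the bind step."""
    if search(user, BASE_DN) is None:
        return False
    return bind(user, password)
```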


Re: [cas-user] CAS 5.2.9 Authenticating LDAP users outside baseDn

2021-03-31 Thread Alcides Moraes
Hello Richard, thanks for replying.

dnFormat is required for AD type authentication; CAS will not start without 
it. The value "u...@domain.com" apparently is the default for ADs that 
authenticate with sAMAccountName; I have seen many examples here like this.

I have tested other users outside the OU=Users and they are being 
authenticated. Subtree is desired; I have other OUs inside OU=Users.

On Wednesday, 31 March 2021 at 17:16:41 UTC-3, richard.frovarp wrote:



Re: [cas-user] CAS 5.2.9 Authenticating LDAP users outside baseDn

2021-03-31 Thread 'Richard Frovarp' via CAS Community
My guess is that the bind user is going to ignore the base DN as it happens 
before the search is done. As for the rest, it likely should follow the base 
DN. You may have something effectively double defined there that is causing it 
to work outside. I'm not sure what the dnFormat parameter does. You'll want to 
refer to the ldaptive documentation as to what those various values do:

http://www.ldaptive.org/v1/

Note that you'll want to list your DCs separately instead of just the one name 
to get failover. Also, you have subtree search on, so it will search in Users.

On Wed, 2021-03-31 at 12:51 -0700, Alcides Moraes wrote:



Re: [cas-user] Re: CAS 6.3.x Password Policy

2021-03-31 Thread Jérôme Rautureau
Hello

Same issue in 6.4RC branch.

Still trying to find where this URL can be set.

In the code, the message.format section has only one argument: the
number of days.

On Wed, 31 Mar 2021 at 04:44, Andy Ng wrote:

> Hi BN,
>
> Seems like you can override this file to set a custom URL.
>
>
> https://github.com/apereo/cas/blob/v6.3.3/support/cas-server-support-thymeleaf/src/main/resources/templates/fragments/pwdupdateform.html#L154
>
> However, I suspect this link can be set somewhere else as well, maybe you
> can trace the logic see if you can find where it is set.
> If not, I think this is a bug; it seems weird that you need to override a file to
> change such a URL.
>
> See if this helps,
>
> Cheers!
> Andy
>
>
>
> On Tuesday, 30 March 2021 at 22:08:23 UTC+8 Bartosz Nitkiewicz wrote:
>
>> Hi.
>> After a successful login to CAS I see the password expiration days warning. In
>> Polish messages_pl.properties there is this section:
>>
>> password.expiration.warning=Termin ważności hasła upływa za {0} dni.
>> Proszę zmienić hasło
>>
>> It gives me something like this:
>> Termin ważności hasła upływa za *11* <- this is the proper value dni. Proszę *11*
>> zmienić hasło.
>>
>> I noticed that in other languages there is: Please > class="link-change-password">change your password. So I've changed it
>> to *1.*
>>
>> I want to set this value for custom URL with application for changing
>> password.
>> Where should I look for it? Maybe there is some cas.properties setting
>> for it?
>> Any hints?
>> Regards
>> BN
>>
>>



[cas-user] CAS 5.2.9 Authenticating LDAP users outside baseDn

2021-03-31 Thread Alcides Moraes

Hello group,

We have a working installation of CAS 5.2.9 authenticating against Active 
Directory.

However, we have noticed we are able to authenticate using credentials of a 
user outside the BaseDN, including the bind user. How can we fix this?
Below are my authn.ldap configuration entries:

ldap[0]:
baseDn: OU=Users,DC=domain3,DC=domain2,DC=domain1
bindCredential: bindpassword
bindDn: bind
blockWaitTime: 5000
connectTimeout: 5000
dnFormat: '%s@domain3.domain2.domain1'
failFast: true
idleTime: 5000
ldapUrl: ldap://adserver
maxPoolSize: 10
minPoolSize: 3
principalAttributeId: sAMAccountName
principalAttributeList: 
sAMAccountName,displayName,givenName,mail,distinguishedName
prunePeriod: 5000
subtreeSearch: true
type: AD
useSsl: false
useStartTls: false
userFilter: (sAMAccountName={user})
validateOnCheckout: true
validatePeriod: 600
validatePeriodically: true
