Re: [cas-user] Question about using CAS with LDAP..?

2021-02-22 Thread Carl Waldbieser
KP,

Not sure exactly what you are trying to do, but typically you can use CAS
attributes to make authorization decisions instead of having to use LDAP to
make a separate query.  Your particular needs may be different.  In a
typical case, one might only allow subjects to use a service if the account
owner can authenticate with CAS *and* CAS releases a particular entitlement
value to the service during ticket validation.  So with mod_auth_cas,
something like:

In the httpd config for the mod_auth_cas module (e.g. cas.conf in
/etc/httpd/conf.d or some other conf include folder):

LoadModule auth_cas_module modules/mod_auth_cas.so

CASCookiePath /var/cache/mod_auth_cas/
CASLoginURL *${CAS_PREFIX}*/login
CASValidateURL *${CAS_PREFIX}*/samlValidate
CASValidateSAML On


In the vhost config:


CASScope /
AuthType CAS
Require cas-attribute eduPersonEntitlement:https://myservice.example.org/users


NOTE: The *${...}* syntax above is just a placeholder I am using-- I think
you actually can use environment variables in an Apache config with this
syntax, but I'm not suggesting that you ought to do that.
This example only allows users to log in if they can authenticate to CAS
and CAS releases an attribute named "eduPersonEntitlement" with a value of
"https://myservice.example.org/users".  You could use group memberships or
whatever attributes are appropriate.

That means that your web app is totally decoupled from your centralized
person directory.  CAS brokers the authentication and provides the
information necessary to make policy enforcement decisions.

Thanks,
Carl Waldbieser
ITS
Lafayette College

On Thu, Feb 11, 2021 at 6:32 PM KC Pullen  wrote:

> Hello,
>
> I'm currently using CAS to protect web directories on Linux Centos7 and
> Apache 2.4.6.
>
> I'd like to use LDAP to grant authorization to select groups.
>
> The following is a list the sites/blogs that I'm using for reference:
> - https://fy.blackhats.net.au/blog/html/2011/07/10/Mod_auth_cas.html
> - https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#authldapurl
> -
> https://stackoverflow.com/questions/8939487/how-to-support-require-group-foobar-in-mod-auth-cas
>
> Now, for "valid-user", there is no problem at all, but if I try to use
> LDAP and a filter, I'm getting the "Unauthorized" message.
>
> Below is a snippet from my conf file:
>
>
> 
>
> AuthName "Test password protection for  directory"
> AuthType CAS
> AuthLDAPURL "ldaps://mysite.edu:636/cn=Users,dc=nl,dc=edu?email?sub?(objectClass=*)"
> Require ldap-filter &(email=testu...@mysite.edu)
> # Require valid-user
>
> 
>
> Would anyone be able to take a look and provide a suggestion or two ?
> Maybe share a link to a blog or web-page..?
>
> Thank you kindly,
>
> KP
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CALt4NbNeY9Ox6bS4BMS8WcksVA%3D4DJOnGFDB2fWt4wRjE03r0w%40mail.gmail.com.
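Carl's vhost rule pushes the whole authorization decision into one released attribute. Below is an added example, not code from this thread or from mod_auth_cas, that shows what that rule amounts to on the service side: it parses a constructed CAS /samlValidate response (SAML 1.1 over SOAP, which is what mod_auth_cas consumes with CASValidateSAML On), refuses anything that is not a Success status issued for our own audience, and then evaluates a `Require cas-attribute name:value` rule against the released attributes, including the multi-valued eduPersonEntitlement case. The service URL, user name and attribute values are invented, and the exact, case-sensitive value comparison is an assumption of this example; check the README of your mod_auth_cas version for its matching rules.

```python
import xml.etree.ElementTree as ET

# Namespaces of a CAS SAML 1.1 (/samlValidate) response.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}

# Constructed sample of a successful validation; the service URL, user and
# attribute values are invented for this example.
SAMPLE_RESPONSE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Body>
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
      MajorVersion="1" MinorVersion="1" ResponseID="_r1"
      IssueInstant="2021-02-22T15:00:00Z" Recipient="https://myservice.example.org/">
   <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
   <saml:Assertion AssertionID="_a1" Issuer="cas.example.org"
       IssueInstant="2021-02-22T15:00:00Z" MajorVersion="1" MinorVersion="1">
    <saml:Conditions NotBefore="2021-02-22T15:00:00Z" NotOnOrAfter="2021-02-22T15:00:30Z">
     <saml:AudienceRestrictionCondition>
      <saml:Audience>https://myservice.example.org/</saml:Audience>
     </saml:AudienceRestrictionCondition>
    </saml:Conditions>
    <saml:AttributeStatement>
     <saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>
     <saml:Attribute AttributeName="eduPersonEntitlement"
         AttributeNamespace="http://www.ja-sig.org/products/cas/">
      <saml:AttributeValue>https://library.example.org/users</saml:AttributeValue>
      <saml:AttributeValue>https://myservice.example.org/users</saml:AttributeValue>
     </saml:Attribute>
     <saml:Attribute AttributeName="memberOf"
         AttributeNamespace="http://www.ja-sig.org/products/cas/">
      <saml:AttributeValue>cn=staff,ou=groups,dc=example,dc=org</saml:AttributeValue>
     </saml:Attribute>
    </saml:AttributeStatement>
   </saml:Assertion>
  </samlp:Response>
 </soap:Body>
</soap:Envelope>"""

# Constructed sample of a failed validation (bad or expired ticket).
FAILED_RESPONSE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Body>
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
      MajorVersion="1" MinorVersion="1" ResponseID="_r2" IssueInstant="2021-02-22T15:00:00Z">
   <samlp:Status><samlp:StatusCode Value="samlp:RequestDenied"/></samlp:Status>
  </samlp:Response>
 </soap:Body>
</soap:Envelope>"""


def parse_saml_validate(xml_text, expected_audience):
    """Return (user, {attribute: [values]}), or raise ValueError when the
    status is not Success or the assertion names a different audience."""
    root = ET.fromstring(xml_text)
    code = root.find(".//samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value", "").split(":")[-1] != "Success":
        raise ValueError("ticket validation did not succeed")
    if expected_audience not in [a.text for a in root.findall(".//saml:Audience", NS)]:
        raise ValueError("assertion was not issued for this service")
    name_id = root.find(".//saml:NameIdentifier", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion has no subject")
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("AttributeName"), []).extend(values)
    return name_id.text, attrs


def parse_cas_attribute_rule(spec, delimiter=":"):
    """Split a 'Require cas-attribute name:value' argument on the FIRST
    delimiter so that a URL-valued entitlement keeps its own colons."""
    name, sep, value = spec.partition(delimiter)
    if not (sep and name and value):
        raise ValueError("rule must look like <attribute>%s<value>" % delimiter)
    return name, value


def cas_attribute_allows(attrs, spec):
    """True when any released value of the named attribute equals the
    required value exactly (case-sensitive; an assumption of this example)."""
    name, value = parse_cas_attribute_rule(spec)
    return value in attrs.get(name, [])


def authorize(xml_text, expected_audience, spec):
    """Combined decision: validation must succeed AND the rule must match.
    Returns (allowed, user); a failed validation never yields a user."""
    try:
        user, attrs = parse_saml_validate(xml_text, expected_audience)
    except ValueError:
        return False, None
    return cas_attribute_allows(attrs, spec), user


if __name__ == "__main__":
    rule = "eduPersonEntitlement:https://myservice.example.org/users"
    for resp, aud in [(SAMPLE_RESPONSE, "https://myservice.example.org/"),
                      (SAMPLE_RESPONSE, "https://other.example.org/"),
                      (FAILED_RESPONSE, "https://myservice.example.org/")]:
        print(authorize(resp, aud, rule))
```

Run it directly to see the three decisions. Returning (False, None) for a failed validation, rather than an empty attribute set, means a mistyped Require line can never fall through to "authenticated but with no attributes"; the rule is evaluated only once the ticket and audience checks have passed, which is the ordering Carl's "authenticate *and* release the entitlement" description implies.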


Re: [cas-user] Question about using CAS with LDAP...?

2021-02-16 Thread KC Pullen
To provide an update

I was able to get this to work.  I needed a user-name and password for 
binding:

AuthLDAPBindDN username
AuthLDAPBindPassword password


Thanks for the assistance... 

On Friday, February 12, 2021 at 12:25:22 PM UTC-6 dhawes wrote:

> On Fri, 12 Feb 2021 at 12:25, KC Pullen  wrote:
> >
> >
> > Ray,
> >
> > I'll take a look at the LDAP logs and see if I can find anything...
>
> What do your mod_authnz_ldap logs say?
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/57826aed-7d91-4ec1-a39c-d135d056df0an%40apereo.org.


Re: [cas-user] Question about using CAS with LDAP...?

2021-02-12 Thread David Hawes
On Fri, 12 Feb 2021 at 12:25, KC Pullen  wrote:
>
>
> Ray,
>
> I'll take a look at the LDAP logs and see if I can find anything...

What do your mod_authnz_ldap logs say?

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAgu-wC76gvQ%3DBgo%2BkoqPv6zAw9tdLDYf6BB7xUY7vt0PZ1bKw%40mail.gmail.com.


Re: [cas-user] Question about using CAS with LDAP...?

2021-02-12 Thread 'Richard Frovarp' via CAS Community
In particular, I would either be looking at

https://apereo.github.io/cas/6.3.x/services/Configuring-Service-Access-Strategy.html

Or
https://github.com/apereo/mod_auth_cas
Require cas-attribute <attribute>:<value>

The first page you referenced is nearly a decade old, and brings an LDAP 
dependency into your HTTPD configuration. I'm guessing you can't anonymous bind 
to LDAP from HTTPD.


On Fri, 2021-02-12 at 15:10 +, 'Richard Frovarp' via CAS Community wrote:
I wouldn't mix the two methods. There's probably a way to make that work, but 
that's an HTTPD question, not a CAS question. You can have CAS authenticate 
against LDAP from the CAS IdP. That can either then return the list of 
attributes to have mod_auth_cas filter on. Or you can have the IdP do filtering 
on its side, depending on your needs.

On Thu, 2021-02-11 at 18:38 -0800, KC Pullen wrote:
Hello,

I'm currently using CAS to protect web directories on Linux Centos7 and Apache 
2.4.6.

I'd like to use LDAP to grant authorization to select groups.

The following is a list the sites/blogs that I'm using for reference:
- https://fy.blackhats.net.au/blog/html/2011/07/10/Mod_auth_cas.html
- https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#authldapurl
- 
https://stackoverflow.com/questions/8939487/how-to-support-require-group-foobar-in-mod-auth-cas

Now, for "valid-user", there is no problem at all, but if I try to use LDAP and 
a filter, I'm getting the "Unauthorized" message.

Below is a snippet from my conf file:




AuthName "Test password protection for  directory"
AuthType CAS
AuthLDAPURL "ldaps://mysite.edu:636/cn=Users,dc=mysite,dc=edu?email?sub?(objectClass=*)"
Require ldap-filter &(email=test...@mysite.edu)
# Require valid-user



Would anyone be able to take a look and provide a suggestion or two ?  Maybe 
share a link to a blog or web-page..?

Thank you kindly,

KP

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/79820f4a6a14b974fa03730a95270732e45e6f1c.camel%40ndsu.edu.
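Richard's first pointer is the server-side alternative: the access strategy attached to the service in the CAS service registry decides whether a principal may use the service at all, so the Apache side can be left at Require valid-user. As an added example that is neither CAS's own code nor part of this thread, the Python below loads a constructed JSON service definition in the registry's format and models the documented requiredAttributes, requireAllAttributes, caseInsensitive and enabled fields of DefaultRegisteredServiceAccessStrategy against a few constructed principals. It uses exact string comparison of values and models only those fields; the service id, name, numeric id and attribute values are invented.

```python
import json

# Constructed service definition in the CAS JSON service-registry format;
# the service id, name, numeric id and attribute values are invented.
SERVICE_JSON = r"""
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://myservice\\.example\\.org/.*",
  "name" : "myservice",
  "id" : 100,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true,
    "requireAllAttributes" : true,
    "caseInsensitive" : false,
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "eduPersonEntitlement" : [ "java.util.HashSet", [ "https://myservice.example.org/users" ] ],
      "eduPersonAffiliation" : [ "java.util.HashSet", [ "staff", "faculty" ] ]
    }
  }
}
"""
SERVICE = json.loads(SERVICE_JSON)

# Constructed principals, as CAS would resolve them from the directory.
STAFF = {"eduPersonEntitlement": ["https://myservice.example.org/users"],
         "eduPersonAffiliation": ["staff"]}
STUDENT = {"eduPersonEntitlement": ["https://library.example.org/users"],
           "eduPersonAffiliation": ["student"]}
CONTRACTOR = {"eduPersonEntitlement": ["https://myservice.example.org/users"],
              "eduPersonAffiliation": ["affiliate"]}


def required_attributes(strategy):
    """Flatten the Jackson-typed map into {attribute: set(values)}."""
    out = {}
    for name, spec in strategy.get("requiredAttributes", {}).items():
        if name == "@class":
            continue
        # Either [ "java.util.HashSet", [ ... ] ] or a plain list of values.
        values = spec[1] if len(spec) == 2 and isinstance(spec[1], list) else spec
        out[name] = set(values)
    return out


def evaluate_access(strategy, principal_attrs):
    """True when the principal satisfies the strategy. Models only enabled,
    requiredAttributes, requireAllAttributes and caseInsensitive, with exact
    string comparison of values (a simplification of the real strategy)."""
    if not strategy.get("enabled", True):
        return False
    required = required_attributes(strategy)
    if not required:
        return True  # no attribute requirement: any authenticated principal
    fold = str.lower if strategy.get("caseInsensitive", False) else str
    hits = []
    for name, wanted in required.items():
        have = {fold(v) for v in principal_attrs.get(name, [])}
        hits.append(bool(have & {fold(v) for v in wanted}))
    return all(hits) if strategy.get("requireAllAttributes", True) else any(hits)


if __name__ == "__main__":
    strict = SERVICE["accessStrategy"]
    relaxed = dict(strict, requireAllAttributes=False)
    for label, p in (("staff", STAFF), ("student", STUDENT), ("contractor", CONTRACTOR)):
        print(label, evaluate_access(strict, p), evaluate_access(relaxed, p))
```

With requireAllAttributes true the contractor is refused even though the entitlement is present, because every entry in the map must match; setting it to false turns the map into an OR. The decision is taken by the CAS server when the user is sent back to the service, so the service never sees a ticket for a refused principal, which is the trade-off Richard describes: the policy lives with the IdP rather than in the application's own configuration.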


Re: [cas-user] Question about using CAS with LDAP...?

2021-02-12 Thread Ray Bon
KC,

Perhaps it is the LDAP side of things that is having problems.

Are you able to look at LDAP logs?

Ray

On Thu, 2021-02-11 at 18:38 -0800, KC Pullen wrote:

Hello,

I'm currently using CAS to protect web directories on Linux Centos7 and Apache 
2.4.6.

I'd like to use LDAP to grant authorization to select groups.

The following is a list the sites/blogs that I'm using for reference:
- https://fy.blackhats.net.au/blog/html/2011/07/10/Mod_auth_cas.html
- https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#authldapurl
- 
https://stackoverflow.com/questions/8939487/how-to-support-require-group-foobar-in-mod-auth-cas

Now, for "valid-user", there is no problem at all, but if I try to use LDAP and 
a filter, I'm getting the "Unauthorized" message.

Below is a snippet from my conf file:




AuthName "Test password protection for  directory"
AuthType CAS
AuthLDAPURL "ldaps://mysite.edu:636/cn=Users,dc=mysite,dc=edu?email?sub?(objectClass=*)"
Require ldap-filter &(email=test...@mysite.edu)
# Require valid-user



Would anyone be able to take a look and provide a suggestion or two ?  Maybe 
share a link to a blog or web-page..?

Thank you kindly,

KP

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/26b11e0bc14651c0c6dfab5f41d93c06f8ae2b7b.camel%40uvic.ca.


Re: [cas-user] Question about using CAS with LDAP...?

2021-02-12 Thread 'Richard Frovarp' via CAS Community
I wouldn't mix the two methods. There's probably a way to make that work, but 
that's an HTTPD question, not a CAS question. You can have CAS authenticate 
against LDAP from the CAS IdP. That can either then return the list of 
attributes to have mod_auth_cas filter on. Or you can have the IdP do filtering 
on its side, depending on your needs.

On Thu, 2021-02-11 at 18:38 -0800, KC Pullen wrote:
Hello,

I'm currently using CAS to protect web directories on Linux Centos7 and Apache 
2.4.6.

I'd like to use LDAP to grant authorization to select groups.

The following is a list the sites/blogs that I'm using for reference:
- https://fy.blackhats.net.au/blog/html/2011/07/10/Mod_auth_cas.html
- https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#authldapurl
- 
https://stackoverflow.com/questions/8939487/how-to-support-require-group-foobar-in-mod-auth-cas

Now, for "valid-user", there is no problem at all, but if I try to use LDAP and 
a filter, I'm getting the "Unauthorized" message.

Below is a snippet from my conf file:




AuthName "Test password protection for  directory"
AuthType CAS
AuthLDAPURL "ldaps://mysite.edu:636/cn=Users,dc=mysite,dc=edu?email?sub?(objectClass=*)"
Require ldap-filter &(email=test...@mysite.edu)
# Require valid-user



Would anyone be able to take a look and provide a suggestion or two ?  Maybe 
share a link to a blog or web-page..?

Thank you kindly,

KP

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b73b5c47db40d3b46dc859b8c176761f45625b7f.camel%40ndsu.edu.


[cas-user] Question about using CAS with LDAP...?

2021-02-11 Thread KC Pullen
Hello,

I'm currently using CAS to protect web directories on Linux Centos7 and 
Apache 2.4.6.

I'd like to use LDAP to grant authorization to select groups.   

The following is a list the sites/blogs that I'm using for reference: 
- https://fy.blackhats.net.au/blog/html/2011/07/10/Mod_auth_cas.html
- https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#authldapurl
- 
https://stackoverflow.com/questions/8939487/how-to-support-require-group-foobar-in-mod-auth-cas

Now, for "valid-user", there is no problem at all, but if I try to use LDAP 
and a filter, I'm getting the "Unauthorized" message.

Below is a snippet from my conf file:




AuthName "Test password protection for  directory"
AuthType CAS
AuthLDAPURL "ldaps://mysite.edu:636/cn=Users,dc=mysite,dc=edu?email?sub?(objectClass=*)"
Require ldap-filter &(email=test...@mysite.edu)
# Require valid-user



Would anyone be able to take a look and provide a suggestion or two ?  
Maybe share a link to a blog or web-page..?   

Thank you kindly,

KP

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4b6a8c0a-e6b6-48fa-83bb-28328345ec8en%40apereo.org.


[cas-user] Question about using CAS with LDAP..?

2021-02-11 Thread KC Pullen
Hello,

I'm currently using CAS to protect web directories on Linux Centos7 and 
Apache 2.4.6.

I'd like to use LDAP to grant authorization to select groups.   

The following is a list the sites/blogs that I'm using for reference: 
- https://fy.blackhats.net.au/blog/html/2011/07/10/Mod_auth_cas.html
- https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#authldapurl
- 
https://stackoverflow.com/questions/8939487/how-to-support-require-group-foobar-in-mod-auth-cas

Now, for "valid-user", there is no problem at all, but if I try to use LDAP 
and a filter, I'm getting the "Unauthorized" message.

Below is a snippet from my conf file:




AuthName "Test password protection for  directory"
AuthType CAS
AuthLDAPURL "ldaps://mysite.edu:636/cn=Users,dc=nl,dc=edu?email?sub?(objectClass=*)"
Require ldap-filter &(email=testu...@mysite.edu)
# Require valid-user



Would anyone be able to take a look and provide a suggestion or two ?  
Maybe share a link to a blog or web-page..?   

Thank you kindly,

KP


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/de52d5e0-1f27-4b83-818d-6c0d5a252a57n%40apereo.org.