Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-27 Thread Marc Dufour
sn is an attribute in the AD schema used to store the last name of the user.

I did a quick search in Google and found this info that could help 
you: 
http://www.computerperformance.co.uk/Logon/LDAP_attributes_active_directory.htm

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/5e6694eb-47e6-4c11-a823-742449ba0720%40apereo.org.


Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-27 Thread Kevin Liu
Gotcha! Still a little confused about the principal attributes. Could you give 
a brief summary of how it works? What is an sn? And how does the parsing work?
Thanks 
Sent from my iPhone



Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-27 Thread Marc Dufour
I only need these attributes, so I limit the size of what it returned.

As for the bindDN, it is a regular Domain user, not an admin. It should 
only need read access to Active Directory.




Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-27 Thread Kevin Liu
Marc, what is the sn,givenName,memberOf,cn? Rather what is the 
principalAttributeList?
For your bindDN and bindCredentials, are you using an authenticating admin 
account or the user who's trying to get in?



Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-27 Thread Marc Dufour

Kevin, here are the properties that are working for me.

cas.authn.ldap[0].order=0
cas.authn.ldap[0].name=AD
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://servername:3269
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].baseDn=dc=DOMAIN,dc=TLD
cas.authn.ldap[0].userFilter=(userPrincipalName={user})
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].principalAttributeList=sn,givenName,memberOf,cn
cas.authn.ldap[0].bindDn=DN of user
cas.authn.ldap[0].bindCredential=Password



Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-26 Thread Kevin Liu
So I've included an extra ldap index to get around multiple OUs. I can now 
authenticate users but only with their full name and not their 
sAMAccountName. For example, on the cas login screen, if I put my 
sAMAccountName kliu as the username and the associated password, I get 
denied but if I put Kevin Liu I can login. It doesn't seem like 
userFilter=sAMAccountName={name} gets used as my sAMAccountName is kliu. 
Maybe I don't understand userFilter completely.

Marc, what other properties did you have to add to cas.properties? Your 
situation sounds very similar to mine.

Mathew:
Standard pom.xml with the following added:

<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-webapp${app.server}</artifactId>
  <version>${cas.version}</version>
  <type>war</type>
  <scope>runtime</scope>
</dependency>
<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-support-json-service-registry</artifactId>
  <version>${cas.version}</version>
</dependency>
<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-support-ldap</artifactId>
  <version>${cas.version}</version>
</dependency>

cas.properties:
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldap://xxx.xxx.xxx.xxx:xxx
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].subtreeSearch=true

cas.authn.ldap[0].baseDn=dc=beta,dc=gamma
cas.authn.ldap[0].userFilter=sAMAccountName={user}
cas.authn.ldap[0].dnFormat=CN=%s,OU=Delta,OU=alpha,DC=beta,DC=gamma

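The AD-versus-AUTHENTICATED difference this thread keeps circling back to, as an added Python model (not CAS or ldaptive code, and not from any poster): the AD flow binds with the DN built from dnFormat, so a CN built from the sAMAccountName kliu does not exist while the full name does; the AUTHENTICATED flow binds as the bindDn service account, searches under baseDn with userFilter, then binds as the one entry it found and returns the principalAttributeList attributes. The in-memory directory, the service account, the passwords and the RFC 4515 escaping of the {user} value are my assumptions.

```python
"""Toy model of the two CAS LDAP authentication modes discussed in this thread.
Constructed example: an in-memory dict stands in for Active Directory (no network,
no LDAP library); it models who binds with which DN and how {user} reaches the filter."""
import re

# Constructed sample entries (not real accounts). Kevin's DN in the thread has the
# full name as CN, which is why dnFormat=CN=%s cannot be fed the sAMAccountName.
DIRECTORY = {
    "CN=Kevin Liu,OU=Alpha,DC=beta,DC=gamma": {
        "sAMAccountName": "kliu",
        "userPrincipalName": "kliu@beta.gamma",
        "cn": "Kevin Liu", "givenName": "Kevin", "sn": "Liu",
        "memberOf": ["CN=cas-users,OU=Groups,DC=beta,DC=gamma"],
        "_password": "kevin-secret",    # stands in for the password AD would verify
    },
    "CN=svc-cas,OU=Service Accounts,DC=beta,DC=gamma": {
        "sAMAccountName": "svc-cas", "cn": "svc-cas",
        "_password": "service-secret",  # read-only bind account, like Marc's bindDn
    },
}

# RFC 4515 escaping for a value substituted into a search filter. Assumption: any
# filter builder should do this; the thread does not say how CAS handles {user}.
RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    return "".join(RFC4515_ESCAPES.get(ch, ch) for ch in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def get_attr(entry, name):
    """Attribute names are case-insensitive in LDAP; '_password' is never exposed."""
    for key, value in entry.items():
        if not key.startswith("_") and key.lower() == name.lower():
            return value
    return None

def simple_bind(dn, password):
    """Stand-in for an LDAP simple bind. An empty password must never succeed:
    that would be an unauthenticated bind, not a proof of identity."""
    entry = DIRECTORY.get(dn)
    return entry is not None and bool(password) and entry["_password"] == password

def render_user_filter(user_filter, username):
    """Substitute {user} in a CAS-style userFilter such as sAMAccountName={user}."""
    return user_filter.replace("{user}", escape_filter_value(username))

def search(base_dn, rendered_filter):
    """Subtree search for one equality assertion, with or without outer parentheses."""
    m = re.fullmatch(r"\(?([A-Za-z]+)=(.*?)\)?", rendered_filter)
    if not m:
        raise ValueError("unsupported filter: " + rendered_filter)
    attr, want = m.group(1), unescape_filter_value(m.group(2)).lower()
    hits = []
    for dn, entry in DIRECTORY.items():
        if not dn.lower().endswith(base_dn.lower()):
            continue
        values = get_attr(entry, attr)
        values = values if isinstance(values, list) else [values]
        if any(v is not None and v.lower() == want for v in values):
            hits.append((dn, entry))
    return hits

def authenticate_ad(dn_format, username, password):
    """'AD' type as used in the thread: build the DN from dnFormat and bind with it
    directly. Returns (success, dn_tried) so the caller sees which DN was bound."""
    dn = dn_format % username
    return simple_bind(dn, password), dn

def authenticate_searched(cfg, username, password):
    """'AUTHENTICATED' type as Marc uses it: bind as the service account, search with
    userFilter under baseDn, then bind as the single entry found. Returns the
    principalAttributeList attributes on success, None on any failure."""
    if not simple_bind(cfg["bindDn"], cfg["bindCredential"]):
        return None
    hits = search(cfg["baseDn"], render_user_filter(cfg["userFilter"], username))
    if len(hits) != 1:            # nothing found, or an ambiguous filter: deny
        return None
    dn, entry = hits[0]
    if not simple_bind(dn, password):
        return None
    wanted = [a.strip() for a in cfg["principalAttributeList"].split(",")]
    return {a: get_attr(entry, a) for a in wanted if get_attr(entry, a) is not None}

# Assumed configuration, shaped like the cas.properties shown in the thread.
SEARCH_CFG = {
    "bindDn": "CN=svc-cas,OU=Service Accounts,DC=beta,DC=gamma",
    "bindCredential": "service-secret",
    "baseDn": "DC=beta,DC=gamma",
    "userFilter": "(sAMAccountName={user})",
    "principalAttributeList": "sn,givenName,memberOf,cn",
}

if __name__ == "__main__":
    fmt = "CN=%s,OU=Alpha,DC=beta,DC=gamma"
    print("AD with sAMAccountName:", authenticate_ad(fmt, "kliu", "kevin-secret"))
    print("AD with full name:     ", authenticate_ad(fmt, "Kevin Liu", "kevin-secret"))
    print("AUTHENTICATED:         ", authenticate_searched(SEARCH_CFG, "kliu", "kevin-secret"))
```

Kevin's symptom falls out of the first two calls: with dnFormat the typed username is the CN, so only the full name binds, while the search-then-bind flow resolves kliu through the filter.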

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-26 Thread Marc Dufour
Since my DN is not fixed as I authenticate users at the Forest level, I 
could not use AD and used AUTHENTICATED instead, and 
used cas.authn.ldap[0].userFilter=(userPrincipalName={user}) as filter, 
with subtreeSearch set to true, and was able to authenticate on two 
different domains (but this is our setup, you should use sAMAccountName if 
this is what you need).



Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-26 Thread Kevin Liu
Okay so I've changed my cas.properties to reflect what you're saying. 

I'm getting an error which requires me to input a dnFormat. Fair enough, 
but looking at your documentation, it says to put %s which will get the 
username entered into the query. Does this mean that in your AD, your CN 
and sAMAccountName are the same? If so, I don't understand why it would be 
necessary to put a userFilter because otherwise you would be verifying 
twice, right? Once via dnFormat and then again with the userFilter. Sorry if 
I'm just being dumb and not seeing things. 


Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-26 Thread David Curry
Correct. If you're using the AD type, you should be using

cas.authn.ldap[0].userFilter:   sAMAccountName={user}

Putting "anything" in the username field and getting authenticated doesn't
sound right.

But if you're using AD and dnFormat, I'm almost positive that you DO NOT
want to have a "bindDn" or "bindCredential" in there. Those are for the
AUTHENTICATED (and other) types, not for the AD type.

--Dave



--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-26 Thread Kevin Liu
No worries! Reading the documents again, it looks like I may have confused a 
couple of things.
AD Active Directory - Users authenticate with sAMAccountName typically using 
a DN format.
It says that it authenticates using the sAMAccountName which should get 
passed in if we use cas.authn.ldap[0].userFilter=sAMAccountName={user} 
correct?
Right now, I can put anything in the username field and it gets 
authenticated. That can't be right?

On Monday, February 26, 2018 at 3:11:51 PM UTC-6, David Curry wrote:
>
> Sorry, I don't. But some other folks on the list have been doing other 
> kinds of logins, so maybe they do.
>
>
> On Mon, Feb 26, 2018 at 3:54 PM, Kevin Liu wrote:
>
>> Thanks, got it working! 
>>
>> I hope you don't mind me picking your brain a little further.  Do you 
>> have any experience with principalAttributeId fields? I'm wondering if I 
>> can first bind to LDAP, and then use username and password to authenticate 
>> instead and it looks like principalAttribute fields might be it.
>>
>> On Monday, February 26, 2018 at 2:36:13 PM UTC-6, David Curry wrote:
>>>
>>> I haven't tried it myself, but you ought to be able to put cas.log.level 
>>> back to "warn" and then add something like
>>>
>>> >> includeLocation="true"/>
>>>
>>>
>>> in the  section (down around line 61). See the comment right 
>>> there in the file for a little more info.
>>>
>>> --Dave
>>>
>>>
>>> On Mon, Feb 26, 2018 at 3:23 PM, Kevin Liu  wrote:
>>>
 I'm messing with the logger. Is it possible to have just LDAP debug 
 codes output? If so, how? Cause I can't seem to be able to shut off the 
 others without shutting off debug all together.

 On Monday, February 26, 2018 at 11:53:16 AM UTC-6, David Curry wrote:
>
> Well, you can start with log4j2.xml, and change
>
> warn
>
>
> to
>
> debug
>
>
> which will give you a lot of detail (all in cas.log) about what's 
> going on. If that doesn't give you what you want, you can also (or 
> instead) 
> change
>
> 
>
>
> to
>
> 
>
>
> to get debugging from the LDAP code itself.
>
> As for your second question... you've exceeded my level of knowledge 
> of AD/LDAP. I think the answer might be that you can't use the "AD" type 
> of 
> LDAP setup and will have to switch to the "AUTHENTICATED" type, but I'm 
> not 
> very sure of that answer.
>
> Perhaps someone else on the list can jump in.
>
> --Dave
>
>
> On Mon, Feb 26, 2018 at 12:43 PM, Kevin Liu  
> wrote:
>
>> Thank you Dave for providing additional insight!
>>
>> Just to add, the MSDN I was referring to above is actually a Microsoft 
>> Active Directory Server which I'm using the LDAP protocol to talk to (at 
>> least that is my understanding).
>>
>> I've got a few more questions. Is it possible to see what the LDAP is 
>> returning to CAS? Maybe via logs? Getting insight to what is being 
>> returned 
>> will help me get a better grasp on the LDAP CAS connections and 
>> communications.
>>
>> Also, in addition to multiple OUs, it turns out that the DN that is 
>> being used doesn't utilize a user's username but rather a user's full 
>> name 
>> as part of the DN.  For example, my DN is CN=Kevin Liu, OU=Alpha, 
>> DC=beta, 
>> DC=gamma instead of CN=kliu. Do you have any ideas on how I might get 
>> around that?
>>
>> On Friday, February 23, 2018 at 2:24:37 PM UTC-6, David Curry wrote:
>>>
>>>
>>> There are smarter (way smarter) LDAP people than me, but yeah, 
>>> that's kind of it. Some LDAPs (like AD) will let you bind as the user 
>>> him/herself to authenticate, others require you to use a special 
>>> account to 
>>> make the bind, and then authenticate the user. Although come to think 
>>> of 
>>> it, I think AD might only permit that over an LDAPS connection, which 
>>> might 
>>> be why you were havin

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-26 Thread David Curry
Sorry, I don't. But some other folks on the list have been doing other
kinds of logins, so maybe they do.


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-26 Thread Kevin Liu
Thanks, got it working! 

I hope you don't mind me picking your brain a little further.  Do you have 
any experience with principalAttributeId fields? I'm wondering if I can 
first bind to LDAP, and then use username and password to authenticate 
instead and it looks like principalAttribute fields might be it.


Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-26 Thread David Curry
I haven't tried it myself, but you ought to be able to put cas.log.level
back to "warn" and then add something like




in the  section (down around line 61). See the comment right there
in the file for a little more info.

--Dave





Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-26 Thread Kevin Liu
I'm messing with the logger. Is it possible to have just LDAP debug codes 
output? If so, how? Cause I can't seem to be able to shut off the others 
without shutting off debug altogether.


Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-26 Thread David Curry
Well, you can start with log4j2.xml, and change

warn


to

debug


which will give you a lot of detail (all in cas.log) about what's going on.
If that doesn't give you what you want, you can also (or instead) change




to




to get debugging from the LDAP code itself.

As for your second question... you've exceeded my level of knowledge of
AD/LDAP. I think the answer might be that you can't use the "AD" type of
LDAP setup and will have to switch to the "AUTHENTICATED" type, but I'm not
very sure of that answer.

Perhaps someone else on the list can jump in.

--Dave




Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-26 Thread Kevin Liu
Thank you Dave for providing additional insight!

Just to add, the MSDN I was referring to above is actually a Microsoft Active 
Directory Server which I'm using the LDAP protocol to talk to (at least 
that is my understanding).

I've got a few more questions. Is it possible to see what the LDAP is 
returning to CAS? Maybe via logs? Getting insight to what is being returned 
will help me get a better grasp on the LDAP CAS connections and 
communications.

Also, in addition to multiple OUs, it turns out that the DN that is being 
used doesn't utilize a user's username but rather a user's full name as 
part of the DN.  For example, my DN is CN=Kevin Liu, OU=Alpha, DC=beta, 
DC=gamma instead of CN=kliu. Do you have any ideas on how I might get 
around that?


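As an added illustration of the two approaches discussed in this thread (binding straight away with a templated dnFormat, versus binding with a service account, searching under baseDn with userFilter, then binding as the entry that was found), here is a Python model run against a constructed in-memory directory. It is example code, not CAS or ldaptive; the entries, passwords, the sAMAccountName filter and the %s placeholder convention of dnFormat are assumptions for the example.

```python
"""Two ways of resolving a login name to an LDAP DN before binding as the
user, modelled on the CAS settings discussed in this thread (baseDn,
subtreeSearch, userFilter, bindDn, bindCredential, dnFormat).
Added example with a constructed in-memory directory; not CAS or ldaptive code.
"""
import re
from typing import Callable, Dict, List, Optional

# Constructed sample directory: DN -> attributes. The CN is the person's full
# name rather than the login name, which is exactly the situation Kevin hit.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "CN=User 1,OU=Test,OU=alpha,DC=beta,DC=gamma": {
        "cn": "User 1", "sAMAccountName": "user1",
        "userPrincipalName": "user1@beta.gamma", "password": "user1Password",
    },
    "CN=Kevin Liu,OU=Delta,OU=Alpha,DC=beta,DC=gamma": {
        "cn": "Kevin Liu", "sAMAccountName": "kliu",
        "userPrincipalName": "kliu@beta.gamma", "password": "kliuSecret",
    },
}


def bind(name: str, password: str) -> bool:
    """Simple bind. Like AD, the toy server accepts either the full DN or the
    userPrincipalName, which is why user1 and user1@beta.gamma both worked."""
    for dn, attrs in DIRECTORY.items():
        if name.lower() in (dn.lower(), attrs["userPrincipalName"].lower()):
            return attrs["password"] == password
    return False


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter, so a
    typed login name containing * ( ) or \\ cannot widen the search."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def search(base_dn: str, ldap_filter: str, subtree: bool = True) -> List[str]:
    """Minimal server side: one equality filter (attr=value), where value is
    either a bare * (presence test) or an escaped literal."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, raw = m.group(1), m.group(2)
    literal = re.sub(r"\\([0-9a-fA-F]{2})",
                     lambda h: chr(int(h.group(1), 16)), raw).lower()
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith("," + base_dn.lower()):
            continue
        if not subtree and dn.count(",") != base_dn.count(",") + 1:
            continue
        value = attrs.get(attr, "").lower()
        if (raw == "*" and value) or value == literal:
            hits.append(dn)
    return hits


def resolve_by_format(user: str, dn_format: str) -> str:
    """CAS 'AD'-style resolution: the DN is a template. CAS's dnFormat takes a
    %s placeholder (from the CAS docs, not this thread). A template with no
    placeholder, as in Kevin's config, is a constant: every login maps to the
    same entry, so the typed username is never checked at all."""
    return dn_format.replace("%s", user)


def resolve_by_search(user: str, base_dn: str, user_filter: str,
                      bind_dn: str, bind_credential: str,
                      subtree: bool = True) -> Optional[str]:
    """CAS 'AUTHENTICATED'-style resolution: bind with the read-only service
    account, search for the user's entry and accept the DN only when exactly
    one entry matched (zero or several matches means no login)."""
    if not bind(bind_dn, bind_credential):
        return None
    ldap_filter = user_filter.replace("{user}", escape_filter_value(user))
    hits = search(base_dn, ldap_filter, subtree)
    return hits[0] if len(hits) == 1 else None


def authenticate(user: str, password: str,
                 resolver: Callable[[str], Optional[str]]) -> bool:
    """Resolve the DN, then bind as that DN with the password the user typed."""
    dn = resolver(user)
    return dn is not None and bind(dn, password)


# Kevin's dnFormat and baseDn from the thread; the service account is user1.
KEVIN_DN_FORMAT = "CN=User 1,OU=Test,OU=alpha,DC=beta,DC=gamma"
BASE_DN = "dc=beta,dc=gamma"


def login_format(user: str, password: str) -> bool:
    return authenticate(user, password,
                        lambda u: resolve_by_format(u, KEVIN_DN_FORMAT))


def login_search(user: str, password: str,
                 user_filter: str = "(sAMAccountName={user})") -> bool:
    """Kevin's cn={user} filter only matches if people type their full name."""
    return authenticate(user, password, lambda u: resolve_by_search(
        u, BASE_DN, user_filter, "user1@beta.gamma", "user1Password"))
```

With the placeholder-free dnFormat from Kevin's config, login_format succeeds for any typed username as long as the password is user1's, which is worth checking before relying on that setting.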
Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-23 Thread David Curry
There are smarter (way smarter) LDAP people than me, but yeah, that's kind
of it. Some LDAPs (like AD) will let you bind as the user him/herself to
authenticate, others require you to use a special account to make the bind,
and then authenticate the user. Although come to think of it, I think AD
might only permit that over an LDAPS connection, which might be why you
were having trouble.

Likewise, some LDAPs will let you retrieve attributes at the same time that
you authenticate, and others require you to make a separate request for
that. In our particular case, our LDAP contains a superset of the users in
AD (AD has "active" people, LDAP has "active" and "alumni"). But the two
directories have different (overlapping) sets of attributes, and we always
want to get all of them and merge them together, so in my CAS config, I do
the authentication and attribute retrieval separately.

I'm not sure how you get a dnFormat that handles multiple OUs, or if you
even can. In my case, we have almost everyone in a single OU, except for
some administrator accounts, which are in a separate OU. Rather than try
and handle them all together, I just punted and defined two different AD
configs for them, one for each OU. If you look at my documentation, you'll
note that ldap[0] and ldap[2] are actually the SAME AD server, they just
have different baseDN and dnFormat settings.

--Dave




On Fri, Feb 23, 2018 at 3:12 PM, Kevin Liu  wrote:

> Just to make sure I understand the LDAP and CAS connection properly, CAS
> is sending over a set of credentials to first access the LDAP correct? Is
> that the bindDN and bindCredential? Does it then search through the result
> query for userFilter for a match?
>
> Also, I'm a little confused about the dNFormat. I input directly what is
> the DN for user 1. However, for other users, since they belong to different
> OUs, how do I change the code such that it becomes more versatile?
>
> My eventual goal is for cas to authenticate users from a single OU.
>
> Thank you all for bearing with me so far and all my questions.
>
> On Friday, February 23, 2018 at 11:44:35 AM UTC-6, Kevin Liu wrote:
>>
>> I finally got it to talk to my LDAP! I've realized I should also put that
>> my LDAP is really a MSDN. It is in a very limited capacity though. Here is
>> my cas.properties and I hope someone can help me figure out how to expand
>> the scope of authentication. My apologies about the obfuscation.
>>
>> #AD Configurations
>> cas.authn.ldap[0].type=AD
>> cas.authn.ldap[0].ldapUrl=ldap://ladpserver:389
>> cas.authn.ldap[0].useSsl=false
>> cas.authn.ldap[0].useStartTls=false
>> cas.authn.ldap[0].connectTimeout=5000
>> cas.authn.ldap[0].subtreeSearch=true
>> cas.authn.ldap[0].baseDn=dc=beta,dc=gamma
>> cas.authn.ldap[0].userFilter=cn={user}
>> cas.authn.ldap[0].bindDn=user1@beta.gamma
>> cas.authn.ldap[0].bindCredential=user1Password
>> cas.authn.ldap[0].dnFormat=CN=User 1,OU=Test,OU=alpha,DC=beta,DC=gamma
>>
>> This configuration only works for 1 user, user1. How do I expand it such
>> that any user can input their credentials for validation?
>> Also interesting, for user1, they can input either user1 or
>> user1@beta.gamma and be able to login with the correct password.
>>
>>
>>
>>
>> On Friday, February 23, 2018 at 9:17:02 AM UTC-6, David Curry wrote:
>>>
>>> Yes, that looks like your DN.
>>>
>>> But if CAS is not starting, it's something else. Are you using 5.2.2?
>>> Can you post your pom.xml and cas.log files as attachments?
>>>
>>>
>>>
>>> --
>>>
>>> DAVID A. CURRY, CISSP
>>> *DIRECTOR OF INFORMATION SECURITY*
>>> INFORMATION TECHNOLOGY
>>>
>>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>>> 
>>> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>>>
>>> [image: The New School]
>>>
>>> On Fri, Feb 23, 2018 at 9:56 AM, Kevin Liu  wrote:
>>>
 For my own account, when I execute the LDAP query in my first post, I
 can't see my own DN but I can see what I'm a member of. Is the listed
 member field my DN?

 member: CN=Kevin Liu,OU=Delta,OU=Alpha,DC=Beta,DC=Gamma

 Would this be my DN?

 On Friday, February 23, 2018 at 6:17:22 AM UTC-6, alberto wrote:
>
> On Thu, 22 Feb 2018 13:43:05 -0800 (PST)
> Kevin Liu  wrote:
>
> > Correct me if I'm wrong but looking at the directory, not everyone
> > has a DN. Some users are only members of a group it looks like.
>
> I don't think so. DN is the ultimate identifier in LDAP/AD. As stated
> in MSDN: «The LDAP API references an LDAP object by its distinguished
> name (DN)». Even a group have a DN so you can perform operations on
> it.
>
> ( Source: https://msdn.microsoft.com/en-us/library/aa36610

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-23 Thread Kevin Liu
Just to make sure I understand the LDAP and CAS connection properly: CAS is
sending over a set of credentials to first access the LDAP, correct? Is that
the bindDn and bindCredential? Does it then search through the result query
for userFilter for a match?

Also, I'm a little confused about the dnFormat. I input directly what the DN
is for user 1. However, for other users, since they belong to different
OUs, how do I change the code such that it becomes more versatile?

My eventual goal is for CAS to authenticate users from a single OU.

Thank you all for bearing with me so far and all my questions.


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/197ffc37-0e97-4a1b-b997-30c462259b65%40apereo.org.


Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-23 Thread David Curry
I'm not sure what you mean by your LDAP is really a MSDN, but...

If you're using the "AD" type, then you want (according to the
documentation), this:

cas.authn.ldap[0].userFilter=cn={user}


to be:

cas.authn.ldap[0].userFilter=sAMAccountName={user}


And you should not need (and perhaps should not have) these:

cas.authn.ldap[0].bindDn=user1@beta.gamma
cas.authn.ldap[0].bindCredential=user1Password


At least, you don't need them on "real" AD -- maybe you do need them on
whatever an "MSDN AD" is.

Finally, and probably most important (I would try changing just this one
setting first), you want this:

cas.authn.ldap[0].dnFormat=CN=User 1,OU=Test,OU=alpha,DC=beta,DC=gamma


to be this:

cas.authn.ldap[0].dnFormat=CN=%s,OU=Test,OU=alpha,DC=beta,DC=gamma


so that CAS can fill in the username to the authentication request.

--Dave




Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-23 Thread Kevin Liu
I finally got it to talk to my LDAP! I've realized I should also put that
my LDAP is really an MSDN. It is in a very limited capacity though. Here is
my cas.properties and I hope someone can help me figure out how to expand
the scope of authentication. My apologies about the obfuscation.

#AD Configurations
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldap://ladpserver:389
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].baseDn=dc=beta,dc=gamma
cas.authn.ldap[0].userFilter=cn={user}
cas.authn.ldap[0].bindDn=user1@beta.gamma
cas.authn.ldap[0].bindCredential=user1Password
cas.authn.ldap[0].dnFormat=CN=User 1,OU=Test,OU=alpha,DC=beta,DC=gamma

This configuration only works for 1 user, user1. How do I expand it such 
that any user can input their credentials for validation?
Also interesting, for user1, they can input either user1 or 
user1@beta.gamma and be able to login with the correct password.





To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/85619ded-76ed-458e-8e23-a887cffb945a%40apereo.org.


Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-23 Thread David Curry
Yes, that looks like your DN.

But if CAS is not starting, it's something else. Are you using 5.2.2? Can
you post your pom.xml and cas.log files as attachments?



On Fri, Feb 23, 2018 at 9:56 AM, Kevin Liu  wrote:

> For my own account, when I execute the LDAP query in my first post, I
> can't see my own DN but I can see what I'm a member of. Is the listed
> member field my DN?
>
> member: CN=Kevin Liu,OU=Delta,OU=Alpha,DC=Beta,DC=Gamma
>
> Would this be my DN?
>
> On Friday, February 23, 2018 at 6:17:22 AM UTC-6, alberto wrote:
>>
>> On Thu, 22 Feb 2018 13:43:05 -0800 (PST)
>> Kevin Liu  wrote:
>>
>> > Correct me if I'm wrong but looking at the directory, not everyone
>> > has a DN. Some users are only members of a group it looks like.
>>
>> I don't think so. DN is the ultimate identifier in LDAP/AD. As stated
>> in MSDN: «The LDAP API references an LDAP object by its distinguished
>> name (DN)». Even a group has a DN so you can perform operations on it.
>>
>> ( Source: https://msdn.microsoft.com/en-us/library/aa366101(v=vs.85).aspx
>> )
>>
>> --
>> Alberto Cabello Sánchez
>> Servicio de Informática
>> Universidad de Extremadura
>>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit https://groups.google.com/a/
> apereo.org/d/msgid/cas-user/4c960c01-c31d-4c3b-8386-
> c9dadafaf812%40apereo.org
> 
> .
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAN%3DWv9mJ3coWpvjcYMOWFUkp3syxLCDRNtvRX8Y3v9tgQ%40mail.gmail.com.


Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-22 Thread David Curry
My guess would be you don't have enough privileges to see everything you
need to see, but that's just a guess. Your question goes beyond my level of
AD/LDAP knowledge, but I've always been under the impression that
everything has to have a DN.


David A. Curry,  CISSP
Director of Information Security
The New School - Information Technology
71 Fifth Ave., 9th Fl. ~ New York, NY 10003
+1 212 229-5300 x4728 ~ david.cu...@newschool.edu
Sent from my phone; please excuse typos and inane auto-corrections.



Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-22 Thread Kevin Liu
Correct me if I'm wrong but looking at the directory, not everyone has a
DN. Some users are only members of a group it looks like. Is this because
my account doesn't have high enough privilege to see everyone? But at the
very least I should be able to see myself, right? Or is it possible for not
every user to have their own DN?


Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-22 Thread David Curry
If you look up a user in your directory, what does the DN for that user
look like? That's what the dnFormat should look like, except that you
replace the username with a "%s" for CAS to fill in.

So, for example, the DN for our accounts looks like this:

cn=gnarls,ou=TNSUsers,dc=tns,dc=newschool,dc=edu


(where "gnarls" is the username) so dnFormat looks like this:

cn=%s,ou=TNSUsers,dc=tns,dc=newschool,dc=edu


Also, if you're really going against AD, you probably want to change

cas.authn.ldap[0].userFilter=cn={user}


to

cas.authn.ldap[0].userFilter=sAMAccountName={user}


--Dave



Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-22 Thread Kevin Liu
So it looks like it's because I'm missing a dnFormat value? I'm not exactly 
sure how I should format my dnFormat. Could I get some help?

On Thursday, February 22, 2018 at 2:47:47 PM UTC-6, David Curry wrote:
>
> I don't see an error there. Did your copy and paste not capture everything?
>
> --Dave
>
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david.cu...@newschool.edu 
>
> [image: The New School]
>
> On Thu, Feb 22, 2018 at 3:43 PM, Kevin Liu  > wrote:
>
>> I tried following that but this is my error still:
>>
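Following up on the dnFormat question, an added example that is not code from this thread or from the CAS project: a small Python check for the cas.authn.ldap[0] block Kevin posted. It encodes that the AD (and DIRECT) type builds the user DN from dnFormat, so that key must be present, and flags a plain ldap:// URL with useSsl and useStartTls both off, since the bind password then crosses the wire in cleartext. The required-key table, the ldaps port and the UPN-style dnFormat are assumptions, not values from the thread.

```python
"""Lint the cas.authn.ldap[N].* block of a CAS 5.x cas.properties file."""
import re
from typing import Dict, List

# Keys each LDAP authentication type needs before CAS can bind the user.
# Assumption: follows the CAS 5.2 documentation for these four types.
REQUIRED = {
    "AD": ["ldapUrl", "dnFormat"],
    "DIRECT": ["ldapUrl", "dnFormat"],
    "AUTHENTICATED": ["ldapUrl", "baseDn", "userFilter", "bindDn", "bindCredential"],
    "ANONYMOUS": ["ldapUrl", "baseDn", "userFilter"],
}

# '=' and ':' are both legal key/value separators in a Java .properties file.
LINE = re.compile(r"^\s*cas\.authn\.ldap\[(\d+)\]\.([\w.]+)\s*[=:]\s*(.*?)\s*$")


def parse_ldap_blocks(text: str) -> Dict[int, Dict[str, str]]:
    """Group cas.authn.ldap[N].key=value lines by index N, skipping comments."""
    blocks: Dict[int, Dict[str, str]] = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        m = LINE.match(raw)
        if m:
            blocks.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return blocks


def render_dn(dn_format: str, username: str) -> str:
    """DN CAS derives for AD/DIRECT: dnFormat with %s replaced by the login name."""
    return dn_format.replace("%s", username)


def lint_block(idx: int, props: Dict[str, str]) -> List[str]:
    """Return findings for one cas.authn.ldap[idx] block (empty list = ok)."""
    findings: List[str] = []
    ldap_type = props.get("type", "").upper()
    if ldap_type not in REQUIRED:
        return [f"ldap[{idx}]: unknown or missing type {ldap_type!r}"]
    for key in REQUIRED[ldap_type]:
        if not props.get(key):
            findings.append(f"ldap[{idx}]: type={ldap_type} requires {key}")
    url = props.get("ldapUrl", "")
    ssl = props.get("useSsl", "false").lower() == "true"
    tls = props.get("useStartTls", "false").lower() == "true"
    if url.startswith("ldap://") and not (ssl or tls):
        findings.append(f"ldap[{idx}]: {url} without useSsl or useStartTls sends the bind password in cleartext")
    if "dnFormat" in props and "%s" not in props["dnFormat"]:
        findings.append(f"ldap[{idx}]: dnFormat lacks %s, so every login would resolve to the same DN")
    return findings


def lint(text: str) -> List[str]:
    out: List[str] = []
    for idx, props in sorted(parse_ldap_blocks(text).items()):
        out.extend(lint_block(idx, props))
    return out


# Constructed sample: the block posted in this thread (type=AD, no dnFormat).
THREAD_CONFIG = """\
#AD Configurations
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldap://alpha.beta.gamma:389
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].baseDn=dc=beta,dc=gamma
cas.authn.ldap[0].userFilter=cn={user}
cas.authn.ldap[0].bindDn=user@beta.gamma
cas.authn.ldap[0].bindCredential=userPassword
"""

# Constructed fix (assumption, not from the thread): LDAPS on 636 and a
# UPN-style dnFormat matching the user@beta.gamma bind that ldapsearch accepted.
FIXED_CONFIG = THREAD_CONFIG.replace("ldap://alpha.beta.gamma:389", "ldaps://alpha.beta.gamma:636") \
    .replace("useSsl=false", "useSsl=true") + "cas.authn.ldap[0].dnFormat=%s@beta.gamma\n"

if __name__ == "__main__":
    for label, cfg in (("as posted", THREAD_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg) or ["ok"])
    print(render_dn("%s@beta.gamma", "kliu"))
```

Run as a script it lints the posted block, then the corrected one, and prints the DN CAS would derive for a sample login.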

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-22 Thread Kevin Liu
My apologies Dave, it did get cut off. Thank you for taking a look, by the way.


2018-02-22 14:45:59,086 WARN 
[org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext]
- 
2018-02-22 14:45:59,086 WARN 
[com.ryantenney.metrics.spring.config.annotation.MetricsConfigurerAdapter] 
- 
org.springframework.beans.factory.BeanCreationNotAllowedException: 
Error creating bean with name 'casMetricsConfiguration': Singleton bean 
creation not allowed while singletons of this factory are in destruction 
(Do not request a bean from a BeanFactory in a destroy method 
implementation!)

On Thursday, February 22, 2018 at 2:47:47 PM UTC-6, David Curry wrote:
>
> I don't see an error there. Did your copy and paste not capture everything?
>
> --Dave
>
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david.cu...@newschool.edu 
>
> [image: The New School]
>
> On Thu, Feb 22, 2018 at 3:43 PM, Kevin Liu  > wrote:
>
>> I tried following that but this is my error still:
>>

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-22 Thread David Curry
I don't see an error there. Did your copy and paste not capture everything?

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

[image: The New School]

On Thu, Feb 22, 2018 at 3:43 PM, Kevin Liu  wrote:

> I tried following that but this is my error still:
>

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-22 Thread Kevin Liu
I tried following that but this is my error still:

2018-02-22 14:40:41,986 DEBUG 
[org.apereo.cas.configuration.support.CasConfigurationJasyptDecryptor] - 

2018-02-22 14:40:41,995 DEBUG 
[org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] 
- 
2018-02-22 14:40:41,996 DEBUG 
[org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] 
- 
2018-02-22 14:40:41,997 DEBUG 
[org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] 
- 
2018-02-22 14:40:42,042 DEBUG 
[org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] 
- 
2018-02-22 14:40:42,044 DEBUG 
[org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] 
- 
2018-02-22 14:40:42,046 DEBUG 
[org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] 
- 
2018-02-22 14:40:45,698 WARN 
[org.apereo.cas.config.CasCoreTicketsConfiguration] - 
2018-02-22 14:40:49,289 DEBUG 
[org.apereo.cas.config.CasCoreAuthenticationConfiguration] - 
2018-02-22 14:40:49,318 DEBUG 
[org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - 

2018-02-22 14:40:49,333 DEBUG 
[org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - 

2018-02-22 14:40:49,355 DEBUG 
[org.apereo.cas.authentication.CoreAuthenticationUtils] - 
2018-02-22 14:40:49,355 DEBUG 
[org.apereo.cas.config.LdapAuthenticationConfiguration] - ldap://alpha.beta.gamma:389]...>
2018-02-22 14:40:49,357 DEBUG 
[org.apereo.cas.config.LdapAuthenticationConfiguration] - ldap://alpha.beta.gamma:389] and baseDn 
[dc=beta,dc=gamma]>
2018-02-22 14:40:49,375 DEBUG [org.apereo.cas.util.LdapUtils] - ldap://alpha.beta.gamma:389]>
2018-02-22 14:40:49,377 WARN 
[org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext]
 
- 
org.springframework.beans.factory.BeanCreationNotAllowedException: Error 
creating bean with name 'casMetricsConfiguration': Singleton bean creation 
not allowed while singletons of this factory are in destruction (Do not re
at 
org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:216)
 
~[spring-beans-4.3.12.RELEASE.jar:4.3.12.RELEASE]


On Thursday, February 22, 2018 at 2:36:17 PM UTC-6, David Curry wrote:
>
> You might find the examples here helpful:
>
>
> https://dacurry-tns.github.io/deploying-apereo-cas/building_server_ldap_overview.html
>
> There's an Active Directory configuration (two, actually) and an LDAP 
> configuration. Authentication and attribute retrieval.
>
> If those don't help, then please post the relevant line(s) from the log 
> file showing the error, and, if you have it turned on, debug messages.
>
> --Dave
>
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david.cu...@newschool.edu 
>
> [image: The New School]
>
> On Thu, Feb 22, 2018 at 2:46 PM, Kevin Liu  > wrote:
>
>> I've now changed it to this:
>>
>>
>> #AD Configurations
>> cas.authn.ldap[0].type=AD
>> cas.authn.ldap[0].ldapUrl=ldap://alpha.beta.gamma:389
>> #cas.authn.ldap[0].connectionStrategy=
>> cas.authn.ldap[0].useSsl=false
>> cas.authn.ldap[0].useStartTls=false
>> cas.authn.ldap[0].connectTimeout=5000
>> cas.authn.ldap[0].subtreeSearch=true
>>
>> cas.authn.ldap[0].baseDn=dc=beta,dc=gamma
>> cas.authn.ldap[0].userFilter=cn={user}
>> cas.authn.ldap[0].bindDn=user@beta.gamma
>> cas.authn.ldap[0].bindCredential=userPassword
>>
>> Still not working with the same error.
>>
>>
>>
>> On Thursday, February 22, 2018 at 1:32:54 PM UTC-6, Kevin Liu wrote:
>>>
>>> Hello,
>>>
>>> I can't seem to make heads or tails of getting CAS to talk to LDAP.
>>>
>>> I know my LDAP is working because using the following command, I can see 
>>> all LDAP entries:
>>>
>>> ldapsearch -x -h alpha.beta.gamma -D user@beta.gamma -W -b 
>>> "dc=beta,dc=gamma" 
>>>
>>> My assumption is that since these credentials are being accepted by 
>>> LDAP, I just have to configure CAS to use them. Is this correct?
>>>
>>> So far, my cas.properties contains the following:
>>>
>>> cas.authn.ldap[0].order: 0
>>> cas.authn.ldap[0].name: LDAP
>>> cas.authn.ldap[0].type: AD
>>> cas.authn.ldap[0].ldapUrl: ldap://alpha.beta.gamma:389
>>> cas.authn.ldap[0].baseDn: dc=di2e,dc=civ
>>>
>>> This is not working as I get a ton of errors saying that CAS has not 
>>> connected to LDAP.
>>>

Re: [cas-user] Re: CAS5.2 Connect to LDAP

2018-02-22 Thread David Curry
You might find the examples here helpful:

https://dacurry-tns.github.io/deploying-apereo-cas/building_server_ldap_overview.html

There's an Active Directory configuration (two, actually) and an LDAP
configuration. Authentication and attribute retrieval.

If those don't help, then please post the relevant line(s) from the log
file showing the error, and, if you have it turned on, debug messages.

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

[image: The New School]

On Thu, Feb 22, 2018 at 2:46 PM, Kevin Liu  wrote:

> I've now changed it to this:
>
>
> #AD Configurations
> cas.authn.ldap[0].type=AD
> cas.authn.ldap[0].ldapUrl=ldap://alpha.beta.gamma:389
> #cas.authn.ldap[0].connectionStrategy=
> cas.authn.ldap[0].useSsl=false
> cas.authn.ldap[0].useStartTls=false
> cas.authn.ldap[0].connectTimeout=5000
> cas.authn.ldap[0].subtreeSearch=true
>
> cas.authn.ldap[0].baseDn=dc=beta,dc=gamma
> cas.authn.ldap[0].userFilter=cn={user}
> cas.authn.ldap[0].bindDn=user@beta.gamma
> cas.authn.ldap[0].bindCredential=userPassword
>
> Still not working with the same error.
>
>
>
> On Thursday, February 22, 2018 at 1:32:54 PM UTC-6, Kevin Liu wrote:
>>
>> Hello,
>>
>> I can't seem to make heads or tails of getting CAS to talk to LDAP.
>>
>> I know my LDAP is working because using the following command, I can see
>> all LDAP entries:
>>
>> ldapsearch -x -h alpha.beta.gamma -D user@beta.gamma -W -b
>> "dc=beta,dc=gamma"
>>
>> My assumption is that since these credentials are being accepted by LDAP,
>> I just have to configure CAS to use them. Is this correct?
>>
>> So far, my cas.properties contains the following:
>>
>> cas.authn.ldap[0].order: 0
>> cas.authn.ldap[0].name: LDAP
>> cas.authn.ldap[0].type: AD
>> cas.authn.ldap[0].ldapUrl: ldap://alpha.beta.gamma:389
>> cas.authn.ldap[0].baseDn: dc=di2e,dc=civ
>>
>> This is not working as I get a ton of errors saying that CAS has not
>> connected to LDAP.
>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAPjdhS8PUHrSU6v3Y9KoxA-Bd9aZ2ano4O-p%2BUgLqabYQ%40mail.gmail.com.