Greetings all,
I'm having a heck of a time getting X509 with LDAP integration and LDAP attribute resolution working on CAS 6.0. The core issue is that I have to use the certificate UPN for initial authentication and for determining the user's DN from LDAP. Then I have to use that DN to look up other attributes. My hands are tied on how the LDAP schema is set up.
Using this configuration:
cas.authn.x509.name=X509_AUTHENTICATION
cas.authn.x509.order=0
cas.authn.x509.principalType=SUBJECT_ALT_NAME
cas.authn.x509.checkKeyUsage=true
cas.authn.x509.requireKeyUsage=true
cas.authn.attributeRepository.ldap[0].order=0
cas.authn.attributeRepository.ldap[0].name=AD_SERVERS
cas.authn.attributeRepository.ldap[0].ldapUrl=${ldapUrl}
cas.authn.attributeRepository.ldap[0].bindDn=${bindDn}
cas.authn.attributeRepository.ldap[0].bindCredential=${bindCredential}
cas.authn.attributeRepository.ldap[0].baseDn=${baseDn}
cas.authn.attributeRepository.ldap[0].subtreeSearch=true
cas.authn.attributeRepository.ldap[0].searchFilter=(&(sAMAccountType=805306368)(userPrincipalName={0}))
cas.authn.attributeRepository.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.authn.attributeRepository.ldap[0].attributes.distinguishedName=distinguishedName
cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
cas.authn.attributeRepository.ldap[0].attributes.mail=mail
CAS gets the UPN off the certificate, creates a principal ID, and returns distinguishedName, displayName, and mail. But I need other attributes with a searchFilter using the distinguishedName. I tried adding a 2nd cas.authn.attributeRepository entry but can't figure out how to use the distinguishedName from the first one. So then I thought I might be able to use LDAP integration to use the UPN to get the DN and then use that in the attributeRepository block, and it's turned out to be even worse. Just for authentication I've got:
cas.authn.x509.name=X509_AUTHENTICATION
cas.authn.x509.order=0
cas.authn.x509.principalType=SUBJECT_ALT_NAME
cas.authn.x509.principalDescriptor=$username
cas.authn.x509.checkKeyUsage=true
cas.authn.x509.requireKeyUsage=true
cas.authn.x509.ldap.name=X509_LDAP_INTEGRATION
cas.authn.x509.ldap.ldapUrl=${ldapUrl}
cas.authn.x509.ldap.bindDn=${bindDn}
cas.authn.x509.ldap.bindCredential=${bindCredential}
cas.authn.x509.ldap.baseDn=${baseDn}
cas.authn.x509.ldap.keystore=${keyStore}
cas.authn.x509.ldap.keystorePassword=${keyPasswd}
cas.authn.x509.ldap.useSsl=true
cas.authn.x509.ldap.useStartTls=false
cas.authn.x509.ldap.subtreeSearch=true
cas.authn.x509.ldap.searchFilter=(&(sAMAccountType=805306368)(userPrincipalName={0}))
cas.authn.x509.ldap.providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.authn.x509.ldap.allowMultipleDns=false
cas.authn.x509.ldap.allowMultipleEntries=false
cas.authn.x509.ldap.followReferrals=false
The log shows:
<Creating principal for [merrittc@site]>
<Created seed map='{username=[merrittc@site]}' for uid='merrittc@site'>
Then it throws a NullPointerException:
ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[X509SubjectAlternativeNameUPNPrincipalResolver(super=AbstractX509PrincipalResolver(super=PersonDirectoryPrincipalResolver(attributeRepository=org.apereo.services.persondir.support.CachingPersonAttributeDaoImpl@25109608, principalFactory=org.apereo.cas.authentication.principal.DefaultPrincipalFactory@1, returnNullIfNoAttributes=false, principalNameTransformer=org.apereo.cas.authentication.principal.resolvers.PersonDirectoryPrincipalResolver$$Lambda$706/0x0000000840841840@be5226f, principalAttributeNames=username, useCurrentPrincipalId=false), alternatePrincipalAttribute=null))] failed to resolve principal from [AbstractCredential()]>
Followed by:
2019-05-20 12:30:47,903 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Principal resolution handled by [$Proxy160] produced a null principal. This is likely due to misconfiguration or missing attributes; CAS will attempt to use the principal produced by the authentication handler, if any.>
2019-05-20 12:30:47,903 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Principal resolution for authentication by [X509_AUTHENTICATION] produced a null principal.>
2019-05-20 12:30:47,903 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Final principal resolved for this authentication event is [null]>
and then AUTHENTICATION FAILED
Any ideas? This is driving me up the wall.
Thanks
r/Chad
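The two-step lookup the post is trying to get CAS to perform (UPN from the certificate SAN selects an entry, that entry's distinguishedName selects the attributes) is easy to verify outside CAS before wrestling with the attributeRepository wiring. The script below is an added example, not code from the post or from CAS/ldaptive: it evaluates the two filter templates from the post against a constructed in-memory directory, enforces the single-entry rule that allowMultipleEntries=false implies, and shows why whatever is substituted for {0} must be RFC 4515 escaped, since a principal name taken from a client certificate is attacker-influenced text and an unescaped "*" turns an equality filter into a substring match. The entries, names and the small filter evaluator are all assumptions made for the example.

```python
"""UPN -> DN -> attributes resolution, run offline against a constructed directory.

Added illustration, not CAS code. The filter templates are the ones from the post;
the tiny evaluator only understands AND-ed equality assertions, which is all they use.
"""
import re

# Filter templates exactly as they appear in the post's CAS properties.
UPN_FILTER = "(&(sAMAccountType=805306368)(userPrincipalName={0}))"
DN_FILTER = "(distinguishedName={0})"

# Constructed sample entries (not real data). Multi-valued attributes are lists.
DIRECTORY = [
    {"distinguishedName": "CN=alice,OU=Users,DC=site",
     "userPrincipalName": "alice@site", "sAMAccountType": "805306368",
     "displayName": "Alice Example", "mail": "alice@site",
     "memberOf": ["CN=cas-admins,OU=Groups,DC=site"]},
    {"distinguishedName": "CN=bob,OU=Users,DC=site",
     "userPrincipalName": "bob@site", "sAMAccountType": "805306368",
     "displayName": "Bob Example", "mail": "bob@site",
     "memberOf": ["CN=staff,OU=Groups,DC=site"]},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a filter assertion."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def render(template: str, value: str, escape: bool = True) -> str:
    """Substitute {0}; escape=False reproduces an unsafe hand-rolled substitution."""
    return template.replace("{0}", escape_filter_value(value) if escape else value)


def _unescape(s: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _split_components(body: str):
    """Split '(a=1)(b=2)' into ['(a=1)', '(b=2)'] using balanced parentheses."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
    return parts


def matches(entry: dict, flt: str) -> bool:
    """Evaluate an AND filter or a single (attr=value) assertion against one entry."""
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % flt)
    body = flt[1:-1]
    if body.startswith("&"):
        return all(matches(entry, sub) for sub in _split_components(body[1:]))
    attr, _, raw = body.partition("=")        # first '=' only; DN values contain '='
    values = entry.get(attr, [])
    if isinstance(values, str):
        values = [values]
    if "*" in raw:                            # an unescaped '*' is a substring filter
        pattern = ".*".join(re.escape(_unescape(p)) for p in raw.split("*"))
        return any(re.fullmatch(pattern, v) for v in values)
    return _unescape(raw) in values           # escaped '\2a' stays a literal asterisk


def search(directory, flt: str):
    return [e for e in directory if matches(e, flt)]


def resolve(directory, upn: str, escape: bool = True):
    """Step 1: UPN -> exactly one entry. Step 2: its DN -> the attributes wanted."""
    hits = search(directory, render(UPN_FILTER, upn, escape))
    if len(hits) != 1:
        raise LookupError("expected one entry for %r, got %d" % (upn, len(hits)))
    dn = hits[0]["distinguishedName"]
    hits = search(directory, render(DN_FILTER, dn, escape))
    if len(hits) != 1:
        raise LookupError("expected one entry for %r, got %d" % (dn, len(hits)))
    entry = hits[0]
    return dn, {k: entry[k] for k in ("displayName", "mail", "memberOf")}


if __name__ == "__main__":
    print(resolve(DIRECTORY, "alice@site"))
    print(len(search(DIRECTORY, render(UPN_FILTER, "*@site", escape=False))), "hits unescaped")
    print(len(search(DIRECTORY, render(UPN_FILTER, "*@site"))), "hits escaped")
```

Run it as-is to see the chain succeed for alice@site, and note the last two lines: the unescaped "*@site" matches both users (which the single-entry rule would reject as ambiguous, but a sloppier resolver might happily take the first), while the escaped form matches nothing. Point the same two queries at the real directory with ldapsearch and you will know whether the data supports the chain before touching CAS.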