CAS5.2 Connect to LDAP


Kevin Liu
Feb 22, 2018, 2:32:54 PM
to CAS Community
Hello,

I can't seem to make heads or tails of getting CAS to talk to LDAP.

I know my LDAP is working because using the following command, I can see all LDAP entries:

ldapsearch -x -h alpha.beta.gamma -D us...@beta.gamma -W -b "dc=beta,dc=gamma" 

My assumption is that since these credentials are being accepted by LDAP, I just have to configure CAS to use them. Is this correct?

So far, my cas.properties contains the following:

cas.authn.ldap[0].order: 0
cas.authn.ldap[0].name: LDAP
cas.authn.ldap[0].type: AD
cas.authn.ldap[0].ldapUrl: ldap://alpha.beta.gamma:389
cas.authn.ldap[0].baseDn: dc=di2e,dc=civ

This is not working as I get a ton of errors saying that CAS has not connected to LDAP.

Dmitriy Kopylenko
Feb 22, 2018, 2:43:40 PM
to cas-...@apereo.org
You might want to post relevant log entries, so folks are able to look at it and try to help you.

Cheers,
D.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b258f3d5-dc2d-431f-b305-477d3ebbda26%40apereo.org.

Kevin Liu
Feb 22, 2018, 2:46:12 PM
to CAS Community
I've now changed it to this:


#AD Configurations
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldap://alpha.beta.gamma:389
#cas.authn.ldap[0].connectionStrategy=
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].subtreeSearch=true

cas.authn.ldap[0].baseDn=dc=beta,dc=gamma
cas.authn.ldap[0].userFilter=cn={user}
cas.authn.ldap[0].bindDn=us...@beta.gamma
cas.authn.ldap[0].bindCredential=userPassword

Still not working with the same error.

David Curry
Feb 22, 2018, 3:36:17 PM
to cas-...@apereo.org
You might find the examples here helpful:


There's an Active Directory configuration (two, actually) and an LDAP configuration. Authentication and attribute retrieval.

If those don't help, then please post the relevant line(s) from the log file showing the error, and, if you have it turned on, debug messages.

--Dave


--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728
david...@newschool.edu

The New School



Kevin Liu
Feb 22, 2018, 3:43:13 PM
to CAS Community
I tried following that but this is my error still:

2018-02-22 14:40:41,986 DEBUG [org.apereo.cas.configuration.support.CasConfigurationJasyptDecryptor] - <Configured jasyptInstance algorithm [PBEWithMD5AndTripleDES]>
2018-02-22 14:40:41,995 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <No properties were located inside [class path resource [application.yml]]>
2018-02-22 14:40:41,996 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <Located CAS standalone configuration directory at [/etc/cas3/config]>
2018-02-22 14:40:41,997 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <Looking for configuration files at [/etc/cas3/config] that match the pattern [(cas|standalone|application-cas|a
2018-02-22 14:40:42,009 INFO [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <Configuration files found at [/etc/cas3/config] are [[/etc/cas3/config/application.yml, /etc/cas3/config/cas.pro
2018-02-22 14:40:42,019 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <Loading configuration file [/etc/cas3/config/application.yml]>
2018-02-22 14:40:42,042 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <Found settings [[info.description]] in YAML file [/etc/cas3/config/application.yml]>
2018-02-22 14:40:42,044 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <Loading configuration file [/etc/cas3/config/cas.properties]>
2018-02-22 14:40:42,046 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <Found settings [[endpoints.sensitive, cas.authn.ldap[0].subtreeSearch, cas.adminPagesSecurity.loginUrl, cas.adm
2018-02-22 14:40:42,046 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <Located setting(s) [[endpoints.sensitive, cas.authn.ldap[0].subtreeSearch, cas.adminPagesSecurity.loginUrl, cas
2018-02-22 14:40:42,102 INFO [org.apereo.cas.web.CasWebApplicationServletInitializer] - <The following profiles are active: standalone>
2018-02-22 14:40:45,698 WARN [org.apereo.cas.config.CasCoreTicketsConfiguration] - <Runtime memory is used as the persistence storage for retrieving and managing tickets. Tickets that are issued during runtime will be LOST
2018-02-22 14:40:45,701 INFO [org.apereo.cas.configuration.support.Beans] - <Ticket registry encryption/signing is turned off. This MAY NOT be safe in a clustered production environment. Consider using other choices to han
2018-02-22 14:40:49,283 DEBUG [org.apereo.cas.config.CasCoreAuthenticationConfiguration] - <Configuring authentication execution plan [CasCoreAuthenticationHandlersConfiguration]>
2018-02-22 14:40:49,289 DEBUG [org.apereo.cas.config.CasCoreAuthenticationConfiguration] - <Configuring authentication execution plan [CasCoreAuthenticationHandlersConfiguration]>
2018-02-22 14:40:49,318 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - <Registering handler [HttpBasedServiceCredentialsAuthenticationHandler] principal resolver [org.apereo.cas.authenticat
2018-02-22 14:40:49,324 DEBUG [org.apereo.cas.config.CasCoreAuthenticationConfiguration] - <Configuring authentication execution plan [CasCoreAuthenticationMetadataConfiguration]>
2018-02-22 14:40:49,333 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - <Registering metadata populator [org.apereo.cas.authentication.metadata.SuccessfulHandlerMetaDataPopulator@77551b65[or
2018-02-22 14:40:49,342 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - <Registering metadata populator [org.apereo.cas.authentication.metadata.RememberMeAuthenticationMetaDataPopulator@3838
2018-02-22 14:40:49,350 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan] - <Registering metadata populator [org.apereo.cas.authentication.metadata.AuthenticationCredentialTypeMetaDataPopulator@
2018-02-22 14:40:49,350 DEBUG [org.apereo.cas.config.CasCoreAuthenticationConfiguration] - <Configuring authentication execution plan [LdapAuthenticationConfiguration]>
2018-02-22 14:40:49,355 DEBUG [org.apereo.cas.authentication.CoreAuthenticationUtils] - <No principal attributes are defined>
2018-02-22 14:40:49,355 DEBUG [org.apereo.cas.config.LdapAuthenticationConfiguration] - <Created and mapped principal attributes [{}] for [ldap://alpha.beta.gamma:389]...>
2018-02-22 14:40:49,357 DEBUG [org.apereo.cas.config.LdapAuthenticationConfiguration] - <Creating LDAP authenticator for [ldap://alpha.beta.gamma:389] and baseDn [dc=beta,dc=gamma]>
2018-02-22 14:40:49,375 DEBUG [org.apereo.cas.util.LdapUtils] - <Creating active directory authenticator for [ldap://alpha.beta.gamma:389]>
2018-02-22 14:40:49,377 WARN [org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext] - <Exception encountered during context initialization - cancelling refresh attempt: org.springframewor
2018-02-22 14:40:49,378 WARN [com.ryantenney.metrics.spring.config.annotation.MetricsConfigurerAdapter] - <Problem stopping reporter>
org.springframework.beans.factory.BeanCreationNotAllowedException: Error creating bean with name 'casMetricsConfiguration': Singleton bean creation not allowed while singletons of this factory are in destruction (Do not re
        at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:216) ~[spring-beans-4.3.12.RELEASE.jar:4.3.12.RELEASE]

David Curry
Feb 22, 2018, 3:47:47 PM
to cas-...@apereo.org
I don't see an error there. Did your copy and paste not capture everything?

--Dave



Kevin Liu
Feb 22, 2018, 3:56:11 PM
to CAS Community
My apologies Dave, it did get cut off. Thank you for taking a look, by the way.


2018-02-22 14:45:59,086 WARN [org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext] - <Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'casReportsConfiguration': Unsatisfied dependency expressed through field 'authenticationSystemSupport'; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'defaultAuthenticationSystemSupport' defined in class path resource [org/apereo/cas/config/CasCoreAuthenticationSupportConfiguration.class]: Unsatisfied dependency expressed through method 'defaultAuthenticationSystemSupport' parameter 1; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'authenticationTransactionManager' defined in class path resource [org/apereo/cas/config/CasCoreAuthenticationConfiguration.class]: Unsatisfied dependency expressed through method 'authenticationTransactionManager' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'casAuthenticationManager' defined in class path resource [org/apereo/cas/config/CasCoreAuthenticationConfiguration.class]: Unsatisfied dependency expressed through method 'casAuthenticationManager' parameter 2; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationEventExecutionPlan' defined in class path resource [org/apereo/cas/config/CasCoreAuthenticationConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apereo.cas.authentication.AuthenticationEventExecutionPlan]: Factory method 'authenticationEventExecutionPlan' threw exception; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'ldapAuthenticationHandlers' defined in class path resource [org/apereo/cas/config/LdapAuthenticationConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [java.util.Collection]: Factory method 'ldapAuthenticationHandlers' threw exception; nested exception is java.lang.IllegalArgumentException: Dn format cannot be empty/blank for active directory authentication>
2018-02-22 14:45:59,086 WARN [com.ryantenney.metrics.spring.config.annotation.MetricsConfigurerAdapter] - <Problem stopping reporter>
org.springframework.beans.factory.BeanCreationNotAllowedException: Error creating bean with name 'casMetricsConfiguration': Singleton bean creation not allowed while singletons of this factory are in destruction (Do not request a bean from a BeanFactory in a destroy method implementation!)

Kevin Liu
Feb 22, 2018, 4:01:31 PM
to CAS Community
So it looks like it's because I'm missing a dnFormat value? I'm not exactly sure how I should format my dnFormat? Could I get some help?

David Curry
Feb 22, 2018, 4:25:03 PM
to cas-...@apereo.org
If you look up a user in your directory, what does the DN for that user look like? That's what the dnFormat should look like, except that you replace the username with a "%s" for CAS to fill in.

So, for example, the DN for our accounts looks like this:

cn=gnarls,ou=TNSUsers,dc=tns,dc=newschool,dc=edu

(where "gnarls" is the username) so dnFormat looks like this:

cn=%s,ou=TNSUsers,dc=tns,dc=newschool,dc=edu

Also, if you're really going against AD, you probably want to change

cas.authn.ldap[0].userFilter=cn={user}

to

cas.authn.ldap[0].userFilter=sAMAccountName={user}

--Dave



Kevin Liu
Feb 22, 2018, 4:43:05 PM
to CAS Community
Correct me if I'm wrong, but looking at the directory, not everyone has a DN. Some users are only members of a group, it looks like. Is this because my account doesn't have high enough privilege to see everyone? But at the very least I should be able to see myself, right? Or is it possible for not every user to have their own DN?

David Curry
Feb 22, 2018, 5:15:33 PM
to cas-...@apereo.org
My guess would be you don't have enough privileges to see everything you need to see, but that's just a guess. Your question goes beyond my level of AD/LDAP knowledge, but I've always been under the impression that everything has to have a DN.


David A. Curry,  CISSP
Director of Information Security
The New School - Information Technology
71 Fifth Ave., 9th Fl. ~ New York, NY 10003
+1 212 229-5300 x4728
david...@newschool.edu
Sent from my phone; please excuse typos and inane auto-corrections.
   


Alberto Cabello Sánchez
Feb 23, 2018, 7:17:22 AM
to cas-...@apereo.org
On Thu, 22 Feb 2018 13:43:05 -0800 (PST)
Kevin Liu <annih...@gmail.com> wrote:

> Correct me if I'm wrong but looking at the directory, not everyone
> has a DN. Some users are only members of a group it looks like.

I don't think so. DN is the ultimate identifier in LDAP/AD. As stated
in MSDN: «The LDAP API references an LDAP object by its distinguished
name (DN)». Even a group has a DN so you can perform operations on it.

( Source: https://msdn.microsoft.com/en-us/library/aa366101(v=vs.85).aspx )

--
Alberto Cabello Sánchez
Servicio de Informática
Universidad de Extremadura

Kevin Liu
Feb 23, 2018, 9:56:40 AM
to CAS Community
For my own account, when I execute the LDAP query in my first post, I can't see my own DN but I can see what I'm a member of. Is the listed member field my DN? 

member: CN=Kevin Liu,OU=Delta,OU=Alpha,DC=Beta,DC=Gamma

Would this be my DN?

Kevin Liu
Feb 23, 2018, 10:02:34 AM
to CAS Community
I should also mention that my error is preventing CAS from even loading. It's not that it's not authenticating but rather the system just won't start.

David Curry
Feb 23, 2018, 10:17:02 AM
to cas-...@apereo.org
Yes, that looks like your DN.

But if CAS is not starting, it's something else. Are you using 5.2.2? Can you post your pom.xml and cas.log files as attachments?




Kevin Liu
Feb 23, 2018, 12:44:35 PM
to CAS Community
I finally got it to talk to my LDAP! I've realized I should also mention that my LDAP is really an MSDN. It is in a very limited capacity though. Here is my cas.properties, and I hope someone can help me figure out how to expand the scope of authentication. My apologies about the obfuscation.

#AD Configurations
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldap://ladpserver:389
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].baseDn=dc=beta,dc=gamma
cas.authn.ldap[0].userFilter=cn={user}
cas.authn.ldap[0].bindDn=us...@beta.gamma
cas.authn.ldap[0].bindCredential=user1Password
cas.authn.ldap[0].dnFormat=CN=User 1,OU=Test,OU=alpha,DC=beta,DC=gamma

This configuration only works for 1 user, user1. How do I expand it such that any user can input their credentials for validation?
Also interesting, for user1, they can input either user1 or us...@beta.gamma and be able to login with the correct password.


David Curry
Feb 23, 2018, 1:41:16 PM
to cas-...@apereo.org
I'm not sure what you mean by your LDAP is really a MSDN, but...

If you're using the "AD" type, then you want (according to the documentation), this:

cas.authn.ldap[0].userFilter=cn={user}

to be:

cas.authn.ldap[0].userFilter=sAMAccountName={user}

And you should not need (and perhaps should not have) these:

cas.authn.ldap[0].bindDn=us...@beta.gamma
cas.authn.ldap[0].bindCredential=user1Password

At least, you don't need them on "real" AD -- maybe you do need them on whatever an "MSDN AD" is.

Finally, and probably most important (I would try changing just this one setting first), you want this:

cas.authn.ldap[0].dnFormat=CN=User 1,OU=Test,OU=alpha,DC=beta,DC=gamma

to be this:

cas.authn.ldap[0].dnFormat=CN=%s,OU=Test,OU=alpha,DC=beta,DC=gamma

so that CAS can fill in the username to the authentication request.

--Dave



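The three corrections Dave lists above (a dnFormat with %s, no bindDn/bindCredential for the AD type, sAMAccountName in the userFilter) can be checked mechanically before CAS is restarted. The linter below is an added example written for this thread, not CAS project code; the sample properties, the ldapserver host name and the metacharacter check in render_dn are constructed here, and the cleartext finding is an extra check a defender would want on a plain ldap:// URL.

```python
import re
from typing import Dict, List

# Constructed sample (hypothetical values): the AD block from the thread, with
# the fixed dnFormat that can only ever authenticate one account.
SAMPLE_PROPERTIES = """\
#AD Configurations
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldap://ldapserver:389
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].baseDn=dc=beta,dc=gamma
cas.authn.ldap[0].userFilter=cn={user}
cas.authn.ldap[0].bindDn=user1@beta.gamma
cas.authn.ldap[0].bindCredential=user1Password
cas.authn.ldap[0].dnFormat=CN=User 1,OU=Test,OU=alpha,DC=beta,DC=gamma
"""

# Accepts both separators seen in the thread ("key=value" and "key: value").
KEY_RE = re.compile(r"^cas\.authn\.ldap\[(\d+)\]\.(\w+)\s*[=:]\s*(.*)$")

# Characters with special meaning in an RFC 4514 DN string.
DN_SPECIAL = set(',+"\\<>;=')


def parse_ldap_blocks(text: str) -> Dict[int, Dict[str, str]]:
    """Group cas.authn.ldap[N].* keys by their index N; comments and blanks are skipped."""
    blocks: Dict[int, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m:
            blocks.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3).strip()
    return blocks


def lint_ad_block(props: Dict[str, str]) -> List[str]:
    """Findings for one block of type AD, following the advice given in the thread."""
    findings: List[str] = []
    if props.get("type", "").upper() != "AD":
        return findings
    dn_format = props.get("dnFormat", "")
    if not dn_format:
        findings.append("dnFormat is required for type=AD; CAS refuses to start without it")
    elif "%s" not in dn_format:
        findings.append("dnFormat has no %s placeholder: every login binds as the same fixed DN, "
                        "so the username typed at the login form is ignored")
    if "bindDn" in props or "bindCredential" in props:
        findings.append("bindDn/bindCredential are not needed for type=AD (the user binds directly "
                        "through dnFormat); remove them rather than store an unused password")
    user_filter = props.get("userFilter", "")
    if user_filter and not user_filter.lower().startswith("samaccountname="):
        findings.append(f"userFilter '{user_filter}': AD logins are normally matched on sAMAccountName={{user}}")
    no_tls = (props.get("useSsl", "false").lower() != "true"
              and props.get("useStartTls", "false").lower() != "true")
    if props.get("ldapUrl", "").startswith("ldap://") and no_tls:
        findings.append("plain ldap:// with neither useSsl nor useStartTls: passwords cross the network in cleartext")
    return findings


def lint_properties(text: str) -> Dict[int, List[str]]:
    """Lint every cas.authn.ldap[N] block found in a cas.properties text."""
    return {idx: lint_ad_block(props) for idx, props in parse_ldap_blocks(text).items()}


def render_dn(dn_format: str, username: str) -> str:
    """Fill the %s in dnFormat with the login name, as Dave describes. The metacharacter
    check is this example's own safeguard, not a claim about how CAS/ldaptive formats DNs."""
    if "%s" not in dn_format:
        raise ValueError("dnFormat has no %s placeholder")
    if not username or username != username.strip() or DN_SPECIAL & set(username):
        raise ValueError("login name contains characters that would change the DN structure")
    return dn_format.replace("%s", username, 1)


if __name__ == "__main__":
    for idx, findings in lint_properties(SAMPLE_PROPERTIES).items():
        print(f"cas.authn.ldap[{idx}]:")
        for finding in findings:
            print("  -", finding)
    print(render_dn("CN=%s,OU=Test,OU=alpha,DC=beta,DC=gamma", "kliu"))
```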

Kevin Liu
Feb 23, 2018, 3:12:20 PM
to CAS Community
Just to make sure I understand the LDAP and CAS connection properly, CAS is sending over a set of credentials to first access the LDAP correct? Is that the bindDN and bindCredential? Does it then search through the result query for userFilter for a match? 

Also, I'm a little confused about the dnFormat. I inputted directly what the DN is for user 1. However, since other users belong to different OUs, how do I change the code so that it becomes more versatile?

My eventual goal is for cas to authenticate users from a single OU.

Thank you all for bearing with me so far and all my questions.

David Curry
Feb 23, 2018, 3:24:37 PM
to cas-...@apereo.org

There are smarter (way smarter) LDAP people than me, but yeah, that's kind of it. Some LDAPs (like AD) will let you bind as the user him/herself to authenticate, others require you to use a special account to make the bind, and then authenticate the user. Although come to think of it, I think AD might only permit that over an LDAPS connection, which might be why you were having trouble.

Likewise, some LDAPs will let you retrieve attributes at the same time that you authenticate, and others require you to make a separate request for that. In our particular case, our LDAP contains a superset of the users in AD (AD has "active" people, LDAP has "active" and "alumni"). But the two directories have different (overlapping) sets of attributes, and we always want to get all of them and merge them together, so in my CAS config, I do the authentication and attribute retrieval separately.

I'm not sure how you get a dnFormat that handles multiple OUs, or if you even can. In my case, we have almost everyone in a single OU, except for some administrator accounts, which are in a separate OU. Rather than try and handle them all together, I just punted and defined two different AD configs for them, one for each OU. If you look at my documentation, you'll note that ldap[0] and ldap[2] are actually the SAME AD server, they just have different baseDN and dnFormat settings.

--Dave




Lorenzo Muttoni
Feb 25, 2018, 1:17:14 PM
to CAS Community

Sorry if I get involved in the discussion, but I have the same problem.

I discovered that the property cas.authn.ldap[0].dnFormat is mandatory. However, although I have correctly provided a value for such a property, its value is always null.

I'm trying to use Active Directory as the CAS backend, but I'm getting an error saying "IllegalArgumentException: Dn format cannot be empty/blank for active directory authentication". I opened a question on stackoverflow (https://stackoverflow.com/questions/48949970/apereo-cas-activedirectory-illegalargumentexception-dn-format-cannot-be-empt).

I need to know where the @Bean AbstractLdapAuthenticationProperties is created and filled, so that (maybe) I'll be able to identify why the dnFormat is ALWAYS null, even though in cas.properties I have a correct value for cas.authn.ldap[0].dnFormat.

I'm looking for someone who can put me on the right track.

Thanks in advance for your attention.

Kind regards, Lorenzo

Kevin Liu
Feb 26, 2018, 12:43:02 PM
to CAS Community
Thank you Dave for providing additional insight!

Just to add, the MSDN I was referring to above is actually a Microsoft Active Directory server, which I'm using the LDAP protocol to talk to (at least that is my understanding).

I've got a few more questions. Is it possible to see what the LDAP is returning to CAS? Maybe via logs? Getting insight to what is being returned will help me get a better grasp on the LDAP CAS connections and communications.

Also, in addition to multiple OUs, it turns out that the DN that is being used doesn't utilize a user's username but rather a user's full name as part of the DN.  For example, my DN is CN=Kevin Liu, OU=Alpha, DC=beta, DC=gamma instead of CN=kliu. Do you have any ideas on how I might get around that?

David Curry
Feb 26, 2018, 12:53:16 PM
to cas-...@apereo.org
Well, you can start with log4j2.xml, and change

<Property name="cas.log.level" >warn</Property>

to

<Property name="cas.log.level" >debug</Property>

which will give you a lot of detail (all in cas.log) about what's going on. If that doesn't give you what you want, you can also (or instead) change

<AsyncLogger name="org.ldaptive" level="warn" />

to

<AsyncLogger name="org.ldaptive" level="debug" />

to get debugging from the LDAP code itself.

As for your second question... you've exceeded my level of knowledge of AD/LDAP. I think the answer might be that you can't use the "AD" type of LDAP setup and will have to switch to the "AUTHENTICATED" type, but I'm not very sure of that answer.

Perhaps someone else on the list can jump in.

--Dave




Kevin Liu
Feb 26, 2018, 3:23:35 PM
to CAS Community
I'm messing with the logger. Is it possible to have just LDAP debug codes output? If so, how? Cause I can't seem to be able to shut off the others without shutting off debug all together.

David Curry
Feb 26, 2018, 3:36:13 PM
to cas-...@apereo.org
I haven't tried it myself, but you ought to be able to put cas.log.level back to "warn" and then add something like

<AsyncLogger name="org.apereo.cas.authentication" level="debug" includeLocation="true"/>

in the <Loggers> section (down around line 61). See the comment right there in the file for a little more info.

--Dave





Kevin Liu
Feb 26, 2018, 3:54:51 PM
to CAS Community
Thanks, got it working! 

I hope you don't mind me picking your brain a little further.  Do you have any experience with principalAttributeId fields? I'm wondering if I can first bind to LDAP, and then use username and password to authenticate instead and it looks like principalAttribute fields might be it.

David Curry
Feb 26, 2018, 4:11:51 PM
to cas-...@apereo.org
Sorry, I don't. But some other folks on the list have been doing other kinds of logins, so maybe they do.



Kevin Liu
Feb 26, 2018, 4:14:43 PM
to CAS Community
No worries! Reading the documents again, it looks like I may have confused a couple of things.
AD (Active Directory) - Users authenticate with sAMAccountName typically using a DN format.
It says that it authenticates using the sAMAccountName, which should get passed in if we use cas.authn.ldap[0].userFilter=sAMAccountName={user}, correct?
Right now, I can put anything in the username field and it gets authenticated. That can't be right?

David Curry
Feb 26, 2018, 4:28:48 PM
to cas-...@apereo.org
Correct. If you're using the AD type, you should be using

cas.authn.ldap[0].userFilter: sAMAccountName={user}

Putting "anything" in the username field and getting authenticated doesn't sound right.

But if you're using AD and dnFormat, I'm almost positive that you DO NOT want to have a "bindDn" or "bindCredential" in there. Those are for the AUTHENTICATED (and other) types, not for the AD type.

--Dave






Kevin Liu

unread,
Feb 26, 2018, 4:43:45 PM2/26/18
to CAS Community
Okay so I've changed my cas.properties to reflect what you're saying. 

I'm getting an error which requires me to input a dnFormat. Fair enough, but looking at your documentation, it says to put %s which will get the username entered into the query. Does this mean that in your AD, your CN and sAMAccountName are the same? If so, I don't understand why it would be necessary to put a userFilter because otherwise you would be verifying twice, right? Once via dnFormat and then again with the userFilter. Sorry if I'm just being dumb and not seeing things.

Marc Dufour

unread,
Feb 26, 2018, 5:05:20 PM2/26/18
to CAS Community
Since my DN is not fixed as I authenticate users at the Forest level, I could not use AD and used AUTHENTICATED instead, and used cas.authn.ldap[0].userFilter=(userPrincipalName={user}) as filter, with subtreeSearch set to true, and was able to authenticate on two different domains (but this is our setup, you should use sAMAccountName if this is what you need).


Matthew Hannay

unread,
Feb 26, 2018, 5:16:01 PM2/26/18
to cas-...@apereo.org
Send me your POM and cas.properties

In the meantime, install ldapadmin.

I can help with working out your config.

--Matt

On 23 February 2018 at 05:32, Kevin Liu <annih...@gmail.com> wrote:
Hello,

I can't seem to make heads or tails of getting CAS to talk to LDAP.

I know my LDAP is working because using the following command, I can see all LDAP entries:

ldapsearch -x -h alpha.beta.gamma -D us...@beta.gamma -W -b "dc=beta,dc=gamma" 

My assumption is that since these credentials are being accepted by LDAP, I just have to configure CAS to use them. Is this correct?

So far, my cas.properties contains the following:

cas.authn.ldap[0].order: 0
cas.authn.ldap[0].name: LDAP
cas.authn.ldap[0].type: AD
cas.authn.ldap[0].ldapUrl: ldap://alpha.beta.gamma:389
cas.authn.ldap[0].baseDn: dc=di2e,dc=civ

This is not working as I get a ton of errors saying that CAS has not connected to LDAP.


Matthew Hannay

unread,
Feb 26, 2018, 5:17:15 PM2/26/18
to cas-...@apereo.org

Matthew Hannay

unread,
Feb 26, 2018, 5:20:19 PM2/26/18
to CAS Community
Can you post your logs, cas.properties and pom.xml

And I can have a look.

Also try installing http://www.ldapadmin.org/
to do some testing

--Matt

Kevin Liu

unread,
Feb 26, 2018, 5:41:37 PM2/26/18
to CAS Community
So I've included an extra ldap index to get around multiple OUs. I can now authenticate users but only with their full name and not their sAMAccountName. For example, on the CAS login screen, if I put my sAMAccountName kliu as the username and the associated password, I get denied, but if I put Kevin Liu I can log in. It doesn't seem like userFilter=sAMAccountName={name} gets used, as my sAMAccountName is kliu. Maybe I don't understand userFilter completely.

Marc, what other properties did you have to add to cas.properties. Your situation sounds very similar to mine.

Mathew:
Standard pom.xml with the following added:
<dependencies>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-webapp${app.server}</artifactId>
            <version>${cas.version}</version>
            <type>war</type>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-json-service-registry</artifactId>
            <version>${cas.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-ldap</artifactId>
            <version>${cas.version}</version>
        </dependency>
    </dependencies>

cas.properties:
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldap://xxx.xxx.xxx.xxx:xxx
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].subtreeSearch=true

cas.authn.ldap[0].baseDn=dc=beta,dc=gamma
cas.authn.ldap[0].userFilter=sAMAccountName={user}
cas.authn.ldap[0].dnFormat=CN=%s,OU=Delta,OU=alpha,DC=beta,DC=gamma

Marc Dufour

unread,
Feb 27, 2018, 8:54:08 AM2/27/18
to CAS Community

Kevin, here are the properties that are working for me.

cas.authn.ldap[0].order=0
cas.authn.ldap[0].name=AD
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://servername:3269
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].baseDn=dc=DOMAIN,dc=TLD
cas.authn.ldap[0].userFilter=(userPrincipalName={user})
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].principalAttributeList=sn,givenName,memberOf,cn
cas.authn.ldap[0].bindDn=DN of user
cas.authn.ldap[0].bindCredential=Password

On Monday, February 26, 2018 at 17:41:37 UTC-5, Kevin Liu wrote:
So I've included an extra ldap index to get around multiple OUs. I can now authenticate users but only with their full name and not their sAMAccountName. For example, on the CAS login screen, if I put my sAMAccountName kliu as the username and the associated password, I get denied, but if I put Kevin Liu I can log in. It doesn't seem like userFilter=sAMAccountName={name} gets used, as my sAMAccountName is kliu. Maybe I don't understand userFilter completely.

Marc, what other properties did you have to add to cas.properties. Your situation sounds very similar to mine.

<SNIP>

Kevin Liu

unread,
Feb 27, 2018, 10:52:52 AM2/27/18
to CAS Community
Marc, what is the sn,givenName,memberOf,cn? Rather what is the principalAttributeList?
For your bindDN and bindCredentials, are you using an authenticating admin account or the user who's trying to get in?

Marc Dufour

unread,
Feb 27, 2018, 12:57:30 PM2/27/18
to CAS Community
I only need these attributes, so I limit the size of what is returned.

As for the bindDN, it is a regular Domain user, not an admin. It should only need read access to Active Directory.

Kevin Liu

unread,
Feb 27, 2018, 2:12:08 PM2/27/18
to cas-...@apereo.org
Gotcha! Still a little confused about the principal attributes. Could you give a brief summary of how it works? What is a sn? And how the parsing works?
Thanks 

Marc Dufour

unread,
Feb 27, 2018, 3:13:43 PM2/27/18
to CAS Community
sn is an attribute in the AD schema used to store the last name of the user.

I did a quick search in Google and found this info that could help you: http://www.computerperformance.co.uk/Logon/LDAP_attributes_active_directory.htm

Ganesh Prasad

unread,
Jun 14, 2018, 12:32:37 AM6/14/18
to CAS Community
HI Dave,

I've just come up to facing the same issue that you have touched on here.

I have more than one OU under which there are users to be authenticated. If I specify only one of them, like

cas.authn.ldap[0].dnFormat=cn=%s,ou=agencies,dc=bidonprint,dc=com,dc=au

then it won't work for other users for whom the definition should be

cas.authn.ldap[0].dnFormat=cn=%s,ou=publishers,dc=bidonprint,dc=com,dc=au

Isn't there some way to wildcard the OU also, like

cas.authn.ldap[0].dnFormat=cn=%s,ou=%ou,dc=bidonprint,dc=com,dc=au

It seems a shame to have to repeat essentially the same definition under ldap[0], ldap[1], ldap[2], etc., for every group of users in the system, and it's wasteful because CAS will try each one in turn before it finds a match.

Regards,
Ganesh

David Curry

unread,
Jun 14, 2018, 8:07:52 AM6/14/18
to cas-...@apereo.org
I don't believe you can wildcard the dnFormat with OU, although I could be wrong about that.

I have ldap[0] and ldap[2] configured with different OUs and otherwise all the same (ldap[1] is a completely different LDAP), and it works just fine. Although in my case, the ldap[2] is sort of a "rare" OU of just the admin accounts that we let log in to the management webapp, so evaluation usually stops before it gets there and it's not a big deal. So it does work, although I don't know about performance.

What happens if you just leave the OU out of the dnFormat:

cas.authn.ldap[0].dnFormat=cn=%s,dc=bidonprint,dc=com,dc=au

I don't know for sure that this will work, but it might be worth a shot.



Ganesh and Sashi Prasad

unread,
Jun 14, 2018, 11:11:04 AM6/14/18
to cas-...@apereo.org
//  What happens if you just leave the OU out of the dnFormat //

It doesn't like it :-(

I've resigned myself to providing four different sets of values from ldap[0] to ldap[3], corresponding to the four types of users we have. For the fourth kind of user, CAS queries LDAP 4 times, which is wasteful, but it's actually very fast in practice, so the extra lookups don't have a practical impact.

Until someone shows me a better way, I guess I'll have to stick to this.

Thanks and regards,
Ganesh



Sean Day

unread,
Jul 17, 2018, 7:41:40 AM7/17/18
to CAS Community
Hi,

We have about 20 OUs for LDAP accounts, so I did not want to create ldap config entries for all of these. I have found that using a UPN type entry and setting the dnFormat to %s...@domain.com you can authenticate users in any OU.

An example of the properties I have used is:

cas.authn.ldap[0].order:                0
cas.authn.ldap[0].useSsl: false
cas.authn.ldap[0].name:                 Active Directory
cas.authn.ldap[0].type:                 AD
cas.authn.ldap[0].ldapUrl:              ldap://my-dc.domain.com
cas.authn.ldap[0].validatePeriod:       270
cas.authn.ldap[0].poolPassivator:       NONE
cas.authn.ldap[0].searchFilter:         sAMAccountName={user}
cas.authn.ldap[0].baseDn:               dc=domain,dc=com
cas.authn.ldap[0].dnFormat:             %s...@domain.com

Sean
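As an added model (not CAS code, and not posted by anyone in the thread) of the two flows discussed above: Dave's point that type=AD binds directly through dnFormat without a bindDn, Kevin's observation that CN=%s makes the CN rather than the sAMAccountName the login name, Marc's AUTHENTICATED configuration that searches with a service account and then binds as the user, and Sean's UPN-style dnFormat that works across OUs. The directory entries, the svc-cas service account and every password below are constructed.

```python
# Added illustration (not CAS code): an in-memory model of the two CAS LDAP
# login modes from this thread. Directory entries and passwords are constructed.
FILTER_METACHARS = set('*()\\\x00')

# Constructed sample directory: DN -> attributes. "pw" stands in for AD's password check.
DIRECTORY = {
    "CN=Kevin Liu,OU=Delta,OU=alpha,DC=beta,DC=gamma": {
        "sAMAccountName": "kliu", "userPrincipalName": "kliu@beta.gamma", "pw": "s3cret"},
    "CN=Marc Dufour,OU=Publishers,DC=beta,DC=gamma": {
        "sAMAccountName": "mdufour", "userPrincipalName": "mdufour@beta.gamma", "pw": "hunter2"},
    "CN=svc-cas,OU=Service,DC=beta,DC=gamma": {
        "sAMAccountName": "svc-cas", "userPrincipalName": "svc-cas@beta.gamma", "pw": "bindpw"},
}


def simple_bind(name, password):
    """Bind the way AD does: accept a full DN or a userPrincipalName.
    An empty password is refused up front, because a name plus empty password
    is an RFC 4513 unauthenticated (anonymous) bind, not a login."""
    if not password:
        return False
    for dn, attrs in DIRECTORY.items():
        if name.lower() in (dn.lower(), attrs["userPrincipalName"].lower()):
            return attrs["pw"] == password
    return False


def ad_type_login(dn_format, username, password):
    """type=AD: CAS substitutes the username into dnFormat and binds as that
    name directly. No search happens, so userFilter cannot map an
    sAMAccountName to a DN; with CN=%s the user has to type their CN, while
    %s@domain binds by UPN and so works for accounts in any OU."""
    return simple_bind(dn_format % username, password)


def authenticated_type_login(bind_dn, bind_pw, attr, username, password):
    """type=AUTHENTICATED: bind as the service account (bindDn/bindCredential),
    search the subtree for (attr={user}), then bind as the single DN found."""
    if not simple_bind(bind_dn, bind_pw):
        return False
    if FILTER_METACHARS & set(username):   # never interpolate filter syntax
        return False
    matches = [dn for dn, a in DIRECTORY.items()
               if a.get(attr, "").lower() == username.lower()]
    if len(matches) != 1:                  # missing or ambiguous entry: refuse
        return False
    return simple_bind(matches[0], password)
```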
