CAS ldap against AD?


Tim Tyler

Dec 13, 2017, 5:08:59 PM
to cas-...@apereo.org

I am a newbie to CAS. I just installed 5.2 using Maven. I successfully logged in via the test account of casuser. But now I want to get LDAP against Active Directory working. I successfully installed the dependencies, and that seems OK. My issue is with configuring cas.properties. I read online that if I use type=AD, I need to use dnFormat? Is that true? I don't really understand how that entry should look.

Also, I would like to use SSL or TLS. I'm not sure if certs are necessary for at least establishing encryption. Can someone share with me the necessary settings for getting LDAP to auth against AD? I seem to be struggling with what I particularly need to get LDAP to work against AD. And if I need dnFormat, I could use an example of how that should look.

Below is my config related to LDAP.

cas.authn.ldap[0].type=AD

cas.authn.ldap[0].ldapUrl=ldaps://bcdc3.beloit.edu
cas.authn.ldap[0].connectionStrategy=
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].baseDn=dc=its,dc=beloit,dc=edu
cas.authn.ldap[0].userFilter=cn={sAMAccountName}
cas.authn.ldap[0].bindDn=CN=ldapadmin,CN=Users,DC=its,DC=beloit,DC=edu
cas.authn.ldap[0].bindCredential=xxxxxxxx

#cas.authn.ldap[0].enhanceWithEntryResolver=false
#cas.authn.ldap[0].dnFormat=%s,dc=its,dc=beloit,dc=edu
#cas.authn.ldap[0].principalAttributeId=sAMAccountName
#cas.authn.ldap[0].principalAttributePassword=password


Tim Tyler
Network Engineer
Beloit College


David Curry

Dec 13, 2017, 5:17:59 PM
to cas-...@apereo.org
You might find this link helpful. It's a work in progress and not "official" documentation, but it does include, among other things, an example and step-by-step instructions for how to configure for AD, both authentication and attributes.

https://dacurry-tns.github.io/deploying-apereo-cas/


David A. Curry,  CISSP
Director of Information Security
The New School - Information Technology
71 Fifth Ave., 9th Fl. ~ New York, NY 10003
+1 212 229-5300 x4728
david...@newschool.edu
Sent from my phone; please excuse typos and inane auto-corrections.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/22394f2759232d0a1e53c6d61f841f82%40mail.gmail.com.

michael kromarek

Dec 13, 2017, 5:19:50 PM
to cas-...@apereo.org
We use SSL, as StartTLS tends to complain, saying it has already occurred; so, SSL. You will want the cert from the server you are connecting to, which you can pull with openssl like so:

echo -n | openssl s_client -connect 192.168.1.225:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.pem


This is what we use for our AD auth and attribute resolution

#========================================
# LDAP Auth
#========================================
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldaps://your_ad_server.site.org
cas.authn.ldap[0].connectTimeout=3000
cas.authn.ldap[0].useStartTLS=false
cas.authn.ldap[0].trustedCertificates=file:///etc/ssl/certs/cert_name.crt

#pool settings and validation
cas.authn.ldap[0].minPoolSize=3
cas.authn.ldap[0].maxPoolSize=10
cas.authn.ldap[0].validateOnCheckout=false
cas.authn.ldap[0].validatePeriodically=true
cas.authn.ldap[0].validatePeriod=300

# Amount of time in milliseconds to block on pool exhausted condition before giving up.
cas.authn.ldap[0].blockWaitTime=3000

# Attempt to prune connections every N seconds
cas.authn.ldap[0].prunePeriod=300

#max connection idle time, for pool connections
cas.authn.ldap[0].idleTime=600

#search filters and settings
cas.authn.ldap[0].bindDn=<full DN of manager account>
cas.authn.ldap[0].bindCredential=<account password>
cas.authn.ldap[0].baseDn=dc=site,dc=org
cas.authn.ldap[0].userFilter=(sAMAccountName={user})

#construct login as user...@site.org
cas.authn.ldap[0].dnFormat=%s...@site.org

#principal id and attributes
cas.authn.ldap[0].principalAttributeId=sAMAccountName
cas.authn.ldap[0].principalAttributeList=sAMAccountName,dn,sn,cn,givenname,mail,memberOf,displayName

#========================================
# LDAP Attributes Retrieval
#========================================
#default attributes to release (you don't have to do this, but you can if you want)
cas.authn.attributeRepository.defaultAttributesToRelease=sAMAccountName,dn,sn,cn,givenname,mail,displayName

#attributes
cas.authn.attributeRepository.ldap[0].attributes.sAMAccountName=sAMAccountName
cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
cas.authn.attributeRepository.ldap[0].attributes.givenname=givenname
cas.authn.attributeRepository.ldap[0].attributes.sn=sn
cas.authn.attributeRepository.ldap[0].attributes.mail=mail
cas.authn.attributeRepository.ldap[0].attributes.distinguishedName=dn

#connection and search
cas.authn.attributeRepository.ldap[0].ldapUrl=ldaps://your_ad_server.site.org
cas.authn.attributeRepository.ldap[0].useSsl=true
cas.authn.attributeRepository.ldap[0].useStartTls=false
cas.authn.attributeRepository.ldap[0].baseDn=dc=site,dc=org
cas.authn.attributeRepository.ldap[0].userFilter=(sAMAccountName={user})
cas.authn.attributeRepository.ldap[0].subtreeSearch=true
cas.authn.attributeRepository.ldap[0].bindDn=<account for searching full dn>
cas.authn.attributeRepository.ldap[0].bindCredential=<account password>

--

Tim Tyler

Dec 15, 2017, 9:20:50 AM
to cas-...@apereo.org

Michael,

That really helped. I finally have LDAP working. You filled in some gaps for me. But I did have one remaining problem that I had to resolve. Our AD certs are self-signed for LDAP. The chain cert wasn't trusted by just loading the public cert. So I had to get the CA and install it into the Java native keystore. After that, it worked. I think if we had commercially signed certs, your cert instructions would have worked. Still getting used to Java.

Thanks!

Tim
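The two certificate steps the thread ends on, Michael's openssl pull and Tim's "import the CA, not just the server cert, into the Java keystore" fix, worked through as one added example. This is not code from the thread or from CAS. It assumes openssl is on PATH (and keytool optionally); the CA name, the host name dc1.example.internal, the truststore path, the alias ad-private-root and the password changeit are made up for the example, and the CA and server certificate are generated locally as a stand-in for what a domain controller would serve.

```shell
#!/usr/bin/env sh
# Added example, not code from the thread or from CAS. It builds a throwaway
# private CA and LDAPS server certificate locally (constructed stand-ins for an
# AD domain controller's chain; the names are made up), then does what the
# thread ends up needing: split the chain that `openssl s_client -showcerts`
# returns, find the self-signed CA in it, verify the server cert against that CA,
# and import the CA (not the leaf) into a Java truststore for CAS.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Pull the full chain from a live LDAPS endpoint. Unlike the one-cert version in
# the thread, -showcerts also prints the issuing CA(s) the server sends.
# Not run here (no network); shown for the real-world step.
fetch_chain() {
  host=$1
  echo | openssl s_client -connect "$host:636" -servername "$host" -showcerts 2>/dev/null \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# Constructed fixture: a self-signed root CA and a server cert it signs.
make_fixture() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Example Private Root CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/dc.key" -out "$WORK/dc.csr" \
    -subj "/CN=dc1.example.internal" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$WORK/dc.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/dc.pem" >/dev/null 2>&1
  # Same order s_client -showcerts uses: leaf first, then the CA
  cat "$WORK/dc.pem" "$WORK/ca.pem" > "$WORK/chain.pem"
}

# Split a PEM bundle into $2/cert-1.pem, cert-2.pem, ...; prints the count.
split_chain() {
  bundle=$1; outdir=$2
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
  ' "$bundle"
  ls "$outdir"/cert-*.pem | wc -l | tr -d ' '
}

# Print the self-signed certificate(s) in a split directory. A root CA issues
# itself, so its subject and issuer are identical; the leaf's are not.
find_self_signed() {
  for c in "$1"/cert-*.pem; do
    subj=$(openssl x509 -in "$c" -noout -subject)
    iss=$(openssl x509 -in "$c" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo "$c"; fi
  done
}

# "ok" if the leaf chains to the given CA file, else "fail". This is the check
# the JVM makes for CAS; a store holding only the leaf does not give it a CA.
verify_leaf() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Import the CA into a Java truststore (alias and password are assumptions; the
# JDK's own store is $JAVA_HOME/lib/security/cacerts, default password changeit).
# To use a separate store, start CAS with -Djavax.net.ssl.trustStore=<path>.
import_ca() {
  ca=$1; store=$2
  cmd="keytool -importcert -noprompt -trustcacerts -alias ad-private-root -file $ca -keystore $store -storepass changeit"
  if command -v keytool >/dev/null 2>&1; then
    if $cmd >/dev/null 2>&1; then echo "imported $ca into $store"; else echo "keytool import failed"; fi
  else
    echo "keytool not on PATH; run: $cmd"
  fi
}

make_fixture
count=$(split_chain "$WORK/chain.pem" "$WORK/split")
ca=$(find_self_signed "$WORK/split")
echo "certificates in chain: $count; self-signed CA: $ca"
echo "leaf vs. CA:   $(verify_leaf "$WORK/split/cert-1.pem" "$ca")"
echo "leaf vs. leaf: $(verify_leaf "$WORK/split/cert-1.pem" "$WORK/split/cert-1.pem")"
import_ca "$ca" "$WORK/cas-truststore.p12"
```

The "leaf vs. leaf" line is the situation Tim hit: the server's own certificate cannot act as its issuer, so nothing built from it alone verifies. Trusting the CA instead also keeps working when the domain controller's certificate is renewed under the same CA. For a real domain controller, replace the fixture with `fetch_chain dc1.example.internal > chain.pem` and run the same split, check and import.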
