CAS 5.2.9 Authenticating LDAP users outside baseDn


Alcides Moraes

Mar 31, 2021, 3:51:45 PM
to CAS Community

Hello group,

We have a working installation of CAS 5.2.9 authenticating against Active Directory.

However, we have noticed we are able to authenticate using credentials of a user outside the BaseDN, including the bind user. How can we fix this?
Below are my authn.ldap configuration entries:

ldap[0]:
  baseDn: OU=Users,DC=domain3,DC=domain2,DC=domain1
  bindCredential: bindpassword
  bindDn: bind
  blockWaitTime: 5000
  connectTimeout: 5000
  dnFormat: '%s...@domain3.domain2.domain1'
  failFast: true
  idleTime: 5000
  ldapUrl: ldap://adserver
  maxPoolSize: 10
  minPoolSize: 3
  principalAttributeId: sAMAccountName
  principalAttributeList: sAMAccountName,displayName,givenName,mail,distinguishedName
  prunePeriod: 5000
  subtreeSearch: true
  type: AD
  useSsl: false
  useStartTls: false
  userFilter: (sAMAccountName={user})
  validateOnCheckout: true
  validatePeriod: 600
  validatePeriodically: true

Richard Frovarp

Mar 31, 2021, 4:16:41 PM
to cas-...@apereo.org
My guess is that the bind user is going to ignore the base DN as it happens before the search is done. As for the rest, it likely should follow the base DN. You may have something effectively double defined there that is causing it to work outside. I'm not sure what the dnFormat parameter does. You'll want to refer to the ldaptive documentation as to what those various values do:


Note that you'll want to list your DCs separately instead of just the one name to get failover. Also, you have subtree search on, so it will search in Users.

Alcides Moraes

Mar 31, 2021, 4:33:04 PM
to CAS Community
Hello Richard, thanks for replying.

dnFormat is required for AD type authentication; CAS will not start without it. The value "us...@domain.com" apparently is the default for ADs that authenticate with sAMAccountName. I have seen many examples here like this.

I have tested other users outside OU=Users and they are being authenticated. Subtree search is desired; I have other OUs inside OU=Users.

Alcides Moraes

Mar 31, 2021, 7:51:33 PM
to CAS Community, Alcides Moraes
So, I turned on ldaptive trace logs and inspected the CAS source code to figure it out.

If you use authentication type AD, ldaptive does not use the baseDn to authenticate, only the dnFormat parameter. So AD authenticates any...@domain.com regardless of baseDN.
CAS then searches for the user using userFilter AFTER the authentication. This fails since the user is not inside baseDn.
However, this is OK for CAS, which only logs that the attributes for the object could not be found, but authentication succeeds.

Changing authentication type to AUTHENTICATED (and removing the dnFormat property) makes CAS search for the user with userFilter and baseDN BEFORE authentication, limiting the users able to authenticate.
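As an added example (not from the thread or from the CAS project), here are the posted settings rewritten as the weak form and the corrected form the last reply describes, using only property names that appear in this thread; the host, DNs, UPN suffix and credential are placeholders.

```yaml
# Added example, not from the thread. Two CAS 5.2.x ldap[0] fragments in the
# same layout the original poster used. All host/DN/suffix/credential values
# are placeholders.

# --- Weak form (as posted): type AD binds first, searches afterwards -------
# ldaptive formats "<typed user>@<suffix>" from dnFormat and binds as that
# UPN directly. AD accepts any account in the domain that forms that UPN,
# so baseDn and userFilter only scope the attribute lookup that runs after
# the bind; they do not limit who can log in.
ldap[0]:
  type: AD
  ldapUrl: ldap://adserver            # one DC; list each DC for failover
  dnFormat: '%s@ad.example'           # placeholder UPN suffix
  baseDn: OU=Users,DC=domain3,DC=domain2,DC=domain1
  userFilter: (sAMAccountName={user})
  subtreeSearch: true
  principalAttributeId: sAMAccountName

---
# --- Corrected form: type AUTHENTICATED searches before it binds -----------
# The service account (bindDn) runs userFilter under baseDn first; the end
# user's bind happens only against the DN that search returned. An account
# outside OU=Users, the bind account included if it lives elsewhere, is
# never found and therefore never reaches the bind step.
ldap[0]:
  type: AUTHENTICATED
  ldapUrl: ldap://adserver
  # dnFormat removed: it is not used by type AUTHENTICATED
  bindDn: CN=svc-cas,OU=Service Accounts,DC=domain3,DC=domain2,DC=domain1
  bindCredential: '<bind password placeholder>'   # keep this account read-only
  baseDn: OU=Users,DC=domain3,DC=domain2,DC=domain1
  userFilter: (sAMAccountName={user})   # {user} is the username typed at login
  subtreeSearch: true                   # still covers the OUs nested in Users
  principalAttributeId: sAMAccountName
  principalAttributeList: sAMAccountName,displayName,givenName,mail,distinguishedName
  failFast: true
  useSsl: false
  useStartTls: false
```

To confirm the change took effect, attempt a login with an account that exists in the domain but not under baseDn: with the corrected fragment it is rejected rather than logged as "attributes not found" and let through.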