CAS 5.3 WITH AD / LDAP


Carlos Morales

Nov 27, 2018, 10:18:06 AM
to CAS Community

Good afternoon, I have installed CAS in the new version 5.3.0. Once I modified the application.properties and indicated that the default credentials should stop working, I tried to add the following:
cas.authn.ldap[0].type=                        AD
cas.authn.ldap[0].ldapUrl=             ldap://IP:389
cas.authn.ldap[0].useSsl=              false
cas.authn.ldap[0].useStartTls=         false
cas.authn.ldap[0].connectTimeout=      3000
cas.authn.ldap[0].baseDn=              OU=VDI,DC=domain,DC=local
cas.authn.ldap[0].searchFilter=                cm={user}
cas.authn.ldap[0].subtreeSearch=       true
cas.authn.ldap[0].dnFormat=            %s@domain
cas.authn.ldap[0].principalAttributeId=        Admin
cas.authn.ldap[0].principalAttributePassword=Password
cas.authn.ldap[0].bindCredential=Password
logging.level.org.apereo=              DEBUG
When I try to log in with the credentials, the log shows the following error:

2018-11-27 12:57:24,594 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication handler [HttpBasedServiceCredentialsAuthenticationHandler] does not support the credential type [UsernamePasswordCredential(username=Test)]. Trying next...>

2018-11-27 12:57:24,629 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN

=============================================================

WHO: Test

WHAT: Supplied credentials: [UsernamePasswordCredential(username=Test)]

ACTION: AUTHENTICATION_FAILED

APPLICATION: CAS

WHEN: Tue Nov 27 12:57:24 CET 2018


From the CAS server I can display all the information with ldapsearch.

Can you help me in this matter? It is an environment that needs to be authenticated with AD and I do not get it.

Thank you so much.

matrix

Nov 27, 2018, 11:07:25 AM
to cas-...@apereo.org
Isn't that supposed to be cn instead of cm in the searchFilter value field?

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/57d36eab-e109-42c8-9514-9476e9dcef8e%40apereo.org.

Carlos Morales

Nov 27, 2018, 11:34:52 AM
to CAS Community
Sorry, the syntax is correct as you said, it is n and not m, but it still does not work and shows the same error:


<Authentication handler [HttpBasedServiceCredentialsAuthenticationHandler] does not support the credential type [UsernamePasswordCredential (username = Test)]. Trying next ...>

Any other option?

matrix

Nov 27, 2018, 12:15:20 PM
to cas-...@apereo.org
Check your Active Directory field to verify the username; we had the same problem, then we switched it back to sAMAccountName from cn.

Carlos Morales

Nov 28, 2018, 5:14:21 AM
to CAS Community
I have tried more options like:
cas.authn.ldap[0].searchFilter=         cn={user}
cas.authn.ldap[0].userFilter=uid={user}
sAMAccountName

But all of them give the same error:

<Authentication handler [HttpBasedServiceCredentialsAuthenticationHandler] does not support the credential type [UsernamePasswordCredential (username = Test)]. Trying next ...>

Any option?

Thank you so much.

matrix

Nov 28, 2018, 5:49:10 AM
to cas-...@apereo.org
Do you have a user called "test" in the Active Directory?
[HttpBasedServiceCredentialsAuthenticationHandler] does not support the credential type [UsernamePasswordCredential (username = Test)].
And try this: cas.authn.ldap[0].searchFilter=sAMAccountName={user}




--
-Fazla.

Carlos Morales

Nov 28, 2018, 7:26:12 AM
to CAS Community
Hello,

Here is my AD:

My ldapsearch works correctly and binds OK, but my CAS doesn't connect with AD and gives me the following error:

2018-11-28 13:22:47,186 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication handler [HttpBasedServiceCredentialsAuthenticationHandler] does not support the credential type [UsernamePasswordCredential(username=asdf)]. Trying next...>

My application.properties:

cas.authn.ldap[0].type=                 AD
cas.authn.ldap[0].ldapUrl=              ldap://IP:389
cas.authn.ldap[0].useSsl=               false
cas.authn.ldap[0].useStartTls=          false
cas.authn.ldap[0].connectTimeout=       3000
cas.authn.ldap[0].baseDn=               OU=VDI,DC=domain,DC=local
cas.authn.ldap[0].searchFilter=         sAMAaccountName={user}

cas.authn.ldap[0].subtreeSearch=        true
cas.authn.ldap[0].dnFormat=             %s@domain
cas.authn.ldap[0].principalAttributeId= asdf
cas.authn.ldap[0].principalAttributePassword=nPASS
cas.authn.ldap[0].bindCredential=PASS
logging.level.org.apereo=               DEBUG
cas.authn.ldap[0].allowMultipleDns=     false
#

Thank you so much

Any option?

Tepe, Dirk

Nov 28, 2018, 9:07:25 AM
to cas-...@apereo.org
Have you included LDAP support in your POM dependencies when you built the WAR file?


That error seems to indicate your CAS instance is not even capable of using LDAP.

-dirk

João Henriques

Nov 28, 2018, 10:06:23 AM
to CAS Community

Carlos Morales

Nov 28, 2018, 10:53:10 AM
to CAS Community
Yep,

I included LDAP support in my POM dependencies in a new deployment, but it still does not work.

Carlos Morales

Nov 28, 2018, 11:03:31 AM
to CAS Community
I followed this guide, but this seems impossible....

SSO with LDAP doesn't work, but my ldapsearch is working and binding all users.

Any suggestion?

Thanks in advance.

Ray Bon

Nov 28, 2018, 11:52:30 AM
to cas-...@apereo.org
Carlos,

Do you have access to your AD/LDAP logs? Sanitize and post here (both successful ldapsearch and failed SSO). They may give a reason for the failure.

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

Carlos Morales

Nov 29, 2018, 8:45:05 AM
to CAS Community
Hi Ray,

LDAP SEARCH

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=local> with scope subtree
# filter: uid=*
# requesting: ALL
#

# search reference
ref: ldap://ForestDnsZones.TEST.LOCAL/DC=ForestDnsZones,DC=TEST,DC=LOCAL

# search reference
ref: ldap://DomainDnsZones.TEST.LOCAL/DC=DomainDnsZones,DC=TEST,DC=LOCAL

# search reference
ref: ldap://TEST.LOCAL/CN=Configuration,DC=TEST,DC=LOCAL

# search result
search: 2
result: 0 Success

# numResponses: 4
# numReferences: 3

Active Directory:

The registry does not show us any type of error with the LDAP.

Any suggestion?

Ray Bon

Nov 29, 2018, 4:33:55 PM
to cas-...@apereo.org
Carlos,

In your cas config you have OU=VDI. But this does not show anywhere in your ldapsearch.
Your ldapsearch also has 'filter: uid=*' instead of cn or sAMAccountName.

I am not an LDAP expert, but make these items the same to eliminate unknowns.

Ray

Todd Higgins '95

Nov 30, 2018, 10:46:28 AM
to cas-...@apereo.org
Hi Carlos.

Check out this blog post from Apereo:


I had success stripping down my configuration and using type=AUTHENTICATED when connecting to my Active Directory.

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://ad.fandm.edu
cas.authn.ldap[0].baseDn=ou=Users,dc=fandm,dc=edu
cas.authn.ldap[0].searchFilter=sAMAccountName={user}
cas.authn.ldap[0].bindDn=CN=CAS AD Lookup,CN=Robots,DC=fandm,DC=edu
cas.authn.ldap[0].bindCredential=aPassword



--
Todd Higgins
Systems Administrator
Franklin & Marshall College
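As an added example, not code from the thread or from Apereo CAS: the Python script below applies the checks this thread converged on to a cas.authn.ldap[N] block and to the debug log, and generalizes them slightly beyond the two configurations posted. It flags a searchFilter attribute that is not a usual AD login attribute (the cm typo, the sAMAaccountName spelling in the second config), compares baseDn with the base the working ldapsearch used (dc=test,dc=local versus DC=domain,DC=local), checks which bind settings each type needs (AD and DIRECT use dnFormat, AUTHENTICATED uses bindDn and bindCredential, per the CAS 5.x LDAP documentation; verify against the docs for your version), and lists the authentication handlers the log shows CAS consulting, since a log with only HttpBasedServiceCredentialsAuthenticationHandler and no LdapAuthenticationHandler is the symptom Dirk read as LDAP support missing from the WAR. The sample properties and log lines are constructed from what was posted; the {user} substitution is shown with RFC 4515 escaping, which CAS's LDAP layer does for you but which any standalone diagnostic that builds its own filter must do itself.

```python
import re
from collections import defaultdict

# Constructed sample: the first application.properties block posted in the
# thread, kept with its "cm" typo; IP and domain are placeholders.
SAMPLE_PROPERTIES = """
cas.authn.ldap[0].type=                        AD
cas.authn.ldap[0].ldapUrl=             ldap://IP:389
cas.authn.ldap[0].useSsl=              false
cas.authn.ldap[0].baseDn=              OU=VDI,DC=domain,DC=local
cas.authn.ldap[0].searchFilter=                cm={user}
cas.authn.ldap[0].subtreeSearch=       true
cas.authn.ldap[0].dnFormat=            %s@domain
"""

# Constructed sample log: the DEBUG line quoted in the thread followed by the
# start of the audit record; no LdapAuthenticationHandler line appears in it.
SAMPLE_LOG = """\
2018-11-27 12:57:24,594 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication handler [HttpBasedServiceCredentialsAuthenticationHandler] does not support the credential type [UsernamePasswordCredential(username=Test)]. Trying next...>
2018-11-27 12:57:24,629 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
ACTION: AUTHENTICATION_FAILED
"""

# Attribute names that usually hold a login name in Active Directory.
KNOWN_LOGIN_ATTRIBUTES = {"cn", "samaccountname", "userprincipalname"}

PROP_RE = re.compile(r"^\s*cas\.authn\.ldap\[(\d+)\]\.(\w+)\s*=\s*(.*?)\s*$")
HANDLER_RE = re.compile(r"Authentication handler \[(\w+)\]")


def parse_cas_ldap_properties(text):
    """Return {index: {key: value}} for every cas.authn.ldap[N].key=value line.
    Whitespace around '=' is dropped, as the Java properties loader does."""
    blocks = defaultdict(dict)
    for line in text.splitlines():
        m = PROP_RE.match(line)
        if m:
            blocks[int(m.group(1))][m.group(2)] = m.group(3)
    return dict(blocks)


def dn_components(dn):
    """Split a DN into lower-cased RDNs: 'OU=VDI,DC=a,DC=b' -> ['ou=vdi', 'dc=a', 'dc=b']."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter, so a login
    name containing '*', '(', ')' or a backslash cannot rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def render_search_filter(template, user):
    """Substitute {user} into the configured searchFilter template, escaped."""
    return template.replace("{user}", escape_filter_value(user))


def check_ldap_block(props, ldapsearch_base=None):
    """Return a list of findings for one cas.authn.ldap[N] block. The rules are
    the points raised in the thread plus the CAS 5.x type conventions."""
    findings = []
    sf = props.get("searchFilter", "")
    if "{user}" not in sf:
        findings.append("searchFilter does not contain the {user} placeholder")
    m = re.search(r"([A-Za-z][A-Za-z0-9-]*)\s*=\s*\{user\}", sf)
    if m and m.group(1).lower() not in KNOWN_LOGIN_ATTRIBUTES:
        findings.append(f"searchFilter attribute '{m.group(1)}' is not a usual AD "
                        "login attribute (cn, sAMAccountName, userPrincipalName)")
    ldap_type = props.get("type", "").upper()
    if ldap_type in ("AD", "DIRECT") and not props.get("dnFormat"):
        findings.append(f"type={ldap_type} needs dnFormat (for AD usually %s@domain)")
    if ldap_type == "AUTHENTICATED" and not (props.get("bindDn") and props.get("bindCredential")):
        findings.append("type=AUTHENTICATED needs bindDn and bindCredential")
    if ldapsearch_base:
        base, probe = dn_components(props.get("baseDn", "")), dn_components(ldapsearch_base)
        if probe and base[-len(probe):] != probe:
            findings.append(f"baseDn '{props.get('baseDn', '')}' is not under the "
                            f"ldapsearch base '{ldapsearch_base}'; the two should agree")
    return findings


def handlers_tried(log_text):
    """Names of the authentication handlers the log shows CAS consulting."""
    return set(HANDLER_RE.findall(log_text))


if __name__ == "__main__":
    cfg = parse_cas_ldap_properties(SAMPLE_PROPERTIES)[0]
    for finding in check_ldap_block(cfg, ldapsearch_base="dc=test,dc=local"):
        print("finding:", finding)
    # A login name with filter metacharacters stays a literal value once escaped.
    print("filter:", render_search_filter("sAMAccountName={user}", "j.doe*)(cn=*"))
    if "LdapAuthenticationHandler" not in handlers_tried(SAMPLE_LOG):
        print("no LdapAuthenticationHandler in the log: check the LDAP dependency in the WAR overlay")
```

Run it against your own application.properties and a sanitized debug log by replacing the two constructed samples; an empty findings list plus an LdapAuthenticationHandler entry in the handler set means the configuration and the build are at least consistent, and the remaining unknowns are on the directory side, which is where Ray's request for the AD logs comes in.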
