Disabling escaping of special characters such as '#' in MS Active Directory usernames


Bogdan Badz

Mar 22, 2024, 4:05:55 PM
to CAS Community
Hello CAS Community

We are using CAS v6.5 as a federated sign-in module for MS Active Directory users. There is a requirement to support usernames starting with a hash symbol '#'.

For example: #te...@domain.com.

We noticed that for integration with LDAP, CAS uses the Ldaptive library.

The documentation says that in this case special characters are escaped, and this is working correctly.

But we would also need the ability to disable this feature for certain characters.

org.ldaptive.auth.FormatDnResolver contains boolean value 'escapeUser' which is 'true' by default.

At the Ldaptive library level this parameter can be configured, but based on what we saw in the CAS sources, only the default state is used there, which does not help us authenticate AD users whose names begin with '#'.

Could anyone help us solve this problem?

Ray Bon

Mar 22, 2024, 11:58:54 PM
to cas-...@apereo.org
Bogdan,

Perhaps you can use the ldap filter
search-filter=#{user}

You can have multiple ldap configs and they are processed in order.

Ray

On Fri, 2024-03-22 at 11:04 -0700, Bogdan Badz wrote:
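An added example, not code from the thread, from CAS or from Ldaptive, to make the two escaping regimes in play concrete. The dnFormat path substitutes the username into a bind identifier, and a resolver that escapes the user applies the DN string rules of RFC 4514, under which a leading '#' must be written '\#'; that matches the behaviour described in the first post and explains why '#test' no longer binds as a UPN. A search filter applies the RFC 4515 rules instead, under which '#' is an ordinary character and only '*', '(', ')', '\' and NUL are escaped, so looking the user up by filter first sidesteps the problem without turning escaping off. The Python below implements both escapings plus a minimal format-based resolver, and also shows what the escaping protects against: an unescaped username can append an RDN to the bind DN or extend a filter. The resolver, the templates and the sample usernames are constructed for illustration and do not reproduce Ldaptive's implementation.

```python
"""RFC 4514 (DN) vs RFC 4515 (search filter) escaping of a user-supplied identifier.

Illustrative code only; it mirrors the RFC rules, not Ldaptive's internals.
"""

# RFC 4514 section 2.4: characters that must be escaped anywhere in a DN attribute value.
_DN_SPECIAL_ANYWHERE = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside an RFC 4514 DN string.

    A leading '#' and a leading or trailing space get a backslash, the
    characters , + " \\ < > ; are escaped anywhere, and NUL is hex-escaped.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL_ANYWHERE:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an RFC 4515 search filter.

    Only * ( ) \\ and NUL carry meaning in a filter; '#' is an ordinary character here.
    """
    table = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def resolve_dn(dn_format: str, user: str, escape_user: bool = True) -> str:
    """Toy format-based DN resolver: substitute the user into a %s template.

    escape_user=True applies DN escaping before substitution (the safe default);
    escape_user=False is what the first post asks for and is included only to
    make the consequence visible.
    """
    return dn_format.replace("%s", escape_dn_value(user) if escape_user else user)


def build_filter(filter_format: str, user: str) -> str:
    """Substitute the user into a {user} filter template with filter escaping applied."""
    return filter_format.replace("{user}", escape_filter_value(user))


def count_rdns(dn: str) -> int:
    """Count RDNs in a DN string, honouring backslash-escaped commas."""
    n, i = 1, 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if dn[i] == ",":
            n += 1
        i += 1
    return n


if __name__ == "__main__":
    # Constructed sample usernames; the domain and base DN are placeholders.
    print(resolve_dn("%s@example.com", "#test"))                     # \#test@example.com
    print(resolve_dn("%s@example.com", "#test", escape_user=False))  # #test@example.com
    print(build_filter("(sAMAccountName={user})", "#test"))          # (sAMAccountName=#test)
    hostile = "bob,cn=admins"
    for esc in (False, True):
        dn = resolve_dn("cn=%s,ou=people,dc=example,dc=com", hostile, escape_user=esc)
        print(f"escape_user={esc}: {dn} ({count_rdns(dn)} RDNs)")
    print(build_filter("(sAMAccountName={user})", "*)(objectClass=*"))
```

Running the file prints the UPN case both ways, the filter case with '#' passing through untouched, and the injection case: with escaping off, 'bob,cn=admins' yields a five-RDN DN that names a different entry, while the filter escaping turns '*)(objectClass=*' into a harmless literal. In CAS terms the two templates correspond to the dnFormat and searchFilter properties discussed in this thread.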

Bogdan Badz

Apr 1, 2024, 2:23:17 PM
to CAS Community, Ray Bon
Hello, Ray

I've tried different ways to configure the ".searchFilter" setting, but nothing works.

cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldap://<url>:389
cas.authn.ldap[0].baseDn=<baseDn>
cas.authn.ldap[0].dnFormat=%s@<domain>
#cas.authn.ldap[0].dnFormat=#%s@<domain>

#cas.authn.ldap[0].dnFormat=%s
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000

cas.authn.ldap[0].userFilter=(sAMAccountName={user})
#cas.authn.ldap[0].userFilter=(|(sAMAccountName=#{user})(sAMAccountName={user}))
#cas.authn.ldap[0].userFilter=(UserPrincipalName={0})
#cas.authn.ldap[0].userFilter=(UserPrincipalName={user})

cas.authn.ldap[0].searchFilter=(sAMAccountName=#{user})

#cas.authn.ldap[0].searchFilter=(|(sAMAccountName=#{user})(sAMAccountName={user}))
#cas.authn.ldap[0].searchFilter=(sAMAccountName={user})


cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].usePasswordPolicy=false
cas.authn.ldap[0].principalAttributeId=
cas.authn.ldap[0].principalAttributeList=
cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
cas.authn.ldap[0].allowMissingPrincipalAttributeValue=true

Regards,
Bogdan Badz

On Saturday, March 23, 2024 at 05:58:54 UTC+2, Ray Bon wrote: