Login with sAMAccountName instead of CN


dp

May 30, 2018, 9:24:41 AM5/30/18
to CAS Community
Hello! I am trying to authenticate CAS against AD. Auth via the long CN ("John Smith") is working fine. What can I do to log in with the short sAMAccountName ("JSmith")?

David Curry

May 30, 2018, 11:28:52 AM5/30/18
to cas-...@apereo.org
cas.authn.ldap[0].userFilter: sAMAccountName={user}

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 | david...@newschool.edu

The New School

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/3f83ed60-fa18-4fcf-a9e7-95033b5cd393%40apereo.org.

dp

May 30, 2018, 11:44:33 AM5/30/18
to CAS Community
It seems like it generates the string for auth via "cas.authn.ldap[0].dnFormat", not via "cas.authn.ldap[0].userFilter". Am I wrong?

I tried to look with tcpdump at what it sends to AD, and I see that it sends "CN=jsmith,OU=secondou,OU=firstou,DC=root,DC=ru".

This is because I have:
cas.authn.ldap[0].dnFormat=CN=%s,OU=secondou,OU=firstou,DC=root,DC=ru

If I substitute "CN=%s" with "sAMAccountName=%s", then in the tcpdump output I see "sAMAccountName=jsmith,OU=secondou,OU=firstou,DC=root,DC=ru",
but AD does not want to authenticate with this string.

BTW, I have "cas.authn.ldap[0].userFilter=(sAMAccountName={user})" now =/


On Wednesday, May 30, 2018 at 18:28:52 UTC+3, David Curry wrote:

David Curry

May 30, 2018, 12:03:32 PM5/30/18
to cas-...@apereo.org
The DN does not change based on which attribute you authenticate with. It is determined by your directory. If you have userFilter set to sAMAccountName you should be able to authenticate with that.

Turn logging level up to debug (you may have to add a line for ldaptive; I forget) and see what the logs say.


David A. Curry,  CISSP
Director of Information Security
The New School - Information Technology
71 Fifth Ave., 9th Fl. ~ New York, NY 10003
+1 212 229-5300 x4728 | david...@newschool.edu
Sent from my phone; please excuse typos and inane auto-corrections.

dp

May 30, 2018, 1:46:15 PM5/30/18
to CAS Community
It is working now.

#
# LDAP Authentication
#
# AD|AUTHENTICATED|DIRECT|ANONYMOUS
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldap://192.168.0.55:389
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=3000
cas.authn.ldap[0].baseDn=OU=myorg_users,DC=myorg,DC=root,DC=myorgcorp,DC=ru
cas.authn.ldap[0].userFilter=cn={user}
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].dnFormat=%s@myorg
cas.authn.ldap[0].principalAttributeId=sAMAccountName
cas.authn.ldap[0].principalAttributePassword=userPassword


On Wednesday, May 30, 2018 at 19:03:32 UTC+3, David Curry wrote:
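The distinction David Curry draws above (the bind DN comes from `dnFormat`, the search comes from `userFilter`) is what the working configuration just posted relies on: `dnFormat=%s@myorg` is a UPN-style bind name, so the `sAMAccountName=%s,OU=...` form that failed in tcpdump was never a DN that named an entry. The following is an added example, not code from the thread and not CAS or ldaptive code: it makes visible what each of the two properties turns a login name into, and applies the RFC 4514 (DN) and RFC 4515 (filter) escaping that any value substituted into those templates needs so that a submitted username cannot change the structure of the filter. Property names and sample values are the ones from this thread; the helper functions and their names are mine.

```python
# Added example (not from the thread and not CAS or ldaptive code): make visible
# what the two CAS properties discussed above turn a login name into.
#   dnFormat   -> the identity sent in the LDAP BIND request (a DN, or for AD a UPN)
#   userFilter -> the search filter used afterwards to find the entry and read attributes
# Assumptions: property values are handed in as plain strings; escaping follows
# RFC 4514 (DN strings) and RFC 4515 (search filters).
import re

# Characters that must be hex-escaped inside a search filter value (RFC 4515).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Characters that must be backslash-escaped inside a DN attribute value (RFC 4514).
_DN_ESCAPES = set('\\,+"<>;')
# UPN-style template such as "%s@myorg": accepted by an AD simple bind.
_UPN_RE = re.compile(r"^%s@[A-Za-z0-9._-]+$")
# One RDN such as "CN=%s" or "OU=secondou".
_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot alter the filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a value for use inside a DN string (RFC 4514 rules)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        special = ch in _DN_ESCAPES or (ch == "#" and i == 0) or (ch == " " and i in (0, last))
        out.append("\\" + ch if special else ch)
    return "".join(out)


def classify_dn_format(dn_format: str) -> str:
    """Return 'upn', 'dn' or 'invalid' for a dnFormat template."""
    if _UPN_RE.match(dn_format):
        return "upn"
    rdns = [r.strip() for r in dn_format.split(",")]
    if len(rdns) < 2 or not all(_RDN_RE.match(r) for r in rdns):
        return "invalid"
    return "dn"


def dn_names_ad_user(dn_format: str) -> bool:
    """True if the template's first RDN uses CN, the attribute AD names user objects
    with. "sAMAccountName=%s,OU=..." is a syntactically valid DN but names no entry,
    so a bind with it fails, which is what the tcpdump in the thread showed."""
    if classify_dn_format(dn_format) != "dn":
        return False
    first_attr = dn_format.split(",", 1)[0].split("=", 1)[0].strip()
    return first_attr.lower() == "cn"


def render_bind_identity(dn_format: str, user: str) -> str:
    """Expand %s the way the BIND name is built; escaping depends on the form."""
    kind = classify_dn_format(dn_format)
    if kind == "invalid":
        raise ValueError(f"dnFormat is neither a UPN nor a DN template: {dn_format!r}")
    if kind == "upn":
        return dn_format.replace("%s", user)  # simple bind name, no DN escaping applies
    return dn_format.replace("%s", escape_dn_value(user))


def render_user_filter(user_filter: str, user: str) -> str:
    """Expand the {user} placeholder of userFilter with the value escaped."""
    return user_filter.replace("{user}", escape_filter_value(user))


def explain(props: dict, user: str) -> dict:
    """Summarise what a given cas.authn.ldap[0] configuration does for one login name."""
    dn_format = props["cas.authn.ldap[0].dnFormat"]
    return {
        "bind_form": classify_dn_format(dn_format),
        "bind_identity": render_bind_identity(dn_format, user),
        "search_filter": render_user_filter(props["cas.authn.ldap[0].userFilter"], user),
    }


if __name__ == "__main__":
    # Constructed sample based on the working configuration posted in the thread.
    working = {
        "cas.authn.ldap[0].dnFormat": "%s@myorg",
        "cas.authn.ldap[0].userFilter": "(sAMAccountName={user})",
    }
    print(explain(working, "jsmith"))
    # The variant that failed in the thread: a DN whose first RDN is not CN.
    print(dn_names_ad_user("sAMAccountName=%s,OU=secondou,OU=firstou,DC=root,DC=ru"))
```

Running it for `jsmith` prints a UPN bind identity of `jsmith@myorg` and the filter `(sAMAccountName=jsmith)`, while a value such as `j*)(cn=*` is neutralised to `(sAMAccountName=j\2a\29\28cn=\2a)`; CAS and ldaptive do equivalent escaping internally, so the point of the code is to show why the template form matters, not to replace them.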

João Henriques

Jul 9, 2018, 2:31:36 PM7/9/18
to CAS Community, d.p...@gmail.com
Thanks for the hint! I was having the same problem; this worked for me!

Sudhan Samyraj

Nov 26, 2018, 1:31:41 PM11/26/18
to CAS Community, d.p...@gmail.com
Hi Ray

The forum is very helpful for me, but my issue was not fixed.

Using this cas.authn.ldap[0].userFilter: sAMAccountName={user} I am getting a login error.

Can I share my cas.properties file? Please help me to sort it out.

Sudhan Samyraj

Nov 27, 2018, 1:55:38 AM11/27/18
to CAS Community, d.p...@gmail.com
Hi Ray,

I will describe my other problem clearly; please help me to sort it out. Once the user logs in with the userPrincipalName it logs me in fine after I changed the thing mentioned in your forum; I will be very thankful.

If I tick the "user must change password at next login" checkbox in AD, the user is not able to log in to CAS.

Sudhan Samyraj

Nov 28, 2018, 3:42:15 AM11/28/18
to CAS Community, d.p...@gmail.com
Great help, Ray.

I have one more issue; can I discuss that here?

Ray Bon

Nov 28, 2018, 11:53:42 AM11/28/18
to cas-...@apereo.org, d.p...@gmail.com
Sure! This list is all about people helping people.
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

Sudhan Samyraj

Nov 28, 2018, 12:45:25 PM11/28/18
to cas-...@apereo.org, d.p...@gmail.com
Hi Ray,

Thanks for your help.

Now the issue I am facing is only this: if I tick "user logon password must change next login" in the AD user properties, I am not able to log in to CAS with the current password, and the CAS login is not asking for a new password to update either.

One more point: if I untick "user logon password must change next login" in AD, I am able to log in with the current password.
How could we resolve this issue? Can you please suggest any steps that need to be done?

Other than this, I am able to log in to CAS using the userPrincipalName, which is now working after your changes were made.



Ray Bon

Nov 28, 2018, 2:50:37 PM11/28/18
to cas-...@apereo.org, d.p...@gmail.com

Essentially, CAS must be set up to listen to the responses from AD/LDAP.
I have not set this up yet so unable to comment on the details.

Ray
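What Ray means by CAS having to listen to the responses from AD is worth showing concretely, because the symptom Sudhan describes is exactly the case where a bind-only check is not enough: when the account is flagged "user must change password at next logon", Active Directory rejects the simple bind with LDAP result 49 (invalidCredentials) even though the password is correct, and puts the real reason in the diagnostic message as `data 773`. The following is an added example, not code from the thread and not CAS or ldaptive code: it parses that diagnostic, maps the AD sub-code to an account state, and decides whether to reject the login or route the user into a password-change flow. The sub-code table is the documented AD set for AcceptSecurityContext errors; the sample messages and the DSID value in them are constructed.

```python
# Added example (not from the thread and not CAS or ldaptive code): what "listening
# to the responses from AD" means in practice. When a simple bind fails, Active
# Directory returns LDAP result 49 (invalidCredentials) for many distinct account
# states and puts the real reason in the diagnostic message as "data <code>".
# A correct password on an account flagged "must change at next logon" produces
# data 773, so a bind-only check just sees a failed login.
# The sub-code table is the documented AD set; the sample messages are constructed.
import re
from enum import Enum


class AdAccountState(Enum):
    USER_NOT_FOUND = "525"
    INVALID_CREDENTIALS = "52e"
    LOGON_TIME_RESTRICTED = "530"
    WORKSTATION_RESTRICTED = "531"
    PASSWORD_EXPIRED = "532"
    ACCOUNT_DISABLED = "533"
    ACCOUNT_EXPIRED = "701"
    MUST_CHANGE_PASSWORD = "773"
    ACCOUNT_LOCKED = "775"


_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9A-Fa-f]+)")

# States where the password itself was accepted and the user can be sent on
# to a change-password flow instead of being rejected.
_PASSWORD_CHANGE_STATES = {AdAccountState.MUST_CHANGE_PASSWORD, AdAccountState.PASSWORD_EXPIRED}


def parse_ad_bind_diagnostic(message: str):
    """Extract the AD sub-code from a bind diagnostic message, or None."""
    m = _DATA_RE.search(message or "")
    if not m:
        return None
    try:
        return AdAccountState(m.group(1).lower())
    except ValueError:
        return None  # unknown sub-code: treat like a plain failure


def bind_outcome(result_code: int, diagnostic: str) -> dict:
    """Map a bind result to an action, a log line and a user-facing message.

    The user-facing text is identical for "no such user" and "wrong password"
    so the login page cannot be used to enumerate accounts; the precise state
    goes only to the server log.
    """
    if result_code == 0:
        return {"action": "authenticated", "state": None,
                "log": "bind ok", "user_message": ""}
    state = parse_ad_bind_diagnostic(diagnostic) if result_code == 49 else None
    if state in _PASSWORD_CHANGE_STATES:
        return {"action": "change_password", "state": state.name,
                "log": f"bind rejected with {state.name}; starting password change",
                "user_message": "Your password must be changed before you can continue."}
    state_name = state.name if state else "unknown"
    return {"action": "reject", "state": state.name if state else None,
            "log": f"bind failed: result={result_code} state={state_name}",
            "user_message": "Invalid credentials."}


if __name__ == "__main__":
    # Constructed sample diagnostics in the format AD uses (the DSID value is made up).
    must_change = ("80090308: LdapErr: DSID-0C09042F, comment: "
                   "AcceptSecurityContext error, data 773, v2580")
    bad_password = ("80090308: LdapErr: DSID-0C09042F, comment: "
                    "AcceptSecurityContext error, data 52e, v2580")
    print(bind_outcome(49, must_change))
    print(bind_outcome(49, bad_password))
```

To my knowledge CAS delegates this parsing to ldaptive's Active Directory response handler when the LDAP source's password-policy settings are enabled (`cas.authn.ldap[0].passwordPolicy.enabled=true` with `passwordPolicy.type=AD`); treat those keys as an assumption to verify against the documentation for the CAS version in use, since the thread itself does not name them.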

Sudhan Samyraj

Nov 28, 2018, 2:55:19 PM11/28/18
to cas-...@apereo.org, d.p...@gmail.com
Thanks, Ray.

I will check it out. If anybody has any suggestions, please let me know.