CAS 6.1-RC3 AD LDAP issue

184 views
Skip to first unread message

Mallory, Erik

unread,
Mar 5, 2019, 5:32:14 PM3/5/19
to cas-...@apereo.org

Hello,

I received the following error when trying to authenticate to our AD servers. I’m not sure what bit to flip to get the %s...@site.org to work for the dnFormat property, or if there is a new way to format the DN string for AD. Below is the error:

2019-03-05 16:23:22,455 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <LDAP response: [[org.ldaptive.auth.AuthenticationResponse@1313847476::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, resolvedDn=no...@wichita.edu, ldapEntry=[dn=no...@wichita.edu[]], accountState=null, result=false, resultCode=INVALID_DN_SYNTAX, message=LDAPException(resultCode=34 (invalid DN syntax), errorMessage='Unable to parse string 'no...@wichita.edu' as a DN because it does not have an equal sign after RDN attribute 'no...@wichita.edu'.', ldapSDKVersion=4.0.9, revision=29290), controls=null]]>

 

Bleow are the relevant AD configuration properties

cas.authn.ldap[0].searchFilter=sAMAccountName={user}

cas.authn.ldap[0].dnFormat=%s...@wichita.edu

cas.authn.ldap[0].derefAliases=ALWAYS

#cas.authn.ldap[0].dnFormat=sAMAccountName=%s,OU=Unix Group,OU=UCATS,OU=Academic Affairs,OU=Wichita State University,DC=ad,DC=wichita,DC=edu

cas.authn.ldap[0].principalAttributeId=sAMAccountName

cas.authn.ldap[0].principalAttributePassword=userPassword

#cas.authn.ldap[0].poolPassivator=NONE|CLOSE|BIND

cas.authn.ldap[0].poolPassivator=NONE

#cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider

cas.authn.ldap[0].connectTimeout=PT5S

cas.authn.ldap[0].minPoolSize=3

cas.authn.ldap[0].maxPoolSize=10

cas.authn.ldap[0].validateOnCheckout=true

cas.authn.ldap[0].validatePeriodically=true

cas.authn.ldap[0].validatePeriod=PT5M

cas.authn.ldap[0].validateTimeout=PT5S

cas.authn.ldap[0].failFast=true

cas.authn.ldap[0].idleTime=PT10M

cas.authn.ldap[0].prunePeriod=PT2H

cas.authn.ldap[0].blockWaitTime=PT3S

cas.authn.ldap[0].useSsl=true

cas.authn.ldap[0].useStartTls=false

cas.authn.ldap[0].responseTimeout=PT5S

cas.authn.ldap[0].allowMultipleDns=true

cas.authn.ldap[0].allowMultipleEntries=false

cas.authn.ldap[0].followReferrals=true

cas.authn.ldap[0].name=WSUAD

#cas.authn.ldap[0].trustCertificates=

#cas.authn.ldap[0].keystore=

#cas.authn.ldap[0].keystorePassword=

#cas.authn.ldap[0].keystoreType=JKS|JCEKS|PKCS12

#cas.authn.ldap[0].binaryAttributes=objectGUID,someOtherAttribute

cas.authn.ldap[0].principalAttributeList=cn:commonName,sAMAccountName:UDC_IDENTIFIER

cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true

 

Any help would be greatly appreciated.

Thanks,

Erik Mallory

Server Analyst 

Wichita State University

 

Matthieu Belge

unread,
Mar 11, 2019, 7:24:40 PM3/11/19
to CAS Community, Erik.M...@wichita.edu
Hi,

I have exactly the same issue on both 6.1.0-RC2 and 6.1.0-RC3, it works fine with 6.1.0-RC1 so I stick to it but I wanted to have the new OAuth access token as JWT feature.

Any idea ? I looked at code change history on CAS ldap and other modules, maybe I missed something ?

Maybe should we report the issue at the CAS GitHub repository level ?

Thanks for your help,

-Matt

Matthieu Belge

unread,
Mar 17, 2019, 7:50:15 PM3/17/19
to CAS Community, Erik.M...@wichita.edu
Hi,

something is moving here https://github.com/apereo/cas/pull/3864 :)

-Matt


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b734ef53-6543-4426-a1d1-23f532f43b9c%40apereo.org.
Reply all
Reply to author
Forward
0 new messages