Ldap Authentication with Active Directory


W.Katerji

Jan 16, 2018, 3:23:10 PM
to CAS Community
Hello

I'm a first-time CAS user, and I'm working on it as part of my final-year project at university. I'm working on a Windows Server 2016 virtual machine. I've been stuck on setting up LDAP authentication against an Active Directory in CAS version 5.
The exact steps I followed were the following: I downloaded the template folder from GitHub, created a keystore file and added it in the specified location (C:\etc\cas\). I then ran "build.cmd run" in the Windows cmd from within the template folder
and was able to open the CAS page and log in using casuser and Mellon. I set up Active Directory on the virtual machine, and am now ready to set up the LDAP authentication. I know I need to edit the cas.properties folder and add the attributes related to LDAP,
however I'm not quite sure which attributes I need to use exactly and how to fill in their values. I tried different sets of attributes after reading multiple posts here on the forum, however none seemed to work, and the latest set of attributes I added were as follows
(also note that I added the LDAP dependency to the pom.xml file):

cas.authn.accept.users:
cas.authn.ldap[0].order: 0
cas.authn.ldap[0].name: Active Directory
cas.authn.ldap[0].type: AUTHENTICATED
cas.authn.ldap[0].ldapUrl: ldap://Virtual Machine IP Address:389
cas.authn.ldap[0].userFilter: sAMAccountName={user}
cas.authn.ldap[0].baseDn: ou=Users,dc=-----,dc=-----,dc=-----,dc=-----,dc=com
cas.authn.ldap[0].dnFormat: cn=%s,ou=Users,dc=-----,dc=-----,dc=-----,dc=-----,dc=com
cas.authn.ldap[0].connectTimeout=3000
cas.authn.ldap[0].useStartTLS=false
cas.authn.ldap[0].minPoolSize=3
cas.authn.ldap[0].maxPoolSize=10
cas.authn.ldap[0].validateOnCheckout=false
cas.authn.ldap[0].validatePeriodically=true
cas.authn.ldap[0].validatePeriod=300
cas.authn.ldap[0].blockWaitTime=3000
cas.authn.ldap[0].prunePeriod=300
cas.authn.ldap[0].idleTime=600
cas.authn.ldap[0].bindDn=---
cas.authn.ldap[0].bindCredential=---
cas.authn.ldap[0].userFilter=(sAMAccountName={user})

The error I'm currently getting is related to the LDAP connection to the Active Directory; more exactly, I'm getting a connection reset error. I am not sure how to go forward from here, and I'm not quite sure if these are exactly the attributes needed. Any help would be appreciated.
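An added example, not from the original post or from the CAS project: a small linter for a cas.properties block like the one above. It applies the last-value-wins rule of Java properties (so the second userFilter silently replaces the first), and flags the placeholder ldapUrl with spaces, a userFilter without parentheses, and a plain ldap:// URL with StartTLS disabled, which would send the bind password unencrypted. The sample block is constructed to mirror the post; the host names in the messages are placeholders.

```python
"""Lint a CAS cas.properties LDAP block for the mistakes visible in this thread.

Added example; not part of the original post or of CAS itself. It parses the
Java-properties syntax CAS reads (':' and '=' are both valid separators).
"""
import re
from collections import OrderedDict

# Constructed sample modelled on the first post (placeholder host, not a real one).
SAMPLE = """\
cas.authn.accept.users:
cas.authn.ldap[0].ldapUrl: ldap://Virtual Machine IP Address:389
cas.authn.ldap[0].userFilter: sAMAccountName={user}
cas.authn.ldap[0].useStartTLS=false
cas.authn.ldap[0].userFilter=(sAMAccountName={user})
"""

def parse_properties(text):
    """Return (effective, duplicates); last occurrence wins, as java.util.Properties does."""
    effective, duplicates = OrderedDict(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or comment
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if not m:
            continue  # malformed line (no key), ignore
        key, value = m.group(1), m.group(2).strip()
        if key in effective:
            duplicates.append((key, effective[key], value))
        effective[key] = value
    return effective, duplicates

def lint_ldap(text, idx=0):
    """Return human-readable findings for the cas.authn.ldap[idx].* block."""
    p = f"cas.authn.ldap[{idx}]."
    props, dups = parse_properties(text)
    findings = [f"duplicate key {k}: '{old}' overridden by '{new}'" for k, old, new in dups]
    url = props.get(p + "ldapUrl", "")
    if " " in url:
        findings.append("ldapUrl contains spaces: use a resolvable host or IP, e.g. ldap://<host>:389")
    flt = props.get(p + "userFilter", "")
    if flt and not (flt.startswith("(") and flt.endswith(")")):
        findings.append("userFilter must be a complete filter in parentheses, e.g. (sAMAccountName={user})")
    if url.startswith("ldap://") and props.get(p + "useStartTLS", "false").lower() != "true":
        findings.append("ldap:// with useStartTLS=false sends the bind password in clear; use ldaps:// or StartTLS")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_ldap(SAMPLE)) or "no findings")
```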

Tom O'Neill

Jan 17, 2018, 9:10:51 AM
to cas-...@apereo.org
The connection reset is a networking issue.
I would confirm the hostname and port that you are using and I would confirm that your VM should be able to hit the port and isn't being blocked by a firewall.

Thanks,

    Tom
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG

W.Katerji

Jan 17, 2018, 12:02:26 PM
to CAS Community
Thank you for your reply, Tom. In regards to the hostname, do you mean I should check the LDAP URL? If so, what I did is use ldp.exe on Windows and instantiate a connection to the Active Directory using the same URL that I'm using, and it worked fine. For the port, basically I'm using port 389, and in both the inbound and outbound rules there is a rule that allows communication on that port. I attached most of the errors that I'm getting, and I would really appreciate it if you could have a look and give me some advice on what to do?
errors.txt

Ray Bon

Jan 17, 2018, 12:31:34 PM
to cas-...@apereo.org
There are some bean creation issues. The last one for 'ldapAuthenticationHandlers'.
Perhaps there is some LDAP config missing (parameters or dependency in the pom).

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

W.Katerji

Jan 17, 2018, 1:23:51 PM
to CAS Community
I kept the pom.xml unchanged, adding only this dependency:

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>

In my main question I added the parameters that I used for LDAP; however, the error still persisted even when I changed these parameters to be as follows:

cas.authn.ldap[0].order:                0
cas.authn.ldap[0].name:                 Active Directory
cas.authn.ldap[0].type:                 AD
cas.authn.ldap[0].ldapUrl:              ldap://--:389
cas.authn.ldap[0].userFilter:           sAMAccountName={user}
cas.authn.ldap[0].baseDn:               ou=Users,dc=--,dc=--,dc=--,dc=--,dc=com
cas.authn.ldap[0].dnFormat:             cn=%s,ou=Users,dc=--,dc=--,dc=--,dc=--,dc=com

Any idea what is missing in my configuration? (I also uploaded the pom file.)

Thanks,
Wajih
pom.xml

Ray Bon

Jan 18, 2018, 3:12:56 PM
to cas-...@apereo.org
Wajih,

We use Oracle LDAP. I have never used AD. These are the fields that we use:
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=
cas.authn.ldap[0].connectTimeout=
cas.authn.ldap[0].baseDn=
cas.authn.ldap[0].userFilter=
cas.authn.ldap[0].bindDn=
cas.authn.ldap[0].bindCredential=
cas.authn.ldap[0].principalAttributeList=

Start with the fewest possible settings and go from there.

To verify your settings add this to log4j2 and restart tomcat:

        <!-- outputs only during startup -->
        <AsyncLogger name="org.apereo.cas.config" level="debug" />

Ray