CAS Management Overlay 6.5 LDAP Issues?


Michael Santangelo

Feb 8, 2022, 11:03:31 AM
to CAS Community
Hello all,

Forgive me for this, I'm brand new to CAS and I'm trying to get LDAP working.

I built an Ubuntu VM and did initial setup by doing:
  1. git clone https://github.com/apereo/cas-overlay-template
  2. I did some initial config changes in the cas.properties to get SSL up and running
  3. Ran sudo ./gradlew clean copyCasConfiguration build run
  4. I can login using the casuser and the default password as expected.  This part is all working fine.
So I tried adding LDAP support by:
  1. Modify build.gradle by adding 
        implementation "org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"
    to the dependencies section.
  2. Modify cas.properties by adding:
    # Disable casuser
    cas.authn.accept.users=
    # LDAP Servers Authenticated
    cas.authn.ldap[0].ldapUrl=ldap://<ldap server ip>:389
    #cas.authn.ldap[0].usessl=false
    cas.authn.ldap[0].useStartTls=false
    cas.authn.ldap[0].type=AUTHENTICATED
    cas.authn.ldap[0].bindDn=cn=cas bind,CN=Users,DC=...
    cas.authn.ldap[0].bindCredential=<the password>
    # LDAP Servers Authenticated

    # Search For CAS User
    cas.authn.ldap[0].baseDn=OU=Technology,OU=Staff,DC=CHS,DC=...
    cas.authn.ldap[0].subtreeSearch=true
    #cas.authn.ldap[0].searchFilter=(&(objectClass=person)(uid={user}))
    #cas.authn.ldap[0].searchFilter=uid={user}
    cas.authn.ldap[0].searchFilter=sAMAaccountName={user}
    #cas.authn.ldap[0].principalAttributeList=cn,givenName,mail,sn
    # Search for CAS User
  3. Ran sudo ./gradlew clean copyCasConfiguration build run
The page loads as usual.  I am unable to login as casuser, which is expected.  I cannot login with any domain credentials.

In the log I get an error:
2022-02-08 15:43:49,567 INFO [org.apereo.cas.authentication.DefaultAuthenticationManager] - <[LdapAuthenticationHandler] exception details: [Unable to resolve user dn for <a username>].>

So I tried to verify that the server can connect via LDAP:

ldapsearch -H ldap://<ldap server ip>:389 -D "CN=cas bind,CN=Users,DC=..." -W samaccountname=<a username> -b "OU=Technology,OU=Staff,DC=..." -v

And I receive a valid result.

I'm not sure where the disconnect is, or what else I should search for.  Any tips or suggestions that you could provide would be helpful.

I'm attaching the output of Task :run.
run.txt

Felix Schumacher

Feb 8, 2022, 11:13:48 AM
to cas-...@apereo.org


On 08.02.22 at 17:00, Michael Santangelo wrote:

Is this a typo on your config? You have two a's after the initial SAM.

Felix

PS. Why do you disable startTLS?

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/5be8d9ff-f43d-4347-9f64-3842676a4a7fn%40apereo.org.

Michael Santangelo

Feb 8, 2022, 11:28:21 AM
to CAS Community, Felix Schumacher
That's a typo artifact.  

It should be:

cas.authn.ldap[0].searchFilter=sAMAccountName={user}

I disable StartTLS because I wanted to make sure I could get it working before introducing any sort of TLS/SSL for LDAPS.  Getting the certificates to cooperate has proven to be difficult as I am new to working on these things.  Do you think it would make a difference?

Ray Bon

Feb 8, 2022, 12:08:36 PM
to cas-...@apereo.org
Michael,

What do the ldap logs show?

Ray

On Tue, 2022-02-08 at 08:00 -0800, Michael Santangelo wrote:
Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose historical relationships with the land continue to this day.

Michael Santangelo

Feb 8, 2022, 2:55:26 PM
to CAS Community, Ray Bon
I can see the bind hit the LDAP server but no other requests seem to make it there.

I'll check wireshark and make sure the requests are being sent, then will check back.

Michael Santangelo

Feb 8, 2022, 2:55:26 PM
to CAS Community, Michael Santangelo
I changed my config to:

cas.authn.ldap[0].order=0
cas.authn.ldap[0].name=Tech Active Directory
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldap://<hostname>:389
cas.authn.ldap[0].validatePeriod=270
cas.authn.ldap[0].poolPassivator=NONE
cas.authn.ldap[0].searchFilter=sAMAccountName={user}
cas.authn.ldap[0].baseDn=OU=Technology,OU=Staff,DC=CHS,DC=...
cas.authn.ldap[0].dnFormat=CN=%s,OU=Technology,OU=Staff,DC=...
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].bindDn=CN=casbind,CN=Users,DC=...
cas.authn.ldap[0].bindCredential=<a password>

And now it's working for people in that OU... Time to see if I can expand it to the entire Staff OU... 

Michael Santangelo

Feb 8, 2022, 2:55:27 PM
to Pablo Vidaurri, CAS Community
I am modifying the project file, not the file in the local /etc folder. The full path is /home/<user>/cas-management-overlay/etc/cas/config/cas.properties

On Tue, Feb 8, 2022 at 12:38 PM Pablo Vidaurri <psvid...@gmail.com> wrote:


--
: Michael A. Santangelo
:: Owner, https://talesofatech.com
:: Primary: (908) 285-8760
:: Rutgers University, Class of 2007 & 2011
:::: B.A. in Mathematics
:::: B.S. in Information Technology

Pablo Vidaurri

Feb 8, 2022, 2:55:27 PM
to CAS Community, michael.s...@gmail.com
Are you modifying the cas.properties created in /etc/cas or the one in your project folder? I don't think you want to do a copyCasConfiguration on each run, as it will overwrite the cas.properties file in your /etc/cas folder.

Anyhow, my config looks similar to yours. One thing I did run into a problem with is the password policy. If you don't plan on managing passwords via CAS, then also use this setting:
cas.authn.ldap[0].passwordPolicy.enabled: false

On Tuesday, February 8, 2022 at 10:03:31 AM UTC-6 michael.s...@gmail.com wrote:

Felix Schumacher

Feb 8, 2022, 3:55:18 PM
to cas-...@apereo.org

Are you sure that you need to set dnFormat? If you have users in different OUs, it will be difficult to use a template such as cn=%s,ou=..., and shouldn't the DN be found by the searchFilter?

Felix

On 08.02.22 at 19:13, Michael Santangelo wrote:

Michael Santangelo

Feb 8, 2022, 11:21:42 PM
to CAS Community, Felix Schumacher
The finalized working bit for Active Directory LDAP was:

# Working LDAP Auth
cas.authn.ldap[0].order=0
cas.authn.ldap[0].name=Active Directory
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldap://<DC FQDN>:389

cas.authn.ldap[0].validatePeriod=270
cas.authn.ldap[0].poolPassivator=NONE
cas.authn.ldap[0].searchFilter=sAMAccountName={user}
cas.authn.ldap[0].baseDn=OU=Staff,DC=...
cas.authn.ldap[0].subtreeSearch=true

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].bindDn=CN=casbind,CN=Users,DC=...
cas.authn.ldap[0].bindCredential=<password>
# Working LDAP Auth

:D

I even got Duo MFA working today. Thanks all!


Ray Bon

Feb 8, 2022, 11:21:42 PM
to cas-...@apereo.org, michael.s...@gmail.com
Michael,

To follow up on Felix's post.
You can create multiple ldap entries, one for each OU. CAS will search them in the order they are in your properties file.

Ray

On Tue, 2022-02-08 at 10:13 -0800, Michael Santangelo wrote:

Felix Schumacher

Feb 8, 2022, 11:21:42 PM
to Michael Santangelo, CAS Community

I think you should use only one entry for "type". (Currently you will probably use AUTHENTICATED)

Felix

On 08.02.22 at 22:07, Michael Santangelo wrote:

Ray Bon

Feb 8, 2022, 11:21:42 PM
to cas-...@apereo.org, michael.s...@gmail.com
I was not quite done with the previous email.

cas.authn.ldap[0]...
cas.authn.ldap[1]...
etc.


Ray

On Tue, 2022-02-08 at 10:13 -0800, Michael Santangelo wrote:

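A small cas.properties lint, added here as an example (it is not part of this thread, of the CAS overlay, or of CAS itself), that catches the three configuration slips the thread turned up: the sAMAaccountName typo Felix spotted in the searchFilter, the `type` key set twice in one cas.authn.ldap[n] block (Java properties keep the last value, so the earlier `AD` is silently replaced by `AUTHENTICATED`, which is Felix's later point), and a bindCredential sent over plain ldap:// with useStartTls=false. It also flags dnFormat set next to a searchFilter, which the finalized config dropped in favour of baseDn plus subtreeSearch. The hostnames, DNs and passwords in the three sample blocks are constructed; the key names are the ones used in the thread.

```python
"""Lint the cas.authn.ldap[n].* block of a cas.properties file for the
mistakes discussed in this thread. Stand-alone example, not CAS code."""
import re

KEY_RE = re.compile(r"^cas\.authn\.ldap\[(\d+)\]\.([A-Za-z.]+)$")
# Java properties accept '=' or ':' as the key/value separator.
PROP_RE = re.compile(r"^([^=:\s]+)\s*[=:]\s*(.*)$")
# Every "attribute={user}" occurrence inside a CAS search filter.
USER_ATTR_RE = re.compile(r"([A-Za-z0-9-]+)=\{user\}")

# Login-name attributes commonly used in AD/OpenLDAP filters, lower-cased
# because LDAP attribute names are case-insensitive on the wire.
KNOWN_LOGIN_ATTRS = {"samaccountname", "userprincipalname", "uid", "cn", "mail"}


def parse_ldap_blocks(text):
    """Group cas.authn.ldap[n].* lines by index, keeping order and duplicates."""
    blocks = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = PROP_RE.match(line)
        if not m:
            continue
        km = KEY_RE.match(m.group(1))
        if not km:
            continue  # not an LDAP authn key (e.g. cas.authn.accept.users)
        blocks.setdefault(int(km.group(1)), []).append((km.group(2), m.group(2).strip()))
    return blocks


def lint_block(props):
    """Return a list of findings for one cas.authn.ldap[n] block."""
    findings = []
    last = {}
    for prop, value in props:
        # Later values win in java.util.Properties, so an earlier one is lost.
        if prop in last and last[prop] != value:
            findings.append(f"duplicate key {prop}: '{last[prop]}' is overridden by '{value}'")
        last[prop] = value

    for attr in USER_ATTR_RE.findall(last.get("searchFilter", "")):
        if attr.lower() not in KNOWN_LOGIN_ATTRS:
            findings.append(f"searchFilter uses unrecognised attribute '{attr}' (typo?)")

    url = last.get("ldapUrl", "")
    starttls = last.get("useStartTls", "false").lower() == "true"
    if url.startswith("ldap://") and not starttls and "bindCredential" in last:
        findings.append("bindCredential is sent in the clear: ldap:// without useStartTls=true")

    if "dnFormat" in last and "searchFilter" in last:
        findings.append("dnFormat pins users to one OU; prefer baseDn + subtreeSearch with the searchFilter")
    return findings


def lint_properties(text):
    """Lint every cas.authn.ldap[n] block found in a properties file."""
    return {idx: lint_block(props) for idx, props in sorted(parse_ldap_blocks(text).items())}


# Constructed samples modelled on the thread's first attempt, the finalized
# config, and a hardened variant; hosts, DNs and the password are placeholders.
FIRST_ATTEMPT = """
cas.authn.accept.users=
cas.authn.ldap[0].ldapUrl=ldap://ldap.example.test:389
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].bindDn=CN=cas bind,CN=Users,DC=example,DC=test
cas.authn.ldap[0].bindCredential=PLACEHOLDER
cas.authn.ldap[0].baseDn=OU=Technology,OU=Staff,DC=example,DC=test
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].searchFilter=sAMAaccountName={user}
"""

FINAL_CONFIG = """
cas.authn.ldap[0].order=0
cas.authn.ldap[0].name=Active Directory
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldap://dc1.example.test:389
cas.authn.ldap[0].searchFilter=sAMAccountName={user}
cas.authn.ldap[0].baseDn=OU=Staff,DC=example,DC=test
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].bindDn=CN=casbind,CN=Users,DC=example,DC=test
cas.authn.ldap[0].bindCredential=PLACEHOLDER
"""

HARDENED_CONFIG = """
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://dc1.example.test:636
cas.authn.ldap[0].searchFilter=sAMAccountName={user}
cas.authn.ldap[0].baseDn=OU=Staff,DC=example,DC=test
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].bindDn=CN=casbind,CN=Users,DC=example,DC=test
cas.authn.ldap[0].bindCredential=PLACEHOLDER
cas.authn.ldap[0].passwordPolicy.enabled: false
"""

if __name__ == "__main__":
    for name, text in (("first attempt", FIRST_ATTEMPT), ("final", FINAL_CONFIG), ("hardened", HARDENED_CONFIG)):
        for idx, findings in lint_properties(text).items():
            print(f"{name} cas.authn.ldap[{idx}]: {findings or 'no findings'}")
```

Run it on your own file with `lint_properties(open("etc/cas/config/cas.properties").read())`; the first-attempt sample reports the attribute typo and the cleartext bind, the finalized sample reports the duplicated `type` and the cleartext bind, and the hardened sample (single `type`, ldaps://) reports nothing.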