CAS 5 - ldap multiple OUs

Eric Allen
Nov 22, 2016, 8:02:38 PM
to CAS Community
I'm currently stuck on how to set up authentication for two OUs in the same LDAP connector. I want to allow only the users that are in these two OUs but not others.
The two OUs that I want to authenticate against are ou=users,dc=example,dc=org and ou=people,dc=example,dc=org. I'm using example.org to keep the examples easier to understand.
I can get one OU to work just fine. Current config:

cas.authn.Ldap[0].type=AD
cas.authn.Ldap[0].LdapUrl=https://ldap.example.org
cas.authn.Ldap[0].baseDn=dc=example,dc=org
cas.authn.Ldap[0].userFilter=cn={user}
cas.authn.Ldap[0].bindDn=cn=cas_user,ou=utility,dc=example,dc=org
cas.authn.Ldap[0].bindCredential=caspass
cas.authn.Ldap[0].principalAttributeId=sAMAccountName
cas.authn.Ldap[0].dnFormat=cn=%s,ou=users,dc=example,dc=org


I have tried multiple different options for the dnFormat, trying ldapsearch strings, but to no success. Any suggestions on limiting access to two OUs?

Thanks
Eric

Ruslan Mezentsev
Nov 23, 2016, 12:03:00 AM
to CAS Community
Hi, if your LDAP implements extensible matching (MS AD does not support it: https://msdn.microsoft.com/en-us/library/cc223241.aspx),
I think you can use (not tested):

cas.authn.Ldap[0].userFilter=(&(cn={user})(|(ou:dn:=users)(ou:dn:=people)))

Misagh Moayyed
Nov 23, 2016, 11:27:33 AM
to cas-...@apereo.org

You may have missed the obvious, which is that that index "[0]" is meant to be incremented by you to support additional blocks and LDAP authN schemes. So what you can do is define a [1], repeat your settings more or less, and just narrow the base for both 0 and 1 to those OUs you care about.

Or you come up with a fancier filter.

--Misagh


Misagh Moayyed
Nov 23, 2016, 1:06:41 PM
to cas-...@apereo.org

The second.

--Misagh

From: Eric Allen [mailto:truc...@gmail.com]
Sent: Wednesday, November 23, 2016 10:53 AM
To: jasig-cas-user <jasig-c...@googlegroups.com>
Cc: cas-...@apereo.org; mmoa...@unicon.net
Subject: Re: [cas-user] CAS 5 - ldap multiple OUs

To use that method would it look something like this?

cas.authn.Ldap[0].type=AD
cas.authn.Ldap[0].LdapUrl=https://ldap.example.org
cas.authn.Ldap[0].baseDn=dc=example,dc=org
cas.authn.Ldap[0].userFilter=cn={user}
cas.authn.Ldap[0].bindDn=cn=cas_user,ou=utility,dc=example,dc=org
cas.authn.Ldap[0].bindCredential=caspass
cas.authn.Ldap[0].principalAttributeId=sAMAccountName
cas.authn.Ldap[0].dnFormat=cn=%s,ou=users,dc=example,dc=org
cas.authn.Ldap[1].dnFormat=cn=%s,ou=people,dc=example,dc=org

or like

cas.authn.Ldap[0].type=AD
cas.authn.Ldap[0].LdapUrl=https://ldap.example.org
cas.authn.Ldap[0].baseDn=dc=example,dc=org
cas.authn.Ldap[0].userFilter=cn={user}
cas.authn.Ldap[0].bindDn=cn=cas_user,ou=utility,dc=example,dc=org
cas.authn.Ldap[0].bindCredential=caspass
cas.authn.Ldap[0].principalAttributeId=sAMAccountName
cas.authn.Ldap[0].dnFormat=cn=%s,ou=users,dc=example,dc=org

cas.authn.Ldap[1].type=AD
cas.authn.Ldap[1].LdapUrl=https://ldap.example.org
cas.authn.Ldap[1].baseDn=dc=example,dc=org
cas.authn.Ldap[1].userFilter=cn={user}
cas.authn.Ldap[1].bindDn=cn=cas_user,ou=utility,dc=example,dc=org
cas.authn.Ldap[1].bindCredential=caspass
cas.authn.Ldap[1].principalAttributeId=sAMAccountName
cas.authn.Ldap[1].dnFormat=cn=%s,ou=people,dc=example,dc=org

Eric Allen
Nov 23, 2016, 2:59:46 PM
to jasig-cas-user, cas-...@apereo.org, mmoa...@unicon.net
To use that method would it look something like this?

cas.authn.Ldap[0].type=AD
cas.authn.Ldap[0].LdapUrl=https://ldap.example.org
cas.authn.Ldap[0].baseDn=dc=example,dc=org
cas.authn.Ldap[0].userFilter=cn={user}
cas.authn.Ldap[0].bindDn=cn=cas_user,ou=utility,dc=example,dc=org
cas.authn.Ldap[0].bindCredential=caspass
cas.authn.Ldap[0].principalAttributeId=sAMAccountName
cas.authn.Ldap[0].dnFormat=cn=%s,ou=users,dc=example,dc=org
cas.authn.Ldap[1].dnFormat=cn=%s,ou=people,dc=example,dc=org

or like
cas.authn.Ldap[0].type=AD
cas.authn.Ldap[0].LdapUrl=https://ldap.example.org
cas.authn.Ldap[0].baseDn=dc=example,dc=org
cas.authn.Ldap[0].userFilter=cn={user}
cas.authn.Ldap[0].bindDn=cn=cas_user,ou=utility,dc=example,dc=org
cas.authn.Ldap[0].bindCredential=caspass
cas.authn.Ldap[0].principalAttributeId=sAMAccountName
cas.authn.Ldap[0].dnFormat=cn=%s,ou=users,dc=example,dc=org

cas.authn.Ldap[1].type=AD
cas.authn.Ldap[1].LdapUrl=https://ldap.example.org
cas.authn.Ldap[1].baseDn=dc=example,dc=org
cas.authn.Ldap[1].userFilter=cn={user}
cas.authn.Ldap[1].bindDn=cn=cas_user,ou=utility,dc=example,dc=org
cas.authn.Ldap[1].bindCredential=caspass
cas.authn.Ldap[1].principalAttributeId=sAMAccountName
cas.authn.Ldap[1].dnFormat=cn=%s,ou=people,dc=example,dc=org


On Wednesday, November 23, 2016 at 9:27:32 AM UTC-7, Misagh Moayyed wrote:

Erdal Gunyar
Nov 24, 2016, 5:48:51 AM
to CAS Community, jasig-c...@googlegroups.com, mmoa...@unicon.net
The second one, as Misagh said, because the logic here is to have two totally separate authentications with different settings: it could even be another LDAP server with totally different parameters...

Note that if Ruslan's filter works, you would slightly prefer it, as you only have one LDAP with a specific need.
More precisely, it will only call LDAP once.

If you use two LDAP auths, CAS will try the first and, if it doesn't work, it will try the second.
So if your users are, let's say, dispatched half and half on both groups, you'll have an average of 1.5 calls instead of 1.

That said, depending on the environment, LDAP calls from CAS are pretty quick; so I would say just use whatever works :)

Erdal.
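Added example, written for this page and not taken from the thread or from CAS itself: a small Python simulation of the two approaches discussed above, Ruslan's single extensible-match filter and the two handler blocks with narrowed bases that Misagh and Erdal recommend, run against constructed directory entries. It assumes that cn is the leading RDN of every entry, models the ":dn:" flag as RFC 4515 defines it (the assertion is also tested against every RDN of the entry's DN, not only the immediate parent), and models CAS's handler ordering as "try [0], then [1] only if [0] fails". The nested-OU entries are constructed to show where the two approaches admit different users, which is the point to check when the goal is to allow exactly two OUs and nothing else.

```python
"""Simulate two ways of restricting CAS LDAP authentication to two OUs.

Approach A: one handler, filter (&(cn={user})(|(ou:dn:=users)(ou:dn:=people)))
Approach B: two handlers, baseDn narrowed to one OU each, tried in order.

This is an in-memory model of the matching rules; it does not talk LDAP.
"""
from typing import List, Optional, Tuple

RDN = Tuple[str, str]

# Constructed sample entries (hypothetical, not a real directory).
# Each entry's cn is taken to be the value of its leading RDN.
ENTRIES = [
    "cn=alice,ou=users,dc=example,dc=org",
    "cn=bob,ou=people,dc=example,dc=org",
    "cn=carol,ou=utility,dc=example,dc=org",               # service OU: should be rejected
    "cn=dave,ou=users,ou=disabled,dc=example,dc=org",      # an "ou=users" RDN under another OU
    "cn=erin,ou=contractors,ou=people,dc=example,dc=org",  # a sub-OU beneath ou=people
]


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into (attribute, value) pairs, leftmost RDN first.
    Names and values are lowercased because DN matching for these attribute
    types is case-insensitive. Escaped commas inside values are not handled;
    the sample data has none."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def entry_cn(dn: str) -> str:
    return parse_dn(dn)[0][1]


def dn_component_match(dn: str, attr: str, value: str) -> bool:
    """Extensible match with the :dn: flag (RFC 4515 section 3): true if ANY
    RDN of the entry's DN carries the given attribute with the given value."""
    return any(a == attr.lower() and v == value.lower() for a, v in parse_dn(dn))


def approach_a(user: str, allowed_ous=("users", "people")) -> List[str]:
    """One handler searching the whole tree with Ruslan's filter.
    Returns the DNs that match for the given user name."""
    return [
        dn for dn in ENTRIES
        if entry_cn(dn) == user.lower()
        and any(dn_component_match(dn, "ou", ou) for ou in allowed_ous)
    ]


def in_search_base(dn: str, base_dn: str, subtree: bool) -> bool:
    """Is the entry inside the search base? One-level scope accepts only
    immediate children of the base; subtree scope accepts any depth."""
    entry, base = parse_dn(dn), parse_dn(base_dn)
    if len(entry) <= len(base) or entry[-len(base):] != base:
        return False
    return subtree or len(entry) == len(base) + 1


# Approach B: handler [0] is tried first; [1] only if [0] finds nothing.
HANDLER_BASES = ["ou=users,dc=example,dc=org", "ou=people,dc=example,dc=org"]


def approach_b(user: str, subtree: bool = False) -> Tuple[Optional[str], int]:
    """Return (DN found or None, number of handlers that were consulted)."""
    consulted = 0
    for base in HANDLER_BASES:
        consulted += 1
        for dn in ENTRIES:
            if entry_cn(dn) == user.lower() and in_search_base(dn, base, subtree):
                return dn, consulted
    return None, consulted


def average_handler_calls(users: List[str]) -> float:
    """Erdal's point: users in the second OU always fail handler [0] first,
    so the average number of handler calls per login rises above 1."""
    return sum(approach_b(u)[1] for u in users) / len(users)


if __name__ == "__main__":
    for u in ("alice", "bob", "carol", "dave", "erin"):
        print(f"{u:6} A={approach_a(u)}  B(one-level)={approach_b(u)}  "
              f"B(subtree)={approach_b(u, subtree=True)}")
    print("average handler calls for alice+bob:", average_handler_calls(["alice", "bob"]))
```

Running it shows the difference that matters for an allow-list: the ":dn:" filter admits dave, whose DN merely contains an "ou=users" RDN under ou=disabled, while the narrowed bases reject him; and erin, in a sub-OU of ou=people, is admitted by the filter, rejected by a one-level search, and admitted again by a subtree search. Whichever variant is chosen, the service account in ou=utility is rejected by both, and the two-handler model reproduces Erdal's 1.5 average for users split evenly across the OUs.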