CAS LDAP authentication with OpenLDAP aliases?


Carl Waldbieser

May 18, 2022, 4:23:31 PM
to cas-user
If I have an entry and an alias in an OpenLDAP DIT such that searching on "alias" dereferences "entry", is it possible to configure CAS to perform a 2 stage BIND in this way?

I.e.

  1. User enters "alias" and password at the CAS login form.
  2. CAS searches the DIT with LDAP base "uid=alias,ou=aliases,o=myorg" and a filter like "(objectClass=*)".
  3. The actual entry dereferenced has DN "uid=entry,ou=somedepartment,o=myorg".
  4. CAS attempts a BIND against this DN with the provided password.

It's not obvious from the documentation how one might configure that, or even if it is possible.

Thanks,
Carl Waldbieser

Ray Bon

May 18, 2022, 7:09:55 PM
to cas-...@apereo.org
Carl,

Are you referring to surrogate authentication?

Ray

On Wed, 2022-05-18 at 16:23 -0400, Carl Waldbieser wrote:
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose historical relationships with the land continue to this day.

Carl Waldbieser

May 19, 2022, 10:41:24 AM
to cas-...@apereo.org
Ray,

No-- I don't want person "A" to be able to authenticate on behalf of person "B".

Currently, our users log on with a system assigned username.  I'd like them to also be able to claim their own username alias and be able to log on with that.  So for example, user "smithe" could have an alias "catlover86" and use that as their username.

OpenLDAP has a concept of alias entries for its DIT that can refer to other entries.  Potentially, I could use this, but there are some caveats:

  1. The LDAP client has to explicitly dereference aliases.
  2. When an entry is being dereferenced, it won't be returned in a search if you are searching for attributes on the alias itself.  This is because the filter matches the attributes on the dereferenced entry.
The 2nd rule is very counter-intuitive in my opinion.  It took me a while to wrap my head around what was going on.  But you can set the LDAP base DN to the alias during a SEARCH operation, and the dereferenced target will be returned assuming you have a filter that matches the target.

Typically, our 2 step BIND in CAS looks like this:

  1. SEARCH the LDAP DIT for an entry with an attribute (let's say "uid") that matches the username provided.  This search is done while BINDed as a DN with elevated search privs.
  2. Once a matching entry is found, BIND to it using the password provided.
CAS lets me set up a search filter like "(uid={user})" where it will do the substitution for "user", so this works fine.

To use aliases, I'd want to do something like:

  1. SEARCH the LDAP DIT for an entry with a base DN of "uid={user},ou=aliases,o=myorg".  Again, the search would be done while BINDed as a DN with elevated search privs.
  2. Once a matching *dereferenced* entry is found, BIND to it using the password provided.
The configuration I'm not sure about is that CAS would need to be able to substitute {user} into the base DN for the search, making sure to escape it properly.  Also, the SEARCH would need to indicate that alias entries should be dereferenced.

I'm not sure if CAS supports this without getting into some magical Java bean territory.

Thanks,
Carl Waldbieser
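The two-stage flow described in this message, as an added example that is not part of the thread and not CAS or ldaptive code. It models the directory with a constructed in-memory stand-in (so it runs offline) that follows the alias semantics described above: with a base-scope search on the alias DN and a dereference policy other than NEVER, the filter is evaluated against the target entry and the target's DN is what comes back. The DN and filter escaping functions follow RFC 4514 and RFC 4515; the names `ToyDirectory`, `resolve_dn`, `two_stage_bind`, the sample DNs and the password are all assumptions made for the example.

```python
"""Two-stage LDAP bind through an OpenLDAP alias entry (added example, not
from the thread or from CAS/ldaptive). The directory is a constructed
in-memory stand-in so the flow runs offline."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 4514 characters that must be escaped inside an RDN attribute value.
_DN_SPECIAL = ',+"\\<>;='


def escape_dn_value(value: str) -> str:
    """Escape a user-supplied value so it stays inside its own RDN (RFC 4514)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == '#' and i == 0):
            out.append('\\' + ch)
        elif ch == ' ' and i in (0, last):      # leading/trailing space
            out.append('\\ ')
        elif ord(ch) < 0x20:                    # control characters as hex pairs
            out.append('\\%02X' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def escape_filter_value(value: str) -> str:
    """Escape a value used in a search filter assertion (RFC 4515)."""
    table = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}
    return ''.join(table.get(ch, ch) for ch in value)


@dataclass
class Entry:
    dn: str
    attrs: Dict[str, List[str]]
    aliased_object_name: Optional[str] = None   # set only on alias entries


def _matches(filt: str, entry: Entry) -> bool:
    """Evaluate one equality or presence filter, e.g. (uid=x) or (objectClass=*)."""
    attr, _, val = filt.strip('()').partition('=')
    return attr in entry.attrs if val == '*' else val in entry.attrs.get(attr, [])


class ToyDirectory:
    """Constructed stand-in for the server: the filter is evaluated against the
    dereferenced target, never against the alias entry itself."""

    def __init__(self, entries: List[Entry], passwords: Dict[str, str]):
        self.entries = {e.dn: e for e in entries}
        self.passwords = passwords

    def _deref(self, entry: Entry, allowed: bool) -> Entry:
        if allowed and entry.aliased_object_name:
            return self.entries[entry.aliased_object_name]
        return entry

    def search(self, base: str, scope: str, filt: str, deref: str) -> List[Entry]:
        if scope == 'BASE':                      # FINDING/ALWAYS dereference the base object
            entry = self.entries.get(base)
            if entry is None:
                return []
            candidates = [self._deref(entry, deref in ('FINDING', 'ALWAYS'))]
        else:                                    # SEARCHING/ALWAYS dereference subordinates
            candidates = [self._deref(e, deref in ('SEARCHING', 'ALWAYS'))
                          for dn, e in self.entries.items() if dn.endswith(',' + base)]
        return [e for e in candidates if _matches(filt, e)]

    def bind(self, dn: str, password: str) -> bool:
        return self.passwords.get(dn) == password


def resolve_dn(conn, username: str, deref: str = 'FINDING') -> Optional[str]:
    """Stage 1: base-scope search on the alias DN, run under the privileged
    search identity; returns the DN the password bind should target."""
    base = 'uid=%s,ou=aliases,o=myorg' % escape_dn_value(username)
    hits = conn.search(base, 'BASE', '(objectClass=*)', deref)
    return hits[0].dn if len(hits) == 1 else None


def two_stage_bind(conn, username: str, password: str, deref: str = 'FINDING') -> Optional[str]:
    """Stage 2: bind as the resolved DN. Returns that DN on success, else None."""
    dn = resolve_dn(conn, username, deref)
    return dn if dn is not None and conn.bind(dn, password) else None


def demo_directory() -> ToyDirectory:
    """Constructed sample data: user smithe owns the alias catlover86."""
    person = Entry('uid=smithe,ou=people,o=myorg',
                   {'objectClass': ['inetOrgPerson'], 'uid': ['smithe']})
    alias = Entry('uid=catlover86,ou=aliases,o=myorg',
                  {'objectClass': ['alias', 'extensibleObject'], 'uid': ['catlover86']},
                  aliased_object_name=person.dn)
    return ToyDirectory([person, alias], {person.dn: 'correct horse'})


if __name__ == '__main__':
    d = demo_directory()
    print(resolve_dn(d, 'catlover86', 'NEVER'))    # alias DN: a bind here would fail
    print(two_stage_bind(d, 'catlover86', 'correct horse'))
    # Caveat 2 above: a subtree search matching the alias's own uid finds nothing
    # once aliases are dereferenced, because the filter hits the target entry.
    print(d.search('ou=aliases,o=myorg', 'SUBTREE', '(uid=catlover86)', 'SEARCHING'))
```

Running the script shows the three behaviours the thread turns on: with the default NEVER policy the search hands back the alias DN (which has no password, so the bind fails), with FINDING it hands back the target DN and the bind succeeds, and a subtree search filtering on the alias's own uid returns nothing once dereferencing is on. `escape_dn_value` keeps a username such as `smith, e` inside its RDN instead of letting the comma start a new one.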


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG

Daniel Fisher

May 19, 2022, 11:15:48 AM
to cas-...@apereo.org
On Wed, May 18, 2022 at 4:23 PM Carl Waldbieser <wald...@lafayette.edu> wrote:
If I have an entry and an alias in an OpenLDAP DIT such that searching on "alias" dereferences "entry", is it possible to configure CAS to perform a 2 stage BIND in this way?

I.e.

  1. User enters "alias" and password at the CAS login form.
  2. CAS searches the DIT with LDAP base "uid=alias,ou=aliases,o=myorg" and a filter like "(objectClass=*)".
  3. The actual entry dereferenced has DN "uid=entry,ou=somedepartment,o=myorg".
  4. CAS attempts a BIND against this DN with the provided password.

It sounds like you need to set derefAliases to something other than the default (NEVER).

--Daniel Fisher

Ray Bon

May 19, 2022, 12:18:27 PM
to cas-...@apereo.org
Carl,

Cas uses ldaptive, https://www.ldaptive.org/. Its docs may shed some light.

Ray