SPNEGO : Retrieve Attribute from AD?
80 views
Skip to first unread message
Sparadrus (FR)
Aug 22, 2019, 6:30:55 AM8/22/19
to CAS Community
Hi,
When my users login manually from CAS, attributes from AD are correctly retrieved and pass to my webapp. But with SPNEGO automatic login, i don't see on cas.log the attributes and my webapp (nextcloud) don't update user information (displayName, mail, memberOf). I don't see any row on apereo documentation who permit retrieve attributes from SPNEGO... Maybe I does create a service file specially for SPNEGO..?
If you have any idea :)
Thanks at all ;)
SPENGO section from cas.properties :
cas.authn.spnego.kerberosConf=file:/etc/krb5.conf
cas.authn.spnego.mixedModeAuthentication=true
cas.authn.spnego.cachePolicy=600
cas.authn.spnego.timeout=300000
cas.authn.spnego.jcifsServicePrincipal=HTTP/authentificati...@DOMAIN.LAN
cas.authn.spnego.jcifsServicePassword=MyPassWord
cas.authn.spnego.loginConf=file:/etc/cas/config/login.conf
cas.authn.spnego.ntlmAllowed=false
cas.authn.spnego.supportedBrowsers=MSIE,Trident,Firefox,AppleWebKit
cas.authn.spnego.hostNameClientActionStrategy=baseSpnegoClientAction
cas.authn.spnego.kerberosKdc=192.168.0.1
cas.authn.spnego.ipsToCheckPattern=10.+
cas.authn.spnego.kerberosDebug=true
cas.authn.spnego.kerberosRealm=DOMAIN.LAN
cas.authn.spnego.send401OnAuthenticationFailure=true
# cas.authn.spnego.jcifsNetbiosWins=
# cas.authn.spnego.hostNamePatternString=.+
# cas.authn.spnego.jcifsUsername=
# cas.authn.spnego.useSubjectCredsOnly=false
# cas.authn.spnego.jcifsDomainController=
# cas.authn.spnego.dnsTimeout=2000
# cas.authn.spnego.alternativeRemoteHostAttribute=alternateRemoteHeader
# cas.authn.spnego.jcifsDomain=
# cas.authn.spnego.ntlm=false
cas.authn.spnego.principalWithDomainName=false
# cas.authn.spnego.jcifsPassword=
cas.authn.spnego.spnegoAttributeName=sAMAccountName
# cas.authn.spnego.name=DOMAIN.LAN
cas.authn.spnego.principal.principalAttribute=sAMAccountName
# cas.authn.spnego.principal.returnNull=false
And the section for AD :
cas.authn.ldap[1].type=AD
cas.authn.ldap[1].ldapUrl=ldap://10.0.0.1
cas.authn.ldap[1].useSsl=false
cas.authn.ldap[1].useStartTls=false
cas.authn.ldap[1].connectTimeout=5000
cas.authn.ldap[1].baseDn=DC=DOMAIN1,DC=LAN
cas.authn.ldap[1].bindDn=DOMAIN1\\mylogin
cas.authn.ldap[1].bindCredential=MyBindPassword
cas.authn.ldap[1].principalAttributeId=sAMAccountName
cas.authn.ldap[1].principalAttributePassword=unicodePwd
cas.authn.ldap[1].principalAttributeList=sAMAccountName,sn,cn,givenName,displayName,mail,memberOf
cas.authn.ldap[1].userFilter=(sAMAccountName={user})
cas.authn.ldap[1].dnFormat=%s...@MYDOMAIN1.LAN
cas.authn.ldap[1].allowMultiplePrincipalAttributeValues=true
cas.authn.ldap[1].subtreeSearch=true
cas.authn.ldap[1].usePasswordPolicy=false
cas.authn.ldap[1].failFast=false
When my users login manually from CAS, attributes from AD are correctly retrieved and pass to my webapp. But with SPNEGO automatic login, i don't see on cas.log the attributes and my webapp (nextcloud) don't update user information (displayName, mail, memberOf). I don't see any row on apereo documentation who permit retrieve attributes from SPNEGO... Maybe I does create a service file specially for SPNEGO..?
If you have any idea :)
Thanks at all ;)
SPENGO section from cas.properties :
cas.authn.spnego.kerberosConf=file:/etc/krb5.conf
cas.authn.spnego.mixedModeAuthentication=true
cas.authn.spnego.cachePolicy=600
cas.authn.spnego.timeout=300000
cas.authn.spnego.jcifsServicePrincipal=HTTP/authentificati...@DOMAIN.LAN
cas.authn.spnego.jcifsServicePassword=MyPassWord
cas.authn.spnego.loginConf=file:/etc/cas/config/login.conf
cas.authn.spnego.ntlmAllowed=false
cas.authn.spnego.supportedBrowsers=MSIE,Trident,Firefox,AppleWebKit
cas.authn.spnego.hostNameClientActionStrategy=baseSpnegoClientAction
cas.authn.spnego.kerberosKdc=192.168.0.1
cas.authn.spnego.ipsToCheckPattern=10.+
cas.authn.spnego.kerberosDebug=true
cas.authn.spnego.kerberosRealm=DOMAIN.LAN
cas.authn.spnego.send401OnAuthenticationFailure=true
# cas.authn.spnego.jcifsNetbiosWins=
# cas.authn.spnego.hostNamePatternString=.+
# cas.authn.spnego.jcifsUsername=
# cas.authn.spnego.useSubjectCredsOnly=false
# cas.authn.spnego.jcifsDomainController=
# cas.authn.spnego.dnsTimeout=2000
# cas.authn.spnego.alternativeRemoteHostAttribute=alternateRemoteHeader
# cas.authn.spnego.jcifsDomain=
# cas.authn.spnego.ntlm=false
cas.authn.spnego.principalWithDomainName=false
# cas.authn.spnego.jcifsPassword=
cas.authn.spnego.spnegoAttributeName=sAMAccountName
# cas.authn.spnego.name=DOMAIN.LAN
cas.authn.spnego.principal.principalAttribute=sAMAccountName
# cas.authn.spnego.principal.returnNull=false
And the section for AD :
cas.authn.ldap[1].type=AD
cas.authn.ldap[1].ldapUrl=ldap://10.0.0.1
cas.authn.ldap[1].useSsl=false
cas.authn.ldap[1].useStartTls=false
cas.authn.ldap[1].connectTimeout=5000
cas.authn.ldap[1].baseDn=DC=DOMAIN1,DC=LAN
cas.authn.ldap[1].bindDn=DOMAIN1\\mylogin
cas.authn.ldap[1].bindCredential=MyBindPassword
cas.authn.ldap[1].principalAttributeId=sAMAccountName
cas.authn.ldap[1].principalAttributePassword=unicodePwd
cas.authn.ldap[1].principalAttributeList=sAMAccountName,sn,cn,givenName,displayName,mail,memberOf
cas.authn.ldap[1].userFilter=(sAMAccountName={user})
cas.authn.ldap[1].dnFormat=%s...@MYDOMAIN1.LAN
cas.authn.ldap[1].allowMultiplePrincipalAttributeValues=true
cas.authn.ldap[1].subtreeSearch=true
cas.authn.ldap[1].usePasswordPolicy=false
cas.authn.ldap[1].failFast=false
Fabrice Bacchella
Aug 27, 2019, 11:50:48 AM8/27/19
to CAS Community
It works for me with the following setup, in CAS6:
spnego:
name: Kerberos
order: 0
mixedModeAuthentication: true
supportedBrowsers: "MSIE,Trident,Firefox,AppleWebKit,curl"
ipsToCheckPattern: .*
principal:
principalAttribute: "sAMAccountName"
system:
kerberosConf: "file:/data/cas/conf/krb5.conf"
loginConf: "file:/data/cas/conf/login.conf"
kerberosDebug: false
properties:
-
jcifsServicePrincipal: "HTTP/host@REALM"
attributeRepository:
ldap:
-
name: AdRealm
# workaroud for https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8217606
providerClass: org.ldaptive.provider.unboundid.UnboundIDProvider
ldapUrl: ldaps://ldap.realm.com
bindDn: "serviceAccount"
baseDn: ou=...,DC=...
searchFilter: "sAMAccountName={user}"
trustCertificates: "file:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
attributes:
displayName: name
givenName: firstName
sn: lastName
ou: ou
uid: uid
mail: mail
sAMAccountName: sAMAccountName
...
personDirectory:
principalAttribute: "sAMAccountName"
useExistingPrincipalId: true
principalResolutionFailureFatal: true
I'm not sure about personDirectory. The documentation about that feature is a (bad) joke, so I never quit understood what those arguments do.
And I have an application-secrets.yml to store secrets:
cas:
authn:
attributeRepository:
ldap:
- bindCredential: "SomeCredentials"
Le 22 août 2019 à 12:30, Sparadrus (FR) <spar...@gmail.com> a écrit :NOTICE : The sender of this email is external to 3DS. Be wary of the content and do not open unexpected attachments or links.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/6b211705-5ccd-496a-88f3-5637344f5604%40apereo.org.
Sparadrus (FR)
Aug 28, 2019, 4:22:03 AM8/28/19
to CAS Community
Merci Fabrice ! I’ll test this when I have some time. In fact, it seemed to me appropriate to declare an Attribute Repository for the recovery of attributes by Kerberos. On the other hand, I have 3 Active Directory domains connected in triangle (federating/admin domain with 2 domains delegated) so I think I will cry. I’ll make a feedback, I promise!
Thank you again!!
cas.authn.ldap[1].dnFor...@MYDOMAIN1.LAN
cas.authn.ldap[1].allowMultiplePrincipalAttributeValues=true
cas.authn.ldap[1].subtreeSearch=true
cas.authn.ldap[1].usePasswordPolicy=false
cas.authn.ldap[1].failFast=false
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-...@apereo.org.
Reply all
Reply to author
Forward
0 new messages