CAS 5.0.0 with Active Directory Authentication


mohammad almodallal

Dec 12, 2016, 2:19:01 AM
to CAS Community
Hello,

Should we use the deployerConfigContext.xml in CAS 5.0.0 to integrate with Active Directory?

Thanks.

Philippe MARASSE

Dec 12, 2016, 4:01:20 AM
to cas-...@apereo.org
Hello,

No, it's neither required nor recommended with this version of CAS.

Regards
--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b613c270-c10a-44c5-ba96-de42a546f57f%40apereo.org.

-- 
Philippe MARASSE

Responsable pôle Infrastructures - DSIO
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Cœur 
86021 Poitiers Cedex
Tel : 05.49.44.57.19

mohammad almodallal

Dec 12, 2016, 5:10:24 AM
to CAS Community, philippe...@ch-poitiers.fr
Hello Philippe,

Also, I've already configured cas.properties and am still getting the following logs for authentication:

er.support.HttpBasedServiceCredentialsAuthenticationHandler@6537e53c, org.apereo.cas.authentication.AcceptUsersAuthenticationHandler@594da5db]>
2016-12-12 13:01:13,716 DEBUG [org.apereo.cas.authentication.AcceptUsersAuthenticationHandler] - <testuser was not found in the map.>
2016-12-12 13:01:13,718 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <AcceptUsersAuthenticationHandler failed authenticating testuser>
2016-12-12 13:01:13,719 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <AcceptUsersAuthenticationHandler exception details: testuser not found in backing map.>
2016-12-12 13:01:13,721 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [testuser] of type [UsernamePasswordCredential], which suggests a configuration problem.>
2016-12-12 13:01:13,722 DEBUG [org.apereo.cas.audit.spi.ThreadLocalPrincipalResolver] - <Resolving principal at audit point [execution(Authentication org.apereo.cas.authentication.AbstractAuthenticationManager.authenticate(AuthenticationTransaction))] with thrown exception [org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 successes]>

Thanks.

On Monday, December 12, 2016 at 12:58:08 PM UTC+3, mohammad almodallal wrote:
Hello Philippe,

So how can we configure the LDAP authentication handler?

Thanks.

Philippe MARASSE

Dec 12, 2016, 6:11:50 AM
to mohammad almodallal, CAS Community
Hello,

The reference documentation is https://apereo.github.io/cas/development/installation/Configuration-Properties.html#ldap

cas.authn.ldap[0].ldapUrl=ldap://ldap1.mydomain.com ldap://ldap2.mydomain.com
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider

Other parameters depend upon your AD configuration.

According to your log, it seems that LDAP support is not configured. Do you use the maven overlay method? If so, do you have a dependency section like:

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>

Regards.

mohammad almodallal

Dec 13, 2016, 4:19:59 AM
to CAS Community, mmda...@gmail.com, philippe...@ch-poitiers.fr
Hello Philippe,

The cas.properties was containing cas.authn.attributeRepository instead of cas.authn.ldap[0].
Anyway, I'm using Active Directory; does this make a difference?
For the cas-server-support-ldap, yes, it is already included.

But I still get errors like:

2016-12-13 12:14:20,367 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <AcceptUsersAuthenticationHandler failed authenticating testuser>
2016-12-13 12:14:20,368 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [testuser] of type [UsernamePasswordCredential], which suggests a configuration problem.>


Have you any idea that could help?

Thanks.


dkopy...@unicon.net

Dec 13, 2016, 5:38:08 AM
to CAS Community, mmda...@gmail.com
You want to make sure that the following property is set: cas.authn.ldap[0].type
with either one of these values: AD, AUTHENTICATED, DIRECT, ANONYMOUS, SASL

Best,
D.

mohammad almodallal

Dec 13, 2016, 5:40:46 AM
to CAS Community, mmda...@gmail.com, dkopy...@unicon.net
Already set:
cas.authn.ldap[0].type=AD

mohammad almodallal

Dec 13, 2016, 5:46:34 AM
to CAS Community, mmda...@gmail.com, dkopy...@unicon.net
Hello,

It works with cas.authn.ldap[0].type=AUTHENTICATED, not with AD.
What is the difference between them?

Thanks.

dkopy...@unicon.net

Dec 13, 2016, 5:51:46 AM
to CAS Community, mohammad almodallal, mmda...@gmail.com
Basically, a different ldaptive Authenticator implementation is instantiated under the hood, based on the value.

If you want to learn the details there are two options: a) dive deep into the CAS server code and learn it yourself; b) hire some CAS experts to do the training and explain all of this to you.

Best,
D.

mohammad almodallal

Dec 13, 2016, 6:00:27 AM
to CAS Community, mmda...@gmail.com, dkopy...@unicon.net
Thank you, but I think it needs to be documented.

Philippe MARASSE

Dec 13, 2016, 9:10:27 AM
to mohammad almodallal, CAS Community
Hello,

I don't think it makes a lot of difference, as dkopylenko said.

But have you overloaded application.properties? Your log shows AcceptUsersAuthenticationHandler, which is not related to LDAP but to the default distribution of CAS, which works out of the box with the casuser/mellon user.

Regards.

Richard Frovarp

Dec 13, 2016, 9:17:36 AM
to cas-...@apereo.org
+1

I know that documentation is a work in progress, and that patches are welcome. Right now the most difficult part of setting it up is figuring out what each configuration value is used for and how it works. In general this new configuration method is less painful than the XML method, but it does hide some of the details, which did help in figuring things out. 

mohammad almodallal

Dec 13, 2016, 2:49:24 PM
to CAS Community, mmda...@gmail.com, philippe...@ch-poitiers.fr
Hello,

Yes, but later I added (cas.authn.accept.users=).

Thanks.

mohammad almodallal

Dec 13, 2016, 2:51:16 PM
to CAS Community
Hello Richard,

Yes, and many thanks for the great efforts done.

Regards.

Hal Deadman

Dec 13, 2016, 3:58:46 PM
to CAS Community
I got authentication working against Active Directory and used type=AD. Below is the config I used in YAML format. I can't say that all the configuration is necessary, and I am not doing much at this point beyond logging in to CAS (using sAMAccountName as username).

I couldn't get spring-boot:run to work with any support dependencies (ldap, x509, etc.) until I made one maven project that builds a war using the stock overlay plus dependencies like cas-server-support-ldap, etc., and I use another maven module that overlays config and lets me run "mvn spring-boot:run" using the war built in the first project. I was having classloading issues trying to do it in one project.

cas:
  authn:
    accept.users:
    ldap:
      - type: AD
        ldapUrl: ldap://10.123.123.123:389
        useSsl: false
        useStartTls: false
        baseDn: cn=Users,dc=somedomain,dc=org
        dnFormat: '%s...@somedomain.org'
        userFilter: sAMAccountName={user}
        subtreeSearch: true
        usePasswordPolicy: false
        bindDn: some...@somedomain.org
        bindCredential: someusersP@ssw0rd
        principalAttributeId: sAMAccountName
        principalAttributePassword: unicodePwd
        principalAttributeList: sn, cn, givenName, sAMAccountName
        allowMultiplePrincipalAttributeValues: true
        additionalAttributes: memberOf
        minPoolSize: 0
        maxPoolSize: 10
        validateOnCheckout: true
        validatePeriodically: true
        validatePeriod: 600
        principalTransformation.caseConversion: LOWERCASE
        failFast: false

R Mars

Jan 25, 2017, 11:23:44 AM
to CAS Community, mmda...@gmail.com, dkopy...@unicon.net
Hello All, 

I am working through setting up a CAS server and came across this post. Since I was here, I figured I would give some background for anyone else trying to figure out how the authenticators are selected. See the class LdapAuthenticationConfiguration.ldapAuthenticationHandlers(): this processes the CAS properties and sets the authenticator.


// Picks the ldaptive Authenticator from cas.authn.ldap[n].type.
private static Authenticator getAuthenticator(final LdapAuthenticationProperties l) {
    if (l.getType() == LdapAuthenticationProperties.AuthenticationTypes.AD) {
        LOGGER.debug("Creating active directory authenticator for {}", l.getLdapUrl());
        return getActiveDirectoryAuthenticator(l);
    }
    if (l.getType() == LdapAuthenticationProperties.AuthenticationTypes.DIRECT) {
        LOGGER.debug("Creating direct-bind authenticator for {}", l.getLdapUrl());
        return getDirectBindAuthenticator(l);
    }
    if (l.getType() == LdapAuthenticationProperties.AuthenticationTypes.SASL) {
        LOGGER.debug("Creating SASL authenticator for {}", l.getLdapUrl());
        return getSaslAuthenticator(l);
    }
    if (l.getType() == LdapAuthenticationProperties.AuthenticationTypes.AUTHENTICATED) {
        LOGGER.debug("Creating authenticated authenticator for {}", l.getLdapUrl());
        return getAuthenticatedOrAnonSearchAuthenticator(l);
    }

    // Any other value (ANONYMOUS, or unset) falls through to the anonymous search authenticator.
    LOGGER.debug("Creating anonymous authenticator for {}", l.getLdapUrl());
    return getAuthenticatedOrAnonSearchAuthenticator(l);
}
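The recurring problem in this thread is a cas.authn.ldap[n] block that is present but incomplete for the type it declares, while the default AcceptUsersAuthenticationHandler keeps answering for every login. The following Python checker is an added example written for this thread; it is not CAS code and not from any of the posters. It parses properties in the form Philippe posted (Hal's YAML flattens to the same keys), dispatches on type the way the getAuthenticator() method above does, and reports missing keys, cleartext ldap:// without useSsl/useStartTls, and a placeholder bindCredential. The per-type required keys are my assumption about how CAS 5 builds each ldaptive Authenticator (AD and DIRECT bind the user through dnFormat; AUTHENTICATED searches under baseDn with userFilter using the bindDn/bindCredential account; ANONYMOUS and SASL search without one); the sample properties are constructed and the hostnames are placeholders.

```python
"""Static checker for CAS 5 cas.authn.ldap[n] properties.

Added example for this thread; it is not CAS code and not from any poster.
Assumptions, labelled: the per-type required keys encode how the thread
describes the ldaptive Authenticator chosen from ``type`` (AD and DIRECT bind
the user via ``dnFormat``; AUTHENTICATED searches under ``baseDn`` with
``userFilter`` using the ``bindDn``/``bindCredential`` account; ANONYMOUS and
SASL search without one). Verify against the CAS version you deploy.
"""
import re
from collections import defaultdict

LDAP_KEY = re.compile(r"^cas\.authn\.ldap\[(\d+)\]\.(.+)$")

# Keys each type needs besides ldapUrl (assumption, see module docstring).
REQUIRED_BY_TYPE = {
    "AD": {"dnFormat"},
    "DIRECT": {"dnFormat"},
    "AUTHENTICATED": {"baseDn", "userFilter", "bindDn", "bindCredential"},
    "ANONYMOUS": {"baseDn", "userFilter"},
    "SASL": {"baseDn", "userFilter"},
}

# Constructed sample in the shape of Philippe's and Hal's settings: the static
# casuser/mellon handler is disabled, entry [0] lacks dnFormat for type=AD and
# speaks plain ldap://, entry [1] still carries a placeholder bind password.
SAMPLE_PROPERTIES = """\
cas.authn.accept.users=
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldap://ldap1.example.org ldap://ldap2.example.org
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].baseDn=cn=Users,dc=example,dc=org
cas.authn.ldap[0].userFilter=sAMAccountName={user}
cas.authn.ldap[1].type=AUTHENTICATED
cas.authn.ldap[1].ldapUrl=ldaps://ldap1.example.org
cas.authn.ldap[1].useSsl=true
cas.authn.ldap[1].baseDn=cn=Users,dc=example,dc=org
cas.authn.ldap[1].userFilter=sAMAccountName={user}
cas.authn.ldap[1].bindDn=svc-cas@example.org
cas.authn.ldap[1].bindCredential=REPLACE_ME
"""


def parse_properties(text):
    """Parse key=value lines into (all properties, {index: {key: value}} for ldap[n])."""
    flat, ldap = {}, defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")  # first '=' only: a baseDn value contains more
        key, value = key.strip(), value.strip()
        flat[key] = value
        match = LDAP_KEY.match(key)
        if match:
            ldap[int(match.group(1))][match.group(2)] = value
    return flat, dict(ldap)


def _is_true(props, key):
    return props.get(key, "false").strip().lower() == "true"


def check_ldap_config(text):
    """Return [(severity, message)] findings; an empty list means nothing to report."""
    findings = []
    flat, ldap = parse_properties(text)
    if not ldap:
        findings.append(("ERROR", "no cas.authn.ldap[n] properties: only the default "
                                  "AcceptUsersAuthenticationHandler would run"))
    if "cas.authn.accept.users" not in flat:
        findings.append(("WARN", "cas.authn.accept.users is not set, so the static "
                                 "casuser/mellon handler stays enabled"))
    elif flat["cas.authn.accept.users"]:
        findings.append(("WARN", "cas.authn.accept.users still lists static users next to LDAP"))
    for idx, props in sorted(ldap.items()):
        prefix = f"cas.authn.ldap[{idx}]"
        ltype = props.get("type")
        if ltype not in REQUIRED_BY_TYPE:
            findings.append(("ERROR", f"{prefix}.type must be one of "
                                      f"{sorted(REQUIRED_BY_TYPE)}, got {ltype!r}"))
            continue
        if "ldapUrl" not in props:
            findings.append(("ERROR", f"{prefix}.ldapUrl is missing"))
        for missing in sorted(REQUIRED_BY_TYPE[ltype] - set(props)):
            findings.append(("ERROR", f"{prefix}.{missing} is required for type={ltype}"))
        # Bind passwords travel in the clear unless the URL is ldaps:// or TLS is enabled.
        plain = any(u.startswith("ldap://") for u in props.get("ldapUrl", "").split())
        if plain and not (_is_true(props, "useSsl") or _is_true(props, "useStartTls")):
            findings.append(("WARN", f"{prefix}: ldap:// without useSsl/useStartTls "
                                     "sends bind passwords in cleartext"))
        if props.get("bindCredential") in ("", "REPLACE_ME"):
            findings.append(("WARN", f"{prefix}.bindCredential is a placeholder"))
    return findings


if __name__ == "__main__":
    for severity, message in check_ldap_config(SAMPLE_PROPERTIES):
        print(f"{severity}: {message}")
```

Run it against your own cas.properties by passing the file contents to check_ldap_config(); on the constructed sample it reports the missing dnFormat for entry [0], the cleartext ldap:// on entry [0], and the placeholder bindCredential on entry [1]. Extra keys such as Hal's pool and validation settings are ignored rather than flagged.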