Use mail attribute and uid for ldap login CAS 5.2.1


Benjamin K

Jul 16, 2018, 8:32:34 AM
to CAS Community

Dear all,

I currently can't manage to enable my CAS login with either username or email address.

Username works perfectly, but if I enter an email address, it seems to build the wrong DN:

Working with CAS 5.2.1

My LDAP settings are:

cas.authn.ldap[0].type=DIRECT
cas.authn.ldap[0].ldapUrl=ldap://localhost
cas.authn.ldap[0].connectionStrategy=DEFAULT
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].subtreeSearch=true

#
# Bind credentials used to connect to the LDAP instance
#
cas.authn.ldap[0].bindDn=cn=admin,dc=winterhalter,dc=biz
cas.authn.ldap[0].bindCredential=MYSECRETPASSWORD

# BaseDn used to start the LDAP search looking for accounts
cas.authn.ldap[0].baseDn=ou=ExtranetUser,dc=winterhalter,dc=biz

# The search filter to use while looking for accounts.
cas.authn.ldap[0].userFilter=(|(uid={user})(mail={user}))

cas.authn.ldap[0].principalAttributeId=uid
cas.authn.ldap[0].principalAttributeList=uid,mail

cas.authn.ldap[0].principalAttributePassword=userPassword
cas.authn.ldap[0].enhanceWithEntryResolver=true

What am I missing? Help would be appreciated!

Thank you,

Benjamin

William E.

Jul 17, 2018, 9:25:53 AM
to CAS Community
Maybe try a different auth type?

cas.authn.ldap[0].type=AUTHENTICATED


Can't seem to find the doc page, but the source:

* The authentication type.
* <ul>
* <li>AD - Users authenticate with sAMAccountName. </li>
* <li>AUTHENTICATED - Manager bind/search</li>
* <li>ANONYMOUS</li>
* <li>DIRECT: Direct Bind - Compute user DN from format string and perform simple bind.
* This is relevant when no search is required to compute the DN needed for a bind operation.
* Use cases for this type are:
* 1) All users are under a single branch in the directory, {@code e.g. ou=Users,dc=example,dc=org.}
* 2) The username provided on the CAS login form is part of the DN, e.g.
* {@code uid=%s,ou=Users,dc=example,dc=org}.</li>
* </ul>

William E.

Jul 17, 2018, 9:31:09 AM
to CAS Community
Of course, found it just after I posted.


The following authentication types are supported:

Type           Description
AD             Active Directory - Users authenticate with sAMAccountName, typically using a DN format.
AUTHENTICATED  Manager bind/search type of authentication. If principalAttributePassword is empty then a user simple bind is done to validate credentials. Otherwise the given attribute is compared with the given principalAttributePassword using the SHA encrypted value of it.
DIRECT         Compute user DN from a format string and perform simple bind. This is relevant when no search is required to compute the DN needed for a bind operation. This option is useful when all users are under a single branch in the directory, e.g. ou=Users,dc=example,dc=org, or the username provided on the CAS login form is part of the DN, e.g. uid=%s,ou=Users,dc=example,dc=org
ANONYMOUS      Similar semantics as AUTHENTICATED except no bindDn and bindCredential may be specified to initialize the connection. If principalAttributePassword is empty then a user simple bind is done to validate credentials. Otherwise the given attribute is compared with the given principalAttributePassword using the SHA encrypted value of it.
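The difference between the two types that William points at is the root of the original problem: with DIRECT the userFilter is never used to find the account, because the bind DN is built from a format string and the login name is pasted straight into it, so an email address produces a DN that does not exist. AUTHENTICATED first binds as the manager account, runs userFilter (here with both uid and mail clauses), and only then binds as the DN it found. The following simulation, added here as an illustration and not CAS or ldaptive code, models both flows against a small in-memory directory; the directory contents, dnFormat string and the tiny filter evaluator are constructed for the example.

```python
"""Simulate CAS DN resolution for the DIRECT and AUTHENTICATED LDAP types.

Added example, not CAS code. The directory, DN_FORMAT and the filter
evaluator are constructed; a real deployment lets the LDAP server do
the search and the password check.
"""
import re
from typing import Dict, List, Optional

# Constructed in-memory directory: DN -> attributes. Passwords are kept in
# clear text only to make the simulation self-contained.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "uid=bkoch,ou=ExtranetUser,dc=example,dc=org": {
        "uid": "bkoch",
        "mail": "benjamin@example.org",
        "userPassword": "correct horse",
    },
    "uid=jdoe,ou=ExtranetUser,dc=example,dc=org": {
        "uid": "jdoe",
        "mail": "jdoe@example.org",
        "userPassword": "hunter2",
    },
}

BASE_DN = "ou=ExtranetUser,dc=example,dc=org"
USER_FILTER = "(|(uid={user})(mail={user}))"            # filter from the question
DN_FORMAT = "uid=%s,ou=ExtranetUser,dc=example,dc=org"  # assumed dnFormat for DIRECT


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so the login name cannot change the filter structure."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def _matches(attrs: Dict[str, str], clause: str) -> bool:
    """Evaluate one (attr=value) equality clause against an entry."""
    attr, _, value = clause[1:-1].partition("=")
    return attrs.get(attr) == value


def search(base_dn: str, ldap_filter: str) -> List[str]:
    """Minimal evaluator for filters shaped like (|(a=v)(b=v)) or (a=v)."""
    clauses = re.findall(r"\([^()|]+\)", ldap_filter)
    return [
        dn for dn, attrs in DIRECTORY.items()
        if dn.endswith(base_dn) and any(_matches(attrs, c) for c in clauses)
    ]


def simple_bind(dn: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind: the DN must exist and the password match."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["userPassword"] == password


def resolve_direct(login: str) -> str:
    """DIRECT: no search at all; the DN is computed from the format string."""
    return DN_FORMAT % login


def resolve_authenticated(login: str) -> Optional[str]:
    """AUTHENTICATED: manager bind (assumed to succeed), then search with userFilter."""
    ldap_filter = USER_FILTER.replace("{user}", escape_filter_value(login))
    found = search(BASE_DN, ldap_filter)
    # Zero or several hits must fail: never bind as an arbitrary first match.
    return found[0] if len(found) == 1 else None


def authenticate(auth_type: str, login: str, password: str) -> bool:
    """Resolve the bind DN according to auth_type, then perform the user bind."""
    if auth_type == "DIRECT":
        dn: Optional[str] = resolve_direct(login)
    else:
        dn = resolve_authenticated(login)
    return dn is not None and simple_bind(dn, password)


if __name__ == "__main__":
    for t in ("DIRECT", "AUTHENTICATED"):
        for login in ("bkoch", "benjamin@example.org"):
            print(t, login, authenticate(t, login, "correct horse"))
```

Running the block shows DIRECT accepting the uid but rejecting the email address (it tries to bind as uid=benjamin@example.org,ou=ExtranetUser,...), while AUTHENTICATED accepts both because the search filter matches either attribute. Two details worth keeping in a real setup: the login value is escaped before it is substituted into the filter, and a search that returns zero or more than one entry is treated as a failed login rather than binding as whichever entry came back first.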