Hello All,
Can't get YubiKey MFA authentication working with LDAP (AD). It looks like I am missing some configuration parameter, but I do not see which one...
LDAP authentication itself is working. But whatever I do to add the YubiKey, it does not even ask for it during the login process... I would expect a second page with a YubiKey OTP field, but nothing happens.
CAS is built with the following dependencies:
<dependencies>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-webapp</artifactId>
        <version>${cas.version}</version>
        <type>war</type>
        <scope>runtime</scope>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-yubikey</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-ldap</artifactId>
        <version>${cas.version}</version>
    </dependency>
</dependencies>
cas.properties:
cas.server.name: https://login.example.com
cas.server.prefix: https://login.example.com/cas
cas.adminPagesSecurity.ip=127\.0\.0\.1
logging.config: file:/etc/cas/config/log4j2.xml
cas.authn.policy.all.enabled=true
cas.authn.accept.users=
#MFA
cas.authn.mfa.globalProviderId=mfa-yubikey
cas.authn.mfa.requestParameter=authn_method
cas.authn.mfa.globalFailureMode=CLOSED
#YUBIKEY
cas.authn.mfa.yubikey.clientId=1
cas.authn.mfa.yubikey.secretKey=<HASH=>
cas.authn.mfa.yubikey.rank=0
cas.authn.mfa.yubikey.apiUrls=https://yubi.example.com/wsapi/2.0/verify
cas.authn.mfa.yubikey.trustedDeviceEnabled=true
#LDAP/AD
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://<LDAP_IP>
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].baseDn=<BASE_DN>
cas.authn.ldap[0].userFilter=sAMAccountName={user}
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].bindDn=<BIND_DN>
cas.authn.ldap[0].bindCredential=*********
cas.authn.ldap[0].dnFormat=<FORMAT_STRING>
cas.authn.ldap[0].principalAttributeId=sAMAccountName
cas.authn.ldap[0].principalAttributePassword=
cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
cas.authn.ldap[0].minPoolSize=3
cas.authn.ldap[0].maxPoolSize=10
cas.authn.ldap[0].validateOnCheckout=true
cas.authn.ldap[0].validatePeriodically=true
cas.authn.ldap[0].validatePeriod=600
cas.authn.ldap[0].failFast=true
cas.authn.ldap[0].idleTime=500
cas.authn.ldap[0].prunePeriod=600
cas.authn.ldap[0].blockWaitTime=5000
The application also logs something about YubiKeyAccountRegistry:
<No YubiKey account registry is defined. All credentials are considered eligible for YubiKey authentication. Consider providing an account registry via [org.apereo.cas.adaptors.yubikey.YubiKeyAccountRegistry]>
But I cannot find any documentation explaining how to configure this feature...
Any help appreciated.
Dimitri
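Added example, not from the post above and not CAS project code: a small stand-alone model of the two pieces the cas.properties in the post relies on. The first is a YubiKey account registry, the thing the logged message says is missing: a mapping from a user to the public IDs of the YubiKeys that user registered, so that a valid OTP from some other key is not accepted for that user. The second is the YubiKey validation protocol 2.0 exchange that the clientId, secretKey and apiUrls settings feed: a client query signed with HMAC-SHA1 over the sorted parameters, and a key=value response whose signature, status, OTP and nonce the client must check before trusting it. Every username, public ID, secret key, nonce and OTP below is a constructed sample value, and simulate_server_response is a constructed stand-in for the verify endpoint, not a real YubiCloud server.

```python
"""Model of a YubiKey account registry and of the validation protocol 2.0
request/response pair. Constructed example; all values are made up."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

MODHEX = "cbdefghijklnrtuv"   # YubiKey OTPs use this 16-letter alphabet
OTP_LEN = 44                  # 12-char public ID + 32-char encrypted block
PUBLIC_ID_LEN = 12

# Constructed shared secret, base64 encoded the way the validation service hands it out.
SECRET_KEY_B64 = base64.b64encode(b"constructed-secret-key-1").decode()
CLIENT_ID = 1
SAMPLE_OTP = "cccccccccccb" + "cbdefghijklnrtuv" * 2   # constructed, 44 modhex chars

# Constructed account registry: username -> set of registered public IDs.
REGISTRY = {"dimitri": {"cccccccccccb"}, "alice": {"ccccccccdefg"}}


def public_id_of(otp: str) -> str:
    """Return the public-ID prefix of a well-formed OTP; raise ValueError otherwise."""
    if len(otp) != OTP_LEN or any(c not in MODHEX for c in otp):
        raise ValueError("not a well-formed YubiKey OTP")
    return otp[:PUBLIC_ID_LEN]


def is_registered(uid: str, otp: str) -> bool:
    """Registry check: does the key that produced this OTP belong to uid?
    Without a registry, any valid OTP from any key is accepted for any user."""
    try:
        pid = public_id_of(otp)
    except ValueError:
        return False
    return pid in REGISTRY.get(uid, set())


def sign(secret_key_b64: str, params: dict) -> str:
    """HMAC-SHA1 over 'k=v' pairs sorted by key and joined with '&', base64 encoded.
    The same rule covers requests and responses; the 'h' field itself is excluded."""
    key = base64.b64decode(secret_key_b64)
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()


def build_verify_query(otp: str, nonce: str = "") -> str:
    """Client side: the query string sent to .../wsapi/2.0/verify."""
    params = {"id": str(CLIENT_ID), "otp": otp, "nonce": nonce or secrets.token_hex(16)}
    params["h"] = sign(SECRET_KEY_B64, params)
    return urlencode(params)


def simulate_server_response(query: str) -> str:
    """Server side (constructed stand-in): verify the request signature, then
    answer with a signed key=value body that echoes the OTP and nonce."""
    req = {k: v[0] for k, v in parse_qs(query).items()}
    good = hmac.compare_digest(req.get("h", ""), sign(SECRET_KEY_B64, req))
    resp = {"otp": req.get("otp", ""), "nonce": req.get("nonce", ""),
            "t": "2024-01-01T00:00:00Z0000", "status": "OK" if good else "BAD_SIGNATURE",
            "sl": "100"}
    resp["h"] = sign(SECRET_KEY_B64, resp)
    return "\r\n".join(f"{k}={v}" for k, v in resp.items()) + "\r\n"


def parse_response(body: str) -> dict:
    """Split the key=value lines of a verify response into a dict."""
    fields = {}
    for line in body.splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            fields[k.strip()] = v.strip()
    return fields


def response_is_valid(body: str, expected_otp: str, expected_nonce: str) -> bool:
    """Client side: accept only a correctly signed OK answer that echoes our own
    OTP and nonce, so a forged or replayed answer for another request is rejected."""
    f = parse_response(body)
    if "h" not in f or not hmac.compare_digest(f["h"], sign(SECRET_KEY_B64, f)):
        return False
    return (f.get("status") == "OK" and f.get("otp") == expected_otp
            and f.get("nonce") == expected_nonce)


if __name__ == "__main__":
    nonce = secrets.token_hex(16)
    body = simulate_server_response(build_verify_query(SAMPLE_OTP, nonce))
    print("registered for dimitri:", is_registered("dimitri", SAMPLE_OTP))
    print("verify response accepted:", response_is_valid(body, SAMPLE_OTP, nonce))
```

The point of the registry half is the one the logged message makes: an OTP only proves that some YubiKey was pressed, and it is the user-to-public-ID mapping that ties that key to the account being logged in. The protocol half shows why the response check has to cover the nonce and OTP as well as the signature: a signed OK answer for a different request is still a signed OK answer.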