CAS + simple LDAP authorization


Bartosz Nitkiewicz

Mar 2, 2021, 3:42:59 AM3/2/21
to CAS Community
Hello.
I need your help. I'm trying to use CAS as an authentication service for some of my applications. The user names and passwords are stored in an AD (LDAP) server. I can't make CAS authenticate users through LDAP. I have read all the documentation and this ML, found some configs and tried almost everything. Could someone look at my simple cas.properties and tell me if it looks ok?

cas.server.name: https://localhost:8443
cas.server.prefix: ${cas.server.name}/cas

cas.authn.accept.enabled=false

cas.authn.policy.any.try-all=false
cas.authn.policy.any.enabled=true

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldap-url=ldaps://ldpadomainname.org
cas.authn.ldap[0].base-dn=OU=TEST,dc=test,dc=test,dc=test,dc=org
cas.authn.ldap[0].subtree-search=true

cas.authn.ldap[0].searchFilter=(&(objectclass=*)(sAMAccountName={user}))

cas.authn.ldap[0].bind-dn=cn=testaccount,cn=group,dc=test,dc=test,dc=test,dc=com
cas.authn.ldap[0].bind-credential=password

cas.authn.ldap[0].keystore=file:/etc/cas/config/thekeystore
cas.authn.ldap[0].keystorePassword=asd123456
cas.authn.ldap[0].keystoreType=PKCS12

ldapsearch from the command line works fine. I can filter the LDAP tree to find the proper username.

Thanks in advance.

Jérôme LELEU

Mar 2, 2021, 3:57:10 AM3/2/21
to CAS Community
Hi,

For the AD LDAP, your type property should be AD:

cas.authn.ldap[0].type=AD

Thanks.
Best regards,
Jérôme



--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/88e9b773-d5df-4b8f-ae1e-4b299840d479n%40apereo.org.

Bartosz Nitkiewicz

Mar 2, 2021, 4:01:33 AM3/2/21
to CAS Community, leleuj
Checked. Doesn't work either :(

Bartosz Nitkiewicz

Mar 2, 2021, 4:07:00 AM3/2/21
to CAS Community, Bartosz Nitkiewicz, leleuj
One more thing. This is a CAS instance running in a docker container, but it shouldn't make any difference. After trying to log in with LDAP credentials I have:

>
2021-03-02 09:03:22,128 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: 1233412
WHAT: Supplied credentials: [UsernamePasswordCredential(username=1233412, source=null, customFields={})]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Tue Mar 02 09:03:22 GMT 2021
CLIENT IP ADDRESS: IP
SERVER IP ADDRESS: IP
=============================================================

>
2021-03-02 09:03:22,129 WARN [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - <0 errors, 0 successes>

Jérôme LELEU

Mar 2, 2021, 4:09:05 AM3/2/21
to Bartosz Nitkiewicz, CAS Community
Hi,

I checked an AD configuration I have and there is also a cas.authn.ldap[0].dn-format property I don't see in your configuration.
Thanks.
Best regards,
Jérôme

Bartosz Nitkiewicz

Mar 2, 2021, 4:13:17 AM3/2/21
to CAS Community, leleuj, CAS Community, Bartosz Nitkiewicz
Could you please tell me how it should look?

Jérôme LELEU

Mar 2, 2021, 5:30:16 AM3/2/21
to Bartosz Nitkiewicz, CAS Community
Hi,

It looks like: cas.authn.ldap[0].dn-format: '%s@domain'
Thanks.
Best regards,
Jérôme
 

Bartosz Nitkiewicz

Mar 2, 2021, 6:26:19 AM3/2/21
to CAS Community, leleuj, CAS Community, Bartosz Nitkiewicz
No success. I'm wondering if this config file is enough for proper LDAP authentication. One thing I want is to enter user name and password and then CAS msg logged in.

Kink

Mar 2, 2021, 8:34:00 AM3/2/21
to CAS Community, Bartosz Nitkiewicz, leleuj, CAS Community
Hi Bartosz,

I use simple ldap against an ApacheDS, it works well.
CAS is a marvellous thing, but a highly sensitive one; you may want to verify you have no white space at the end of lines in your config file.
I ran into that issue once which drove me crazy.

Also, I assume you compiled your CAS war including
compile "org.apereo.cas:cas-server-support-ldap:${casServerVersion}"
in the dependencies.

If I were you I would also make the search filter even simpler by removing the wild card. I know it sounds dull, but with CAS you've got to start small (X_X).
Basically, do not assume that a working ldap search request ran using an LDAP tool will always be interpreted correctly inside CAS, that is not my experience but this could be due to bugs on the versions of CAS I have been using.

Doesn't the full report of the startup give you any hint?

Cheers,
Pierre

Bartosz Nitkiewicz

Mar 2, 2021, 9:35:52 AM3/2/21
to CAS Community, Kink, Bartosz Nitkiewicz, leleuj, CAS Community
Pierre,
Thanks for reply. What do you mean?

"Also, I assume you compiled your CAS war including
compile "org.apereo.cas:cas-server-support-ldap:${casServerVersion}"
in the dependencies."

Aren't those dependencies automatically compiled depending on the cas.properties entries?
Where should I add "org.apereo.cas:cas-server-support-ldap:${casServerVersion}" entry?
BN

Bartosz Nitkiewicz

Mar 2, 2021, 10:47:59 AM3/2/21
to CAS Community, Kink, leleuj
I found it. I didn't add the LDAP dependency to build.gradle.


CAS + LDAP finally working. Thank you for help.
Bartosz Nitkiewicz

2 mar 2021 15:36:09 Bartosz Nitkiewicz <bar...@nitkiewicz.eu>:

Kink

Mar 2, 2021, 11:38:39 AM3/2/21
to CAS Community, Bartosz Nitkiewicz, Kink, leleuj
As you have probably figured out by now, you decide which dependencies you would like to add. The property file is just there to feed whatever is running, and, of course, it breaks when it lacks something vital for the configuration.

Glad I could help with my little CAS knowledge! Without forgetting Jérôme's help of course.
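The three pitfalls this thread ran into (trailing whitespace in cas.properties, `type=AD` without a `dn-format`, and the `cas-server-support-ldap` module missing from build.gradle) can be caught before a CAS restart. The script below is an added example written for this page, not CAS code or anything from the posters; its sample properties and gradle snippet are constructed, and `audit_ldap_config`/`parse_properties` are hypothetical helper names.

```python
import re

# Constructed sample inputs (not taken from the thread): a cas.properties with
# the mistakes discussed above and a build.gradle lacking the LDAP module.
SAMPLE_PROPERTIES = (
    "cas.authn.ldap[0].type=AD\n"
    "cas.authn.ldap[0].ldap-url=ldaps://ldap.example.org \n"   # trailing space
    "cas.authn.ldap[0].base-dn=OU=TEST,dc=example,dc=org\n"
    "cas.authn.ldap[0].search-filter=(sAMAccountName={user})\n"
)
SAMPLE_GRADLE = (
    "dependencies {\n"
    '    compile "org.apereo.cas:cas-server-core:${casServerVersion}"\n'
    "}\n"
)


def parse_properties(text):
    """Return (props, warnings): parsed key/value pairs plus one warning per
    line ending in whitespace, since that whitespace ends up inside the value."""
    props, warnings = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        if raw != raw.rstrip():
            warnings.append(f"line {n}: trailing whitespace will become part of the value")
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Accept both 'key=value' and 'key: value' forms used in the thread.
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props, warnings


def audit_ldap_config(properties_text, gradle_text):
    """Apply the thread's three checks; return a list of finding strings."""
    props, findings = parse_properties(properties_text)
    blocks = set()
    for key in props:
        m = re.match(r"(cas\.authn\.ldap\[\d+\])\.", key)
        if m:
            blocks.add(m.group(1))
    for prefix in sorted(blocks):
        # Jérôme's AD configuration carries a dn-format such as '%s@domain'.
        if props.get(f"{prefix}.type") == "AD" and f"{prefix}.dn-format" not in props:
            findings.append(f"{prefix}.type=AD but {prefix}.dn-format is missing (e.g. '%s@domain')")
    # Without the module in build.gradle the ldap properties feed nothing.
    if blocks and "cas-server-support-ldap" not in gradle_text:
        findings.append("build.gradle lacks org.apereo.cas:cas-server-support-ldap")
    return findings
```

Run `audit_ldap_config(open("cas.properties").read(), open("build.gradle").read())` against a real overlay to get the list of findings.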