Help with LDAP auth


Марат Бралиев

Mar 13, 2018, 7:39:05 AM3/13/18
to CAS Community
I need to check the user's password and membership of a specific group:

I have CAS 5.2.* 

My config file:

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://example.com
cas.authn.ldap[0].useSsl=false

cas.authn.ldap[0].bindDn=cn=portal_manager,ou=System Accounts,dc=example,dc=com
cas.authn.ldap[0].bindCredential=***********
cas.authn.ldap[0].baseDn=DC=example,DC=com
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].userFilter=(&(objectCategory=Person)(sAMAccountName={user})(memberOf=CN=SpecificGroupName,OU=Groups,OU=Company,DC=example,DC=com))

cas.authn.ldap[0].usePasswordPolicy=false

cas.authn.ldap[0].principalAttributeId=sAMAccountName
cas.authn.ldap[0].principalAttributePassword=
cas.authn.ldap[0].principalAttributeList=displayName,commonName,email,memberOf
cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true

When I create an auth request, CAS responds with an error:

2018-03-13 17:34:38,515 DEBUG [org.ldaptive.SearchOperation] - <execute request=[org.ldaptive.SearchRequest@-384810870::baseDn=DC=hq,DC=bc, searchFilter=[org.ldaptive.SearchFilter@-1831897358::filter=(&(objectCategory=Person)(sAMAccountName={user})(memberOf=CN=ManagersPortal,OU=Groups,OU=БАНК,DC=hq,DC=bc)), parameters={context=null, user=braliyev_30424}], returnAttributes=[1.1], searchScope=SUBTREE, timeLimit=PT0S, sizeLimit=0, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, referralHandler=null, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1004112938::config=[org.ldaptive.ConnectionConfig@1791270211::ldapUrl=ldap://hq.bc, connectTimeout=PT5S, responseTimeout=PT5S, sslConfig=[org.ldaptive.ssl.SslConfig@887019403::credentialConfig=null, trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@727124254::bindDn=cn=kaspi_portal,ou=System Accounts,dc=hq,dc=bc, bindSaslConfig=null, bindControls=null], connectionStrategy=org.ldaptive.DefaultConnectionStrategy@1e7a75fd], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@2104222132::metadata=[ldapUrl=ldap://hq.bc, count=1], environment={com.sun.jndi.ldap.connect.timeout=5000, java.naming.ldap.version=3, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, com.sun.jndi.ldap.read.timeout=5000}, classLoader=null, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@334577122::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor@29c0c417, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, 
SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], classLoader=null, sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@6368ec02]>
2018-03-13 17:34:38,521 DEBUG [org.ldaptive.SearchOperation] - <execute response=[org.ldaptive.Response@626954816::result=[org.ldaptive.SearchResult@-1662255094::entries=[], references=[[org.ldaptive.SearchReference@74822743::referralUrls=[ldap://DomainDnsZones.hq.bc/DC=DomainDnsZones,DC=hq,DC=bc], responseControls=null, messageId=-1, referenceResponse=null], [org.ldaptive.SearchReference@-526386759::referralUrls=[ldap://hq.bc/CN=Configuration,DC=hq,DC=bc], responseControls=null, messageId=-1, referenceResponse=null], [org.ldaptive.SearchReference@-1214994231::referralUrls=[ldap://ForestDnsZones.hq.bc/DC=ForestDnsZones,DC=hq,DC=bc], responseControls=null, messageId=-1, referenceResponse=null]]], resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1] for request=[org.ldaptive.SearchRequest@-384810870::baseDn=DC=hq,DC=bc, searchFilter=[org.ldaptive.SearchFilter@-1831897358::filter=(&(objectCategory=Person)(sAMAccountName={user})(memberOf=CN=ManagersPortal,OU=Groups,OU=БАНК,DC=hq,DC=bc)), parameters={context=null, user=braliyev_30424}], returnAttributes=[1.1], searchScope=SUBTREE, timeLimit=PT0S, sizeLimit=0, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, referralHandler=null, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1004112938::config=[org.ldaptive.ConnectionConfig@1791270211::ldapUrl=ldap://hq.bc, connectTimeout=PT5S, responseTimeout=PT5S, sslConfig=[org.ldaptive.ssl.SslConfig@887019403::credentialConfig=null, trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@727124254::bindDn=cn=kaspi_portal,ou=System Accounts,dc=hq,dc=bc, bindSaslConfig=null, 
bindControls=null], connectionStrategy=org.ldaptive.DefaultConnectionStrategy@1e7a75fd], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@2104222132::metadata=[ldapUrl=ldap://hq.bc, count=1], environment={com.sun.jndi.ldap.connect.timeout=5000, java.naming.ldap.version=3, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, com.sun.jndi.ldap.read.timeout=5000}, classLoader=null, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@334577122::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor@29c0c417, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], classLoader=null, sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@6368ec02]>

2018-03-13 17:34:38,526 INFO [org.ldaptive.auth.PooledSearchDnResolver] - <search for user=[org.ldaptive.auth.User@1756715488::identifier=braliyev_30424, context=null] failed using filter=[org.ldaptive.SearchFilter@-1831897358::filter=(&(objectCategory=Person)(sAMAccountName={user})(memberOf=CN=ManagersPortal,OU=Groups,OU=БАНК,DC=hq,DC=bc)), parameters={context=null, user=braliyev_30424}]>
2018-03-13 17:34:38,526 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - <resolved dn=null for user=[org.ldaptive.auth.User@1756715488::identifier=braliyev_30424, context=null]>
2018-03-13 17:34:38,526 DEBUG [org.ldaptive.auth.Authenticator] - <authenticate dn=null with request=[org.ldaptive.auth.AuthenticationRequest@1687550059::user=[org.ldaptive.auth.User@1756715488::identifier=braliyev_30424, context=null], returnAttributes=[commonName, sAMAccountName, displayName, memberOf, email], controls=null]>

CAS search request result is empty.



When I change the configuration "userFilter" so that it does not check memberOf (cas.authn.ldap[0].userFilter=(&(objectCategory=Person))), authorization works correctly.

I checked my search request in the LDAPAdmin utility; it works correctly.

Ray Bon

Mar 13, 2018, 12:26:56 PM3/13/18
to cas-...@apereo.org
Maybe your ldap logs will have more info.

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

Марат Бралиев

Mar 13, 2018, 2:00:06 PM3/13/18
to CAS Community
I attached the LDAP log to my question.

Ray Bon

Mar 13, 2018, 2:03:16 PM3/13/18
to cas-...@apereo.org
Is that the CAS log or the LDAP server log?


On Tue, 2018-03-13 at 11:00 -0700, Марат Бралиев wrote:
I attached the LDAP log to my question.

Марат Бралиев

Mar 13, 2018, 2:17:20 PM3/13/18
to CAS Community
CAS logs))) I understood you... I will look at the LDAP logs on the AD server.

Марат Бралиев

Mar 13, 2018, 2:28:43 PM3/13/18
to CAS Community
What is the best practice for checking membership of a specific group? Check it in the LDAP search query, or use some CAS (or ldaptive) handler that checks group membership after a simple search? Does CAS support such a handler?

William E.

Mar 14, 2018, 10:00:25 AM3/14/18
to CAS Community
We grab the memberof attribute in the user record. Note it's multivalued.

Michael Peterson

Mar 20, 2018, 12:21:09 PM3/20/18
to CAS Community, marat.b...@gmail.com
Does the issue have to do with nested group membership in the Active Directory group? In order for your LDAP filter to evaluate to true, the user you are testing authentication with needs to be a direct member of the checked-for group. If you want it to recursively check whether the user is a member of the checked group, use something like this instead:

cas.authn.ldap[0].userFilter=(&(objectCategory=Person)(sAMAccountName={user})(memberOf:1.2.840.113556.1.4.1941:=CN=SpecificGroupName,OU=Groups,OU=Company,DC=example,DC=com))
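The difference between the two filters, as an added example that is not CAS, ldaptive or the poster's code: an in-memory model of a constructed AD-like directory in which the test user belongs only to a nested group, so the plain memberOf filter resolves no DN (the "dn=null" seen in the log above) while the matching-rule-in-chain filter does. The DNs, account name and the escaping helper are assumptions made for the example.

```python
# Added example, not CAS or ldaptive code: an in-memory model of the two
# userFilter variants in this thread, run against a constructed AD-like
# directory in which the test user belongs only to a *nested* group.
GROUP = "CN=SpecificGroupName,OU=Groups,OU=Company,DC=example,DC=com"
SUB = "CN=Developers,OU=Groups,OU=Company,DC=example,DC=com"
USER = "CN=Test User,OU=Users,DC=example,DC=com"
DIRECTORY = {  # constructed sample data; DNs and accounts are made up
    USER: {"objectCategory": "Person", "sAMAccountName": "testuser",
           "memberOf": [SUB]},
    SUB: {"objectCategory": "Group", "memberOf": [GROUP]},
    GROUP: {"objectCategory": "Group", "memberOf": []},
}
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN OID

def escape_filter_value(value):
    """RFC 4515 escaping for whatever is substituted into {user}; without it
    a '*' or ')' in the supplied name would change the filter's meaning."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_user_filter(user, nested):
    rule = ":%s:" % IN_CHAIN if nested else ""
    return "(&(objectCategory=Person)(sAMAccountName=%s)(memberOf%s=%s))" % (
        escape_filter_value(user), rule, GROUP)

def is_direct_member(entry):
    """Plain (memberOf=GROUP): true only for direct membership."""
    return GROUP in entry["memberOf"]  # memberOf is multivalued

def is_member_in_chain(entry, seen=frozenset()):
    """What the :IN_CHAIN: rule makes the server evaluate: follow the
    group-of-group chain (cycle-safe) until GROUP is reached."""
    for dn in entry["memberOf"]:
        if dn == GROUP:
            return True
        if dn in DIRECTORY and dn not in seen:
            if is_member_in_chain(DIRECTORY[dn], seen | {dn}):
                return True
    return False

def resolve_dn(user, nested):
    """Like PooledSearchDnResolver: the matching DN, or None ('dn=null')."""
    test = is_member_in_chain if nested else is_direct_member
    for dn, entry in DIRECTORY.items():
        if (entry["objectCategory"] == "Person"
                and entry.get("sAMAccountName") == user and test(entry)):
            return dn
    return None

if __name__ == "__main__":  # direct filter resolves nothing, chain filter resolves USER
    print([(build_user_filter("testuser", n), resolve_dn("testuser", n)) for n in (0, 1)])
```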

Michael Peterson

Mar 20, 2018, 12:23:56 PM3/20/18
to CAS Community, marat.b...@gmail.com
I should also add that the userFilter is just limiting what CAS can see as the available pool of user objects. If you merely want to allow users of a certain group access to a particular service, then that is accomplished in the service definition under required attributes. But note I have not yet found how to get it to work with nested Active Directory groups, only direct children of the group.