CAS 5.2 LDAP Query and Output


Kevin Liu

Feb 27, 2018, 11:11:12 AM
to CAS Community
Hello All,

Is there a way to see the response that CAS gets back from LDAP? Also is there a tutorial anywhere for specific LDAP queries from CAS? For example, if I need to check to see if a member is part of a specific OU?

Thanks,
Kevin

Marc Dufour

Feb 27, 2018, 3:06:30 PM
to CAS Community
Kevin,

Have you tried to add more logs? I added this in my log config file to help debug my LDAP problems: 

<AsyncLogger name="org.ldaptive" level="debug" additivity="false">
    <AppenderRef ref="console"/>
    <AppenderRef ref="file"/> 
</AsyncLogger>

As for the OU membership, maybe you could add that to the user filter.

Kevin Liu

Feb 27, 2018, 3:41:51 PM
to CAS Community
I have but it doesn't fully display what is being returned by LDAP.

How can I constrain to multiple OUs? Also, maybe I might be going at this the wrong way. I need CAS to use LDAP to authenticate with a specific group in LDAP. How do I constrain to just that and look for users?

Marc Dufour

Feb 27, 2018, 4:04:17 PM
to CAS Community
Atlassian has a nice paper on how to write LDAP filters: https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html and should help you if you want to restrict the users able to authenticate with CAS.

The way I see this, CAS should authenticate the user (wide open to the users and restricted to authorized apps only), and the application using CAS should authorize the user. That means the logic of who can use what should be in the application and not in CAS. This is why CAS has the possibility to return LDAP attributes to the application: are you a member of so and so groups? Then go ahead and use my application as an admin or as a user with specific roles. 

This is my point of view and it is based on my experience in my environment.

Kevin Liu

Feb 27, 2018, 4:10:38 PM
to CAS Community
I see, so in other words, I should not have CAS search through LDAP looking for a user and checking to see if they're a member of a group. Rather, that should get passed to the application using CAS.

Thanks!

Kevin Liu

Feb 27, 2018, 4:11:22 PM
to CAS Community
And somewhat stemming from the other conversation, what gets passed is via the principalAttributeList? Where do the attributes get passed to?

Ray Bon

Feb 27, 2018, 4:14:46 PM
to cas-...@apereo.org
Kevin,

We have multiple ldap definitions, varying only on OU. The userFilter is also set to search everything below the OU. CAS will search each one in sequence until it finds a match.

cas.authn.ldap[0].ldapUrl=ldaps://ldapdev.uvic.ca:636
cas.authn.ldap[0].connectTimeout=3000
cas.authn.ldap[0].baseDn=ou=loadtesters,ou=uportal,ou=applications,dc=uvic,dc=ca
cas.authn.ldap[0].userFilter=uid:2.5.13.5:={user}
...

cas.authn.ldap[1].type=AUTHENTICATED
cas.authn.ldap[1].ldapUrl=ldaps://ldapdev.uvic.ca:636
cas.authn.ldap[1].connectTimeout=3000
cas.authn.ldap[1].baseDn=ou=people,dc=uvic,dc=ca
cas.authn.ldap[1].userFilter=uid:2.5.13.5:={user}
...

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

Ray Bon

Feb 27, 2018, 4:17:55 PM
to cas-...@apereo.org
They will be with the authenticated user in the client application. Accessed something like principal.getAttributes.

Ray

Marc Dufour

Feb 27, 2018, 4:24:33 PM
to CAS Community
You can restrict the users able to authenticate with CAS if you have to; I'm just saying that it may not be the only way. Your reality is different than mine.

As for the attributes: they are passed to the application, or in CAS terminology, the service. principalAttributeList contains the attributes available to CAS to pass to the service. When you create a service, you configure the AttributeReleasePolicy that tells CAS what attributes the application has access to (or released to it, in CAS language). See this https://apereo.github.io/cas/5.2.x/installation/Service-Management.html and this https://apereo.github.io/cas/5.2.x/integration/Attribute-Release.html.

Kevin Liu

Feb 28, 2018, 9:14:34 AM
to CAS Community
Thanks, Ray!

Unfortunately, I realized searching by OU for a user won't work. This is because of a couple of things.
I originally thought OUs were groups and have since discovered they are not.
I want to authenticate using sAMAccountName, and when you search by groups, none of the members have sAMAccountName as a field. It only displays members as their DN, which doesn't contain the sAMAccountName.
Now I'm thinking of approaching it by pulling a user's entry and checking to see what they're a member of, as users do display their group membership.

Marc, or anyone else, how would I be able to restrict it down further? I see a cas.authn.ldap[0].searchEntryHandlers[0] but I'm not sure if this is what I want.
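The following is an added example, not code from the CAS project or from anyone in this thread. It models the two search layouts discussed above in a small in-memory directory: Ray's several definitions that differ only in baseDn and are tried in order, and Kevin's approach of looking the user entry up by sAMAccountName and requiring membership through the user's own memberOf attribute (with the group entry present to show why searching the groups OU by sAMAccountName finds nothing, since a group only holds member DNs). It also escapes the value substituted for {user} per RFC 4515, which is the property a practitioner should confirm for whatever does that substitution in their deployment. All DNs, attribute values and group names are invented, the filter parser covers only the subset used here, and an extensible matching rule such as the :2.5.13.5: in Ray's userFilter is parsed but not modelled.

```python
# Added example, not code from the CAS project or this thread. A constructed
# in-memory directory plus a small RFC 4515 filter evaluator; every DN,
# attribute value and group name below is invented for the example.
from dataclasses import dataclass, field

# RFC 4515 section 3: characters that must be escaped in an assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(c, c) for c in value)

def render(template: str, **params: str) -> str:
    """Fill {name} placeholders (like CAS's {user}) with escaped values."""
    for name, value in params.items():
        template = template.replace("{" + name + "}", escape_filter_value(value))
    return template

@dataclass
class Entry:
    dn: str
    attrs: dict = field(default_factory=dict)  # attribute name -> list of values

def in_subtree(dn: str, base_dn: str) -> bool:
    """Subtree scope: dn is base_dn or lies below it (case/space-insensitive)."""
    d, b = (",".join(p.strip().lower() for p in x.split(",")) for x in (dn, base_dn))
    return d == b or d.endswith("," + b)

def _unescape(raw: str) -> str:
    out, i = [], 0
    while i < len(raw):
        hexesc = raw[i] == "\\" and i + 3 <= len(raw)
        out.append(chr(int(raw[i + 1:i + 3], 16)) if hexesc else raw[i])
        i += 3 if hexesc else 1
    return "".join(out)

def _parse(s: str, i: int):  # subset: (&...), (|...), (attr=value), (attr=*)
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, subs, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            subs.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated %s filter" % op)
        return (op, subs), i + 1
    eq = s.index("=", i)
    attr = s[i:eq].split(":")[0]  # an extensible rule such as :2.5.13.5: is not modelled
    close = s.index(")", eq)      # an escaped ')' is \29, so a raw ')' always ends the value
    return ("=", attr.lower(), s[eq + 1:close]), close + 1

def _eval(node, entry: Entry) -> bool:
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(_eval(n, entry) for n in node[1])
    _, attr, raw = node
    values = next((v for k, v in entry.attrs.items() if k.lower() == attr), [])
    if raw == "*":                    # presence filter
        return bool(values)
    wanted = _unescape(raw).lower()   # caseIgnoreMatch semantics
    return any(v.lower() == wanted for v in values)

def search(directory, base_dn: str, filt: str):
    node, end = _parse(filt, 0)
    if end != len(filt):
        raise ValueError("trailing data after filter")
    return [e for e in directory if in_subtree(e.dn, base_dn) and _eval(node, e)]

GROUP = "cn=cas-users,ou=groups,dc=example,dc=org"
PEOPLE = "ou=people,dc=example,dc=org"
LOADTESTERS = "ou=loadtesters,ou=applications,dc=example,dc=org"
DIRECTORY = [  # constructed sample data
    Entry("cn=alice," + PEOPLE, {"sAMAccountName": ["alice"], "memberOf": [GROUP]}),
    Entry("cn=bob," + PEOPLE, {"sAMAccountName": ["bob"]}),
    Entry("cn=svc-load," + LOADTESTERS, {"sAMAccountName": ["svc-load"], "memberOf": [GROUP]}),
    # the group entry: its member values are DNs and it has no sAMAccountName at all
    Entry(GROUP, {"objectClass": ["group"],
                  "member": ["cn=alice," + PEOPLE, "cn=svc-load," + LOADTESTERS]}),
]

def user_in_group(user: str) -> list:
    """Look the user up by sAMAccountName and require membership via memberOf."""
    filt = render("(&(sAMAccountName={user})(memberOf={group}))", user=user, group=GROUP)
    return [e.dn for e in search(DIRECTORY, PEOPLE, filt)]

def search_group_base(user: str) -> list:
    """Searching the groups OU by sAMAccountName finds nothing: groups hold member DNs."""
    filt = render("(sAMAccountName={user})", user=user)
    return [e.dn for e in search(DIRECTORY, "ou=groups,dc=example,dc=org", filt)]

def first_matching_base(user: str, bases=(LOADTESTERS, PEOPLE)):
    """Several definitions differing only in baseDn, tried in order until one hits."""
    for base in bases:
        hits = search(DIRECTORY, base, render("(sAMAccountName={user})", user=user))
        if hits:
            return base, hits[0].dn
    return None
```

With this data, user_in_group("alice") returns her DN, user_in_group("bob") is empty because he has no memberOf value, search_group_base("alice") is empty for the reason Kevin found, and first_matching_base("svc-load") is satisfied by the loadtesters base before the people base is ever consulted. The escaping matters at the {user} substitution: render("(sAMAccountName={user})", user="*") yields (sAMAccountName=\2a), which matches no one, while the raw string (sAMAccountName=*) is a presence filter that matches every user entry under the base.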