Configure CAS 5.3 with LDAP


Alex Samosir

Jul 11, 2019, 12:12:28 PM
to CAS Community
I'm trying to connect CAS with my LDAP server, and I'm following the New School tutorial, by the way.
But no luck.
I'm facing this error:

ldaps.png



I've already tried that configuration with my LDAP browser,
and it succeeds and connects.


ldap browser.png


LDAP BROWSER SUCCESS.png

Here is my cas.properties:

cas.authn.ldap[0].order:                        0
cas.authn.ldap[0].name:                         LDAP
cas.authn.ldap[0].type:                         AUTHENTICATED
cas.authn.ldap[0].ldapUrl:                      ldaps://10.2.2.64
cas.authn.ldap[0].validatePeriod:               270
#cas.authn.ldap[0].poolPassivator:              BIND
cas.authn.ldap[0].searchFilter:                 cn={user}
cas.authn.ldap[0].baseDn:                       cn=Users,DC=app,DC=lkpp,DC=go,DC=id
#cas.authn.ldap[0].dnFormat:                    cn=%s,CN=Users,DC=app,DC=lkpp,DC=go,DC=id
cas.authn.ldap[0].bindDn:cn=Administrator,cn=Users,dc=app,dc=lkpp,dc=go,dc=id
cas.authn.ldap[0].bindCredential:****************

Any suggestion as to what I did wrong?

matrix

Jul 11, 2019, 9:03:24 PM
to cas-...@apereo.org
Are you using a self-signed certificate?


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/17449e07-16ac-4650-8b38-9008603a15de%40apereo.org.


--
-Fazla.

Alex Samosir

Jul 12, 2019, 2:54:44 AM
to CAS Community
Yes, because it's on my local PC.

matrix

Jul 12, 2019, 3:39:25 AM
to cas-...@apereo.org
You need to add the self-signed certificate to the keystore file of CAS; also check whether port 636 is open or not. Actually, you don't need ldaps for CAS authentication. Below is my LDAP config, which works for me. Check whether your ports are open or not.

cas.authn.ldap[0].principalAttributeList=sAMAccountName,cn,givenName,memberOf,userPrincipalName,department,title,distinguishedName
cas.authn.ldap[0].collectDnAttribute=false
#cas.authn.ldap[0].principalDnAttributeName=sAMAccountName
# cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
# cas.authn.ldap[0].allowMissingPrincipalAttributeValue=true
#cas.authn.ldap[0].credentialCriteria=
cas.authn.ldap[0].ldapUrl=ldap://myldap:389
cas.authn.ldap[0].bindDn=CN=myldapadmin,OU=admin,DC=example,DC=edu
cas.authn.ldap[0].bindCredential=mypass
cas.authn.ldap[0].minPoolSize=3
cas.authn.ldap[0].maxPoolSize=10
cas.authn.ldap[0].validateOnCheckout=true
cas.authn.ldap[0].validatePeriodically=true
cas.authn.ldap[0].validatePeriod=600
#cas.authn.ldap[0].validateTimeout=PT5S
cas.authn.ldap[0].failFast=true
# cas.authn.ldap[0].idleTime=PT10M
# cas.authn.ldap[0].prunePeriod=PT2H
# cas.authn.ldap[0].blockWaitTime=PT3S
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
#cas.authn.ldap[0].responseTimeout=PT5S
cas.authn.ldap[0].allowMultipleDns=false
#cas.authn.ldap[0].name=
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].baseDn=DC=example,DC=edu
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].searchFilter=sAMAccountName={user}
cas.authn.ldap[0].enhanceWithEntryResolver=true
#cas.authn.ldap[0].derefAliases=NEVER|SEARCHING|FINDING|ALWAYS
cas.authn.ldap[0].dnFormat=uid=%s,DC=example,DC=edu
#cas.authn.ldap[0].principalAttributePassword=
cas.authn.ldap[0].followReferrals=false
cas.authn.ldap[0].hostnameVerifier=ANY


Alex Samosir

Jul 12, 2019, 4:09:36 AM
to CAS Community
> Thank you so much for your answer. But can you guide me where and how to add the self-signed certificate to the keystore file?

> I've tried using LDAP with port 389. CAS loads, but when I try to log in with my username and password it returns an error: LDAP: error code 8 - BindSimple: Transport encryption required
Screenshot from 2019-07-10 21-22-02.png

Alex Samosir

Jul 12, 2019, 4:36:55 AM
to CAS Community
I'm trying your configuration in my CAS,
and it returns javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - BindSimple: Transport encryption required.]
And CAS does not load.


Did I miss something?
I'm new to CAS, so I'm just following the New School documentation on how to implement CAS.

casuser

Jul 19, 2019, 5:55:25 AM
to CAS Community

The error indicates that transport encryption is required; this generally means you need to change the LDAP server URI from ldap://server.domain.gTLD to ldaps://server.domain.gTLD, but since few LDAP servers use certs issued from a public certificate authority (CA), you'll also need to set up the certificate trust. I use a private CA to sign all certificates, so I can import the CA public key into the Java truststore. Just use any keytool, explore your keystore, and copy and paste your self-signed cert inside the keystore. For authentication you can use LDAP only like me and use port 389. Can you please post your config as well?
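The "add the self-signed certificate to the Java truststore" step from the two replies above, as an added example that is not from this thread or from the CAS project: it fetches the certificate the LDAPS server presents, imports it into a dedicated PKCS12 truststore with keytool, and checks the alias landed. It assumes openssl and keytool are on PATH; the host, port, truststore path and password are placeholders you replace.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl and keytool on PATH.
set -eu

# Save the leaf certificate an LDAPS server presents, as PEM, into $3.
# Usage: fetch_ldaps_cert ldap.example.org 636 /tmp/ldap.pem
fetch_ldaps_cert() {
  host="$1"; port="$2"; out="$3"
  openssl s_client -connect "$host:$port" -showcerts </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$out"
}

# Import a PEM certificate into a PKCS12 truststore under the given alias.
# keytool creates the store if it does not exist yet. Trusting the exact
# server cert (or the private CA that issued it) keeps hostname verification
# on, so you do not need to weaken it with hostnameVerifier=ANY.
# Usage: import_into_truststore /tmp/ldap.pem /etc/cas/ldap-trust.p12 ldap changeit
import_into_truststore() {
  pem="$1"; store="$2"; alias="$3"; storepass="$4"
  keytool -importcert -noprompt -trustcacerts \
    -alias "$alias" -file "$pem" \
    -keystore "$store" -storepass "$storepass" -storetype PKCS12
}

# Exit status 0 if the alias is present in the truststore, non-zero otherwise.
# Usage: truststore_has_alias ldap /etc/cas/ldap-trust.p12 changeit
truststore_has_alias() {
  alias="$1"; store="$2"; storepass="$3"
  keytool -list -keystore "$store" -storepass "$storepass" -alias "$alias" \
    >/dev/null 2>&1
}

# End-to-end run against placeholder values (edit before use):
# fetch_ldaps_cert 10.2.2.64 636 /tmp/ldap.pem
# import_into_truststore /tmp/ldap.pem /etc/cas/ldap-trust.p12 ldap changeit
# truststore_has_alias ldap /etc/cas/ldap-trust.p12 changeit && echo "trusted"
```

Then start CAS with the JVM pointed at that store, e.g. JAVA_OPTS="-Djavax.net.ssl.trustStore=/etc/cas/ldap-trust.p12 -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=PKCS12", and set ldapUrl to ldaps://host:636. CAS 5.x also has a per-connection cas.authn.ldap[0].trustCertificates property that takes the PEM file directly; confirm its name against the docs for your exact version before relying on it.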
