The second one, as Misagh said, because the logic here is to have two totally 
separate authentications with different settings: it could even be another 
LDAP server with totally different parameters...

Note that if Ruslan's filter works, you would slightly prefer it as you 
only have one LDAP with a specific need.
More precisely, it will only call LDAP once.

If you use two LDAP auths, CAS will try the first and if it doesn't work it 
will try the second.
So if your users are, let's say, split half and half between the two groups, 
you'll have an average of 1.5 calls instead of 1.

That said, depending on the environment, LDAP calls from CAS are pretty quick; 
so I would say just use whatever works :)

Erdal.
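Worked example of the two approaches discussed in this thread (added by the editor; this is not configuration from the thread, from Ruslan, or from the CAS project). It assumes CAS 5.0-style property names with a lower-case `ldap` key, an AD server reachable at ldap.example.org over LDAPS, and that each user's RDN is `cn=<username>`. The group DNs in the single-handler variant are invented for illustration; the filter Ruslan proposed is not shown on this page, so the one below is the editor's own.

```properties
# ---- Approach A: two independent handlers, one per OU ----------------------
# Each index is a complete handler definition; setting only [1].dnFormat (as
# in the first variant Eric asked about) leaves handler [1] without a URL,
# type or bind settings. Every setting is repeated, and only the OU differs.
# With type=AD the user is authenticated by binding directly as the DN built
# from dnFormat, so a user who is not under ou=users or ou=people fails both
# binds and is rejected. CAS tries handler [0] first, then [1] on failure.

cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldaps://ldap.example.org
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].baseDn=ou=users,dc=example,dc=org
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].dnFormat=cn=%s,ou=users,dc=example,dc=org
cas.authn.ldap[0].principalAttributeId=sAMAccountName
cas.authn.ldap[0].bindDn=cn=cas_user,ou=utility,dc=example,dc=org
cas.authn.ldap[0].bindCredential=caspass

cas.authn.ldap[1].type=AD
cas.authn.ldap[1].ldapUrl=ldaps://ldap.example.org
cas.authn.ldap[1].useSsl=true
cas.authn.ldap[1].baseDn=ou=people,dc=example,dc=org
cas.authn.ldap[1].subtreeSearch=true
cas.authn.ldap[1].dnFormat=cn=%s,ou=people,dc=example,dc=org
cas.authn.ldap[1].principalAttributeId=sAMAccountName
cas.authn.ldap[1].bindDn=cn=cas_user,ou=utility,dc=example,dc=org
cas.authn.ldap[1].bindCredential=caspass

# ---- Approach B: one handler, one search, restriction in the filter --------
# Commented out so the file above stays a single consistent configuration.
# type=AUTHENTICATED makes CAS search for the user with the service account
# (bindDn) under baseDn using userFilter, then bind as the DN it found: one
# LDAP search per login instead of up to two binds. A standard LDAP filter
# matches attribute values, not an entry's position in the tree, so the
# "only these two OUs" rule is expressed through an attribute here, with
# memberOf and two assumed group DNs as the example.
#
# cas.authn.ldap[0].type=AUTHENTICATED
# cas.authn.ldap[0].ldapUrl=ldaps://ldap.example.org
# cas.authn.ldap[0].useSsl=true
# cas.authn.ldap[0].baseDn=dc=example,dc=org
# cas.authn.ldap[0].subtreeSearch=true
# cas.authn.ldap[0].userFilter=(&(sAMAccountName={user})(|(memberOf=cn=sso-users,ou=groups,dc=example,dc=org)(memberOf=cn=sso-people,ou=groups,dc=example,dc=org)))
# cas.authn.ldap[0].principalAttributeId=sAMAccountName
# cas.authn.ldap[0].bindDn=cn=cas_user,ou=utility,dc=example,dc=org
# cas.authn.ldap[0].bindCredential=caspass
```

Two checks worth doing before relying on either variant. First, `dnFormat` builds the bind DN by substituting the submitted username into the template, so a username containing DN metacharacters such as `,`, `+` or `=` would change the structure of the resulting DN; either reject such usernames before they reach CAS or confirm on a test account that your CAS version escapes them. Second, the URL scheme in the posted configuration is `https://`; an LDAP client expects `ldap://` or `ldaps://`, and over a plain `ldap://` connection the service-account and user passwords cross the network in clear, so use `ldaps://` (or STARTTLS) and make sure the CAS JVM trusts the directory's certificate.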



On Wednesday, 23 November 2016 at 20:59:46 UTC+1, Eric Allen wrote:
>
> To use that method would it look something like this?
>
> cas.authn.Ldap[0].type=AD
> cas.authn.Ldap[0].LdapUrl=https://ldap.example.org
> cas.authn.Ldap[0].baseDn=dc=example,dc=org
> cas.authn.Ldap[0].userFilter=cn={user}
> cas.authn.Ldap[0].bindDn=cn=cas_user,ou=utility,dc=example,dc=org
> cas.authn.Ldap[0].bindCredential=caspass
> cas.authn.Ldap[0].principalAttributeId=sAMAccountName
> cas.authn.Ldap[0].dnFormat=cn=%s,ou=users,dc=example,dc=org
> cas.authn.Ldap[1].dnFormat=cn=%s,ou=people,dc=example,dc=org
>
> or like 
> cas.authn.Ldap[0].type=AD
> cas.authn.Ldap[0].LdapUrl=https://ldap.example.org
> cas.authn.Ldap[0].baseDn=dc=example,dc=org
> cas.authn.Ldap[0].userFilter=cn={user}
> cas.authn.Ldap[0].bindDn=cn=cas_user,ou=utility,dc=example,dc=org
> cas.authn.Ldap[0].bindCredential=caspass
> cas.authn.Ldap[0].principalAttributeId=sAMAccountName
> cas.authn.Ldap[0].dnFormat=cn=%s,ou=users,dc=example,dc=org
>
> cas.authn.Ldap[1].type=AD
> cas.authn.Ldap[1].LdapUrl=https://ldap.example.org
> cas.authn.Ldap[1].baseDn=dc=example,dc=org
> cas.authn.Ldap[1].userFilter=cn={user}
> cas.authn.Ldap[1].bindDn=cn=cas_user,ou=utility,dc=example,dc=org
> cas.authn.Ldap[1].bindCredential=caspass
> cas.authn.Ldap[1].principalAttributeId=sAMAccountName
> cas.authn.Ldap[1].dnFormat=cn=%s,ou=people,dc=example,dc=org
>
>
> On Wednesday, November 23, 2016 at 9:27:32 AM UTC-7, Misagh Moayyed wrote:
>>
>> You may have missed the obvious, which is that that index “[0]” is meant 
>> to be incremented by you to support additional blocks and ldap authN 
>> schemes. So what you can do is define a [1], repeat your settings more 
>> or less and just narrow the base for both 0 and 1 to those OUs you care 
>> about.
>>
>>  
>>
>> Or you come up with a fancier filter. 
>>
>>  
>>
>> --Misagh
>>
>>  
>>
>> *From:* cas-...@apereo.org [mailto:cas-...@apereo.org] *On Behalf Of *Eric 
>> Allen
>> *Sent:* Tuesday, November 22, 2016 6:03 PM
>> *To:* CAS Community <cas-...@apereo.org>
>> *Subject:* [cas-user] CAS 5 - ldap multiple OUs
>>
>>  
>>
>> I'm currently stuck on how to setup authentication for two OUs in the 
>> same LDAP connector.  I want to allow only the users that are in these two 
>> OUs but not others. 
>>
>> The two OUs that I want to authenticate against are 
>> ou=users,dc=example,dc=org and ou=people,dc=example,dc=org.  I'm using 
>> example.org to keep the examples easier to understand. 
>>
>> I can get one OU to work just fine.  Current config
>>
>>
>> cas.authn.Ldap[0].type=AD
>> cas.authn.Ldap[0].LdapUrl=https://ldap.example.org
>> cas.authn.Ldap[0].baseDn=dc=example,dc=org
>> cas.authn.Ldap[0].userFilter=cn={user}
>> cas.authn.Ldap[0].bindDn=cn=cas_user,ou=utility,dc=example,dc=org
>> cas.authn.Ldap[0].bindCredential=caspass
>> cas.authn.Ldap[0].principalAttributeId=sAMAccountName
>> cas.authn.Ldap[0].dnFormat=cn=%s,ou=users,dc=example,dc=org
>>
>>
>> I have tried with multiple different options for the dnFormat, trying 
>> ldapsearch strings, but to no success.  Any suggestions on limiting access 
>> to two OUs?
>>
>>  
>>
>> Thanks
>>
>> Eric
>>
>>  
>>
>> -- 
>> - CAS gitter chatroom: https://gitter.im/apereo/cas
>> - CAS mailing list guidelines: 
>> https://apereo.github.io/cas/Mailing-Lists.html
>> - CAS documentation website: https://apereo.github.io/cas
>> - CAS project website: https://github.com/apereo/cas
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to cas-user+u...@apereo.org.
>> To view this discussion on the web visit 
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/74eb0615-fab6-4abb-b62e-30f9277ab341%40apereo.org
>>  
>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/74eb0615-fab6-4abb-b62e-30f9277ab341%40apereo.org?utm_medium=email&utm_source=footer>
>> .
>>
>
