Hello All,

I can't get YubiKey MFA authentication working with LDAP (AD). It looks like 
I am missing some configuration parameter, but I do not see which one...

LDAP authentication itself is working. But whatever I do to add YubiKey, it 
does not even ask for it during the login process... I would expect a 
second page with a YubiKey OTP field, but nothing happens.

CAS is built with the following dependencies:

    <dependencies>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-webapp</artifactId>
            <version>${cas.version}</version>
            <type>war</type>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-yubikey</artifactId>
            <version>${cas.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-ldap</artifactId>
            <version>${cas.version}</version>
        </dependency>
    </dependencies>


cas.properties:

cas.server.name: https://login.example.com
cas.server.prefix: https://login.example.com/cas


cas.adminPagesSecurity.ip=127\.0\.0\.1


logging.config: file:/etc/cas/config/log4j2.xml


cas.authn.policy.all.enabled=true

cas.authn.accept.users=



#MFA
cas.authn.mfa.globalProviderId=mfa-yubikey
cas.authn.mfa.requestParameter=authn_method
cas.authn.mfa.globalFailureMode=CLOSED


#YUBIKEY
cas.authn.mfa.yubikey.clientId=1
cas.authn.mfa.yubikey.secretKey=<HASH=>
cas.authn.mfa.yubikey.rank=0
cas.authn.mfa.yubikey.apiUrls=https://yubi.example.com/wsapi/2.0/verify
cas.authn.mfa.yubikey.trustedDeviceEnabled=true


#LDAP/AD
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://<LDAP_IP>
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].baseDn=<BASE_DN>
cas.authn.ldap[0].userFilter=sAMAccountName={user}
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].bindDn=<BIND_DN>
cas.authn.ldap[0].bindCredential=*********
cas.authn.ldap[0].dnFormat=<FORMAT_STRING>
cas.authn.ldap[0].principalAttributeId=sAMAccountName
cas.authn.ldap[0].principalAttributePassword=
cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
cas.authn.ldap[0].minPoolSize=3
cas.authn.ldap[0].maxPoolSize=10
cas.authn.ldap[0].validateOnCheckout=true
cas.authn.ldap[0].validatePeriodically=true
cas.authn.ldap[0].validatePeriod=600
cas.authn.ldap[0].failFast=true
cas.authn.ldap[0].idleTime=500
cas.authn.ldap[0].prunePeriod=600
cas.authn.ldap[0].blockWaitTime=5000


The application also logs something about *YubiKeyAccountRegistry*:

<No YubiKey account registry is defined. All credentials are considered 
eligible for YubiKey authentication. Consider providing an account registry 
via [org.apereo.cas.adaptors.yubikey.YubiKeyAccountRegistry]>

But I cannot find any documentation explaining how to configure this 
feature... 

Any help appreciated.
Dimitri
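The warning quoted above is the security-relevant part of this setup: without an account registry, CAS treats every YubiKey as eligible for every user, so a valid OTP from any key would satisfy the second factor for any account. The Python below is an added illustration, not CAS code and not from the original post, of what such a registry enforces: a username is bound to the public-ID prefix of its YubiKey OTP, and an OTP from an unbound key is rejected before any validation-server call. The account data and OTP values are constructed samples.

```python
"""Illustrates a YubiKey account registry: an OTP counts for a user only if
its public-ID prefix was previously registered for that user. Constructed
sample data; not CAS code."""

# YubiKey OTPs are written in modhex, a 16-symbol, keyboard-layout-independent
# alphabet. A symbol's position in this string is its nibble value.
MODHEX_ALPHABET = "cbdefghijklnrtuv"
TOKEN_LEN = 32          # the AES-encrypted part of every OTP is 32 modhex chars
MAX_PUBLIC_ID_LEN = 16  # the public-ID prefix is 0..16 chars, 12 by default


def modhex_to_hex(text):
    """Translate modhex to hex; raises ValueError on a non-modhex symbol."""
    if any(ch not in MODHEX_ALPHABET for ch in text):
        raise ValueError("not modhex: %r" % text)
    return "".join("0123456789abcdef"[MODHEX_ALPHABET.index(ch)] for ch in text)


def public_id(otp):
    """Return the public-ID prefix of an OTP, or None if it is malformed
    (wrong length or a non-modhex character). This does NOT verify the OTP;
    the validation server (the apiUrls endpoint) does that."""
    if not (TOKEN_LEN <= len(otp) <= TOKEN_LEN + MAX_PUBLIC_ID_LEN):
        return None
    if any(ch not in MODHEX_ALPHABET for ch in otp):
        return None
    return otp[:-TOKEN_LEN]


class YubiKeyRegistry:
    """Maps a username to the set of YubiKey public IDs bound to it."""

    def __init__(self):
        self._accounts = {}

    def register(self, user, otp):
        """Bind the device that produced this OTP to the user."""
        pid = public_id(otp)
        if pid is None:
            raise ValueError("malformed OTP")
        self._accounts.setdefault(user, set()).add(pid)

    def is_registered(self, user, otp):
        """True only if the OTP comes from a device bound to this user."""
        pid = public_id(otp)
        return pid is not None and pid in self._accounts.get(user, set())


# Constructed sample: alice's key has public ID "ccccccclgvcb"; the 32-char
# token part is a dummy that a real validation server would reject.
ALICE_OTP = "ccccccclgvcb" + "d" * TOKEN_LEN
REGISTRY = YubiKeyRegistry()
REGISTRY.register("alice", ALICE_OTP)
```

The registry check is a binding step only; the OTP itself still has to be verified by the validation server configured in apiUrls.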

You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/c30a895c-91bc-4d51-bf3b-c5935de55c8b%40apereo.org.