I'm not sure what you mean by your LDAP is really a MSDN, but...

If you're using the "AD" type, then you want (according to the
documentation), this:

cas.authn.ldap[0].userFilter=cn={user}


to be:

cas.authn.ldap[0].userFilter=sAMAccountName={user}


And you should not need (and perhaps should not have) these:

cas.authn.ldap[0].bindDn=user1@beta.gamma
cas.authn.ldap[0].bindCredential=user1Password


At least, you don't need them on "real" AD -- maybe you do need them on
whatever an "MSDN AD" is.

Finally, and probably most important (I would try changing just this one
setting first), you want this:

cas.authn.ldap[0].dnFormat=CN=User 1,OU=Test,OU=alpha,DC=beta,DC=gamma


to be this:

cas.authn.ldap[0].dnFormat=CN=%s,OU=Test,OU=alpha,DC=beta,DC=gamma


so that CAS can fill in the username to the authentication request.

--Dave



--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

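To make the dnFormat point above concrete, here is an added Python example (mine, not code from the thread or from CAS) that models how the "AD" type turns dnFormat/userFilter into a bind DN and a filter, and lints a config for the one-user mistake. The property names are CAS's own; the user names, the helper functions and the escaping rules are assumptions of this example.

```python
"""Added example (not from the thread or from CAS): model how CAS's "AD"
LDAP type turns dnFormat / userFilter into a bind DN and search filter and
lint a config for the one-user mistake discussed above. Property names are
CAS's own; users, helper names and escaping (RFC 4514/4515) are constructed."""
import re

# Constructed properties: the config posted in the thread and Dave's fixes.
BEFORE = {
    "cas.authn.ldap[0].type": "AD",
    "cas.authn.ldap[0].userFilter": "cn={user}",
    "cas.authn.ldap[0].bindDn": "user1@beta.gamma",
    "cas.authn.ldap[0].bindCredential": "user1Password",
    "cas.authn.ldap[0].dnFormat": "CN=User 1,OU=Test,OU=alpha,DC=beta,DC=gamma",
}
AFTER = {
    "cas.authn.ldap[0].type": "AD",
    "cas.authn.ldap[0].userFilter": "sAMAccountName={user}",
    "cas.authn.ldap[0].dnFormat": "CN=%s,OU=Test,OU=alpha,DC=beta,DC=gamma",
}

def escape_dn_value(v: str) -> str:
    """Escape an attribute value that is placed inside a DN (RFC 4514)."""
    v = re.sub(r'([\\,+"<>;=])', r"\\\1", v)
    if v.startswith(("#", " ")):
        v = "\\" + v
    if v.endswith(" "):
        v = v[:-1] + "\\ "
    return v

def escape_filter_value(v: str) -> str:
    """Escape an assertion value placed in a search filter (RFC 4515)."""
    for ch, esc in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"),
                    (")", "\\29"), ("\x00", "\\00")):
        v = v.replace(ch, esc)
    return v

def lint(props: dict) -> list:
    """Findings for the AD type: the bind DN must follow the login name."""
    findings = []
    if "%s" not in props.get("cas.authn.ldap[0].dnFormat", ""):
        findings.append("dnFormat has no %s: every login binds as one fixed DN")
    if "cas.authn.ldap[0].bindDn" in props:
        findings.append("bindDn set, but the AD type binds as the end user")
    return findings

def render(props: dict, user: str) -> tuple:
    """(bind DN, substituted filter) CAS would build for one login name."""
    dn = props["cas.authn.ldap[0].dnFormat"].replace("%s", escape_dn_value(user))
    flt = props["cas.authn.ldap[0].userFilter"].replace("{user}", escape_filter_value(user))
    return dn, flt
```

With the posted dnFormat, render() yields the same DN for every login name, which is exactly why only user1 could authenticate.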

On Fri, Feb 23, 2018 at 12:44 PM, Kevin Liu <annihil8...@gmail.com> wrote:

> I finally got it to talk to my LDAP! I've realized I should also put that
> my LDAP is really a MSDN. It is in a very limited capacity though. Here is
> my cas.properties and I hope someone can help me figure out how to expand
> the scope of authentication. My apologies about the obfuscation.
>
> #AD Configurations
> cas.authn.ldap[0].type=AD
> cas.authn.ldap[0].ldapUrl=ldap://ladpserver:389
> cas.authn.ldap[0].useSsl=false
> cas.authn.ldap[0].useStartTls=false
> cas.authn.ldap[0].connectTimeout=5000
> cas.authn.ldap[0].subtreeSearch=true
> cas.authn.ldap[0].baseDn=dc=beta,dc=gamma
> cas.authn.ldap[0].userFilter=cn={user}
> cas.authn.ldap[0].bindDn=user1@beta.gamma
> cas.authn.ldap[0].bindCredential=user1Password
> cas.authn.ldap[0].dnFormat=CN=User 1,OU=Test,OU=alpha,DC=beta,DC=gamma
>
> This configuration only works for 1 user, user1. How do I expand it such
> that any user can input their credentials for validation?
> Also interesting, for user1, they can input either user1 or
> user1@beta.gamma and be able to login with the correct password.
>
>
>
>
> On Friday, February 23, 2018 at 9:17:02 AM UTC-6, David Curry wrote:
>>
>> Yes, that looks like your DN.
>>
>> But if CAS is not starting, it's something else. Are you using 5.2.2? Can
>> you post your pom.xml and cas.log files as attachments?
>>
>>
>>
>>
>> On Fri, Feb 23, 2018 at 9:56 AM, Kevin Liu <annih...@gmail.com> wrote:
>>
>>> For my own account, when I execute the LDAP query in my first post, I
>>> can't see my own DN but I can see what I'm a member of. Is the listed
>>> member field my DN?
>>>
>>> member: CN=Kevin Liu,OU=Delta,OU=Alpha,DC=Beta,DC=Gamma
>>>
>>> Would this be my DN?
>>>
>>> On Friday, February 23, 2018 at 6:17:22 AM UTC-6, alberto wrote:
>>>>
>>>> On Thu, 22 Feb 2018 13:43:05 -0800 (PST)
>>>> Kevin Liu <annih...@gmail.com> wrote:
>>>>
>>>> > Correct me if I'm wrong but looking at the directory, not everyone
>>>> > has a DN. Some users are only members of a group it looks like.
>>>>
>>>> I don't think so. DN is the ultimate identifier in LDAP/AD. As stated
>>>> in MSDN: «The LDAP API references an LDAP object by its distinguished
>>>> name (DN)». Even a group have a DN so you can perform operations on it.
>>>>
>>>> ( Source: https://msdn.microsoft.com/en-us/library/aa366101(v=vs.85).aspx )
>>>>
>>>> --
>>>> Alberto Cabello Sánchez
>>>> Servicio de Informática
>>>> Universidad de Extremadura
>>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to cas-user+u...@apereo.org.
>>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/4c960c01-c31d-4c3b-8386-c9dadafaf812%40apereo.org
>>>
>>
