It works for me with the following setup, in CAS6:
spnego:
name: Kerberos
order: 0
mixedModeAuthentication: true
supportedBrowsers: "MSIE,Trident,Firefox,AppleWebKit,curl"
ipsToCheckPattern: .*
principal:
principalAttribute: "sAMAccountName"
system:
kerberosConf: "file:/data/cas/conf/krb5.conf"
loginConf: "file:/data/cas/conf/login.conf"
kerberosDebug: false
properties:
-
jcifsServicePrincipal: "HTTP/host@REALM"
attributeRepository:
ldap:
-
name: AdRealm
# workaroud for
https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8217606
providerClass:
org.ldaptive.provider.unboundid.UnboundIDProvider
ldapUrl: ldaps://ldap.realm <ldaps://ldap.realm>.com
bindDn: "serviceAccount"
baseDn: ou=...,DC=...
searchFilter: "sAMAccountName={user}"
trustCertificates:
"file:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
attributes:
displayName: name
givenName: firstName
sn: lastName
ou: ou
uid: uid
mail: mail
sAMAccountName: sAMAccountName
...
personDirectory:
principalAttribute: "sAMAccountName"
useExistingPrincipalId: true
principalResolutionFailureFatal: true
I'm not sure about personDirectory. The documentation about that feature is a
(bad) joke, so I never quit understood what those arguments do.
And I have an application-secrets.yml to store secrets:
cas:
authn:
attributeRepository:
ldap:
- bindCredential: "SomeCredentials"
> Le 22 août 2019 à 12:30, Sparadrus (FR) <sparad...@gmail.com> a écrit :
>
> NOTICE : The sender of this email is external to 3DS. Be wary of the content
> and do not open unexpected attachments or links.
>
> Hi,
> When my users login manually from CAS, attributes from AD are correctly
> retrieved and pass to my webapp. But with SPNEGO automatic login, i don't see
> on cas.log the attributes and my webapp (nextcloud) don't update user
> information (displayName, mail, memberOf). I don't see any row on apereo
> documentation who permit retrieve attributes from SPNEGO... Maybe I does
> create a service file specially for SPNEGO..?
> If you have any idea :)
> Thanks at all ;)
>
>
> SPENGO section from cas.properties :
>
> cas.authn.spnego.kerberosConf=file:/etc/krb5.conf
> cas.authn.spnego.mixedModeAuthentication=true
> cas.authn.spnego.cachePolicy=600
> cas.authn.spnego.timeout=300000
> cas.authn.spnego.jcifsServicePrincipal=HTTP/authentification.mydomain...@domain.lan
> cas.authn.spnego.jcifsServicePassword=MyPassWord
> cas.authn.spnego.loginConf=file:/etc/cas/config/login.conf
> cas.authn.spnego.ntlmAllowed=false
> cas.authn.spnego.supportedBrowsers=MSIE,Trident,Firefox,AppleWebKit
> cas.authn.spnego.hostNameClientActionStrategy=baseSpnegoClientAction
> cas.authn.spnego.kerberosKdc=192.168.0.1
> cas.authn.spnego.ipsToCheckPattern=10.+
> cas.authn.spnego.kerberosDebug=true
> cas.authn.spnego.kerberosRealm=DOMAIN.LAN
> cas.authn.spnego.send401OnAuthenticationFailure=true
> # cas.authn.spnego.jcifsNetbiosWins=
> # cas.authn.spnego.hostNamePatternString=.+
> # cas.authn.spnego.jcifsUsername=
> # cas.authn.spnego.useSubjectCredsOnly=false
> # cas.authn.spnego.jcifsDomainController=
> # cas.authn.spnego.dnsTimeout=2000
> # cas.authn.spnego.alternativeRemoteHostAttribute=alternateRemoteHeader
> # cas.authn.spnego.jcifsDomain=
> # cas.authn.spnego.ntlm=false
> cas.authn.spnego.principalWithDomainName=false
> # cas.authn.spnego.jcifsPassword=
> cas.authn.spnego.spnegoAttributeName=sAMAccountName
> # cas.authn.spnego.name=DOMAIN.LAN
> cas.authn.spnego.principal.principalAttribute=sAMAccountName
> # cas.authn.spnego.principal.returnNull=false
>
> And the section for AD :
>
> cas.authn.ldap[1].type=AD
> cas.authn.ldap[1].ldapUrl=ldap://10.0.0.1
> cas.authn.ldap[1].useSsl=false
> cas.authn.ldap[1].useStartTls=false
> cas.authn.ldap[1].connectTimeout=5000
> cas.authn.ldap[1].baseDn=DC=DOMAIN1,DC=LAN
> cas.authn.ldap[1].bindDn=DOMAIN1\\mylogin
> cas.authn.ldap[1].bindCredential=MyBindPassword
> cas.authn.ldap[1].principalAttributeId=sAMAccountName
> cas.authn.ldap[1].principalAttributePassword=unicodePwd
> cas.authn.ldap[1].principalAttributeList=sAMAccountName,sn,cn,givenName,displayName,mail,memberOf
> cas.authn.ldap[1].userFilter=(sAMAccountName={user})
> cas.authn.ldap[1].dnFormat=%s...@mydomain1.lan
> cas.authn.ldap[1].allowMultiplePrincipalAttributeValues=true
> cas.authn.ldap[1].subtreeSearch=true
> cas.authn.ldap[1].usePasswordPolicy=false
> cas.authn.ldap[1].failFast=false
>
> --
> - Website: https://apereo.github.io/cas <https://apereo.github.io/cas>
> - Gitter Chatroom: https://gitter.im/apereo/cas <https://gitter.im/apereo/cas>
> - List Guidelines: https://goo.gl/1VRrw7 <https://goo.gl/1VRrw7>
> - Contributions: https://goo.gl/mh7qDG <https://goo.gl/mh7qDG>
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org
> <mailto:cas-user+unsubscr...@apereo.org>.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/6b211705-5ccd-496a-88f3-5637344f5604%40apereo.org
>
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/6b211705-5ccd-496a-88f3-5637344f5604%40apereo.org?utm_medium=email&utm_source=footer>.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/93F601E7-3A9B-4360-9400-5C535879D964%40gmail.com.
