My guess is that the bind user is going to ignore the base DN as it happens before the search is done. As for the rest, it likely should follow the base DN. You may have something effectively double defined there that is causing it to work outside. I'm not sure what the dnFormat parameter does. You'll want to refer to the ldaptive documentation as to what those various values do:
http://www.ldaptive.org/v1/

Note that you'll want to list your DCs separately instead of just the one name to get failover. Also, you have subtree search on, so it will search in Users.

On Wed, 2021-03-31 at 12:51 -0700, Alcides Moraes wrote:

Hello group,

We have a working installation of CAS 5.2.9 authenticating against Active Directory. However, we have noticed we are able to authenticate using credentials of a user outside the BaseDN, including the bind user. How can we fix this?

Below are my authn.ldap configuration entries:

    ldap[0]:
      baseDn: OU=Users,DC=domain3,DC=domain2,DC=domain1
      bindCredential: bindpassword
      bindDn: bind
      blockWaitTime: 5000
      connectTimeout: 5000
      dnFormat: '%[email protected]'
      failFast: true
      idleTime: 5000
      ldapUrl: ldap://adserver
      maxPoolSize: 10
      minPoolSize: 3
      principalAttributeId: sAMAccountName
      principalAttributeList: sAMAccountName,displayName,givenName,mail,distinguishedName
      prunePeriod: 5000
      subtreeSearch: true
      type: AD
      useSsl: false
      useStartTls: false
      userFilter: (sAMAccountName={user})
      validateOnCheckout: true
      validatePeriod: 600
      validatePeriodically: true

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/2d867109d751ede146152a1bc67d1069cde5ce16.camel%40ndsu.edu.
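An added example, not from either message in the thread: a standalone Python check that a resolved distinguishedName (one of the attributes in the principalAttributeList above) actually lies under the configured baseDn, both with subtree search on and with a one-level restriction. The sample DNs, including the bind account's DN, are constructed placeholders and not values from the thread.

```python
"""Check whether an LDAP DN lies under a configured baseDn.

All sample DNs below are constructed for illustration; the bind account
DN in particular is a placeholder, not the poster's real entry.
"""
from __future__ import annotations

BASE_DN = "OU=Users,DC=domain3,DC=domain2,DC=domain1"  # from the posted config


def split_rdns(dn: str) -> list[str]:
    """Split a DN on commas while honouring backslash-escaped commas."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    return rdns


def normalize_dn(dn: str) -> list[str]:
    """Normalize each RDN to 'type=value' with AD-style case-insensitive folding."""
    out = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return out


def is_under_base(dn: str, base_dn: str = BASE_DN, subtree: bool = True) -> bool:
    """True if dn sits strictly below base_dn.

    subtree=True mirrors subtreeSearch: true (any depth below the base).
    subtree=False accepts only entries exactly one level below the base.
    """
    parts, base = normalize_dn(dn), normalize_dn(base_dn)
    if len(parts) <= len(base) or parts[-len(base):] != base:
        return False
    return subtree or len(parts) == len(base) + 1


def outsiders(dns: list[str], base_dn: str = BASE_DN) -> list[str]:
    """Return the DNs that authenticated but do not live under base_dn."""
    return [dn for dn in dns if not is_under_base(dn, base_dn)]
```

Feeding the distinguishedName attribute of each authenticated principal to outsiders() surfaces exactly the accounts the original poster was surprised to see succeed, such as a bind account kept outside OU=Users.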
