So, I turned on ldaptive trace logs and inspected the CAS source code to figure it out.

If you use authentication type AD, ldaptive does not use the baseDn to authenticate, only the dnFormat parameter. So AD authenticates [email protected] regardless of baseDN. CAS then searches for the user using userFilter AFTER the authentication. This fails since the user is not inside baseDn. However, this is ok for CAS, which only logs that the attributes for the object could not be found, but authentication succeeds. Changing authentication type to AUTHENTICATED (and removing the dnFormat property) makes CAS search for the user with userFilter and baseDN BEFORE authentication, limiting the users able to authenticate.

On Wednesday, March 31, 2021 at 17:33:04 UTC-3, Alcides Moraes wrote:
> Hello Richard, thanks for replying.
>
> dnFormat is required for AD type authentication, CAS will not start
> without it. The value "[email protected]" apparently is the default for
> ADs that authenticate with sAMAccountName; I have seen many examples here
> like this.
>
> I have tested other users outside the OU=Users and they are being
> authenticated. Subtree is desired, I have other OUs inside OU=Users.
>
> On Wednesday, March 31, 2021 at 17:16:41 UTC-3, richard.frovarp wrote:
>
>> My guess is that the bind user is going to ignore the base DN as it
>> happens before the search is done. As for the rest, it likely should follow
>> the base DN. You may have something effectively double defined there that
>> is causing it to work outside. I'm not sure what the dnFormat parameter
>> does. You'll want to refer to the ldaptive documentation as to what those
>> various values do:
>>
>> http://www.ldaptive.org/v1/
>>
>> Note that you'll want to list your DCs separately instead of just the one
>> name to get failover. Also, you have subtree search on, so it will search
>> in Users.
>>
>> On Wed, 2021-03-31 at 12:51 -0700, Alcides Moraes wrote:
>>
>> Hello group,
>>
>> We have a working installation of CAS 5.2.9 authenticating against Active
>> Directory.
>>
>> However, we have noticed we are able to authenticate using credentials of
>> a user outside the BaseDN, including the bind user. How can we fix this?
>> Below are my authn.ldap configuration entries:
>>
>> ldap[0]:
>>   baseDn: OU=Users,DC=domain3,DC=domain2,DC=domain1
>>   bindCredential: bindpassword
>>   bindDn: bind
>>   blockWaitTime: 5000
>>   connectTimeout: 5000
>>   dnFormat: '%[email protected]'
>>   failFast: true
>>   idleTime: 5000
>>   ldapUrl: ldap://adserver
>>   maxPoolSize: 10
>>   minPoolSize: 3
>>   principalAttributeId: sAMAccountName
>>   principalAttributeList: sAMAccountName,displayName,givenName,mail,distinguishedName
>>   prunePeriod: 5000
>>   subtreeSearch: true
>>   type: AD
>>   useSsl: false
>>   useStartTls: false
>>   userFilter: (sAMAccountName={user})
>>   validateOnCheckout: true
>>   validatePeriod: 600
>>   validatePeriodically: true
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/027eea47-acdb-41a4-95d3-62171904fe83n%40apereo.org.
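The corrected authn.ldap entry that the reply at the top describes, written out as an added example (it is not configuration posted in the thread): type switched from AD to AUTHENTICATED and dnFormat removed, so CAS resolves the user's DN with userFilter under baseDn before it binds. The hostnames dc1/dc2 are placeholders, following richard.frovarp's advice to list each DC separately for failover; all other values are the ones from the original post.

```yaml
# Added example, not from the thread: authn.ldap entry changed so that the
# search under baseDn happens BEFORE the bind, as explained in the reply above.
ldap[0]:
  # AUTHENTICATED: CAS first searches for {user} with userFilter under baseDn
  # (as the bind account), then binds as the DN it found. An account outside
  # OU=Users is never found, so no bind is attempted and login fails.
  type: AUTHENTICATED
  # dnFormat is intentionally absent. With type AD it was the only input to
  # the bind, which is why accounts outside baseDn (and the bind user itself)
  # could log in; the baseDn-scoped search only ran afterwards, for attributes.
  baseDn: OU=Users,DC=domain3,DC=domain2,DC=domain1
  subtreeSearch: true
  userFilter: (sAMAccountName={user})
  bindDn: bind
  bindCredential: bindpassword
  # Placeholder hostnames: one URL per DC, space separated, so ldaptive can
  # fail over instead of depending on a single name.
  ldapUrl: ldap://dc1.domain1 ldap://dc2.domain1
  principalAttributeId: sAMAccountName
  principalAttributeList: sAMAccountName,displayName,givenName,mail,distinguishedName
  failFast: true
  validateOnCheckout: true
  validatePeriodically: true
  validatePeriod: 600
```

To confirm the change took effect, log in as an account that lives outside OU=Users with the ldaptive trace logging mentioned above enabled: with type AD you saw a successful bind followed by a "attributes could not be found" message, with AUTHENTICATED the search returns no entry and the login is rejected before any bind as that user.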
