Mike, I did notice this while going over the instructions:

"The following configuration authenticates users by sAMAccountName without performing a search, which requires manager/administrator credentials in most cases". Is that something special you can do in A/D since sAMAccountName is guaranteed to be unique in the domain? With typical LDAP authN, you need to do a search to get the full DN and then BIND as that DN.

Still poking around ...

Thanks,
Carl

----- Original Message -----
From: "Mike Seiler" <michaelsei...@fuller.edu>
To: cas-user@lists.jasig.org
Sent: Tuesday, June 30, 2015 3:39:02 PM
Subject: Re: [cas-user] Help with CAS 4.0 & AD

Here's my cas.properties info:

#========================================
# General properties
#========================================
ldap.url=ldaps://id.fuller.edu
ldap.connectTimeout=3000
ldap.useStartTLS=false

#========================================
# LDAP connection pool configuration
#========================================
ldap.pool.minSize=3
ldap.pool.maxSize=10
ldap.pool.validateOnCheckout=false
ldap.pool.validatePeriodically=true
ldap.pool.blockWaitTime=3000
ldap.pool.validatePeriod=300
ldap.pool.prunePeriod=300
ldap.pool.idleTime=600

#========================================
# Authentication
#========================================
# Base DN of users to be authenticated
ldap.baseDn=ou=fuller,DC=id,DC=fuller,DC=edu
# the CN=Users here because the CASADMIN is outside the "ou" we put our normal users into.
ldap.authn.managerDN=CN=CASADMIN,CN=Users,DC=id,DC=fuller,DC=edu
ldap.authn.managerPassword=XXXXXXXX
ldap.domain=fuller.edu
ldap.trustedCert=file:/etc/cas/id_app.pem
# [The cut and paste deployer config doesn't actually use the below, but I modified them anyway]
ldap.authn.searchFilter=(sAMAccountName=%s)
ldap.authn.format=%s...@fuller.edu

Thanks for taking a look at this.

On Tue, Jun 30, 2015 at 12:06 PM, Waldbieser, Carl <waldb...@lafayette.edu> wrote:
> Mike,
>
> Could you post the non-sensitive parts of your LDAP configuration?
> We are using CAS 3.x and using OpenLDAP so it is not necessarily a good
> match, but our settings look like:
>
> # == LDAP Authentication settings ==
> ldap.authentication.filter=uid=%u
> ldap.authentication.server.urls=ldaps://ldap.lafayette.edu
> ldap.authentication.basedn=O=lafayette
> ldap.authentication.manager.userdn=cn=casbrowser,o=lafayette
> ldap.authentication.manager.password=REDACTED
> ldap.authentication.ignorePartialResultException=true
> ldap.authentication.scope=2
> ldap.authentication.jndi.connect.timeout=3000
> ldap.authentication.jndi.read.timeout=3000
> ldap.authentication.jndi.security.level=simple
>
> Thanks,
> Carl
>
> ----- Original Message -----
> From: "Mike Seiler" <michaelsei...@fuller.edu>
> To: cas-user@lists.jasig.org
> Sent: Tuesday, June 30, 2015 2:44:32 PM
> Subject: Re: [cas-user] Help with CAS 4.0 & AD
>
> The AD is set to allow global search by all authenticated users; anything
> else (resetting password, etc) requires the administrator credentials - but
> we don't use the Password Manager in CAS - we do that externally via other
> apps. All we need is to determine that a user's account authenticates and
> pass the attributes on to other applications.
>
> I'm using the deployerConfigContext defined here:
>
> http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html#active_directory_authentication
> (The first code sample, which says "The following configuration
> authenticates users by sAMAccountName without performing a search, which
> requires manager/administrator credentials in most cases. It is therefore
> the most performant and secure solution for the typical Active Directory
> deployment.")
>
> *From the command line:* I am able to do an ldapsearch using my own
> credentials (and looking up another user), and, of course, I am also able
> to do a search for another user using the Admin credentials:
>
> ldapsearch -x -H ldaps://id.fuller.edu -b
> "ou=fuller,dc=id,dc=fuller,dc=edu" -D "admin_acco...@id.fuller.edu" -w
> "admin_password" "(sAMAccountName=michaelseiler)" cn sn displayName
> sAMAccountName pwdLastSet lastLogon mail memberof
>
> With either the admin credentials or my own, I get all requested data back
> from the server, but with CAS the validation of my own personal account
> credentials fails, and all I can seem to get from the error logs is that my
> own personal credentials are invalid -- even though I can use them from the
> command line and retrieve data for any user.
>
> It seems that this is a configuration error in CAS, but the error logs are
> insufficient to help debug this.
>
> Setting up a proxy to track down issues is beyond my knowledge. If there
> is other documentation on setting up CAS 4.0 with LDAP that doesn't use the
> Maven overlay method or the cut-and-paste code from the above URL, I'd be
> happy to try that out at this point.
>
> --
> You are currently subscribed to cas-user@lists.jasig.org as:
> waldb...@lafayette.edu
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user

--
*Michael Seiler*
Systems Integration Engineer
Fuller Theological Seminary
michaelsei...@fuller.edu
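The two flows Carl contrasts above, as an added example that is not part of this thread or of CAS itself: the AD-style direct bind, where the UPN is built from the username and ldap.domain (the `%s@fuller.edu` format is assumed here) and no manager or search is involved, beside the generic search-then-bind flow that binds as ldap.authn.managerDN, resolves the user's DN under ldap.baseDn with ldap.authn.searchFilter, and rebinds as that DN. The in-memory directory, its passwords and the `escape_filter_value` helper are constructed for this example; they stand in for a real LDAP client and server.

```python
import re
from dataclasses import dataclass

@dataclass
class FakeAD:  # constructed in-memory stand-in for the AD server: DN -> (password, attrs)
    entries: dict

    def bind(self, name, password):
        # AD accepts either a full DN or a UPN (sAMAccountName@domain) as the bind name.
        for dn, (pw, attrs) in self.entries.items():
            if name.lower() in (dn.lower(), attrs.get("userPrincipalName", "").lower()):
                return pw == password
        return False

    def search(self, base_dn, ldap_filter):
        # Only an equality filter "(attr=value)" with RFC 4515 "\XX" escapes is supported.
        m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
        if not m:
            raise ValueError("unsupported filter: %s" % ldap_filter)
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), m.group(2))
        return [dn for dn, (_, attrs) in self.entries.items()
                if dn.lower().endswith(base_dn.lower())
                and attrs.get(m.group(1), "").lower() == value.lower()]

def escape_filter_value(value):
    """RFC 4515 escaping, so the %s substituted into searchFilter is taken literally."""
    return "".join(c if c not in "\\*()\0" else "\\%02x" % ord(c) for c in value)

def authenticate_direct_bind(ad, username, password, upn_format="%s@fuller.edu"):
    """AD path: build the UPN from ldap.domain (assumed format) and bind; no manager, no search."""
    return ad.bind(upn_format % username, password)

def authenticate_search_then_bind(ad, username, password, manager_dn, manager_pw,
                                  base_dn, filter_template="(sAMAccountName=%s)"):
    """Generic LDAP path: bind as the manager, resolve the DN, then bind as that DN."""
    if not ad.bind(manager_dn, manager_pw):
        return False
    matches = ad.search(base_dn, filter_template % escape_filter_value(username))
    if len(matches) != 1:  # zero or ambiguous results fail closed
        return False
    return ad.bind(matches[0], password)

# Constructed directory using the DNs from the thread; passwords are placeholders.
DIRECTORY = FakeAD({
    "CN=CASADMIN,CN=Users,DC=id,DC=fuller,DC=edu": ("manager-secret", {"sAMAccountName": "CASADMIN"}),
    "CN=Michael Seiler,OU=fuller,DC=id,DC=fuller,DC=edu": ("user-secret", {
        "sAMAccountName": "michaelseiler", "userPrincipalName": "michaelseiler@fuller.edu"}),
})
```

Note that the search-then-bind path rejects a user whose DN lies outside ldap.baseDn, which is why the CASADMIN account in CN=Users is bound as the manager but cannot itself be resolved under ou=fuller.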