Carl,

All of our users are in fact in one distinct OU in the AD (ou=fuller), and
we then manage web access by the "memberOf" attribute in each of our
individual external apps (e.g. StudentMembers, AlumMembers,
EmployeeMembers, etc).  Right now, these apps only get the username from
CAS -- and not the full attributes list -- and then have to perform a
separate query to the AD to get the membership attribute for the
authorization portion of logging in to the particular app.

I was hoping to bypass all that with v4.0's attribute mapping (among other
added benefits), which is why I'm building out this new server.  It would
give us a smaller maintenance footprint (fewer firewall mods, fewer
certificate installs, fewer network calls, etc.); I know that the attribute
mapping is possible in 3.5 (with some additional modifications), so I may
just revert back to tinkering with a test instance of the current set up
instead.

Thanks,

Mike

On Tue, Jun 30, 2015 at 2:03 PM, Waldbieser, Carl <waldb...@lafayette.edu>
wrote:

> Mike,
>
> I think the key part is "without performing a search" in the quote I
> pulled from the A/D section.
> I am not sure how that is possible in traditional LDAP unless all the
> accounts are in a single ou that has been configured beforehand.
> Our LDAP DIT is "context-crazy" aka "bushy", with accounts for different
> departments in different ous.
>
> I am not sure how that would work using LDAP.  Could just be something
> unclear in the text, though.
>
> Thanks,
> Carl
>
> ----- Original Message -----
> From: "Mike Seiler" <michaelsei...@fuller.edu>
> To: cas-user@lists.jasig.org
> Sent: Tuesday, June 30, 2015 4:59:00 PM
> Subject: Re: [cas-user] Help with CAS 4.0 & AD
>
> Carl,
>
> Our current CAS server (3.5.2) simply binds as the manager and then
> authenticates the user from the AD with a search.  To me, that first
> paragraph & sample code seems to suggest that it does the same thing -
> using only the manager credentials to authenticate the user.
>
> Thanks,
>
> Mike
>
> On Tue, Jun 30, 2015 at 1:17 PM, Waldbieser, Carl <waldb...@lafayette.edu>
> wrote:
>
> > Mike,
> >
> > I did notice this while going over the instructions:
> >
> >   "The following configuration authenticates users by sAMAccountName
> > without performing a search, which requires manager/administrator
> > credentials in most cases".
> >
> >   Is that something special you can do in A/D since sAMAccountName is
> > guaranteed to be unique in the domain?  With typical LDAP authN, you need
> > to do a search to get the full DN and then BIND as that DN.
> >
> > Still poking around ...
> >
> > Thanks,
> > Carl
> >
> > ----- Original Message -----
> > From: "Mike Seiler" <michaelsei...@fuller.edu>
> > To: cas-user@lists.jasig.org
> > Sent: Tuesday, June 30, 2015 3:39:02 PM
> > Subject: Re: [cas-user] Help with CAS 4.0 & AD
> >
> > Here's my cas.properties info:
> > #========================================
> > # General properties
> > #========================================
> > ldap.url=ldaps://id.fuller.edu
> > ldap.connectTimeout=3000
> > ldap.useStartTLS=false
> >
> > #========================================
> > # LDAP connection pool configuration
> > #========================================
> > ldap.pool.minSize=3
> > ldap.pool.maxSize=10
> > ldap.pool.validateOnCheckout=false
> > ldap.pool.validatePeriodically=true
> > ldap.pool.blockWaitTime=3000
> > ldap.pool.validatePeriod=300
> > ldap.pool.prunePeriod=300
> > ldap.pool.idleTime=600
> >
> > #========================================
> > # Authentication
> > #========================================
> > # Base DN of users to be authenticated
> > ldap.baseDn=ou=fuller,DC=id,DC=fuller,DC=edu
> > # the CN=Users here because the CASADMIN is outside the "ou" we put our normal users into.
> > ldap.authn.managerDN=CN=CASADMIN,CN=Users,DC=id,DC=fuller,DC=edu
> > ldap.authn.managerPassword=XXXXXXXX
> > ldap.domain=fuller.edu
> > ldap.trustedCert=file:/etc/cas/id_app.pem
> > # [The cut and paste deployer config doesn't actually use the below, but I modified them anyway]
> > ldap.authn.searchFilter=(sAMAccountName=%s)
> > ldap.authn.format=%s...@fuller.edu
> >
> > Thanks for taking a look at this.
> >
> > On Tue, Jun 30, 2015 at 12:06 PM, Waldbieser, Carl <waldb...@lafayette.edu>
> > wrote:
> >
> > > Mike,
> > >
> > > Could you post the non-sensitive parts of your LDAP configuration?
> > > We are using CAS 3.x and using OpenLDAP so it is not necessarily a good
> > > match, but our settings look like:
> > >
> > > # == LDAP Authentication settings ==
> > > ldap.authentication.filter=uid=%u
> > > ldap.authentication.server.urls=ldaps://ldap.lafayette.edu
> > > ldap.authentication.basedn=O=lafayette
> > > ldap.authentication.manager.userdn=cn=casbrowser,o=lafayette
> > > ldap.authentication.manager.password=REDACTED
> > > ldap.authentication.ignorePartialResultException=true
> > > ldap.authentication.scope=2
> > > ldap.authentication.jndi.connect.timeout=3000
> > > ldap.authentication.jndi.read.timeout=3000
> > > ldap.authentication.jndi.security.level=simple
> > >
> > >
> > > Thanks,
> > > Carl
> > >
> > > ----- Original Message -----
> > > From: "Mike Seiler" <michaelsei...@fuller.edu>
> > > To: cas-user@lists.jasig.org
> > > Sent: Tuesday, June 30, 2015 2:44:32 PM
> > > Subject: Re: [cas-user] Help with CAS 4.0 & AD
> > >
> > > The AD is set to allow global search by all authenticated users; anything
> > > else (resetting password, etc) requires the administrator credentials -
> > > but we don't use the Password Manager in CAS - we do that externally via
> > > other apps.  All we need is to determine that a user's account
> > > authenticates and pass the attributes on to other applications.
> > >
> > > I'm using the deployerConfigContext defined here:
> > > http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html#active_directory_authentication
> > > (The first code sample, which says "The following configuration
> > > authenticates users by sAMAccountName without performing a search, which
> > > requires manager/administrator credentials in most cases. It is therefore
> > > the most performant and secure solution for the typical Active Directory
> > > deployment.")
> > >
> > > *From the command line:* I am able to do an ldapsearch using my own
> > > credentials (and looking up another user), and, of course, I am also
> > > able to do a search for another user using the Admin credentials:
> > >
> > > ldapsearch -x -H ldaps://id.fuller.edu  -b
> > > "ou=fuller,dc=id,dc=fuller,dc=edu" -D "admin_acco...@id.fuller.edu" -w
> > > "admin_password" "(sAMAccountName=michaelseiler)" cn sn displayName
> > > sAMAccountName pwdLastSet lastLogon mail memberof
> > >
> > > With either the admin credentials or my own, I get all requested data
> > > back from the server, but with CAS the validation of my own personal
> > > account credentials fails, and all I can seem to get from the error logs
> > > is that my own personal credentials are invalid -- even though I can use
> > > them from the command line and retrieve data for any user.
> > >
> > > It seems that this is a configuration error in CAS, but the error logs
> > > are insufficient to help debug this.
> > >
> > > Setting up a proxy to track down issues is beyond my knowledge.  If
> > > there is other documentation on setting up CAS 4.0 with LDAP that doesn't
> > > use the Maven overlay method or the cut-and-paste code from the above
> > > URL, I'd be happy to try that out at this point.
> > >
> > > --
> > > You are currently subscribed to cas-user@lists.jasig.org as:
> > > waldb...@lafayette.edu
> > > To unsubscribe, change settings or access archives, see
> > > http://www.ja-sig.org/wiki/display/JSG/cas-user
> > >
> > >
> >
> >
> >
> > --
> > *Michael Seiler*
> > --------------------------------------------------
> > Systems Integration Engineer
> > Fuller Theological Seminary
> > Phone: (970) 306-6105
> > michaelsei...@fuller.edu
> >
> > *Fuller Summer Hours:* Please note that all Fuller offices will be closed
> > on Fridays from 7/3-8/28
> > *Mike's Vacation Notice:* From 7/3-8/28 I will also be taking Mondays off,
> > and will be out of the office for vacation 7/31 - 8/31
> >
> > *Please NOTE:*
> > I respond to email at 8 AM, 1PM, and at 4:30PM.  If you need more immediate
> > help, please contact TSS (626.584.5675) and they can route the issue to the
> > appropriate person.  If this is a business process life or death emergency,
> > you may call me at the above number.
> >
> >
>
>
>
>



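The thread turns on two ways CAS can authenticate against AD, the CAS 3.5 "bind as manager, search, then bind as the user" flow Mike describes and the CAS 4.0 AD "authenticate by sAMAccountName without performing a search" flow Carl quotes, and on what the external apps then do with the memberOf attribute. The following is an added example written for this page, not code from the thread or from the CAS project. It models both flows and the memberOf check against a constructed in-memory directory: the entries, passwords and group DNs are made up (the DNs follow the shapes in Mike's cas.properties), the bind/search behaviour is a deliberate simplification of AD (a simple bind accepts either a DN or a userPrincipalName; only `(attr=value)` filters are parsed), and all function names are hypothetical.

```python
"""Constructed model of the two CAS-to-AD authentication flows in the thread
(search-then-bind vs. direct bind by sAMAccountName/UPN) and of the memberOf
check the external apps perform. No live LDAP server is involved."""
import hmac
import re
from typing import Any, Dict, List, Optional

BASE_DN = "ou=fuller,DC=id,DC=fuller,DC=edu"                 # ldap.baseDn
MANAGER_DN = "CN=CASADMIN,CN=Users,DC=id,DC=fuller,DC=edu"  # ldap.authn.managerDN

# Constructed sample entries; the passwords are placeholders, not real secrets.
DIRECTORY: Dict[str, Dict[str, Any]] = {
    "CN=Michael Seiler,ou=fuller,DC=id,DC=fuller,DC=edu": dict(
        sAMAccountName="michaelseiler", userPrincipalName="michaelseiler@fuller.edu",
        memberOf=["CN=EmployeeMembers,OU=Groups,DC=id,DC=fuller,DC=edu"],
        _password="example-only-1"),
    "CN=Test Student,ou=fuller,DC=id,DC=fuller,DC=edu": dict(
        sAMAccountName="teststudent", userPrincipalName="teststudent@fuller.edu",
        memberOf=["CN=StudentMembers,OU=Groups,DC=id,DC=fuller,DC=edu"],
        _password="example-only-2"),
    # The manager lives under CN=Users, outside ou=fuller, as in Mike's config.
    MANAGER_DN: dict(
        sAMAccountName="CASADMIN", userPrincipalName="CASADMIN@id.fuller.edu",
        memberOf=[], _password="example-only-manager"),
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a filter template such
    as (sAMAccountName=%s): the login name cannot add wildcards or clauses."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def _attr(attrs: Dict[str, Any], name: str) -> str:
    """Case-insensitive attribute lookup, as LDAP attribute names are."""
    return str(next((v for k, v in attrs.items() if k.lower() == name.lower()), ""))

def _matches(pattern: str, value: str) -> bool:
    """Filter value match: unescaped '*' is a wildcard, '\\xx' a literal byte."""
    rx, i = "", 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 2 < len(pattern):
            rx += re.escape(chr(int(pattern[i + 1:i + 3], 16))); i += 3
        elif pattern[i] == "*":
            rx += ".*"; i += 1
        else:
            rx += re.escape(pattern[i]); i += 1
    return re.fullmatch(rx, value, re.IGNORECASE | re.DOTALL) is not None

def bind(name: str, password: str) -> Optional[str]:
    """Simple bind (simplified AD: a DN or a userPrincipalName is accepted as
    the bind name). Returns the entry DN on success, None on failure."""
    for dn, attrs in DIRECTORY.items():
        if name.lower() in (dn.lower(), _attr(attrs, "userPrincipalName").lower()):
            ok = hmac.compare_digest(_attr(attrs, "_password"), password)
            return dn if ok else None
    return None

def search(base_dn: str, ldap_filter: str) -> List[str]:
    """Subtree search; only simple (attr=value) filters are modelled."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("only (attr=value) filters are modelled here")
    base = base_dn.lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if (dn.lower() == base or dn.lower().endswith("," + base))
            and _matches(m.group(2), _attr(attrs, m.group(1)))]

def authn_search_then_bind(username: str, password: str, manager_pw: str) -> Optional[str]:
    """CAS 3.5-style flow: bind as the manager, search for the user's DN
    under ldap.baseDn with ldap.authn.searchFilter, then bind as that DN."""
    if bind(MANAGER_DN, manager_pw) is None:
        raise PermissionError("manager bind failed")
    hits = search(BASE_DN, "(sAMAccountName=%s)" % escape_filter_value(username))
    if len(hits) != 1:  # 0: unknown user; >1: ambiguous, refuse rather than guess
        return None
    return bind(hits[0], password)

def authn_direct_bind(username: str, password: str) -> Optional[str]:
    """The 'without performing a search' flow: format the login as a UPN
    (ldap.authn.format=%s@fuller.edu) and bind as it; no manager needed."""
    return bind("%s@fuller.edu" % username, password)

def group_cns(entry_dn: str) -> List[str]:
    """Lower-cased CNs taken from the entry's memberOf group DNs."""
    out = []
    for gdn in DIRECTORY[entry_dn]["memberOf"]:
        k, _, v = gdn.split(",", 1)[0].partition("=")
        if k.strip().lower() == "cn":
            out.append(v.strip().lower())
    return out

def authorize(entry_dn: Optional[str], required_group: str) -> bool:
    """What an external app does with memberOf after CAS hands it the user."""
    return entry_dn is not None and required_group.lower() in group_cns(entry_dn)

if __name__ == "__main__":
    dn = authn_direct_bind("michaelseiler", "example-only-1")
    print(dn, authorize(dn, "EmployeeMembers"), authorize(dn, "StudentMembers"))
```

Two points the model makes visible: the search-based path has a filter template into which the login name is substituted, so the value needs RFC 4515 escaping and the resolver should refuse anything other than exactly one hit, whereas the direct-bind path turns the login name into a bind name only and never builds a filter, which is why the CAS documentation quoted in the thread can describe it as not needing manager credentials. The manager entry sitting outside ldap.baseDn, as in Mike's configuration, is fine for the manager bind but means a search under that base will never return it.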