[cas-user] FW: [uportal-user] LDAP - AD Authentication

2013-09-19 Thread George Beitis
Dear all,
Actually, I am forwarding a question I asked on the uportal user list; someone 
here might be able to guide me with this.  I want to know if it is possible to 
construct a complex LDAP query to filter users based on anything other than 
something of the type "CN=u%,OU=testou,DC=somedomain,DC=com" when using 
fastbindldapauthenticationhandler, or if I should be using the 
bindldapauthenticationhandler and whether it would be possible to use proper LDAP 
filters with it.

Thank you

From: James Wennmacher [mailto:jwennmac...@unicon.net]
Sent: 19 September 2013 01:29
To: George Beitis
Cc: uportal-u...@lists.jasig.org
Subject: Re: [uportal-user] LDAP - AD Authentication

I assume you mean the configuration of the filter on 
org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler mentioned on 
https://wiki.jasig.org/display/UPM40/Configuring+the+Bundled+CAS+Server+to+Authenticate+Against+LDAP.

Per https://wiki.jasig.org/display/CASUM/LDAP, that is a string used to 
construct the DN that is used to bind to the LDAP server.  The page also 
references another handler, BindLdapAuthenticationHandler, that looks like it 
might use an LDAP filter to search first, then bind afterward.  If you have 
other questions, the CAS user group would probably be better at answering them, 
as they maintain that code.

I hope that helps.



James Wennmacher - Unicon

480.558.2420
On 09/16/2013 10:23 PM, George Beitis wrote:
Hi James,
That makes things clearer, thank you! I have another question regarding the filters 
used for LDAP authentication: are these filters proper LDAP queries?  The only 
thing I can get working as a filter is something along the lines of 
"CN=u%,OU=testou,DC=somedomain,DC=com", but I can't use the sAMAccountName, 
for example, or even a joint query of any sort.  Any help on this?

George

From: James Wennmacher [mailto:jwennmac...@unicon.net]
Sent: 13 September 2013 22:11
To: uportal-u...@lists.jasig.org
Cc: George Beitis
Subject: Re: [uportal-user] LDAP - AD Authentication

Do you have an external CAS server to authenticate against?  If you have an 
external CAS server, modify the filters/.properties to have the 
URL of the external CAS server.  That CAS server would need to be configured to 
authenticate against LDAP.

It sounds, though, that you don't have an external CAS server and you are using 
uPortal to present a login form that you want authenticated against AD.  
deployerConfigContext.xml is to configure the internal CAS server to 
authenticate against a source (an internal database, or in your case an external 
LDAP).  ldapContext.xml sets up an LDAP context that can be used by the 
internal login page to authenticate against.  It also sets up an ldapContext 
that the PersonDirectory uses to obtain person attributes for the logged-in 
person.  If I'm understanding you, you would want both of these to refer to 
LDAP, as these are separate processes.

You've probably already referred to these, but for more information, see
https://wiki.jasig.org/display/UPM40/CAS
https://wiki.jasig.org/display/UPM40/Active+Directory
https://wiki.jasig.org/display/UPM40/Default+Person+Directory+configuration
https://wiki.jasig.org/display/UPM40/LDAP+User+Attribute+Sources

Note that the internal CAS server isn't really providing CAS SSO capability for 
you (you'd use an external CAS server for that) but simply a login page so you 
could just display the internal login portlet on your guest/unauthenticated 
page to request username/password and have the login portlet authenticate 
against AD.  See Step 6 at 
https://wiki.jasig.org/display/UPM40/Active+Directory.

I hope this clarifies things.
James Wennmacher
Unicon
480.558.2420
On 09/13/2013 12:38 AM, George Beitis wrote:
Dear all,
I need something clarified.  When authenticating against an Active Directory 
server, we are given 2 options: either CAS or what appears to be the inbuilt 
method.  I somehow configured both, so I am not sure which one is doing what.  I am 
directed to the /cas/login page, which I assume takes precedence.  Is my 
assumption correct?  Should I remove all configuration from the ldapContext.xml 
file? Or stick to the configuration there and remove all configuration from the 
deployerConfigContext.xml overlay file?  And if so, where will the user be 
logging in from?  The same CAS page?

Regards
George



 --



You are currently subscribed to 
uportal-u...@lists.ja-sig.org as: 
jwennmac...@unicon.net

To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/uportal-user



-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Re: [cas-user] FW: [uportal-user] LDAP - AD Authentication

2013-09-19 Thread Marvin S. Addison

> possible to construct a complex ldap query to filter users based on
> anything other than something of the type
> “CN=u%,OU=testou,DC=somedomain,DC=com” when using
> fastbindldapauthenticationhandler.


No, not possible. You're actually constructing the bind DN via string
replacement, so in strict terms it's not an LDAP query filter.

You have to use BindLdapAuthenticationHandler to do complex filtering.
I've seen a number of interesting queries over the years; you should be
able to do what you want. Let us know if you need help formulating a query.

M
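The distinction Marvin draws above, as an added example that is not code from CAS, uPortal or the thread: a FastBind-style handler only splices the username into a DN template, while a filter-based bind handler searches with a real LDAP filter (sAMAccountName, a joint "&" query) and then binds as the single DN found. The directory, user names and group DNs are constructed stand-ins, and the two escape functions show why a username must be escaped differently depending on whether it lands in a DN or in a filter.

```python
"""Added example (not CAS/uPortal code): FastBind-style DN templating next to the
search-then-bind style a filter-based handler uses.  The directory is a
constructed stand-in for AD; the filter evaluator covers only =, &, | and !."""
import re

DIRECTORY = {  # constructed sample entries (hypothetical users and groups)
    "CN=jdoe,OU=testou,DC=somedomain,DC=com": {
        "sAMAccountName": "jdoe", "memberOf": "CN=portal-users,OU=groups,DC=somedomain,DC=com"},
    "CN=msmith,OU=testou,DC=somedomain,DC=com": {
        "sAMAccountName": "msmith", "memberOf": "CN=staff,OU=groups,DC=somedomain,DC=com"},
}

def escape_dn_value(value):
    """RFC 4514 escaping for a value spliced into a DN (what %u needs in a DN template)."""
    esc = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    if esc[:1] in (" ", "#"):                   # leading space or '#'
        esc = "\\" + esc
    if value.endswith(" ") and value != " ":    # trailing space
        esc = esc[:-1] + "\\ "
    return esc

def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a search filter (hex form)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _eval_filter(flt, attrs):
    """Evaluate a minimal RFC 4515 filter against one entry's attributes."""
    body = flt[1:-1]                            # strip the outer parentheses
    if body[0] in "&|!":
        parts, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):
            depth += (ch == "(") - (ch == ")")
            if depth == 0:                      # one sub-filter just closed
                parts.append(body[start:i + 1])
                start = i + 1
        return {"&": all, "|": any, "!": lambda r: not r[0]}[body[0]]([_eval_filter(p, attrs) for p in parts])
    attr, _, value = body.partition("=")
    return attrs.get(attr, "").lower() == _unescape(value).lower()

def fast_bind_dn(template, username):
    """FastBind: the bind DN is the template with %u replaced; nothing is searched."""
    return template.replace("%u", escape_dn_value(username))

def search_then_bind_dn(filter_template, username):
    """Bind handler: search with the filter, bind only if exactly one entry matches."""
    flt = filter_template.replace("%u", escape_filter_value(username))
    matches = [dn for dn, attrs in DIRECTORY.items() if _eval_filter(flt, attrs)]
    return matches[0] if len(matches) == 1 else None
```

Returning None for zero or several matches is the point of the search step: the handler must never bind as an entry it did not uniquely identify.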
