I just want to set it so that everybody in our developers group can admin. We are running an IPA server so I don't have anyplace (that I know of) to add roles, and I do not want to muck about with its underlying LDAP store outside of its GUI.

I can already just set the user search path to only accept users in the developers group so I don't need groups/roles. I don't understand what the group stuff is supposed to return: the string 'ROLE_ADMIN' or an array of strings of roles? I wish I could tell it to ignore the group stuff or just hard code the 'ROLE_ADMIN' in there.

thanks

On Wednesday, February 24, 2016 at 11:59:41 AM UTC-5, Misagh Moayyed wrote:
> This basically should allow you to configure access roles into the app. You get the roles for the user, and you decide which of those roles is a match so access can be granted. Is that what you are trying to do?
>
> If you search the archives, you will come across http://comments.gmane.org/gmane.comp.java.jasig.cas.user/24806 which might help.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Al J
> *Sent:* Wednesday, February 24, 2016 9:37 AM
> *To:* CAS Community <[email protected]>
> *Subject:* [cas-user] having trouble with ldap config for cas-services management webapp
>
> I am having a really tough time getting the cas services management webapp to work w/ldap (against an IPA server).
>
> I can get authentication to work, but I can't figure out what the right group-xxx attributes to use are; I don't know what they are intended to do.
>
> Where can I find out how these are used?
>
> I've pulled my ldap values out into a .properties file for easier maintenance, copying for the most part that which works just fine for my cas server.
>
> In my managementConfigContext.xml I have made only this change:
>
> <sec:ldap-server id="ldapServer" url="${ldap.url}"
>                  manager-dn="${ldap.authn.managerDN}"
>                  manager-password="${ldap.authn.managerPassword}" />
>
> <sec:ldap-user-service id="userDetailsService" server-ref="ldapServer"
>                        group-search-base="${ldap.authn.group.baseDn}"
>                        group-role-attribute="${ldap.authn.group.roleAttr}"
>                        group-search-filter="${ldap.authn.group.searchFilter}"
>                        user-search-base="${ldap.authn.user.baseDn}"
>                        user-search-filter="${ldap.authn.user.searchFilter}"/>
>
> I have added these values to my cas-management.properties:
>
> # LDAP Server
> ldap.url=<omitted>
>
> # LDAP connection timeout in milliseconds
> ldap.connectTimeout=3000
>
> # Whether to use StartTLS (probably needed if not SSL connection)
> ldap.useStartTLS=false
>
> # Base DN of users to be authenticated
> ldap.authn.user.baseDn=cn=users,cn=accounts,dc=epc-instore,dc=com
>
> # Manager DN for authenticated searches
> ldap.authn.managerDN=uid=<omitted>,cn=users,cn=accounts,dc=epc-instore,dc=com
>
> # Manager password for authenticated searches
> ldap.authn.managerPassword=<omitted>
>
> # Search filter used for configurations that require searching for DNs
> #ldap.authn.searchFilter=(&(uid={user})(accountState=active))
> ldap.authn.user.searchFilter=(uid={0})
>
> ldap.authn.group.searchFilter=gidNumber=1886200029
> ldap.authn.group.baseDn=cn=groups,cn=accounts,dc=epc-instore,dc=com
> ldap.authn.group.roleAttr=cn
>
> # Search filter used for configurations that require searching for DNs
> #ldap.authn.format=uid=%s,ou=Users,dc=example,dc=org
> ldap.authn.format=uid=%s,cn=users,cn=accounts,dc=epc-instore,dc=com
>
> # A path to trusted X.509 certificate for StartTLS
> ldap.trustedCert=/path/to/cert.cer
>
> --
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
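To make concrete what the `group-*` attributes of `<sec:ldap-user-service>` produce, here is an added example (not code from the thread or from CAS) that models how Spring Security's `DefaultLdapAuthoritiesPopulator` turns matching group entries into a set of `ROLE_`-prefixed authorities, with `{0}` replaced by the user's DN and `{1}` by the username. The group entries, DNs and the `ROLE_ADMIN` check are constructed for illustration and mimic an IPA-style tree; the filter evaluator only handles a single equality filter.

```python
from typing import Dict, List, Set

# Constructed IPA-style group entries (not real data). Values are lists
# because LDAP attributes are multi-valued.
GROUPS: List[Dict[str, List[str]]] = [
    {"dn": ["cn=developers,cn=groups,cn=accounts,dc=example,dc=com"],
     "cn": ["developers"], "gidNumber": ["1886200029"],
     "member": ["uid=alice,cn=users,cn=accounts,dc=example,dc=com",
                "uid=bob,cn=users,cn=accounts,dc=example,dc=com"]},
    {"dn": ["cn=ops,cn=groups,cn=accounts,dc=example,dc=com"],
     "cn": ["ops"], "gidNumber": ["1886200030"],
     "member": ["uid=carol,cn=users,cn=accounts,dc=example,dc=com"]},
]


def user_dn(username: str, dn_format: str) -> str:
    """Build the user DN from a '%s' pattern like ldap.authn.format."""
    return dn_format % username


def entry_matches(entry: Dict[str, List[str]], ldap_filter: str) -> bool:
    """Evaluate one '(attr=value)' equality filter (no AND/OR/wildcards).
    DNs and most LDAP strings compare case-insensitively, so we do too."""
    f = ldap_filter.strip()
    if f.startswith("(") and f.endswith(")"):
        f = f[1:-1]
    attr, _, value = f.partition("=")
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def group_authorities(dn: str, username: str, group_search_filter: str,
                      group_role_attribute: str = "cn",
                      role_prefix: str = "ROLE_", upper_case: bool = True) -> Set[str]:
    """One authority per matching group, named from group-role-attribute.
    {0} in the filter becomes the user's DN, {1} the plain username."""
    concrete = group_search_filter.replace("{0}", dn).replace("{1}", username)
    roles: Set[str] = set()
    for group in GROUPS:
        if entry_matches(group, concrete):
            for value in group.get(group_role_attribute, []):
                roles.add(role_prefix + (value.upper() if upper_case else value))
    return roles


def may_administer(roles: Set[str], required: str = "ROLE_ADMIN") -> bool:
    """A hasRole-style check: is the required authority in the user's set?"""
    return required in roles
```

With a membership filter such as `(member={0})` only the user's own groups contribute authorities; a filter with no `{0}`/`{1}` placeholder matches the same group entries for every authenticated user, so group membership is not actually being checked.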
