We use SSL as startTLS tends to complain, saying it has already occurred,
so SSL. You will want the cert from the server you are connecting to,
which you can pull with openssl like so:
echo -n | openssl s_client -connect 192.168.1.225:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.pem
This is what we use for our AD auth and attribute resolution
#========================================
# LDAP Auth
#========================================
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldaps://your_ad_server.site.org
cas.authn.ldap[0].connectTimeout=3000
cas.authn.ldap[0].useStartTLS=false
cas.authn.ldap[0].trustedCertificates=file:///etc/ssl/certs/cert_name.crt
#pool settings and validation
cas.authn.ldap[0].minPoolSize=3
cas.authn.ldap[0].maxPoolSize=10
cas.authn.ldap[0].validateOnCheckout=false
cas.authn.ldap[0].validatePeriodically=true
cas.authn.ldap[0].validatePeriod=300
# Amount of time in milliseconds to block on pool exhausted condition before giving up.
cas.authn.ldap[0].blockWaitTime=3000
# Attempt to prune connections every N seconds
cas.authn.ldap[0].prunePeriod=300
# max idle time (seconds) for pooled connections before they are pruned
cas.authn.ldap[0].idleTime=600
#search filters and settings
cas.authn.ldap[0].bindDn=<full DN of manager account>
cas.authn.ldap[0].bindCredential=<account password>
cas.authn.ldap[0].baseDn=dc=site,dc=org
cas.authn.ldap[0].userFilter=(sAMAccountName={user})
#construct the bind name as user@site.org (%s is replaced with the login id; domain matches the baseDn above)
cas.authn.ldap[0].dnFormat=%s@site.org
#principal id and attributes
cas.authn.ldap[0].principalAttributeId=sAMAccountName
cas.authn.ldap[0].principalAttributeList=sAMAccountName,dn,sn,cn,givenname,mail,memberOf,displayName
#========================================
# LDAP Attributes Retrieval
#========================================
#default attributes to release (you don't have to do this, but you can if you want)
cas.authn.attributeRepository.defaultAttributesToRelease=sAMAccountName,dn,sn,cn,givenname,mail,displayName
#attributes
cas.authn.attributeRepository.ldap[0].attributes.sAMAccountName=sAMAccountName
cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
cas.authn.attributeRepository.ldap[0].attributes.givenname=givenname
cas.authn.attributeRepository.ldap[0].attributes.sn=sn
cas.authn.attributeRepository.ldap[0].attributes.mail=mail
cas.authn.attributeRepository.ldap[0].attributes.distinguishedName=dn
#connection and search
cas.authn.attributeRepository.ldap[0].ldapUrl=ldaps://your_ad_server.site.org
cas.authn.attributeRepository.ldap[0].useSsl=true
cas.authn.attributeRepository.ldap[0].useStartTls=false
cas.authn.attributeRepository.ldap[0].baseDn=dc=site,dc=org
cas.authn.attributeRepository.ldap[0].userFilter=(sAMAccountName={user})
cas.authn.attributeRepository.ldap[0].subtreeSearch=true
cas.authn.attributeRepository.ldap[0].bindDn=<account for searching full dn>
cas.authn.attributeRepository.ldap[0].bindCredential=<account password>
On Wed, Dec 13, 2017 at 2:08 PM, Tim Tyler <[email protected]> wrote:
> I am a newbie to CAS. I just installed 5.2 using Maven. I successfully
> logged in via the test account of causer. But now I want to get ldap
> against active directory working. I successfully installed the
> dependencies and that seems ok. My issue is with configuring
> cas.properties. I read on-line that if I use type=AD, I need to use
> dnFormat? Is that true? I don’t really understand how that entry should
> look.
>
> Also, I would like to use SSL or TLS. Not sure if certs are necessary for
> at least establishing encryption. Can someone share with me the necessary
> settings for getting ldap to auth against AD. I seem to be struggling with
> what I particularly need to get ldap to work against AD. And if I need
> dnFormat, I could use an example of how that should look.
>
> Below is my config related to ldap.
>
> cas.authn.ldap[0].type=AD
> cas.authn.ldap[0].ldapUrl=ldaps://bcdc3.beloit.edu
> cas.authn.ldap[0].connectionStrategy=
> cas.authn.ldap[0].useSsl=true
> cas.authn.ldap[0].useStartTls=false
> cas.authn.ldap[0].connectTimeout=5000
> cas.authn.ldap[0].subtreeSearch=true
> cas.authn.ldap[0].baseDn=dc=its,dc=beloit,dc=edu
> cas.authn.ldap[0].userFilter=cn={sAMAccountName}
> cas.authn.ldap[0].bindDn=CN=ldapadmin,CN=Users,DC=its,DC=beloit,DC=edu
> cas.authn.ldap[0].bindCredential=xxxxxxxx
>
> #cas.authn.ldap[0].enhanceWithEntryResolver=false
> #cas.authn.ldap[0].dnFormat=%s,dc=its,dc=beloit,dc=edu
> #cas.authn.ldap[0].principalAttributeId=sAMAccountName
> #cas.authn.ldap[0].principalAttributePassword=password
>
> Tim Tyler
> Network Engineer
> Beloit College
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/22394f2759232d0a1e53c6d61f841f82%40mail.gmail.com.
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CALfsmq72po0gCrKM164NRu_H444UEiHse1CcmQOWyapityNjYg%40mail.gmail.com.
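The two configs in this thread differ in exactly the places that decide whether an AD bind over LDAPS works: StartTLS must be off on an ldaps:// URL, the AD certificate needs a trust anchor, type=AD needs a dnFormat with %s, and the userFilter placeholder is {user}, not {sAMAccountName}. The script below is an added example, not code from the thread or from CAS: a small linter over a cas.properties file that flags each of those mistakes. It uses the CAS 5.2 property names that appear above; the two sample configs, hostnames and domains are constructed for the example and modelled on the poster's config and on the working one in the reply.

```python
"""Lint a CAS 5.x cas.authn.ldap[N] block for the LDAPS/AD mistakes discussed above.

Added example for this page, not CAS code. Property names are the CAS 5.2 names
used in the thread; BROKEN and FIXED are constructed samples (invented hosts/domains).
"""
import re

# Values that are clearly not a real service-account password.
PLACEHOLDER_SECRET = re.compile(r"x+|<[^>]*>|changeme|password|secret", re.IGNORECASE)


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments.
    No line continuations or escapes (CAS configs rarely need them)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = "=" if "=" in line else ":"
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def lint_ldap_auth(props, prefix="cas.authn.ldap[0]"):
    """Return [(code, message), ...] for one authentication block."""
    def get(name):
        return props.get(f"{prefix}.{name}", "")

    findings = []
    url = get("ldapUrl").lower()
    # Spring Boot relaxed binding accepts either spelling; the thread uses both.
    start_tls = (get("useStartTls") or get("useStartTLS")).lower() == "true"

    if url.startswith("ldaps://"):
        if start_tls:
            findings.append(("STARTTLS_ON_LDAPS",
                             "ldaps:// is TLS from the first byte; useStartTls=true asks for "
                             "TLS a second time and the bind fails"))
        if not get("trustedCertificates"):
            findings.append(("NO_TRUST_ANCHOR",
                             "no trustedCertificates: unless the AD CA is already in the JVM "
                             "truststore the handshake is rejected"))
    elif url.startswith("ldap://"):
        if not start_tls:
            findings.append(("CLEARTEXT_BIND",
                             "ldap:// without useStartTls sends user and bind passwords in clear"))
    else:
        findings.append(("BAD_URL", f"ldapUrl must start with ldap:// or ldaps://, got {url!r}"))

    if get("type").upper() == "AD":
        dn_format = get("dnFormat")
        if not dn_format:
            findings.append(("AD_NO_DNFORMAT",
                             "type=AD binds as the user, so dnFormat is required (e.g. %s@site.org)"))
        elif "%s" not in dn_format:
            findings.append(("AD_DNFORMAT_NO_PLACEHOLDER",
                             "dnFormat must contain %s, otherwise every user binds as the same name"))

    user_filter = get("userFilter")
    if user_filter and "{user}" not in user_filter:
        findings.append(("FILTER_PLACEHOLDER",
                         "userFilter must contain {user}, e.g. (sAMAccountName={user})"))

    if get("bindDn") and PLACEHOLDER_SECRET.fullmatch(get("bindCredential") or "x"):
        findings.append(("PLACEHOLDER_CREDENTIAL", "bindCredential is empty or a placeholder"))
    return findings


def lint_codes(text, prefix="cas.authn.ldap[0]"):
    """Lint a properties file and return the sorted finding codes."""
    return sorted(code for code, _ in lint_ldap_auth(parse_properties(text), prefix))


# Constructed: shape of the original poster's config (dnFormat commented out,
# {sAMAccountName} as filter placeholder, no trust anchor, placeholder password).
BROKEN = """
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldaps://dc1.example.org
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].baseDn=dc=example,dc=org
cas.authn.ldap[0].userFilter=cn={sAMAccountName}
cas.authn.ldap[0].bindDn=CN=ldapadmin,CN=Users,DC=example,DC=org
cas.authn.ldap[0].bindCredential=xxxxxxxx
#cas.authn.ldap[0].dnFormat=%s,dc=example,dc=org
"""

# Constructed: shape of the working config from the reply.
FIXED = """
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldaps://dc1.example.org
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].trustedCertificates=file:///etc/ssl/certs/dc1.example.org.pem
cas.authn.ldap[0].baseDn=dc=example,dc=org
cas.authn.ldap[0].userFilter=(sAMAccountName={user})
cas.authn.ldap[0].dnFormat=%s@example.org
cas.authn.ldap[0].bindDn=CN=svc-cas,OU=Service Accounts,DC=example,DC=org
cas.authn.ldap[0].bindCredential=F4ke-Constructed-Value
"""

if __name__ == "__main__":
    for name, text in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        findings = lint_ldap_auth(parse_properties(text))
        print(f"{name}: {len(findings)} finding(s)")
        for code, msg in findings:
            print(f"  {code}: {msg}")
```

Run it against the real cas.properties with `lint_codes(open("cas.properties").read())`; the ldaps:// checks are deliberately stricter than CAS itself, which will happily start with no trust anchor and only fail at the first bind.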