I should also add that the userFilter is just limiting what CAS can see for
the available pool of user objects. If you merely want to allow users of a
certain group access to a particular service, then that is accomplished in
the service definition under required attributes. But note I have not yet
found how to get it to work with nested Active Directory groups, only
direct children of the group.
On Tuesday, March 20, 2018 at 11:21:09 AM UTC-5, Michael Peterson wrote:
>
> Does the issue have to do with nested group membership in the Active
> Directory group? In order for your LDAP filter to evaluate to true, the user
> you are testing authentication with needs to be a direct member of the
> checked-for group. If you want it to recursively check whether the user is
> a member of the checked group, use something like this instead:
>
>
> cas.authn.ldap[0].userFilter=(&(objectCategory=Person)(sAMAccountName={user})(memberOf:1.2.840.113556.1.4.1941:=CN=SpecificGroupName,OU=Groups,OU=Company,DC=example,DC=com))
>
> On Tuesday, March 13, 2018 at 6:39:05 AM UTC-5, Марат Бралиев wrote:
>>
>> I need to check the user's password and membership of a specific group:
>>
>> I have CAS 5.2.*
>>
>> My config file:
>>
>> cas.authn.ldap[0].type=AUTHENTICATED
>> cas.authn.ldap[0].ldapUrl=ldap://example.com
>> cas.authn.ldap[0].useSsl=false
>>
>> cas.authn.ldap[0].bindDn=cn=portal_manager,ou=System
>> Accounts,dc=example,dc=com
>> cas.authn.ldap[0].bindCredential=***********
>> cas.authn.ldap[0].baseDn=DC=example,DC=com
>> cas.authn.ldap[0].subtreeSearch=true
>>
>> cas.authn.ldap[0].userFilter=(&(objectCategory=Person)(sAMAccountName={user})(memberOf=CN=SpecificGroupName,OU=Groups,OU=Company,DC=example,DC=com))
>>
>> cas.authn.ldap[0].usePasswordPolicy=false
>>
>> cas.authn.ldap[0].principalAttributeId=sAMAccountName
>> cas.authn.ldap[0].principalAttributePassword=
>>
>> cas.authn.ldap[0].principalAttributeList=displayName,commonName,email,memberOf
>> cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
>>
>> When I create an auth request, CAS responds with an error:
>>
>> 2018-03-13 17:34:38,515 DEBUG [org.ldaptive.SearchOperation] - <execute
>> request=[org.ldaptive.SearchRequest@-384810870::baseDn=DC=hq,DC=bc,
>> searchFilter=[org.ldaptive.SearchFilter@-1831897358::filter=(&(objectCategory=Person)(sAMAccountName={user})(memberOf=CN=ManagersPortal,OU=Groups,OU=БАНК,DC=hq,DC=bc)),
>>
>> parameters={context=null, user=braliyev_30424}], returnAttributes=[1.1],
>> searchScope=SUBTREE, timeLimit=PT0S, sizeLimit=0, derefAliases=null,
>> typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED,
>> searchEntryHandlers=null, searchReferenceHandlers=null, controls=null,
>> referralHandler=null, intermediateResponseHandlers=null] with
>> connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1004112938::config=[org.ldaptive.ConnectionConfig@1791270211::ldapUrl=ldap://hq.bc,
>>
>> connectTimeout=PT5S, responseTimeout=PT5S,
>> sslConfig=[org.ldaptive.ssl.SslConfig@887019403::credentialConfig=null,
>> trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null,
>> enabledCipherSuites=null, enabledProtocols=null,
>> handshakeCompletedListeners=null], useSSL=false, useStartTLS=false,
>> connectionInitializer=[org.ldaptive.BindConnectionInitializer@727124254::bindDn=cn=kaspi_portal,ou=System
>>
>> Accounts,dc=hq,dc=bc, bindSaslConfig=null, bindControls=null],
>> connectionStrategy=org.ldaptive.DefaultConnectionStrategy@1e7a75fd],
>> providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@2104222132::metadata=[ldapUrl=ldap://hq.bc,
>>
>> count=1], environment={com.sun.jndi.ldap.connect.timeout=5000,
>> java.naming.ldap.version=3,
>> java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
>> com.sun.jndi.ldap.read.timeout=5000}, classLoader=null,
>> providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@334577122::operationExceptionResultCodes=[PROTOCOL_ERROR,
>>
>> SERVER_DOWN], properties={},
>> controlProcessor=org.ldaptive.provider.ControlProcessor@29c0c417,
>> environment=null, tracePackets=null, removeDnUrls=true,
>> searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED,
>> PARTIAL_RESULTS], classLoader=null, sslSocketFactory=null,
>> hostnameVerifier=null]],
>> providerConnection=org.ldaptive.provider.jndi.JndiConnection@6368ec02]>
>> 2018-03-13 17:34:38,521 DEBUG [org.ldaptive.SearchOperation] - <execute
>> response=[org.ldaptive.Response@626954816::result=[org.ldaptive.SearchResult@-1662255094::entries=[],
>>
>> references=[[org.ldaptive.SearchReference@74822743::referralUrls=[ldap://DomainDnsZones.hq.bc/DC=DomainDnsZones,DC=hq,DC=bc],
>>
>> responseControls=null, messageId=-1, referenceResponse=null],
>> [org.ldaptive.SearchReference@-526386759::referralUrls=[ldap://hq.bc/CN=Configuration,DC=hq,DC=bc],
>>
>> responseControls=null, messageId=-1, referenceResponse=null],
>> [org.ldaptive.SearchReference@-1214994231::referralUrls=[ldap://ForestDnsZones.hq.bc/DC=ForestDnsZones,DC=hq,DC=bc],
>>
>> responseControls=null, messageId=-1, referenceResponse=null]]],
>> resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null,
>> referralURLs=null, messageId=-1] for
>> request=[org.ldaptive.SearchRequest@-384810870::baseDn=DC=hq,DC=bc,
>> searchFilter=[org.ldaptive.SearchFilter@-1831897358::filter=(&(objectCategory=Person)(sAMAccountName={user})(memberOf=CN=ManagersPortal,OU=Groups,OU=БАНК,DC=hq,DC=bc)),
>>
>> parameters={context=null, user=braliyev_30424}], returnAttributes=[1.1],
>> searchScope=SUBTREE, timeLimit=PT0S, sizeLimit=0, derefAliases=null,
>> typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED,
>> searchEntryHandlers=null, searchReferenceHandlers=null, controls=null,
>> referralHandler=null, intermediateResponseHandlers=null] with
>> connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1004112938::config=[org.ldaptive.ConnectionConfig@1791270211::ldapUrl=ldap://hq.bc,
>>
>> connectTimeout=PT5S, responseTimeout=PT5S,
>> sslConfig=[org.ldaptive.ssl.SslConfig@887019403::credentialConfig=null,
>> trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null,
>> enabledCipherSuites=null, enabledProtocols=null,
>> handshakeCompletedListeners=null], useSSL=false, useStartTLS=false,
>> connectionInitializer=[org.ldaptive.BindConnectionInitializer@727124254::bindDn=cn=kaspi_portal,ou=System
>>
>> Accounts,dc=hq,dc=bc, bindSaslConfig=null, bindControls=null],
>> connectionStrategy=org.ldaptive.DefaultConnectionStrategy@1e7a75fd],
>> providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@2104222132::metadata=[ldapUrl=ldap://hq.bc,
>>
>> count=1], environment={com.sun.jndi.ldap.connect.timeout=5000,
>> java.naming.ldap.version=3,
>> java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
>> com.sun.jndi.ldap.read.timeout=5000}, classLoader=null,
>> providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@334577122::operationExceptionResultCodes=[PROTOCOL_ERROR,
>>
>> SERVER_DOWN], properties={},
>> controlProcessor=org.ldaptive.provider.ControlProcessor@29c0c417,
>> environment=null, tracePackets=null, removeDnUrls=true,
>> searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED,
>> PARTIAL_RESULTS], classLoader=null, sslSocketFactory=null,
>> hostnameVerifier=null]],
>> providerConnection=org.ldaptive.provider.jndi.JndiConnection@6368ec02]>
>>
>> 2018-03-13 17:34:38,526 INFO [org.ldaptive.auth.PooledSearchDnResolver] -
>> <search for
>> user=[org.ldaptive.auth.User@1756715488::identifier=braliyev_30424,
>> context=null] failed using
>> filter=[org.ldaptive.SearchFilter@-1831897358::filter=(&(objectCategory=Person)(sAMAccountName={user})(memberOf=CN=ManagersPortal,OU=Groups,OU=БАНК,DC=hq,DC=bc)),
>>
>> parameters={context=null, user=braliyev_30424}]>
>> 2018-03-13 17:34:38,526 DEBUG [org.ldaptive.auth.PooledSearchDnResolver]
>> - <resolved dn=null for
>> user=[org.ldaptive.auth.User@1756715488::identifier=braliyev_30424,
>> context=null]>
>> 2018-03-13 17:34:38,526 DEBUG [org.ldaptive.auth.Authenticator] -
>> <authenticate dn=null with
>> request=[org.ldaptive.auth.AuthenticationRequest@1687550059::user=[org.ldaptive.auth.User@1756715488::identifier=braliyev_30424,
>>
>> context=null], returnAttributes=[commonName, sAMAccountName, displayName,
>> memberOf, email], controls=null]>
>>
>> The CAS search request result is empty.
>>
>> When I change the "userFilter" configuration so that it does not check memberOf,
>> cas.authn.ldap[0].userFilter=(&(objectCategory=Person)), authorization works
>> correctly.
>>
>> I checked my search request in the LDAPAdmin utility; it works correctly.
>>
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
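As an added illustration (not code from this thread or from CAS), the Python below models what the two filters discussed above match: a plain (memberOf=...) clause, which is also all that a released memberOf attribute carries for the service-definition approach, versus the 1.2.840.113556.1.4.1941 matching-rule form that Active Directory evaluates transitively. The directory snapshot, user and group names are constructed; the escaping helper follows RFC 4515.

```python
"""Direct vs. transitive AD group membership, as CAS's userFilter would see it."""
from typing import Dict, List

GROUP = "CN=ManagersPortal,OU=Groups,DC=example,DC=com"  # constructed target group DN

# Constructed directory snapshot: entry DN -> that entry's direct memberOf values.
# alice is a direct member of GROUP; bob is only nested in it via Regional-Managers.
DIRECTORY: Dict[str, List[str]] = {
    "CN=alice,OU=Users,DC=example,DC=com": [GROUP],
    "CN=bob,OU=Users,DC=example,DC=com": ["CN=Regional-Managers,OU=Groups,DC=example,DC=com"],
    "CN=Regional-Managers,OU=Groups,DC=example,DC=com": [GROUP],
    GROUP: [],
}

def is_direct_member(user_dn: str, group_dn: str) -> bool:
    """What (memberOf=<group>) matches: only the user's own memberOf values,
    which is also all that a released memberOf attribute carries."""
    return group_dn.lower() in (g.lower() for g in DIRECTORY.get(user_dn, []))

def is_transitive_member(user_dn: str, group_dn: str) -> bool:
    """What (memberOf:1.2.840.113556.1.4.1941:=<group>) matches: follow the
    memberOf chain upward; the visited set stops circular nesting from looping."""
    seen, stack = set(), list(DIRECTORY.get(user_dn, []))
    while stack:
        dn = stack.pop()
        if dn.lower() == group_dn.lower():
            return True
        if dn.lower() not in seen:
            seen.add(dn.lower())
            stack.extend(DIRECTORY.get(dn, []))
    return False

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP filter (group names
    containing parentheses or asterisks would otherwise break the filter)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def cas_user_filter(group_dn: str, nested: bool = False) -> str:
    """Build the cas.authn.ldap[0].userFilter value; CAS substitutes {user}."""
    rule = ":1.2.840.113556.1.4.1941:" if nested else ""
    return ("(&(objectCategory=Person)(sAMAccountName={user})"
            "(memberOf%s=%s))" % (rule, escape_filter_value(group_dn)))

if __name__ == "__main__":
    for dn in ("CN=alice,OU=Users,DC=example,DC=com", "CN=bob,OU=Users,DC=example,DC=com"):
        print(dn, "direct:", is_direct_member(dn, GROUP), "nested:", is_transitive_member(dn, GROUP))
    print(cas_user_filter(GROUP, nested=True))
```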