Hello Richard, thanks for replying. dnFormat is required for AD type authentication, CAS will not start without it. The value "[email protected]" apparently is the default for ADs that authenticate with sAMAccountName, I have seen many examples here like this.
I have tested other users outside the OU=Users and they are being authenticated. Subtree is desired, I have other OUs inside OU=Users.

On Wednesday, March 31, 2021 at 17:16:41 UTC-3, richard.frovarp wrote:
> My guess is that the bind user is going to ignore the base DN as it happens before the search is done. As for the rest, it likely should follow the base DN. You may have something effectively double defined there that is causing it to work outside. I'm not sure what the dnFormat parameter does. You'll want to refer to the ldaptive documentation as to what those various values do:
>
> http://www.ldaptive.org/v1/
>
> Note that you'll want to list your DCs separately instead of just the one name to get failover. Also, you have subtree search on, so it will search in Users.
>
> On Wed, 2021-03-31 at 12:51 -0700, Alcides Moraes wrote:
>
> Hello group,
>
> We have a working installation of CAS 5.2.9 authenticating against Active Directory.
>
> However, we have noticed we are able to authenticate using credentials of a user outside the BaseDN, including the bind user. How can we fix this?
>
> Below are my authn.ldap configuration entries:
>
> ldap[0]:
>   baseDn: OU=Users,DC=domain3,DC=domain2,DC=domain1
>   bindCredential: bindpassword
>   bindDn: bind
>   blockWaitTime: 5000
>   connectTimeout: 5000
>   dnFormat: '%[email protected]'
>   failFast: true
>   idleTime: 5000
>   ldapUrl: ldap://adserver
>   maxPoolSize: 10
>   minPoolSize: 3
>   principalAttributeId: sAMAccountName
>   principalAttributeList: sAMAccountName,displayName,givenName,mail,distinguishedName
>   prunePeriod: 5000
>   subtreeSearch: true
>   type: AD
>   useSsl: false
>   useStartTls: false
>   userFilter: (sAMAccountName={user})
>   validateOnCheckout: true
>   validatePeriod: 600
>   validatePeriodically: true

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/ad43e3bd-0e96-430d-8ff9-abb9cc102a98n%40apereo.org.
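As an added illustration of the two flows Richard's reply contrasts, here is a constructed Python model (not CAS or ldaptive code, and not a statement about their internals): a direct bind as user@suffix, which the server resolves domain-wide before any search happens, versus a search scoped to baseDn followed by a bind as the entry that search found. The directory entries, the user passwords and the UPN suffix are constructed assumptions; the baseDn, the subtree setting and the `bind` account name and password are the ones from the posted configuration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    dn: str
    sam: str        # sAMAccountName
    password: str


# Values taken from the posted configuration.
BASE_DN = "OU=Users,DC=domain3,DC=domain2,DC=domain1"
BIND_DN = "CN=bind,OU=Service,DC=domain3,DC=domain2,DC=domain1"  # assumed location of the bind account
BIND_PASSWORD = "bindpassword"

# Assumed suffix that a dnFormat of the form %s@... appends to the login name.
UPN_SUFFIX = "@domain3.domain2.domain1"

# Constructed sample directory: alice sits under baseDn, bob and the bind account do not.
DIRECTORY = (
    Entry("CN=alice,OU=Staff,OU=Users,DC=domain3,DC=domain2,DC=domain1", "alice", "alice-pw"),
    Entry("CN=bob,OU=Contractors,DC=domain3,DC=domain2,DC=domain1", "bob", "bob-pw"),
    Entry(BIND_DN, "bind", BIND_PASSWORD),
)


def simple_bind(identity: str, password: str) -> bool:
    """Model of an AD simple bind: the server accepts either a DN or a user@suffix name
    and resolves it across the whole domain. No base DN is consulted at this step."""
    for e in DIRECTORY:
        if identity in (e.dn, e.sam + UPN_SUFFIX) and e.password == password:
            return True
    return False


def search(base_dn: str, sam: str, subtree: bool = True) -> list:
    """Model of the filter (sAMAccountName={user}) evaluated under base_dn.
    subtree=True matches any depth below base_dn; subtree=False only one level."""
    hits = []
    for e in DIRECTORY:
        if e.sam != sam or not e.dn.lower().endswith("," + base_dn.lower()):
            continue
        rdn_part = e.dn[: -len(base_dn) - 1]        # everything above base_dn
        if subtree or "," not in rdn_part:
            hits.append(e)
    return hits


def authenticate_direct(user: str, password: str, base_dn: str = BASE_DN):
    """Flow 1: bind first as user@suffix. baseDn is only used afterwards, to look up
    attributes, so an account anywhere in the domain passes the bind."""
    if not simple_bind(user + UPN_SUFFIX, password):
        return (False, "bind failed")
    if search(base_dn, user):
        return (True, "attributes resolved under baseDn")
    return (True, "authenticated although no entry exists under baseDn")


def authenticate_search_then_bind(user: str, password: str, base_dn: str = BASE_DN):
    """Flow 2: the service account searches under baseDn first and the user is bound
    only as a DN that search returned, so accounts outside baseDn are never considered."""
    if not simple_bind(BIND_DN, BIND_PASSWORD):
        return (False, "service bind failed")
    hits = search(base_dn, user)
    if not hits:
        return (False, "no entry under baseDn")
    if not simple_bind(hits[0].dn, password):
        return (False, "bind failed")
    return (True, "bound as " + hits[0].dn)


if __name__ == "__main__":
    for name, pw in (("alice", "alice-pw"), ("bob", "bob-pw"), ("bind", BIND_PASSWORD)):
        print(name, "direct:", authenticate_direct(name, pw),
              "| search-then-bind:", authenticate_search_then_bind(name, pw))
```

Running it shows bob and the bind account succeeding under the direct-bind flow despite being outside OU=Users, and only alice succeeding under the search-then-bind flow; the scope is enforced by the search, never by the bind itself.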
