
When I tried to connect cas-overlay-6.0 to LDAP (Oracle Directory Server 11) with a login/password in the CAS 6.0 application, I got this error:

WHO: myLogin WHAT: Supplied credentials: [UsernamePasswordCredential(username=myLogin, source=null)] ACTION: AUTHENTICATION_FAILED APPLICATION: CAS

My cas.properties:

cas.authn.ldap[0].ldapUrl=ldap://monserveur.fr
# Credentials used to bind to the LDAP server
cas.authn.ldap[0].bindDn=cn=Directory Manager
cas.authn.ldap[0].bindCredential=myPassword

cas.authn.ldap[0].baseDn=ou=pers,ou=XX-XXX-XXXX,ou=subdomain,o=gov,c=country
cas.authn.ldap[0].searchFilter=uid={user}
cas.authn.ldap[0].subtreeSearch=true
#cas.authn.ldap[0].principalAttributeList=cn,givenName,mail,sn
cas.authn.ldap[0].principalAttributePassword=userPassword

Note: the password is SSHA-encoded in LDAP.

How can I verify what's wrong? For example, when I put a wrong baseDn or searchFilter I get the same error. How can I perform a simple login/password test to rule out errors?

How does CAS deal with the password, i.e. is it LDAP that performs the password comparison, or CAS?

If it's CAS that performs the password comparison, how do I configure CAS for

Thanks in advance for any help!

ratm
  • It seems you are not referring to the [6.x documentation](https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties-Common.html#ldap-authenticationsearch-settings) but the 5.x. See the [password encoding](https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties-Common.html#password-encoding) part. Also you need to set the principalAttributePassword value to the proper attribute type (e.g. `principalAttributePassword=userPassword`). – EricLavault Sep 27 '19 at 17:23
  • Thanks for the notes. I tried with the right documentation but I have the same problem. I have modified the post. – ratm Oct 04 '19 at 08:32
  • You must provide a full DN for `bindDn` and `baseDn`. Where are the user entries located in your directory? Please provide a sample user DN. Also it seems your config is missing some parameters. – EricLavault Oct 04 '19 at 14:30
  • Thanks for helping me! I modified the example. baseDn is an anonymized example of what is used. bindDn is exactly what I use in Apache Directory Studio. – ratm Oct 04 '19 at 15:02
  • OK, but bindDn is incomplete as is (it is probably relative to the base components, like `cn=Directory Manager,dc=example,dc=com`?). Look for the exact entry's DN in the DIT in the left pane of Apache DS. – EricLavault Oct 04 '19 at 15:07
  • Hello, https://docs.oracle.com/cd/E19476-01/821-0510/def-directory-manager.html cn=Directory Manager seems to be the correct bindDn. – ratm Oct 08 '19 at 13:55
  • It is the default rootdn in Sun OpenDS, so maybe you can edit your post to specify that you are using OpenDS with the default config; it could help. Watching the LDAP logs should help too. – EricLavault Oct 08 '19 at 14:28
  • Yes, today I watched the LDAP logs, but I'm doing many parallel jobs. I'll come back later with more information. Thanks for the help! – ratm Oct 08 '19 at 19:34
  • I ran ldapsearch in a Docker container: `ldapsearch -h server_host -D "cn=Directory Manager" -w administrateur -b "ou=personnels,ou=XXXXXX,ou=educ,o=gouv,c=fr" uid=myLogin`. ldapsearch returns the correct entry. In the LDAP log, when I connect with CAS I see nothing: `[11/Oct/2019:08:26:17 +0200] conn=15 op=7019 msgId=5437415 - RESULT err=0 tag=101 nentries=1 etime=0 [11/Oct/2019:08:26:17 +0200] conn=8 op=13150 msgId=5437416 - SRCH base="ou=XXXXXXXX,ou=educ,o=gouv,c=fr" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=""` – ratm Oct 11 '19 at 09:08
  • Actually CAS (server) makes no request to LDAP! I'm using cas-webapp-docker-master and I have added LDAP support in the build.gradle file: `description = "Apereo Central Authentication Service" allprojects { apply plugin: 'java' } dependencies { compile "org.apereo.cas:cas-server-support-ldap:${project.cas.version}" }` What's wrong? – ratm Oct 11 '19 at 12:11

1 Answer


It works for SSHA passwords without any configuration or change.

Example for CAS 6.0.5 provided by cas-overlay-6.0 and LDAP Oracle Directory Server 11.

cas.properties:

cas.server.name=https://yourServer:8443
cas.server.prefix=${cas.server.name}/cas

# useful to modify the log level. Correct path for cas-overlay-6.0
logging.config=file:/etc/cas/config/log4j2.xml

# anonymous connection to your LDAP server
###############################################################################
cas.authn.ldap[0].ldapUrl=ldap://myServer.fr:389/
cas.authn.ldap[0].type=ANONYMOUS
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false

# authenticated connection to the LDAP server
###############################################################################
#cas.authn.ldap[0].ldapUrl=ldap://myServer.fr:389/
#cas.authn.ldap[0].useSsl=false
#cas.authn.ldap[0].useStartTls=false
#cas.authn.ldap[0].type=AUTHENTICATED
## Credentials used to bind to the LDAP server
#cas.authn.ldap[0].bindDn=cn=Directory Manager
#cas.authn.ldap[0].bindCredential=myPassword

# search for the CAS user who tries to log in
################################################################################
cas.authn.ldap[0].baseDn=ou=XXXXXX,ou=subdomain,o=domain,c=country
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].searchFilter=(&(objectClass=person)(uid={user}))
#cas.authn.ldap[0].searchFilter=uid={user}
#cas.authn.ldap[0].principalAttributeList=cn,givenName,mail,sn

With cas-overlay-6.0 you need to copy the config: ./build.sh copy

For testing when something goes wrong:

CAS server side:

telnet yourLdapServer.fr 389

must work!

ldapsearch -h yourLdapServer.fr -D "cn=Directory Manager" -w yourPassword -b "ou=pers,ou=XXXXX,ou=subdomain,o=domain,c=country" uid=loginTest

or, with an anonymous connection:

ldapsearch -h yourLdapServer.fr -x -b "ou=pers,ou=XXXXX,ou=subdomain,o=domain,c=country" uid=loginTest

must return the user's entry.

LDAP server side:

tcpdump -v -i eth0 -s 0 -A 'tcp dst port 389'

must produce lines like this (when you run ldapsearch or test a CAS login):

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:04:23.846472 IP (tos 0x0, ttl  64, id 19303, offset 0, flags [DF], proto 6, length: 60) yourCasServer.fr.59810 > yourLdapServer.ldap: S [tcp sum ok] ...

If the connection between CAS and LDAP fails, correct these lines in cas.properties:

cas.authn.ldap[0].ldapUrl=ldap://myServer.fr:389/
cas.authn.ldap[0].type=ANONYMOUS
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false

When the connection between CAS and LDAP is OK, check the CAS log and the LDAP access log for more information!

ratm
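Added example (not from the post, and not CAS or Oracle Directory Server code): a Python 3 stdlib simulation of the two LDAP operations the accepted configuration relies on, a search for `(&(objectClass=person)(uid={user}))` under baseDn followed by a simple bind as the entry found, together with the `{SSHA}` check the directory performs during that bind. It shows why a wrong baseDn or searchFilter produces the same AUTHENTICATION_FAILED outcome as a wrong password, and why CAS needs no password encoder for SSHA. All DNs, entries and passwords are constructed.

```python
import base64
import hashlib
import hmac
import os

def ssha_hash(password, salt=None):
    """Build an {SSHA} value as stored in userPassword: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    """What the directory does on a simple bind: re-hash with the stored salt and compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the remainder is the salt
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

# Constructed toy directory: DN -> attributes, laid out under the anonymised baseDn of the answer.
BASE_DN = "ou=pers,ou=XXXXX,ou=subdomain,o=domain,c=country"
DIRECTORY = {
    "uid=loginTest," + BASE_DN: {"objectClass": ["person"], "uid": "loginTest",
                                 "userPassword": ssha_hash("s3cret")},
    "uid=svc,ou=apps," + BASE_DN: {"objectClass": ["applicationProcess"], "uid": "svc",
                                   "userPassword": ssha_hash("other")},
}

def search(base_dn, uid, subtree=True):
    """Evaluate (&(objectClass=person)(uid={user})) below base_dn; subtree=False is one level only."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.endswith("," + base_dn):
            continue
        one_level = "," not in dn[:-len(base_dn) - 1]
        if (subtree or one_level) and "person" in attrs["objectClass"] and attrs["uid"] == uid:
            hits.append(dn)
    return hits

def cas_login(user, password, base_dn=BASE_DN):
    """Mirror the resolve-then-bind flow: return the bound DN, or the reason for AUTHENTICATION_FAILED."""
    dns = search(base_dn, user)
    if len(dns) != 1:  # a wrong baseDn or searchFilter ends up here, so the error looks identical
        return "AUTHENTICATION_FAILED: no unique entry for uid=%s under %s" % (user, base_dn)
    if not ssha_verify(password, DIRECTORY[dns[0]]["userPassword"]):
        return "AUTHENTICATION_FAILED: directory rejected bind for " + dns[0]
    return dns[0]
```

Against a real server the same two steps are what the ldapsearch commands above (the search) and a bind with the user's own DN (the password check) exercise separately.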