Reputation: 923
When I try to connect cas-overlay-6.0 to LDAP (Oracle Directory Server 11) with a login/password in the CAS 6.0 application, I get this error:
WHO: myLogin WHAT: Supplied credentials:
[UsernamePasswordCredential(username=myLogin, source=null)] ACTION:
AUTHENTICATION_FAILED APPLICATION: CAS
My cas.properties:
cas.authn.ldap[0].ldapUrl=ldap://monserveur.fr
# Credentials used to bind to the LDAP server
cas.authn.ldap[0].bindDn=cn=Directory Manager
cas.authn.ldap[0].bindCredential=myPassword
cas.authn.ldap[0].baseDn=ou=pers,ou=XX-XXX-XXXX,ou=subdomain,o=gov,c=country
cas.authn.ldap[0].searchFilter=uid={user}
cas.authn.ldap[0].subtreeSearch=true
#cas.authn.ldap[0].principalAttributeList=cn,givenName,mail,sn
cas.authn.ldap[0].principalAttributePassword=userPassword
Note: the password is SSHA-encoded in LDAP.
How can I verify what's wrong? For example, when I put a wrong baseDn or searchFilter I get the same error. How can I perform a simple login/password test to eliminate the error?
How does CAS deal with the password, i.e. is it LDAP that performs the password compare, or CAS?
If it's CAS that performs the password compare, how do I configure CAS for
Thanks in advance for any help!
Upvotes: 0
Views: 4614
Reputation: 923
It works for SSHA passwords without any configuration or change.
Example for CAS 6.0.5 provided by cas-overlay-6.0 and LDAP Oracle Directory Server 11.
cas.properties:
cas.server.name=https://yourServer:8443
cas.server.prefix=${cas.server.name}/cas
# useful to modify the log level. Correct path for cas-overlay-6.0
logging.config=file:/etc/cas/config/log4j2.xml
# anonymous connection to your LDAP server
###############################################################################
cas.authn.ldap[0].ldapUrl=ldap://myServer.fr:389/
cas.authn.ldap[0].type=ANONYMOUS
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
# authenticated connection to LDAP
###############################################################################
#cas.authn.ldap[0].ldapUrl=ldap://myServer.fr:389/
#cas.authn.ldap[0].useSsl=false
#cas.authn.ldap[0].useStartTls=false
#cas.authn.ldap[0].type=AUTHENTICATED
## Credentials used to bind to the LDAP server
#cas.authn.ldap[0].bindDn=cn=Directory Manager
#cas.authn.ldap[0].bindCredential=myPassword
# search for the user who is trying to log in through CAS
################################################################################
cas.authn.ldap[0].baseDn=ou=XXXXXX,ou=subdomain,o=domain,c=country
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].searchFilter=(&(objectClass=person)(uid={user}))
#cas.authn.ldap[0].searchFilter=uid={user}
#cas.authn.ldap[0].principalAttributeList=cn,givenName,mail,sn
With cas-overlay-6.0 you need to copy the config: ./build.sh copy
For testing when something goes wrong:
telnet yourLdapServer.fr 389
must work!
ldapsearch -h yourLdapServer.fr -D "cn=Directory Manager" -w yourPassword -b "ou=pers,ou=XXXXX,ou=subdomain,o=domain,c=country" uid=loginTest
or an anonymous connection
ldapsearch -h yourLdapServer.fr -x -b "ou=pers,ou=XXXXX,ou=subdomain,o=domain,c=country" uid=loginTest
must return the user's entry
tcpdump -v -i eth0 -s 0 -A 'tcp dst port 389'
must show lines like this (when you run ldapsearch or test a CAS login):
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:04:23.846472 IP (tos 0x0, ttl 64, id 19303, offset 0, flags [DF], proto 6, length: 60) yourCasServer.fr.59810 > yourLdapServer.ldap: S [tcp sum ok] ...
If the connection between CAS and LDAP fails, correct these lines in cas.properties:
cas.authn.ldap[0].ldapUrl=ldap://myServer.fr:389/
cas.authn.ldap[0].type=ANONYMOUS
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
When the connection between CAS and LDAP is OK, check the CAS log and the LDAP access log for more information!
Upvotes: 0
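An added script (not from the question, the answer, or the CAS project) that reproduces the two steps CAS performs with type=ANONYMOUS or AUTHENTICATED: search for the user under baseDn with searchFilter, then bind as the DN found with the supplied password, so the directory server does the password compare and CAS never reads the SSHA value. It parses the property keys shown above (sample values constructed), emits the matching ldapsearch commands, and optionally performs the same TCP reachability check as the telnet step; the host name, the `<dn-from-step-1>` / `<user-password>` placeholders and the `loginTest` user are assumptions.

```python
import shlex
import socket
# Constructed cas.properties excerpt (keys from the answer above, sample values).
CAS_PROPERTIES = """
cas.authn.ldap[0].ldapUrl=ldap://myServer.fr:389/
cas.authn.ldap[0].type=ANONYMOUS
cas.authn.ldap[0].baseDn=ou=XXXXXX,ou=subdomain,o=domain,c=country
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].searchFilter=(&(objectClass=person)(uid={user}))
"""

def parse_properties(text):
    """Minimal key=value parser; blank lines and '#' comments are skipped."""
    pairs = (l.strip().partition("=") for l in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep and not k.startswith("#")}

def ldap_host_port(url):
    """'ldap://host:389/' -> ('host', 389); default 389, or 636 for ldaps."""
    scheme, _, rest = url.partition("://")
    host, _, port = rest.split("/", 1)[0].partition(":")
    return host, int(port) if port else (636 if scheme == "ldaps" else 389)

def escape_filter_value(value):
    """RFC 4515 escaping, so a login like 'a*' cannot widen the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def diagnose(props, user, idx=0, connect=False):
    """Step 1: search the user under baseDn (what CAS does for type ANONYMOUS or
    AUTHENTICATED); step 2: bind as that DN, the compare done by the LDAP server."""
    p = lambda key: props.get(f"cas.authn.ldap[{idx}].{key}", "")
    host, port = ldap_host_port(p("ldapUrl"))
    cmd = ["ldapsearch", "-h", host, "-p", str(port)]
    if p("type").upper() == "AUTHENTICATED":
        cmd += ["-D", p("bindDn"), "-w", p("bindCredential")]  # bind account
    else:
        cmd += ["-x"]                                           # anonymous bind
    scope = "sub" if p("subtreeSearch").lower() == "true" else "one"
    filt = p("searchFilter").replace("{user}", escape_filter_value(user))
    result = {
        "search": shlex.join(cmd + ["-s", scope, "-b", p("baseDn"), filt, "dn"]),
        "bind": shlex.join(["ldapsearch", "-h", host, "-p", str(port), "-D", "<dn-from-step-1>",
                            "-w", "<user-password>", "-s", "base", "-b", "<dn-from-step-1>", "objectClass=*"]),
    }
    if connect:  # same reachability check as 'telnet host 389' in the answer
        try:
            socket.create_connection((host, port), timeout=3).close()
            result["tcp"] = "open"
        except OSError as exc:
            result["tcp"] = f"failed: {exc}"
    return result
```

Run `diagnose(parse_properties(open("cas.properties").read()), "loginTest", connect=True)` on the CAS host: if the search returns no DN the baseDn/searchFilter is wrong, and if the bind command fails with the correct password the problem is in the directory, not in CAS.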