- From: Terry McLaren <address@concealed>
- To: address@concealed
- Subject: [sympa-users] CAS Configuration Issues
- Date: Tue, 9 Nov 2021 08:51:15 -0600
Greetings - I'm running into issues with CAS auth and attributes. Below I describe my findings and issues. I'm hoping someone can clarify Sympa's current implementation and CAS capabilities.
1) I found a paper describing Sympa's Auth and access control implementations, "S. Aumont, O. Salaün, Selected Papers from the TERENA Networking Conference (2004)"; section 2.4.3 covers CAS user attributes. It states the CAS auth implementation is separate from attribute retrieval. So, the workflow appears to require Sympa to do a CAS auth first, and then Sympa needs to query an LDAP for the 'mail' attribute. Is this the case? Using the default CAS auth.conf example, I've run some tests. Here's a sanitized version of our config and log data.
# auth.conf
cas
base_url https://cas.ourdomain:8443
auth_service_friendly_name Our CAS Server
auth_service_name our_cas
ldap_host ldap.ourdomain:389
ldap_get_email_by_uid_filter (uid=[uid])
ldap_timeout 7
ldap_suffix dc=ourdomain,dc=fr
ldap_scope sub
ldap_email_attribute mail
Logs
-------
Nov 8 18:16:36 sympa wwsympa[85131]: notice main:: Login CAS OK server netid=address@concealed
Nov 8 18:16:36 sympa wwsympa[85131]: err main::#1350 > Sympa::WWW::Auth::get_email_by_net_id#322 > Sympa::Database::connect#153 > (eval)#153 > Sympa::DatabaseDriver::LDAP::_connect#179 Failed to bind to LDAP server ldap://ldap.ourdomain.edu:389: (1) Unexpected EOF
Nov 8 18:16:36 sympa wwsympa[85131]: err main::#1350 > Sympa::WWW::Auth::get_email_by_net_id#322 > Sympa::Database::connect#157 Can't connect to Database Sympa::DatabaseDriver::LDAP <host=ldap://ldap.ourdomain.edu:389;timeout=7;use_tls=none>:
Nov 8 18:16:36 sympa wwsympa[85131]: err main::#1350 > Sympa::WWW::Auth::get_email_by_net_id#323 Unable to connect to the LDAP server "ldap.ourdomain.edu:389"
-------------------
Oddly, CAS does return the netid which is the email address we're looking for; so, I tried substituting netid for the mail attribute in the config but I got the same LDAP bind error as above.
ldap_email_attribute netid
Q: Does the CAS config require us to create an LDAP service account for Sympa to use the current CAS implementation, and add credentials to the auth.conf CAS config?
bind_dn ldap bind path
bind_password ldap passwd to data
2) Researching CAS I see it can be configured on a per app basis to release attributes which would keep the LDAP query on the CAS side, https://apereo.github.io/cas/5.0.x/integration/Attribute-Release-Policies.html.
Q: If we configure the CAS server to return the 'mail' attribute will Sympa be able to use it w/o querying the LDAP server?
Ideally, Sympa would recognize the 'netid' value and if it was a valid email pattern then use it to login the user w/o a separate LDAP query. Any insight would be helpful.
Thank you,
Terry McLaren
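An added example, not from Sympa's code base or from this thread: it parses the CAS paragraph shown above and builds the LDAP lookup the post describes (bind to ldap_host, search ldap_suffix, replace [uid] in ldap_get_email_by_uid_filter with the CAS netid, read ldap_email_attribute). The ldap:// prefix is taken from the log line, the 'sub' scope default and the RFC 4515 escaping of the netid are my own assumptions, not a claim about how Sympa itself does it.

```python
# Constructed sample: the CAS paragraph from the post, as plain auth.conf text.
AUTH_CONF = """\
cas
base_url https://cas.ourdomain:8443
auth_service_friendly_name Our CAS Server
auth_service_name our_cas
ldap_host ldap.ourdomain:389
ldap_get_email_by_uid_filter (uid=[uid])
ldap_timeout 7
ldap_suffix dc=ourdomain,dc=fr
ldap_scope sub
ldap_email_attribute mail
"""

def parse_auth_conf(text):
    """Parse auth.conf-style paragraphs: a line naming the auth type, then
    'key value' lines until a blank line. Lines starting with '#' are comments."""
    paragraphs, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.lstrip().startswith('#'):
            continue
        if not line.strip():          # blank line ends the paragraph
            current = None
            continue
        if current is None:           # first non-blank line is the auth type
            current = {'type': line.strip()}
            paragraphs.append(current)
            continue
        key, _, value = line.strip().partition(' ')
        current[key] = value.strip()
    return paragraphs

def escape_filter_value(value):
    """RFC 4515 escaping (assumed here, not Sympa's own code) so a netid
    substituted into the filter cannot change the filter's structure."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)

def build_email_lookup(para, uid):
    """Describe the LDAP query Sympa would need for the CAS netid `uid`.
    bind_dn is None when the paragraph has no service account (anonymous bind)."""
    host = para['ldap_host']
    url = host if '://' in host else 'ldap://' + host   # matches the logged ldap://host:389
    filt = para['ldap_get_email_by_uid_filter'].replace('[uid]', escape_filter_value(uid))
    return {'url': url, 'base': para['ldap_suffix'],
            'scope': para.get('ldap_scope', 'sub'), 'filter': filt,
            'attribute': para['ldap_email_attribute'],
            'timeout': int(para.get('ldap_timeout', 0)), 'bind_dn': para.get('bind_dn')}
```

With no bind_dn the lookup is an anonymous bind; the "Unexpected EOF" in the log is raised while binding and means the connection was closed, not that credentials were rejected, so the transport (port, TLS) is worth checking before adding a service account.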