Subject: The mailing list for listmasters using Sympa
- From: Olivier Salaün <address@concealed>
- To: address@concealed
- Subject: Re: [sympa-users] CAS Configuration Issues
- Date: Wed, 10 Nov 2021 11:21:55 +0100
Hi Terry,
If you read https://sympa-community.github.io/gpldoc/man/auth.conf.5.html#cas-paragraph you will note that:
- you can define ldap_bind_dn and ldap_bind_password parameters; if not, an anonymous LDAP bind is performed,
- ldap_suffix should refer to your People LDAP branch. For example our auth.conf includes: "ldap_suffix ou=people,dc=univ-rennes1,dc=fr"
If your LDAP bind fails, you should have a look at your LDAP server logs.
Hope it helps...
On 09/11/2021 at 15:51, Terry McLaren wrote:
Greetings - I'm running into issues with CAS auth and attributes. Below I describe my findings and issues. I'm hoping someone can clarify Sympa's current implementation and CAS capabilities.

1) I found a paper describing Sympa's auth and access control implementations, "S. Aumont, O. Salaün, Selected Papers from the TERENA Networking Conference (2004)", and section 2.4.3 covers CAS user attributes. It states the CAS auth implementation is separate from attribute retrieval. So, the workflow appears to require Sympa to do a CAS auth first, and then Sympa needs to query an LDAP for the 'mail' attribute. Is this the case? Using the default CAS auth.conf example, I've run some tests. Here's a sanitized version of our config and log data:
# auth.conf
cas
base_url https://cas.ourdomain:8443
auth_service_friendly_name Our CAS Server
auth_service_name our_cas
ldap_host ldap.ourdomain:389
ldap_get_email_by_uid_filter (uid=[uid])
ldap_timeout 7
ldap_suffix dc=ourdomain,dc=fr
ldap_scope sub
ldap_email_attribute mail
Logs
-------
Nov 8 18:16:36 sympa wwsympa[85131]: notice main:: Login CAS OK server address@concealed
Nov 8 18:16:36 sympa wwsympa[85131]: err main::#1350 > Sympa::WWW::Auth::get_email_by_net_id#322 > Sympa::Database::connect#153 > (eval)#153 > Sympa::DatabaseDriver::LDAP::_connect#179 Failed to bind to LDAP server ldap://ldap.ourdomain.edu:389: (1) Unexpected EOF
Nov 8 18:16:36 sympa wwsympa[85131]: err main::#1350 > Sympa::WWW::Auth::get_email_by_net_id#322 > Sympa::Database::connect#157 Can't connect to Database Sympa::DatabaseDriver::LDAP <host=ldap://ldap.ourdomain.edu:389;timeout=7;use_tls=none>:
Nov 8 18:16:36 sympa wwsympa[85131]: err main::#1350 > Sympa::WWW::Auth::get_email_by_net_id#323 Unable to connect to the LDAP server "ldap.ourdomain.edu:389"
-------------------
Oddly, CAS does return the netid, which is the email address we're looking for; so, I tried substituting netid for the mail attribute in the config, but I got the same LDAP bind error as above.
ldap_email_attribute netid
Q: Does the CAS config require us to create an LDAP service account for Sympa to use the current CAS implementation and add credentials to the auth.conf CAS config?
bind_dn ldap bind path
bind_password ldap passwd to data
2) Researching CAS, I see it can be configured on a per-app basis to release attributes, which would keep the LDAP query on the CAS side: https://apereo.github.io/cas/5.0.x/integration/Attribute-Release-Policies.html.
Q: If we configure the CAS server to return the 'mail' attribute, will Sympa be able to use it w/o querying the LDAP server?

Ideally, Sympa would recognize the 'netid' value and, if it was a valid email pattern, use it to log in the user w/o a separate LDAP query. Any insight would be helpful.
Thank you,
Terry McLaren
--
Olivier Salaün
DSI / pôle SI / équipe SNUM
Tel : 02 23 23 74 54
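The reply above points at two things worth checking in a CAS paragraph before blaming the LDAP server: whether ldap_bind_dn / ldap_bind_password are set (otherwise Sympa binds anonymously) and whether ldap_suffix points at the people branch rather than the directory root. The following script is an added example, not part of the thread and not Sympa's own code; it parses the paragraph format used in auth.conf (a line holding only the paragraph type, followed by "key value" lines) against a constructed sample modelled on Terry's config, reports those two points plus missing keys, and shows the filter that would be sent for a given uid after escaping it per RFC 4515. The sample hostnames are placeholders, and the parser is a simplification of Sympa's real loader.

```python
"""Sanity-check the 'cas' paragraph of a Sympa auth.conf (added example)."""
import sys

# Constructed sample modelled on the config in the thread; not a real file.
SAMPLE_AUTH_CONF = """\
# auth.conf
cas
base_url https://cas.example.org:8443
auth_service_friendly_name Example CAS Server
auth_service_name example_cas
ldap_host ldap.example.org:389
ldap_get_email_by_uid_filter (uid=[uid])
ldap_timeout 7
ldap_suffix dc=example,dc=org
ldap_scope sub
ldap_email_attribute mail
"""

# Keys the cas paragraph in the thread relies on for the email lookup.
REQUIRED_KEYS = (
    "base_url", "auth_service_name", "ldap_host",
    "ldap_get_email_by_uid_filter", "ldap_suffix", "ldap_email_attribute",
)

# RFC 4515 escapes for characters that are special inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def parse_auth_conf(text):
    """Return a list of (paragraph_type, {key: value}) in file order.

    A line with a single token starts a new paragraph (cas, ldap, ...);
    'key value' lines belong to the current paragraph; blank lines and
    '#' comments are skipped.
    """
    paragraphs = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 1:
            current = {}
            paragraphs.append((parts[0], current))
        elif current is not None:
            current[parts[0]] = parts[1]
    return paragraphs


def bind_mode(params):
    """'anonymous', 'authenticated' or 'incomplete' (dn without password)."""
    if "ldap_bind_dn" not in params:
        return "anonymous"
    return "authenticated" if "ldap_bind_password" in params else "incomplete"


def check_cas_paragraph(params):
    """Return human-readable findings for one cas paragraph."""
    findings = []
    for key in REQUIRED_KEYS:
        if key not in params:
            findings.append("missing required key: %s" % key)
    mode = bind_mode(params)
    if mode == "anonymous":
        findings.append("no ldap_bind_dn/ldap_bind_password: Sympa will bind "
                        "anonymously; the LDAP server must allow that")
    elif mode == "incomplete":
        findings.append("ldap_bind_dn set without ldap_bind_password")
    suffix = params.get("ldap_suffix", "")
    if suffix and "ou=" not in suffix.lower():
        findings.append("ldap_suffix '%s' looks like the directory root; point it "
                        "at the people branch (e.g. ou=people,...)" % suffix)
    if "[uid]" not in params.get("ldap_get_email_by_uid_filter", "[uid]"):
        findings.append("ldap_get_email_by_uid_filter has no [uid] placeholder")
    return findings


def escape_filter_value(value):
    """Escape a value so it cannot alter the structure of an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_email_filter(params, uid):
    """The search filter Sympa-style substitution would produce for this uid."""
    return params["ldap_get_email_by_uid_filter"].replace(
        "[uid]", escape_filter_value(uid))


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTH_CONF
    for ptype, params in parse_auth_conf(text):
        if ptype != "cas":
            continue
        print("cas paragraph %s, bind mode: %s" % (params.get("auth_service_name"), bind_mode(params)))
        for finding in check_cas_paragraph(params):
            print("  -", finding)
        print("  filter for uid 'jdoe':", render_email_filter(params, "jdoe"))
```

Run it without arguments to see the findings for the built-in sample, or pass the path of an auth.conf. On the sample it reports the anonymous bind and the root-level ldap_suffix, which are exactly the two points raised in the reply; an authenticated bind is detected as soon as both ldap_bind_dn and ldap_bind_password appear in the paragraph.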