Subject: The mailing list for listmasters using Sympa
- From: Terry McLaren <address@concealed>
- To: address@concealed
- Subject: [sympa-users] CAS LDAP login
- Date: Wed, 1 Dec 2021 15:27:39 -0600
Greetings - I could use a second set of eyes getting the CAS/LDAP login working. I'm configuring sympa v6.2.62 and it appears Sympa::WWW::Auth::get_email_by_net_id() is not getting populated with the user's email address. For a sanity check I configured the LDAP Auth to verify my ldap settings and users can log in as designed.
The CAS config works up to the point where it queries LDAP for the user's email address. At that point any ldap_get_email_by_uid_filter fails to get past the Sympa::WWW::Auth::get_email_by_net_id() and results in the same error message in the logs. I've tried many filters with the same log results.
Notes:
- This school uses the email address for the CAS login vs a userid.
- The LDAP Auth successfully uses the standard filter.
- The CAS Auth filters - I've tried all filters separately and then started stringing them with an OR statement.
Below are the sanitized versions of the auth.conf and log results. Any help or suggestions would be appreciated.
Thank you,
Terry McLaren
-------------------------
#auth.conf
cas
base_url https://cas.school.edu/cas
non_blocking_redirection off
auth_service_name cas-school
auth_service_friendly_name School Login
ldap_host ldap.school.edu:636
ldap_use_tls ldaps
ldap_ssl_version tlsv1_2
ldap_bind_dn CN=sympa,OU=Service Accounts,DC=school,DC=edu
ldap_bind_password xxxxxxxxxxxx
ldap_timeout 10
ldap_suffix dc=school,dc=edu
ldap_get_email_by_uid_filter (|(uid=[sender])(uid=[netid])(mail=[netid])(mail=[sender])(mail=[userPrincipalName])(userPrincipalName=[netid]))
ldap_email_attribute mail
ldap_scope sub
ldap
host ldap.school.edu:636
use_tls ldaps
ssl_version tlsv1_2
bind_dn CN=sympa,OU=Service Accounts,DC=school,DC=edu
bind_password xxxxxxxxxxxxxxx
timeout 20
suffix dc=school,dc=edu
get_dn_by_uid_filter (uid=[sender])
get_dn_by_email_filter (mail=[sender])
email_attribute mail
scope sub
LDAP Log Results
----------------
Dec 1 14:27:53 sympa wwsympa[21904]: info main::do_login() [robot lists.school.edu] [session 15241926984664] [client 100.100.100.100]
Dec 1 14:27:53 sympa wwsympa[21904]: notice main::is_ldap_user() [robot lists.school.edu] [session 15241926984664] [client 100.100.100.100] No entry in the LDAP Directory Tree of ldap.school.edu:636
Dec 1 14:28:06 sympa wwsympa[21905]: info main::do_login(address@concealed) [robot lists.school.edu] [session 15241926984664] [client 100.100.100.100]
Dec 1 14:28:06 sympa wwsympa[21905]: notice main:: Redirecting to https://lists.school.edu/lists
Dec 1 14:28:07 sympa wwsympa[21906]: info main::do_home() [robot lists.school.edu] [session 15241926984664] [client 100.100.100.100] [user address@concealed]
Result: Student is logged into Sympa.
CAS Log Results
---------------
Dec 1 11:29:13 sympa wwsympa[90197]: info main::do_home() [robot lists.school.edu] [session 11466335598318] [client 100.100.100.100]
Dec 1 11:29:16 sympa wwsympa[90196]: info main::do_sso_login(cas-school) [robot lists.school.edu] [session 11466335598318] [client 100.100.100.100]
Dec 1 11:29:16 sympa wwsympa[90196]: info main::do_sso_login(https://cas.school.edu/cas/login?service=https://lists.school.edu/lists/sso_login_succeeded/cas-school) [robot lists.school.edu] [session 11466335598318] [client 100.100.100.100]
Dec 1 11:29:40 sympa wwsympa[90195]: notice main:: CAS ticket is detected. in{'ticket'}=ST-46776-5o089uhak49gC0p5mkEC-47mCvE-ip-10-139-20-63 checked_cas=0
Dec 1 11:29:41 sympa wwsympa[90195]: notice main:: Login CAS OK server netid=address@concealed
Dec 1 11:29:41 sympa wwsympa[90195]: notice Sympa::WWW::Auth::get_email_by_net_id() No entry in the LDAP Directory Tree of ldap.school.edu:636
Dec 1 11:29:41 sympa wwsympa[90195]: info main::do_sso_login_succeeded(cas-school) [robot lists.school.edu] [session 11466335598318] [client 100.100.100.100]
Dec 1 11:29:41 sympa wwsympa[90198]: info main::do_home() [robot lists.school.edu] [session 11466335598318] [client 100.100.100.100]
Result: While we successfully logged into CAS, the LDAP query fails and student is NOT logged into Sympa.
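Added here as a way to reproduce the failing lookup outside Sympa (example code, not from the post or from Sympa itself): it resolves the [name] placeholders in the CAS ldap_get_email_by_uid_filter the way a plain substitution would, reports any placeholder CAS did not supply (those become empty assertions such as (uid=)), LDAP-escapes the CAS-supplied value, and builds the matching ldapsearch command. The attribute set and the exact substitution rule are assumptions; compare against get_email_by_net_id in the installed 6.2.62 source.

```python
import re
import shlex

# Constructed sample: the filter from the auth.conf above and the one value the
# CAS step is known to have produced according to the log ("netid=<email>").
# Which placeholder names Sympa resolves is an assumption; check the source.
FILTER = ("(|(uid=[sender])(uid=[netid])(mail=[netid])(mail=[sender])"
          "(mail=[userPrincipalName])(userPrincipalName=[netid]))")
CAS_ATTRS = {"netid": "student@school.edu"}

_PLACEHOLDER = re.compile(r"\[([\w-]+)\]")


def escape_filter_value(value):
    """RFC 4515 escaping so an identity-provider value cannot change filter structure."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def resolve_filter(template, attrs):
    """Substitute [name] placeholders; return (effective filter, unresolved names)."""
    unresolved = []

    def sub(match):
        name = match.group(1)
        if attrs.get(name) is None:
            if name not in unresolved:
                unresolved.append(name)
            return ""  # empty assertion value, e.g. (uid=), which matches no entry
        return escape_filter_value(str(attrs[name]))

    return _PLACEHOLDER.sub(sub, template), unresolved


def ldapsearch_command(host, bind_dn, base, filt, attr):
    """ldapsearch invocation that runs the same query with the same bind account."""
    args = ["ldapsearch", "-H", "ldaps://" + host, "-D", bind_dn, "-W",
            "-b", base, "-s", "sub", filt, attr]
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    effective, missing = resolve_filter(FILTER, CAS_ATTRS)
    print("effective filter:", effective)
    print("placeholders CAS did not supply:", missing)
    print(ldapsearch_command("ldap.school.edu:636",
                             "CN=sympa,OU=Service Accounts,DC=school,DC=edu",
                             "dc=school,dc=edu", effective, "mail"))
```

Run the printed ldapsearch against the directory; if it returns the entry while Sympa logs "No entry", the difference lies in the placeholders Sympa actually fills rather than in the directory data.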