[sympa-users] CAS LDAP login
  • From: Terry McLaren <address@concealed>
  • To: address@concealed
  • Subject: [sympa-users] CAS LDAP login
  • Date: Wed, 1 Dec 2021 15:27:39 -0600

Greetings - I could use a second set of eyes getting the CAS/LDAP login working. I'm configuring Sympa v6.2.62 and it appears Sympa::WWW::Auth::get_email_by_net_id() is not getting populated with the user's email address. For a sanity check I configured the LDAP Auth to verify my LDAP settings, and users can log in as designed.

The CAS config works up to the point where it queries LDAP for the user's email address. At that point any ldap_get_email_by_uid_filter fails to get past Sympa::WWW::Auth::get_email_by_net_id() and results in the same error message in the logs. I've tried many filters with the same log results.

- This school uses the email address for the CAS login rather than a userid.
- The LDAP Auth successfully uses the standard filter.
- The CAS Auth filters: I've tried all filters separately and then started stringing them together with an OR statement.

Below are the sanitized versions of the auth.conf and log results.  Any help or suggestions would be appreciated.

Thank you,

Terry McLaren

    non_blocking_redirection        off
    auth_service_name               cas-school
    auth_service_friendly_name      School Login
    ldap_use_tls                    ldaps
    ldap_ssl_version                tlsv1_2
    ldap_bind_dn                    CN=sympa,OU=Service Accounts,DC=school,DC=edu
    ldap_bind_password              xxxxxxxxxxxx
    ldap_timeout                    10
    ldap_suffix                     dc=school,dc=edu
    ldap_get_email_by_uid_filter    (|(uid=[sender])(uid=[netid])(mail=[netid])(mail=[sender])(mail=[userPrincipalName])(userPrincipalName=[netid]))
    ldap_email_attribute            mail
    ldap_scope                      sub

    use_tls                         ldaps
    ssl_version                     tlsv1_2
    bind_dn                         CN=sympa,OU=Service Accounts,DC=school,DC=edu
    bind_password                   xxxxxxxxxxxxxxx
    timeout                         20
    suffix                          dc=school,dc=edu
    get_dn_by_uid_filter            (uid=[sender])
    get_dn_by_email_filter          (mail=[sender])
    email_attribute                 mail
    scope                           sub

LDAP Log Results
Dec  1 14:27:53 sympa wwsympa[21904]: info main::do_login() [robot] [session 15241926984664] [client]
Dec  1 14:27:53 sympa wwsympa[21904]: notice main::is_ldap_user() [robot] [session 15241926984664] [client] No entry in the LDAP Directory Tree of
Dec  1 14:28:06 sympa wwsympa[21905]: info main::do_login(address@concealed) [robot] [session 15241926984664] [client]
Dec  1 14:28:06 sympa wwsympa[21905]: notice main:: Redirecting to
Dec  1 14:28:07 sympa wwsympa[21906]: info main::do_home() [robot] [session 15241926984664] [client] [user address@concealed]

Result:  Student is logged into Sympa.

CAS Log Results
Dec  1 11:29:13 sympa wwsympa[90197]: info main::do_home() [robot] [session 11466335598318] [client]
Dec  1 11:29:16 sympa wwsympa[90196]: info main::do_sso_login(cas-school) [robot] [session 11466335598318] [client]
Dec  1 11:29:16 sympa wwsympa[90196]: info main::do_sso_login( [robot] [session 11466335598318] [client]
Dec  1 11:29:40 sympa wwsympa[90195]: notice main:: CAS ticket is detected. in{'ticket'}=ST-46776-5o089uhak49gC0p5mkEC-47mCvE-ip-10-139-20-63 checked_cas=0
Dec  1 11:29:41 sympa wwsympa[90195]: notice main:: Login CAS OK server netid=address@concealed
Dec  1 11:29:41 sympa wwsympa[90195]: notice Sympa::WWW::Auth::get_email_by_net_id() No entry in the LDAP Directory Tree of
Dec  1 11:29:41 sympa wwsympa[90195]: info main::do_sso_login_succeeded(cas-school) [robot] [session 11466335598318] [client]
Dec  1 11:29:41 sympa wwsympa[90198]: info main::do_home() [robot] [session 11466335598318] [client]

Result: While we successfully logged into CAS, the LDAP query fails and the student is NOT logged into Sympa.
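The following is an added example to illustrate how a filter like the one posted above expands before it is sent to the directory; it is not code from the original post or from Sympa. It assumes, based on a reading of Sympa's Sympa::WWW::Auth::get_email_by_net_id(), that every `[name]` token in `ldap_get_email_by_uid_filter` is replaced from an attribute hash and that the CAS login path fills that hash with a single key, `uid`, holding the netid returned by CAS (here the e-mail address). Under that assumption tokens such as `[sender]`, `[netid]` and `[userPrincipalName]` expand to empty strings, producing assertions like `(uid=)` that match nothing, which is consistent with the "No entry in the LDAP Directory Tree" notice. The RFC 4515 escaping of substituted values is this example's own addition, not a statement about what Sympa does; the sample netid and filters are constructed.

```python
import re

# Placeholder syntax used in Sympa auth.conf filters: [name]
PLACEHOLDER = re.compile(r"\[([\w-]+)\]")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an LDAP assertion value.

    Example's own addition: a netid containing '*', '(' or ')' would
    otherwise change the structure of the filter it is spliced into.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def expand_filter(template: str, attributes: dict, escape: bool = True) -> str:
    """Replace every [name] token with attributes[name].

    Assumption (see lead-in): an unknown token expands to the empty
    string rather than raising an error.
    """

    def repl(match):
        value = attributes.get(match.group(1), "")
        return escape_filter_value(value) if escape else value

    return PLACEHOLDER.sub(repl, template)


def empty_assertions(ldap_filter: str):
    """Return attribute names whose assertion value came out empty, e.g. '(uid=)'."""
    return re.findall(r"\(([\w.;-]+)=\)", ldap_filter)


# Constructed sample: what the CAS path is assumed to hand over - only the netid, keyed 'uid'.
CAS_ATTRIBUTES = {"uid": "student@school.edu"}

# The filter from the post, and a hypothetical replacement that uses only the [uid] token.
POSTED_FILTER = (
    "(|(uid=[sender])(uid=[netid])(mail=[netid])(mail=[sender])"
    "(mail=[userPrincipalName])(userPrincipalName=[netid]))"
)
CORRECTED_FILTER = "(|(uid=[uid])(mail=[uid])(userPrincipalName=[uid]))"


def check_filter(template: str, attributes: dict = CAS_ATTRIBUTES):
    """Expand a filter template and report which assertions ended up empty."""
    expanded = expand_filter(template, attributes)
    return expanded, empty_assertions(expanded)


if __name__ == "__main__":
    for template in (POSTED_FILTER, CORRECTED_FILTER):
        expanded, empties = check_filter(template)
        print(expanded)
        print("  empty assertions:", empties or "none")
```

Running it prints the posted filter collapsed to `(|(uid=)(uid=)(mail=)(mail=)(mail=)(userPrincipalName=))`, while the `[uid]`-only variant expands to a filter whose every assertion carries the netid. The check can be pointed at any other attribute set (for example the HTTP-header attributes of a generic SSO setup) by passing a different dictionary.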
