Re: [sympa-users] CAS LDAP login
sympa-users, the mailing list for listmasters using Sympa
  • From: Jérôme Pouilloux <address@concealed>
  • To: address@concealed
  • Subject: Re: [sympa-users] CAS LDAP login
  • Date: Thu, 2 Dec 2021 10:27:26 +0100

Hi,

Do you need both authentications?

In my configuration I have:

cas
    base_url                        https://casl2-test.univ-lyon2.fr/cas
    non_blocking_redirection        on
    auth_service_name               Authentification-CAS
    ldap_host                       ldaply2.univ-lyon2.fr:636
    ldap_bind_dn                    cn=Application SYMPA,ou=comptes de service,dc=univ-lyon2,dc=fr
    ldap_bind_password              *************
    ldap_get_email_by_uid_filter    (uid=[uid])
    ldap_timeout                    20
    ldap_suffix                     ou=people,dc=univ-lyon2,dc=fr
    ldap_scope                      sub
    ldap_email_attribute            mail
    login_path                      /login
    logout_path                     /logout
    ldap_use_ssl                    1
    ssl_version                     tlsv1_2

But no specific ldap configuration like yours; it is all in the cas configuration.

Hope this helps.

On 01/12/2021 22:27, Terry McLaren wrote:
Greetings - I could use a second set of eyes getting the CAS/LDAP login working. I'm configuring Sympa v6.2.62 and it appears Sympa::WWW::Auth::get_email_by_net_id() is not getting populated with the user's email address. For a sanity check I configured the LDAP Auth to verify my ldap settings, and users can log in as designed.

The CAS config works up to the point where it queries LDAP for the user's email address. At that point any ldap_get_email_by_uid_filter fails to get past Sympa::WWW::Auth::get_email_by_net_id() and results in the same error message in the logs. I've tried many filters with the same log results.

Notes:
- This school uses the email address for the CAS login rather than a userid.
- The LDAP Auth successfully uses the standard filter.
- The CAS Auth filters: I've tried all filters separately and then started stringing them together with an OR statement.

Below are the sanitized versions of the auth.conf and log results.  Any help or suggestions would be appreciated.

Thank you,

Terry McLaren
-------------------------
#auth.conf
cas
    base_url                        https://cas.school.edu/cas
    non_blocking_redirection        off
    auth_service_name               cas-school
    auth_service_friendly_name      School Login
    ldap_host                       ldap.school.edu:636
    ldap_use_tls                    ldaps
    ldap_ssl_version                tlsv1_2
    ldap_bind_dn                    CN=sympa,OU=Service Accounts,DC=school,DC=edu
    ldap_bind_password              xxxxxxxxxxxx
    ldap_timeout                    10
    ldap_suffix                     dc=school,dc=edu
    ldap_get_email_by_uid_filter    (|(uid=[sender])(uid=[netid])(mail=[netid])(mail=[sender])(mail=[userPrincipalName])(userPrincipalName=[netid]))
    ldap_email_attribute            mail
    ldap_scope                      sub

ldap
    host                        ldap.school.edu:636
    use_tls                     ldaps
    ssl_version                 tlsv1_2
    bind_dn                     CN=sympa,OU=Service Accounts,DC=school,DC=edu
    bind_password               xxxxxxxxxxxxxxx
    timeout                     20
    suffix                      dc=school,dc=edu
    get_dn_by_uid_filter        (uid=[sender])
    get_dn_by_email_filter      (mail=[sender])
    email_attribute             mail
    scope                       sub



LDAP Log Results
----------------
Dec  1 14:27:53 sympa wwsympa[21904]: info main::do_login() [robot lists.school.edu] [session 15241926984664] [client 100.100.100.100]
Dec  1 14:27:53 sympa wwsympa[21904]: notice main::is_ldap_user() [robot lists.school.edu] [session 15241926984664] [client 100.100.100.100] No entry in the LDAP Directory Tree of ldap.school.edu:636
Dec  1 14:28:06 sympa wwsympa[21905]: info main::do_login(address@concealed) [robot lists.school.edu] [session 15241926984664] [client 100.100.100.100]
Dec  1 14:28:06 sympa wwsympa[21905]: notice main:: Redirecting to https://lists.school.edu/lists
Dec  1 14:28:07 sympa wwsympa[21906]: info main::do_home() [robot lists.school.edu] [session 15241926984664] [client 100.100.100.100] [user address@concealed]

Result:  Student is logged into Sympa.

CAS Log Results
---------------
Dec  1 11:29:13 sympa wwsympa[90197]: info main::do_home() [robot lists.school.edu] [session 11466335598318] [client 100.100.100.100]
Dec  1 11:29:16 sympa wwsympa[90196]: info main::do_sso_login(cas-school) [robot lists.school.edu] [session 11466335598318] [client 100.100.100.100]
Dec  1 11:29:16 sympa wwsympa[90196]: info main::do_sso_login(https://cas.school.edu/cas/login?service=https://lists.school.edu/lists/sso_login_succeeded/cas-school) [robot lists.school.edu] [session 11466335598318] [client 100.100.100.100]
Dec  1 11:29:40 sympa wwsympa[90195]: notice main:: CAS ticket is detected. in{'ticket'}=ST-46776-5o089uhak49gC0p5mkEC-47mCvE-ip-10-139-20-63 checked_cas=0
Dec  1 11:29:41 sympa wwsympa[90195]: notice main:: Login CAS OK server address@concealed
Dec  1 11:29:41 sympa wwsympa[90195]: notice Sympa::WWW::Auth::get_email_by_net_id() No entry in the LDAP Directory Tree of ldap.school.edu:636
Dec  1 11:29:41 sympa wwsympa[90195]: info main::do_sso_login_succeeded(cas-school) [robot lists.school.edu] [session 11466335598318] [client 100.100.100.100]
Dec  1 11:29:41 sympa wwsympa[90198]: info main::do_home() [robot lists.school.edu] [session 11466335598318] [client 100.100.100.100]

Result: While we successfully logged into CAS, the LDAP query fails and the student is NOT logged into Sympa.
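An added example, not taken from the thread or from Sympa's code base: a small Python model of the filter substitution and LDAP lookup the two messages are debugging. In the working config in the reply the CAS-returned identifier is referenced as `[uid]`; the filter in the question uses `[sender]`, `[netid]` and `[userPrincipalName]`, and the model shows what happens to placeholders for which the lookup has no value (the result is the same "no entry" outcome whatever the filter). Since this school's CAS login is the email address, the model also runs `(mail=[uid])` against the same sample directory. Assumptions made here: that only `uid` is supplied when the filter is expanded after a CAS login, and that unknown placeholders become empty; the directory entries are constructed, and the RFC 4515 escaping helper is added hardening, not something the page shows Sympa doing.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample directory standing in for ldap.school.edu (invented entries,
# not real data). The school's CAS identifier is the email address, so it has to
# be matched against `mail`, not `uid`.
DIRECTORY: List[Dict[str, str]] = [
    {"uid": "jsmith", "mail": "jsmith@school.edu", "userPrincipalName": "jsmith@school.edu"},
    {"uid": "adoe",   "mail": "adoe@school.edu",   "userPrincipalName": "adoe@school.edu"},
]

# The filter quoted in the question, and a candidate using the [uid] placeholder
# as the reply's working configuration does.
TERRY_FILTER = ("(|(uid=[sender])(uid=[netid])(mail=[netid])(mail=[sender])"
                "(mail=[userPrincipalName])(userPrincipalName=[netid]))")
EMAIL_LOGIN_FILTER = "(mail=[uid])"

PLACEHOLDER = re.compile(r"\[([\w-]+)\]", re.IGNORECASE)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value interpolated into a filter, so an identifier
    returned by CAS can never change the filter's structure (added hardening here;
    how Sympa itself treats the value is not shown on this page)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def expand_filter(template: str, attributes: Dict[str, str]) -> Tuple[str, List[str]]:
    """Substitute [name] placeholders from `attributes`. For a CAS login the only
    name supplied is `uid` (assumption, consistent with the reply's working config).
    Unknown names are recorded and become empty, as an undefined value would."""
    unresolved: List[str] = []

    def sub(m: "re.Match[str]") -> str:
        name = m.group(1)
        if name not in attributes:
            unresolved.append(name)
            return ""
        return escape_filter_value(attributes[name])

    return PLACEHOLDER.sub(sub, template), unresolved


def parse(flt: str, pos: int = 0):
    """Minimal parser for (attr=value) items and (|...) / (&...) groups, which is
    all the filters in the thread use. Returns (node, next_position)."""
    if flt[pos] != "(":
        raise ValueError("expected '(' at %d in %r" % (pos, flt))
    pos += 1
    if flt[pos] in "|&":
        op, pos, children = flt[pos], pos + 1, []
        while flt[pos] == "(":
            node, pos = parse(flt, pos)
            children.append(node)
        return (op, children), pos + 1          # skip the group's closing ')'
    end = flt.index(")", pos)                   # an escaped ')' is '\29', never literal
    attr, _, value = flt[pos:end].partition("=")
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("=", attr, value), end + 1


def matches(node, entry: Dict[str, str]) -> bool:
    """Evaluate a parsed filter against one entry. An empty assertion value never
    matches here, which is the effect of an unresolved placeholder."""
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    _, attr, value = node
    return value != "" and entry.get(attr) == value


def resolve_email(template: str, cas_user: str, directory: List[Dict[str, str]],
                  email_attribute: str = "mail") -> Tuple[Optional[str], str, List[str]]:
    """Outline of the email lookup after a CAS login: expand the configured filter
    with the CAS identifier as [uid], search, and return the email attribute of the
    first hit. Also returns the expanded filter and any unsubstituted placeholders."""
    flt, unresolved = expand_filter(template, {"uid": cas_user})
    node, _ = parse(flt)
    hits = [e for e in directory if matches(node, e)]
    return (hits[0].get(email_attribute) if hits else None), flt, unresolved


if __name__ == "__main__":
    for label, template in (("question's filter", TERRY_FILTER),
                            ("reply's filter", "(uid=[uid])"),
                            ("email-login filter", EMAIL_LOGIN_FILTER)):
        email, flt, unresolved = resolve_email(template, "jsmith@school.edu", DIRECTORY)
        print("%-20s -> %s" % (label, flt))
        print("%-20s    unresolved=%s email=%s" % ("", sorted(set(unresolved)), email))
```

Running it shows the question's filter collapsing to `(|(uid=)(uid=)(mail=)...)` with every placeholder unresolved, `(uid=[uid])` expanding correctly but not matching because the CAS identifier is an address rather than a uid, and `(mail=[uid])` returning the address. The escaping helper is there because the substituted value comes from an external identity provider and is spliced into a query.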