Skip to Content.
Sympa Menu

en - Re: [sympa-users] CAS LDAP login

Subject: The mailing list for listmasters using Sympa

List archive

Chronological Thread  
  • From: Terry McLaren <address@concealed>
  • To: address@concealed
  • Subject: Re: [sympa-users] CAS LDAP login
  • Date: Thu, 2 Dec 2021 12:05:13 -0600

Dev Team - The plot thickens.  I tweaked the debug logging data to distinguish the auth_id and attribute/uid fields in  /usr/share/sympa/lib/Sympa/WWW/  line 302.

302     $log->syslog('debug', 'auth_id is: %s, attributes-uid is: %s', $auth_id, $attributes->{'uid'});

I then enable log level 1 (debug)  and noticed auth_id is 0.     Here's the log data:
Dec  2 11:52:50 sympa wwsympa[54289]: notice main:: Login CAS OK server netid=address@concealed
Dec  2 11:52:50 sympa wwsympa[54289]: debug Sympa::WWW::Auth::get_email_by_net_id() auth_id is: 0, attributes-uid is: address@concealed
Dec  2 11:52:50 sympa wwsympa[54289]: notice Sympa::WWW::Auth::get_email_by_net_id() No entry in the LDAP Directory Tree of
I suspect  auth_id  should represent a user id and this CAS server is returning a value Sympa doesn't recognize, so Sympa defaults to null/zero.     Can someone confirm?

This school has configured their CAS server to use the email address as a unique user ID.   Are there any other CAS users using email address vs. standard userid?    

Since the CAS server returned  netid=address@concealed the step to query LDAP is not needed and bypassing the ldap query would be appropriate.   Sympa Dev Team / Sympa Community - your thoughts or suggestions?

Thank you,

Terry McLaren

On Wed, Dec 1, 2021 at 3:27 PM Terry McLaren <address@concealed> wrote:
Greetings - I could use a second set of eyes getting the CAS/LDAP login working.   I'm configuring sympa v6.2.62 and it appears Sympa::WWW::Auth::get_email_by_net_id()  is not getting populated with the user's email address.    For a sanity check I configured the LDAP Auth to verify my ldap settings and users can log in as designed.

The CAS config works up to the point where it queries LDAP for the user's email address.  At that point any ldap_get_email_by_uid_filter fails to get past the Sympa::WWW::Auth::get_email_by_net_id()  and results in the same error message in the logs.   I've tried many filters with the same log results.

- This school uses the email address for the CAS login vs a userid.   
- The LDAP Auth successfully uses the standard filter.
- The CAS Auth filters - I've tried all filters separately and then started stringing them with an OR statement.

Below are the sanitized versions of the auth.conf and log results.  Any help or suggestions would be appreciated.

Thank you,

Terry McLaren
    non_blocking_redirection        off
    auth_service_name               cas-school
   auth_service_friendly_name       School Login
    ldap_use_tls                    ldaps
    ldap_ssl_version                tlsv1_2
    ldap_bind_dn                    CN=sympa,OU=Service Accounts,DC=school,DC=edu
    ldap_bind_password              xxxxxxxxxxxx
    ldap_timeout                    10
    ldap_suffix                     dc=school,dc=edu
    ldap_get_email_by_uid_filter    (|(uid=[sender])(uid=[netid])(mail=[netid])(mail=[sender])(mail=[userPrincipalName])(userPrincipalName=[netid]))
    ldap_email_attribute            mail
    ldap_scope                      sub

    use_tls                     ldaps
    ssl_version                 tlsv1_2
    bind_dn                     CN=sympa,OU=Service Accounts,DC=school,DC=edu
    bind_password               xxxxxxxxxxxxxxx
    timeout                     20
    suffix                      dc=school,dc=edu
    get_dn_by_uid_filter        (uid=[sender])
    get_dn_by_email_filter      (mail=[sender])
    email_attribute             mail
    scope                       sub

LDAP Log Results
Dec  1 14:27:53 sympa wwsympa[21904]: info main::do_login() [robot] [session 15241926984664] [client]
Dec  1 14:27:53 sympa wwsympa[21904]: notice main::is_ldap_user() [robot] [session 15241926984664] [client] No entry in the LDAP Directory Tree of
Dec  1 14:28:06 sympa wwsympa[21905]: info main::do_login(address@concealed) [robot] [session 15241926984664] [client]
Dec  1 14:28:06 sympa wwsympa[21905]: notice main:: Redirecting to
Dec  1 14:28:07 sympa wwsympa[21906]: info main::do_home() [robot] [session 15241926984664] [client] [user address@concealed]

Result:  Student is logged into Sympa.

CAS Log Results
Dec  1 11:29:13 sympa wwsympa[90197]: info main::do_home() [robot] [session 11466335598318] [client]
Dec  1 11:29:16 sympa wwsympa[90196]: info main::do_sso_login(cas-school) [robot] [session 11466335598318] [client]
Dec  1 11:29:16 sympa wwsympa[90196]: info main::do_sso_login( [robot] [session 11466335598318] [client]
Dec  1 11:29:40 sympa wwsympa[90195]: notice main:: CAS ticket is detected. in{'ticket'}=ST-46776-5o089uhak49gC0p5mkEC-47mCvE-ip-10-139-20-63 checked_cas=0
Dec  1 11:29:41 sympa wwsympa[90195]: notice main:: Login CAS OK server netid=address@concealed
Dec  1 11:29:41 sympa wwsympa[90195]: notice Sympa::WWW::Auth::get_email_by_net_id() No entry in the LDAP Directory Tree of
Dec  1 11:29:41 sympa wwsympa[90195]: info main::do_sso_login_succeeded(cas-school) [robot] [session 11466335598318] [client]
Dec  1 11:29:41 sympa wwsympa[90198]: info main::do_home() [robot] [session 11466335598318] [client]

Result:  While we successfully logged into CAS, the LDAP query fails and student is NOT logged into Sympa.  

Archive powered by MHonArc 2.6.19+.

Top of Page