CAS with Active Directory

After the trials of running a standalone CAS server, I tried to work with my team on authenticating users against Microsoft Active Directory. In my company, Active Directory (AD) is the most widely integrated database of staff information, so succeeding in authenticating against AD effectively means the central authentication service can be implemented without changing much in the current environment.

However, during the testing stage of connecting the CAS Server to AD, we faced a lot of problems. AD is one implementation of the Lightweight Directory Access Protocol (LDAP). The default CAS Server package contains two kinds of authentication handler for connecting to LDAP servers: Fast Bind and Search-and-bind.
Tutorial - http://www.ja-sig.org/products/cas/server/ldapauthhandler/index.html
For Search-and-bind, the tutorial uses a secure connection to the LDAP server, but no one in my company knew how to turn on LDAP's secure channel, so we gave it up at a very early stage.

So we could only focus on Fast Bind. Our experience shows that the configuration listed in the tutorial does not work for AD. We can only say that the configuration may differ between LDAP servers; the one in the tutorial is for OpenLDAP. Following the post here, I tried changing “uid” to “cn” accordingly, and it finally succeeded. My setting finally looks like this.

It was unexpected that the problem lay here, because I had earlier used a tool called LDAP Browser to check the filter settings, and it showed that using “uid” was valid for connecting to AD.

Besides that, while investigating the AD connection, someone told me that I should ignore the PartialResultException by adding this:

<property name="ignorePartialResultException" value="true" />

I don’t know what it is for so far; I may need to investigate it at a later stage.
http://tp.its.yale.edu/pipermail/cas/2006-September/003417.html
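The fast-bind handler works by substituting the submitted username into a DN template (the `%u` placeholder in the CAS filter string) and binding as that DN, which is exactly why the RDN attribute matters: an OpenLDAP directory typically names people by `uid`, while accounts in AD's default container are named by `cn`. The example below is added to this post and is not code from the CAS project; it shows the substitution for both template styles, escapes the username per RFC 4514 so that a user cannot inject extra RDNs into the bind DN, and escapes values for a search-and-bind filter per RFC 4515. The template strings, account container names and sample usernames are constructed for illustration.

```python
"""Fast-bind DN templating for LDAP/Active Directory with RFC 4514 escaping.

Added example, not part of the CAS distribution. Models the fast-bind
handler's filter string, where %u is replaced by the submitted username
to form the DN that is bound as. All templates below are constructed.
"""

# Characters that must be escaped inside a DN attribute value (RFC 4514 2.4).
_DN_SPECIAL = {',', '+', '"', '\\', '<', '>', ';', '='}

# Constructed templates: the tutorial's OpenLDAP-style DN names users by uid;
# AD accounts under the default Users container are named by cn.
OPENLDAP_TEMPLATE = "uid=%u,ou=people,dc=example,dc=com"
AD_TEMPLATE = "cn=%u,cn=Users,dc=corp,dc=example,dc=com"


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:          # leading '#' would start a hex string
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):  # leading/trailing space
            out.append('\\ ')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def build_bind_dn(template: str, username: str) -> str:
    """Fill the %u placeholder with the escaped username.

    Escaping keeps an input such as 'x,cn=Admins' inside a single RDN value
    instead of letting it become a second RDN of the bind DN.
    """
    if "%u" not in template:
        raise ValueError("template has no %u placeholder")
    if not username or username != username.strip():
        raise ValueError("username must be non-empty with no surrounding whitespace")
    return template.replace("%u", escape_dn_value(username))


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a search filter (RFC 4515)."""
    repl = {'\\': '\\5c', '*': '\\2a', '(': '\\28', ')': '\\29', '\x00': '\\00'}
    return ''.join(repl.get(ch, ch) for ch in value)


def build_search_filter(attribute: str, username: str) -> str:
    """Filter for the search-and-bind style, e.g. (sAMAccountName=jsmith)."""
    return f"({attribute}={escape_filter_value(username)})"


if __name__ == "__main__":
    for name in ("jsmith", "x,cn=Admins"):
        print("AD fast bind      :", build_bind_dn(AD_TEMPLATE, name))
        print("OpenLDAP fast bind:", build_bind_dn(OPENLDAP_TEMPLATE, name))
    print("search filter     :", build_search_filter("sAMAccountName", "j*)(objectClass=*"))
```

Two points worth keeping in mind when reading this against the post. First, a simple bind sends the password in clear text unless the connection is protected, which is what the tutorial's ldaps:// URL provides; a plain ldap:// fast bind to AD exposes every user's password on the network between CAS and the domain controller. Second, the PartialResultException mentioned above is what JNDI raises when the directory returns referrals that the client is configured to ignore; AD does this when a search is rooted at the domain naming context, because it refers the client to its other partitions, and the Spring LDAP property shown in the post tells the template to swallow that exception rather than fail the search.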

I’m not sure that a secure LDAP url is required. We just have it turned on at Rutgers so that’s what the example shows.

We’re also going to update the documentation to reflect the different configurations for the different servers.

This also may help explain the Partial Results Exception:
http://sourceforge.net/mailarchive/forum.php?thread_id=9976915&forum_id=47521

I see. Thanks for your information, Scott.
Let me take a look at the information about Partial Results Exception, and I will let you know if I have any findings.