我做了文档中关于在CAS中设置LDAP身份验证的内容。 (https://apereo.github.io/cas/4.2.x/installation/LDAP-Authentication.html)
CAS服务器目前正在运行,但无法创建用户使用LDAP凭据登录。我正在使用JXplorer添加用户,我将其添加到deployerConfigContext.xml
:
<ldaptive:bind-search-authenticator id="authenticator"
ldapUrl="${ldap.url}"
baseDn="${ldap.baseDn}"
userFilter="${ldap.authn.searchFilter}"
bindDn="${ldap.managerDn}"
bindCredential="${ldap.managerPassword}"
connectTimeout="${ldap.connectTimeout}"
useStartTLS="${ldap.useStartTLS}"
blockWaitTime="${ldap.pool.blockWaitTime}"
maxPoolSize="${ldap.pool.maxSize}"
allowMultipleDns="${ldap.allowMultipleDns:false}"
usePasswordPolicy="${ldap.usePpolicy:false}"
minPoolSize="${ldap.pool.minSize}"
validateOnCheckOut="${ldap.pool.validateOnCheckout}"
validatePeriodically="${ldap.pool.validatePeriodically}"
validatePeriod="${ldap.pool.validatePeriod}"
idleTime="${ldap.pool.idleTime}"
prunePeriod="${ldap.pool.prunePeriod}"
failFastInitialize="true"
subtreeSearch="${ldap.subtree.search:true}"
useSSL="${ldap.use.ssl:false}"
/>
然后,我将其添加到cas.properties
文件中:
#========================================
# General properties
#========================================
ldap.url=ldap://myip:389
# Start TLS for SSL connections
ldap.useStartTLS=false
# Directory root DN
# ldap.rootDn=dc=com
# Base DN of users to be authenticated
ldap.baseDn=ou=people,dc=maxcrc,dc=com
# LDAP connection timeout in milliseconds
ldap.connectTimeout=3000
# Manager credential DN
ldap.managerDn=cn=Manager,dc=maxcrc,dc=com
# Manager credential password
ldap.managerPassword=secret
#========================================
# LDAP connection pool configuration
#========================================
ldap.pool.minSize=1
ldap.pool.maxSize=10
ldap.pool.validateOnCheckout=false
ldap.pool.validatePeriodically=true
# Amount of time in milliseconds to block on pool exhausted condition
# before giving up.
ldap.pool.blockWaitTime=3000
# Frequency of connection validation in seconds
# Only applies if validatePeriodically=true
ldap.pool.validatePeriod=300
# Attempt to prune connections every N seconds
ldap.pool.prunePeriod=300
# Maximum amount of time an idle connection is allowed to be in
# pool before it is liable to be removed/destroyed
ldap.pool.idleTime=600
#========================================
# Authentication
#========================================
ldap.authn.searchFilter=cn={user}
# Ldap domain used to resolve dn
ldap.domain=example.org
# Should LDAP Password Policy be enabled?
ldap.usePpolicy=false
# Allow multiple DNs during authentication?
ldap.allowMultipleDns=false
现在,我找不到有关如何在LDAP for CAS中创建用户的任何信息。是的,我看到了一些似乎合法的属性。所以我在JXplorer中创建了一个organizationalPerson
。我设置了密码并尝试使用用户名(cn=...
)登录。但正如我所料,这不起作用。
那里有什么信息CAS实际上期望从LDAP获得什么?必须有某种指导方针。 cas.properties
信息显示:要验证的用户的基本DN ,但CAS如何知道用户具有哪些属性,或者他甚至必须知道它?
所以总结我的问题:如何在LDAP中创建用户,或者用户如何看待?我如何处理CAS了解我的LDAP服务器的CAS(deployerConfigContext.xml
)?
答案 0 :(得分:1)
CAS不关心您的ldap架构,只要您在配置中正确描述它即可。 CAS也不是LDAP服务器,永远不会填充LDAP服务器和/或创建架构。