Hi,
I am still searching for a way to use SSO CAS with a group filter. I want only allowed groups to be able to access my Nextcloud.
I found something that seems to work, but not perfectly:
I first tested this LDAP configuration without user_cas. This one works fine and only lets uid1 connect to Nextcloud:
+-------------------------------+------------------------------------------------------+
| Configuration | s01 |
+-------------------------------+------------------------------------------------------+
| hasMemberOfFilterSupport | 0 |
| hasPagedResultSupport | |
| homeFolderNamingRule | attr:uid |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | uid=MonAdm,ou=***,ou=***,o=****,c=*** |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | uid;cn |
| ldapBackupHost | |
| ldapBackupPort | |
| ldapBase | ou=***,ou=***,o=***,c=*** |
| ldapBaseGroups | ou=***,ou=***,o=***,c=*** |
| ldapBaseUsers | ou=***,ou=***,o=***,c=*** |
| ldapCacheTTL | 3600 |
| ldapConfigurationActive | 1 |
| ldapDefaultPPolicyDN | |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 1 |
| ldapExpertUUIDGroupAttr | |
| ldapExpertUUIDUserAttr | |
| ldapExpertUsernameAttr | uid |
| ldapGidNumber | gidNumber |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | |
| ldapGroupFilterGroups | |
| ldapGroupFilterMode | 0 |
| ldapGroupFilterObjectclass | |
| ldapGroupMemberAssocAttr | uniqueMember |
| ldapHost | ldap.*****.*** |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(|(uid=uid1))(uid=%uid)) |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 0 |
| ldapLoginFilterMode | 0 |
| ldapLoginFilterUsername | 1 |
| ldapNestedGroups | 0 |
| ldapOverrideMainServer | |
| ldapPagingSize | 500 |
| ldapPort | 389 |
| ldapQuotaAttribute | |
| ldapQuotaDefault | |
| ldapTLS | 0 |
| ldapUserAvatarRule | default |
| ldapUserDisplayName | cn |
| ldapUserDisplayName2 | |
| ldapUserFilter | (|(uid=uid1)) |
| ldapUserFilterGroups | |
| ldapUserFilterMode | 0 |
| ldapUserFilterObjectclass | |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 0 |
| turnOnPasswordChange | 0 |
| useMemberOfToDetectMembership | 1 |
+-------------------------------+------------------------------------------------------+
Then I activated user_cas and used this configuration:
"user_cas": {
"cas_access_allow_groups": "mailuid1@ac-caen.fr",
"cas_access_group_quotas": "",
"cas_autocreate": "1",
"cas_cert_path": "",
"cas_debug_file": "\/var\/log\/phpcas\/phpcas-nextcloud.log",
"cas_default_group": "",
"cas_disable_logout": "0",
"cas_displayName_mapping": "",
"cas_ecas_accepted_strengths": "",
"cas_ecas_assurance_level": "",
"cas_ecas_attributeparserenabled": "0",
"cas_ecas_request_full_userdetails": "0",
"cas_ecas_retrieve_groups": "",
"cas_email_mapping": "email",
"cas_force_login": "1",
"cas_force_login_exceptions": "",
"cas_group_mapping": "email",
"cas_handlelogout_servers": "",
"cas_link_to_ldap_backend": "1",
"cas_php_cas_path": "",
"cas_protected_groups": "admin",
"cas_server_hostname": "***.***.fr",
"cas_server_path": "",
"cas_server_port": "443",
"cas_server_version": "2.0",
"cas_service_url": "",
"cas_update_user_data": "1",
"cas_use_proxy": "0",
"enabled": "yes",
"installed_version": "1.5.6",
"types": "prelogin,authentication"
},
In this configuration I use email as “cas_group_mapping”, and then in “cas_access_allow_groups” I only authorized uid1's email to connect to my Nextcloud. This trick is just to test the group filter.
And it works, but not perfectly:
- If a non-allowed user tries to connect, he gets a “forbidden” message alert as expected and can’t connect.
- But if this user tries to go back to my Nextcloud URL, he gets the LDAP authentication screen instead of the CAS authentication screen (can someone tell me why? I have to clear my cookies to get the CAS authentication screen back; why did it create a cookie (token?) for a non-allowed user?).
- Moreover, in this LDAP authentication screen my LDAP configuration, especially ldapLoginFilter and ldapUserFilter, is completely ignored,
- and this non-allowed user can connect successfully.
If someone has an idea…
Cordially
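As an added example (not part of the original post, nor code from the user_ldap or user_cas apps), the following Python evaluates the two access decisions the post relies on: the ldapLoginFilter from the configuration dump, applied to constructed directory entries with the login name substituted for %uid, and a user_cas-style check of the attribute named by cas_group_mapping against cas_access_allow_groups. The directory entries and the uid2 user are constructed sample data; the filter parser is a minimal one supporting only &, | and equality, which is all the post's filters use.

```python
def escape_filter_value(value):
    """Escape the characters RFC 4515 treats specially in a filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def parse_filter(s, i=0):
    """Parse an LDAP filter with &, | and equality items into a small tree."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|":                       # composite filter
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        assert s[i] == ")", "unbalanced filter"
        return (op, kids), i + 1
    j = s.index(")", i)                    # simple (attr=value) item
    attr, _, val = s[i:j].partition("=")
    return ("=", attr.strip().lower(), val), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry of the form {attr: [values]}."""
    op = node[0]
    if op == "=":
        vals = [v.lower() for v in entry.get(node[1], [])]
        return bool(vals) if node[2] == "*" else node[2].lower() in vals
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    return any(matches(k, entry) for k in node[1])   # op == "|"

# Values copied from the post's user_ldap and user_cas configuration dumps
LDAP_LOGIN_FILTER = "(&(|(uid=uid1))(uid=%uid))"
CAS_GROUP_MAPPING = "email"
CAS_ACCESS_ALLOW_GROUPS = "mailuid1@ac-caen.fr"

DIRECTORY = [  # constructed sample entries; uid2 must be rejected by both checks
    {"uid": ["uid1"], "cn": ["User One"], "mail": ["mailuid1@ac-caen.fr"]},
    {"uid": ["uid2"], "cn": ["User Two"], "mail": ["mailuid2@ac-caen.fr"]},
]

def ldap_login_allowed(login, entries=DIRECTORY):
    """True when ldapLoginFilter, with %uid substituted (escaped), matches an entry."""
    tree, _ = parse_filter(LDAP_LOGIN_FILTER.replace("%uid", escape_filter_value(login)))
    return any(matches(tree, e) for e in entries)

def cas_access_allowed(cas_attributes):
    """user_cas-style check: the cas_group_mapping attribute must be in the allow list."""
    allowed = {g.strip() for g in CAS_ACCESS_ALLOW_GROUPS.split(",") if g.strip()}
    groups = cas_attributes.get(CAS_GROUP_MAPPING, [])
    groups = groups if isinstance(groups, list) else [groups]
    return bool(allowed.intersection(groups))
```

Running both checks side by side shows that a user rejected by the CAS allow list is also rejected by the configured LDAP login filter, so the LDAP login page described in the post accepting that user means the filter is not being applied there.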