Active Directory
New CAS documentation site
CAS documentation has moved over to apereo.github.io/cas, starting with CAS version 4.x. The wiki will no longer be maintained. For the most recent version of the documentation, please refer to the aforementioned link.
Users can be authenticated against MS Active Directory through either its LDAP interface or its Kerberos interface. See the relevant sections in this manual for more details:
- using LDAP
- using Kerberos
- using SPNEGO (non-interactive login: works only under certain conditions)
The advantage of configuring SPNEGO is that users who are already logged in to the AD domain are logged in to CAS automatically, without being asked for their password again. Note that this may not be desirable.
Example Configuration for FastBind and Active Directory
<!-- FastBind: binds directly as the name built from the filter; %u is replaced with the username entered at login -->
<bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
    <property name="filter" value="%u@domainname.tld" />
    <property name="contextSource" ref="contextSource" />
    <property name="ignorePartialResultException" value="yes" />
</bean>

<!-- LDAP connection to the directory over LDAPS -->
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="pooled" value="false"/>
    <property name="url" value="ldaps://fir.conncoll.edu" />
</bean>
The example's filter uses the User Principal Name (UPN), %u@domainname.tld. The full Distinguished Name (DN) was CN=LastName\, FirstName,OU=Users,DC=domainname,DC=tld.
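The following added example (not part of the original page and not CAS code) shows why the UPN filter suits FastBind here: the bind name can be computed from the login name alone, while the DN needs the user's display name with RFC 4514 escaping. The function names, the username policy and the empty-password check are assumptions of this sketch.

```python
import re

UPN_FILTER = "%u@domainname.tld"  # filter value from the configuration above

# Assumed policy for this sketch: plain account names only, so user input
# cannot bring its own "@domain" part or LDAP special characters.
_USERNAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def fastbind_principal(username, password, template=UPN_FILTER):
    """Return the name to present in the simple bind, or raise ValueError."""
    if not _USERNAME.fullmatch(username):
        raise ValueError("unexpected characters in username")
    if not password:
        # RFC 4513 section 5.1.2: a bind with a name but an empty password is
        # an "unauthenticated" bind that a server may accept, so a successful
        # result would prove nothing about the user.
        raise ValueError("empty password")
    return template.replace("%u", username)


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN string (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def user_dn(common_name, base="OU=Users,DC=domainname,DC=tld"):
    """Build a DN of the form quoted above; needs the CN, not the login name."""
    return "CN=" + escape_rdn_value(common_name) + "," + base


if __name__ == "__main__":
    # Constructed sample values.
    print(fastbind_principal("jdoe", "example-password"))
    print(user_dn("LastName, FirstName"))
```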