mod_auth_cas & mod_authz_ldap (Active Directory)

Chris c.naslain@lectra.com
Mon Jun 2 10:24:25 EDT 2008


Hi all,

I have some trouble with a CAS + LDAP config. Here is some info on my 
config (2 servers: one dedicated to CAS and one web server hosting the websites):

- CAS Server configuration:
	- CentOS 5
	- apache-tomcat-5.5.25
	- cas-server-3.1.1
	- httpd 2.2.3-11.el5.centos (reverse proxy httpd -> tomcat)
	- CAS configuration: 3 LDAP authenticationHandlers using 3 MS Active 
Directories (Europe, America, Asia)

- Web server configuration (hosting websites):
	- CentOS 5
	- httpd 2.2.3-11.el5_1.centos.3
	- mod_authz_ldap-0.26-8.el5
	- mod_auth_cas-1.0.7 (manually added through the /etc/httpd/conf.d/cas.conf 
config file with the following):
 >>>
LoadModule auth_cas_module modules/mod_auth_cas.so
<IfModule mod_auth_cas.c>
           CASDebug On
           CASCookiePath /tmp/
           CASLoginURL https://cas-rd.company.com/cas/
           CASValidateURL https://cas-rd.company.com/cas/serviceValidate
           CASCertificatePath /etc/pki/tls/certs/casserver.crt
           CASValidateServer on
</IfModule>
<<<

Some tests (.htaccess):

- mod_auth_cas alone:
	AuthType CAS
	AuthName "CAS"
	require valid-user

   This works well. I can log in through CAS.

- mod_authz_ldap alone:
	AuthName "TestProtLDAPz AD"
	AuthType Basic
	AuthzLDAPMethod ldap
	AuthzLDAPServer adserver.eu.company.com:389
	AuthzLDAPBindDN ldapreader@company.com
	AuthzLDAPBindPassword ********
	AuthzLDAPSetGroupAuth ldapdn
	AuthzLDAPUserKey samaccountname
	AuthzLDAPUserBase "OU=Subsidiaries,DC=eu,DC=company,DC=com"
	AuthzLDAPUserScope subtree
	require group "CN=DL_RD.Soft.France.Employee,OU=Subsidiaries,DC=eu,DC=company,DC=com"

   This works well. I can log in through LDAP.

- mod_auth_cas (authentication) + mod_authz_ldap (authorization)
	AuthType CAS
	AuthName "CAS Authentication AD"
	AuthzLDAPMethod ldap
	AuthzLDAPServer adserver.eu.company.com:389
	AuthzLDAPBindDN ldapreader@company.com
	AuthzLDAPBindPassword ********
	AuthzLDAPUserKey samaccountname
	AuthzLDAPUserBase "OU=Subsidiaries,DC=eu,DC=company,DC=com"
	AuthzLDAPUserScope subtree
	AuthzLDAPSetGroupAuth ldapdn
	require group "CN=DL_RD.Soft.France.Employee,OU=Subsidiaries,DC=eu,DC=company,DC=com"

   When I try to access the website http://www.company.com/toto.txt, I 
am first redirected to CAS, where I log in (no error), then back to the 
website with:

"Forbidden
You don't have permission to access /toto.txt on this server."

CAS log shows:
"2008-06-02 16:48:06,505 INFO 
[org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service 
ticket [ST-23-eKtUCGXPZPsA7EV6aTHW] for service 
[http://www.company.com/toto.txt] for user [chris]"

Apache log shows:
"[Mon Jun 02 16:16:40 2008] [error] [client 172.16.48.21] [27479] no 
password?"


Has anyone seen similar behavior? Any idea why this does not work?

Best,

Chris
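An added example, not from the original post or from the mod_auth_cas / mod_authz_ldap projects: the same policy (CAS authenticates the user, an Active Directory group membership authorizes the request) expressed with the mod_authnz_ldap module bundled with httpd 2.2 instead of mod_authz_ldap. It rests on two assumptions the thread does not confirm. First, that the "no password?" line comes from mod_authz_ldap's `ldap` method trying to bind to the directory as the user with the HTTP Basic password, which a CAS-authenticated request never carries. Second, that mod_authnz_ldap on this httpd version, when another module has already set the user, looks that user up with the configured bind account and evaluates `Require ldap-group` against the DN it finds. The host, bind account, user base and group DN are copied from the post; the file name, the `/protected` location, the cookie directory, the module paths and the placeholder password are assumptions.

```apache
# /etc/httpd/conf.d/cas-ldap-authz.conf  (added example; file name assumed)
# CAS for authentication, httpd 2.2's own mod_authnz_ldap for group
# authorization. mod_authz_ldap is deliberately not loaded here.

LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule auth_cas_module    modules/mod_auth_cas.so

<IfModule mod_auth_cas.c>
    # Same CAS endpoints as in the post. The cookie store is moved out of
    # /tmp to a directory assumed to exist and to be owned by the httpd user.
    CASCookiePath      /var/cache/mod_auth_cas/
    CASLoginURL        https://cas-rd.company.com/cas/
    CASValidateURL     https://cas-rd.company.com/cas/serviceValidate
    CASCertificatePath /etc/pki/tls/certs/casserver.crt
    CASValidateServer  on
</IfModule>

<Location /protected>
    AuthType CAS
    AuthName "CAS Authentication AD"

    # Map the CAS principal (REMOTE_USER) to an AD object: search the user
    # base for an entry whose sAMAccountName equals the CAS username.
    AuthLDAPURL "ldap://adserver.eu.company.com:389/OU=Subsidiaries,DC=eu,DC=company,DC=com?sAMAccountName?sub?(objectClass=user)"

    # AD rejects anonymous searches, so the lookup binds as the read-only
    # service account from the post (placeholder password).
    AuthLDAPBindDN       "ldapreader@company.com"
    AuthLDAPBindPassword "********"

    # AD groups carry their members as full DNs in the "member" attribute.
    AuthLDAPGroupAttribute     member
    AuthLDAPGroupAttributeIsDN on

    # Deny, rather than fall through to another module, when the LDAP
    # check cannot be completed.
    AuthzLDAPAuthoritative on

    Require ldap-group "CN=DL_RD.Soft.France.Employee,OU=Subsidiaries,DC=eu,DC=company,DC=com"
</Location>

# Check the lookup the module will perform, independently of httpd:
#   ldapsearch -x -H ldap://adserver.eu.company.com:389 \
#       -D ldapreader@company.com -W \
#       -b "OU=Subsidiaries,DC=eu,DC=company,DC=com" \
#       "(sAMAccountName=chris)" dn memberOf
# The returned dn must be listed in the group's member attribute.
```

Two caveats for this shape of setup. The CAS principal must match the AD sAMAccountName exactly (the CAS log shows `chris`); if the CAS handlers for America or Asia return principals that only exist in those forests, a single `AuthLDAPURL` against the EU domain controller will not find them, which is correct here only because the required group lives in the EU domain. And with `ldap://...:389` the bind password and every query cross the network in clear; on a production host point `AuthLDAPURL` at `ldaps://` port 636 and configure `LDAPTrustedGlobalCert` so mod_ldap validates the domain controller's certificate.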
