mod_auth_cas & mod_authz_ldap (Active Directory)

Jehan Procaccia jehan.procaccia at int-evry.fr
Mon Jun 2 12:08:27 EDT 2008


Here is a sample of what I do to authN with CAS and authZ with LDAP:

<Location /usage>
    AuthType Cas
    AuthName "TMSP auth"
    AuthLDAPUrl "ldap://ldapserver.int-evry.fr/dc=int,dc=fr"
    # Require ldap-group cn=securityclearance,ou=Group,dc=example,dc=com
    Require ldap-attribute eduPersonAffiliation=employee
</Location>


Chris wrote:
> Hi all,
>
> I have some trouble with a CAS + LDAP config. Here is some info on my 
> config (2 servers: one dedicated to CAS + 1 web server hosting websites):
>
> - CAS Server configuration:
> 	- CentOS 5
> 	- apache-tomcat-5.5.25
> 	- cas-server-3.1.1
> 	- httpd 2.2.3-11.el5.centos (reverse proxy httpd -> tomcat)
> 	- CAS configuration: 3 LDAP authenticationHandlers using 3 MS Active 
> Directories (Europe, America, Asia)
>
> - Web server configuration (hosting websites):
> 	- CentOS 5
> 	- httpd 2.2.3-11.el5_1.centos.3
> 	- mod_authz_ldap-0.26-8.el5
> 	- mod_auth_cas-1.0.7 (manually added thru /etc/httpd/conf.d/cas.conf 
> config file with:
>  >>>
> LoadModule auth_cas_module modules/mod_auth_cas.so
> <IfModule mod_auth_cas.c>
>            CASDebug On
>            CASCookiePath /tmp/
>            CASLoginURL https://cas-rd.company.com/cas/
>            CASValidateURL https://cas-rd.company.com/cas/serviceValidate
>            CASCertificatePath /etc/pki/tls/certs/casserver.crt
>            CASValidateServer on
> </IfModule>
> <<<
>
> Some tests (.htaccess):
>
> - mod_auth_cas alone:
> 	AuthType CAS
> 	AuthName "CAS"
> 	require valid-user
>
>    This works well. I can login thru CAS.
>
> - mod_authz_ldap alone:
> 	AuthName "TestProtLDAPz AD"
> 	AuthType Basic
> 	AuthzLDAPMethod ldap
> 	AuthzLDAPServer adserver.eu.company.com:389
> 	AuthzLDAPBindDN ldapreader at company.com
> 	AuthzLDAPBindPassword ********
> 	AuthzLDAPSetGroupAuth ldapdn
> 	AuthzLDAPUserKey samaccountname
> 	AuthzLDAPUserBase "OU=Subsidiaries,DC=eu,DC=company,DC=com"
> 	AuthzLDAPUserScope subtree
> 	require group "CN=DL_RD.Soft.France.Employee,OU=Subsidiaries,DC=eu,DC=company,DC=com"
>
>    This works well. I can login thru LDAP.
>
> - mod_auth_cas (authentication) + mod_authz_ldap (authorization)
> 	AuthType CAS
> 	AuthName "CAS Authentication AD"
> 	AuthzLDAPMethod ldap
> 	AuthzLDAPServer adserver.eu.company.com:389
> 	AuthzLDAPBindDN ldapreader at company.com
> 	AuthzLDAPBindPassword ********
> 	AuthzLDAPUserKey samaccountname
> 	AuthzLDAPUserBase "OU=Subsidiaries,DC=eu,DC=company,DC=com"
> 	AuthzLDAPUserScope subtree
> 	AuthzLDAPSetGroupAuth ldapdn
> 	require group "CN=DL_RD.Soft.France.Employee,OU=Subsidiaries,DC=eu,DC=company,DC=com"
>
>    When I try to access the website http://www.company.com/toto.txt, I 
> am first redirected to CAS where I log in (no error), then back to the 
> website with:
>
> "Forbidden
> You don't have permission to access /toto.txt on this server."
>
> CAS log shows:
> "2008-06-02 16:48:06,505 INFO 
> [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service 
> ticket [ST-23-eKtUCGXPZPsA7EV6aTHW] for service 
> [http://www.company.com/toto.txt] for user [chris]"
>
> Apache log shows:
> "[Mon Jun 02 16:16:40 2008] [error] [client 172.16.48.21] [27479] no 
> password?"
>
>
> Has anyone had similar behavior? Any idea why this does not work?
>
> Best,
>
> Chris
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>   
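For Chris's Active Directory case, an added example (not from either poster) that follows Jehan's approach: CAS does the authentication and Apache's bundled mod_authnz_ldap (the AuthLDAP* directives) does the authorization, instead of the third-party mod_authz_ldap (AuthzLDAP* directives), which the "no password?" log line suggests is looking for a Basic-auth password that CAS never supplies. The server name, user base and group DN reuse the values from Chris's post; the service-account DN, the ldaps:// port, the CA certificate path and the sAMAccountName user key are assumptions.

```apache
# Added example: CAS authN + mod_authnz_ldap authZ against Active Directory.
# Server, base DN and group DN come from the post above; bind DN, ldaps port
# and CA path are assumed placeholders.
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# Server context: trust the AD CA so the LDAPS connection is verified
# (assumed path; replace with the certificate of the directory's CA).
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ad-ca.crt

<Location /protected>
    AuthType CAS
    AuthName "CAS Authentication AD"

    # AD refuses anonymous searches, so bind with a read-only service
    # account. Keep this file readable by root only: the password is in clear.
    AuthLDAPBindDN       "CN=ldapreader,CN=Users,DC=company,DC=com"
    AuthLDAPBindPassword "********"

    # URL form: ldap://host:port/basedn?attribute?scope?filter
    # sAMAccountName matches the short username CAS returns (e.g. "chris");
    # the filter restricts the lookup to user objects. ldaps:// keeps the
    # bind password and the directory traffic off the wire in clear.
    AuthLDAPUrl "ldaps://adserver.eu.company.com:636/OU=Subsidiaries,DC=eu,DC=company,DC=com?sAMAccountName?sub?(objectClass=user)"

    # AD stores group membership in the group's multi-valued "member"
    # attribute as full user DNs, which is what ldap-group compares against.
    AuthLDAPGroupAttribute     member
    AuthLDAPGroupAttributeIsDN on

    # Deny when the LDAP lookup cannot decide instead of falling through to
    # another authorization provider.
    AuthzLDAPAuthoritative on

    Require ldap-group CN=DL_RD.Soft.France.Employee,OU=Subsidiaries,DC=eu,DC=company,DC=com
</Location>
```

Because the user is not authenticated by mod_authnz_ldap itself, the module searches for the DN of the CAS-supplied username before evaluating the group Require, which is why the bind account needs read access to the user and group objects.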
