CAS and LDAP
inas inassen
mezghena at hotmail.com
Mon Feb 2 14:40:36 EST 2009
Thanks Shi.
I agree with you: this issue is related to authorization, and my LDAP is already set up and works fine with Tomcat's JNDIRealm.
So what I want is to reproduce with CAS exactly what JNDIRealm does.
In my CAS server I used the following objects
<bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
  <property name="credentialsToPrincipalResolvers">
    <list>
      <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
        <property name="credentialsToPrincipalResolver">
          <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
        </property>
        <property name="filter" value="(uid=%u)" />
        <property name="principalAttributeName" value="uid" />
        <property name="searchBase" value="ou=people,ou=org1,o=org2,dc=ca" />
        <property name="contextSource" ref="contextSource" />
        <property name="attributeRepository" ref="attributeRepository" />
      </bean>
    </list>
  </property>
  <property name="authenticationHandlers">
    <list>
      <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
        <property name="filter" value="uid=%u" />
        <property name="searchBase" value="ou=people,ou=org1,o=org2,dc=ca" />
        <property name="contextSource" ref="contextSource" />
      </bean>
    </list>
  </property>
</bean>

<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=roles,ou=org1,o=org2,dc=ca" />
  <property name="query" value="(uniqueMember={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <entry key="cn" value="Role"/>
    </map>
  </property>
</bean>
And when using JNDIRealm, I have
<Realm className="org.apache.catalina.realm.JNDIRealm"
       userPattern="uid={0},ou=people,ou=org1,o=org2,dc=ca"
       roleBase="ou=roles,ou=org1,o=org2,dc=ca"
       roleName="cn"
       roleSearch="(uniqueMember={0})" />
So in other words, what is the equivalent of this JNDIRealm configuration in the CAS LDAP configuration?
Regards,
Inas.
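As an added illustration (not code from this thread, from CAS or from Tomcat), a short Python model of the role lookup that JNDIRealm's roleBase/roleSearch/roleName perform and that the CAS attributeRepository above is meant to reproduce, run over an in-memory copy of the directory layout quoted later in the thread. It shows that {0} in (uniqueMember={0}) only matches when it carries the user's full DN rather than the bare uid, and that any value substituted into a filter is escaped first; DIRECTORY, the constants and all function names are constructed for this example.

```python
import re

# Constructed in-memory copy of the directory layout quoted in this thread:
# ou=people holds the users, ou=roles holds groups whose uniqueMember values are user DNs.
DIRECTORY = {
    "uid=user1,ou=people,ou=ait,o=b2b,dc=net": {"uid": ["user1"]},
    "uid=user2,ou=people,ou=ait,o=b2b,dc=net": {"uid": ["user2"]},
    "cn=role1,ou=roles,ou=ait,o=b2b,dc=net": {
        "cn": ["role1"], "uniqueMember": ["uid=user1,ou=people,ou=ait,o=b2b,dc=net"]},
    "cn=role2,ou=roles,ou=ait,o=b2b,dc=net": {
        "cn": ["role2"], "uniqueMember": ["uid=user2,ou=people,ou=ait,o=b2b,dc=net"]},
}

USER_PATTERN = "uid={0},ou=people,ou=ait,o=b2b,dc=net"  # JNDIRealm userPattern
ROLE_BASE = "ou=roles,ou=ait,o=b2b,dc=net"              # JNDIRealm roleBase / CAS baseDN
ROLE_SEARCH = "(uniqueMember={0})"                      # JNDIRealm roleSearch / CAS query
ROLE_NAME = "cn"                                        # JNDIRealm roleName / CAS cn -> Role

def escape_filter_value(value):
    """RFC 4515 escaping: a value substituted into a filter must not alter its structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def user_dn(username):
    """The DN JNDIRealm binds as, and then substitutes for {0} in roleSearch."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", username):  # keep the DN syntax intact
        raise ValueError("username contains characters not allowed in this DN template")
    return USER_PATTERN.format(username)

def search_roles(member_value):
    """Toy equality-filter search under ROLE_BASE, returning the roleName attribute values."""
    filt = ROLE_SEARCH.replace("{0}", escape_filter_value(member_value))
    attr, _, wanted = filt[1:-1].partition("=")  # only (attr=value) filters are modelled
    wanted = unescape_filter_value(wanted)
    roles = []
    for dn, attrs in DIRECTORY.items():
        if dn.endswith("," + ROLE_BASE) and wanted in attrs.get(attr, []):
            roles.extend(attrs[ROLE_NAME])
    return roles

def roles_for(username):
    """Full JNDIRealm-style lookup: username -> DN -> roles (what CAS must reproduce)."""
    return search_roles(user_dn(username))

if __name__ == "__main__":
    print(roles_for("user1"))     # ['role1']
    print(search_roles("user1"))  # []  a bare uid never matches a uniqueMember DN
```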
> Subject: RE: CAS and LDAP
> From: shiys at langhua.cn
> To: cas at tp.its.yale.edu
> Date: Sat, 31 Jan 2009 17:40:56 +0800
>
> > Basically, when I'm authenticated in CAS server, I want to have a way
> > to retrieve a list of roles to make them available to the
> > request.isUserInRole("role") method.
>
> Your requirement belongs to authorization, not authentication, so I think
> it's beyond CAS.
>
> Anyway, you have to choose member and/or alias to represent your
> user-role relationship in LDAP. After successful authentication in the CAS
> server, search for the user in members or aliases to get the
> relationship, and then set them as the role attribute of the request.
>
> How would you refresh the role relationship when it changes if you set
> it in the request?
>
> Regards,
>
> Shi Yusen/Beijing Langhua Ltd.
>
> > regards
> >
> > Inas.
> >
> > ______________________________________________________________________
> >
> > From: dlwhitehurst at gmail.com
> > To: cas at tp.its.yale.edu
> > Subject: Re: CAS and LDAP
> > Date: Thu, 29 Jan 2009 17:14:14 -0500
> >
> > Are you using OpenLDAP or Active Directory?
> >
> > And, roles would not be CAS related, so explain what you're trying to
> > do a little more.
> >
> > David
> >
> > Sent from my iPhone
> >
> > On Jan 29, 2009, at 5:04 PM, inas inassen <mezghena at hotmail.com>
> > wrote:
> >
> > Hi all,
> >
> > I was able to log in using CAS and LDAP authentication
> > (BindLdapAuthenticationHandler) but I experience problems
> > retrieving a user's roles, so is there any documentation
> > regarding this issue?
> >
> > thanks a lot.
> >
> > Inas
> >
> > ______________________________________________________________
> >
> > From: mezghena at hotmail.com
> > To: cas at tp.its.yale.edu
> > Subject: RE: CAS and LDAP and JAAS
> > Date: Fri, 16 Jan 2009 20:37:24 +0000
> >
> > Thanks Matt,
> >
> > Now it is clearer, so I agree with you that CAS LDAP support
> > is better, but my concern is that I want to keep my
> > applications compliant after switching from Tomcat JNDIRealm and SSO Valve
> > to CAS server, so how can I make the expected roles available to my
> > application in order to use the isInRole(string) method from the
> > HttpServletRequest object?
> >
> > Thanks
> >
> > Inas
> >
> > > Date: Thu, 15 Jan 2009 17:54:39 -0500
> > > From: matt at forsetti.com
> > > To: cas at tp.its.yale.edu
> > > Subject: Re: CAS and LDAP and JAAS
> > >
> > > The CAS LDAP support should be drastically better than the
> > > JAASAuthenticationHandler using that specific LDAP JAAS module. I
> > > wrote the JAASAuthenticationHandler and
> > > edu.uconn.netid.jaas.LDAPLoginModule as a quick hack job due to some
> > > historical Kerberos/LDAP/ActiveDirectory needs. Scott cleaned up the
> > > JAASAuthenticationHandler to make it CAS-worthy, but the JAAS
> > > LDAPLoginModule has suffered from severe bit-rot and should be purged
> > > from this plane of existence.
> > >
> > > I'd recommend either using the stock CAS LDAP support, or the more
> > > popular (at least in the Shib community) Virginia Tech LDAPLoginModule
> > > http://www.middleware.vt.edu/doku.php?id=middleware:opensource:ldap#jaas_support
> > >
> > > -Matt
> > >
> > > On Thu, Jan 15, 2009 at 5:13 PM, inas inassen <mezghena at hotmail.com> wrote:
> > > > Thanks Andrew
> > > >
> > > > Yes, all my applications are role based authorization using the JAAS framework
> > > > inside struts, tiles and taglibs.
> > > >
> > > > So my need is that I want to have a CAS server running, let's say in W1 server
> > > > site, that authenticates against an LDAP.
> > > > Using a CAS client, my other applications that are running in W2, W3 and
> > > > so on will authenticate against a CAS Server in W1, and I need a JAAS
> > > > subject to keep my application's security (authorization and authentication)
> > > > working.
> > > >
> > > > thanks again
> > > >
> > > > Inas.
> > > >
> > > > ________________________________
> > > > Date: Thu, 15 Jan 2009 15:01:37 -0600
> > > > Subject: Re: CAS and LDAP and JAAS
> > > > From: afelle1 at lsu.edu
> > > > To: cas at tp.its.yale.edu
> > > >
> > > > Inas,
> > > >
> > > > Is there any reason you are going through JAAS for LDAP authentication
> > > > instead of using the LDAP authentication handler?
> > > >
> > > > LDAP wiki entry: http://www.ja-sig.org/wiki/display/CASUM/LDAP
> > > > JAAS wiki entry: http://www.ja-sig.org/wiki/display/CASUM/JAAS
> > > >
> > > > HTH,
> > > > A-
> > > >
> > > > On 1/15/09 2:51 PM, "inas inassen" <mezghena at hotmail.com> wrote:
> > > >
> > > > Hi all,
> > > >
> > > > I'm trying to configure CAS to authenticate against an LDAP, and my
> > > > applications are using JAAS as an Authentication and Authorization framework.
> > > >
> > > > Everything works fine using Tomcat JNDIRealm.
> > > >
> > > > My Tomcat JNDIRealm
> > > >
> > > > <Realm className="org.apache.catalina.realm.JNDIRealm"
> > > >        connectionURL="ldap://ladpsrv:389/ou=ait,o=b2b,dc=net"
> > > >        userPattern="uid={0},ou=people,ou=ait,o=b2b,dc=net"
> > > >        roleBase="ou=roles,ou=ait,o=b2b,dc=net"
> > > >        roleName="cn"
> > > >        roleSearch="(uniqueMember={0})" />
> > > >
> > > > this is my jaas.conf file (configured in
> > > > -Djava.security.auth.login.config=jaas.conf)
> > > >
> > > > CAS {
> > > >   edu.uconn.netid.jaas.LDAPLoginModule sufficient
> > > >     java.naming.provider.url="ldap://ladpsrv:389/ou=ait,o=b2b,dc=net"
> > > >     java.naming.security.principal="cn=Manager,ou=ait,o=b2b,dc=net"
> > > >     java.naming.security.credentials="secret"
> > > >     Attribute="uid"
> > > >     startTLS="true";
> > > > };
> > > >
> > > > and this is my deployerConfigContext file
> > > >
> > > > <?xml version="1.0" encoding="UTF-8"?>
> > > > <beans xmlns="http://www.springframework.org/schema/beans"
> > > >        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > > >        xmlns:p="http://www.springframework.org/schema/p"
> > > >        xsi:schemaLocation="http://www.springframework.org/schema/beans
> > > >        http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
> > > >   <bean id="authenticationManager"
> > > >         class="org.jasig.cas.authentication.AuthenticationManagerImpl">
> > > >     <property name="credentialsToPrincipalResolvers">
> > > >       <list>
> > > >         <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
> > > >         <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
> > > >       </list>
> > > >     </property>
> > > >     <property name="authenticationHandlers">
> > > >       <list>
> > > >         <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
> > > >               p:httpClient-ref="httpClient" />
> > > >         <bean class="org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler" />
> > > >         <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
> > > >           <property name="filter" value="uid=%u" />
> > > >           <property name="searchBase" value="ou=people,ou=ait,o=b2b,dc=net" />
> > > >           <property name="contextSource" ref="contextSource" />
> > > >         </bean>
> > > >       </list>
> > > >     </property>
> > > >   </bean>
> > > >
> > > >   <bean id="userDetailsService"
> > > >         class="org.springframework.security.userdetails.memory.InMemoryDaoImpl">
> > > >     <property name="userMap">
> > > >       <value></value>
> > > >     </property>
> > > >   </bean>
> > > >
> > > >   <bean id="attributeRepository"
> > > >         class="org.jasig.services.persondir.support.StubPersonAttributeDao">
> > > >     <property name="backingMap">
> > > >       <map>
> > > >         <entry key="uid" value="uid" />
> > > >         <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
> > > >         <entry key="groupMembership" value="groupMembership" />
> > > >       </map>
> > > >     </property>
> > > >   </bean>
> > > >
> > > >   <bean id="serviceRegistryDao"
> > > >         class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />
> > > >
> > > >   <!-- LDAP context -->
> > > >   <bean id="contextSource"
> > > >         class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
> > > >     <property name="pooled" value="true"/>
> > > >     <property name="urls">
> > > >       <list>
> > > >         <value>ldap://ladpsrv:389/ou=ait,o=b2b,dc=net</value>
> > > >       </list>
> > > >     </property>
> > > >     <property name="userName" value="cn=Manager,ou=ait,o=b2b,dc=net"/>
> > > >     <property name="password" value="secret"/>
> > > >     <property name="baseEnvironmentProperties">
> > > >       <map>
> > > >         <entry>
> > > >           <key>
> > > >             <value>java.naming.security.authentication</value>
> > > >           </key>
> > > >           <value>simple</value>
> > > >         </entry>
> > > >         <entry>
> > > >           <key>
> > > >             <value>ldap.initial.context.factory</value>
> > > >           </key>
> > > >           <value>com.sun.jndi.ldap.LdapCtxFactory</value>
> > > >         </entry>
> > > >       </map>
> > > >     </property>
> > > >   </bean>
> > > >
> > > > </beans>
> > > >
> > > > my ldap schema is
> > > >
> > > > ou=ait,o=b2b,dc=net
> > > >   ou=people
> > > >     uid=user1
> > > >     uid=user2
> > > >   ou=roles
> > > >     cn=role1
> > > >       uniqueMember: uid=user1,ou=people,ou=ait,o=b2b,dc=net
> > > >     cn=role2
> > > >       uniqueMember: uid=user2,ou=people,ou=ait,o=b2b,dc=net
> > > >
> > > > when I try to log in I get a bad credential
> > > >
> > > > any help please?
> > > >
> > > > thanks a lot.
> > > >
> > > > Mezghena.
> > > >
> > > > _______________________________________________
> > > > Yale CAS mailing list
> > > > cas at tp.its.yale.edu
> > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > >
> > > > --
> > > > Andrew Feller, Analyst
> > > > LSU University Information Services
> > > > 200 Frey Computing Services Center
> > > > Baton Rouge, LA 70803
> > > > Office: 225.578.3737
> > > > Fax: 225.578.6400
> > >
> > > --
> > > matt at forsetti.com
> > > Key ID:D6EEC5B5