CAS and LDAP

inas inassen mezghena at hotmail.com
Thu Jan 29 17:04:20 EST 2009


Hi all,
I was able to log in using CAS and LDAP authentication (BindLdapAuthenticationHandler) but I experience problems retrieving a user's roles, so is there any documentation regarding this issue?
 
thanks a lot.
 
Inas



From: mezghena at hotmail.com
To: cas at tp.its.yale.edu
Subject: RE: CAS and LDAP and JAAS
Date: Fri, 16 Jan 2009 20:37:24 +0000

Thanks Matt, now it is clearer, so I agree with you that CAS LDAP support is better, but my concern is that I want to keep my applications compliant after switching from Tomcat JNDIRealm and SSO Valve to CAS server. Then how can I make the expected roles available to my application in order to use the isInRole(String) method from the HttpServletRequest object?

Thanks

Inas

> Date: Thu, 15 Jan 2009 17:54:39 -0500
> From: matt at forsetti.com
> To: cas at tp.its.yale.edu
> Subject: Re: CAS and LDAP and JAAS
>
> The CAS LDAP support should be drastically better than the
> JAASAuthenticationHandler using that specific LDAP JAAS module. I
> wrote the JAASAuthenticationHandler and
> edu.uconn.netid.jaas.LDAPLoginModule as a quick hack job due to some
> historical Kerberos/LDAP/ActiveDirectory needs. Scott cleaned up the
> JAASAuthenticationHandler to make it CAS-worthy, but the JAAS
> LDAPLoginModule has suffered from severe bit-rot and should be purged
> from this plane of existence.
>
> I'd recommend either using the stock CAS LDAP support, or the more
> popular (at least in the Shib community) Virginia Tech LDAPLoginModule
> http://www.middleware.vt.edu/doku.php?id=middleware:opensource:ldap#jaas_support
>
> -Matt
>
>
> On Thu, Jan 15, 2009 at 5:13 PM, inas inassen <mezghena at hotmail.com> wrote:
> > Thanks Andrew
> >
> > Yes, all my applications are role-based authorization using the JAAS framework
> > inside Struts, Tiles and taglibs.
> >
> > So my need is that I want to have a CAS server running, let's say in the W1 server
> > site, that authenticates against an LDAP.
> > Using a CAS client, my other applications that are running in W2, W3 and
> > so on will authenticate against a CAS server in W1, and I need a JAAS
> > subject to keep my application's security (authorization and authentication)
> > working.
> >
> > thanks again
> >
> > Inas.
> >
> >
> > ________________________________
> > Date: Thu, 15 Jan 2009 15:01:37 -0600
> > Subject: Re: CAS and LDAP and JAAS
> > From: afelle1 at lsu.edu
> > To: cas at tp.its.yale.edu
> >
> > Inas,
> >
> > Is there any reason you are going through JAAS for LDAP authentication
> > instead of using the LDAP authentication handler?
> >
> > LDAP wiki entry: http://www.ja-sig.org/wiki/display/CASUM/LDAP
> > JAAS wiki entry: http://www.ja-sig.org/wiki/display/CASUM/JAAS
> >
> > HTH,
> > A-
> >
> > On 1/15/09 2:51 PM, "inas inassen" <mezghena at hotmail.com> wrote:
> >
> > Hi all,
> >
> > I'm trying to configure CAS to authenticate against an LDAP and my
> > applications are using JAAS as an authentication and authorization framework.
> >
> > Everything works fine using Tomcat JNDIRealm.
> >
> > My Tomcat JNDIRealm:
> >
> > <Realm className="org.apache.catalina.realm.JNDIRealm"
> > connectionURL="ldap://ladpsrv:389/ou=ait,o=b2b,dc=net"
> > userPattern="uid={0},ou=people,ou=ait,o=b2b,dc=net"
> > roleBase="ou=roles,ou=ait,o=b2b,dc=net"
> > roleName="cn"
> > roleSearch="(uniqueMember={0})" />
> >
> > This is my jaas.conf file (configured in
> > -Djava.security.auth.login.config=jaas.conf):
> >
> > CAS {
> > edu.uconn.netid.jaas.LDAPLoginModule sufficient
> > java.naming.provider.url="ldap://ladpsrv:389/ou=ait,o=b2b,dc=net"
> > java.naming.security.principal="cn=Manager,ou=ait,o=b2b,dc=net"
> > java.naming.security.credentials="secret"
> > Attribute="uid"
> > startTLS="true";
> > };
> >
> > and this is my deployerConfigContext file:
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <beans xmlns="http://www.springframework.org/schema/beans"
> > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > xmlns:p="http://www.springframework.org/schema/p"
> > xsi:schemaLocation="http://www.springframework.org/schema/beans
> > http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
> > <bean id="authenticationManager"
> > class="org.jasig.cas.authentication.AuthenticationManagerImpl">
> > <property name="credentialsToPrincipalResolvers">
> > <list>
> > <bean
> > class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"
> > />
> > <bean
> > class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver"
> > />
> > </list>
> > </property>
> > <property name="authenticationHandlers">
> > <list>
> > <bean
> > class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
> > p:httpClient-ref="httpClient" />
> > <bean
> > class="org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler"
> > />
> > <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
> > <property name="filter" value="uid=%u" />
> > <property name="searchBase" value="ou=people,ou=ait,o=b2b,dc=net" />
> > <property name="contextSource" ref="contextSource" />
> > </bean>
> > </list>
> > </property>
> > </bean>
> >
> > <bean id="userDetailsService"
> > class="org.springframework.security.userdetails.memory.InMemoryDaoImpl">
> > <property name="userMap">
> > <value></value>
> > </property>
> > </bean>
> >
> > <bean id="attributeRepository"
> > class="org.jasig.services.persondir.support.StubPersonAttributeDao">
> > <property name="backingMap">
> > <map>
> > <entry key="uid" value="uid" />
> > <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
> > <entry key="groupMembership" value="groupMembership" />
> > </map>
> > </property>
> > </bean>
> >
> > <bean id="serviceRegistryDao"
> > class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />
> >
> > <!-- LDAP context -->
> > <bean id="contextSource"
> > class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
> > <property name="pooled" value="true"/>
> > <property name="urls">
> > <list>
> > <value>ldap://ladpsrv:389/ou=ait,o=b2b,dc=net</value>
> > </list>
> > </property>
> > <property name="userName" value="cn=Manager,ou=ait,o=b2b,dc=net"/>
> > <property name="password" value="secret"/>
> > <property name="baseEnvironmentProperties">
> > <map>
> > <entry>
> > <key>
> > <value>java.naming.security.authentication</value>
> > </key>
> > <value>simple</value>
> > </entry>
> >
> > <entry>
> > <key>
> > <value>ldap.initial.context.factory</value>
> > </key>
> > <value>com.sun.jndi.ldap.LdapCtxFactory</value>
> > </entry>
> > </map>
> > </property>
> > </bean>
> >
> > </beans>
> >
> > My LDAP schema is:
> >
> > ou=ait,o=b2b,dc=net
> > ou=people
> > uid=user1
> > uid=user2
> > ou=roles
> > cn=role1
> > uniqueMember: uid=user1,ou=people,ou=ait,o=b2b,dc=net
> > cn=role2
> > uniqueMember: uid=user2,ou=people,ou=ait,o=b2b,dc=net
> >
> > When I try to log in I get a bad credential.
> >
> > Any help please?
> >
> > thanks a lot.
> >
> > Mezghena.
> >
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
> > --
> > Andrew Feller, Analyst
> > LSU University Information Services
> > 200 Frey Computing Services Center
> > Baton Rouge, LA 70803
> > Office: 225.578.3737
> > Fax: 225.578.6400
>
> --
> matt at forsetti.com
> Key ID:D6EEC5B5
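As an added example (not CAS, Tomcat or the poster's code): an in-memory model of the JNDIRealm userPattern/roleBase/roleSearch/roleName lookup, run over a constructed copy of the LDAP tree described in the thread, together with the RFC 4515 escaping that any value substituted into a filter ({0} in roleSearch, %u in BindLdapAuthenticationHandler's filter) needs. The DIRECTORY dict and the equality search stand in for a real server; they are assumptions of this example.

```python
"""In-memory model of the Tomcat JNDIRealm role lookup from the thread
(userPattern, roleBase, roleSearch, roleName) over the poster's LDAP tree.
Added example, not CAS or Tomcat code; DIRECTORY is constructed from the
schema in the thread and stands in for a real server's search."""

PEOPLE_BASE = "ou=people,ou=ait,o=b2b,dc=net"
ROLE_BASE = "ou=roles,ou=ait,o=b2b,dc=net"

# Constructed copy of the poster's tree: DN -> attribute name -> values.
DIRECTORY = {
    "uid=user1," + PEOPLE_BASE: {"uid": ["user1"]},
    "uid=user2," + PEOPLE_BASE: {"uid": ["user2"]},
    "cn=role1," + ROLE_BASE: {"cn": ["role1"],
                              "uniqueMember": ["uid=user1," + PEOPLE_BASE]},
    "cn=role2," + ROLE_BASE: {"cn": ["role2"],
                              "uniqueMember": ["uid=user2," + PEOPLE_BASE]},
}

def escape_filter_value(value):
    """RFC 4515 escaping for anything substituted into a search filter
    ({0} in the realm's roleSearch, %u in BindLdapAuthenticationHandler's
    filter): * ( ) \\ and NUL become \\XX so input cannot reshape the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def role_search_filter(user_dn):
    """The filter roleSearch="(uniqueMember={0})" expands to for one user DN."""
    return "(uniqueMember=%s)" % escape_filter_value(user_dn)

def _norm_dn(dn):
    # Simplified DN comparison: case-insensitive, whitespace around RDNs ignored.
    return ",".join(part.strip().lower() for part in dn.split(","))

def _search(base, attr, value, norm=str.lower):
    """One-level equality search under `base`, in place of a server running
    the filter; `norm` decides how values are compared (DNs vs plain strings)."""
    want = norm(value)
    return [(dn, attrs) for dn, attrs in DIRECTORY.items()
            if _norm_dn(dn).endswith("," + _norm_dn(base))
            and any(norm(v) == want for v in attrs.get(attr, []))]

def roles_for(username):
    """Resolve the user DN under ou=people, then collect roleName (cn) of every
    ou=roles entry whose uniqueMember lists that DN; unknown user -> no roles."""
    users = _search(PEOPLE_BASE, "uid", username)
    if len(users) != 1:
        return []
    user_dn = users[0][0]
    return sorted(cn for _, attrs in _search(ROLE_BASE, "uniqueMember", user_dn, _norm_dn)
                  for cn in attrs["cn"])
```

Against a real server the returned filter string is what gets sent; the escaping matters only at that substitution point, so a username such as `user1)(uid=*` stays a literal value instead of becoming filter syntax.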




