CAS and LDAP
David Whitehurst
dlwhitehurst at gmail.com
Thu Jan 29 17:14:14 EST 2009
Are you using OpenLDAP or Active Directory?
And, roles would not be CAS related so explain what you're trying to
do a little more.
David
Sent from my iPhone
On Jan 29, 2009, at 5:04 PM, inas inassen <mezghena at hotmail.com> wrote:
> Hi all,
>
> I was able to log in using CAS and LDAP authentication
> (BindLdapAuthenticationHandler) but I experience problems retrieving
> a user's roles, so is there any documentation regarding this issue?
>
> thanks a lot.
>
> Inas
>
>
>
> From: mezghena at hotmail.com
> To: cas at tp.its.yale.edu
> Subject: RE: CAS and LDAP and JAAS
> Date: Fri, 16 Jan 2009 20:37:24 +0000
>
> Thanks Matt,
>
> Now it is clearer, so I agree with you that CAS LDAP support is
> better, but my concern is that I want to keep my applications compliant
> after switching from Tomcat JNDIRealm and SSO Valve to CAS server,
> so how can I make the expected roles available to my application
> in order to use the isInRole(string) method from the
> HttpServletRequest object?
>
> Thanks
>
> Inas
>
> > Date: Thu, 15 Jan 2009 17:54:39 -0500
> > From: matt at forsetti.com
> > To: cas at tp.its.yale.edu
> > Subject: Re: CAS and LDAP and JAAS
> >
> > The CAS LDAP support should be drastically better than the
> > JAASAuthenticationHandler using that specific LDAP JAAS module. I
> > wrote the JAASAuthenticationHandler and
> > edu.uconn.netid.jaas.LDAPLoginModule as a quick hack job due to some
> > historical Kerberos/LDAP/ActiveDirectory needs. Scott cleaned up the
> > JAASAuthenticationHandler to make it CAS-worthy, but the JAAS
> > LDAPLoginModule has suffered from severe bit-rot and should be purged
> > from this plane of existence.
> >
> > I'd recommend either using the stock CAS LDAP support, or the more
> > popular (at least in the Shib community) Virginia Tech LDAPLoginModule
> > http://www.middleware.vt.edu/doku.php?id=middleware:opensource:ldap#jaas_support .
> >
> > -Matt
> >
> >
> > On Thu, Jan 15, 2009 at 5:13 PM, inas inassen <mezghena at hotmail.com> wrote:
> > > Thanks Andrew
> > >
> > > Yes, all my applications use role-based authorization via the JAAS
> > > framework inside Struts, Tiles and taglibs.
> > >
> > > So my need is that I want to have a CAS server running, let's say in
> > > the W1 server site, that authenticates against an LDAP.
> > > Using a CAS client, my other applications that are running in W2, W3 and
> > > so on will authenticate against the CAS server in W1, and I need a JAAS
> > > subject to keep my applications' security (authorization and
> > > authentication) working.
> > >
> > > thanks again
> > >
> > > Inas.
> > >
> > >
> > > ________________________________
> > > Date: Thu, 15 Jan 2009 15:01:37 -0600
> > > Subject: Re: CAS and LDAP and JAAS
> > > From: afelle1 at lsu.edu
> > > To: cas at tp.its.yale.edu
> > >
> > > Inas,
> > >
> > > Is there any reason you are going through JAAS for LDAP authentication
> > > instead of using the LDAP authentication handler?
> > >
> > > LDAP wiki entry: http://www.ja-sig.org/wiki/display/CASUM/LDAP
> > > JAAS wiki entry: http://www.ja-sig.org/wiki/display/CASUM/JAAS
> > >
> > > HTH,
> > > A-
> > >
> > > On 1/15/09 2:51 PM, "inas inassen" <mezghena at hotmail.com> wrote:
> > >
> > >
> > >
> > > Hi all,
> > >
> > > I'm trying to configure CAS to authenticate against an LDAP, and my
> > > applications are using JAAS as an Authentication and Authorization framework.
> > >
> > > Everything works fine using Tomcat JNDIRealm.
> > >
> > > My Tomcat JNDIRealm
> > >
> > >
> > > <Realm className="org.apache.catalina.realm.JNDIRealm"
> > > connectionURL="ldap://ladpsrv:389/ou=ait,o=b2b,dc=net"
> > > userPattern="uid={0},ou=people,ou=ait,o=b2b,dc=net"
> > > roleBase="ou=roles,ou=ait,o=b2b,dc=net"
> > > roleName="cn"
> > > roleSearch="(uniqueMember={0})" />
> > >
> > >
> > > this is my jaas.conf file (configured in
> > > -Djava.security.auth.login.config=jaas.conf)
> > >
> > >
> > > CAS {
> > > edu.uconn.netid.jaas.LDAPLoginModule sufficient
> > > java.naming.provider.url="ldap://ladpsrv:389/ou=ait,o=b2b,dc=net"
> > > java.naming.security.principal="cn=Manager,ou=ait,o=b2b,dc=net"
> > > java.naming.security.credentials="secret"
> > > Attribute="uid"
> > > startTLS="true";
> > > };
> > >
> > >
> > > and this is my deployerConfigContext file
> > >
> > > <?xml version="1.0" encoding="UTF-8"?>
> > > <beans xmlns="http://www.springframework.org/schema/beans"
> > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > > xmlns:p="http://www.springframework.org/schema/p"
> > > xsi:schemaLocation="http://www.springframework.org/schema/beans
> > > http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
> > > <bean id="authenticationManager"
> > > class="org.jasig.cas.authentication.AuthenticationManagerImpl">
> > > <property name="credentialsToPrincipalResolvers">
> > > <list>
> > > <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
> > > <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
> > > </list>
> > > </property>
> > > <property name="authenticationHandlers">
> > > <list>
> > > <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
> > > p:httpClient-ref="httpClient" />
> > > <bean class="org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler" />
> > > <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
> > > <property name="filter" value="uid=%u" />
> > > <property name="searchBase" value="ou=people,ou=ait,o=b2b,dc=net" />
> > > <property name="contextSource" ref="contextSource" />
> > > </bean>
> > > </list>
> > > </property>
> > > </bean>
> > >
> > > <bean id="userDetailsService" class="org.springframework.security.userdetails.memory.InMemoryDaoImpl">
> > > <property name="userMap">
> > > <value></value>
> > > </property>
> > > </bean>
> > >
> > > <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao">
> > > <property name="backingMap">
> > > <map>
> > > <entry key="uid" value="uid" />
> > > <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
> > > <entry key="groupMembership" value="groupMembership" />
> > > </map>
> > > </property>
> > > </bean>
> > >
> > > <bean id="serviceRegistryDao"
> > > class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />
> > >
> > > <!-- LDAP context -->
> > > <bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
> > > <property name="pooled" value="true"/>
> > > <property name="urls">
> > > <list>
> > > <value>ldap://ladpsrv:389/ou=ait,o=b2b,dc=net</value>
> > > </list>
> > > </property>
> > > <property name="userName" value="cn=Manager,ou=ait,o=b2b,dc=net"/>
> > > <property name="password" value="secret"/>
> > > <property name="baseEnvironmentProperties">
> > > <map>
> > > <entry>
> > > <key>
> > > <value>java.naming.security.authentication</value>
> > > </key>
> > > <value>simple</value>
> > > </entry>
> > >
> > > <entry>
> > > <key>
> > > <value>ldap.initial.context.factory</value>
> > > </key>
> > > <value>com.sun.jndi.ldap.LdapCtxFactory</value>
> > > </entry>
> > > </map>
> > > </property>
> > > </bean>
> > >
> > > </beans>
> > >
> > >
> > > my LDAP schema is
> > >
> > > ou=ait,o=b2b,dc=net
> > >   ou=people
> > >     uid=user1
> > >     uid=user2
> > >   ou=roles
> > >     cn=role1
> > >       uniqueMember: uid=user1,ou=people,ou=ait,o=b2b,dc=net
> > >     cn=role2
> > >       uniqueMember: uid=user2,ou=people,ou=ait,o=b2b,dc=net
> > >
> > >
> > >
> > > when I try to log in I get a bad credentials error
> > >
> > > any help please?
> > >
> > > thanks a lot.
> > >
> > > Mezghena.
> > >
> > >
> > > _______________________________________________
> > > Yale CAS mailing list
> > > cas at tp.its.yale.edu
> > > http://tp.its.yale.edu/mailman/listinfo/cas
> > >
> > > --
> > > Andrew Feller, Analyst
> > > LSU University Information Services
> > > 200 Frey Computing Services Center
> > > Baton Rouge, LA 70803
> > > Office: 225.578.3737
> > > Fax: 225.578.6400
> > >
> > >
> > >
> >
> >
> >
> > --
> > matt at forsetti.com
> > Key ID:D6EEC5B5
>
>
>
>
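As an added illustration (not code from the thread, from CAS or from Tomcat), the following Python sketch shows what the JNDIRealm settings in the first message (userPattern, roleBase, roleSearch="(uniqueMember={0})", roleName="cn") actually resolve over the posted ou=people/ou=roles schema, and why the value substituted into a "uid=%u" or "{0}" slot must be filter-escaped: the uid is user-typed input. The directory is a constructed in-memory stand-in, so no LDAP server is needed; the DN-matching "search" is a deliberately minimal equality matcher, not a real LDAP client.

```python
import re

# Constructed in-memory stand-in for the directory described in the post; no LDAP server needed.
DIRECTORY = {
    "uid=user1,ou=people,ou=ait,o=b2b,dc=net": {"uid": ["user1"]},
    "uid=user2,ou=people,ou=ait,o=b2b,dc=net": {"uid": ["user2"]},
    "cn=role1,ou=roles,ou=ait,o=b2b,dc=net": {
        "cn": ["role1"], "uniqueMember": ["uid=user1,ou=people,ou=ait,o=b2b,dc=net"]},
    "cn=role2,ou=roles,ou=ait,o=b2b,dc=net": {
        "cn": ["role2"], "uniqueMember": ["uid=user2,ou=people,ou=ait,o=b2b,dc=net"]},
}

PEOPLE_BASE = "ou=people,ou=ait,o=b2b,dc=net"   # CAS searchBase / JNDIRealm userPattern base
ROLE_BASE = "ou=roles,ou=ait,o=b2b,dc=net"      # JNDIRealm roleBase


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter (the %u or {0} slot)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def search(base, filter_str):
    """Minimal single-equality filter matcher over DIRECTORY, scoped to entries under base.
    Enough to mirror what the real server does for (uid=...) and (uniqueMember=...)."""
    attr, raw = re.fullmatch(r"\((\w+)=(.*)\)", filter_str).groups()
    wanted = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith("," + base) and wanted in attrs.get(attr, [])]


def user_dn(uid):
    """CAS BindLdapAuthenticationHandler step: filter 'uid=%u' resolves the DN to bind as.
    uid is what the user typed, so it is escaped before substitution; exactly one hit is required."""
    hits = search(PEOPLE_BASE, "(uid=%s)" % escape_filter_value(uid))
    return hits[0] if len(hits) == 1 else None


def roles_for(uid):
    """JNDIRealm roleBase + roleSearch='(uniqueMember={0})' + roleName='cn', with {0}
    bound to the user's full DN; these are the role names the application's isInRole check expects."""
    dn = user_dn(uid)
    if dn is None:
        return []
    hits = search(ROLE_BASE, "(uniqueMember=%s)" % escape_filter_value(dn))
    return sorted(DIRECTORY[h]["cn"][0] for h in hits)
```

Note that with escaping in place a uid of "*" resolves to no entry rather than to every entry under ou=people, which is the behaviour you want from any handler or login module that builds its filter from the submitted username.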