CAS and LDAP
Shi Yusen
shiys at langhua.cn
Sat Jan 31 04:40:56 EST 2009
> Basically, when I'm authenticated in CAS server, I want to have a way
> to retrieve a list of roles to make them available to the
> request.isUserInRole("role") method.
Your requirement belongs to authorization, not authentication, so I think
it's beyond CAS.
Anyway, you have to choose member and/or alias to represent your
user-role relationship in LDAP. After successfully authenticating in the CAS
server, search for the user in members or aliases to get the
relationship, and then set them as the role attribute of the request.
How would you refresh the role relationship when it changes if you set
it in the request?
Regards,
Shi Yusen/Beijing Langhua Ltd.
>
> regards
>
> Inas.
>
>
>
> ______________________________________________________________________
>
> From: dlwhitehurst at gmail.com
> To: cas at tp.its.yale.edu
> Subject: Re: CAS and LDAP
> Date: Thu, 29 Jan 2009 17:14:14 -0500
>
>
> Are you using OpenLDAP or Active Directory?
>
>
>
> And, roles would not be CAS related so explain what you're trying to
> do a little more.
>
>
>
> David
>
> Sent from my iPhone
>
>
> On Jan 29, 2009, at 5:04 PM, inas inassen <mezghena at hotmail.com> wrote:
>
>
>
>
> Hi all,
>
> I was able to log in using CAS and LDAP authentication
> (BindLdapAuthenticationHandler) but I experience problems
> retrieving a user's roles, so is there any documentation
> regarding this issue?
>
> thanks a lot.
>
> Inas
>
>
>
> ______________________________________________________________
>
> From: mezghena at hotmail.com
> To: cas at tp.its.yale.edu
> Subject: RE: CAS and LDAP and JAAS
> Date: Fri, 16 Jan 2009 20:37:24 +0000
>
> Thanks Matt,
>
> Now it is clearer, so I agree with you that CAS LDAP support
> is better, but my concern is that I want to keep my applications compliant
> after switching from Tomcat JNDIRealm and the SSO Valve to the CAS
> server, then how can I make the expected roles available to my application
> in order to use the isInRole(string) method from the
> HttpServletRequest object?
>
> Thanks
>
> Inas
>
> > Date: Thu, 15 Jan 2009 17:54:39 -0500
> > From: matt at forsetti.com
> > To: cas at tp.its.yale.edu
> > Subject: Re: CAS and LDAP and JAAS
> >
> > The CAS LDAP support should be drastically better than the
> > JAASAuthenticationHandler using that specific LDAP JAAS module. I
> > wrote the JAASAuthenticationHandler and
> > edu.uconn.netid.jaas.LDAPLoginModule as a quick hack job due to some
> > historical Kerberos/LDAP/ActiveDirectory needs. Scott cleaned up the
> > JAASAuthenticationHandler to make it CAS-worthy, but the JAAS
> > LDAPLoginModule has suffered from severe bit-rot and should be purged
> > from this plane of existence.
> >
> > I'd recommend either using the stock CAS LDAP support, or the more
> > popular (at least in the Shib community) Virginia Tech LDAPLoginModule
> > http://www.middleware.vt.edu/doku.php?id=middleware:opensource:ldap#jaas_support
> > .
> >
> > -Matt
> >
> >
> > On Thu, Jan 15, 2009 at 5:13 PM, inas inassen <mezghena at hotmail.com> wrote:
> > > Thanks Andrew
> > >
> > > Yes, all my applications use role-based authorization with the JAAS
> > > framework inside Struts, Tiles and taglibs.
> > >
> > > So my need is that I want to have a CAS server running, let's say in
> > > the W1 server site, that authenticates against an LDAP.
> > > Using a CAS client, my other applications that are running in W2, W3
> > > and so on will authenticate against the CAS server in W1, and I need
> > > a JAAS subject to keep my applications' security (authorization and
> > > authentication) working.
> > >
> > > thanks again
> > >
> > > Inas.
> > >
> > >
> > > ________________________________
> > > Date: Thu, 15 Jan 2009 15:01:37 -0600
> > > Subject: Re: CAS and LDAP and JAAS
> > > From: afelle1 at lsu.edu
> > > To: cas at tp.its.yale.edu
> > >
> > > Inas,
> > >
> > > Is there any reason you are going through JAAS for LDAP authentication
> > > instead of using the LDAP authentication handler?
> > >
> > > LDAP wiki entry: http://www.ja-sig.org/wiki/display/CASUM/LDAP
> > > JAAS wiki entry: http://www.ja-sig.org/wiki/display/CASUM/JAAS
> > >
> > > HTH,
> > > A-
> > >
> > > On 1/15/09 2:51 PM, "inas inassen" <mezghena at hotmail.com> wrote:
> > >
> > >
> > >
> > > Hi all,
> > >
> > > I'm trying to configure CAS to authenticate against an LDAP and my
> > > applications are using JAAS as an authentication and authorization
> > > framework.
> > >
> > > Everything works fine using Tomcat JNDIRealm
> > >
> > > My Tomcat JNDIRealm:
> > >
> > >     <Realm className="org.apache.catalina.realm.JNDIRealm"
> > >            connectionURL="ldap://ladpsrv:389/ou=ait,o=b2b,dc=net"
> > >            userPattern="uid={0},ou=people,ou=ait,o=b2b,dc=net"
> > >            roleBase="ou=roles,ou=ait,o=b2b,dc=net"
> > >            roleName="cn"
> > >            roleSearch="(uniqueMember={0})" />
> > >
> > >
> > > this is my jaas.conf file (configured with
> > > -Djava.security.auth.login.config=jaas.conf)
> > >
> > >     CAS {
> > >         edu.uconn.netid.jaas.LDAPLoginModule sufficient
> > >             java.naming.provider.url="ldap://ladpsrv:389/ou=ait,o=b2b,dc=net"
> > >             java.naming.security.principal="cn=Manager,ou=ait,o=b2b,dc=net"
> > >             java.naming.security.credentials="secret"
> > >             Attribute="uid"
> > >             startTLS="true";
> > >     };
> > >
> > >
> > > and this is my deployerConfigContext.xml file
> > >
> > >     <?xml version="1.0" encoding="UTF-8"?>
> > >     <beans xmlns="http://www.springframework.org/schema/beans"
> > >            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > >            xmlns:p="http://www.springframework.org/schema/p"
> > >            xsi:schemaLocation="http://www.springframework.org/schema/beans
> > >                                http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
> > >
> > >         <bean id="authenticationManager"
> > >               class="org.jasig.cas.authentication.AuthenticationManagerImpl">
> > >             <property name="credentialsToPrincipalResolvers">
> > >                 <list>
> > >                     <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
> > >                     <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
> > >                 </list>
> > >             </property>
> > >             <property name="authenticationHandlers">
> > >                 <list>
> > >                     <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
> > >                           p:httpClient-ref="httpClient" />
> > >                     <bean class="org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler" />
> > >                     <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
> > >                         <property name="filter" value="uid=%u" />
> > >                         <property name="searchBase" value="ou=people,ou=ait,o=b2b,dc=net" />
> > >                         <property name="contextSource" ref="contextSource" />
> > >                     </bean>
> > >                 </list>
> > >             </property>
> > >         </bean>
> > >
> > >         <bean id="userDetailsService"
> > >               class="org.springframework.security.userdetails.memory.InMemoryDaoImpl">
> > >             <property name="userMap">
> > >                 <value></value>
> > >             </property>
> > >         </bean>
> > >
> > >         <bean id="attributeRepository"
> > >               class="org.jasig.services.persondir.support.StubPersonAttributeDao">
> > >             <property name="backingMap">
> > >                 <map>
> > >                     <entry key="uid" value="uid" />
> > >                     <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
> > >                     <entry key="groupMembership" value="groupMembership" />
> > >                 </map>
> > >             </property>
> > >         </bean>
> > >
> > >         <bean id="serviceRegistryDao"
> > >               class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />
> > >
> > >         <!-- LDAP context -->
> > >         <bean id="contextSource"
> > >               class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
> > >             <property name="pooled" value="true"/>
> > >             <property name="urls">
> > >                 <list>
> > >                     <value>ldap://ladpsrv:389/ou=ait,o=b2b,dc=net</value>
> > >                 </list>
> > >             </property>
> > >             <property name="userName" value="cn=Manager,ou=ait,o=b2b,dc=net"/>
> > >             <property name="password" value="secret"/>
> > >             <property name="baseEnvironmentProperties">
> > >                 <map>
> > >                     <entry>
> > >                         <key><value>java.naming.security.authentication</value></key>
> > >                         <value>simple</value>
> > >                     </entry>
> > >                     <entry>
> > >                         <key><value>ldap.initial.context.factory</value></key>
> > >                         <value>com.sun.jndi.ldap.LdapCtxFactory</value>
> > >                     </entry>
> > >                 </map>
> > >             </property>
> > >         </bean>
> > >
> > >     </beans>
> > >
> > >
> > > my LDAP schema is
> > >
> > >     ou=ait,o=b2b,dc=net
> > >       ou=people
> > >         uid=user1
> > >         uid=user2
> > >       ou=roles
> > >         cn=role1
> > >           uniqueMember: uid=user1,ou=people,ou=ait,o=b2b,dc=net
> > >         cn=role2
> > >           uniqueMember: uid=user2,ou=people,ou=ait,o=b2b,dc=net
> > >
> > >
> > >
> > > when I try to login I get a bad credential
> > >
> > > any help please?
> > >
> > > thanks a lot.
> > >
> > > Mezghena.
> > >
> > >
> > > _______________________________________________
> > > Yale CAS mailing list
> > > cas at tp.its.yale.edu
> > > http://tp.its.yale.edu/mailman/listinfo/cas
> > >
> > > --
> > > Andrew Feller, Analyst
> > > LSU University Information Services
> > > 200 Frey Computing Services Center
> > > Baton Rouge, LA 70803
> > > Office: 225.578.3737
> > > Fax: 225.578.6400
> > >
> > >
> > >
> >
> >
> >
> > --
> > matt at forsetti.com
> > Key ID:D6EEC5B5
>
>
>
>
>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldap_member.png
Type: image/png
Size: 67063 bytes
Desc: not available
Url : http://tp.its.yale.edu/pipermail/cas/attachments/20090131/4e720852/attachment-0001.png
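The approach Shi describes at the top of this thread (after CAS has authenticated the user, search the directory for the groups that list that user as a member and expose the result through the request) can be carried out on the client side without JAAS, as an added example that is not part of this thread, of CAS or of the Java CAS Client. It is a servlet filter for the CAS-protected web application, mapped in web.xml after the CAS client filters, and assumes three things: that getUserPrincipal() has already been populated by the CAS client's HttpServletRequestWrapperFilter (or equivalent), that roles are groupOfUniqueNames entries with uniqueMember attributes as in Inas's schema, and init-param names (ldapUrl, bindDn, bindPassword, userBase, roleBase) chosen for this example only.

```java
package example.cas; // hypothetical package; this filter is not part of CAS or the CAS client

import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Resolves the CAS-authenticated user's roles from LDAP and exposes them via
 * request.isUserInRole(). Map it in web.xml after the CAS client filters so that
 * getUserPrincipal() is already populated when it runs.
 */
public class LdapRoleFilter implements Filter {
    private static final String SESSION_KEY = LdapRoleFilter.class.getName() + ".roles";
    private static final long CACHE_MILLIS = 5 * 60 * 1000L; // re-read memberships after 5 minutes

    private String ldapUrl, bindDn, bindPassword, userBase, roleBase;

    public void init(FilterConfig cfg) {
        // Assumed init-params (names chosen for this example), e.g.:
        //   ldapUrl=ldaps://ladpsrv:636   bindDn=<read-only service account, not cn=Manager>
        //   userBase=ou=people,ou=ait,o=b2b,dc=net   roleBase=ou=roles,ou=ait,o=b2b,dc=net
        ldapUrl = cfg.getInitParameter("ldapUrl");
        bindDn = cfg.getInitParameter("bindDn");
        bindPassword = cfg.getInitParameter("bindPassword");
        userBase = cfg.getInitParameter("userBase");
        roleBase = cfg.getInitParameter("roleBase");
    }

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        Principal user = http.getUserPrincipal();
        if (user == null) {                       // no CAS principal yet: nothing to map
            chain.doFilter(req, res);
            return;
        }
        HttpSession session = http.getSession(true);
        CachedRoles cached = (CachedRoles) session.getAttribute(SESSION_KEY);
        if (cached == null || cached.expired()) { // missing or stale: query LDAP again
            try {
                cached = new CachedRoles(lookupRoles(user.getName()));
            } catch (NamingException e) {
                throw new ServletException("LDAP role lookup failed", e); // fail closed, not role-less
            }
            session.setAttribute(SESSION_KEY, cached);
        }
        final Set<String> roles = cached.roles;
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public boolean isUserInRole(String role) { return roles.contains(role); }
        }, res);
    }

    /** cn of every groupOfUniqueNames under roleBase whose uniqueMember lists the user's DN. */
    Set<String> lookupRoles(String uid) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        DirContext ctx = new InitialDirContext(env);
        try {
            String userDn = "uid=" + escapeDnValue(uid) + "," + userBase;
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.ONELEVEL_SCOPE);
            sc.setReturningAttributes(new String[] {"cn"});
            // {0} is filled in with RFC 4515 escaping by JNDI; never concatenate the principal
            // name into the filter string yourself, or a crafted username can rewrite the filter.
            NamingEnumeration<SearchResult> results = ctx.search(roleBase,
                    "(&(objectClass=groupOfUniqueNames)(uniqueMember={0}))", new Object[] {userDn}, sc);
            Set<String> roles = new HashSet<String>();
            while (results.hasMore()) {
                Attribute cn = results.next().getAttributes().get("cn");
                if (cn != null) roles.add((String) cn.get());
            }
            return roles;
        } finally {
            ctx.close();
        }
    }

    /** RFC 4514 escaping for an attribute value that is embedded in a DN string. */
    static String escapeDnValue(String v) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < v.length(); i++) {
            char c = v.charAt(i);
            if (",+\"\\<>;".indexOf(c) >= 0 || (i == 0 && (c == '#' || c == ' '))
                    || (i == v.length() - 1 && c == ' ')) sb.append('\\');
            sb.append(c);
        }
        return sb.toString();
    }

    private static final class CachedRoles implements Serializable {
        final Set<String> roles;
        final long fetchedAt = System.currentTimeMillis();
        CachedRoles(Set<String> roles) { this.roles = Collections.unmodifiableSet(roles); }
        boolean expired() { return System.currentTimeMillis() - fetchedAt > CACHE_MILLIS; }
    }
}
```

Two design points follow from the thread. Shi's question about refreshing the relationship is handled by keeping the role set in the session with a time-to-live rather than computing it once at login, so a membership change in ou=roles is picked up within CACHE_MILLIS without forcing the user to log out. The directory bind should use a read-only service account over ldaps:// (or StartTLS), not the cn=Manager credentials from the posted configuration, since the web application only needs to read group membership; and a lookup failure is turned into a 500 rather than an empty role set, so an LDAP outage cannot silently downgrade every request to "no roles" in a way that a later authorization check might misread.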