Nabble - CAS Users

Re: CAS & LDAP

2008-07-24T11:23:40Z

Scott Battaglia wrote:

> On Thu, Jul 24, 2008 at 1:24 PM, Michael Ströder <michael@...
> <mailto:michael@...>> wrote:
>
> Matthew Jones wrote:
> > We already have OpenLDAP installed (although this is another
> > area of non-expertise on my part - just don't ask why I've got
> this job
> > at all!) and it is set up to be suitable for use by the
> > FastBindLdapAdaptor, i.e. authenticate by binding to LDAP using the
> > users credentials.
>
> LDAP Fast bind is a proprietary feature of MS AD. It likely won't work
> with OpenLDAP.
>
> We've used Fast Bind with Sun's LDAP server. Same name for different
> things?

Maybe Sun implemented that too. I can't check at the moment. But it
makes no sense with OpenLDAP.

AFAIK in MS AD nested group membership is resolved when doing a normal
simple bind and put into an attribute 'tokenGroups'. This is bad for
performance, hence the "fast bind".

Further reading:
http://msdn.microsoft.com/en-us/library/aa367028.aspx

Ciao, Michael.
_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

Re: ldap onto uportal 3.0.1

2008-07-24T10:54:09Z

In security.properties

Comment out "CLogin Channel Login link" to display local login (admin/admin ...)

#org.jasig.portal.channels.CLogin.CasLoginUrl=...

It should display login form in the left side. So you can login as admin.

SOO

On Thu, Jul 24, 2008 at 1:23 PM, Adnan Tahir <atahir@...> wrote:

Hello,

Thanks for the info. I am doing exactly that. Now I cant even log in using admin admin or staff staff. Does that mean my LDAP settings are incorrect?

Thanks

Adnan

From: cas-bounces@... [mailto:cas-bounces@...] On Behalf Of SOO KIM
Sent: Thursday, July 24, 2008 12:42 PM
To: Yale CAS mailing list
Subject: Re: ldap onto uportal 3.0.1

Hi,

UP3 is now bundled with CAS. You have to configure CAS to authenticate against your ldap.

I have setup UP3 (CAS) to authenticate against AD. It works very well.

In case you miss,

See http://www.ja-sig.org/wiki/display/UPM30/04+Authenticating+Against+LDAP

SOO

On Thu, Jul 24, 2008 at 12:16 PM, Adnan Tahir <atahir@...> wrote:

Hello,

I am trying to setup LDAP onto uPortal 3.0.1. for some reason I am unable to do it. If there is any documentation on this issue, please let me know. Any help from you in this matter will be highly appreciated.

Thanks

Adnan Tahir

Technical Support Specialist 1

Manchester Community College

1066 Front Street, Manchester, NH 03102

603-396-1360 (Cell)

603-668-6706 ext. 380

ndhakar@...

Opportunities. For Now … for Life.

www.manchestercommunitycollege.edu

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

--
-----------------
SOO IL KIM
kimsooil.com
--------------------

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

--
-----------------
SOO IL KIM
kimsooil.com
--------------------

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

Re: CAS & LDAP

2008-07-24T10:51:18Z

You may need to add another environmental property:

java.naming.security.protocol=ssl

(similar to the way you have java.naming.security.authentication set up) since you using LDAPS.

-Scott

-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

On Thu, Jul 24, 2008 at 11:41 AM, Matthew Jones <matthew.jones@...> wrote:

Welcome to CAS! I'm not an LDAP expert either (we also don't use Fastbind),
but I'll try to provide some basic guidance and then our OpenLDAP experts
can chime in (we have a few).

Great, I need help.

No need to put anything there! The ContextSource is generic so it can be
used for both the FastBind and the other option.

I tried it without userName and password properties as in the enclosed config file (modified LDAP URL)

That is no userName or password properties so that sounds correct?

The UsernamePasswordCredentialsToPrincipalResolver should actually be
configured already in your deployerConfigContext.xml. Unless you've removed
it, there's no need to do anything with it!

No I haven't removed it and I assumed that part didn't need changing as it wasn't mentioned

Have you tried starting up your CAS server after configuring it with LDAP?
If you've got any Spring configuration issues you'll see them. If you have
authentication issues you may not see them until you turn your logging level
up (in the WEB-INF/classes/log4j.properties you can set it to DEBUG instead
of INFO or WARN).

When I tried with the attached deployer config it refused to start. Let me say here that my Tomcat configuration is challenging as I have to run on Centos and it already had an old JDK installed on it. I had to wrestle with an eel just to get the 1.5 Sun JDK on there and used by Tomcat. I had to manually tweak a link to get it to run at all and I couldn't get the update-alternatives thing to work. Anyway, I get some "errors" even when starting tomcat without CAS with LDAP :-

Starting tomcat5: /usr/bin/rebuild-jar-repository: error: JVM_LIBDIR /usr/lib/jvm-exports/java does not exist or is not a directory
/usr/bin/rebuild-jar-repository: error: JVM_LIBDIR
(repeated 3 times)

catalina.out contains:-
log4j:ERROR setFile(null,true) call failed.
java.io.FileNotFoundException: cas.log (Permission denied)

But I can log into CAS using the simple authenticator so it's not completely fatal

Anyway, I then switch to the attached deployerConfigControl.xml and I lose the CAS login page altogether and just receive a message thus:

HTTP Status 404 - /cas-server-webapp-3.2.1/index.jsp

type Status report

message /cas-server-webapp-3.2.1/index.jsp

description The requested resource (/cas-server-webapp-3.2.1/index.jsp) is not available.
Apache Tomcat/5.5.23

Sun also has some LDAP specific logging stuff.

Cheers

--
Matthew Jones
Interactive Data Managed Solutions Ltd
-----------------------------------------------------------------------
Registered in England Company Number 3691868
Registered Office: Suite 1101 Eagle Tower | Montpellier Drive | Cheltenham | Gloucestershire | GL50 1TA
Tel: +44 (0)1242 694133 | Fax: +44 (0)1242 694109
matthew.jones@...
http://www.interactivedata-ms.com/694133

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

Re: CAS & LDAP

2008-07-24T10:46:56Z

On Thu, Jul 24, 2008 at 1:24 PM, Michael Ströder <michael@...> wrote:

Matthew Jones wrote:
> We already have OpenLDAP installed (although this is another
> area of non-expertise on my part - just don't ask why I've got this job
> at all!) and it is set up to be suitable for use by the
> FastBindLdapAdaptor, i.e. authenticate by binding to LDAP using the
> users credentials.

LDAP Fast bind is a proprietary feature of MS AD. It likely won't work
with OpenLDAP.

We've used Fast Bind with Sun's LDAP server. Same name for different things?

-Scott

> Now, I see that I should have an AuthenticatedLdapContextSource bean
> configured but this has parameters (property) such as userName and
> Password. Given that these values should come from the CAS login screen
> what should I put here?

These parameters are for the service user who's searching for user
entries. That's not the user name from the CAS login screen. It's a
bind-DN and the accompanying password. You need that if access control
on the LDAP server is tight and does not allow anonymous searching for
user entries (e.g. that's the default case for MS AD).

Ciao, Michael.

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

Re: CAS & LDAP

2008-07-24T10:24:39Z

Matthew Jones wrote:
> We already have OpenLDAP installed (although this is another
> area of non-expertise on my part - just don't ask why I've got this job
> at all!) and it is set up to be suitable for use by the
> FastBindLdapAdaptor, i.e. authenticate by binding to LDAP using the
> users credentials.

LDAP Fast bind is a proprietary feature of MS AD. It likely won't work
with OpenLDAP.

> Now, I see that I should have an AuthenticatedLdapContextSource bean
> configured but this has parameters (property) such as userName and
> Password. Given that these values should come from the CAS login screen
> what should I put here?

These parameters are for the service user who's searching for user
entries. That's not the user name from the CAS login screen. It's a
bind-DN and the accompanying password. You need that if access control
on the LDAP server is tight and does not allow anonymous searching for
user entries (e.g. that's the default case for MS AD).

Ciao, Michael.
_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

RE: ldap onto uportal 3.0.1

2008-07-24T10:23:01Z

Hello,

Thanks for the info. I am doing exactly that. Now I cant even log in using admin admin or staff staff. Does that mean my LDAP settings are incorrect?

Thanks

Adnan

From: cas-bounces@... [mailto:cas-bounces@...] On Behalf Of SOO KIM
Sent: Thursday, July 24, 2008 12:42 PM
To: Yale CAS mailing list
Subject: Re: ldap onto uportal 3.0.1

Hi,

UP3 is now bundled with CAS. You have to configure CAS to authenticate against your ldap.

I have setup UP3 (CAS) to authenticate against AD. It works very well.

In case you miss,

See http://www.ja-sig.org/wiki/display/UPM30/04+Authenticating+Against+LDAP

SOO

On Thu, Jul 24, 2008 at 12:16 PM, Adnan Tahir <atahir@...> wrote:

Hello,

I am trying to setup LDAP onto uPortal 3.0.1. for some reason I am unable to do it. If there is any documentation on this issue, please let me know. Any help from you in this matter will be highly appreciated.

Thanks

Adnan Tahir

Technical Support Specialist 1

Manchester Community College

1066 Front Street, Manchester, NH 03102

603-396-1360 (Cell)

603-668-6706 ext. 380

ndhakar@...

Opportunities. For Now … for Life.

www.manchestercommunitycollege.edu

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

--
-----------------
SOO IL KIM
kimsooil.com
--------------------

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

Re: ldap onto uportal 3.0.1

2008-07-24T09:41:57Z

On Thu, Jul 24, 2008 at 12:16 PM, Adnan Tahir <atahir@...> wrote:

Hello,

I am trying to setup LDAP onto uPortal 3.0.1. for some reason I am unable to do it. If there is any documentation on this issue, please let me know. Any help from you in this matter will be highly appreciated.

Thanks

Adnan Tahir

Technical Support Specialist 1

Manchester Community College

1066 Front Street, Manchester, NH 03102

603-396-1360 (Cell)

603-668-6706 ext. 380

ndhakar@...

Opportunities. For Now … for Life.

www.manchestercommunitycollege.edu

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

--
-----------------
SOO IL KIM
kimsooil.com
--------------------

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

ldap onto uportal 3.0.1

2008-07-24T09:16:28Z

Hello,

Thanks

Adnan Tahir

Technical Support Specialist 1

Manchester Community College

1066 Front Street, Manchester, NH 03102

603-396-1360 (Cell)

603-668-6706 ext. 380

ndhakar@...

Opportunities. For Now … for Life.

www.manchestercommunitycollege.edu

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

Re: Why mod_jk ?

2008-07-24T09:07:53Z

Ooops... I forgot THE major feature of mod_jk : the load-balancer/cluster manager :
With mod_jk, you can very easily balance your web load to a cluster of tomcat.
It's safe, easy and highly scalable...! another reason to put an apache httpd
frontend in front of your tomcat(s)...

-Romain

Romain BOURGUE a écrit :

> Provided you add this mod_ssl directive to your apache configuration
> SSLOptions +ExportCertData
> mod_jk does forward the certData to the tomcat backend server.
>
> I add my 2 cents to the debate : Apache httpd is a an http server. Tomcat is an
> application server with an http connector : It's not tomcat's main objectiv to
> serve http static resources, it's Apache httpd's. Therefore, you'll have much
> more possibilities handling and securing http requests on Apache httpd than
> you'll have with Tomcat.
> Furthermore, with heavy web traffic you need to lighten the load on your Tomcat,
> so it's good pratice to have your static files (html, images, css...) served by
> the Apache httpd and have only the dynamic resources forwarded to the tomcat.
>
> In development environment though, a standalone tomcat is perfect...
>
> -Romain
>
> stephane.gully@... a écrit :
>> Thank you for you answers.
>>
>> As you are speaking about SSL, do you know if client certificats are
>> forwarded to CAS X509 handler when Tomecat is behind the Apache/mod_jk
>> or Apache/mod_proxy_ajp ?
>>
>> Stéphane
>>
>> On 7/24/08, Andrew Ralph Feller, afelle1 <afelle1@...> wrote:
>>> For those who need to support Java applications along with PHP / Perl
>>> applications, they could host both from the same machine by having Apache
>>> httpd front-end Apache Tomcat. There is a another reason why some people
>>> use mod_jk + Tomcat: inexperience in managing Tomcat. When I was starting
>>> out, I hated working with keystores as it wasn¹t nearly as straight forward
>>> as Apache httpd¹s mod_ssl configuration. Once I found how to setup the
>>> Apache Portable Runtime in Tomcat, then I felt comfortable not having Tomcat
>>> front-ended as the APR configuration is extremely similar to mod_ssl.
>>>
>>> On a tangential note, there is an alternative to mod_jk called
>>> mod_proxy_ajp, which comes with Apache httpd 2.2 and works in a similar
>>> manner.
>>>
>>>
>>> On 7/24/08 6:12 AM, "Siegfried Puchbauer" <siegfried.puchbauer@...>
>>> wrote:
>>>
>>>> You can gain a lot of flexibility when you choose to use Apache in front
>>>> of
>>>> your Tomcat backend. For example a very flexible way to perform name-based
>>>> virtual hosting. Also mod_rewrite is great to perform dynamic redirects
>>>> using
>>>> regexes. And the reverse-proxy capabilities by mod_proxy are also very
>>>> useful
>>>> - especially when using other application in the same url-space. You can
>>>> also
>>>> use it to display a service unavailibilty information when you
>>>> upgrade/restart
>>>> you tomcat. If you do not have the need of rewriteing urls, perform
>>>> virtual-hosting there is IMHO no reason to not choose a standalone tomcat.
>>>>
>>>> Cheers, sigi
>>>> _______________________
>>>> Siegfried Puchbauer
>>>> http://siegfried.puchbauer.com/
>>>>
>>>> On Thu, Jul 24, 2008 at 11:55, Stéphane Gully <stephane.gully@...>
>>>> wrote:
>>>>> Hello,
>>>>>
>>>>> This is a generic question, not directly related to CAS. I'm sorry for
>>>>> that.
>>>>> Google didn't helped me so I try here.
>>>>>
>>>>> When I installed CAS, I had the choice to deploy it directly in Tomcat
>>>>> or in Apache/mod_jk+Tomcat. I chosed to deploy it directly in Tomcat
>>>>> because I needed X509 authentication handler and it just looked more
>>>>> easy to configure directly in Tomcat.
>>>>>
>>>>> I often read that mod_jk should be used but I never know why ? could
>>>>> someone tell me the reason(s) ?
>>>>>
>>>>> regards,
>>>>> --
>>>>> Stéphane GULLY
>>>>> _______________________________________________
>>>>> Yale CAS mailing list
>>>>> cas@...
>>>>> http://tp.its.yale.edu/mailman/listinfo/cas
>>>>
>>>> _______________________________________________
>>>> Yale CAS mailing list
>>>> cas@...
>>>> http://tp.its.yale.edu/mailman/listinfo/cas
>>> --
>>> Andrew R. Feller, Analyst
>>> Information Technology Services
>>> 200 Fred Frey Building
>>> Louisiana State University
>>> Baton Rouge, LA 70803
>>> (225) 578-3737 (Office)
>>> (225) 578-6400 (Fax)
>>>
>>>
>> _______________________________________________
>> Yale CAS mailing list
>> cas@...
>> http://tp.its.yale.edu/mailman/listinfo/cas
>>
> _______________________________________________
> Yale CAS mailing list
> cas@...
> http://tp.its.yale.edu/mailman/listinfo/cas
>

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

Re: Why mod_jk ?

2008-07-24T08:44:40Z

Provided you add this mod_ssl directive to your apache configuration
SSLOptions +ExportCertData
mod_jk does forward the certData to the tomcat backend server.

I add my 2 cents to the debate : Apache httpd is a an http server. Tomcat is an
application server with an http connector : It's not tomcat's main objectiv to
serve http static resources, it's Apache httpd's. Therefore, you'll have much
more possibilities handling and securing http requests on Apache httpd than
you'll have with Tomcat.
Furthermore, with heavy web traffic you need to lighten the load on your Tomcat,
so it's good pratice to have your static files (html, images, css...) served by
the Apache httpd and have only the dynamic resources forwarded to the tomcat.

In development environment though, a standalone tomcat is perfect...

-Romain

stephane.gully@... a écrit :

> Thank you for you answers.
>
> As you are speaking about SSL, do you know if client certificats are
> forwarded to CAS X509 handler when Tomecat is behind the Apache/mod_jk
> or Apache/mod_proxy_ajp ?
>
> Stéphane
>
> On 7/24/08, Andrew Ralph Feller, afelle1 <afelle1@...> wrote:
>> For those who need to support Java applications along with PHP / Perl
>> applications, they could host both from the same machine by having Apache
>> httpd front-end Apache Tomcat. There is a another reason why some people
>> use mod_jk + Tomcat: inexperience in managing Tomcat. When I was starting
>> out, I hated working with keystores as it wasn¹t nearly as straight forward
>> as Apache httpd¹s mod_ssl configuration. Once I found how to setup the
>> Apache Portable Runtime in Tomcat, then I felt comfortable not having Tomcat
>> front-ended as the APR configuration is extremely similar to mod_ssl.
>>
>> On a tangential note, there is an alternative to mod_jk called
>> mod_proxy_ajp, which comes with Apache httpd 2.2 and works in a similar
>> manner.
>>
>>
>> On 7/24/08 6:12 AM, "Siegfried Puchbauer" <siegfried.puchbauer@...>
>> wrote:
>>
>>> You can gain a lot of flexibility when you choose to use Apache in front
>>> of
>>> your Tomcat backend. For example a very flexible way to perform name-based
>>> virtual hosting. Also mod_rewrite is great to perform dynamic redirects
>>> using
>>> regexes. And the reverse-proxy capabilities by mod_proxy are also very
>>> useful
>>> - especially when using other application in the same url-space. You can
>>> also
>>> use it to display a service unavailibilty information when you
>>> upgrade/restart
>>> you tomcat. If you do not have the need of rewriteing urls, perform
>>> virtual-hosting there is IMHO no reason to not choose a standalone tomcat.
>>>
>>> Cheers, sigi
>>> _______________________
>>> Siegfried Puchbauer
>>> http://siegfried.puchbauer.com/
>>>
>>> On Thu, Jul 24, 2008 at 11:55, Stéphane Gully <stephane.gully@...>
>>> wrote:
>>>> Hello,
>>>>
>>>> This is a generic question, not directly related to CAS. I'm sorry for
>>>> that.
>>>> Google didn't helped me so I try here.
>>>>
>>>> When I installed CAS, I had the choice to deploy it directly in Tomcat
>>>> or in Apache/mod_jk+Tomcat. I chosed to deploy it directly in Tomcat
>>>> because I needed X509 authentication handler and it just looked more
>>>> easy to configure directly in Tomcat.
>>>>
>>>> I often read that mod_jk should be used but I never know why ? could
>>>> someone tell me the reason(s) ?
>>>>
>>>> regards,
>>>> --
>>>> Stéphane GULLY
>>>> _______________________________________________
>>>> Yale CAS mailing list
>>>> cas@...
>>>> http://tp.its.yale.edu/mailman/listinfo/cas
>>>
>>>
>>> _______________________________________________
>>> Yale CAS mailing list
>>> cas@...
>>> http://tp.its.yale.edu/mailman/listinfo/cas
>> --
>> Andrew R. Feller, Analyst
>> Information Technology Services
>> 200 Fred Frey Building
>> Louisiana State University
>> Baton Rouge, LA 70803
>> (225) 578-3737 (Office)
>> (225) 578-6400 (Fax)
>>
>>
> _______________________________________________
> Yale CAS mailing list
> cas@...
> http://tp.its.yale.edu/mailman/listinfo/cas
>

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

Re: CAS & LDAP

2008-07-24T08:41:27Z

> Welcome to CAS! I'm not an LDAP expert either (we also don't use Fastbind),
> but I'll try to provide some basic guidance and then our OpenLDAP experts
> can chime in (we have a few).

Great, I need help.

> No need to put anything there! The ContextSource is generic so it can be
> used for both the FastBind and the other option.

I tried it without userName and password properties as in the enclosed
config file (modified LDAP URL)

That is no userName or password properties so that sounds correct?

> The UsernamePasswordCredentialsToPrincipalResolver should actually be
> configured already in your deployerConfigContext.xml. Unless you've removed
> it, there's no need to do anything with it!

No I haven't removed it and I assumed that part didn't need changing as
it wasn't mentioned

> Have you tried starting up your CAS server after configuring it with LDAP?
> If you've got any Spring configuration issues you'll see them. If you have
> authentication issues you may not see them until you turn your logging level
> up (in the WEB-INF/classes/log4j.properties you can set it to DEBUG instead
> of INFO or WARN).

When I tried with the attached deployer config it refused to start. Let
me say here that my Tomcat configuration is challenging as I have to run
on Centos and it already had an old JDK installed on it. I had to
wrestle with an eel just to get the 1.5 Sun JDK on there and used by
Tomcat. I had to manually tweak a link to get it to run at all and I
couldn't get the update-alternatives thing to work. Anyway, I get some
"errors" even when starting tomcat without CAS with LDAP :-

Starting tomcat5: /usr/bin/rebuild-jar-repository: error: JVM_LIBDIR
/usr/lib/jvm-exports/java does not exist or is not a directory
/usr/bin/rebuild-jar-repository: error: JVM_LIBDIR
(repeated 3 times)

catalina.out contains:-
log4j:ERROR setFile(null,true) call failed.
java.io.FileNotFoundException: cas.log (Permission denied)

But I can log into CAS using the simple authenticator so it's not
completely fatal

Anyway, I then switch to the attached deployerConfigControl.xml and I
lose the CAS login page altogether and just receive a message thus:

HTTP Status 404 - /cas-server-webapp-3.2.1/index.jsp

type Status report

message /cas-server-webapp-3.2.1/index.jsp

description The requested resource (/cas-server-webapp-3.2.1/index.jsp)
is not available.
Apache Tomcat/5.5.23

> Sun also has some LDAP specific logging stuff.

Cheers

--
Matthew Jones
Interactive Data Managed Solutions Ltd
-----------------------------------------------------------------------
Registered in England Company Number 3691868
Registered Office: Suite 1101 Eagle Tower | Montpellier Drive |
Cheltenham | Gloucestershire | GL50 1TA
Tel: +44 (0)1242 694133 | Fax: +44 (0)1242 694109
matthew.jones@...
http://www.interactivedata-ms.com/694133

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

<bean id="authenticationManager"
class="org.jasig.cas.authentication.AuthenticationManagerImpl">

<property name="credentialsToPrincipalResolvers">
<list>

<bean
class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />

<bean
class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
</list>
</property>


<property name="authenticationHandlers">
<list>

<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
p:httpClient-ref="httpClient" />

<bean
class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler" >
<property name="filter" value="uid=%u,ou=idms,dc=interactivedata,dc=com" />
<property name="contextSource" ref="contextSource" />
</bean>

<bean
class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
</list>
</property>
</bean>



<bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
<property name="pooled" value="true"/>
<property name="urls">
<list>
<value>ldaps://our-ldap-server/</value>
</list>
</property>
<property name="baseEnvironmentProperties">
<map>
<entry>
<key>
<value>java.naming.security.authentication</value>
</key>
<value>simple</value>
</entry>
</map>
</property>
</bean>


<bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
<property name="userMap">
<value>

</value>
</property>
</bean>


<bean id="attributeRepository"
class="org.jasig.services.persondir.support.StubPersonAttributeDao">
<property name="backingMap">
<map>
<entry key="uid" value="uid" />
<entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
<entry key="groupMembership" value="groupMembership" />
</map>
</property>
</bean>


<bean
id="serviceRegistryDao"
class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />
</beans>

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

smime.p7s (3K) Download Attachment

JDK 1.5.0_8, AD and Debian

2008-07-24T07:48:54Z

Hi,

i tested CAS 3.2.1.1 successful under Ubuntu 8.04 with JDK 1.6 - now I
try under Debian etch width JDK 1.5.0_8 and i can Login with
ldap-connect - but not with ldaps!

The Logfiles just say that the User with ID xy could not be verified...

Configuration is the same as on the Ubuntu-Server - only different is
the JDK-Version...

Any ideas?!?

Best regards,
M.L.
_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

Re: Why mod_jk ?

2008-07-24T07:45:23Z

I think so. It is mentioned in the AJP Protocol Reference for AJP 1.3...

http://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html

hth, cheers
_______________________
Siegfried Puchbauer
http://siegfried.puchbauer.com/

On Thu, Jul 24, 2008 at 15:09, <stephane.gully@...> wrote:

Thank you for you answers.

As you are speaking about SSL, do you know if client certificats are
forwarded to CAS X509 handler when Tomecat is behind the Apache/mod_jk
or Apache/mod_proxy_ajp ?

Stéphane

On 7/24/08, Andrew Ralph Feller, afelle1 <afelle1@...> wrote:
> For those who need to support Java applications along with PHP / Perl
> applications, they could host both from the same machine by having Apache
> httpd front-end Apache Tomcat. There is a another reason why some people
> use mod_jk + Tomcat: inexperience in managing Tomcat. When I was starting
> out, I hated working with keystores as it wasn¹t nearly as straight forward
> as Apache httpd¹s mod_ssl configuration. Once I found how to setup the
> Apache Portable Runtime in Tomcat, then I felt comfortable not having Tomcat
> front-ended as the APR configuration is extremely similar to mod_ssl.
>
> On a tangential note, there is an alternative to mod_jk called
> mod_proxy_ajp, which comes with Apache httpd 2.2 and works in a similar
> manner.
>
>
> On 7/24/08 6:12 AM, "Siegfried Puchbauer" <siegfried.puchbauer@...>
> wrote:
>
>> You can gain a lot of flexibility when you choose to use Apache in front
>> of
>> your Tomcat backend. For example a very flexible way to perform name-based
>> virtual hosting. Also mod_rewrite is great to perform dynamic redirects
>> using
>> regexes. And the reverse-proxy capabilities by mod_proxy are also very
>> useful
>> - especially when using other application in the same url-space. You can
>> also
>> use it to display a service unavailibilty information when you
>> upgrade/restart
>> you tomcat. If you do not have the need of rewriteing urls, perform
>> virtual-hosting there is IMHO no reason to not choose a standalone tomcat.
>>
>> Cheers, sigi
>> _______________________
>> Siegfried Puchbauer
>> http://siegfried.puchbauer.com/
>>
>> On Thu, Jul 24, 2008 at 11:55, Stéphane Gully <stephane.gully@...>
>> wrote:
>>> Hello,
>>>
>>> This is a generic question, not directly related to CAS. I'm sorry for
>>> that.
>>> Google didn't helped me so I try here.
>>>
>>> When I installed CAS, I had the choice to deploy it directly in Tomcat
>>> or in Apache/mod_jk+Tomcat. I chosed to deploy it directly in Tomcat
>>> because I needed X509 authentication handler and it just looked more
>>> easy to configure directly in Tomcat.
>>>
>>> I often read that mod_jk should be used but I never know why ? could
>>> someone tell me the reason(s) ?
>>>
>>> regards,
>>> --
>>> Stéphane GULLY
>>> _______________________________________________
>>> Yale CAS mailing list
>>> cas@...
>>> http://tp.its.yale.edu/mailman/listinfo/cas
>>
>>
>>
>> _______________________________________________
>> Yale CAS mailing list
>> cas@...
>> http://tp.its.yale.edu/mailman/listinfo/cas
>
> --
> Andrew R. Feller, Analyst
> Information Technology Services
> 200 Fred Frey Building
> Louisiana State University
> Baton Rouge, LA 70803
> (225) 578-3737 (Office)
> (225) 578-6400 (Fax)
>
>
_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

Re: CAS & LDAP

2008-07-24T07:31:28Z

Hi,

Welcome to CAS! I'm not an LDAP expert either (we also don't use Fastbind), but I'll try to provide some basic guidance and then our OpenLDAP experts can chime in (we have a few).

On Thu, Jul 24, 2008 at 10:07 AM, Matthew Jones <matthew.jones@...> wrote:

<snip />

Now, I see that I should have an AuthenticatedLdapContextSource bean
configured but this has parameters (property) such as userName and
Password. Given that these values should come from the CAS login screen
what should I put here?

No need to put anything there! The ContextSource is generic so it can be used for both the FastBind and the other option.

<snip />

Maybe I have got the wrong end of the stick altogether but I thought
that using the bind directly to LDAP ought to be the simplest form of
LDAP authentication. However, when username & password are mentioned I
get confused. The configuration file (and some posts) mention the
UsernamePasswordCredentialsToPrincipalResolver and a produced
SimplePrincipal instance. Should I be making use of these and if so how?

The UsernamePasswordCredentialsToPrincipalResolver should actually be configured already in your deployerConfigContext.xml. Unless you've removed it, there's no need to do anything with it!

Have you tried starting up your CAS server after configuring it with LDAP? If you've got any Spring configuration issues you'll see them. If you have authentication issues you may not see them until you turn your logging level up (in the WEB-INF/classes/log4j.properties you can set it to DEBUG instead of INFO or WARN).

Sun also has some LDAP specific logging stuff.

-Scott

Sorry for the very basic nature of these questions but it isn't obvious
to me what I should be trying to do.

Thanks

--
Matthew Jones
Interactive Data Managed Solutions Ltd
-----------------------------------------------------------------------
Registered in England Company Number 3691868
Registered Office: Suite 1101 Eagle Tower | Montpellier Drive |
Cheltenham | Gloucestershire | GL50 1TA
Tel: +44 (0)1242 694133 | Fax: +44 (0)1242 694109
matthew.jones@...
http://www.interactivedata-ms.com/694133

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas