Hello,

I forgot to mention that I changed "cn" to "uid":

<bean id="ldapAuthenticationHandler"
      class="org.jasig.cas.authentication.LdapAuthenticationHandler"
      p:principalIdAttribute="uid"
      c:authenticator-ref="authenticator">
    <property name="principalAttributeMap">
        <map>
            <!--
               | This map provides a simple attribute resolution mechanism.
               | Keys are LDAP attribute names, values are CAS attribute names.
               | Use this facility instead of a PrincipalResolver if LDAP is
               | the only attribute source.
               -->
            <entry key="uid" value="uid" />
        </map>
    </property>
</bean>


Regards,
Lutfi

On Thu, Oct 29, 2015 at 6:00 PM, Lutfi Oduncuoglu <lutfioduncuo...@gmail.com> wrote:

> Hello,
>
> I did your suggestions but the problem still occurs. Now my .xml files
> look like:
>
> <bean id="authenticationManager"
>       class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
>         <constructor-arg>
>             <map>
>                 <!--
>                    | IMPORTANT
>                    | Every handler requires a unique name.
>                    | If more than one instance of the same handler class is configured, you must explicitly
>                    | set its name to something other than its default name (typically the simple class name).
>                    -->
>                 <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
>                 <entry key-ref="primaryAuthenticationHandler" value-ref="primaryPrincipalResolver" />
>                 <entry key-ref="ldapAuthenticationHandler" value-ref="usernamePasswordCredentialsResolver" />
>             </map>
>
> and I added the bean:
>
>     <!-- Required for proxy ticket mechanism -->
>     <bean id="proxyPrincipalResolver"
>           class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />
>
>     <bean id="usernamePasswordCredentialsResolver"
>           class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />
>     <!--
>        | Resolves a principal from a credential using an attribute repository that is configured to resolve
>        | against a deployer-specific store (e.g. LDAP).
>        -->
>     <bean id="primaryPrincipalResolver"
>           class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver">
>         <property name="attributeRepository" ref="attributeRepository" />
>     </bean>
>
> Also, I set TLS to off in cas.properties. However, when I tried to log in,
> I sniffed the traffic on my LDAP server with tcpdump and tailed the LDAP
> log file, but there was nothing. The CAS server does no LDAP search or bind.
> CAS does not do anything with LDAP. But I could see some logs during the Maven
> process, which are:
>
>
>
> Oct 29 16:58:11 ldap slapd[1236]: conn=1195 fd=20 ACCEPT from IP=10.6.16.16:40967 (IP=0.0.0.0:389)
> Oct 29 16:58:11 ldap slapd[1236]: conn=1196 fd=21 ACCEPT from IP=10.6.16.16:40968 (IP=0.0.0.0:389)
> Oct 29 16:58:11 ldap slapd[1236]: conn=1197 fd=22 ACCEPT from IP=10.6.16.16:40969 (IP=0.0.0.0:389)
> Oct 29 16:58:11 ldap slapd[1236]: conn=1198 fd=23 ACCEPT from IP=10.6.16.16:40970 (IP=0.0.0.0:389)
> Oct 29 16:58:11 ldap slapd[1236]: conn=1198 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
> Oct 29 16:58:11 ldap slapd[1236]: conn=1198 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
> Oct 29 16:58:11 ldap slapd[1236]: conn=1198 op=0 RESULT tag=97 err=0 text=
> Oct 29 16:58:11 ldap slapd[1236]: conn=1199 fd=24 ACCEPT from IP=10.6.16.16:40971 (IP=0.0.0.0:389)
> Oct 29 16:58:11 ldap slapd[1236]: conn=1199 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
> Oct 29 16:58:11 ldap slapd[1236]: conn=1199 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
> Oct 29 16:58:11 ldap slapd[1236]: conn=1199 op=0 RESULT tag=97 err=0 text=
> Oct 29 16:58:11 ldap slapd[1236]: conn=1200 fd=25 ACCEPT from IP=10.6.16.16:40972 (IP=0.0.0.0:389)
> Oct 29 16:58:11 ldap slapd[1236]: conn=1200 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
> Oct 29 16:58:11 ldap slapd[1236]: conn=1200 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
> Oct 29 16:58:11 ldap slapd[1236]: conn=1200 op=0 RESULT tag=97 err=0 text=
> Oct 29 16:58:13 ldap slapd[1236]: conn=1195 fd=20 closed (connection lost)
>
>
> I still got the same error on catalina.out.
>
>
>
> Regards
>
>
>
> On Thu, Oct 29, 2015 at 5:01 PM, Alex Bouskine <alex.bousk...@univ-lr.fr>
> wrote:
>
>> Hi Lutfi,
>>
>> In your deployerConfigContext try to replace:
>> <entry key-ref="ldapAuthenticationHandler" value="#{null}" />
>> by:
>> <entry key-ref="ldapAuthenticationHandler" value-ref="usernamePasswordCredentialsResolver" />
>>
>> and add the bean:
>> <bean id="usernamePasswordCredentialsResolver"
>>       class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />
>>
>> plus:
>> <bean id="ldapAuthenticationHandler"
>>       ...
>>       p:principalIdAttribute="cn"
>>               ...
>>             <entry key="cn" value="cn" />
>>                 ...
>> </bean>
>>
>> Try with the uid attribute instead of cn.
>>
>> Another option, in cas.properties: try ldap.useStartTLS=false
>>
>> Regards,
>>
>> Alex
>>
>> On 29/10/2015 14:57, Lutfi Oduncuoglu wrote:
>>
>> Hello,
>>
>> I changed those values before I added the files to my mail. Actually, while
>> doing mvn package it connects to LDAP and confirms the credentials and other
>> stuff. I can send those logs if you want.
>>
>> Regards
>>
>> On Thu, Oct 29, 2015 at 4:47 PM, Christopher Myers <cmy...@mail.millikin.edu> wrote:
>>
>>> It looks like you might have just copied the config from the examples
>>> without modifying it to fit your environment; for example, the
>>> cas.properties file says that your LDAP server is
>>>
>>> ldap.url=ldap://localhost:389
>>>
>>> and the deployerConfigContext file says that your base DN is
>>> p:baseDn="ou=users,dc=example,dc=com"
>>>
>>> with bind credentials of
>>> ldap.authn.baseDn=ou=Users,dc=example,dc=com
>>> ldap.authn.managerDN=cn=admin,dc=example,dc=com
>>> ldap.authn.managerPassword=qwerty123
>>>
>>> so you might want to review the settings and make sure that they've been
>>> tweaked for your environment.
>>>
>>> Chris
>>>
>>>
>>>
>>>
>>> >>> Lutfi Oduncuoglu <lutfioduncuo...@gmail.com> 10/29/15 8:34 AM >>>
>>>
>>> Hello,
>>>
>>> I have just started to use CAS and I want to authenticate users over my
>>> local LDAP server. I did the exact configuration at
>>> http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html.
>>> I added those parts to deployerconfig.xml and cas.properties. Tomcat is running
>>> in SSL mode, so I connect to CAS via https.
>>>
>>> However, when I try to log in, CAS does not connect to LDAP, as you can see
>>> from catalina.out:
>>>
>>> 2015-10-29 15:31:20,466 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <AcceptUsersAuthenticationHandler failed authenticating deneme+password>
>>> 2015-10-29 15:31:20,466 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>>> =============================================================
>>> WHO: audit:unknown
>>> WHAT: supplied credentials: [test+password]
>>> ACTION: AUTHENTICATION_FAILED
>>> APPLICATION: CAS
>>> WHEN: Thu Oct 29 15:31:20 EET 2015
>>> CLIENT IP ADDRESS: 10.6.16.15
>>> SERVER IP ADDRESS: 10.6.16.16
>>> =============================================================
>>>
>>> >
>>> 2015-10-29 15:31:20,467 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>>> =============================================================
>>> WHO: audit:unknown
>>> WHAT: 1 errors, 0 successes
>>> ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
>>> APPLICATION: CAS
>>> WHEN: Thu Oct 29 15:31:20 EET 2015
>>> CLIENT IP ADDRESS: 10.6.16.15
>>> SERVER IP ADDRESS: 10.6.16.16
>>> =============================================================
>>>
>>> >
>>> 2015-10-29 15:31:21,039 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Reloading registered services.>
>>> 2015-10-29 15:31:21,039 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Loaded 1 services.>
>>>
>>>
>>> My xml files are below.
>>>
>>> Thank you very much for help
>>>
>>>
>>> pom.xml
>>>
>>>
>>> <!--
>>>   ~ Licensed to Jasig under one or more contributor license
>>>   ~ agreements. See the NOTICE file distributed with this work
>>>   ~ for additional information regarding copyright ownership.
>>>   ~ Jasig licenses this file to you under the Apache License,
>>>   ~ Version 2.0 (the "License"); you may not use this file
>>>   ~ except in compliance with the License.  You may obtain a
>>>   ~ copy of the License at the following location:
>>>   ~
>>>   ~   http://www.apache.org/licenses/LICENSE-2.0
>>>   ~
>>>   ~ Unless required by applicable law or agreed to in writing,
>>>   ~ software distributed under the License is distributed on an
>>>   ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
>>>   ~ KIND, either express or implied.  See the License for the
>>>   ~ specific language governing permissions and limitations
>>>   ~ under the License.
>>>   -->
>>>
>>> <project xmlns="http://maven.apache.org/POM/4.0.0"
>>>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
>>>   <parent>
>>>     <groupId>org.jasig.cas</groupId>
>>>     <artifactId>cas-server</artifactId>
>>>     <version>4.0.0</version>
>>>   </parent>
>>>   <modelVersion>4.0.0</modelVersion>
>>>   <artifactId>cas-server-webapp</artifactId>
>>>   <packaging>war</packaging>
>>>   <name>Jasig CAS Web Application</name>
>>>   <dependencies>
>>>     <dependency>
>>>       <groupId>org.jasig.cas</groupId>
>>>       <artifactId>cas-server-webapp-support</artifactId>
>>>       <version>${project.version}</version>
>>>       <scope>compile</scope>
>>>     </dependency>
>>>     <dependency>
>>>       <groupId>org.springframework</groupId>
>>>       <artifactId>spring-expression</artifactId>
>>>       <version>${spring.version}</version>
>>>       <scope>runtime</scope>
>>>     </dependency>
>>>     <dependency>
>>>       <groupId>javax.servlet</groupId>
>>>       <artifactId>jstl</artifactId>
>>>       <version>1.1.2</version>
>>>       <type>jar</type>
>>>       <scope>runtime</scope>
>>>     </dependency>
>>>     <dependency>
>>>       <groupId>taglibs</groupId>
>>>       <artifactId>standard</artifactId>
>>>       <version>1.1.2</version>
>>>       <type>jar</type>
>>>       <scope>runtime</scope>
>>>     </dependency>
>>>     <dependency>
>>>       <groupId>org.jasig.cas</groupId>
>>>       <artifactId>cas-server-support-ldap</artifactId>
>>>       <version>4.0.0</version>
>>>     </dependency>
>>>   </dependencies>
>>>
>>>   <build>
>>>     <plugins>
>>>       <plugin>
>>>         <groupId>org.apache.maven.plugins</groupId>
>>>         <artifactId>maven-war-plugin</artifactId>
>>>         <configuration>
>>>           <warName>cas</warName>
>>>           <webResources>
>>>             <resource>
>>>               <directory>${basedir}/src/main/webapp/WEB-INF</directory>
>>>               <filtering>true</filtering>
>>>               <targetPath>WEB-INF</targetPath>
>>>               <includes>
>>>                 <include>**/web.xml</include>
>>>               </includes>
>>>             </resource>
>>>           </webResources>
>>>         </configuration>
>>>       </plugin>
>>>     </plugins>
>>>   </build>
>>>
>>>   <properties>
>>>     <cs.dir>${project.parent.basedir}</cs.dir>
>>>   </properties>
>>> </project>
>>>
>>> deployerConfigContext.xml
>>>
>>>
>>> <?xml version="1.0" encoding="UTF-8"?>
>>> <!--
>>>
>>>     Licensed to Jasig under one or more contributor license
>>>     agreements. See the NOTICE file distributed with this work
>>>     for additional information regarding copyright ownership.
>>>     Jasig licenses this file to you under the Apache License,
>>>     Version 2.0 (the "License"); you may not use this file
>>>     except in compliance with the License.  You may obtain a
>>>     copy of the License at the following location:
>>>
>>>       http://www.apache.org/licenses/LICENSE-2.0
>>>
>>>     Unless required by applicable law or agreed to in writing,
>>>     software distributed under the License is distributed on an
>>>     "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
>>>     KIND, either express or implied.  See the License for the
>>>     specific language governing permissions and limitations
>>>     under the License.
>>>
>>> -->
>>> <!--
>>> | deployerConfigContext.xml centralizes into one file some of the
>>> declarative configuration that
>>> | all CAS deployers will need to modify.
>>> |
>>> | This file declares some of the Spring-managed JavaBeans that make up a
>>> CAS deployment.
>>> | The beans declared in this file are instantiated at context
>>> initialization time by the Spring
>>> | ContextLoaderListener declared in web.xml.  It finds this file because
>>> this
>>> | file is among those declared in the context parameter
>>> "contextConfigLocation".
>>> |
>>> | By far the most common change you will need to make in this file is to
>>> change the last bean
>>> | declaration to replace the default authentication handler with
>>> | one implementing your approach for authenticating usernames and
>>> passwords.
>>> +-->
>>>
>>> <beans xmlns="http://www.springframework.org/schema/beans"
>>>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>        xmlns:p="http://www.springframework.org/schema/p"
>>>        xmlns:c="http://www.springframework.org/schema/c"
>>>        xmlns:tx="http://www.springframework.org/schema/tx"
>>>        xmlns:util="http://www.springframework.org/schema/util"
>>>        xmlns:sec="http://www.springframework.org/schema/security"
>>>        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
>>>        http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.2.xsd
>>>        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
>>>        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
>>>
>>>     <!--
>>>        | The authentication manager defines security policy for
>>> authentication by specifying at a minimum
>>>        | the authentication handlers that will be used to authenticate
>>> credential. While the AuthenticationManager
>>>        | interface supports plugging in another implementation, the
>>> default PolicyBasedAuthenticationManager should
>>>        | be sufficient in most cases.
>>>        +-->
>>>     <bean id="authenticationManager"
>>> class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
>>>         <constructor-arg>
>>>             <map>
>>>                 <!--
>>>                    | IMPORTANT
>>>                    | Every handler requires a unique name.
>>>                    | If more than one instance of the same handler class
>>> is configured, you must explicitly
>>>                    | set its name to something other than its default
>>> name (typically the simple class name).
>>>                    -->
>>>                 <entry key-ref="proxyAuthenticationHandler"
>>> value-ref="proxyPrincipalResolver" />
>>>                 <entry key-ref="primaryAuthenticationHandler"
>>> value-ref="primaryPrincipalResolver" />
>>>                 <entry key-ref="ldapAuthenticationHandler"
>>> value="#{null}" />
>>>             </map>
>>>         </constructor-arg>
>>>
>>>         <!-- Uncomment the metadata populator to allow clearpass to
>>> capture and cache the password
>>>              This switch effectively will turn on clearpass.
>>>         <property name="authenticationMetaDataPopulators">
>>>            <util:list>
>>>               <bean
>>> class="org.jasig.cas.extension.clearpass.CacheCredentialsMetaDataPopulator"
>>>                     c:credentialCache-ref="encryptedMap" />
>>>            </util:list>
>>>         </property>
>>>         -->
>>>
>>>         <!--
>>>            | Defines the security policy around authentication. Some
>>> alternative policies that ship with CAS:
>>>            |
>>>            | * NotPreventedAuthenticationPolicy - all credential must
>>> either pass or fail authentication
>>>            | * AllAuthenticationPolicy - all presented credential must
>>> be authenticated successfully
>>>            | * RequiredHandlerAuthenticationPolicy - specifies a handler
>>> that must authenticate its credential to pass
>>>            -->
>>>         <property name="authenticationPolicy">
>>>             <bean
>>> class="org.jasig.cas.authentication.AnyAuthenticationPolicy" />
>>>         </property>
>>>     </bean>
>>>
>>>     <!-- Required for proxy ticket mechanism. -->
>>>     <bean id="proxyAuthenticationHandler"
>>>
>>> class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
>>>           p:httpClient-ref="httpClient" />
>>>
>>>     <!--
>>>        | TODO: Replace this component with one suitable for your
>>> enviroment.
>>>        |
>>>        | This component provides authentication for the kind of
>>> credential used in your environment. In most cases
>>>        | credential is a username/password pair that lives in a system
>>> of record like an LDAP directory.
>>>        | The most common authentication handler beans:
>>>        |
>>>        | * org.jasig.cas.authentication.LdapAuthenticationHandler
>>>        | * org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler
>>>        | *
>>> org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler
>>>        | *
>>> org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler
>>>        -->
>>> <bean id="ldapAuthenticationHandler"
>>>       class="org.jasig.cas.authentication.LdapAuthenticationHandler"
>>>       p:principalIdAttribute="cn"
>>>       c:authenticator-ref="authenticator">
>>>     <property name="principalAttributeMap">
>>>         <map>
>>>             <!--
>>>                | This map provides a simple attribute resolution
>>> mechanism.
>>>                | Keys are LDAP attribute names, values are CAS attribute
>>> names.
>>>                | Use this facility instead of a PrincipalResolver if
>>> LDAP is
>>>                | the only attribute source.
>>>                -->
>>>             <entry key="cn" value="cn" />
>>>         </map>
>>>     </property>
>>> </bean>
>>>
>>> <bean id="authenticator" class="org.ldaptive.auth.Authenticator"
>>>       c:resolver-ref="dnResolver"
>>>       c:handler-ref="authHandler" />
>>>
>>> <bean id="dnResolver" class="org.ldaptive.auth.PooledSearchDnResolver"
>>>       p:baseDn="ou=users,dc=example,dc=com"
>>>       p:subtreeSearch="true"
>>>       p:allowMultipleDns="false"
>>>       p:connectionFactory-ref="searchPooledLdapConnectionFactory"
>>>       p:userFilter="uid={user}" />
>>>
>>> <bean id="searchPooledLdapConnectionFactory"
>>>       class="org.ldaptive.pool.PooledConnectionFactory"
>>>       p:connectionPool-ref="searchConnectionPool" />
>>>
>>> <bean id="searchConnectionPool" parent="abstractConnectionPool"
>>>       p:connectionFactory-ref="searchConnectionFactory" />
>>>
>>> <bean id="searchConnectionFactory"
>>>       class="org.ldaptive.DefaultConnectionFactory"
>>>       p:connectionConfig-ref="searchConnectionConfig" />
>>>
>>> <bean id="searchConnectionConfig" parent="abstractConnectionConfig"
>>>       p:connectionInitializer-ref="bindConnectionInitializer" />
>>>
>>> <bean id="bindConnectionInitializer"
>>>       class="org.ldaptive.BindConnectionInitializer"
>>>       p:bindDn="cn=admin,dc=example,dc=com">
>>>     <property name="bindCredential">
>>>         <bean class="org.ldaptive.Credential"
>>>               c:password="password" />
>>>     </property>
>>> </bean>
>>>
>>> <bean id="abstractConnectionPool" abstract="true"
>>>       class="org.ldaptive.pool.BlockingConnectionPool"
>>>       init-method="initialize"
>>>       p:poolConfig-ref="ldapPoolConfig"
>>>       p:blockWaitTime="3000"
>>>       p:validator-ref="searchValidator"
>>>       p:pruneStrategy-ref="pruneStrategy" />
>>>
>>> <bean id="abstractConnectionConfig" abstract="true"
>>>       class="org.ldaptive.ConnectionConfig"
>>>       p:ldapUrl="ldap://localhost:389"
>>>       p:connectTimeout="3000"
>>>       p:useStartTLS="false"/>
>>>       <!--p:sslConfig-ref="sslConfig" /-->
>>>
>>> <bean id="ldapPoolConfig" class="org.ldaptive.pool.PoolConfig"
>>>       p:minPoolSize="3"
>>>       p:maxPoolSize="10"
>>>       p:validateOnCheckOut="false"
>>>       p:validatePeriodically="true"
>>>       p:validatePeriod="300" />
>>>
>>> <!--bean id="sslConfig" class="org.ldaptive.ssl.SslConfig">
>>>     <property name="credentialConfig">
>>>         <bean class="org.ldaptive.ssl.X509CredentialConfig"
>>>               p:trustCertificates="${ldap.trustedCert}" />
>>>     </property>
>>> </bean-->
>>>
>>> <bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
>>>       p:prunePeriod="300"
>>>       p:idleTime="600" />
>>>
>>> <bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" />
>>>
>>> <bean id="authHandler"
>>> class="org.ldaptive.auth.PooledBindAuthenticationHandler"
>>>       p:connectionFactory-ref="bindPooledLdapConnectionFactory" />
>>>
>>> <bean id="bindPooledLdapConnectionFactory"
>>>       class="org.ldaptive.pool.PooledConnectionFactory"
>>>       p:connectionPool-ref="bindConnectionPool" />
>>>
>>> <bean id="bindConnectionPool" parent="abstractConnectionPool"
>>>       p:connectionFactory-ref="bindConnectionFactory" />
>>>
>>> <bean id="bindConnectionFactory"
>>>       class="org.ldaptive.DefaultConnectionFactory"
>>>       p:connectionConfig-ref="bindConnectionConfig" />
>>>
>>> <bean id="bindConnectionConfig" parent="abstractConnectionConfig" />
>>>
>>>     <bean id="primaryAuthenticationHandler"
>>>
>>> class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">
>>>         <property name="users">
>>>             <map>
>>>                 <entry key="casuser" value="Mellon"/>
>>>             </map>
>>>         </property>
>>>     </bean>
>>>
>>>     <!-- Required for proxy ticket mechanism -->
>>>     <bean id="proxyPrincipalResolver"
>>>
>>> class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />
>>>
>>>     <!--
>>>        | Resolves a principal from a credential using an attribute
>>> repository that is configured to resolve
>>>        | against a deployer-specific store (e.g. LDAP).
>>>        -->
>>>     <bean id="primaryPrincipalResolver"
>>>
>>> class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver"
>>> >
>>>         <property name="attributeRepository" ref="attributeRepository" />
>>>     </bean>
>>>
>>>     <!--
>>>     Bean that defines the attributes that a service may return.  This
>>> example uses the Stub/Mock version.  A real implementation
>>>     may go against a database or LDAP server.  The id should remain
>>> "attributeRepository" though.
>>>     +-->
>>>     <bean id="attributeRepository"
>>> class="org.jasig.services.persondir.support.StubPersonAttributeDao"
>>>             p:backingMap-ref="attrRepoBackingMap" />
>>>
>>>     <util:map id="attrRepoBackingMap">
>>>         <entry key="uid" value="uid" />
>>>         <entry key="eduPersonAffiliation" value="eduPersonAffiliation"
>>> />
>>>         <entry key="groupMembership" value="groupMembership" />
>>>     </util:map>
>>>
>>>     <!--
>>>     Sample, in-memory data store for the ServiceRegistry. A real
>>> implementation
>>>     would probably want to replace this with the JPA-backed
>>> ServiceRegistry DAO
>>>     The name of this bean should remain "serviceRegistryDao".
>>>     +-->
>>>     <bean id="serviceRegistryDao"
>>> class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl"
>>>             p:registeredServices-ref="registeredServicesList" />
>>>
>>>     <util:list id="registeredServicesList">
>>>         <bean class="org.jasig.cas.services.RegexRegisteredService"
>>>               p:id="0" p:name="HTTP and IMAP" p:description="Allows
>>> HTTP(S) and IMAP(S) protocols"
>>>               p:serviceId="^(https?|imaps?)://.*"
>>> p:evaluationOrder="10000001" />
>>>         <!--
>>>         Use the following definition instead of the above to further
>>> restrict access
>>>         to services within your domain (including sub domains).
>>>         Note that example.com must be replaced with the domain you wish
>>> to permit.
>>>         This example also demonstrates the configuration of an attribute
>>> filter
>>>         that only allows for attributes whose length is 3.
>>>         -->
>>>         <!--
>>>         <bean class="org.jasig.cas.services.RegexRegisteredService">
>>>             <property name="id" value="1" />
>>>             <property name="name" value="HTTP and IMAP on example.com"
>>> />
>>>             <property name="description" value="Allows HTTP(S) and
>>> IMAP(S) protocols on example.com" />
>>>             <property name="serviceId"
>>> value="^(https?|imaps?)://([A-Za-z0-9_-]+\.)*example\.com/.*" />
>>>             <property name="evaluationOrder" value="0" />
>>>             <property name="attributeFilter">
>>>               <bean
>>> class="org.jasig.cas.services.support.RegisteredServiceRegexAttributeFilter"
>>> c:regex="^\w{3}$" />
>>>             </property>
>>>         </bean>
>>>         -->
>>>     </util:list>
>>>
>>>     <bean id="auditTrailManager"
>>> class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
>>>
>>>     <bean id="healthCheckMonitor"
>>> class="org.jasig.cas.monitor.HealthCheckMonitor"
>>> p:monitors-ref="monitorsList" />
>>>
>>>     <util:list id="monitorsList">
>>>       <bean class="org.jasig.cas.monitor.MemoryMonitor"
>>> p:freeMemoryWarnThreshold="10" />
>>>       <!--
>>>         NOTE
>>>         The following ticket registries support SessionMonitor:
>>>           * DefaultTicketRegistry
>>>           * JpaTicketRegistry
>>>         Remove this monitor if you use an unsupported registry.
>>>       -->
>>>       <bean class="org.jasig.cas.monitor.SessionMonitor"
>>>           p:ticketRegistry-ref="ticketRegistry"
>>>           p:serviceTicketCountWarnThreshold="5000"
>>>           p:sessionCountWarnThreshold="100000" />
>>>     </util:list>
>>> </beans>
>>>
>>>
>>> and cas.properties file
>>>
>>> #
>>> # Licensed to Jasig under one or more contributor license
>>> # agreements. See the NOTICE file distributed with this work
>>> # for additional information regarding copyright ownership.
>>> # Jasig licenses this file to you under the Apache License,
>>> # Version 2.0 (the "License"); you may not use this file
>>> # except in compliance with the License.  You may obtain a
>>> # copy of the License at the following location:
>>> #
>>> #   http://www.apache.org/licenses/LICENSE-2.0
>>> #
>>> # Unless required by applicable law or agreed to in writing,
>>> # software distributed under the License is distributed on an
>>> # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
>>> # KIND, either express or implied.  See the License for the
>>> # specific language governing permissions and limitations
>>> # under the License.
>>> #
>>>
>>> server.name=http://localhost:8080
>>> server.prefix=${server.name}/cas
>>> # IP address or CIDR subnet allowed to access the /status URI of CAS that exposes health check information
>>> cas.securityContext.status.allowedSubnet=127.0.0.1
>>>
>>>
>>> cas.themeResolver.defaultThemeName=cas-theme-default
>>> cas.viewResolver.basename=default_views
>>>
>>> ##
>>> # Unique CAS node name
>>> # host.name is used to generate unique Service Ticket IDs and SAMLArtifacts.  This is usually set to the specific
>>> # hostname of the machine running the CAS node, but it could be any label so long as it is unique in the cluster.
>>> host.name=cas01.example.org
>>>
>>> ##
>>> # Database flavors for Hibernate
>>> #
>>> # One of these is needed if you are storing Services or Tickets in an RDBMS via JPA.
>>> #
>>> # database.hibernate.dialect=org.hibernate.dialect.OracleDialect
>>> # database.hibernate.dialect=org.hibernate.dialect.MySQLInnoDBDialect
>>> # database.hibernate.dialect=org.hibernate.dialect.HSQLDialect
>>>
>>> ##
>>> # CAS Logout Behavior
>>> # WEB-INF/cas-servlet.xml
>>> #
>>> # Specify whether CAS should redirect to the specified service parameter on /logout requests
>>> # cas.logout.followServiceRedirects=false
>>>
>>> ##
>>> # Single Sign-On Session Timeouts
>>> # Defaults sourced from WEB-INF/spring-configuration/ticketExpirationPolices.xml
>>> #
>>> # Maximum session timeout - TGT will expire in maxTimeToLiveInSeconds regardless of usage
>>> # tgt.maxTimeToLiveInSeconds=28800
>>> #
>>> # Idle session timeout -  TGT will expire sooner than maxTimeToLiveInSeconds if no further requests
>>> # for STs occur within timeToKillInSeconds
>>> # tgt.timeToKillInSeconds=7200
>>>
>>> ##
>>> # Service Ticket Timeout
>>> # Default sourced from WEB-INF/spring-configuration/ticketExpirationPolices.xml
>>> #
>>> # Service Ticket timeout - typically kept short as a control against replay attacks, default is 10s.  You'll want to
>>> # increase this timeout if you are manually testing service ticket creation/validation via tamperdata or similar tools
>>> # st.timeToKillInSeconds=10
>>>
>>> ##
>>> # Single Logout Out Callbacks
>>> # Default sourced from WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml
>>> #
>>> # To turn off all back channel SLO requests set slo.disabled to true
>>> # slo.callbacks.disabled=false
>>>
>>> ##
>>> # Service Registry Periodic Reloading Scheduler
>>> # Default sourced from WEB-INF/spring-configuration/applicationContext.xml
>>> #
>>> # Force a startup delay of 2 minutes.
>>> # service.registry.quartz.reloader.startDelay=120000
>>> #
>>> # Reload services every 2 minutes
>>> # service.registry.quartz.reloader.repeatInterval=120000
>>>
>>> ##
>>> # Log4j
>>> # Default sourced from WEB-INF/spring-configuration/log4jConfiguration.xml:
>>> #
>>> # It is often time helpful to externalize log4j.xml to a system path to preserve settings between upgrades.
>>> # e.g. log4j.config.location=/etc/cas/log4j.xml
>>> # log4j.config.location=classpath:log4j.xml
>>> #
>>> # log4j refresh interval in millis
>>> # log4j.refresh.interval=60000
>>>
>>> ##
>>> # Password Policy
>>> #
>>> # Warn all users of expiration date regardless of warningDays value.
>>> password.policy.warnAll=false
>>>
>>> # Threshold number of days to begin displaying password expiration warnings.
>>> password.policy.warningDays=30
>>>
>>> # URL to which the user will be redirected to change the password.
>>> password.policy.url=https://password.example.edu/change
>>>
>>> #========================================
>>> # General properties
>>> #========================================
>>> ldap.url=ldap://localhost:389
>>>
>>> # LDAP connection timeout in milliseconds
>>> ldap.connectTimeout=3000
>>>
>>> # Whether to use StartTLS (probably needed if not SSL connection)
>>> ldap.useStartTLS=true
>>>
>>> #========================================
>>> # LDAP connection pool configuration
>>> #========================================
>>> ldap.pool.minSize=3
>>> ldap.pool.maxSize=10
>>> ldap.pool.validateOnCheckout=false
>>> ldap.pool.validatePeriodically=true
>>>
>>> # Amount of time in milliseconds to block on pool exhausted condition
>>> # before giving up.
>>> ldap.pool.blockWaitTime=3000
>>>
>>> # Frequency of connection validation in seconds
>>> # Only applies if validatePeriodically=true
>>> ldap.pool.validatePeriod=300
>>>
>>> # Attempt to prune connections every N seconds
>>> ldap.pool.prunePeriod=300
>>>
>>> # Maximum amount of time an idle connection is allowed to be in
>>> # pool before it is liable to be removed/destroyed
>>> ldap.pool.idleTime=600
>>>
>>> #========================================
>>> # Authentication
>>> #========================================
>>>
>>> # Base DN of users to be authenticated
>>> ldap.authn.baseDn=ou=Users,dc=example,dc=com
>>>
>>> # Manager DN for authenticated searches
>>> #ldap.authn.managerDN=uid=manager,ou=Users,dc=example,dc=org
>>> ldap.authn.managerDN=cn=admin,dc=example,dc=com
>>>
>>> # Manager password for authenticated searches
>>> ldap.authn.managerPassword=qwerty123
>>>
>>> # Search filter used for configurations that require searching for DNs
>>> #ldap.authn.searchFilter=(&(uid={user})(accountState=active))
>>> ldap.authn.searchFilter=(uid={user})
>>>
>>> # Search filter used for configurations that require searching for DNs
>>> #ldap.authn.format=uid=%s,ou=Users,dc=example,dc=org
>>> ldap.authn.format=uid=%s,ou=users,dc=example,dc=com
>>> #ldap.authn.format=%s...@example.com
>>>
>>> --
>>> You are currently subscribed to cas-user@lists.jasig.org as: 
>>> cmy...@mail.millikin.edu
>>> To unsubscribe, change settings or access archives, see 
>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>>
>
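
The log check described in the thread (tailing the slapd log to see whether CAS binds or searches at login) can be scripted; this is an added example, not code from the thread or from the CAS project. The log lines are constructed in the slapd format quoted above, the `SRCH` lines show what a user lookup would add, and the TLS test relies on slapd writing a `TLS established` line on connections that negotiate TLS.

```python
import re

MANAGER_DN = "cn=admin,dc=example,dc=com"  # bind DN used in the thread's config

# Constructed sample: pool connections opened at startup, as in the quoted log.
STARTUP_LOG = """\
Oct 29 16:58:11 ldap slapd[1236]: conn=1195 fd=20 ACCEPT from IP=10.6.16.16:40967 (IP=0.0.0.0:389)
Oct 29 16:58:11 ldap slapd[1236]: conn=1198 fd=23 ACCEPT from IP=10.6.16.16:40970 (IP=0.0.0.0:389)
Oct 29 16:58:11 ldap slapd[1236]: conn=1198 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
Oct 29 16:58:11 ldap slapd[1236]: conn=1198 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
Oct 29 16:58:11 ldap slapd[1236]: conn=1198 op=0 RESULT tag=97 err=0 text=
Oct 29 16:58:13 ldap slapd[1236]: conn=1195 fd=20 closed (connection lost)
"""

# Constructed: the extra lines a login would produce if the DN resolver ran.
LOGIN_LOG = STARTUP_LOG + """\
Oct 29 17:02:40 ldap slapd[1236]: conn=1198 op=1 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(uid=test)"
Oct 29 17:02:40 ldap slapd[1236]: conn=1198 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

LINE = re.compile(r"slapd\[\d+\]: conn=(\d+) (?:fd|op)=\d+ (.*)$")
BIND = re.compile(r'BIND dn="([^"]*)" mech=(\S+)')   # the completed-bind line only
SRCH = re.compile(r'SRCH base="([^"]*)".* filter="([^"]*)"')


def summarize(log_text):
    """Group slapd stats-level log lines by connection id."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        conn = conns.setdefault(
            int(m.group(1)),
            {"peer": None, "tls": False, "binds": [], "searches": []},
        )
        rest = m.group(2)
        bind = BIND.match(rest)
        srch = SRCH.match(rest)
        if rest.startswith("ACCEPT from IP="):
            conn["peer"] = rest.split()[2][len("IP="):]
        elif rest.startswith("TLS established"):
            conn["tls"] = True
        elif bind:
            conn["binds"].append((bind.group(1), bind.group(2)))
        elif srch:
            conn["searches"].append((srch.group(1), srch.group(2)))
    return conns


def findings(conns, manager_dn=MANAGER_DN):
    """Return (kind, conn_id, dn) tuples worth a second look."""
    out = []
    user_activity = False
    for cid, conn in sorted(conns.items()):
        for dn, mech in conn["binds"]:
            # A simple bind with no TLS on the connection sends the password in clear.
            if mech == "SIMPLE" and not conn["tls"]:
                out.append(("simple-bind-without-tls", cid, dn))
            if dn.lower() != manager_dn.lower():
                user_activity = True
        if conn["searches"]:
            user_activity = True
    if not user_activity:
        # Only manager binds were seen: no login attempt ever reached the directory.
        out.append(("no-user-search-or-bind", None, None))
    return out


if __name__ == "__main__":
    for name, text in (("startup", STARTUP_LOG), ("login", LOGIN_LOG)):
        print(name, findings(summarize(text)))
```
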
