Please move this question to cas-user and we'll try to help. The cas-dev list is for development discussions related to the CAS server and clients. You'll reach more people who can help on cas-user as well, so it's a win-win.
M

On Thu, May 21, 2009 at 6:59 AM, Michael A Jones <m.a.jo...@hull.ac.uk> wrote:

> Thanks for the advice. I have done as you advised and CAS is now working on the surface. However, I am now having communication problems with my Active Directory. I am very close to getting it working, I think. My AD machine is called idm-dc1 and my domain is ExampleOrganization.local. At present, when I try to login I am getting a Java exception from CAS saying unknown host for ldap://idm-dc1.ExampleOrganization.local:389.
>
> I am logging in as one of my users as below, and their account details in AD are included for reference. My users are held in an OU called Identities:
>
> userid=t...@testschool.ac.uk
> pw=apassword
>
> LDIF for this user in AD:
>
> dn: cn=t...@testschool.ac.uk,OU=Identities,DC=ExampleOrganization,DC=local
> changetype: add
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: t...@testschool.ac.uk
> sn: MELDRUM
> title: MS
> givenName: LAURA
> distinguishedName: cn=t...@testschool.ac.uk,OU=Identities,DC=ExampleOrganization,DC=local
> instanceType: 4
> whenCreated: 20090508082512.0Z
> whenChanged: 20090508082512.0Z
> uSNCreated: 15381
> uSNChanged: 15394
> name: t...@testschool.ac.uk
> objectGUID:: z0FREwjkVkiMPl67khJCYQ==
> userAccountControl: 512
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> pwdLastSet: 128862447125126250
> primaryGroupID: 513
> objectSid:: ZHUAAAAAAAUVAAAAtGO
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: $Z21000-CA6B2SF9KI
> sAMAccountType: 805306368
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ExampleOrganization,DC=local
> mail: t...@hotmail.com
>
> The relevant segment of my deployerConfigContext.xml settings is as follows:
>
> <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
>   <property name="filter" value="sAMAccountName=%u" />
>   <property name="searchBase" value="ou=Identities,dc=ExampleOrganization,dc=local" />
>   <property name="contextSource" ref="contextSource" />
>   <property name="ignorePartialResultException" value="yes" />
> </bean>
> </list>
> </property>
> </bean>
>
> <bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
>   <property name="urls">
>     <list>
>       <value>ldap://idm-dc1.ExampleOrganizaion.local</value>
>     </list>
>   </property>
>   <property name="userDn" value="CN=Administrator,CN=Users,DC=ExampleOrganization,DC=local"/>
>   <property name="password" value="password"/>
>   <property name="baseEnvironmentProperties">
>     <map>
>       <entry>
>         <key>
>           <value>java.naming.security.authentication</value>
>         </key>
>         <value>simple</value>
>       </entry>
>     </map>
>   </property>
> </bean>
>
> Can anyone offer advice on where I am going wrong? I have followed the info on settings for communicating with AD and would appreciate advice from someone who is successfully communicating with CAS and AD just using the LDAP method.
>
> -----Original Message-----
> From: Scott Battaglia [mailto:scott.battag...@gmail.com]
> Sent: Wed 20/05/2009 14:18
> To: cas-dev@lists.jasig.org
> Subject: Re: [cas-dev] Problem with ActiveDirectory and CAS configuration
>
> You need to construct the appropriate WAR based on your needs, which is why all of our documentation always says which dependencies to add to the pom files. If we enabled everything in the default WAR, we'd have a WAR the size of a small movie file ;-)
>
> Cheers,
> Scott
>
> On Wed, May 20, 2009 at 9:16 AM, Michael A Jones <m.a.jo...@hull.ac.uk> wrote:
>
> > Hi,
> >
> > I just used the cas war file that came with the latest CAS distribution. I guess this doesn't work with anything but the simple authentication. I will build and create my cas war in Maven instead with that dependency and redeploy. I will get back with the results.
> >
> > Regards
> >
> > Mike Jones
> >
> > Identity Management Systems Administrator
> > IT Systems
> > University of Hull
> >
> > Tel: 01482 465549
> >
> > Email: m.a.jo...@hull.ac.uk
> >
> > -----Original Message-----
> > From: David Whitehurst [mailto:dlwhitehu...@gmail.com]
> > Sent: 20 May 2009 13:28
> > To: cas-dev@lists.jasig.org
> > Subject: Re: [cas-dev] Problem with ActiveDirectory and CAS configuration
> >
> > Michael:
> >
> > If it can't find the bean class for the fast bind, it may be because you didn't build the ldap support JAR into the CAS server. Did you do that?
> >
> > David
> >
> > On Wed, May 20, 2009 at 4:32 AM, Michael A Jones <m.a.jo...@hull.ac.uk> wrote:
> >
> > > Could someone help me with the config settings to authenticate to Active Directory with CAS. I cannot get my settings to work. I am trying to configure the CAS authentication that comes as part of the latest uPortal to connect to my Active Directory using the CAS website examples.
> > >
> > > I am trying to use the suggested mode of anonymous authentication to my AD domain named ExampleOrganization.local. I am trying to connect to it using the AD server's IP and port 389.
> > >
> > > The method I am using is fastbind and my users exist in an OU I created called identities.
> > >
> > > When I try to connect it won't work and gives an error in catalina.out of my Apache Tomcat saying it cannot create inner bean and a ClassDefNotFound error with the fastbindhandler bean.
> > >
> > > My deployerConfigContext.xml is below:
> > >
> > > <?xml version="1.0" encoding="UTF-8"?>
> > > <!--
> > >   Copyright (c) 2000-2009, Jasig, Inc.
> > >   See license distributed with this file and available online at
> > >   https://www.ja-sig.org/svn/jasig-parent/tags/rel-10/license-header.txt
> > > -->
> > > <!--
> > >   | deployerConfigContext.xml centralizes into one file some of the declarative configuration that
> > >   | all CAS deployers will need to modify.
> > >   |
> > >   | This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
> > >   | The beans declared in this file are instantiated at context initialization time by the Spring
> > >   | ContextLoaderListener declared in web.xml. It finds this file because this
> > >   | file is among those declared in the context parameter "contextConfigLocation".
> > >   |
> > >   | By far the most common change you will need to make in this file is to change the last bean
> > >   | declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with
> > >   | one implementing your approach for authenticating usernames and passwords.
> > >   +-->
> > > <beans xmlns="http://www.springframework.org/schema/beans"
> > >        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > >        xmlns:p="http://www.springframework.org/schema/p"
> > >        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
> > >
> > >   <!--
> > >     | This bean declares our AuthenticationManager. The CentralAuthenticationService service bean
> > >     | declared in applicationContext.xml picks up this AuthenticationManager by reference to its id,
> > >     | "authenticationManager". Most deployers will be able to use the default AuthenticationManager
> > >     | implementation and so do not need to change the class of this bean. We include the whole
> > >     | AuthenticationManager here in the userConfigContext.xml so that you can see the things you will
> > >     | need to change in context.
> > >     +-->
> > >   <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
> > >     <!--
> > >       | This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate.
> > >       | The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which
> > >       | supports the presented credentials.
> > >       |
> > >       | AuthenticationManagerImpl uses these resolvers for two purposes. First, it uses them to identify the Principal
> > >       | attempting to authenticate to CAS /login . In the default configuration, it is the DefaultCredentialsToPrincipalResolver
> > >       | that fills this role. If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace
> > >       | DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are
> > >       | using.
> > >       |
> > >       | Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket.
> > >       | In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose.
> > >       | You will need to change this list if you are identifying services by something more or other than their callback URL.
> > >       +-->
> > >     <property name="credentialsToPrincipalResolvers">
> > >       <list>
> > >         <!--
> > >           | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
> > >           | by default and produces SimplePrincipal instances conveying the username from the credentials.
> > >           |
> > >           | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
> > >           | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
> > >           | Credentials you are using.
> > >           +-->
> > >         <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
> > >
> > >         <!--
> > >           | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials. It supports the CAS 2.0 approach of
> > >           | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
> > >           | SimpleService identified by that callback URL.
> > >           |
> > >           | If you are representing services by something more or other than an HTTPS URL whereat they are able to
> > >           | receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
> > >           +-->
> > >         <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
> > >       </list>
> > >     </property>
> > >
> > >     <!--
> > >       | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate,
> > >       | AuthenticationHandlers actually authenticate credentials. Here we declare the AuthenticationHandlers that
> > >       | authenticate the Principals that the CredentialsToPrincipalResolvers identified. CAS will try these handlers in turn
> > >       | until it finds one that both supports the Credentials presented and succeeds in authenticating.
> > >       +-->
> > >     <property name="authenticationHandlers">
> > >       <list>
> > >         <!--
> > >           | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
> > >           | a server side SSL certificate.
> > >           +-->
> > >         <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
> > >               p:httpClient-ref="httpClient">
> > >           <!-- THIS IS NOT SECURE.
> > >                PLEASE CHANGE BEFORE DEPLOYING TO PRODUCTION ENVIRONMENTS. -->
> > >           <property name="requireSecure" value="false"/>
> > >         </bean>
> > >
> > >         <!--
> > >           | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
> > >           | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
> > >           | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your
> > >           | local authentication strategy. You might accomplish this by coding a new such handler and declaring
> > >           | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
> > >           +-->
> > >         <!--
> > >         <bean class="org.jasig.portal.cas.authentication.handler.support.PersonDirAuthenticationHandler"
> > >               p:user-password-dao-ref="userPasswordDao" />
> > >         -->
> > >
> > >         <bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
> > >           <property name="filter" value="%...@exampleorganization.local" />
> > >           <property name="contextSource" ref="contextSource" />
> > >           <property name="ignorePartialResultException" value="yes" />
> > >         </bean>
> > >
> > >       </list>
> > >     </property>
> > >   </bean>
> > >
> > >   <bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
> > >     <property name="urls">
> > >       <list>
> > >         <value>ldap://my_AD_server_ip:389</value>
> > >       </list>
> > >     </property>
> > >   </bean>
> > >
> > >   <bean id="userPasswordDao" class="org.jasig.portal.cas.authentication.handler.support.PortalPersonDirUserPasswordDao"
> > >         p:data-source-ref="dataSource" />
> > >
> > >   <bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
> > >     <property name="driverClassName" value="com.mysql.jdbc.Driver" />
> > >     <property name="url" value="jdbc:mysql://localhost:3306/portal" />
> > >     <property name="username" value="myuser" />
> > >     <property name="password" value="mypassword" />
> > >
> > >     <property name="minIdle" value="1" />
> > >     <property name="maxIdle" value="2" />
> > >     <property name="maxActive" value="16" />
> > >   </bean>
> > >
> > >   <!--
> > >     This bean defines the security roles for the Services Management application. Simple deployments can use the in-memory version.
> > >     More robust deployments will want to use another option, such as the Jdbc version.
> > >
> > >     The name of this should remain "userDetailsService" in order for Acegi to find it.
> > >
> > >     To use this, you should add an entry similar to the following between the two value tags:
> > >     battags=notused,ROLE_ADMIN
> > >
> > >     where battags is the username you want to grant access to. You can put one entry per line.
> > >   -->
> > >   <bean id="userDetailsService" class="org.springframework.security.userdetails.memory.InMemoryDaoImpl">
> > >     <property name="userMap">
> > >       <value>
> > >
> > >       </value>
> > >     </property>
> > >   </bean>
> > >
> > >   <!--
> > >     Bean that defines the attributes that a service may return. This example uses the Stub/Mock version. A real implementation
> > >     may go against a database or LDAP server. The id should remain "attributeRepository" though.
> > >   -->
> > >   <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao">
> > >     <property name="backingMap">
> > >       <map>
> > >         <entry key="uid" value="uid" />
> > >         <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
> > >         <entry key="groupMembership" value="groupMembership" />
> > >       </map>
> > >     </property>
> > >   </bean>
> > >
> > >   <!--
> > >     Sample, in-memory data store for the ServiceRegistry. A real implementation
> > >     would probably want to replace this with the JPA-backed ServiceRegistry DAO.
> > >     The name of this bean should remain "serviceRegistryDao".
> > >   -->
> > >   <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />
> > > </beans>
> > >
> > > Regards
> > >
> > > Mike Jones
> > >
> > > Identity Management Systems Administrator
> > > IT Systems
> > > University of Hull
> > >
> > > Email: m.a.jo...@hull.ac.uk
> > >
> > > --
> > > You are currently subscribed to cas-dev@lists.jasig.org as: dlwhitehu...@gmail.com
> > > To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
> > >
> > > *****************************************************************************************
> > > To view the terms under which this email is distributed, please go to
> > > http://www.hull.ac.uk/legal/email_disclaimer.html
> > > *****************************************************************************************
> >
> > --
> > David L. Whitehurst
> > http://www.capehenrytech.com . Providing software instruction through a sea of Technology.
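As an added example that is not part of the thread and not CAS project code: an offline pre-flight check for the kind of LDAP settings posted above. It parses a constructed deployerConfigContext.xml fragment in the shape of the one in the May 21 message (the host name, bind DN and password in it are assumptions, and the misspelt host is put there on purpose), derives the DNS domain from the DC components of the search base, and flags a directory URL whose host lies outside that domain, a plaintext ldap:// URL used with a simple bind, and a bind DN that is the domain Administrator account. It also evaluates an `attribute=%u` filter against a constructed entry carrying the same attributes as the posted LDIF (values invented), which shows whether a given login name can ever match the attribute the filter names. Nothing in it opens a network connection.

```python
"""Offline checks for CAS LDAP/AD settings (added example, not CAS code).

SAMPLE_CONFIG and SAMPLE_ENTRY are constructed; every host, DN and
attribute value in them is an assumption, not data from the thread.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SPRING_NS = "http://www.springframework.org/schema/beans"
NS = {"b": SPRING_NS}

# Constructed fragment in the shape of the posted config. The misspelt
# host ("Organizaion") is deliberate: it is the mismatch check 1 surfaces.
SAMPLE_CONFIG = f"""<beans xmlns="{SPRING_NS}">
  <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
    <property name="filter" value="sAMAccountName=%u" />
    <property name="searchBase" value="ou=Identities,dc=ExampleOrganization,dc=local" />
    <property name="contextSource" ref="contextSource" />
  </bean>
  <bean id="contextSource"
        class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
    <property name="urls">
      <list><value>ldap://idm-dc1.ExampleOrganizaion.local</value></list>
    </property>
    <property name="userDn" value="CN=Administrator,CN=Users,DC=ExampleOrganization,DC=local" />
    <property name="password" value="password" />
  </bean>
</beans>"""

# Constructed AD entry with the attributes the posted LDIF has; values invented.
SAMPLE_ENTRY = {
    "cn": "laura@testschool.example",
    "sAMAccountName": "$Z21000-EXAMPLE",
    "mail": "laura@mail.example",
}


def bean_props(root, class_suffix):
    """Properties of the first top-level bean whose class ends with class_suffix:
    value= attribute, else ref= attribute, else the nested <value> texts."""
    for bean in root.findall("b:bean", NS):
        if bean.get("class", "").endswith(class_suffix):
            props = {}
            for prop in bean.findall("b:property", NS):
                nested = [v.text for v in prop.iter(f"{{{SPRING_NS}}}value")]
                props[prop.get("name")] = prop.get("value") or prop.get("ref") or nested
            return props
    return {}


def dn_domain(dn):
    """DNS domain spelt out by the DC components of a DN, lower-cased."""
    labels = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if sep and attr.strip().lower() == "dc":
            labels.append(value.strip().lower())
    return ".".join(labels)


def check_ldap_config(xml_text):
    """Return human-readable findings for the LDAP beans; empty list means clean."""
    root = ET.fromstring(xml_text)
    ctx = bean_props(root, "AuthenticatedLdapContextSource")
    handler = bean_props(root, "LdapAuthenticationHandler")
    findings = []
    # 1. The directory host should sit inside the domain the DCs spell out;
    #    a host outside it is usually a typo and shows up as an unknown-host error.
    expected = dn_domain(handler.get("searchBase") or ctx.get("userDn") or "")
    for url in ctx.get("urls", []):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if expected and host != expected and not host.endswith("." + expected):
            findings.append(f"typo? host '{host}' in {url} is outside DN domain '{expected}'")
        # 2. ldap:// with a simple bind puts the service-account password and
        #    every user's password on the wire in the clear.
        if parts.scheme == "ldap":
            findings.append(f"{url}: plaintext ldap://; use ldaps:// (636) or StartTLS")
    # 3. A search-then-bind handler only needs read access; do not lend it
    #    the domain Administrator credentials.
    bind_dn = ctx.get("userDn") or ""
    if "cn=administrator" in bind_dn.lower():
        findings.append(f"bind DN {bind_dn} is a domain Administrator account")
    return findings


def filter_matches(filter_template, username, entry):
    """Evaluate a CAS '<attribute>=%u' filter against one entry.
    Returns the matching attribute name or None; comparison is case-insensitive,
    as AD treats cn and sAMAccountName."""
    attr, _, pattern = filter_template.partition("=")
    wanted = pattern.replace("%u", username).lower()
    for name, value in entry.items():
        if name.lower() == attr.strip().lower() and value.lower() == wanted:
            return name
    return None


if __name__ == "__main__":
    for finding in check_ldap_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
    login = "laura@testschool.example"
    for template in ("sAMAccountName=%u", "cn=%u"):
        print(template, "->", filter_matches(template, login, SAMPLE_ENTRY))
```

Running it prints three findings for the sample and shows that the login name matches under `cn=%u` but not under `sAMAccountName=%u` for that constructed entry. To use it on a real deployment, read your own deployerConfigContext.xml into `check_ldap_config` and one user's LDIF into `filter_matches`; the domain check is heuristic (a directory served from a different DNS zone than its DCs will be flagged too), so treat a finding as something to confirm, not as proof.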