Awesome. So I have looked at that page before, and what I'm struggling with wrapping my mind around is how to configure the LDAP lookup piece. I've successfully configured CAS with LDAP, so I can get CAS talking to LDAP, and the instructions cover the x509 stuff, and LDAP lookup for CRL, but I'm looking for some hints on how to match Certificate Subject Name to LDAP DN. I'll poke around more at those pages and see if I can work through it, but any further hints would be greatly appreciated. Not asking anyone to do my work for me, just point me in the right direction.
-Nick On Wednesday, June 8, 2016 at 1:19:36 PM UTC-6, Misagh Moayyed wrote: > > Everything you described is possible, almost word for word :) > > > > See > https://apereo.github.io/cas/4.2.x/installation/X509-Authentication.html > > > > *From:* [email protected] <javascript:> [mailto:[email protected] > <javascript:>] *On Behalf Of *Nick Couchman > *Sent:* Wednesday, June 8, 2016 11:54 AM > *To:* CAS Community <[email protected] <javascript:>> > *Subject:* [cas-user] Assistance with x509 + LDAP > > > > First, I'm new to CAS and am still working my way around it, Spring, and > Maven. Have mercy on the newbie. My environment is a Linux server running > Apache Tomcat 8 with JDK 1.8. I've successfully configured LDAP > authentication based on the cas/login page - I can enter an e-mail address > and password for an LDAP user and get a successful login. > > > > I'm still working on "CASifying" my apps, or at least finding the ones > that support SAML, OAUTH, and OpenID and beginning to integrate those into > CAS. Very early on in those stages. > > > > However, one thing I'd like to do is configure x509 client certificate > ("PKI") authentication to CAS along with LDAP. We issue certificates with > a local CA, and the certificate subject name matches the user's LDAP DN. > So, what I'd like to do with the login flow with CAS is something like > this: > > - User/Application directs to CAS login page. > > - CAS looks for/prompts for x509 certificate from user/browser. > > - If user provides a certificate, CAS verifies it is issued by local CA, > looks for the certificate subject name in LDAP, compares provided cert to > the LDAP userCertificate field, and examines CRL distribution point to make > sure certificate is valid. > > - If certificate matches, is valid, etc., login succeeds, and the LDAP > mail attribute is used as the login name/principal name for the login, and > control is returned to app that requested login. > > - If certificate is not provided, does not match, etc., user is directed > to login page. > > - User can enter e-mail address and LDAP password at login page. > > - If LDAP authentication succeeds, user is logged in and control is > returned to the requesting app. > > - Else login fails. > > > > So, first, I'd like to know if a configuration like this is possible? I > suspect that it is, based on how flexible and powerful the CAS server is, > but don't want to make that assumption and start working on it only to find > out it doesn't work. If it is possible, can anyone provide any hints, > example configurations, etc., that would get me headed in the right > direction? > > > > Thanks, > Nick > > -- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected] <javascript:>. > To post to this group, send email to [email protected] <javascript:>. > Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/ > . > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/10d0319a-5206-4739-85de-52859f5f5ded%40apereo.org > > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/10d0319a-5206-4739-85de-52859f5f5ded%40apereo.org?utm_medium=email&utm_source=footer> > . > For more options, visit https://groups.google.com/a/apereo.org/d/optout. > -- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/aee4e6ba-fda5-4e06-a659-4c42d63e7a68%40apereo.org. For more options, visit https://groups.google.com/a/apereo.org/d/optout.
