I think you’d need to implement a custom principal resolver to do this LDAP lookup, which should return a null principal reference if not successful, which would trigger UnresolvedPrincipalException up the authentication transaction stack, etc.

Cheers,
D.

> On Jun 8, 2016, at 3:23 PM, Nick Couchman <[email protected]> wrote:
>
> Awesome. So I have looked at that page before, and what I'm struggling with
> wrapping my mind around is how to configure the LDAP lookup piece. I've
> successfully configured CAS with LDAP, so I can get CAS talking to LDAP, and
> the instructions cover the x509 stuff, and LDAP lookup for CRL, but I'm
> looking for some hints on how to match Certificate Subject Name to LDAP DN.
> I'll poke around more at those pages and see if I can work through it, but
> any further hints would be greatly appreciated. Not asking anyone to do my
> work for me, just point me in the right direction.
>
> -Nick
>
> > On Wednesday, June 8, 2016 at 1:19:36 PM UTC-6, Misagh Moayyed wrote:
> > Everything you described is possible, almost word for word :)
> >
> > See https://apereo.github.io/cas/4.2.x/installation/X509-Authentication.html
> >
> > From: [email protected] [mailto:[email protected]] On Behalf Of Nick Couchman
> > Sent: Wednesday, June 8, 2016 11:54 AM
> > To: CAS Community <[email protected]>
> > Subject: [cas-user] Assistance with x509 + LDAP
> >
> > First, I'm new to CAS and am still working my way around it, Spring, and
> > Maven. Have mercy on the newbie. My environment is a Linux server running
> > Apache Tomcat 8 with JDK 1.8. I've successfully configured LDAP
> > authentication based on the cas/login page - I can enter an e-mail address
> > and password for an LDAP user and get a successful login.
> >
> > I'm still working on "CASifying" my apps, or at least finding the ones that
> > support SAML, OAUTH, and OpenID and beginning to integrate those into CAS.
> > Very early on in those stages.
> >
> > However, one thing I'd like to do is configure x509 client certificate
> > ("PKI") authentication to CAS along with LDAP. We issue certificates with a
> > local CA, and the certificate subject name matches the user's LDAP DN. So,
> > what I'd like to do with the login flow with CAS is something like this:
> >
> > - User/Application directs to CAS login page.
> >
> > - CAS looks for/prompts for x509 certificate from user/browser.
> >
> > - If user provides a certificate, CAS verifies it is issued by local CA,
> > looks for the certificate subject name in LDAP, compares provided cert to the
> > LDAP userCertificate field, and examines CRL distribution point to make sure
> > certificate is valid.
> >
> > - If certificate matches, is valid, etc., login succeeds, and the LDAP mail
> > attribute is used as the login name/principal name for the login, and control
> > is returned to app that requested login.
> >
> > - If certificate is not provided, does not match, etc., user is directed to
> > login page.
> >
> > - User can enter e-mail address and LDAP password at login page.
> >
> > - If LDAP authentication succeeds, user is logged in and control is returned
> > to the requesting app.
> >
> > - Else login fails.
> >
> > So, first, I'd like to know if a configuration like this is possible? I
> > suspect that it is, based on how flexible and powerful the CAS server is, but
> > don't want to make that assumption and start working on it only to find out
> > it doesn't work. If it is possible, can anyone provide any hints, example
> > configurations, etc., that would get me headed in the right direction?
> >
> > Thanks,
> > Nick
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "CAS Community" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > To post to this group, send email to [email protected].
> > Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
> > To view this discussion on the web visit
> > https://groups.google.com/a/apereo.org/d/msgid/cas-user/10d0319a-5206-4739-85de-52859f5f5ded%40apereo.org.
> > For more options, visit https://groups.google.com/a/apereo.org/d/optout.
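Added example, not code from the thread or the CAS project: a resolver of the kind D. describes, assuming CAS 4.2's PrincipalResolver, PrincipalFactory and Credential interfaces and its X509CertificateCredential class, plus a hypothetical LDAP URL and bind account. It addresses the entry by the certificate subject DN, requires the presented certificate to equal the stored userCertificate, uses the mail attribute as the principal id, and returns null on any failure so the transaction ends in UnresolvedPrincipalException.

```java
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.Context;
import javax.naming.directory.*;
import org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredential;
import org.jasig.cas.authentication.Credential;
import org.jasig.cas.authentication.principal.*;

public class LdapCertificatePrincipalResolver implements PrincipalResolver {
    // Assumed LDAP settings; in a real deployment these come from the CAS configuration.
    private static final String LDAP_URL = "ldap://ldap.example.org:389";
    private static final String BIND_DN = "cn=cas,ou=services,dc=example,dc=org";
    private static final String BIND_PW = "change-me";
    private final PrincipalFactory factory = new DefaultPrincipalFactory();
    @Override
    public boolean supports(final Credential credential) {
        return credential instanceof X509CertificateCredential;
    }
    @Override
    public Principal resolve(final Credential credential) {
        final X509Certificate cert = ((X509CertificateCredential) credential).getCertificate();
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env());
            // The certificate subject DN is used as-is as the DN of the user's LDAP entry.
            final Attributes attrs = ctx.getAttributes(cert.getSubjectX500Principal().getName(),
                    new String[] {"userCertificate;binary", "mail"});
            final Attribute stored = attrs.get("userCertificate;binary");
            final Attribute mail = attrs.get("mail");
            // The stored certificate must match byte for byte; a DN match alone is not enough.
            if (stored == null || mail == null || !Arrays.equals((byte[]) stored.get(), cert.getEncoded())) {
                return null;  // missing entry/attribute or mismatch: principal stays unresolved
            }
            // The LDAP mail attribute becomes the principal id, as asked for in the thread.
            final String id = (String) mail.get();
            return factory.createPrincipal(id, Collections.<String, Object>singletonMap("mail", id));
        } catch (final Exception e) {
            return null;  // NamingException / CertificateEncodingException: also unresolved
        } finally {
            if (ctx != null) { try { ctx.close(); } catch (final Exception ignored) { } }
        }
    }
    private static Hashtable<String, String> env() {
        final Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PW);
        return env;
    }
}
```

getName() returns the subject in RFC 2253 form, so if the directory's DNs differ in attribute order or escaping, search for the entry by a certificate attribute instead of addressing it by DN. Issuer and CRL checks stay with the X.509 handler's revocation checker configured per the page Misagh linked; this resolver only binds the verified certificate to an LDAP identity.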
