This is the super-down-and-dirty writeup I did internally when I did a
fresh 4.x install to upgrade us from 3.5 (we use Novell eDirectory, but
it should be very similar for any non-AD LDAP):
Comment by Christopher Myers [25-Feb-2015]
Edit cas-server-4.0.0/cas-server-webapp/src/main/webapp/WEB-INF/deployerConfigContext.xml
Comment out
  <bean id="primaryAuthenticationHandler"
        class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">
    <property name="users">
      <map>
        <entry key="casuser" value="Mellon"/>
      </map>
    </property>
  </bean>
Replace it with
  <bean id="ldapAuthenticationHandler"
        class="org.jasig.cas.authentication.LdapAuthenticationHandler"
        p:principalIdAttribute="mail"
        c:authenticator-ref="authenticator">
    <property name="principalAttributeMap">
      <map>
        <!--
          | This map provides a simple attribute resolution mechanism.
          | Keys are LDAP attribute names, values are CAS attribute names.
          | Use this facility instead of a PrincipalResolver if LDAP is
          | the only attribute source.
        -->
        <entry key="member" value="member" />
        <entry key="mail" value="mail" />
        <entry key="displayName" value="displayName" />
      </map>
    </property>
  </bean>
  <bean id="authenticator" class="org.ldaptive.auth.Authenticator"
        c:resolver-ref="dnResolver"
        c:handler-ref="authHandler" />

  <bean id="dnResolver" class="org.ldaptive.auth.PooledSearchDnResolver"
        p:baseDn="${ldap.baseDn}"
        p:allowMultipleDns="false"
        p:subtreeSearch="true"
        p:connectionFactory-ref="searchPooledLdapConnectionFactory"
        p:userFilter="${ldap.authn.searchFilter}" />

  <bean id="searchPooledLdapConnectionFactory"
        class="org.ldaptive.pool.PooledConnectionFactory"
        p:connectionPool-ref="searchConnectionPool" />

  <bean id="searchConnectionPool" parent="abstractConnectionPool" />

  <bean id="abstractConnectionPool" abstract="true"
        class="org.ldaptive.pool.BlockingConnectionPool"
        init-method="initialize"
        p:poolConfig-ref="ldapPoolConfig"
        p:blockWaitTime="${ldap.pool.blockWaitTime}"
        p:validator-ref="searchValidator"
        p:pruneStrategy-ref="pruneStrategy"
        p:connectionFactory-ref="connectionFactory" />

  <bean id="ldapPoolConfig" class="org.ldaptive.pool.PoolConfig"
        p:minPoolSize="${ldap.pool.minSize}"
        p:maxPoolSize="${ldap.pool.maxSize}"
        p:validateOnCheckOut="${ldap.pool.validateOnCheckout}"
        p:validatePeriodically="${ldap.pool.validatePeriodically}"
        p:validatePeriod="${ldap.pool.validatePeriod}" />

  <bean id="connectionFactory"
        class="org.ldaptive.DefaultConnectionFactory"
        p:connectionConfig-ref="connectionConfig" />

  <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig"
        p:ldapUrl="${ldap.url}"
        p:connectTimeout="${ldap.connectTimeout}" />

  <bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
        p:prunePeriod="${ldap.pool.prunePeriod}"
        p:idleTime="${ldap.pool.idleTime}" />

  <bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" />

  <bean id="authHandler"
        class="org.ldaptive.auth.PooledBindAuthenticationHandler"
        p:connectionFactory-ref="bindPooledLdapConnectionFactory" />

  <bean id="bindPooledLdapConnectionFactory"
        class="org.ldaptive.pool.PooledConnectionFactory"
        p:connectionPool-ref="bindConnectionPool" />

  <bean id="bindConnectionPool" parent="abstractConnectionPool" />
Add the following to the bottom of the file /opt/cas-server-4.0.0/cas-
#========================================
ldap.url=ldap://ldapserver.school.edu
# Base DN of users to be authenticated
ldap.baseDn=o=our_base_dn
# LDAP connection timeout in milliseconds
ldap.connectTimeout=3000
# Whether to use StartTLS (probably needed if not SSL connection)
ldap.useStartTLS=false
#========================================
# LDAP connection pool configuration
#========================================
ldap.pool.minSize=3
ldap.pool.maxSize=10
ldap.pool.validateOnCheckout=false
ldap.pool.validatePeriodically=true
# Amount of time in milliseconds to block on pool exhausted condition
# before giving up.
ldap.pool.blockWaitTime=3000
# Frequency of connection validation in seconds
# Only applies if validatePeriodically=true
ldap.pool.validatePeriod=300
# Attempt to prune connections every N seconds
ldap.pool.prunePeriod=300
# Maximum amount of time an idle connection is allowed to be in
# pool before it is liable to be removed/destroyed
ldap.pool.idleTime=600
#========================================
# Authentication
#========================================
# Search filter used for configurations that require searching for DNs
ldap.authn.searchFilter=(uid={user})
While you're in the cas.properties file, also set up the URLs for the
server, etc.
Also edit the line:
  <entry key-ref="primaryAuthenticationHandler"
         value-ref="primaryPrincipalResolver" />
and replace it with:
  <entry key-ref="ldapAuthenticationHandler"
         value-ref="primaryPrincipalResolver" />
Comment by Christopher Myers [26-Feb-2015]
Modify CAS's web.xml file to change the default login session timeout to
2 hours:
  <session-config>
    <session-timeout>120</session-timeout>
  </session-config>
Comment by Christopher Myers [26-Feb-2015]
Edit .../cas-server-webapp/pom.xml and add the following
dependency inside the <dependencies /> section:
  <dependency>
    <groupId>${project.groupId}</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${project.version}</version>
  </dependency>
Comment by Christopher Myers [26-Feb-2015]
You can't use the Maven 2 version that was already on the
boxes to build the new version of CAS; instead, you need to download the
3.2.5 version from http://maven.apache.org/download.cgi, extract it, and
change the "maven" symlink to point to the new install folder.
Comment by Christopher Myers [26-Feb-2015]
The first time I tried to run "mvn package" after doing
this, I got the error:
  Non-parseable POM
  /root/.m2/repository/org/jasig/parent/jasig-parent/39/jasig-parent-39.pom:
  Expected root element 'project' but found 'html'
When I looked at the contents of that .pom file, it was an HTML document
that just said basically "HTTP 301 moved permanently."
I deleted the /root/.m2 folder, and after doing so, things started
running.
Now I'm getting the error:
  Failed to execute goal
  com.mycila.maven-license-plugin:maven-license-plugin:1.9.0:check
  (default) on project cas-server: Resource
  /opt/cas-server-4.0.0/src/licensing/header.txt not found in file system
Found this: https://github.com/Jasig/cas/issues/745
Modified the pom.xml file, changed
  <header>${cs.dir}/src/licensing/header.txt</header>
to
  <header>${licenseHeader}</header>
After doing so, that error went away.
Comment by Christopher Myers [26-Feb-2015]
Now I'm getting the error:
  Caused by: java.io.FileNotFoundException: Could not open ServletContext
  resource [/WEB-INF/-servlet.xml]
I found this Jira issue about it:
https://issues.jasig.org/browse/CAS-799
which basically says "we can't reproduce the issue" and someone
recommended to disable the tests since everything else tests fine:
  mvn package install -Dmaven.test.skip=true
Comment by Christopher Myers [26-Feb-2015]
Finally, after all is completed:
  /opt/cas-server-4.0.0 # mv /opt/cas-server-4.0.0/cas-server-webapp/target/cas.war /usr/share/tomcat/webapps
Comment by Christopher Myers [26-Feb-2015]
CAS 4 is up and running now!
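To make the search-then-bind flow that the deployerConfigContext.xml beans and the cas.properties values in the writeup above configure concrete, here is an added Python model of it; it is example code written for this thread, not CAS or ldaptive code. It resolves the user's DN under ldap.baseDn with ldap.authn.searchFilter (subtreeSearch, allowMultipleDns), binds as that DN, and maps LDAP attributes onto the CAS principal through principalAttributeMap with principalIdAttribute=mail. It runs against an in-memory FakeDirectory with constructed entries (the example.edu addresses, passwords and the deliberately duplicated uid "bob" are all made up), and the names FakeDirectory, LdapAuthConfig, authenticate and login_ok are my own. Two checks are additions of mine rather than something the thread states about ldaptive: the RFC 4515 escaping of the value substituted for {user}, and the refusal of an empty password before the bind (an empty-password bind is an unauthenticated bind under RFC 4513, which some servers treat as a successful anonymous bind).

```python
"""Model of the search-then-bind flow that the deployerConfigContext.xml beans and
cas.properties values above configure: resolve the DN with the user filter, bind as
that DN, then map LDAP attributes onto the CAS principal. Added example running
against an in-memory fake directory with constructed entries, not a real server."""
import re
from dataclasses import dataclass, field


class AuthenticationFailure(Exception):
    """Raised for any reason the login must be refused."""


def escape_filter_value(value):
    """RFC 4515 escaping for the value substituted into the {user} placeholder.
    Without it a username of '*' turns (uid={user}) into the wildcard (uid=*)."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def _assertion_to_regex(assertion):
    """Compile an LDAP assertion value (\\xx escapes, * wildcards) into a regex."""
    regex, i = '', 0
    while i < len(assertion):
        if assertion[i] == '\\' and i + 3 <= len(assertion):
            regex += re.escape(chr(int(assertion[i + 1:i + 3], 16)))
            i += 3
        else:
            regex += '.*' if assertion[i] == '*' else re.escape(assertion[i])
            i += 1
    return re.compile(regex + r'\Z', re.IGNORECASE)


class FakeDirectory:
    """Stand-in for the LDAP server; entries and passwords are constructed sample data."""
    def __init__(self, entries, passwords):
        self.entries = entries      # dn -> {attribute: [values]}
        self.passwords = passwords  # dn -> password

    def search(self, base_dn, subtree, filter_str):
        """Handles the single (attr=value) filter shape used by ldap.authn.searchFilter."""
        m = re.fullmatch(r'\((\w+)=(.*)\)', filter_str)
        if not m:
            raise ValueError('unsupported filter: ' + filter_str)
        attr, pattern, hits = m.group(1), _assertion_to_regex(m.group(2)), []
        for dn, attrs in self.entries.items():
            parent = dn.split(',', 1)[1].lower() if ',' in dn else ''
            in_scope = parent.endswith(base_dn.lower()) if subtree else parent == base_dn.lower()
            if in_scope and any(pattern.match(v) for v in attrs.get(attr, [])):
                hits.append((dn, attrs))
        return hits

    def bind(self, dn, password):
        return self.passwords.get(dn) == password


@dataclass
class LdapAuthConfig:
    """Mirrors the bean properties and cas.properties values from the writeup."""
    base_dn: str
    user_filter: str = '(uid={user})'
    subtree_search: bool = True
    allow_multiple_dns: bool = False
    principal_id_attribute: str = 'mail'
    principal_attribute_map: dict = field(default_factory=lambda: {
        'member': 'member', 'mail': 'mail', 'displayName': 'displayName'})


def authenticate(directory, cfg, username, password):
    """Return (principal id, CAS attributes) or raise AuthenticationFailure."""
    if not password:
        # Empty password = unauthenticated bind (RFC 4513 5.1.2); some servers answer
        # it as a successful anonymous bind, so refuse it before asking the server.
        raise AuthenticationFailure('empty password')
    filter_str = cfg.user_filter.replace('{user}', escape_filter_value(username))
    hits = directory.search(cfg.base_dn, cfg.subtree_search, filter_str)
    if not hits:
        raise AuthenticationFailure('no DN resolved for ' + username)
    if len(hits) > 1 and not cfg.allow_multiple_dns:
        raise AuthenticationFailure('%d DNs matched and allowMultipleDns=false' % len(hits))
    dn, attrs = hits[0]
    if not directory.bind(dn, password):
        raise AuthenticationFailure('bind failed for ' + dn)
    if cfg.principal_id_attribute not in attrs:
        raise AuthenticationFailure('entry has no ' + cfg.principal_id_attribute)
    # principalAttributeMap keys are LDAP attribute names, values are CAS attribute names.
    cas_attrs = {cas: attrs[ldap] for ldap, cas in cfg.principal_attribute_map.items() if ldap in attrs}
    return attrs[cfg.principal_id_attribute][0], cas_attrs


def login_ok(directory, cfg, username, password):
    try:
        authenticate(directory, cfg, username, password)
        return True
    except AuthenticationFailure:
        return False


# Constructed sample directory (no real accounts); uid 'bob' is duplicated on purpose.
DIRECTORY = FakeDirectory(
    entries={
        'cn=alice,ou=staff,o=our_base_dn': {'uid': ['alice'], 'mail': ['[email protected]'],
                                            'displayName': ['Alice Example']},
        'cn=bob,ou=students,o=our_base_dn': {'uid': ['bob'], 'mail': ['[email protected]']},
        'cn=bob,ou=alumni,o=our_base_dn': {'uid': ['bob'], 'mail': ['[email protected]']}},
    passwords={'cn=alice,ou=staff,o=our_base_dn': 'alice-secret',
               'cn=bob,ou=students,o=our_base_dn': 'bob-secret',
               'cn=bob,ou=alumni,o=our_base_dn': 'bob-secret'})
CONFIG = LdapAuthConfig(base_dn='o=our_base_dn')
```

Calling authenticate(DIRECTORY, CONFIG, 'alice', 'alice-secret') yields the principal id '[email protected]' plus the mapped mail and displayName attributes, while 'bob' is refused because two DNs match and allowMultipleDns is false; flipping allow_multiple_dns=True makes the first match win, which is exactly the ambiguity the default guards against. Setting subtree_search=False shows why subtreeSearch="true" is needed when users live in OUs below the base DN.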
>>> Misagh Moayyed <[email protected]> 08/11/16 3:45 PM >>>
If you mean CAS is going
to provide you with an LDAP server, the answer is no. AFAIK, that has
never been the case. If you mean you wish to authenticate via AD/LDAP
and get access to your portal and other CAS-protected apps, then it’s
quite simple. Since the dawn of time, CAS has supported LDAP/AD
authentication. 90% of the deployments use that method of
authentication.
--
Misagh
From: Hank Foss <[email protected]>
Reply: Hank Foss <[email protected]>
Date: August 11, 2016 at 1:38:35 PM
To: CAS Community <[email protected]>
Subject: [cas-user] New to CAS, new to Apereo
Hello,
I'm brand new to CAS and Apereo, and am asking the best way to begin.
We are migrating our CAS from the cloud to on-premise as a cost savings
measure. This will likely save us $60+k annually, as the vendor also
provides our portal.
The externally hosted portal contains LDAP as well as CAS links. I
understand CAS 5 comes out this fall (October?) which offers LDAP
support, so I am on the fence a bit more. Since AD authentication drives
many of our authentication, I have been told that we will either need to
use ADFS or Shibboleth. The goal for this to be live is December of this
year, so there are learning curve, architecture, installation and
customization components of this project that all come into play.
I built the Linux box, most current version of CentOS, but I believe
being an open source application that the support of at least the OS
should actually be a licensed RHEL instance.
I'm technical, but this is uncharted territory so suggestions,
comments, and criticism are all greatly welcome.
Thanks,
CAS-Newbie
--
You received this message because you are subscribed to the Google
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to cas-user+unsubscribe
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ccf659bc-12d9-4cb8-98dd-4dbf926f403a%40apereo.org.
For more options, visit
https://groups.google.com/a/apereo.org/d/optout.