Hi All,

I'm using CAS 3.3.2 and wanted to enable X509 PKI Certificate
authentication. I have followed the instructions in the "X.509 Certificates
Authentication Handler" (
http://www.ja-sig.org/wiki/display/CASUM/X.509+Certificates), but I have a
question about how my LDAP (Active Directory) should be configured to
support the CredentialsToLDAPAttributePrincipalResolver lookup.

My Environment will consist of:
1. Microsoft (Server 2003) Active Directory
2. I've "published" my public keys for my certs into my User account in AD.
I know they are DER encoded.
3. CAS 3.3.2 configured to use X509 Certificates (webflow, servlet.xml,
deployerConfigContext)
4. I'm initially trying the
X509CertificateCredentialsToDistinguishedNamePrincipalResolver as the bean
for CredentialsToLDAPAttributePrincipalResolver to supply the %u parameter

My question/issue is how to compare the string DN from the
X509CertificateCredentialsToDistinguishedNamePrincipalResolver to an
attribute (SubjectDn) in the certificate, which is DER encoded.

- Can I use an OID number to get to the SubjectDn?

- Do I have to extend the user schema to include a new string attribute for
the SubjectDN of the stored certificate?

- Or have I missed something basic, like using the LDAP FastBindHandler to
validate the user-supplied PKI cert against the userCertificate automatically?

Thanks,
Stephen.

~~~~~~~~~~~~~~~~~~~ Sample of the deployerConfigContext.xml ~~~~~~~~~~~~~~~~~~~~~~

<property name="credentialsToPrincipalResolvers">
    <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
        <property name="credentialsToPrincipalResolver">
            <bean class="org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentialsToDistinguishedNamePrincipalResolver" />
        </property>
        <!-- attribute that needs to be matched to in LDAP: -->
        <property name="filter" value="<----what do I filter on?---->=%u" />
        <!-- to be retrieved from LDAP as the new principal (logged in user) for CAS: -->
        <property name="principalAttributeName" value="sAMAccountName" />
        <property name="searchBase" value="cn=Users,ou=people,dc=domain,dc=be" />
        <!-- reference to LDAP server configuration: -->
        <property name="contextSource" ref="LdapContextSource" />
    </bean>
[...]
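An added example, not CAS code and not part of the original post, of how the comparison the question asks about can be done in CAS's own language, Java: decode the DER bytes held in userCertificate with the JDK's CertificateFactory and compare the subject to the resolver's DN canonically instead of as raw strings. The class and method names are mine, and a DER file path on the command line stands in for the bytes fetched from the LDAP attribute.

```java
import java.io.ByteArrayInputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;

/** Added example (not CAS code): match a resolver DN string against a DER userCertificate value. */
public class UserCertificateSubjectMatch {

    /** Decode the raw DER bytes exactly as AD returns them in the userCertificate attribute. */
    static X509Certificate decode(byte[] der) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }

    /**
     * Compare canonically, not as strings: the DN string produced by the resolver and the
     * subject inside the DER certificate may differ in spacing, RDN order and the case of
     * attribute type names, but X500Principal.equals() compares the canonical forms.
     */
    static boolean subjectMatches(byte[] userCertificateDer, String resolvedDn) throws Exception {
        X509Certificate cert = decode(userCertificateDer);
        return cert.getSubjectX500Principal().equals(new X500Principal(resolvedDn));
    }

    /**
     * For the schema-extension option: store this RFC 2253 string in the new attribute and
     * produce %u the same way, so a plain LDAP equality filter compares like with like.
     */
    static String canonicalSubject(byte[] userCertificateDer) throws Exception {
        return decode(userCertificateDer).getSubjectX500Principal().getName(X500Principal.RFC2253);
    }

    public static void main(String[] args) throws Exception {
        // Assumption: args[0] is a DER file standing in for one userCertificate value,
        // args[1] is the DN string the X509 resolver would supply as %u.
        byte[] der = Files.readAllBytes(Paths.get(args[0]));
        System.out.println("RFC 2253 subject:    " + canonicalSubject(der));
        System.out.println("matches resolver DN: " + subjectMatches(der, args[1]));
    }
}
```

userCertificate is multi-valued in AD, so run subjectMatches over every value returned for the account rather than only the first.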
