Dear list's members,

I read with interest a comment from Marvin Addison on the CAS Users
forum in a discussion named “How-to deploy the cas.war”. It was written:

 “You either need to communicate with the SSL port, 636, or
configure your LDAP context source to issue a startTLS command to
upgrade your connection to TLS on the standard 389 port.  I can provide
configuration for that if you'd like the latter, [...]”

I actually use shibboleth-idp, with cas-server-3.3.1; the authentication
against our Active Directory server works with the Fast Bind Ldap
Authentication Handler and I’m glad about it.

Obviously, if I “sniff” the traffic between my cas/idp server and the Active
Directory server, I can read users’ passwords in the clear. I’m looking to do
exactly what is suggested on the forum, i.e., to upgrade the connection
with startTLS.

I don't really see how to achieve that. I saw in the documentation that it
is possible to use the JAAS Authentication Handler with startTLS. If there is a
means to use startTLS with *LdapAuthenticationHandler, I would be interested
in trying it first. If someone could help, I would really appreciate it.

Below, I have included some extracts from my actual DeployerConfigContext.xml file.

Best regards,

 Stéphanie Lanthier

<bean id="contextSource"
      class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
   <property name="urls">
      <list>
         <value>ldap://ad.my.org:3268/</value>
      </list>
   </property>
</bean>

<property name="authenticationHandlers">
   <list>
      <bean
         class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
         <property name="httpClient" ref="httpClient" />
      </bean>

      <bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
         <property name="filter" value="%[email protected]" />
         <property name="contextSource" ref="contextSource" />
         <property name="ignorePartialResultException" value="yes" />
      </bean>

      <bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
         <property name="filter" value="%[email protected]" />
         <property name="contextSource" ref="contextSource" />
         <property name="ignorePartialResultException" value="yes" />
      </bean>
   </list>
</property>



-- 
- Stéphanie Lanthier
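The sequence the post is asking for (open a plain LDAP connection, upgrade it with the StartTLS extended operation, and only then send the user's simple bind) is shown below as an added example. It is not code from the original post, from CAS 3.3.1 or from Spring LDAP; it uses the standard JNDI API (javax.naming.ldap.StartTlsRequest / StartTlsResponse) directly so the order of operations is visible. The URL is the one from the post; the UPN, password and class name are constructed placeholders. Spring LDAP's LdapContextSource also has an authenticationStrategy property that can be set to DefaultTlsDirContextAuthenticationStrategy to do the same thing declaratively, but whether the Spring LDAP version bundled with CAS 3.3.1 includes that class is an assumption I have not verified.

```java
// Added example (not from the original post, CAS or Spring LDAP):
// "fast bind" authentication against Active Directory over StartTLS
// using plain JNDI. Hostname is from the post; UPN/password are placeholders.
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSession;
import java.io.IOException;
import java.util.Hashtable;

public class StartTlsFastBind {

    // Plain ldap:// URL: the TLS upgrade happens after connecting, so the
    // scheme stays "ldap" (not "ldaps") and the port stays 389 or 3268.
    private static final String LDAP_URL = "ldap://ad.my.org:3268/";

    /**
     * Binds as the user (no search, like FastBindLdapAuthenticationHandler)
     * but only after the connection has been upgraded to TLS.
     * Returns true only if both the TLS handshake and the bind succeeded.
     */
    public static boolean authenticate(String upn, char[] password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        // Deliberately no SECURITY_PRINCIPAL / SECURITY_CREDENTIALS here:
        // JNDI would otherwise send the bind on the still-cleartext socket
        // while creating the context, which is exactly the leak in the post.

        LdapContext ctx = null;
        StartTlsResponse tls = null;
        try {
            ctx = new InitialLdapContext(env, null);

            // 1. StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037).
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            // negotiate() uses the JVM's default SSLSocketFactory: the domain
            // controller's certificate must chain to a CA in the truststore
            // and match the hostname. Do not install a trust-all verifier.
            SSLSession session = tls.negotiate();
            System.out.println("TLS established: " + session.getProtocol()
                    + " / " + session.getCipherSuite());

            // 2. Channel is now encrypted: send the simple bind.
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, upn);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, new String(password));
            ctx.reconnect(null); // performs the bind over the TLS session

            return true; // bind accepted: credentials are valid
        } catch (AuthenticationException e) {
            return false; // wrong password or unknown user (AD code 49)
        } catch (IOException e) {
            // TLS handshake failed: no certificate on the DC, untrusted CA,
            // hostname mismatch, or server does not support StartTLS.
            return false;
        } catch (NamingException e) {
            return false; // other LDAP/connection error
        } finally {
            try { if (tls != null) tls.close(); } catch (IOException ignored) { }
            try { if (ctx != null) ctx.close(); } catch (NamingException ignored) { }
        }
    }

    public static void main(String[] args) {
        // Constructed placeholder credentials; replace with real input.
        boolean ok = authenticate("jdoe@my.org", "placeholder".toCharArray());
        System.out.println(ok ? "authenticated" : "authentication failed");
    }
}
```

Two things to check before wiring this into CAS: the domain controller must have a server certificate installed, otherwise negotiate() fails with an IOException rather than silently falling back to cleartext; and the OpenLDAP client can confirm the server side independently with `ldapsearch -ZZ -H ldap://ad.my.org:3268 ...` (the double `-ZZ` makes the command fail unless StartTLS succeeds). After the change, the same packet capture that showed the passwords should show only the TLS handshake followed by encrypted records.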
