Antony,

Attached is a functional deployerConfigContext.xml for an AD fastbind setup.
I've removed our school-specific data. Here is the scoop:

- The AD name is ad.yourschool.edu
- There are 3 domain controllers configured, ldap1/2/3.ad.yourschool.edu
- User accounts for CAS are stored below WEB.ad.yourschool.edu
- The user binding to search the AD LDAP tree to find the login user is cas.AppAccount.ad.yourschool.edu
- There is some additional config to read a couple of AD attributes and return them to the CAS user object.

You can also bind to AD LDAP with SSL: install a proper certificate on the DCs you use, and then change ldap:// to ldaps:// (see more at MS KB 321051).

I hope this helps,
Good luck!

Johan

  ----- Original Message ----- 
  From: Antony MARTINEAU 
  To: [email protected] 
  Sent: Wednesday, September 23, 2009 8:02 AM
  Subject: [cas-user] CAS and Active directory.


  Hello,
  For a long time I have been trying to connect CAS with my Active Directory.

  For this, I use cas-toolbox; I have followed this method because it is the only one that permits CAS to start with LDAP.

  my config.properties: 

  # Ldap properties 
  ldap.host.1=ldap://192.168.1.211 
  [email protected] 
  #ldap.Users.basedn=ou=Users,dc=mouthiers,dc=priv 
  #[email protected] 

  # file authenticate layer 
  passfile.encode-algo=MD5 
  passfile.location=classpath:/../usersFile 
  log.dir=${catalina.home}/logs 

  #cas host 
  cas.host=localhost 
  # cas uri (empty if /) 
  cas.uri= 
  # cas port empty (if standard) 
  cas.port=:8080 

  #User allow to use services manager (services/manage.html) 
  security.useradmin=admin 

  # graphic theme 
  theme=default 
  views=default 

  # auth layer to use 
  # see build.properties to view all 
  cas.authHandlers=ldapHandler 



  my build.properties 

  #deploy dir 
  deploy.path=/srv/www/tomcat5/base/webapps/cas 

  #configuration file to use 
  config.file=${basedir}/config.properties 
  #config.file=${basedir}/resources/quickstart/quickstart.properties 

  #use maven dependency offline 
  #must run on time inline 
  maven.offline=true 

  #SVN part to get other update
  svnant.update.url=http://subversion.cru.fr/cas-toolbox/tags/3.3.2-1/update.esup/
  svnant.repository.user=
  svnant.repository.passwd=
  svnant.update.path=${basedir}/update.esup
  svnant.update.version=HEAD

  # do not change after this line 
  #package configuration 
  package.name=cas-toolbox 
  package.version=1 
  package.build.path=${build.path}/package 

  #quickstart configruation 
  #config.file=${basedir}/resources/quickstart/quickstart.properties 
  quickstart.name=cas-quickstart 
  quickstart.version=1 
  quickstart.build.path=${build.path}/quickstart 
  quickstart.ressource.path=${resources.path}/quickstart 

  #maven properties 
  maven.ant.task.version=2.0.9 
  maven.local.dir=maven-repository 
  maven.local.repository=${basedir}/build/${maven.local.dir} 
  maven.package.name=cas-maven-repository 
  maven.proxy.host= 
  maven.proxy.port=8080 
  maven.proxy.username= 
  maven.proxy.password= 

  update.path=${basedir}/update 
  #${basedir}/update.esup 
  #${basedir}/update.stats 
  #${basedir}/update.memcache 
  custom.path=${basedir}/custom 
  build.path=${basedir}/build 
  resources.path=${basedir}/resources 

  cas.build.path=${build.path}/cas 
  cas.update.webpage.path=${update.path}/webpages 
  cas.custom.webpage.path=${custom.path}/webpages 
  cas.update.source.path=${update.path}/source 
  cas.custom.source.path=${custom.path}/source 

  quickstart.build.path=${build.path}/quickstart 
  quickstart.ressource.path=${resources.path}/quickstart 

  simpleTestHandler.name= 
  simpleTestHandler.conf=simpletest-auth.xml 


  After an ant ini and an ant deploy, CAS starts with no problem.
  But the authentication does not work.

  2009-09-23 16:51:14,180 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler failed to authenticate the user which provided the following credentials: [username: vme].

  Could you please help me connect CAS with my Active Directory...

  Regards,

  Antony MARTINEAU
  IT Department
  IT Technician
  LIPPI Management  La Fouillouse
  16440 Mouthiers sur Boeme
  Tel.: 0545673435
  Fax: 0545673435
  E-mail: [email protected]
  http://www.lippi.fr









-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user


<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
	http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

	<bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">

		<property name="credentialsToPrincipalResolvers">
			<list>

				<!--
					add LDAP attributes, used for SAML to Google Apps to pass the 'mail' attribute instead of uid
					See more at http://www.ja-sig.org/wiki/display/CASUM/Attributes
				-->
				<bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
					<!-- Resolves the Principal from the credentials, i.e. gets the username -->
					<property name="credentialsToPrincipalResolver">
						<bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
					</property>

					<!-- The query made to find the Principal ID. "%u" will be replaced by the resolved Principal -->
					<property name="filter" value="(sAMAccountName=%u)" />

					<!-- The attribute used to define the new Principal ID -->
					<property name="principalAttributeName" value="sAMAccountName" />

					<!-- once the top search problem with AD returning referrals is fixed
					this will have to point to the top.
					see ticket at http://www.ja-sig.org/issues/browse/PERSONDIR-53
					and 
					-->
					<property name="searchBase" value="ou=WEB,dc=ad,dc=yourschool,dc=edu" />

					<property name="contextSource" ref="contextSource" />

					<!-- use the attrib repository defined below -->
					<property name="attributeRepository">
						<ref bean="attribRepository" />
					</property>
				</bean>

				<!-- the original cred to principal resolvers -->
				<bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
				<bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />

			</list>
		</property>

		<property name="authenticationHandlers">
			<list>
				<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
					p:httpClient-ref="httpClient" />

				<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">

					<property name="filter" value="sAMAccountName=%u" />
					<property name="searchBase" value="ou=WEB,dc=ad,dc=yourschool,dc=edu" />
					<property name="contextSource" ref="contextSource" />
					<!-- fix because of how AD returns results -->
					<property name="ignorePartialResultException" value="yes" />

				</bean>

			</list>
		</property>
	</bean>

	<!-- context source for LDAP userDn-search and attribute resolution,
		 used by BindLdapAuthenticationHandler and CredentialsToPrincipalResolver -->
	<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
		<property name="urls">
			<list>
				<!-- for testing, a server without ldap  <value>ldap://todd.t-bird.edu/</value> -->
				<value>ldap://ldap1.ad.yourschool.edu/</value>
				<value>ldap://ldap2.ad.yourschool.edu/</value>
				<value>ldap://ldap3.ad.yourschool.edu/</value>
			</list>
		</property>

		<property name="userDn" value="cn=cas,ou=AppAccounts,dc=ad,dc=yourschool,dc=edu" />

		<property name="password" value="password" />

		<!-- fix because of how AD returns results -->
<!--
once the top search problem with AD returning referrals is fixed
this will have to be added again.
see ticket at http://www.ja-sig.org/issues/browse/PERSONDIR-53
	       	<property name="ignorePartialResultException" value="yes" /> 
-->

		<property name="baseEnvironmentProperties">
			 <map>
				<entry>
					<key>
						<value>java.naming.security.authentication</value>
					</key>
					<value>simple</value>
				</entry>

				<!--
				Set the LDAP connect and read timeout(in ms) for the java ldap class
				See http://java.sun.com/products/jndi/tutorial/ldap/connect/create.html
				-->
				<entry>
					<key>
						<value>com.sun.jndi.ldap.connect.timeout</value>
					</key>
					<value>2000</value>
				</entry>
				<entry>
					<key>
						<value>com.sun.jndi.ldap.read.timeout</value>
					</key>
					<value>2000</value>
				</entry>
				<!--
				<entry>
					<key>
						<value>java.naming.ldap.derefAliases</value>
					</key>
					<value>never</value>
				</entry>
				-->
				
			</map>
		</property>
	</bean>


	<!-- the attribute repository bean for mapping LDAP attributes to Principal attributes -->
	<bean id="attribRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
		<property name="baseDN"
			value="ou=WEB,dc=ad,dc=yourschool,dc=edu" />
		<!-- <property name="baseDN"
			value="dc=ad,dc=yourschool,dc=edu" /> -->
		<!--
		This query is used to find the entry for populating attributes.
		{0} will be replaced by the new Principal ID extracted from the ldap
		-->
		<property name="query" value="(sAMAccountName={0})" />

		<property name="contextSource" ref="contextSource" />


		<property name="ldapAttributesToPortalAttributes">
			<map>
				<!-- Mapping between the LDAP entry's attributes (key) and the Principal's (value) -->
				<entry key="cn" value="Name"/>
				<entry key="givenName" value="FirstName" />
				<entry key="sn" value="LastName" />
				<entry key="mail" value="EmailAddress" />
			</map>
		</property>
	</bean>


	<!--
	This bean defines the security roles for the Services Management application.
	Simple deployments can use the in-memory version.
	More robust deployments will want to use another option, such as the Jdbc version.
	
	The name of this should remain "userDetailsService" in order for Acegi to find it. 
	
	To use this, you should add an entry similar to the following between the two value tags:
	battags=notused,ROLE_ADMIN
	
	where battags is the username you want to grant access to.  You can put one entry per line.
	-->	
	<bean id="userDetailsService" class="org.springframework.security.userdetails.memory.InMemoryDaoImpl">
		<property name="userMap">
			<value>
1201726=notused,ROLE_ADMIN
1083275=notused,ROLE_ADMIN
		    </value>
		</property>
	</bean> 
	
	<bean id="attributeRepository"
		class="org.jasig.services.persondir.support.StubPersonAttributeDao">
		<property name="backingMap">
			<map>
				<entry key="uid" value="uid" />
				<entry key="eduPersonAffiliation" value="eduPersonAffiliation" /> 
				<entry key="groupMembership" value="groupMembership" />
			</map>
		</property>
	</bean>
	
	<bean
		id="serviceRegistryDao"
		class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />
		
</beans>
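As an added check (not part of the attached file or of the CAS project), a small Python linter for the contextSource bean above: it flags plaintext ldap:// URLs used with simple authentication, which is what the ldaps:// advice in the reply addresses, and an empty or placeholder service-account password. The embedded XML is a constructed, trimmed copy of that bean with a second ldaps:// URL added for contrast.

```python
import xml.etree.ElementTree as ET

NS = {"b": "http://www.springframework.org/schema/beans"}
CTX_CLASS = "org.springframework.ldap.core.support.LdapContextSource"
EMPTY = ET.Element("none")  # stand-in for a missing <property>

# Constructed, trimmed copy of the contextSource bean from the attached file;
# the second (ldaps://) URL is added here for contrast.
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="urls"><list>
      <value>ldap://ldap1.ad.yourschool.edu/</value>
      <value>ldaps://ldap2.ad.yourschool.edu/</value>
    </list></property>
    <property name="userDn" value="cn=cas,ou=AppAccounts,dc=ad,dc=yourschool,dc=edu" />
    <property name="password" value="password" />
    <property name="baseEnvironmentProperties"><map>
      <entry><key><value>java.naming.security.authentication</value></key><value>simple</value></entry>
    </map></property>
  </bean>
</beans>"""


def lint_context_source(xml_text):
    """Return a list of findings (strings) for every LdapContextSource bean;
    an empty list means nothing was flagged."""
    findings = []
    for bean in ET.fromstring(xml_text).findall("b:bean", NS):
        if bean.get("class") != CTX_CLASS:
            continue
        props = {p.get("name"): p for p in bean.findall("b:property", NS)}
        # <property name="urls"><list><value>URL</value>...</list></property>
        urls = [v.text.strip() for v in props.get("urls", EMPTY).iter("{%s}value" % NS["b"])]
        # <map><entry><key><value>K</value></key><value>V</value></entry>...</map>
        env = {}
        for entry in props.get("baseEnvironmentProperties", EMPTY).iter("{%s}entry" % NS["b"]):
            env[entry.find("b:key/b:value", NS).text.strip()] = entry.find("b:value", NS).text.strip()
        # JNDI falls back to simple authentication once a userDn/password is set
        auth = env.get("java.naming.security.authentication", "simple")
        for url in urls:
            if url.lower().startswith("ldap://") and auth == "simple":
                findings.append("%s: simple bind over plaintext ldap://, the service-account and "
                                "user passwords cross the wire in clear; use ldaps:// (MS KB 321051)" % url)
        if props.get("password", EMPTY).get("value", "") in ("", "password"):
            findings.append("userDn %s: empty or placeholder password"
                            % props.get("userDn", EMPTY).get("value"))
    return findings
```

Run lint_context_source() on the text of the deployed deployerConfigContext.xml; a missing property is treated as empty rather than raising.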
