Hi,

-------------------- what is working now --------------------

We are currently deploying a Liferay + CAS + openLDAP solution for our client. The general idea is that Liferay delegates authentication to CAS, and CAS authenticates against data from openLDAP. And everything works just fine. The user enters Liferay, is redirected to the CAS login page, enters login and password, and is redirected back to Liferay as a logged-in user.

-------------------- new requirement --------------------

One problem remains, however. Our client connects to its internal network using a VPN (Juniper VPN), and when he establishes the connection he can then reach the Liferay+CAS server. Because the client connects (and logs in) to the VPN against the same openLDAP that is used by CAS, he insisted that the CAS login page should not be visible to the users (login into CAS should be transparent). In other words, whenever a user logs into the VPN network and enters Liferay, he should no longer see the CAS login page and should be transparently logged into the system.

-------------------- our solution - idea --------------------

What we did: we configured the VPN so that whenever a user enters the CAS login page (http://server/cas/login), the VPN should not send the CAS response (login page) to the user, but should instead send a POST request to the cas/login controller. The values sent by this POST (username and password) would be taken from the VPN and would be the exact same values that the user entered to log into the VPN.

Now this didn't work, as the CAS login page has 4 input fields, not 2 as we originally thought: username, password, eventId and lt. We've set eventId to 'submit', but we have a problem with lt, the login ticket. We now know that the login ticket is generated randomly and is required for dealing with some problems in web browsers. Ignoring this field makes the POST action fail (we are redirected back to the login page). When we once entered a previously generated lt "by hand", login succeeded.

-------------------- questions ????? --------------------

So the questions are:
Is lt obligatory (can we somehow configure CAS not to use or to ignore the lt field)? If not, what can we do to make it work?

We tried to set up a middle man in the communication, a simple Linux script that would use wget to download the login page, read the lt value and then add it to the VPN configuration for the given connection, but this did not work.

Do you have any other ideas, any solution? Anything will help.

Best regards,
Paul Szulc
