This is my test deployerConfigContext.xml. It has only 2 LDAP handlers, but in
production there will be more.

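<?xml version="1.0" encoding="UTF-8"?>
<!--
  CAS deployerConfigContext.xml for two standalone AD domains (EXAMPLE.LAN and
  TEST.LAN). Each domain has its own LDAP bind handler, principal resolver,
  context source and attribute repository; TEST.LAN additionally has a SPNEGO
  (Kerberos/NTLM) handler.

  The per-domain beans derive from abstract parents (Spring bean definition
  inheritance), so adding a domain in production means declaring one child
  bean per role with only the host-specific values (URL, bind DN, password,
  search base) and one more <entry> in the authenticationManager map.

  Review notes:
  - Every LDAP URL is plain ldap:// and the bind mode is "simple", so the
    bind account's password and every user password cross the network in
    cleartext. Switch to ldaps:// (or StartTLS) before production.
  - The bind passwords ("secret" for both directories, "cas1" for the SPNEGO
    service account) are stored literally in this file. Externalize them
    (property placeholder / a file with restricted permissions) and keep this
    file out of version control while they are here.
  - Both directories are queried as cn=Administrator. A dedicated read-only
    account is sufficient for the search-then-bind that CAS performs.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!--
      Maps each AuthenticationHandler to the CredentialsToPrincipalResolver that
      builds the Principal once that handler has accepted the credentials.
      NOTE(review): MultiThreadedAuthentificationManager does not appear to be
      a stock CAS class; confirm from its source whether the first matching
      handler wins or all handlers are tried, as that decides what happens when
      the same sAMAccountName exists in both domains.
    -->
    <bean id="authenticationManager"
          class="org.jasig.cas.authentication.MultiThreadedAuthentificationManager">
        <constructor-arg index="0">
            <map>
                <entry key-ref="EX-LdapAuthHandler"  value-ref="EXCredentialtoPrincipalResolver"/>
                <entry key-ref="TST-LdapAuthHandler" value-ref="TSTCredentialtoPrincipalResolver"/>
                <entry key-ref="SPNEGOAuthHandler"   value-ref="TESTSPNEGOCredentialtoPrincipalResolver"/>
            </map>
        </constructor-arg>
    </bean>

    <!--
      Leftovers from the stock configuration: neither bean has an id and
      nothing in this file references them. They are kept in case the custom
      authentication manager collects resolvers by type; remove them once that
      is ruled out.
    -->
    <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"/>
    <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver"/>

    <!-- ===== SPNEGO (NTLM, Kerberos) for TEST.LAN ===== -->

    <!-- Principal for SPNEGO logins; attributes come from the TEST.LAN repository -->
    <bean id="TESTSPNEGOCredentialtoPrincipalResolver"
          class="org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver">
        <property name="attributeRepository" ref="TSTattributeRepository"/>
    </bean>

    <bean id="SPNEGOAuthHandler"
          class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler">
        <property name="authentication">
            <bean class="jcifs.spnego.Authentication"/>
        </property>
        <!-- principal id keeps the DOMAIN\ or @REALM part -->
        <property name="principalWithDomainName" value="true"/>
        <!-- NTLM fallback is enabled; NTLM is weaker than Kerberos, disable it
             if every client can obtain a Kerberos ticket -->
        <property name="NTLMallowed" value="true"/>
    </bean>

    <!-- Kerberos side of the SPNEGO handler (service principal + KDC) -->
    <bean name="jcifsConfig"
          class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
        <property name="jcifsServicePrincipal" value="HTTP/[email protected]"/>
        <property name="loginConf" value="/opt/tomcat-cas/login.conf"/>
        <!-- keytab-less setup: the service account password lives here in clear -->
        <property name="jcifsServicePassword" value="cas1"/>
        <!-- verbose Kerberos tracing in the logs; set to false in production -->
        <property name="kerberosDebug" value="true"/>
        <property name="kerberosRealm" value="TEST.LAN"/>
        <property name="kerberosKdc" value="192.168.11.121"/>
    </bean>

    <!-- ===== Shared LDAP definitions (abstract: never instantiated) ===== -->

    <!-- Directory connection. Children supply urls, userDn and password. -->
    <bean id="abstractContextSource" abstract="true"
          class="org.springframework.ldap.core.support.LdapContextSource">
        <property name="baseEnvironmentProperties">
            <map>
                <entry>
                    <key><value>java.naming.security.authentication</value></key>
                    <!-- plain DN/password bind; only acceptable over TLS -->
                    <value>simple</value>
                </entry>
            </map>
        </property>
    </bean>

    <!--
      Search for the user by sAMAccountName, then bind as the DN found.
      Children supply searchBase and contextSource.
    -->
    <bean id="abstractLdapAuthHandler" abstract="true"
          class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
        <property name="filter" value="sAMAccountName=%u"/>
        <!-- AD answers with referrals that surface as PartialResultException;
             ignoring them is the usual fix ("yes" and "true" are equivalent here) -->
        <property name="ignorePartialResultException" value="true"/>
    </bean>

    <!--
      Principal id = the sAMAccountName found in the directory, attributes from
      the domain's repository. Children supply searchBase, contextSource and
      attributeRepository.
    -->
    <bean id="abstractLdapPrincipalResolver" abstract="true"
          class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
        <property name="credentialsToPrincipalResolver">
            <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"/>
        </property>
        <property name="filter" value="(sAMAccountName=%u)"/>
        <property name="principalAttributeName" value="sAMAccountName"/>
    </bean>

    <!--
      Person-directory DAO over the domain's directory. Children supply
      contextSource and baseDN. resultAttributeMapping: key = LDAP attribute,
      value = attribute name as CAS releases it.
    -->
    <bean id="abstractAttributeRepository" abstract="true"
          class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
        <property name="requireAllQueryAttributes" value="true"/>
        <property name="queryAttributeMapping">
            <map>
                <entry key="username" value="sAMAccountName"/>
            </map>
        </property>
        <property name="resultAttributeMapping">
            <map>
                <entry key="cn"          value="cn"/>
                <entry key="Mail"        value="mail"/>
                <entry key="description" value="description"/>
                <entry key="memberOf"    value="memberOf"/>
                <entry key="displayName" value="displayName"/>
                <entry key="givenName"   value="givenName"/>
                <entry key="employeeID"  value="employeeID"/>
                <entry key="sn"          value="sn"/>
            </map>
        </property>
    </bean>

    <!-- ===== EXAMPLE.LAN ===== -->

    <bean id="EXcontextSource" parent="abstractContextSource">
        <property name="urls">
            <list>
                <value>ldap://vm1-w2k3.example.lan/</value>
            </list>
        </property>
        <property name="userDn" value="cn=Administrator,cn=Users,dc=example,dc=lan"/>
        <property name="password" value="secret"/>
    </bean>
    <bean id="EX-LdapAuthHandler" parent="abstractLdapAuthHandler">
        <property name="searchBase" value="cn=Users,dc=example,dc=lan"/>
        <property name="contextSource" ref="EXcontextSource"/>
    </bean>
    <bean id="EXCredentialtoPrincipalResolver" parent="abstractLdapPrincipalResolver">
        <property name="searchBase" value="cn=Users,dc=example,dc=lan"/>
        <property name="contextSource" ref="EXcontextSource"/>
        <property name="attributeRepository" ref="EXattributeRepository"/>
    </bean>
    <bean id="EXattributeRepository" parent="abstractAttributeRepository">
        <property name="contextSource" ref="EXcontextSource"/>
        <property name="baseDN" value="cn=Users,dc=example,dc=lan"/>
    </bean>

    <!-- ===== TEST.LAN ===== -->

    <bean id="TSTcontextSource" parent="abstractContextSource">
        <property name="urls">
            <list>
                <value>ldap://vm2-w2k3.test.lan/</value>
            </list>
        </property>
        <property name="userDn" value="cn=Administrator,cn=Users,dc=test,dc=lan"/>
        <property name="password" value="secret"/>
    </bean>
    <bean id="TST-LdapAuthHandler" parent="abstractLdapAuthHandler">
        <property name="searchBase" value="cn=Users,dc=test,dc=lan"/>
        <property name="contextSource" ref="TSTcontextSource"/>
    </bean>
    <bean id="TSTCredentialtoPrincipalResolver" parent="abstractLdapPrincipalResolver">
        <property name="searchBase" value="cn=Users,dc=test,dc=lan"/>
        <property name="contextSource" ref="TSTcontextSource"/>
        <property name="attributeRepository" ref="TSTattributeRepository"/>
    </bean>
    <bean id="TSTattributeRepository" parent="abstractAttributeRepository">
        <property name="contextSource" ref="TSTcontextSource"/>
        <property name="baseDN" value="cn=Users,dc=test,dc=lan"/>
    </bean>

    <!-- ===== Merged attribute repository ===== -->

    <!--
      Queries both domain repositories with the same "username" and merges the
      results. No resolver above references this bean; it exists under the
      stock id "attributeRepository" for whatever else in the deployment looks
      it up by that name.
      NOTE(review): the merge is keyed on sAMAccountName only, so an account of
      the same name in the other domain contributes its attributes (including
      memberOf) to the result. Confirm that is intended before any
      authorization decision is based on the merged set.
      recoverExceptions=false: if either directory is unreachable the whole
      lookup fails instead of returning the reachable half.
    -->
    <bean id="attributeRepository"
          class="org.jasig.services.persondir.support.MergingPersonAttributeDaoImpl">
        <property name="personAttributeDaos">
            <list>
                <ref bean="EXattributeRepository"/>
                <ref bean="TSTattributeRepository"/>
            </list>
        </property>
        <property name="recoverExceptions" value="false"/>
        <property name="merger">
            <bean class="org.jasig.services.persondir.support.merger.NoncollidingAttributeAdder"/>
        </property>
    </bean>

    <!--
      Sample, in-memory data store for the ServiceRegistry. A real
      implementation would probably want to replace this with the JPA-backed
      ServiceRegistry DAO. The name of this bean should remain
      "serviceRegistryDao".
      NOTE(review): the http://** and https://** patterns let any web
      application that can reach this CAS server consume tickets; in
      production list the actual services instead. ignoreAttributes="true"
      presumably releases every resolved attribute to those services (confirm
      against the CAS version in use).
    -->
    <bean id="serviceRegistryDao"
          class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
        <property name="registeredServices">
            <list>
                <bean class="org.jasig.cas.services.RegisteredServiceImpl">
                    <property name="id" value="0"/>
                    <property name="name" value="HTTP"/>
                    <property name="description" value="Only Allows HTTP Urls"/>
                    <property name="serviceId" value="http://**"/>
                    <property name="ignoreAttributes" value="true"/>
                </bean>
                <bean class="org.jasig.cas.services.RegisteredServiceImpl">
                    <property name="id" value="1"/>
                    <property name="name" value="HTTPS"/>
                    <property name="description" value="Only Allows HTTPS Urls"/>
                    <property name="serviceId" value="https://**"/>
                    <property name="ignoreAttributes" value="true"/>
                </bean>
                <bean class="org.jasig.cas.services.RegisteredServiceImpl">
                    <property name="id" value="2"/>
                    <property name="name" value="IMAPS"/>
                    <!-- description previously said "HTTPS Urls" (copy/paste) -->
                    <property name="description" value="Only Allows IMAPS Urls"/>
                    <property name="serviceId" value="imaps://**"/>
                </bean>
                <bean class="org.jasig.cas.services.RegisteredServiceImpl">
                    <property name="id" value="3"/>
                    <property name="name" value="IMAP"/>
                    <property name="description" value="Only Allows IMAP Urls"/>
                    <property name="serviceId" value="imap://**"/>
                </bean>
            </list>
        </property>
    </bean>

    <!--
      Spring Security user used by the services management webapp: grants
      ROLE_ADMIN to this login. The password is marked as unused, presumably
      because the management webapp authenticates through CAS itself; confirm
      before relying on that.
    -->
    <sec:user-service id="userDetailsService">
        <sec:user name="leonko" password="notused" authorities="ROLE_ADMIN"/>
    </sec:user-service>

    <!-- Audit trail goes to the SLF4J log -->
    <bean id="auditTrailManager"
          class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager"/>
</beans>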


Leonid S. Batizhevsky


On Thu, Sep 15, 2011 at 21:40, Leonid Batizhevsky <[email protected]>wrote:

>
>>
>> Are these servers part of a typical AD topology like trees and
>> forests?  If so I believe you could authenticate against the global
>> catalog.  (I'm not a Windows AD expert by any means.)
>>
>> No, these are standalone domains.
>
> > All deployerConfigContext.xml does not make sense.
>>
>> I'm asking you to share it so I can see whether there are
>> opportunities for simplification.  If there are different base DNs,
>> manager credentials and the like, you'll simply need to repeat the
>> bean definitions.  That said, it may be helpful to factor out common
>> properties into abstract bean definitions.  See the link below for
>> more information on Spring bean inheritance.
>>
>>
>> http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/beans.html#beans-child-bean-definitions
>>
>>
> I can do it only tomorrow.  The code that I posted is really repeated many times;
> only the host names change.
>
>
