Hi Ricardo, I have both authentications enabled in my setup (along with Kerberos). I don't have any docs, but if you get into dead ends I can look in my setup and try to help you out.
First, I have an X509CertificateLDAPEntryMapperResolverConfig bean inside my
credentialsToPrincipalResolvers:
<bean class="REPLACED. REPLACED.cas.X509CertificateLDAPEntryMapperResolver"
      p:contextSource-ref="contextSource"
      p:base="dc= REPLACED,dc= REPLACED ">
Inside that bean I have some configuration about the CAs (ACs) whose X.509v3
certificates I allow my users to present, each one as an
X509CertificateLDAPEntryMapperResolverConfig:
<property name="config">
  <list>
    <bean class="REPLACED. REPLACED.inap.cas.X509CertificateLDAPEntryMapperResolverConfig">
      <property name="description">
        <value>FNMT</value>
      </property>
      <property name="lookupRegex">
        <value><![CDATA[.*FNMT.*]]></value>
      </property>
      <property name="nifRegex">
        <value><![CDATA[(?<=NIF )(.*?)(?=\,)]]></value>
      </property>
      <property name="cnRegex">
        <value><![CDATA[(?<=cn\=)(.*?)(?=\,)]]></value>
      </property>
    </bean>
    <bean class="REPLACED. REPLACED.inap.cas.X509CertificateLDAPEntryMapperResolverConfig">
      <property name="description">
        <value>Camerfirma</value>
      </property>
      <property name="lookupRegex">
        <value><![CDATA[.*AC CAMERFIRMA.*]]></value>
      </property>
      <property name="nifRegex">
        <value><![CDATA[(?<=- )(.*?)(?=\,)]]></value>
      </property>
      <property name="cnRegex">
        <value><![CDATA[(?<=cn\=)(.*?)(?=\,)]]></value>
      </property>
    </bean>
    <bean class="REPLACED. REPLACED.inap.cas.X509CertificateLDAPEntryMapperResolverConfig">
      <property name="description">
        <value>Firmaprofessional</value>
      </property>
      <property name="lookupRegex">
        <value><![CDATA[.*AC Firmaprofesional.*]]></value>
      </property>
      <property name="nifRegex">
        <value><![CDATA[(?<=DNI )(.*?)(?=\,)]]></value>
      </property>
      <property name="cnRegex">
        <value><![CDATA[(?<=cn\=)(.*?)(?=\,)]]></value>
      </property>
    </bean>
    <bean class="REPLACED. REPLACED.inap.cas.X509CertificateLDAPEntryMapperResolverConfig">
      <property name="description">
        <value>DNI Electrónico</value>
      </property>
      <property name="lookupRegex">
        <value><![CDATA[.*DIRECCION GENERAL DE LA POLICIA.*]]></value>
      </property>
      <property name="nifRegex">
        <value><![CDATA[(?<=SERIALNUMBER\=)(.*?)(?=\,)]]></value>
      </property>
      <property name="cnRegex">
        <value><![CDATA[(?<=cn\=)(.*?)(?=\,)]]></value>
      </property>
    </bean>
  </list>
</property>
</bean>
Then you have to set up your login-webflow.xml to establish the priority of
your auth sources. In my case, it was X.509v3 first and then user/password.
I used the Spanish ID (DNI) to link an X.509v3 certificate to an
OpenLDAP user (which has an employeeNumber).
Good luck, regards.
Álvaro Reig González
Consejero Técnico
informática - Gerencia
Instituto Nacional de Administración Pública
[email protected]
www.inap.es
Before printing this e-mail, consider whether it is really necessary.
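To see what the four entries in the configuration above actually do at run time, here is an added Python model of the mapping step. It is example code written for this page, not CAS's own code nor the X509CertificateLDAPEntryMapperResolver implementation. It assumes the resolver tries the entries in order and takes the first whose lookupRegex is found in the issuer DN, that the nifRegex/cnRegex are applied with a find-style search on the subject DN, and that attribute names are rendered in the case the posted patterns expect (lowercase cn=, uppercase SERIALNUMBER=). The sample DNs, the DIRECTORY dict standing in for the (employeeNumber=...) OpenLDAP search, and all names in it are constructed, not real certificates or real users.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class MapperConfig:
    """One X509CertificateLDAPEntryMapperResolverConfig entry, as in the XML above."""
    description: str
    lookup_regex: str  # searched in the issuer DN; first matching entry wins
    nif_regex: str     # searched in the subject DN to pull out the national ID (NIF/DNI)
    cn_regex: str      # searched in the subject DN to pull out the CN


# The four entries from the posted configuration, patterns copied verbatim.
CONFIGS: List[MapperConfig] = [
    MapperConfig("FNMT", r".*FNMT.*",
                 r"(?<=NIF )(.*?)(?=\,)", r"(?<=cn\=)(.*?)(?=\,)"),
    MapperConfig("Camerfirma", r".*AC CAMERFIRMA.*",
                 r"(?<=- )(.*?)(?=\,)", r"(?<=cn\=)(.*?)(?=\,)"),
    MapperConfig("Firmaprofessional", r".*AC Firmaprofesional.*",
                 r"(?<=DNI )(.*?)(?=\,)", r"(?<=cn\=)(.*?)(?=\,)"),
    MapperConfig("DNI Electrónico", r".*DIRECCION GENERAL DE LA POLICIA.*",
                 r"(?<=SERIALNUMBER\=)(.*?)(?=\,)", r"(?<=cn\=)(.*?)(?=\,)"),
]

# Constructed stand-in for the OpenLDAP search (employeeNumber=<nif>) under the
# base DN: national ID -> uid.  Not real data.
DIRECTORY: Dict[str, str] = {
    "12345678Z": "jespanol",
    "87654321X": "mgarcia",
    "11223344B": "pperez",
    "55667788C": "aperez",
}


def select_config(issuer_dn: str, configs=CONFIGS) -> Optional[MapperConfig]:
    """Pick the first entry whose lookupRegex is found in the issuer DN (None if no rule)."""
    for cfg in configs:
        if re.search(cfg.lookup_regex, issuer_dn):
            return cfg
    return None


def extract(pattern: str, subject_dn: str) -> Optional[str]:
    """Return group 1 of the first match of pattern in subject_dn, or None."""
    m = re.search(pattern, subject_dn)
    return m.group(1) if m else None


def resolve_principal(issuer_dn: str, subject_dn: str,
                      directory=DIRECTORY, configs=CONFIGS) -> Optional[str]:
    """Map a certificate (issuer DN, subject DN) to a directory uid, or None.

    Trust in the issuer is NOT established here: the lookup regex only chooses
    which extraction rule applies.  Chain validation against the trusted CAs is
    the X.509 authentication handler's job, which runs before principal resolution.
    """
    cfg = select_config(issuer_dn, configs)
    if cfg is None:
        return None                      # unknown issuer: no rule, so no principal
    nif = extract(cfg.nif_regex, subject_dn)
    if not nif:
        return None                      # rule matched but the ID is not where expected
    return directory.get(nif)            # (employeeNumber=<nif>) lookup stand-in


# Constructed sample DNs shaped to match the regexes above (not real certificates).
SAMPLES = {
    "fnmt": ("cn=AC FNMT Usuarios, ou=Ceres, o=FNMT-RCM, c=ES",
             "cn=JUAN ESPANOL ESPANOL - NIF 12345678Z, ou=500050001, o=FNMT-RCM, c=ES"),
    "camerfirma": ("cn=AC CAMERFIRMA CERTIFICADOS CAMERALES, o=AC CAMERFIRMA S.A., c=ES",
                   "cn=MARIA GARCIA LOPEZ - 87654321X, ou=Usuarios, o=Empresa SL, c=ES"),
    "firmaprofesional": ("cn=AC Firmaprofesional - CUALIFICADOS, o=Firmaprofesional SA, c=ES",
                         "cn=PEDRO PEREZ PEREZ - DNI 11223344B, o=Colegio, c=ES"),
    # CN containing an escaped comma: the nifRegex still works, the cnRegex stops early.
    "dnie": ("cn=AC DNIE 001, ou=DNIE, o=DIRECCION GENERAL DE LA POLICIA, c=ES",
             "cn=PEREZ GOMEZ\\, ANA (AUTENTICACION), givenName=ANA, SERIALNUMBER=55667788C, c=ES"),
    # Issuer matched by no entry: the subject carries a valid-looking NIF but yields no principal.
    "unknown": ("cn=Some Other CA, o=Example, c=ES",
                "cn=ANYONE - NIF 12345678Z, o=Example, c=ES"),
}


if __name__ == "__main__":
    for name, (issuer, subject) in SAMPLES.items():
        print(name, "->", resolve_principal(issuer, subject))
```

Two things worth checking in a real deployment follow from the model. First, entries are tried in order and the lookup patterns are unanchored, so an issuer DN that happens to contain one of the substrings would be handled by that entry; the chain validation done by the X.509 handler, not this match, is what keeps an untrusted issuer out. Second, the cnRegex stops at the first comma, so a CN that itself contains an escaped comma (the "dnie" sample) is truncated, although the NIF extraction from SERIALNUMBER is unaffected.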
-----Original Message-----
From: Ricardo Borillo [mailto:[email protected]]
Sent: Friday, 07 March 2014 8:58
To: [email protected]
Subject: [cas-user] Mixed auth: LDAP with user/pass + X509
Hi guys,
We have an up-and-running installation of CAS 3.5 with LDAP auth. Thanks for such
a great tool :)
Now we need to add X509-based authentication. The idea is that the user will
be able to choose between regular LDAP auth with login/pass or an X509 certificate.
Is this supported by CAS? I have reviewed the main docs, but I have only seen a
description for one system or the other, not both. Is there any documentation
of this use case?
Thanks again!!!!
---
Salut,
====================================
Ricardo Borillo Domenech ~ @borillo
http://xml-utils.com
--
You are currently subscribed to [email protected] as:
[email protected] To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
