RE: Distinct Principal Resolvers

We began this process with CAS 3.4.2.1. We
have not upgraded simply because we are still at the soft roll out stage
and don't want to make any adjustments that may occur based on later
versions.
So, I think I actually don't need two different principal resolvers, but I
was advised I did earlier. That may be because I did not explain the
implementation we are using well:
We are using AD LDAP to authenticate successfully with this construct:
<!-- AD LDAP Authentication Handler -->
<bean id="AD-LdapAuthHandler"
      class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
  <property name="filter" value="${ad.bindAuthHandler.filter}" />
  <property name="searchBase" value="${ad.bindAuthHandler.searchBase}" />
  <property name="contextSource" ref="contextSource" />
</bean>
<!-- AD LDAP Credential to Principal Resolver -->
<bean id="ADLdapCredential-to-PrincipalResolver"
      class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
  <property name="credentialsToPrincipalResolver">
    <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
  </property>
  <property name="filter" value="${ad.bindAuthHandler.filter}" />
  <property name="principalAttributeName" value="sAMAccountName" />
  <property name="searchBase" value="${ad.userBindAuthHandler.searchBase}" />
  <property name="contextSource" ref="contextSource" />
  <property name="attributeRepository" ref="attributeRepository" />
</bean>
The alternate approach is using the very same LDAP source, but is
evaluating the return via local scripts and can by-pass an expiration date
in the AD LDAP that refers solely to using student labs, etc.
Nevertheless, I must set up different authentication handlers based on the
way this program expects data. I was advised I did not need to change the
UsernamePasswordCredentialsToPrincipalResolver class, but I would need to
have a different LDAP Credential to Principal Resolver class.
In our version, the only candidate I find is
org.jasig.cas.authentication.principal.AbstractPersonDirectoryCredentialsToPrincipalResolver.
I am about to test this, but may need some support if all does not go
well.
As always, if something leaps out at any of you - let me know.
I have attached the entire deployerConfigContext.xml file for further
reference if that helps.
Linda
Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
[email protected] | www.alaska.edu/oit/
On Mon, Mar 10, 2014 at 2:16 PM, Linda Toth <[email protected]> wrote:
> Marvin
>
> This does help - thanks
>
> Linda Toth
> University of Alaska - Office of Information Technology (OIT) - Identity
> and Access Management
> 910 Yukon Drive, Suite 103
> Fairbanks, Alaska 99775
> Tel: 907-450-8320
> Fax: 907-450-8381
> [email protected] | www.alaska.edu/oit/
>
>
>
> On Sat, Mar 8, 2014 at 3:38 AM, Marvin Addison <[email protected]> wrote:
>
>> > I think the CredentialsToLDAPAttributePrincipalResolver is the one that
>> must
>> > be different for multiple LDAPs.
>>
>> That's correct. The inner
>> UsernamePasswordCredentialsToPrincipalResolver is used to seed the
>> LDAP query with the user name used in the LDAP search filter, but
>> CredentialsToLDAPAttributePrincipalResolver has the directory-specific
>> LDAP details such as host name, base DN, search scope, and filter.
>>
>> Hope that helps,
>> M
>>
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
>
>
http://www.ja-sig.org/wiki/display/JSG/cas-user

<?xml version="1.0" encoding="UTF-8"?>
<!--
| deployerConfigContext.xml centralizes into one file some of the
| declarative configuration that all CAS deployers will need to modify.
|
| This file declares some of the Spring-managed JavaBeans that
| make up a CAS deployment.
| The beans declared in this file are instantiated at context
| initialization time by the Spring
| ContextLoaderListener declared in web.xml. It finds this file
| because this file is among those declared in the context
| parameter "contextConfigLocation".
|
| By far the most common change you will need to make in this file is
| to change the last bean declaration to replace the default
| SimpleTestUsernamePasswordAuthenticationHandler with one implementing
| your approach for authenticating usernames and passwords.
-->
<!-- BEIS -->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<!--
| This bean declares our AuthenticationManager. The
| CentralAuthenticationService service bean declared in
| applicationContext.xml picks up this AuthenticationManager by
| reference to its id, "authenticationManager". Most deployers will
| be able to use the default AuthenticationManager implementation and
| so do not need to change the class of this bean. We include the
| whole AuthenticationManager here in deployerConfigContext.xml so that
| you can see the things you will need to change in context.
+-->
<bean id="authenticationManager"
class="org.jasig.cas.authentication.LinkedAuthenticationHandlerAndCredentialsToPrincipalResolverAuthenticationManager">
<constructor-arg index="0">
<map>
<entry key-ref="AD-LdapAuthHandler" value-ref="ADLdapCredential-to-PrincipalResolver" />
<entry key-ref="UAAuthenticator-LdapAuthHandler" value-ref="UAAuthenticatorLdapCredential-to-PrincipalResolver" />
<entry key-ref="HTTPAuthHandler" value-ref="HTTPCredential-to-PrincipalResolver" />
</map>
</constructor-arg>
</bean>
<!-- BEGIN AD Configuration -->
<!-- AD LDAP Authentication Handler -->
<bean id="AD-LdapAuthHandler"
class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
<property name="filter" value="${ad.bindAuthHandler.filter}" />
<property name="searchBase" value="${ad.bindAuthHandler.searchBase}" />
<property name="contextSource" ref="contextSource" />
</bean>
<!-- AD LDAP Credential to Principal Resolver -->
<bean id="ADLdapCredential-to-PrincipalResolver"
class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver" >
<property name="credentialsToPrincipalResolver">
<bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
</property>
<property name="filter" value="${ad.bindAuthHandler.filter}" />
<property name="principalAttributeName" value="sAMAccountName" />
<property name="searchBase" value="${ad.userBindAuthHandler.searchBase}" />
<property name="contextSource" ref="contextSource" />
<property name="attributeRepository">
<ref bean="attributeRepository" />
</property>
</bean>
<!-- BEGIN UA Authenticator Configuration -->
<!-- UA Authenticator LDAP Authentication Handler -->
<bean id="UAAuthenticator-LdapAuthHandler"
class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler" >
<property name="filter" value="${ua.auth.bindAuthHandler.filter}" />
<property name="searchBase" value="${ua.auth.bindAuthHandler.searchBase}" />
<property name="contextSource" ref="contextSource" />
</bean>
<!-- UA Authenticator LDAP Credential to Principal Resolver -->
<!-- AbstractPersonDirectoryCredentialsToPrincipalResolver is abstract and cannot be
     instantiated by Spring. CredentialsToLDAPAttributePrincipalResolver is its concrete
     LDAP subclass; it takes the same properties as the AD resolver above, and it is the
     class that has to differ per directory (filter, search base, principal attribute). -->
<bean id="UAAuthenticatorLdapCredential-to-PrincipalResolver"
class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver" >
<property name="credentialsToPrincipalResolver">
<bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
</property>
<property name="filter" value="${ua.auth.bindAuthHandler.filter}" />
<property name="principalAttributeName" value="cn" />
<property name="searchBase" value="${ua.auth.bindAuthHandler.searchBase}" />
<property name="contextSource" ref="contextSource" />
<property name="attributeRepository">
<ref bean="attributeRepository" />
</property>
</bean>
<!-- BEGIN HTTP Authentication Handler -->
<!-- HTTP Authentication Handler -->
<bean id="HTTPAuthHandler"
class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
p:httpClient-ref="httpClient" />
<!-- Attribute Repository reference. Note: the lookup is keyed on sAMAccountName
     (queryAttributeMapping "username"), so a principal whose id is taken from a
     different attribute (e.g. cn) will not find its attributes here. -->
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
<property name="contextSource" ref="contextSource" />
<property name="baseDN" value="${ad.bindAuthHandler.baseDN}" />
<property name="requireAllQueryAttributes" value="true" />
<!--
Attribute mapping between principal (key) and LDAP (value) names
used to perform the LDAP search. By default, multiple search
criteria are ANDed together. Set the queryType property to change
to OR.
-->
<property name="queryAttributeMapping">
<map>
<entry key="username" value="sAMAccountName" />
</map>
</property>
<property name="resultAttributeMapping">
<map>
<!-- Mapping between LDAP entry attributes (key) and
Principal's (value) -->
<entry key="employeeNumber" value="UDC_IDENTIFIER"/>
<entry key="sAMAccountName" value="uid" />
</map>
</property>
</bean>
<!-- Context Source, shared by both LDAP handlers and both resolvers.
     java.naming.security.authentication=simple is a cleartext bind: the bind
     account password below and every user password the bind handlers send
     cross the wire unprotected unless ${ad.bindAuthHandler.url} is an ldaps://
     URL (or StartTLS is negotiated). Check the URL before the soft roll-out widens. -->
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
<property name="pooled" value="false"/>
<property name="urls">
<list>
<value>${ad.bindAuthHandler.url}</value>
</list>
</property>
<property name="userDn" value="${ad.bindAuthHandler.user}" />
<property name="password" value="${ad.bindAuthHandler.pwd}"/>
<property name="baseEnvironmentProperties">
<map>
<entry>
<key>
<value>java.naming.security.authentication</value>
</key>
<value>simple</value>
</entry>
</map>
</property>
</bean>
<!--
This bean defines the security roles for the Services Management
application. Simple deployments can use the in-memory version.
More robust deployments will want to use another option, such as
the Jdbc version.
The name of this should remain "userDetailsService" in order for
Spring Security to find it.
To use this, you should add an entry similar to the following between
the two value tags:
battags=notused,ROLE_ADMIN
where battags is the username you want to grant access to. You can
put one entry per line.
-->
<!-- <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" />-->
<!-- FOR BEIS replace name=battags and password="notused"
with legitimate ADMIN user
-->
<sec:user-service id="userDetailsService">
<sec:user name="${service.user}" password="${service.password}" authorities="ROLE_ADMIN"/>
</sec:user-service>
<!--
Permanent data store for the Service Registry with JPA-backed ServiceRegistry
DAO. The name of this bean should remain "serviceRegistryDao".
-->
<bean id="serviceRegistryDao"
class="org.jasig.cas.services.JpaServiceRegistryDaoImpl"
p:entityManagerFactory-ref="entityManagerFactory" />
<bean id="entityManagerFactory" class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
<property name="dataSource" ref="dataSource"/>
<property name="jpaVendorAdapter">
<bean class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
<property name="generateDdl" value="true"/>
<property name="showSql" value="true"/>
</bean>
</property>
<property name="jpaProperties">
<props>
<prop key="hibernate.dialect">org.hibernate.dialect.OracleDialect</prop>
<prop key="hibernate.hbm2ddl.auto">update</prop>
</props>
</property>
</bean>
<bean id="transactionManager" class="org.springframework.orm.jpa.JpaTransactionManager">
<property name="entityManagerFactory" ref="entityManagerFactory"/>
</bean>
<tx:annotation-driven transaction-manager="transactionManager"/>
<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource"
p:driverClassName="${db.driverClassName}"
p:url="${db.url}"
p:password="${db.password}"
p:username="${db.user}" />
</beans>
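As an added illustration of the linking Marvin describes above (this is example code written for this page, not code from the thread or from the CAS project), the following Python model reproduces what `LinkedAuthenticationHandlerAndCredentialsToPrincipalResolverAuthenticationManager` does with the `<map>` in deployerConfigContext.xml: handlers are tried in map order, and the first handler that accepts the credentials selects the one resolver paired with it. The directory entries, the `TODAY` date, the cleartext "password" field standing in for a successful LDAP bind, and the assumption that only the AD handler enforces `accountExpires` are all constructed for the example; the AD resolver keys the principal on `sAMAccountName` and the UA resolver on `cn`, as in the posted configuration.

```python
"""Model of CAS 3.4's linked handler/resolver authentication manager (added example,
not CAS code). DIRECTORY is constructed sample data standing in for one AD source."""
from dataclasses import dataclass
from datetime import date

TODAY = date(2014, 3, 10)  # assumed "now" for the account-expiry check

# Constructed entries searched by both handlers. "password" is a cleartext stand-in
# for the user's bind succeeding; a real directory never exposes it this way.
DIRECTORY = [
    {"dn": "CN=John Doe,OU=Staff,DC=example,DC=edu", "sAMAccountName": "jdoe",
     "cn": "John Doe", "employeeNumber": "100001", "password": "correct-horse",
     "accountExpires": None},
    {"dn": "CN=A Student,OU=Students,DC=example,DC=edu", "sAMAccountName": "astudent",
     "cn": "A Student", "employeeNumber": "200002", "password": "battery-staple",
     "accountExpires": date(2013, 12, 31)},  # lab account past its expiry date
]


def ldap_search(search_base, attr, value):
    """Stand-in for a subtree search '(attr=value)' under search_base."""
    return [e for e in DIRECTORY if e["dn"].endswith(search_base) and e.get(attr) == value]


@dataclass
class BindLdapAuthenticationHandler:
    name: str
    filter_attr: str      # attribute the ${...filter} property matches the username on
    search_base: str
    enforce_expiry: bool  # assumption: the AD handler refuses a bind for an expired account

    def authenticate(self, username, password):
        hits = ldap_search(self.search_base, self.filter_attr, username)
        if len(hits) != 1:  # no entry, or an ambiguous match: fail closed
            return False
        entry = hits[0]
        expires = entry["accountExpires"]
        if self.enforce_expiry and expires is not None and expires < TODAY:
            return False
        return entry["password"] == password  # models the bind as the found DN


@dataclass
class CredentialsToLDAPAttributePrincipalResolver:
    filter_attr: str
    principal_attribute_name: str  # sAMAccountName for AD, cn for the UA resolver
    search_base: str

    def resolve(self, username):
        hits = ldap_search(self.search_base, self.filter_attr, username)
        if len(hits) != 1:
            return None
        entry = hits[0]
        return {"id": entry[self.principal_attribute_name],
                "attributes": {"UDC_IDENTIFIER": entry["employeeNumber"]}}


class LinkedAuthenticationManager:
    """First handler that authenticates wins; only its paired resolver runs."""

    def __init__(self, pairs):
        self.pairs = list(pairs)  # ordered, like the <map> in deployerConfigContext.xml

    def authenticate(self, username, password):
        for handler, resolver in self.pairs:
            if handler.authenticate(username, password):
                principal = resolver.resolve(username)
                if principal is None:  # handler accepted but no principal: no ticket
                    return None
                return {"handler": handler.name, "principal": principal}
        return None  # no handler accepted the credentials


BASE = "DC=example,DC=edu"
MANAGER = LinkedAuthenticationManager([
    (BindLdapAuthenticationHandler("AD-LdapAuthHandler", "sAMAccountName", BASE, True),
     CredentialsToLDAPAttributePrincipalResolver("sAMAccountName", "sAMAccountName", BASE)),
    (BindLdapAuthenticationHandler("UAAuthenticator-LdapAuthHandler", "sAMAccountName", BASE, False),
     CredentialsToLDAPAttributePrincipalResolver("sAMAccountName", "cn", BASE)),
])


def authenticate(username, password):
    """Returns {"handler": ..., "principal": ...} or None, like a CAS ticket grant/deny."""
    return MANAGER.authenticate(username, password)


if __name__ == "__main__":
    for user, pw in [("jdoe", "correct-horse"), ("astudent", "battery-staple"), ("jdoe", "wrong")]:
        print(user, "->", authenticate(user, pw))
```

Two things the model makes visible. First, because the handlers are tried in sequence, the combined policy is the looser of the two: an account the AD handler refuses (the expired student here) is still issued a principal through the UA handler, so whatever the AD expiry was meant to enforce is enforced only for users who happen to fail on the second path as well. Second, the same person gets a different principal id depending on which handler accepted them (`jdoe` from `sAMAccountName`, `A Student` from `cn`); any service that keys authorization on the CAS principal id, and an attribute repository that looks users up by `sAMAccountName`, has to be able to cope with both forms.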