Dear all,

For many reasons, we would like to be able to use dereferencing in the LDAP
search for CAS authentication.

I attach the deployerConfigContext.xml file to this mail.

When I try to authenticate to the cas server, it fails.

The slapd logs are as follows:

Oct 12 10:47:41 mystic slapd[11284]: conn=70 fd=12 ACCEPT from IP=195.83.19.11:56509 (IP=0.0.0.0:389)
Oct 12 10:47:41 mystic slapd[11284]: conn=70 op=0 BIND dn="cn=Manager,dc=femto-st,dc=fr" method=128
Oct 12 10:47:41 mystic slapd[11284]: conn=70 op=0 BIND dn="cn=Manager,dc=femto-st,dc=fr" mech=SIMPLE ssf=0
Oct 12 10:47:41 mystic slapd[11284]: conn=70 op=0 RESULT tag=97 err=0 text=
Oct 12 10:47:41 mystic slapd[11284]: conn=70 op=1 SRCH base="ou=AliasedPeople,dc=femto-st,dc=fr" scope=2 deref=1 filter="(&(uid=emmanuel.aubert)(objectClass=FemtoUser))"
Oct 12 10:47:41 mystic slapd[11284]: conn=70 op=1 SRCH attr=1.1
Oct 12 10:47:41 mystic slapd[11284]: conn=70 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 12 10:47:41 mystic slapd[11284]: conn=71 fd=17 ACCEPT from IP=195.83.19.11:56510 (IP=0.0.0.0:389)
Oct 12 10:47:41 mystic slapd[11284]: bind: invalid dn (ldap://mailtest.femto-st.fr:389/uid=emmanuel.aubert,ou=People,ou=6,dc=femto-st,dc=fr,ou=AliasedPeople,ou=dc=femto-st,dc=fr)
Oct 12 10:47:41 mystic slapd[11284]: conn=71 op=0 RESULT tag=97 err=34 text=invalid DN
Oct 12 10:47:41 mystic slapd[11284]: conn=71 fd=17 closed

Why is the DN returned by the primary search like this?
Does anybody have an idea of what is happening?

Thank you for your answer.

--
Emmanuel Aubert
Femto-ST
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC  "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
<!--
	| deployerConfigContext.xml centralizes into one file some of the declarative configuration that
	| all CAS deployers will need to modify.
	|
	| This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.  
	| The beans declared in this file are instantiated at context initialization time by the Spring 
	| ContextLoaderListener declared in web.xml.  It finds this file because this
	| file is among those declared in the context parameter "contextConfigLocation".
	|
	| By far the most common change you will need to make in this file is to change the last bean
	| declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with
	| one implementing your approach for authenticating usernames and passwords.
	+-->
<beans>
	<!--
		| This bean declares our AuthenticationManager.  The CentralAuthenticationService service bean
		| declared in applicationContext.xml picks up this AuthenticationManager by reference to its id, 
		| "authenticationManager".  Most deployers will be able to use the default AuthenticationManager
		| implementation and so do not need to change the class of this bean.  We include the whole
		| AuthenticationManager here in the userConfigContext.xml so that you can see the things you will
		| need to change in context.
		+-->
	<bean id="authenticationManager"
		class="org.jasig.cas.authentication.AuthenticationManagerImpl">
		<!--
			| This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate.
			| The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which 
			| supports the presented credentials.
			|
			| AuthenticationManagerImpl uses these resolvers for two purposes.  First, it uses them to identify the Principal
			| attempting to authenticate to CAS /login .  In the default configuration, it is the DefaultCredentialsToPrincipalResolver
			| that fills this role.  If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace
			| DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are
			| using.
			|
			| Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket. 
			| In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose. 
			| You will need to change this list if you are identifying services by something more or other than their callback URL.
			+-->
		<property name="credentialsToPrincipalResolvers">
			<list>
				<!--
					| UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login 
					| by default and produces SimplePrincipal instances conveying the username from the credentials.
					| 
					| If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
					| need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
					| Credentials you are using.
					+-->
				<bean
					class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
				<!--
					| HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials.  It supports the CAS 2.0 approach of
					| authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
					| SimpleService identified by that callback URL.
					|
					| If you are representing services by something more or other than an HTTPS URL whereat they are able to
					| receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
					+-->
				<bean
					class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
			</list>
		</property>

		<!--
			| Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate, 
			| AuthenticationHandlers actually authenticate credentials.  Here we declare the AuthenticationHandlers that
			| authenticate the Principals that the CredentialsToPrincipalResolvers identified.  CAS will try these handlers in turn
			| until it finds one that both supports the Credentials presented and succeeds in authenticating.
			+-->
		<property name="authenticationHandlers">
			<list>
				<!--
					| This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
					| a server side SSL certificate.
					+-->
				<bean
					class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" />

				<!--
					| This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS 
					| into production.  The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
					| where the username equals the password.  You will need to replace this with an AuthenticationHandler that implements your
					| local authentication strategy.  You might accomplish this by coding a new such handler and declaring
					| edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
					+-->
				<bean
					class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
					<property name="filter" value="(&amp;(uid=%u)(objectclass=FemtoUser))" />
					<!--<property name="searchBase" value="dc=femto-st,dc=fr" />-->
					<!--<property name="filter" value="(uid=%u)" />-->
					<property name="searchBase" value="ou=AliasedPeople,dc=femto-st,dc=fr" />
					<property
						name="contextSource"
						ref="contextSource" />
				</bean>
			</list>
		</property>
	</bean>
	
	<bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
		<property name="authenticatedReadOnly" value="true" />
		<property name="password" value="secret" />
		<property name="pooled" value="true" />
		<property name="urls">
			<list>
				<value>ldap://mailtest.femto-st.fr</value>
			</list>
		</property>
		<property name="userName" value="cn=Manager,dc=femto-st,dc=fr" />
		<property name="baseEnvironmentProperties">
			<map>
				<!--<entry>
					<key><value>java.naming.security.protocol</value></key>
					<value>ssl</value>
				</entry> -->
				<entry>
					<key><value>java.naming.security.authentication</value></key>
					<value>simple</value>
				</entry>
				<!-- JNDI alias handling: "searching" dereferences aliases below the search base
				     but not the base entry itself (slapd logs this as deref=1). -->
				<entry>
					<key><value>java.naming.ldap.derefAliases</value></key>
					<value>searching</value>
				</entry>
				<!-- Referrals returned by the server are ignored rather than followed. -->
				<entry>
					<key><value>java.naming.referral</value></key>
					<value>ignore</value>
				</entry>
			</map>
		</property>
	</bean>				
</beans>
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
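Added example (not part of the post above and not CAS or OpenLDAP code): a small Python script that works the slapd log the post shows. It does two things. First, it parses constructed log lines modelled on the ones in the post, pairs the alias-dereferencing search (deref=1 on conn=70) with the bind that slapd rejected with err=34 (invalidDNSyntax) on conn=71, and runs a cheap RFC 4514 syntax check on the rejected string to show which part makes it not a DN (the first "RDN" has the attribute type `ldap://mailtest.femto-st.fr:389/uid`). Second, the hypothetical helper `bindable_dn` shows how a client should turn a search result name into a DN to bind with. The assumption behind that helper is JNDI's documented behaviour that a search result whose entry lies outside the search base (which is what alias dereferencing produces) is reported as an LDAP URL (RFC 4516) with `isRelative() == false`, not as a name relative to the base; a client that glues every result name onto the search base then builds a string of the same shape as the one in the log. Whether this is exactly what the deployed CAS handler does is not established by the post; the helper is an illustration of the correct handling, nothing more.

```python
"""Work the slapd log from the post: correlate the deref search with the
err=34 bind and show the right way to derive a bind DN from a JNDI result name.

Added example, not code from the post, from CAS or from OpenLDAP.
"""
import re
from urllib.parse import unquote

# Constructed sample, modelled on the slapd lines quoted in the post (conn=70 / conn=71).
SAMPLE_LOG = """\
Oct 12 10:47:41 mystic slapd[11284]: conn=70 op=0 BIND dn="cn=Manager,dc=femto-st,dc=fr" method=128
Oct 12 10:47:41 mystic slapd[11284]: conn=70 op=0 RESULT tag=97 err=0 text=
Oct 12 10:47:41 mystic slapd[11284]: conn=70 op=1 SRCH base="ou=AliasedPeople,dc=femto-st,dc=fr" scope=2 deref=1 filter="(&(uid=emmanuel.aubert)(objectClass=FemtoUser))"
Oct 12 10:47:41 mystic slapd[11284]: conn=70 op=1 SRCH attr=1.1
Oct 12 10:47:41 mystic slapd[11284]: conn=70 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 12 10:47:41 mystic slapd[11284]: conn=71 fd=17 ACCEPT from IP=195.83.19.11:56510 (IP=0.0.0.0:389)
Oct 12 10:47:41 mystic slapd[11284]: bind: invalid dn (ldap://mailtest.femto-st.fr:389/uid=emmanuel.aubert,ou=People,ou=6,dc=femto-st,dc=fr,ou=AliasedPeople,ou=dc=femto-st,dc=fr)
Oct 12 10:47:41 mystic slapd[11284]: conn=71 op=0 RESULT tag=97 err=34 text=invalid DN
Oct 12 10:47:41 mystic slapd[11284]: conn=71 fd=17 closed
"""

LINE_RE = re.compile(r'conn=(?P<conn>\d+) (?:fd=\d+ )?(?:op=(?P<op>\d+) )?(?P<rest>.*)')
INVALID_DN_RE = re.compile(r'bind: invalid dn \((?P<dn>.*)\)$')
RESULT_RE = re.compile(r'RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)')
SRCH_RE = re.compile(r'SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) deref=(?P<deref>\d)')

BIND_RESPONSE_TAG = 97   # LDAP protocolOp tag of a BindResponse
INVALID_DN_SYNTAX = 34   # LDAP resultCode invalidDNSyntax
DEREF_NAMES = {0: "never", 1: "searching", 2: "finding", 3: "always"}  # slapd deref= values


def find_deref_searches(log_text):
    """Return (conn, base, derefAliases) for every search that dereferences aliases."""
    out = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m and int(m.group('deref')) != 0:
            conn = int(LINE_RE.search(line).group('conn'))
            out.append((conn, m.group('base'), DEREF_NAMES[int(m.group('deref'))]))
    return out


def find_invalid_dn_binds(log_text):
    """Return (conn, rejected_string) for binds answered with err=34.

    slapd prints the offending string on a separate 'bind: invalid dn (...)' line
    just before the RESULT line (no BIND line is logged because the DN never parsed),
    so remember the last such line and attach it to the next err=34 BindResponse."""
    findings, pending = [], None
    for line in log_text.splitlines():
        m = INVALID_DN_RE.search(line)
        if m:
            pending = m.group('dn')
            continue
        m = LINE_RE.search(line)
        if not m:
            continue
        r = RESULT_RE.search(m.group('rest'))
        if r and int(r.group('tag')) == BIND_RESPONSE_TAG and int(r.group('err')) == INVALID_DN_SYNTAX:
            findings.append((int(m.group('conn')), pending))
            pending = None
    return findings


# RFC 4514: an attribute type is a descriptor (alpha, then alnum or '-') or a numeric OID.
RDN_TYPE_RE = re.compile(r'^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$')
LDAP_URL_RE = re.compile(r'^ldaps?://[^/]*/(?P<dn>[^?]*)', re.IGNORECASE)


def split_dn(dn):
    """Split a DN on unescaped commas (RFC 4514; multi-valued RDNs with '+' are not split)."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == '\\':
            cur.append(ch)
            esc = True
        elif ch == ',':
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur))
    return parts


def is_syntactically_valid_dn(dn):
    """Cheap RFC 4514 check: every RDN is type=value with a legal attribute type."""
    if dn == '':
        return True  # the empty DN (root DSE) is legal
    for rdn in split_dn(dn):
        if '=' not in rdn:
            return False
        attr_type, _value = rdn.split('=', 1)
        if not RDN_TYPE_RE.match(attr_type.strip()):
            return False
    return True


def naive_join(result_name, search_base):
    """What a client builds if it assumes every result name is relative to the search base."""
    return result_name + ',' + search_base


def bindable_dn(result_name, search_base, is_relative=None):
    """Hypothetical helper: derive the DN to bind with from a JNDI search result name.

    Assumption (JNDI behaviour): a result outside the search base, e.g. the target of a
    dereferenced alias, is reported as an LDAP URL with isRelative() == False. In that
    case the DN is the URL's percent-encoded path component (RFC 4516), not name+base."""
    m = LDAP_URL_RE.match(result_name)
    if is_relative is False or m:
        if not m:
            raise ValueError("non-relative name that is not an LDAP URL: %r" % (result_name,))
        return unquote(m.group('dn'))
    return naive_join(result_name, search_base) if result_name else search_base


if __name__ == '__main__':
    for conn, base, mode in find_deref_searches(SAMPLE_LOG):
        print("conn=%d searched %s with derefAliases=%s" % (conn, base, mode))
    for conn, bad in find_invalid_dn_binds(SAMPLE_LOG):
        print("conn=%d bind rejected with invalidDNSyntax: %s" % (conn, bad))
        print("  first RDN type: %r" % (split_dn(bad)[0].split('=', 1)[0],))
    base = "ou=AliasedPeople,dc=femto-st,dc=fr"
    url_name = "ldap://mailtest.femto-st.fr:389/uid=emmanuel.aubert,ou=People,ou=6,dc=femto-st,dc=fr"
    print("naive join valid DN? ", is_syntactically_valid_dn(naive_join(url_name, base)))
    print("bindable_dn         : ", bindable_dn(url_name, base, is_relative=False))
```

Run it as a script to see the correlation and the two derived strings; the functions take any slapd log text, so pointing `find_invalid_dn_binds` at a real log (with "loglevel stats" enabled on slapd) will list every bind that failed for this reason, not just the one from the post.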
