> 1) I am using v.3.0.6 and I'd like to verify that the ID is present in
> my LDAP server; but I do not understand how to include
> CredentialsToLDAPAttributePrincipalResolver.zip
> from http://www.ja-sig.org/issues/browse/CAS-373 in my server.

I'm not sure whether that package is compatible with 3.0.6, but if it is:
The quick & dirty way is to use the binary class files and copy them into the extracted WEB-INF/classes/.../.../ directory (copy everything in the /bin from the package into the classes dir).
Else you'll need to combine the source in that package with the source of 3.0.6 and adjust/recompile. But in that case you're better off using a 3.1rc.

> 2) With X509CertificateCredentialsToIdentifierPrincipalResolver my
> application gets "$OU $CN" as principal ID; i.e. using esup-phpcas
> library I get "Centro di Calcolo Elettronico [EMAIL PROTECTED]"
> after a correct x509 authentication. I modify
> ./adaptors/x509/src/main/java/org/jasig/cas/adaptors/x509/authentication/principal/X509CertificateCredentialsToIdentifierPrincipalResolver.java
> to get only the mail ($CN). Is there any other way, configuring the bean
> in ../webapp/WEB-INF/deployerConfigContext.xml, to get the same result?
> Is it correct to use:
> <bean
> class="org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentialsToIdentifierPrincipalResolver">
> <property name="identifier" value="$CN" />
> </bean>
> I tried it and it works, but I was not able to find a page describing
> how to use and to configure the different resolvers.

The package at http://shib.kuleuven.be/download/idp/1.3/shibboleth-idp13c-cas305-200612051540.zip includes the LDAP principalResolver for x509 automatically (you can use it to install CAS only). You can check what exactly it does (it's an ant script).

Also check the deployerConfigContext.xml example included in the zip:
----------------------------
<bean class="org.jasig.cas.adaptors.ldap.authentication.principal.CredentialsToLDAPAttributePrincipalResolver" lazy-init="default" autowire="default" dependency-check="default">
  <!-- inner resolver: takes the identifier from the certificate subject -->
  <property name="credentialsToPrincipalResolver">
    <bean class="org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentialsToIdentifierPrincipalResolver" lazy-init="default" autowire="default" dependency-check="default">
      <property name="identifier" value="$SERIALNUMBER" />
    </bean>
  </property>
  <!-- LDAP lookup: %u is the identifier from the inner resolver -->
  <property name="filter" value="employeeNumber=%u" />
  <property name="principalAttributeName" value="uid" />
  <property name="searchBase" value="ou=people,dc=kuleuven,dc=be" />
  <property name="contextSource" ref="contextSource" />
</bean>
----------------------------

> 3) Is there a way to modify the configuration files to make the
> authentication a double login, i.e. the user must provide a valid x509
> certificate and use the correct username-password set, where the
> username is the same CN from the certificate?

I think you can modify the login-webflow so users need to do x509 AND regular password login. It may need some more tweaking though...

Good luck!

--
Velpi
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
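
The resolver chain discussed in this thread, modelled as an added example (not code from CAS or from the poster): a `$NAME` identifier template is expanded from the certificate subject DN, and the result replaces `%u` in the LDAP filter after RFC 4515 escaping. The sample DN, the function names and the simplified DN parsing are assumptions; that CAS expands `$NAME` and `%u` this way is inferred from the behaviour described above.

```python
import re

# Constructed sample subject DN (not taken from the thread).
SAMPLE_SUBJECT_DN = (
    "CN=jdoe@example.org, OU=Example Unit, SERIALNUMBER=u0012345, O=Example Org, C=BE"
)

# RFC 4515 escapes for characters that are special inside an LDAP filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def parse_dn(dn):
    """Split a simple comma-separated DN into {NAME: value}.

    Simplification: no escaped commas, no multi-valued RDNs; first value wins.
    """
    attrs = {}
    for rdn in dn.split(","):
        name, sep, value = rdn.partition("=")
        if sep:
            attrs.setdefault(name.strip().upper(), value.strip())
    return attrs


def resolve_identifier(template, dn):
    """Expand each $NAME token in the template from the subject DN (hypothetical helper)."""
    attrs = parse_dn(dn)

    def substitute(match):
        name = match.group(1).upper()
        if name not in attrs:
            # Fail closed: an unresolved token must not become a principal ID.
            raise ValueError(f"subject DN has no {name} attribute")
        return attrs[name]

    # Single pass, so a '$' inside a certificate value is never re-expanded.
    return re.sub(r"\$([A-Za-z]+)", substitute, template)


def escape_filter_value(value):
    """Escape a value so it is treated as a literal inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(filter_template, identifier):
    """Substitute the escaped identifier for %u, as in filter="employeeNumber=%u"."""
    return filter_template.replace("%u", escape_filter_value(identifier))


if __name__ == "__main__":
    for template in ("$OU $CN", "$CN", "$SERIALNUMBER"):
        ident = resolve_identifier(template, SAMPLE_SUBJECT_DN)
        print(f"{template!r:18} -> {ident!r} -> {build_filter('employeeNumber=%u', ident)}")
```
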
