We are having trouble getting CAS to get the usernames from LDAP; in our
LDAP server, the "uid" field is not populated ("sAMAccountName" does its
work).

Do any problems jump out, or any "usual suspects" for trouble getting
usernames from LDAP?

<?xml version="1.0" encoding="UTF-8"?>
<!--
    | deployerConfigContext.xml centralizes into one file some of the declarative configuration that
    | all CAS deployers will need to modify.
    |
    | This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
    | The beans declared in this file are instantiated at context initialization time by the Spring
    | ContextLoaderListener declared in web.xml.  It finds this file because this
    | file is among those declared in the context parameter "contextConfigLocation".
    |
    | By far the most common change you will need to make in this file is to change the last bean
    | declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with
    | one implementing your approach for authenticating usernames and passwords.
    +-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
    <!--
        | This bean declares our AuthenticationManager.  The CentralAuthenticationService service bean
        | declared in applicationContext.xml picks up this AuthenticationManager by reference to its id,
        | "authenticationManager".  Most deployers will be able to use the default AuthenticationManager
        | implementation and so do not need to change the class of this bean.  We include the whole
        | AuthenticationManager here in the userConfigContext.xml so that you can see the things you will
        | need to change in context.
        +-->

    <bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
        <property name="urls">
            <list>
                <value>ldap://[DELETED]:389/OU=Accounts,OU=[DELETED],OU=[DELETED],DC=[DELETED],DC=[DELETED],DC=[DELETED]</value>
            </list>
        </property>
        <property name="userName" value="[DELETED]"/>
        <property name="password" value="[DELETED]"/>
        <property name="baseEnvironmentProperties">
            <map>
                <entry>
                    <key>
                        <value>java.naming.security.authentication</value>
                    </key>
                    <value>simple</value>
                </entry>
            </map>
        </property>
    </bean>

    <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
        <!--
            | This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate.
            | The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which
            | supports the presented credentials.
            |
            | AuthenticationManagerImpl uses these resolvers for two purposes.  First, it uses them to identify the Principal
            | attempting to authenticate to CAS /login .  In the default configuration, it is the DefaultCredentialsToPrincipalResolver
            | that fills this role.  If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace
            | DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are
            | using.
            |
            | Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket.
            | In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose.
            | You will need to change this list if you are identifying services by something more or other than their callback URL.
            +-->
        <property name="credentialsToPrincipalResolvers">
            <list>
                <!--
                    | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
                    | by default and produces SimplePrincipal instances conveying the username from the credentials.
                    |
                    | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
                    | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
                    | Credentials you are using.
                    +-->
                <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
                    <property name="attributeRepository">
                        <ref bean="attributeRepository" />
                    </property>
                </bean>
                <!--
                    | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials.  It supports the CAS 2.0 approach of
                    | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
                    | SimpleService identified by that callback URL.
                    |
                    | If you are representing services by something more or other than an HTTPS URL whereat they are able to
                    | receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
                    +-->
                <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
            </list>
        </property>
        <!--
            | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate,
            | AuthenticationHandlers actually authenticate credentials.  Here we declare the AuthenticationHandlers that
            | authenticate the Principals that the CredentialsToPrincipalResolvers identified.  CAS will try these handlers in turn
            | until it finds one that both supports the Credentials presented and succeeds in authenticating.
            +-->
        <property name="authenticationHandlers">
            <list>
                <!--
                    | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
                    | a server side SSL certificate.
                    +-->
                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
                      p:httpClient-ref="httpClient" />
                <!--
                    | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
                    | into production.  The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
                    | where the username equals the password.  You will need to replace this with an AuthenticationHandler that implements your
                    | local authentication strategy.  You might accomplish this by coding a new such handler and declaring
                    | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
                    +-->
                <!--
                <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
                -->

                <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
                    <property name="filter" value="sAMAccountName=%u" />
                    <property name="searchBase" value="DC=[DELETED],DC=[DELETED],DC=[DELETED]" />
                    <property name="contextSource" ref="contextSource" />
                    <property name="ignorePartialResultException" value="yes" />
                </bean>
            </list>
        </property>
    </bean>

    <!--
        This bean defines the security roles for the Services Management application.  Simple deployments can use the in-memory version.
        More robust deployments will want to use another option, such as the Jdbc version.

        The name of this should remain "userDetailsService" in order for Acegi to find it.

        To use this, you should add an entry similar to the following between the two value tags:
        battags=notused,ROLE_ADMIN

        where battags is the username you want to grant access to.  You can put one entry per line.
        -->
    <bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
        <property name="userMap">
            <value>
            </value>
        </property>
    </bean>

    <!--
        Bean that defines the attributes that a service may return.  This example uses the Stub/Mock version.  A real implementation
        may go against a database or LDAP server.  The id should remain "attributeRepository" though.
        -->
    <bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
        <property name="baseDN"
                  value="OU=[DELETED],OU=[DELETED],OU=[DELETED],DC=[DELETED],DC=[DELETED],DC=[DELETED]" />
        <property name="principalAttributeName" value="sAMAccountName" />

        <!-- This query is used to find the entry for populating attributes. {0} will be replaced by the new Principal ID
             extracted from the ldap -->
        <property name="query" value="(sAMAccountName={0})" />
        <property name="contextSource" ref="contextSource" />
    </bean>

    <!--
        Sample, in-memory data store for the ServiceRegistry. A real implementation
        would probably want to replace this with the JPA-backed ServiceRegistry DAO
        The name of this bean should remain "serviceRegistryDao".
        -->
    <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />
</beans>
-- 
++ Jonathan Hayward, [EMAIL PROTECTED]
** To see an award-winning website with stories, essays, artwork,
** games, and a four-dimensional maze, why not visit my home page?
** All of this is waiting for you at http://JonathansCorner.com
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
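As an added illustration (not part of the post above and not CAS's own code), here is a stdlib-only Python model of the two LDAP lookups the posted config performs: the BindLdapAuthenticationHandler search-then-bind, which substitutes the typed username for `%u` and searches under `searchBase`, and the LdapPersonAttributeDao query, which substitutes the resolved principal id for `{0}` under `baseDN`. The directory entries, DNs and passwords are constructed, and the RFC 4515 escaping step is added here as a defensive assumption, not a statement about what the CAS handler of that era did; it shows why a `uid=%u` filter finds nothing when `uid` is unpopulated while `sAMAccountName=%u` resolves the DN.

```python
from typing import Dict, List, Optional

# Constructed directory standing in for the AD server: entries carry
# sAMAccountName but no uid, as in the post. userPassword is only here so
# the mock "bind" has something to check against.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "CN=Jane Doe,OU=Accounts,OU=Staff,DC=example,DC=edu": {
        "sAMAccountName": "jdoe", "mail": "jdoe@example.edu", "userPassword": "s3cret"},
    "CN=CAS Service,OU=Service,DC=example,DC=edu": {
        "sAMAccountName": "svc-cas", "userPassword": "bindpw"},
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of the user-typed name before it is placed in a filter.
    Assumption: added defensively in this model; not a claim about CAS itself."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def render_filter(template: str, placeholder: str, username: str) -> str:
    """BindLdapAuthenticationHandler substitutes %u; LdapPersonAttributeDao substitutes {0}."""
    return template.replace(placeholder, escape_filter_value(username))

def search(search_base: str, ldap_filter: str) -> List[str]:
    """Subtree search for one equality filter such as (sAMAccountName=jdoe)."""
    attr, _, value = ldap_filter.strip("()").partition("=")
    return [dn for dn, entry in DIRECTORY.items()
            if dn.lower().endswith(search_base.lower()) and entry.get(attr) == value]

def bind_authenticate(filter_template: str, search_base: str,
                      username: str, password: str) -> Optional[str]:
    """Search-then-bind as the posted handler does: resolve the DN under
    searchBase with the filter, then bind as that DN. Returns the DN on success."""
    dns = search(search_base, render_filter(filter_template, "%u", username))
    if len(dns) != 1:  # nothing matched (e.g. uid is empty) or the match is ambiguous
        return None
    return dns[0] if DIRECTORY[dns[0]].get("userPassword") == password else None

def resolve_attributes(query: str, base_dn: str, principal_id: str) -> Dict[str, str]:
    """LdapPersonAttributeDao step: re-find the principal under baseDN and return its attributes."""
    dns = search(base_dn, render_filter(query, "{0}", principal_id))
    if not dns:
        return {}
    return {k: v for k, v in DIRECTORY[dns[0]].items() if k != "userPassword"}
```

Note that the attribute repository searches under its own `baseDN`, which in the posted config is narrower than the handler's `searchBase`; a principal that authenticates but sits outside that subtree will come back with no attributes.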
