Hi all,

I have some trouble with a CAS + LDAP config. Here is some info on my 
config (2 servers, one dedicated for CAS + 1 web server hosting websites):

- CAS Server configuration:
        - CentOS 5
        - apache-tomcat-5.5.25
        - cas-server-3.1.1
        - httpd 2.2.3-11.el5.centos (reverse proxy httpd -> tomcat)
        - CAS configuration: 3 LDAP authenticationHandlers using 3 MS Active Directories (Europe, America, Asia)

- Web server configuration (hosting websites):
        - CentOS 5
        - httpd 2.2.3-11.el5_1.centos.3
        - mod_authz_ldap-0.26-8.el5
        - mod_auth_cas-1.0.7 (manually added through the /etc/httpd/conf.d/cas.conf 
config file with:
 >>>
LoadModule auth_cas_module modules/mod_auth_cas.so
<IfModule mod_auth_cas.c>
           CASDebug On
           CASCookiePath /tmp/
           CASLoginURL https://cas-rd.company.com/cas/
           CASValidateURL https://cas-rd.company.com/cas/serviceValidate
           CASCertificatePath /etc/pki/tls/certs/casserver.crt
           CASValidateServer on
</IfModule>
<<<

Some tests (.htaccess):

- mod_auth_cas alone:
        AuthType CAS
        AuthName "CAS"
        require valid-user

   This works well. I can log in through CAS.

- mod_authz_ldap alone:
        AuthName "TestProtLDAPz AD"
        AuthType Basic
        AuthzLDAPMethod ldap
        AuthzLDAPServer adserver.eu.company.com:389
        AuthzLDAPBindDN [EMAIL PROTECTED]
        AuthzLDAPBindPassword ********
        AuthzLDAPSetGroupAuth ldapdn
        AuthzLDAPUserKey samaccountname
        AuthzLDAPUserBase "OU=Subsidiaries,DC=eu,DC=company,DC=com"
        AuthzLDAPUserScope subtree
        require group "CN=DL_RD.Soft.France.Employee,OU=Subsidiaries,DC=eu,DC=company,DC=com"

   This works well. I can log in through LDAP.

- mod_auth_cas (authentication) + mod_authz_ldap (authorization)
        AuthType CAS
        AuthName "CAS Authentication AD"
        AuthzLDAPMethod ldap
        AuthzLDAPServer adserver.eu.company.com:389
        AuthzLDAPBindDN [EMAIL PROTECTED]
        AuthzLDAPBindPassword ********
        AuthzLDAPUserKey samaccountname
        AuthzLDAPUserBase "OU=Subsidiaries,DC=eu,DC=company,DC=com"
        AuthzLDAPUserScope subtree
        AuthzLDAPSetGroupAuth ldapdn
        require group "CN=DL_RD.Soft.France.Employee,OU=Subsidiaries,DC=eu,DC=company,DC=com"

   When I try to access the website http://www.company.com/toto.txt, I 
am first redirected to CAS where I log in (no error), then back to the 
website with:

"Forbidden
You don't have permission to access /toto.txt on this server."

CAS log shows:
"2008-06-02 16:48:06,505 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-23-eKtUCGXPZPsA7EV6aTHW] for service [http://www.company.com/toto.txt] for user [chris]"

Apache log shows:
"[Mon Jun 02 16:16:40 2008] [error] [client 172.16.48.21] [27479] no password?"


Has anyone had similar behavior? Any idea why this does not work?

Best,

Chris

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
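The third .htaccess block above splits the access decision in two: mod_auth_cas establishes who the user is from the CAS ticket, and mod_authz_ldap is then expected to look that login name up by sAMAccountName under the configured base and check membership of the `require group` DN. The following is an added example that is not part of the original post or of either Apache module; it models that second, authorization-only step in Python so the decision logic can be inspected offline. The directory entries, the extra "alice" and US-subtree users, and the htaccess fragment are constructed for the example; only the base DN, user key and group DN are taken from the post. The check runs entirely on the directory lookup (the part the service bind DN/password in the config is for), so no user password enters the decision.

```python
"""Added example: CAS-supplied username -> LDAP-style group authorization.

Constructed in-memory stand-in for the Active Directory subtree; nothing here
talks to a real LDAP server or to mod_auth_cas / mod_authz_ldap.
"""
import shlex
from typing import Dict, List, Optional, Tuple

# Values from the post's .htaccess block.
BASE_DN = "OU=Subsidiaries,DC=eu,DC=company,DC=com"
USER_KEY = "sAMAccountName"
GROUP_DN = "CN=DL_RD.Soft.France.Employee,OU=Subsidiaries,DC=eu,DC=company,DC=com"

# Constructed directory entries: DN -> attributes (only what the check needs).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=chris,OU=France,OU=Subsidiaries,DC=eu,DC=company,DC=com": {
        "sAMAccountName": ["chris"],
        "memberOf": [GROUP_DN],
    },
    "CN=alice,OU=Germany,OU=Subsidiaries,DC=eu,DC=company,DC=com": {
        "sAMAccountName": ["alice"],
        "memberOf": ["CN=DL_RD.Soft.Germany.Employee,OU=Subsidiaries,DC=eu,DC=company,DC=com"],
    },
    # Same login name but outside the configured search base: must never match.
    "CN=chris,OU=Staff,DC=us,DC=company,DC=com": {
        "sAMAccountName": ["chris"],
        "memberOf": [GROUP_DN],
    },
}

# Constructed htaccess fragment mirroring the post's third block (bind DN is a placeholder).
HTACCESS = """
AuthType CAS
AuthName "CAS Authentication AD"
AuthzLDAPMethod ldap
AuthzLDAPBindDN "CN=svc-placeholder,OU=Service,DC=eu,DC=company,DC=com"
AuthzLDAPUserKey samaccountname
AuthzLDAPUserBase "OU=Subsidiaries,DC=eu,DC=company,DC=com"
AuthzLDAPUserScope subtree
AuthzLDAPSetGroupAuth ldapdn
require group "CN=DL_RD.Soft.France.Employee,OU=Subsidiaries,DC=eu,DC=company,DC=com"
"""


def normalize_dn(dn: str) -> str:
    """Case-insensitive, whitespace-tolerant DN form used for every comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_subtree(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is the base itself or lies anywhere beneath it (scope subtree)."""
    e, b = normalize_dn(entry_dn), normalize_dn(base_dn)
    return e == b or e.endswith("," + b)


def find_user_dn(directory: Dict[str, Dict[str, List[str]]], base_dn: str,
                 user_key: str, value: str) -> Optional[str]:
    """Subtree search for user_key=value under base_dn.

    Returns the matching DN, None when nothing matches, and raises ValueError
    when the key is not unique under the base (a sign the base is too wide).
    """
    matches = [dn for dn, attrs in directory.items()
               if in_subtree(dn, base_dn)
               and value.lower() in (v.lower() for v in attrs.get(user_key, []))]
    if len(matches) > 1:
        raise ValueError(f"{user_key}={value} is ambiguous under {base_dn}: {matches}")
    return matches[0] if matches else None


def is_member(directory: Dict[str, Dict[str, List[str]]], user_dn: str, group_dn: str) -> bool:
    """Group check by DN against the user's memberOf values."""
    groups = directory[user_dn].get("memberOf", [])
    return normalize_dn(group_dn) in {normalize_dn(g) for g in groups}


def required_groups(htaccess: str) -> List[str]:
    """Collect the group DNs named by `require group "..."` lines."""
    found: List[str] = []
    for line in htaccess.splitlines():
        tokens = shlex.split(line, comments=True)
        if len(tokens) >= 3 and tokens[0].lower() == "require" and tokens[1].lower() == "group":
            found.extend(tokens[2:])
    return found


def authorize(username: str, groups: List[str],
              directory: Dict[str, Dict[str, List[str]]] = DIRECTORY,
              base_dn: str = BASE_DN, user_key: str = USER_KEY) -> Tuple[bool, str]:
    """Access decision for a username already authenticated elsewhere (by CAS here).

    Only the directory lookup is involved; the user's password is never needed.
    """
    user_dn = find_user_dn(directory, base_dn, user_key, username)
    if user_dn is None:
        return False, f"{user_key}={username} not found under {base_dn}"
    for group in groups:
        if is_member(directory, user_dn, group):
            return True, f"{user_dn} is a member of {group}"
    return False, f"{user_dn} is in none of the required groups"


if __name__ == "__main__":
    wanted = required_groups(HTACCESS)
    for name in ("chris", "alice", "nobody"):
        allowed, reason = authorize(name, wanted)
        print(f"{name}: {'allow' if allowed else 'deny'} ({reason})")
```

The ambiguity check in `find_user_dn` is deliberate: if the search base were widened to the whole forest, the two "chris" accounts would collide, and the function refuses rather than silently picking one.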
