Here is a sample of what I do for authN with CAS and authZ with LDAP:

<Location /usage>
    # mod_auth_cas handles authentication and sets the remote user
    AuthType Cas
    AuthName "TMSP auth"
    # mod_authnz_ldap only does the authorization lookup here
    AuthLDAPUrl "ldap://ldapserver.int-evry.fr/dc=int,dc=fr"
#   Require ldap-group cn=securityclearance,ou=Group,dc=example,dc=com
    Require ldap-attribute eduPersonAffiliation=employee
</Location>


Chris wrote:
> Hi all,
>
> I have some trouble with a CAS + LDAP config. Here is some info on my 
> config (2 servers, one dedicated to CAS + 1 web server hosting websites):
>
> - CAS Server configuration:
>       - CentOS 5
>       - apache-tomcat-5.5.25
>       - cas-server-3.1.1
>       - httpd 2.2.3-11.el5.centos (reverse proxy httpd -> tomcat)
>       - CAS configuration: 3 LDAP authenticationHandlers using 3 MS Active 
> Directories (Europe, America, Asia)
>
> - Web server configuration (hosting websites):
>       - CentOS 5
>       - httpd 2.2.3-11.el5_1.centos.3
>       - mod_authz_ldap-0.26-8.el5
>       - mod_auth_cas-1.0.7 (manually added thru /etc/httpd/conf.d/cas.conf 
> config file with:
>  >>>
> LoadModule auth_cas_module modules/mod_auth_cas.so
> <IfModule mod_auth_cas.c>
>            CASDebug On
>            CASCookiePath /tmp/
>            CASLoginURL https://cas-rd.company.com/cas/
>            CASValidateURL https://cas-rd.company.com/cas/serviceValidate
>            CASCertificatePath /etc/pki/tls/certs/casserver.crt
>            CASValidateServer on
> </IfModule>
> <<<
>
> Some tests (.htaccess):
>
> - mod_auth_cas alone:
>       AuthType CAS
>       AuthName "CAS"
>       require valid-user
>
>    This works well. I can login thru CAS.
>
> - mod_authz_ldap alone:
>       AuthName "TestProtLDAPz AD"
>       AuthType Basic
>       AuthzLDAPMethod ldap
>       AuthzLDAPServer adserver.eu.company.com:389
>       AuthzLDAPBindDN [EMAIL PROTECTED]
>       AuthzLDAPBindPassword ********
>       AuthzLDAPSetGroupAuth ldapdn
>       AuthzLDAPUserKey samaccountname
>       AuthzLDAPUserBase "OU=Subsidiaries,DC=eu,DC=company,DC=com"
>       AuthzLDAPUserScope subtree
>       require group 
> "CN=DL_RD.Soft.France.Employee,OU=Subsidiaries,DC=eu,DC=company,DC=com"
>
>    This works well. I can login thru LDAP.
>
> - mod_auth_cas (authentication) + mod_authz_ldap (authorization)
>       AuthType CAS
>       AuthName "CAS Authentication AD"
>       AuthzLDAPMethod ldap
>       AuthzLDAPServer adserver.eu.company.com:389
>       AuthzLDAPBindDN [EMAIL PROTECTED]
>       AuthzLDAPBindPassword ********
>       AuthzLDAPUserKey samaccountname
>       AuthzLDAPUserBase "OU=Subsidiaries,DC=eu,DC=company,DC=com"
>       AuthzLDAPUserScope subtree
>       AuthzLDAPSetGroupAuth ldapdn
>       require group 
> "CN=DL_RD.Soft.France.Employee,OU=Subsidiaries,DC=eu,DC=company,DC=com"
>
>    When I try to access the website http://www.company.com/toto.txt, I 
> am first redirected to CAS where I login (no error), then back to the 
> website with:
>
> "Forbidden
> You don't have permission to access /toto.txt on this server."
>
> CAS log shows:
> "2008-06-02 16:48:06,505 INFO 
> [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service 
> ticket [ST-23-eKtUCGXPZPsA7EV6aTHW] for service 
> [http://www.company.com/toto.txt] for user [chris]"
>
> Apache log shows:
> "[Mon Jun 02 16:16:40 2008] [error] [client 172.16.48.21] [27479] no 
> password?"
>
>
> Has anyone had similar behavior? Any idea why this does not work?
>
> Best,
>
> Chris
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
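An added example, not the replier's or Chris's own config, of the same approach applied to the Active Directory setup from Chris's message: mod_auth_cas authenticates and mod_authnz_ldap (Apache 2.2 directives, as in the thread) does the group check with its own service account, so the web server never needs the user's password. The LDAP host, search base, user attribute and group DN are taken from the quoted message; the bind DN and password are placeholders.

```apache
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

<Location /protected>
    # Authentication: mod_auth_cas validates the service ticket and
    # sets the remote user to the CAS principal (here the sAMAccountName).
    AuthType CAS
    AuthName "CAS Authentication AD"

    # Authorization: mod_authnz_ldap searches for the user's DN with the
    # service account below, then compares the group's "member" values.
    # User attribute, base and scope mirror the mod_authz_ldap test.
    AuthLDAPUrl "ldap://adserver.eu.company.com:389/OU=Subsidiaries,DC=eu,DC=company,DC=com?sAMAccountName?sub?(objectClass=user)"

    # Placeholder service account; AD does not allow anonymous searches.
    # Keep this file readable by root only, the password is in clear text.
    AuthLDAPBindDN       "CN=svc-apache-ldap,OU=ServiceAccounts,DC=eu,DC=company,DC=com"
    AuthLDAPBindPassword "CHANGE_ME"

    # AD stores group membership as full DNs in the group's member attribute
    AuthLDAPGroupAttribute     member
    AuthLDAPGroupAttributeIsDN on

    # Let this module alone decide; no fallthrough to other authz modules
    AuthzLDAPAuthoritative on

    Require ldap-group CN=DL_RD.Soft.France.Employee,OU=Subsidiaries,DC=eu,DC=company,DC=com
</Location>
```

With LogLevel debug the Apache error log shows the user-DN search and the ldap-group comparison, which is the place to look if the request still returns Forbidden.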