Re: CAS and LDAP

Thu, 29 Jan 2009 14:23:31 -0800 

Are you using OpenLDAP or Active Directory?
And, roles would not be CAS related so explain what you're trying to do a little more. 

David

Sent from my iPhone

On Jan 29, 2009, at 5:04 PM, inas inassen <[email protected]> wrote:


Hi all,


I was able to login in using CAS and LDAP authentication  
(BindLdapAuthenticationHandler) but I experience problems retrieving  
a user roles's, so is there any documentation regarding this issue.


thanks a lot.

Inas



From: [email protected]
To: [email protected]
Subject: RE: CAS and LDAP and JAAS
Date: Fri, 16 Jan 2009 20:37:24 +0000

Thanks Matt,


Now is more clear, so I agree with you that CAS LDAP support is  
better but my concern is that I want to keep my applications compliant
after switching from TOMCAT JNDIReal and SSO Valve  to CAS server,  
then how can i make the expected roles available to my application
in order to use the isInRole(string) method from the  
HttpServletRequest object?


Thanks

Inas

> Date: Thu, 15 Jan 2009 17:54:39 -0500
> From: [email protected]
> To: [email protected]
> Subject: Re: CAS and LDAP and JAAS
>
> The CAS LDAP support should be drastically better than the
> JAASAuthenticationHandler using that specific LDAP JAAS module. I
> wrote the JAASAuthenticationHandler and
> edu.uconn.netid.jaas.LDAPLoginModule as a quick hack job due to some
> historical Kerberos/LDAP/ActiveDirectory needs. Scott cleaned up the
> JAASAuthenticationHandler to make it CAS-worthy, but the JAAS

> LDAPLoginModule has suffered from severe bit-rot and should be  
purged

> from this plane of existence.
>
> I'd recommend either using the stock CAS LDAP support, or the more

> popular (at least in the Shib community) Virginia Tech  
LDAPLoginModule

> 
http://www.middleware.vt.edu/doku.php?id=middleware:opensource:ldap#jaas_support
> .
>
> -Matt
>
>

> On Thu, Jan 15, 2009 at 5:13 PM, inas inassen  
<[email protected]> wrote:

> > Thanks Andrew
> >

> > Yes, all my applications are role based autorization using JAAS  
framework

> > inside strust, tiles and taglibs.
> >

> > So my need is that I want to have a CAS server running let say  
in W1 server

> > site that authenticate against an ldap

> > Using a CAS client, my others applications that are running in  
W2, W3 and
> > so one will authenticate against a CAS Server in W1 and I need a  
JAAS
> > subject to keep my application's security (autorization and  
authentication)

> > working.
> >
> > thanks again
> >
> > Inas.
> >
> >
> > ________________________________
> > Date: Thu, 15 Jan 2009 15:01:37 -0600
> > Subject: Re: CAS and LDAP and JAAS
> > From: [email protected]
> > To: [email protected]
> >
> > Inas,
> >

> > Is there any reason you are going through JAAS for LDAP  
authentication

> > instead of using the LDAP authentication handler?
> >
> > LDAP wiki entry: http://www.ja-sig.org/wiki/display/CASUM/LDAP
> > JAAS wiki entry: http://www.ja-sig.org/wiki/display/CASUM/JAAS
> >
> > HTH,
> > A-
> >
> > On 1/15/09 2:51 PM, "inas inassen" <[email protected]> wrote:
> >
> >
> >
> > Hi all,
> >
> > I'm trying to configure CAS to authenticate against an LDAP and my

> > applications are using JAAS as an Authentication and  
Autorization framework.

> >
> > Everything work fine using Tomcat JNDIRealm
> >
> > My Tomcat JNDIRealm
> >
> >
> > <Realm className="org.apache.catalina.realm.JNDIRealm"
> > connectionURL="ldap://ladpsrv:389/ou=ait,o=b2b,dc=net";
> > userPattern="uid={0},ou=people,ou=ait,o=b2b,dc=net"
> > roleBase="ou=roles,ou=ait,o=b2b,dc=net"
> > roleName="cn"
> > roleSearch="(uniqueMember={0})" />
> >
> >
> > this is my jaas.conf file (configured in
> > -Djava.security.auth.login.config=jaas.conf)
> >
> >
> > CAS {
> > edu.uconn.netid.jaas.LDAPLoginModule sufficient
> > java.naming.provider.url="ldap://ladpsrv:389/ou=ait,o=b2b,dc=net";
> > java.naming.security.principal="cn=Manager,ou=ait,o=b2b,dc=net"
> > java.naming.security.credentials="secret"
> > Attribute="uid"
> > startTLS="true";
> > };
> >
> >
> > and this is my delpoyConfigContext file
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <beans xmlns="http://www.springframework.org/schema/beans";
> > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
> > xmlns:p="http://www.springframework.org/schema/p";
> > xsi:schemaLocation="http://www.springframework.org/schema/beans
> > http://www.springframework.org/schema/beans/spring-beans-2.0.xsd";>
> > <bean id="authenticationManager"
> > class="org.jasig.cas.authentication.AuthenticationManagerImpl">
> > <property name="credentialsToPrincipalResolvers">
> > <list>
> > <bean

> >  
class= 
"org. 
jasig. 
cas. 
authentication. 
principal.UsernamePasswordCredentialsToPrincipalResolver"

> > />
> > <bean

> >  
class= 
"org. 
jasig. 
cas. 
authentication. 
principal.HttpBasedServiceCredentialsToPrincipalResolver"

> > />
> > </list>
> > </property>
> > <property name="authenticationHandlers">
> > <list>
> > <bean

> >  
class= 
"org. 
jasig. 
cas. 
authentication. 
handler.support.HttpBasedServiceCredentialsAuthenticationHandler"

> > p:httpClient-ref="httpClient" />
> > <bean

> >  
class= 
"org. 
jasig.cas.authentication.handler.support.JaasAuthenticationHandler"

> > />

> > <bean  
class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">

> > <property name="filter" value="uid=%u" />

> > <property name="searchBase"  
value="ou=people,ou=ait,o=b2b,dc=net" />

> > <property name="contextSource" ref="contextSource" />
> > </bean>
> > </list>
> > </property>
> > </bean>
> >
> > <bean id="userDetailsService"

> >  
class= 
"org.springframework.security.userdetails.memory.InMemoryDaoImpl">

> > <property name="userMap">
> > <value></value>
> > </property>
> > </bean>
> >
> > <bean id="attributeRepository"

> >  
class="org.jasig.services.persondir.support.StubPersonAttributeDao">

> > <property name="backingMap">
> > <map>
> > <entry key="uid" value="uid" />
> > <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
> > <entry key="groupMembership" value="groupMembership" />
> > </map>
> > </property>
> > </bean>
> >
> > <bean id="serviceRegistryDao"
> > class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />
> >
> > <!-- LDAP context -->
> > <bean id="contextSource"

> >  
class= 
"org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">

> > <property name="pooled" value="true"/>
> > <property name="urls">
> > <list>
> > <value>ldap://ladpsrv:389/ou=ait,o=b2b,dc=net</value>
> > </list>
> > </property>
> > <property name="userName" value="cn=Manager,ou=ait,o=b2b,dc=net"/>
> > <property name="password" value="secret"/>
> > <property name="baseEnvironmentProperties">
> > <map>
> > <entry>
> > <key>
> > <value>java.naming.security.authentication</value>
> > </key>
> > <value>simple</value>
> > </entry>
> >
> > <entry>
> > <key>
> > <value>ldap.initial.context.factory</value>
> > </key>
> > <value>com.sun.jndi.ldap.LdapCtxFactory</value>
> > </entry>
> > </map>
> > </property>
> > </bean>
> >
> > </beans>
> >
> >
> > my ldap schema is
> >
> > ou=ait,o=b2b,dc=net
> > ou=people
> > uid=user1
> > uid=user2
> > ou=roles
> > cn=role1
> > uniqueMember: uid=user1,ou=people,ou=ait,o=b2b,dc=net
> > cn=role2
> > uniqueMember: uid=user2,ou=people,ou=ait,o=b2b,dc=net
> >
> >
> >
> > when I try to login I get a bad credential
> >
> > any help please?
> >
> > thanks a lot.
> >
> > Mezghena.
> >
> >
> > ________________________________

> > Découvrez toutes les possibilités de communication avec vos proc 
hes

> > <http://www.microsoft.com/windows/windowslive/default.aspx>
> >
> > ________________________________
> > Découvrez tout ce que Windows Live a à vous apporter !
> > <http://www.microsoft.com/windows/windowslive/>
> > ________________________________
> > _______________________________________________
> > Yale CAS mailing list
> > [email protected]
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
> > --
> > Andrew Feller, Analyst
> > LSU University Information Services
> > 200 Frey Computing Services Center
> > Baton Rouge, LA 70803
> > Office: 225.578.3737
> > Fax: 225.578.6400
> >
> > ________________________________

> > Découvrez toutes les possibilités de communication avec vos proc 
hes

> > _______________________________________________
> > Yale CAS mailing list
> > [email protected]
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
> >
>
>
>
> --
> [email protected]
> Key ID:D6EEC5B5
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas





Vous voulez savoir ce que vous pouvez faire avec le nouveau Windows  
Live ? Lancez-vous !


Découvrez toutes les possibilités de communication avec vos proches
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas






















					Reply via email to