Thanks Shi.
 
I agree with you, this issue is related to authorization, and my LDAP is 
already set up and works fine with Tomcat's JNDIRealm.
 
So what I want is to reproduce exactly with CAS what JNDIRealm does.
 
In my CAS server I used the following objects:
 
<bean id="authenticationManager"
      class="org.jasig.cas.authentication.AuthenticationManagerImpl">
  <property name="credentialsToPrincipalResolvers">
    <list>
      <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
        <property name="credentialsToPrincipalResolver">
          <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
        </property>
        <property name="filter" value="(uid=%u)" />
        <property name="principalAttributeName" value="uid" />
        <property name="searchBase" value="ou=people,ou=org1,o=org2,dc=ca" />
        <property name="contextSource" ref="contextSource" />
        <property name="attributeRepository" ref="attributeRepository" />
      </bean>
    </list>
  </property>
  <property name="authenticationHandlers">
    <list>
      <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
        <property name="filter" value="uid=%u" />
        <property name="searchBase" value="ou=people,ou=org1,o=org2,dc=ca" />
        <property name="contextSource" ref="contextSource" />
      </bean>
    </list>
  </property>
</bean>

<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=roles,ou=org1,o=org2,dc=ca" />
  <property name="query" value="(uniqueMember={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <entry key="cn" value="Role"/>
    </map>
  </property>
</bean>
 
And when using JNDIRealm, I have:

<Realm className="org.apache.catalina.realm.JNDIRealm"
       userPattern="uid={0},ou=people,ou=org1,o=org2,dc=ca"
       roleBase="ou=roles,ou=org1,o=org2,dc=ca"
       roleName="cn"
       roleSearch="(uniqueMember={0})" />
 
So, in other words, what is the equivalent of this JNDIRealm configuration in 
the CAS LDAP configuration?
 
Regards,
 
Inas.
 
> Subject: RE: CAS and LDAP
> From: [email protected]
> To: [email protected]
> Date: Sat, 31 Jan 2009 17:40:56 +0800
>
> > Basically, when I'm authenticated in CAS server, I want to have a way
> > to retrieve a list of roles to make them available to the
> > request.isUserInRole("role") method.
>
> Your requirement belongs to authorization, not authentication, so I think
> it's beyond CAS.
>
> Anyway, you have to choose member and/or alias to represent your
> user-role relationship in LDAP. After successfully authenticating in CAS
> server, search the user in members or aliases to get the relationship,
> and then set them to the role attribute of the request.
>
> How would you refresh the role relationship when it changes if you set
> it in request?
>
> Regards,
>
> Shi Yusen/Beijing Langhua Ltd.
>
> > regards
> >
> > Inas.
> >
> > ______________________________________________________________________
> > From: [email protected]
> > To: [email protected]
> > Subject: Re: CAS and LDAP
> > Date: Thu, 29 Jan 2009 17:14:14 -0500
> >
> > Are you using OpenLDAP or Active Directory?
> >
> > And, roles would not be CAS related so explain what you're trying to
> > do a little more.
> >
> > David
> >
> > Sent from my iPhone
> >
> > On Jan 29, 2009, at 5:04 PM, inas inassen <[email protected]> wrote:
> >
> > Hi all,
> >
> > I was able to log in using CAS and LDAP authentication
> > (BindLdapAuthenticationHandler) but I experience problems retrieving a
> > user's roles, so is there any documentation regarding this issue?
> >
> > thanks a lot.
> >
> > Inas
> >
> > ______________________________________________________________
> > From: [email protected]
> > To: [email protected]
> > Subject: RE: CAS and LDAP and JAAS
> > Date: Fri, 16 Jan 2009 20:37:24 +0000
> >
> > Thanks Matt,
> >
> > Now it is more clear, so I agree with you that CAS LDAP support is
> > better, but my concern is that I want to keep my applications compliant
> > after switching from Tomcat JNDIRealm and SSO Valve to CAS server; then
> > how can I make the expected roles available to my application in order
> > to use the isInRole(string) method from the HttpServletRequest object?
> >
> > Thanks
> >
> > Inas
> >
> > > Date: Thu, 15 Jan 2009 17:54:39 -0500
> > > From: [email protected]
> > > To: [email protected]
> > > Subject: Re: CAS and LDAP and JAAS
> > >
> > > The CAS LDAP support should be drastically better than the
> > > JAASAuthenticationHandler using that specific LDAP JAAS module. I
> > > wrote the JAASAuthenticationHandler and
> > > edu.uconn.netid.jaas.LDAPLoginModule as a quick hack job due to some
> > > historical Kerberos/LDAP/ActiveDirectory needs. Scott cleaned up the
> > > JAASAuthenticationHandler to make it CAS-worthy, but the JAAS
> > > LDAPLoginModule has suffered from severe bit-rot and should be purged
> > > from this plane of existence.
> > >
> > > I'd recommend either using the stock CAS LDAP support, or the more
> > > popular (at least in the Shib community) Virginia Tech LDAPLoginModule
> > > <http://www.middleware.vt.edu/doku.php?id=middleware:opensource:ldap#jaas_support>.
> > >
> > > -Matt
> > >
> > > On Thu, Jan 15, 2009 at 5:13 PM, inas inassen <[email protected]> wrote:
> > > > Thanks Andrew
> > > >
> > > > Yes, all my applications are role-based authorization using JAAS
> > > > framework inside Struts, Tiles and taglibs.
> > > >
> > > > So my need is that I want to have a CAS server running, let's say in
> > > > W1 server site, that authenticates against an LDAP. Using a CAS
> > > > client, my other applications that are running in W2, W3 and so on
> > > > will authenticate against a CAS server in W1, and I need a JAAS
> > > > subject to keep my application's security (authorization and
> > > > authentication) working.
> > > >
> > > > thanks again
> > > >
> > > > Inas.
> > > >
> > > > ________________________________
> > > > Date: Thu, 15 Jan 2009 15:01:37 -0600
> > > > Subject: Re: CAS and LDAP and JAAS
> > > > From: [email protected]
> > > > To: [email protected]
> > > >
> > > > Inas,
> > > >
> > > > Is there any reason you are going through JAAS for LDAP authentication
> > > > instead of using the LDAP authentication handler?
> > > >
> > > > LDAP wiki entry: http://www.ja-sig.org/wiki/display/CASUM/LDAP
> > > > JAAS wiki entry: http://www.ja-sig.org/wiki/display/CASUM/JAAS
> > > >
> > > > HTH,
> > > > A-
> > > >
> > > > On 1/15/09 2:51 PM, "inas inassen" <[email protected]> wrote:
> > > >
> > > > Hi all,
> > > >
> > > > I'm trying to configure CAS to authenticate against an LDAP, and my
> > > > applications are using JAAS as an authentication and authorization
> > > > framework.
> > > >
> > > > Everything works fine using Tomcat JNDIRealm.
> > > >
> > > > My Tomcat JNDIRealm:
> > > >
> > > > <Realm className="org.apache.catalina.realm.JNDIRealm"
> > > >        connectionURL="ldap://ladpsrv:389/ou=ait,o=b2b,dc=net"
> > > >        userPattern="uid={0},ou=people,ou=ait,o=b2b,dc=net"
> > > >        roleBase="ou=roles,ou=ait,o=b2b,dc=net"
> > > >        roleName="cn"
> > > >        roleSearch="(uniqueMember={0})" />
> > > >
> > > > this is my jaas.conf file (configured in
> > > > -Djava.security.auth.login.config=jaas.conf):
> > > >
> > > > CAS {
> > > >   edu.uconn.netid.jaas.LDAPLoginModule sufficient
> > > >     java.naming.provider.url="ldap://ladpsrv:389/ou=ait,o=b2b,dc=net"
> > > >     java.naming.security.principal="cn=Manager,ou=ait,o=b2b,dc=net"
> > > >     java.naming.security.credentials="secret"
> > > >     Attribute="uid"
> > > >     startTLS="true";
> > > > };
> > > >
> > > > and this is my deployerConfigContext file:
> > > >
> > > > <?xml version="1.0" encoding="UTF-8"?>
> > > > <beans xmlns="http://www.springframework.org/schema/beans"
> > > >        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > > >        xmlns:p="http://www.springframework.org/schema/p"
> > > >        xsi:schemaLocation="http://www.springframework.org/schema/beans
> > > >                            http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
> > > >
> > > >   <bean id="authenticationManager"
> > > >         class="org.jasig.cas.authentication.AuthenticationManagerImpl">
> > > >     <property name="credentialsToPrincipalResolvers">
> > > >       <list>
> > > >         <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
> > > >         <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
> > > >       </list>
> > > >     </property>
> > > >     <property name="authenticationHandlers">
> > > >       <list>
> > > >         <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
> > > >               p:httpClient-ref="httpClient" />
> > > >         <bean class="org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler" />
> > > >         <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
> > > >           <property name="filter" value="uid=%u" />
> > > >           <property name="searchBase" value="ou=people,ou=ait,o=b2b,dc=net" />
> > > >           <property name="contextSource" ref="contextSource" />
> > > >         </bean>
> > > >       </list>
> > > >     </property>
> > > >   </bean>
> > > >
> > > >   <bean id="userDetailsService"
> > > >         class="org.springframework.security.userdetails.memory.InMemoryDaoImpl">
> > > >     <property name="userMap">
> > > >       <value></value>
> > > >     </property>
> > > >   </bean>
> > > >
> > > >   <bean id="attributeRepository"
> > > >         class="org.jasig.services.persondir.support.StubPersonAttributeDao">
> > > >     <property name="backingMap">
> > > >       <map>
> > > >         <entry key="uid" value="uid" />
> > > >         <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
> > > >         <entry key="groupMembership" value="groupMembership" />
> > > >       </map>
> > > >     </property>
> > > >   </bean>
> > > >
> > > >   <bean id="serviceRegistryDao"
> > > >         class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />
> > > >
> > > >   <!-- LDAP context -->
> > > >   <bean id="contextSource"
> > > >         class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
> > > >     <property name="pooled" value="true"/>
> > > >     <property name="urls">
> > > >       <list>
> > > >         <value>ldap://ladpsrv:389/ou=ait,o=b2b,dc=net</value>
> > > >       </list>
> > > >     </property>
> > > >     <property name="userName" value="cn=Manager,ou=ait,o=b2b,dc=net"/>
> > > >     <property name="password" value="secret"/>
> > > >     <property name="baseEnvironmentProperties">
> > > >       <map>
> > > >         <entry>
> > > >           <key>
> > > >             <value>java.naming.security.authentication</value>
> > > >           </key>
> > > >           <value>simple</value>
> > > >         </entry>
> > > >         <entry>
> > > >           <key>
> > > >             <value>ldap.initial.context.factory</value>
> > > >           </key>
> > > >           <value>com.sun.jndi.ldap.LdapCtxFactory</value>
> > > >         </entry>
> > > >       </map>
> > > >     </property>
> > > >   </bean>
> > > >
> > > > </beans>
> > > >
> > > > my ldap schema is:
> > > >
> > > > ou=ait,o=b2b,dc=net
> > > >   ou=people
> > > >     uid=user1
> > > >     uid=user2
> > > >   ou=roles
> > > >     cn=role1
> > > >       uniqueMember: uid=user1,ou=people,ou=ait,o=b2b,dc=net
> > > >     cn=role2
> > > >       uniqueMember: uid=user2,ou=people,ou=ait,o=b2b,dc=net
> > > >
> > > > when I try to login I get a bad credential.
> > > >
> > > > any help please?
> > > >
> > > > thanks a lot.
> > > >
> > > > Mezghena.
> > > >
> > > > _______________________________________________
> > > > Yale CAS mailing list
> > > > [email protected]
> > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > >
> > > > --
> > > > Andrew Feller, Analyst
> > > > LSU University Information Services
> > > > 200 Frey Computing Services Center
> > > > Baton Rouge, LA 70803
> > > > Office: 225.578.3737
> > > > Fax: 225.578.6400
> > >
> > > --
> > > [email protected]
> > > Key ID:D6EEC5B5
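The JNDIRealm settings in the message above describe two lookups: userPattern turns the login name into the user's DN, and roleSearch substitutes that DN into (uniqueMember={0}) under roleBase, returning each matching entry's roleName (cn). The Python below is an added example, not code from the thread, Tomcat or CAS: it replays those two lookups offline against a constructed in-memory copy of the directory layout from the thread (with user1 also placed in role2 so one user can hold two roles), applying RFC 4514 escaping where the login name is placed into a DN and RFC 4515 escaping where the DN is placed into a filter. The function names and DIRECTORY contents are the example's own. The last function is a labelled assumption for contrast: a repository that substitutes only the principal id (the bare uid) into the same (uniqueMember={0}) query finds nothing, because uniqueMember values are DNs.

```python
"""Offline model of the JNDIRealm user-DN and role lookups (added example)."""
from typing import Dict, List

# JNDIRealm settings copied from the message above.
USER_PATTERN = "uid={0},ou=people,ou=org1,o=org2,dc=ca"
ROLE_BASE = "ou=roles,ou=org1,o=org2,dc=ca"
ROLE_NAME = "cn"
ROLE_SEARCH = "(uniqueMember={0})"

# Constructed sample directory (not real data): DN -> {attribute: [values]}.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=user1,ou=people,ou=org1,o=org2,dc=ca": {"uid": ["user1"]},
    "uid=user2,ou=people,ou=org1,o=org2,dc=ca": {"uid": ["user2"]},
    "cn=role1,ou=roles,ou=org1,o=org2,dc=ca": {
        "cn": ["role1"],
        "uniqueMember": ["uid=user1,ou=people,ou=org1,o=org2,dc=ca"],
    },
    "cn=role2,ou=roles,ou=org1,o=org2,dc=ca": {
        "cn": ["role2"],
        "uniqueMember": [
            "uid=user1,ou=people,ou=org1,o=org2,dc=ca",
            "uid=user2,ou=people,ou=org1,o=org2,dc=ca",
        ],
    },
}


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value placed inside a DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;':
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\00")
        elif (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value placed inside a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)


def _unescape_filter_value(value: str) -> str:
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 3 <= len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def search(base: str, filter_expr: str) -> List[str]:
    """Stand-in for a subtree search; only one (attr=value) filter is modelled."""
    if not (filter_expr.startswith("(") and filter_expr.endswith(")")):
        raise ValueError("only simple (attr=value) filters are modelled here")
    attr, sep, raw = filter_expr[1:-1].partition("=")
    if not sep:
        raise ValueError("only simple (attr=value) filters are modelled here")
    wanted, base_l, hits = _unescape_filter_value(raw).lower(), base.lower(), []
    for dn, attrs in DIRECTORY.items():
        dn_l = dn.lower()
        if dn_l != base_l and not dn_l.endswith("," + base_l):
            continue  # outside roleBase
        lowered = {k.lower(): [v.lower() for v in vs] for k, vs in attrs.items()}
        if wanted in lowered.get(attr.lower(), []):
            hits.append(dn)
    return hits


def user_dn(uid: str) -> str:
    """userPattern: the login name becomes an RDN value, so DN-escape it."""
    return USER_PATTERN.replace("{0}", escape_dn_value(uid))


def roles_for(uid: str) -> List[str]:
    """JNDIRealm role lookup: {0} in roleSearch is the user's DN, filter-escaped."""
    dn = user_dn(uid)
    if dn not in DIRECTORY:  # the bind step would already have failed
        return []
    role_filter = ROLE_SEARCH.replace("{0}", escape_filter_value(dn))
    return sorted(v for hit in search(ROLE_BASE, role_filter)
                  for v in DIRECTORY[hit][ROLE_NAME])


def roles_for_uid_substitution(uid: str) -> List[str]:
    """Assumed contrast: substitute only the bare uid into the same query."""
    role_filter = ROLE_SEARCH.replace("{0}", escape_filter_value(uid))
    return sorted(v for hit in search(ROLE_BASE, role_filter)
                  for v in DIRECTORY[hit][ROLE_NAME])
```

Calling roles_for("user1") yields ["role1", "role2"] while roles_for_uid_substitution("user1") yields [], which is the difference to check when moving a uniqueMember-based role search from JNDIRealm to any component that fills {0} with the uid rather than the DN. The escaping helpers are there because the substituted value comes from the login form: a login name such as "*)(uid=*" becomes a DN that matches no entry and a filter value with the metacharacters encoded.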
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
