CAS

Installation

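# Install the CAS server 3.4.11 web application into Tomcat 6 and add the LDAP
# support module plus its Spring LDAP dependency to the webapp's classpath.
# NOTE(review): both archives are fetched over plain HTTP and nothing checks
# their integrity; verify them against a checksum/signature obtained out of band
# (or fetch over HTTPS) before deploying. CAS 3.4.x is also long out of support;
# prefer a maintained release for any new deployment.
[root@server ~]# yum install unzip
[root@server ~]# wget http://downloads.jasig.org/cas/cas-server-3.4.11-release.tar.gz
[root@server ~]# tar xvzf cas-server-3.4.11-release.tar.gz
# Tomcat unpacks the WAR into webapps/cas-server-webapp-3.4.11/ (assuming it is
# running with unpackWARs on); wait for that directory to exist before copying
# the extra jars into its WEB-INF/lib below. Remember that redeploying the WAR
# overwrites anything changed inside that exploded directory.
[root@server ~]# cp cas-server-3.4.11/modules/cas-server-webapp-3.4.11.war /var/lib/tomcat6/webapps/
[root@server ~]# wget http://s3.amazonaws.com/dist.springframework.org/release/LDAP/spring-ldap-1.3.1.RELEASE-minimal.zip
[root@server ~]# unzip spring-ldap-1.3.1.RELEASE-minimal.zip
# Fixed: the original line repeated the source path instead of giving a
# destination; the jar must land in the webapp's WEB-INF/lib like the next one.
[root@server ~]# cp spring-ldap-1.3.1.RELEASE/dist/spring-ldap-1.3.1.RELEASE-all.jar /var/lib/tomcat6/webapps/cas-server-webapp-3.4.11/WEB-INF/lib/
[root@server ~]# cp cas-server-3.4.11/modules/cas-server-support-ldap-3.4.11.jar /var/lib/tomcat6/webapps/cas-server-webapp-3.4.11/WEB-INF/lib/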

Configuration

DNS

192.168.122.191 ... directory.example.com ...

Backend LDAP

cf https://wiki.jasig.org/display/CASUM/LDAP

/var/lib/tomcat6/webapps/cas-server-webapp-3.4.11/META-INF/maven/org.jasig.cas/cas-server-webapp/pom.xml
...
	<dependencies>
	<!-- NOTE(review): this is the pom.xml that Maven copied into META-INF of the
	     already built WAR. Tomcat never reads it, so adding dependencies here puts
	     nothing on the classpath; what actually enables the LDAP support is copying
	     cas-server-support-ldap and spring-ldap into WEB-INF/lib (see Installation).
	     A pom.xml like this is only worth editing in a Maven overlay project that is
	     then rebuilt into a new WAR (cf. the Jasig wiki page linked above). -->
	...
		<dependency>
			<groupId>${project.groupId}</groupId>
                        <artifactId>cas-server-support-ldap</artifactId>
                        <version>${project.version}</version>
		</dependency>
                <dependency>
                        <groupId>commons-pool</groupId>
                        <artifactId>commons-pool</artifactId>
                        <version>${apache.commons.pool.version}</version>
                </dependency>
	</dependencies>
...

Paramétrer le support LDAP

/var/lib/tomcat6/webapps/cas-server-webapp-3.4.11/WEB-INF/deployerConfigContext.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  CAS 3.4 deployer configuration: LDAP-backed user authentication (search, then
  bind as the user), a static attribute stub, an in-memory service registry and
  an SLF4J audit trail.
  This file lives inside the exploded webapp under Tomcat's webapps/ directory,
  so redeploying the WAR overwrites it. Keep a copy outside the webapp and keep
  the file permissions tight: it contains a directory bind password.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
 
	<!--
	  Unpooled connection to the directory. It is used directly for the per-user
	  bind (BindLdapAuthenticationHandler below) and wrapped by
	  pooledContextSource for searches.
	  SECURITY (review): the URL is plain ldap:// and the JNDI environment below
	  selects "simple" authentication, so the service-account password and every
	  user password verified by the bind handler cross the network in clear text.
	  Unless the directory runs on this host or on an isolated network, move to
	  ldaps:// (or StartTLS) as soon as the directory offers it.
	-->
	<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
		<property name="pooled"   value="false"/>
		<property name="url"      value="ldap://directory.example.com:10389" />
		<!-- uid=admin,ou=system looks like a directory-wide administrator account
		     (it is the default ApacheDS admin DN, and 10389 its default port). CAS
		     only needs to search ou=users for a uid, so a dedicated read-only
		     service account would satisfy least privilege. -->
		<property name="userDn"   value="uid=admin,ou=system"/>
		<!-- Plaintext bind password in the configuration. Prefer a property
		     placeholder resolved from a properties file outside the webapp that is
		     readable only by the tomcat user; never publish the real value. -->
		<property name="password" value="secret"/>
 
		<!-- Place JNDI environment properties here. -->
		<property name="baseEnvironmentProperties">
			<map>
			<!-- Three seconds is an eternity to users. -->
				<entry key="com.sun.jndi.ldap.connect.timeout"   value="3000" />
				<entry key="com.sun.jndi.ldap.read.timeout"      value="3000" />
				<!-- Simple bind: DN + password sent as-is, hence the TLS remark above. -->
				<entry key="java.naming.security.authentication" value="simple" />
			</map>
		</property>
	</bean>
 
	<!-- Connection pool around contextSource, used for the search side of
	     authentication. Idle connections are validated in the background
	     (testWhileIdle) instead of on every borrow, trading a possibly stale
	     connection for lower per-request latency. -->
	<bean id="pooledContextSource" class="org.springframework.ldap.pool.factory.PoolingContextSource"
		p:minIdle="3"
		p:maxIdle="5"
		p:maxActive="10"
		p:maxWait="10000"
		p:timeBetweenEvictionRunsMillis="600000"
		p:minEvictableIdleTimeMillis="1200000"
		p:testOnBorrow="false"
		p:testWhileIdle="true"
		p:dirContextValidator-ref="dirContextValidator"
		p:contextSource-ref="contextSource" />
 
	<!-- Validation probe used by the pool: a base-object search (searchScope 0 is
	     SearchControls.OBJECT_SCOPE) on the empty DN, i.e. it reads the root DSE,
	     asks for at most one entry with no attributes and gives up after 1 s. -->
	<bean id="dirContextValidator" class="org.springframework.ldap.pool.validation.DefaultDirContextValidator"
		p:base=""
		p:filter="objectclass=*">
		<property name="searchControls">
			<bean class="javax.naming.directory.SearchControls"
				p:timeLimit="1000"
				p:countLimit="1"
				p:searchScope="0"
				p:returningAttributes="" />
		</property>
	</bean>
 
	<!-- Core authentication wiring: handlers decide whether credentials are
	     valid, resolvers turn accepted credentials into a Principal. -->
	<bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
		<!-- The username from the login form is looked up in LDAP and the
		     principal id becomes the entry's uid attribute. -->
		<property name="credentialsToPrincipalResolvers">
			<list>
				<bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
					<property name="credentialsToPrincipalResolver">
						<bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"/>
					</property>
					<!-- %u is replaced by the username typed by the user. Confirm that
					     this CAS version escapes LDAP filter metacharacters before the
					     substitution; if it does not, a crafted username can alter the
					     filter (LDAP injection). The bind handler below uses the same
					     filter without the outer parentheses; keep the two in sync. -->
					<property name="filter"                 value="(uid=%u)"/>
					<property name="principalAttributeName" value="uid"/>
					<property name="searchBase"             value="ou=users,dc=example,dc=com"/>
					<property name="contextSource"          ref="contextSource"/>
					<property name="attributeRepository">
						<ref bean="attributeRepository"/>
					</property>
				</bean>
			</list>
		</property>
		<property name="authenticationHandlers">
			<list>
				<!-- Authenticates proxy-callback URLs presented by services by calling
				     them back with httpClient; this is the outbound HTTPS client the
				     CA import in the SSL section is for. -->
				<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
					p:httpClient-ref="httpClient" />
				<!-- Finds the user's DN through the pooled context, then binds as that
				     DN with the supplied password. The bind uses the unpooled
				     contextSource on purpose (pooled=false above): a pooled connection
				     should never be re-bound as an end user. -->
				<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
					p:filter="uid=%u"
					p:searchBase="ou=users,dc=example,dc=com"
					p:contextSource-ref="contextSource"
					p:searchContextSource-ref="pooledContextSource" />
			</list>
		</property>
		<!-- Adds authentication metadata (presumably the SAML authentication
		     method) to successful authentications. -->
		<property name="authenticationMetaDataPopulators">
			<list>
				<bean class="org.jasig.cas.authentication.SamlAuthenticationMetaDataPopulator" />
			</list>
		</property>
	</bean>
 
	<!-- Accounts granted ROLE_ADMIN, i.e. access to the services management UI.
	     The password values are dummies ("notused"), presumably because that UI
	     authenticates through CAS itself and only the usernames matter. Keep this
	     list short and review it when people leave. -->
	<sec:user-service id="userDetailsService">
		<sec:user name="david.delavennat"     password="notused" authorities="ROLE_ADMIN" />
		<sec:user name="jacquelin.charbonnel" password="notused" authorities="ROLE_ADMIN" />
	</sec:user-service>
 
	<!-- StubPersonAttributeDao hands the same fixed map to every user; the values
	     are the literal strings "uid", "eduPersonAffiliation" and "groupMembership",
	     not directory data. Replace it with an LDAP-backed PersonAttributeDao before
	     releasing attributes to services. Note that "email", which the SYMPA service
	     below lists in allowedAttributes, is not in this map and so is never
	     released. -->
	<bean id="attributeRepository"
		class="org.jasig.services.persondir.support.StubPersonAttributeDao">
		<property name="backingMap">
			<map>
				<entry key="uid"                  value="uid" />
				<entry key="eduPersonAffiliation" value="eduPersonAffiliation" /> 
				<entry key="groupMembership"      value="groupMembership" />
			</map>
		</property>
	</bean>
 
	<!-- Which applications may obtain and validate tickets.
	     SECURITY (review): the first two entries are catch-all patterns. http://**
	     in particular lets any application, including a non-TLS one on an
	     attacker-controlled host, present itself as a CAS service and receive
	     service tickets for a logged-in user. For production, register the real
	     services explicitly and drop the wildcards.
	     Ordering: CAS takes the first registered service that matches, evaluated
	     in ascending evaluationOrder (verify for your version). With http://** at
	     10000001 the SYMPA entry at 10000003 is shadowed and its allowedAttributes
	     never apply; give specific services a lower evaluationOrder than any
	     wildcard. -->
	<bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
		<property name="registeredServices">
			<list>
				<bean class="org.jasig.cas.services.RegisteredServiceImpl">
					<property name="id"              value="0" />
					<property name="name"            value="HTTP" />
					<property name="description"     value="Only Allows HTTP Urls" />
					<property name="serviceId"       value="http://**" />
					<property name="evaluationOrder" value="10000001" />
				</bean>
				<bean class="org.jasig.cas.services.RegisteredServiceImpl">
					<property name="id"              value="1" />
					<property name="name"            value="HTTPS" />
					<property name="description"     value="Only Allows HTTPS Urls" />
					<property name="serviceId"       value="https://**" />
					<property name="evaluationOrder" value="10000002" />
				</bean>
				<bean class="org.jasig.cas.services.RegisteredServiceImpl">
					<property name="id"              value="2" />
					<property name="name"            value="SYMPA" />
					<property name="description"     value="Serveur de mailing-listes" />
					<property name="serviceId"       value="http://listes.example.com/sympa/" />
					<property name="evaluationOrder" value="10000003" />
					<!-- Attributes released to this service (only uid can actually be
					     provided by the stub repository above). -->
					<property name="allowedAttributes">
						<list>
							<value>uid</value>
							<value>email</value>
						</list>
					</property>
				</bean>
			</list>
		</property>
	</bean>
	<!-- Authentication and ticket audit records go to the SLF4J logger, i.e. the
	     Tomcat log files. Make sure those logs are retained and protected: this is
	     the only audit trail configured here. -->
	<bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
</beans>

SSL

Import du certificat racine dans le keystore Java (pour que CAS fasse confiance aux certificats signés par cette autorité, y compris le sien, lors de ses appels HTTPS sortants…)

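# Add the example.com root CA as a trust anchor. /etc/pki/java/cacerts is the
# JRE's default truststore, so this affects every Java application on the host;
# a dedicated truststore passed to Tomcat via -Djavax.net.ssl.trustStore would
# scope the trust to CAS alone. "changeit" is the well-known default password of
# cacerts, so it protects nothing; rely on file permissions instead.
# Fixed: keytool's documented option is -trustcacerts (single dash), the original
# used --trustcacerts.
[root@server ~]# keytool -import -file example.com-cacert.pem -alias example.com -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit
# Before trusting the entry, compare the printed fingerprint with the value the
# CA operator published out of band; the MD5 fingerprint shown below is weak for
# that purpose, add -v to see the SHA1 (and, on newer JDKs, SHA256) fingerprint.
[root@server ~]# keytool -list -alias example.com -keystore /etc/pki/java/cacerts -storepass changeit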
example.com, 29 déc. 2011, trustedCertEntry,
Empreinte du certificat (MD5) : E8:C2:D0:47:64:1E:2F:78:9A:06:10:2A:E4:4E:DF:DD

# Import the CAS server's own (public) certificate as a trusted entry. Note the
# relative path: this is run from /root/adm (see prompt), not from /etc.
# NOTE(review): if sso.example.com's certificate is issued by the example.com CA
# imported above, this step is redundant (the chain already validates) and the
# entry goes stale when the server certificate is renewed. Only the certificate
# is imported here; the private key must never be added to cacerts.
[root@server adm]# keytool -importcert -keystore /etc/pki/java/cacerts -storepass changeit -alias sso.example.com -file etc/tomcat6/sso.example.com-cert.pem
# Show the new trustedCertEntry and its fingerprint.
[root@server adm]# keytool -list -keystore /etc/pki/java/cacerts -storepass changeit -alias sso.example.com
sso.example.com, 29 déc. 2011, trustedCertEntry,
Empreinte du certificat (MD5) : 97:8D:A5:1E:DA:76:1D:9E:AF:7B:B6:BE:42:E3:98:82
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 3.0 Unported