Trusted LDAP module - transparent CAS authentication for trusted network clients

Description

Novell's eDirectory stores the IP address of each authenticated user in that user's networkAddress attribute within eDirectory.
Novell leverages this to provide automatic logon for authenticated users to other network services.

This CAS module builds upon functionality within the existing LDAP and Trusted Principal authentication modules to provide the same transparent login to CAS as Novell provides to its own services. The end result is that users once authenticated to the Novell network are by extension authenticated with CAS and all CAS-enabled applications.

This functionality could easily be extended to other LDAP sources that record the IP addresses of authenticated clients. That said, I do not know of any other LDAP servers which offer such functionality.

Environment

None

Activity

David David
May 25, 2008, 12:16 PM

Attached is the source code for this cas-server-support-trustedldap module. It is based on the cas-server-support-trusted module and leverages classes from the cas-server-support-ldap module.

ScottS
June 13, 2008, 6:54 PM

Dave,

I merged your code in. I made some changes so that it follows our structure a little more (so it requires a little more XML configuration but fits in better).

The only thing I did actually change functionality-wise is that the address range check is required. Do you envision people not wanting to configure that? If so, we can change it.

Thanks
-Scott

David David
June 15, 2008, 6:19 AM

That looks good and I can't imagine anyone not wanting to do an address range check.

I am not sure how this new configuration would work; can you elaborate on this?

From what I can make out there will be two beans that need setting up:

<bean id="remoteAddressAuthenticationHandler"
      class="org.jasig.cas.adaptors.ldap.remote.RemoteAddressAuthenticationHandler">
    <!-- Only clients whose remote address falls inside this range are trusted -->
    <property name="ipNetworkRange" value="${accepted_iprange_goes_here}" />
</bean>

<bean id="remoteIpLookupCredentialsToPrincipalResolver"
      class="org.jasig.cas.adaptors.ldap.remote.RemoteIpLookupCredentialsToPrincipalResolver">
    <!-- How the client IP is rendered before it is matched against the directory -->
    <property name="ipAddressFormat" value="${ipaddressformat_goes_here}" />
    <!-- LDAP search filter that locates the entry whose recorded address is the client's -->
    <property name="filter" value="${ldap_search_filter_goes_here}" />
    <!-- Attribute whose value becomes the CAS principal id -->
    <property name="principalAttributeName" value="${principal_attribute_goes_here}" />
    <property name="searchBase" value="${ldap_search_base_goes_here}" />
    <property name="contextSource" ref="contextSource" />
</bean>

What I am uncertain about is whether or not they slot into the credentialsToPrincipalResolvers and authenticationHandlers lists in the authenticationManager bean or sit as standalone objects.

Also, do any changes need to be made to the login-webflow.xml, or does this new configuration avoid this step?

Once I understand this bit I will do some testing and document it in the wiki.

David
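The two steps the description and the bean configuration above describe, the mandatory address range check and the lookup of the client address in the directory, as an added example that is not part of this issue or of the CAS module's own code. It stands in for the real eDirectory with a constructed in-memory directory, uses the property names from the configuration (ipNetworkRange, ipAddressFormat, filter, principalAttributeName, searchBase), and assumes a placeholder syntax of %0..%3 for the IP octets and %u for the substituted value in the filter; both placeholder conventions and the string form of networkAddress are assumptions, not taken from the page.

```python
"""Transparent remote-address resolution: trust range check, then LDAP lookup.

Added example, not CAS project code. The in-memory directory, the %0..%3 octet
placeholders and the %u filter placeholder are assumptions for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ResolverConfig:
    """Mirrors the bean properties from the issue's configuration snippet."""
    ip_network_range: str        # ipNetworkRange, e.g. "10.1.2.0/24"
    ip_address_format: str       # ipAddressFormat, e.g. "1#%0.%1.%2.%3" (assumed syntax)
    filter: str                  # filter, e.g. "(networkAddress=%u)" (assumed syntax)
    principal_attribute_name: str
    search_base: str


def remote_address_trusted(remote_addr: str, ip_network_range: str) -> bool:
    """Step 1: only addresses inside the configured trusted range are considered."""
    try:
        return ipaddress.ip_address(remote_addr) in ipaddress.ip_network(
            ip_network_range, strict=False)
    except ValueError:          # malformed address or range: never trusted
        return False


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so the substituted value cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def format_ip(remote_addr: str, ip_address_format: str) -> str:
    """Render a dotted-quad IPv4 address in the directory's stored form.
    Assumption: %0..%3 name the four octets."""
    octets = remote_addr.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 dotted-quad expected")
    result = ip_address_format
    for i, octet in enumerate(octets):
        result = result.replace("%" + str(i), octet)
    return result


def build_filter(filter_template: str, formatted_ip: str) -> str:
    """Substitute the escaped address for %u in the configured filter."""
    return filter_template.replace("%u", escape_filter_value(formatted_ip))


# Constructed sample directory standing in for eDirectory. networkAddress is
# shown as a string here; a real directory stores its own binary encoding.
SAMPLE_DIRECTORY = [
    {"dn": "cn=alice,ou=staff,o=example", "cn": "alice", "networkAddress": "1#10.1.2.3"},
    {"dn": "cn=bob,ou=staff,o=example", "cn": "bob", "networkAddress": "1#10.1.2.4"},
    {"dn": "cn=dave,ou=staff,o=example", "cn": "dave", "networkAddress": "1#10.1.2.4"},
    {"dn": "cn=carol,ou=guests,o=example", "cn": "carol", "networkAddress": "1#10.1.2.5"},
]


def resolve_principal(remote_addr: str, config: ResolverConfig,
                      directory=SAMPLE_DIRECTORY) -> Optional[str]:
    """Return the principal id for a trusted client, or None to fall back to
    the normal login form (untrusted network, no entry, or an ambiguous match)."""
    if not remote_address_trusted(remote_addr, config.ip_network_range):
        return None
    ldap_filter = build_filter(config.filter,
                               format_ip(remote_addr, config.ip_address_format))
    # This example evaluates only a single equality filter, e.g. (attr=value).
    m = re.fullmatch(r"\((\w+)=(.+)\)", ldap_filter)
    if not m:
        raise ValueError("only a single equality filter is supported here")
    attr, value = m.group(1), unescape_filter_value(m.group(2))
    matches = [e for e in directory
               if e["dn"].endswith(config.search_base) and e.get(attr) == value]
    if len(matches) != 1:       # two users sharing an address must not log in as one
        return None
    return matches[0].get(config.principal_attribute_name)


if __name__ == "__main__":
    cfg = ResolverConfig("10.1.2.0/24", "1#%0.%1.%2.%3", "(networkAddress=%u)",
                         "cn", "ou=staff,o=example")
    for ip in ("10.1.2.3", "10.1.2.4", "10.1.2.5", "203.0.113.9"):
        print(ip, "->", resolve_principal(ip, cfg))
```

The three None outcomes are deliberately indistinguishable to the caller: an address outside the trusted range, an address with no directory entry, and an address recorded against two entries all fall back to the ordinary login form rather than guessing a user.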

ScottS
June 16, 2008, 1:44 PM

David,

The CredentialsToPrincipalResolver and AuthenticationHandler would be configured where you would normally configure those two items.

The Spring WebFlow Action should be configured the same way you normally configure them (it should be the same as you were doing). Let me know if you see any problems!

Thanks
-Scott

David David
November 14, 2008, 1:25 AM

I have finally got around to documenting this functionality. It can be found on the CAS wiki here:

http://www.ja-sig.org/wiki/display/CASUM/Transparent+LDAP-based+Remote+Address+Authentication+Handler

The document heavily leverages the style and text of the X.509 wiki entry.

Assignee

ScottS

Reporter

David David

Labels

None

Estimated End Date

2008/05/30

Time tracking

2h

Components

Fix versions

Affects versions

Priority

Minor