...
Excerpt |
---|
This |
HOWTO describes how to set up CAS to authenticate to LDAP using the GSSAPI mechanism with a Kerberos 5 backend. |
Environment:
Server: Fedora Core 6 + CAS 3.1 + Tomcat 5.5.20 + OpenLDAP 2.3.30 + Cyrus SASL 2.1.22 + Kerboeros 1.5-23
...
Windows XP + IE6 SP2
Config DNS:
To make SSL and Kerberos work, I have to config DNS at the very beginning.
1. Edit /etc/named.conf, add langhua zone:
Code Block | ||||
---|---|---|---|---|
| ||||
zone "1.168.192.IN-ADDR.ARPA." IN { type master; file "192.168.1.db"; }; zone "langhua." IN { type master; file "named.langhua"; }; |
2. Create /var/named/named.langhua
Code Block | ||||
---|---|---|---|---|
| ||||
$TTL 1H @ SOA localhost. root.localhost. ( 2 3H 1H 1W 1H ) NS localhost. auth.langhua. IN 1H A 192.168.1.110 _kerberos IN TXT "AUTH.LANGHUA" _kerberos._udp.auth.langhua. IN SRV 0 0 88 auth.langhua. _kerberos-master._udp.auth.langhua. IN SRV 0 0 88 auth.langhua. _kerberos-adm._tcp.auth.langhua. IN SRV 0 0 749 auth.langhua. _kpasswd._udp.auth.langhua. IN SRV 0 0 464 auth.langhua. _ldap._tcp.auth.langhua. IN SRV 0 0 389 auth.langhua. _ldap._tcp.dc._msdcs.auth.langhua. IN SRV 0 0 389 auth.langhua. _kerberos._tcp.dc._msdcs.auth.langhua. IN SRV 0 0 88 auth.langhua. |
3. Create /var/name/192.168.1.db
Code Block | ||||
---|---|---|---|---|
| ||||
$TTL 1H @ SOA localhost. root.localhost. ( 2 3H 1H 1W 1H ) NS localhost. 110 PTR auth.langhua. |
4. nslookup auth.langhua
Server: 192.168.1.110
Address: 192.168.1.110#53
Name: auth.langhua
Address: 192.168.1.110
5. dig -x 192.168.1.110
; <<>> DiG 9.3.4-P1 <<>> -x 192.168.1.110
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3829
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
...
;; Query time: 1 msec
;; SERVER: 192.168.1.110#53(192.168.1.110)
;; WHEN: Thu Nov 29 04:53:02 2007
;; MSG SIZE rcvd: 137
Config Kerberos:
1. Config /etc/krb5.conf
Code Block | ||||
---|---|---|---|---|
| ||||
[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = AUTH.LANGHUA dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h forwardable = true [realms] AUTH.LANGHUA = { kdc = auth.langhua:88 admin_server = auth.langhua:749 default_domain = langhua } [domain_realm] .langhua = AUTH.LANGHUA [kdc] profile = /var/kerberos/krb5kdc/kdc.conf [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false } |
2. kdb5_util create -s
3. Add users to Kerberos
kadmin.local -q "addprinc krbadm@AUTH.LANGHUA"
kadmin.local -q "addprinc ldapadm@AUTH.LANGHUA"
kadmin.local -q "addprinc host/auth.langhua@AUTH.LANGHUA"
kadmin.local -q "addprinc ldap/auth.langhua@AUTH.LANGHUA"
If you face this error in this step, delete the files under /var/kerberos/krb5kdc/ and redo the above step 2 and 3:
kadmin.local: Cannot find/read stored master key while initializing kadmin.local interface
4. Edit /var/kerberos/krb5kdc/kdc.conf
This file is configed in /etc/krb5.conf.
Code Block | ||||
---|---|---|---|---|
| ||||
[kdcdefaults] acl_file = /var/kerberos/krb5kdc/kadm5.acl dict_file = /usr/share/dict/words admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab v4_mode = nopreauth [realms] AUTH.LANGHUA = { master_key_type = des3-hmac-sha1 supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal } |
5. Edit /var/kerberos/krb5kdc/kadm5.acl
This file is configed in /var/kerberos/krb5kdc/kdc.conf.
Code Block | ||||
---|---|---|---|---|
| ||||
kadmin/admin@AUTH.LANGHUA * ldap/auth.langhua@AUTH.LANGHUA * krbadm@AUTH.LANGHUA * */*@AUTH.LANGHUA i host/auth.langhua@AUTH.LANGHUA * |
6. Config /var/kerberos/krb5kdc/kadm5.keytab
This file is configed in /var/kerberos/krb5kdc/kdc.conf.
kadmin.local -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin"
kadmin.local -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw"
7. Edit /etc/krb.realms
Code Block | ||||
---|---|---|---|---|
| ||||
auth.langhua AUTH.LANGHUA .langhua AUTH.LANGHUA |
8. Edit /etc/krb.conf
Code Block | ||||
---|---|---|---|---|
| ||||
AUTH.LANGHUA AUTH.LANGHUA auth.langhua:88 AUTH.LANGHUA auth.langhua:749 admin server |
9. Start Kerberos
/etc/init.d/kadmin start
/etc/init.d/krb5kdc start
Test Kerberos
1. kadmin.local -q "ktadd -k /etc/krb5.keytab host/auth.langhua"
2. kinit -k host/auth.langhua
If the error "kinit(v5): Password incorrect while getting initial credentials" found, delete /etc/krb5.keytab, and redo step 1 and 2.
3. klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/auth.langhua@AUTH.LANGHUA
...
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
4. Make sure kvno numbers are the same
4.1 kvno host/auth.langhua
...
If the numbers are not same, redo step 1, 2, 3.
5. Test ktelnetd, krlogind, krshd
5.1 Edit ~/.k5login
host/auth.langhua@AUTH.LANGHUA
...
Kerberos configuration is OK now.
Config Cyrus SASL GSSAPI
1. Add ldap service
1.1 kadmin.local -q "addprinc -randkey ldap/auth.langhua@AUTH.LANGHUA"
...
1.3 kadmin.local -q "ktadd -k /etc/krb5.keytab ldap/auth.langhua"
2. Add a test user
2.1 kadmin.local -q "addprinc test@AUTH.LANGHUA"
...
2.3 Edit ~/.k5login
test@AUTH.LANGHUA
3. Verify GSSAPI works on your system
3.1 sasl2-sample-server -s ldap -m GSSAPI
...
If the server and client can communicate but cannot authen successfully, perhaps it's caused by the driver of your ethernet card.
Config OpenLDAP GSSAPI
1. ldapsearch -Y GSSAPI -b 'o=langhua,c=cn' '(ou=worldwide)'
SASL/GSSAPI authentication started
SASL username: test@AUTH.LANGHUA
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <o=langhua,c=cn> with scope subtree
# filter: (ou=worldwide)
# requesting: ALL
#
...
# numResponses: 3
# numEntries: 2
2. Edit /etc/slapd.conf
Code Block | ||||
---|---|---|---|---|
| ||||
# # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/krb5-kdc.schema # Allow LDAPv2 client connections. This is NOT the default. allow bind_v2 # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args # Load dynamic backend modules: # modulepath /usr/lib/openldap # moduleload back_bdb.la # moduleload back_ldap.la # moduleload back_ldbm.la # moduleload back_passwd.la # moduleload back_shell.la # The next three lines allow use of TLS for encrypting connections using a # dummy test certificate which you can generate by changing to # /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on # slapd.pem so that the ldap user or group can read it. Your client software # may balk at self-signed certificates, however. # TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt # TLSCertificateFile /etc/openldap/slapd.pem # TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem TLSCACertificateFile /etc/pki/demoCA/cacert.pem TLSCertificateFile /etc/pki/demoCA/certs/ldap-cert.pem TLSCertificateKeyFile /etc/pki/demoCA/certs/ldap-key.pem # TLSVerifyClient demand # Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64 # disallow bind_simple # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! # access to * by * read ####################################################################### # ldbm and/or bdb database definitions ####################################################################### database bdb suffix "o=langhua,c=cn" # rootdn "uid=root,o=langhua,c=cn" # Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. # rootpw {SSHA}mpfjTVX6cJ+oMgoB1wIjJ8HTR/2kyBga # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/lib/ldap # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub # Replicas of this database # replogfile /var/lib/ldap/openldap-master-replog # replica host=ldap-1.example.com:389 starttls=critical # bindmethod=sasl saslmech=GSSAPI # authcId=host/ldap-master.example.com@EXAMPLE.COM # authzTo: uid=[^HOWTO Setup LDAP GSSAPI+Kerberos Authentication in CAS^,]*,o=langhua,c=cn sasl-realm AUTH.LANGHUA sasl-host auth.langhua access to attrs=userPassword by self write by dn="uid=test,cn=auth.langhua,cn=gssapi,cn=auth" write by anonymous auth by * none access to * by dn="uid=test,cn=auth.langhua,cn=gssapi,cn=auth" write by self write by * read |
3. /etc/init.d/ldap restart
4. Use JXplorer, select GSSAPI to login auth.langhua:389
If successful login, the OpenLDAP configuration is complete.
Config CAS
1. Create /cas-server-support-ldap/src/main/java/org/jasig/cas/adaptors/ldap/BindLdapGssapiAuthenticationHandler.java
Code Block | ||||
---|---|---|---|---|
| ||||
/* * Copyright 2007 The JA-SIG Collaborative. All rights reserved. See license * distributed with this file and available online at * http://www.ja-sig.org/products/cas/overview/license/ */ package org.jasig.cas.adaptors.ldap; import javax.naming.directory.DirContext; import javax.naming.directory.SearchControls; import org.jasig.cas.authentication.handler.AuthenticationException; import org.jasig.cas.authentication.principal.UsernamePasswordCredentials; import org.jasig.cas.util.annotation.IsIn; /** * Handler to do LDAP GSSAPI bind. * * @author Scott Battaglia * @version $Revision: 42053 $ $Date: 2007-06-10 09:17:55 -0400 (Sun, 10 Jun 2007) $ * @since 3.0.3 * @author Shi Yusen, shiys@langhua.cn */ public class BindLdapGssapiAuthenticationHandler extends AbstractLdapGssapiAuthenticationHandler { /** The default maximum number of results to return. */ private static final int DEFAULT_MAX_NUMBER_OF_RESULTS = 1000; /** The default timeout. */ private static final int DEFAULT_TIMEOUT = 1000; /** The search base to find the user under. */ private String searchBase; /** The scope. */ @IsIn({SearchControls.OBJECT_SCOPE, SearchControls.ONELEVEL_SCOPE, SearchControls.SUBTREE_SCOPE}) private int scope = SearchControls.SUBTREE_SCOPE; /** The maximum number of results to return. */ private int maxNumberResults = DEFAULT_MAX_NUMBER_OF_RESULTS; /** The amount of time to wait. */ private int timeout = DEFAULT_TIMEOUT; /** Boolean of whether multiple accounts are allowed. */ private boolean allowMultipleAccounts; protected final boolean authenticateUsernamePasswordInternal( final UsernamePasswordCredentials credentials) throws AuthenticationException { DirContext context; context = this.getContextSource().getDirContext(credentials.getUsername(), credentials.getPassword()); if (context == null) { return false; } return true; } protected String composeCompleteDnToCheck(final String dn, final UsernamePasswordCredentials credentials) { return dn + "," + this.searchBase; } /** * Method to return whether multiple accounts are allowed. * @return true if multiple accounts are allowed, false otherwise. */ protected boolean isAllowMultipleAccounts() { return this.allowMultipleAccounts; } /** * Method to return the max number of results allowed. * @return the maximum number of results. */ protected int getMaxNumberResults() { return this.maxNumberResults; } /** * Method to return the scope. * @return the scope */ protected int getScope() { return this.scope; } /** * Method to return the search base. * @return the search base. */ protected String getSearchBase() { return this.searchBase; } /** * Method to return the timeout. * @return the timeout. */ protected int getTimeout() { return this.timeout; } public final void setScope(final int scope) { this.scope = scope; } /** * @param allowMultipleAccounts The allowMultipleAccounts to set. */ public void setAllowMultipleAccounts(final boolean allowMultipleAccounts) { this.allowMultipleAccounts = allowMultipleAccounts; } /** * @param maxNumberResults The maxNumberResults to set. */ public final void setMaxNumberResults(final int maxNumberResults) { this.maxNumberResults = maxNumberResults; } /** * @param searchBase The searchBase to set. */ public final void setSearchBase(final String searchBase) { this.searchBase = searchBase; } /** * @param timeout The timeout to set. */ public final void setTimeout(final int timeout) { this.timeout = timeout; } } |
2. Create /cas-server-support-ldap/src/main/java/org/jasig/cas/adaptors/ldap/AbstractLdapGssapiAuthenticationHandler.java
Code Block | ||||
---|---|---|---|---|
| ||||
/* * Copyright 2007 The JA-SIG Collaborative. All rights reserved. See license * distributed with this file and available online at * http://www.ja-sig.org/products/cas/overview/license/ */ package org.jasig.cas.adaptors.ldap; import org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapGssapiContextSource; import org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler; import org.jasig.cas.util.annotation.NotNull; import org.springframework.beans.factory.InitializingBean; import org.springframework.ldap.LdapTemplate; import org.springframework.util.Assert; /** * Abstract class to handle common LDAP functionality. * * @author Scott Battaglia * @version $Revision: 42053 $ $Date: 2007-06-10 09:17:55 -0400 (Sun, 10 Jun 2007) $ * @since 3.0.3 * * @author Shi Yusen, shiys@langhua.cn */ public abstract class AbstractLdapGssapiAuthenticationHandler extends AbstractUsernamePasswordAuthenticationHandler implements InitializingBean { /** LdapTemplate to execute ldap queries. */ @NotNull private LdapTemplate ldapTemplate; /** Instance of ContextSource */ @NotNull private AuthenticatedLdapGssapiContextSource contextSource; /** The filter path to the uid of the user. */ @NotNull private String filter; /** Whether the LdapTemplate should ignore partial results. */ private boolean ignorePartialResultException = false; /** * Method to set the datasource and generate a JdbcTemplate. * * @param dataSource the datasource to use. */ public final void setContextSource(final AuthenticatedLdapGssapiContextSource contextSource) { this.contextSource = contextSource; this.ldapTemplate = new LdapTemplate(contextSource); } public final void setIgnorePartialResultException(final boolean ignorePartialResultException) { this.ignorePartialResultException = ignorePartialResultException; } /** * Method to return the LdapTemplate * * @return a fully created LdapTemplate. */ protected final LdapTemplate getLdapTemplate() { return this.ldapTemplate; } protected final AuthenticatedLdapGssapiContextSource getContextSource() { return this.contextSource; } protected final String getFilter() { return this.filter; } public final void afterPropertiesSet() throws Exception { Assert.isTrue(this.filter.contains("%u"), "filter must contain %u"); this.ldapTemplate.setIgnorePartialResultException(this.ignorePartialResultException); } /** * @param filter The filter to set. */ public final void setFilter(final String filter) { this.filter = filter; } } |
3. Create /cas-server-support-ldap/src/main/java/org/jasig/cas/adaptors/ldap/util/AuthenticatedLdapGssapiContextSource.java
Code Block | ||||
---|---|---|---|---|
| ||||
/* * Copyright 2007 The JA-SIG Collaborative. All rights reserved. See license * distributed with this file and available online at * http://www.ja-sig.org/products/cas/overview/license/ */ package org.jasig.cas.adaptors.ldap.util; import java.util.Enumeration; import java.util.Hashtable; import java.util.Iterator; import javax.naming.Context; import javax.naming.directory.DirContext; import javax.security.auth.Subject; import javax.security.auth.callback.Callback; import javax.security.auth.callback.CallbackHandler; import javax.security.auth.callback.NameCallback; import javax.security.auth.callback.PasswordCallback; import javax.security.auth.callback.UnsupportedCallbackException; import javax.security.auth.login.LoginContext; import javax.security.auth.login.LoginException; import org.springframework.dao.DataAccessResourceFailureException; import org.springframework.ldap.support.LdapContextSource; import sun.security.krb5.Credentials; public class AuthenticatedLdapGssapiContextSource extends LdapContextSource { private DirContext context; public Hashtable<String, String> environment; public DirContext getDirContext(final String principal, final String credentials) { if (context == null) { environment = (Hashtable) getAnonymousEnv().clone(); Enumeration keys = environment.keys(); while (keys.hasMoreElements()) { String key = (String)keys.nextElement(); System.setProperty(key, environment.get(key)); } environment.put(Context.SECURITY_PRINCIPAL, principal); environment.put(Context.SECURITY_CREDENTIALS, credentials); LoginContext lc = null; try { lc = new LoginContext(AuthenticatedLdapGssapiContextSource.class.getName(), new UsernamePasswordCallbackHandler(principal, credentials)); lc.login(); } catch (LoginException ex) { ex.printStackTrace(); throw new DataAccessResourceFailureException("GSSAPI login problem: " + ex); } context = (DirContext) Subject.doAs(lc.getSubject(), new LDAPAction(environment)); if (context == null) { throw new DataAccessResourceFailureException("a problem with GSSAPI occurred - couldn't create a GSSAPI directory context"); } else { Iterator i = lc.getSubject().getPrivateCredentials().iterator(); while (i.hasNext()) { Credentials creds = (Credentials) i.next(); if (creds.isForwardable()) { return context; } } throw new DataAccessResourceFailureException("a problem with GSSAPI occurred - please make sure your Credentials is forwardable. Try to use \"kinit -f yourpricinpal\"."); } } else { return context; } } /** * A simple JAAS CallbackHandler which accepts a Name String and Password * String in the constructor. Only NameCallbacks and PasswordCallbacks are * accepted in the callback array. This code based loosely on example given * in Sun's javadoc for CallbackHandler interface. * * Copied from org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler */ protected class UsernamePasswordCallbackHandler implements CallbackHandler { /** The username of the principal we are trying to authenticate. */ private final String userName; /** The password of the principal we are trying to authenticate. */ private final String password; /** * Constuctor accepts name and password to be used for authentication. * * @param userName name to be used for authentication * @param password Password to be used for authentication */ protected UsernamePasswordCallbackHandler(final String userName, final String password) { this.userName = userName; this.password = password; } public void handle(final Callback[] callbacks) throws UnsupportedCallbackException { for (int i = 0; i < callbacks.length; i++) { final Callback callback = callbacks[i]; if (callback.getClass().equals(NameCallback.class)) { ((NameCallback) callback).setName(this.userName); } else if (callback.getClass().equals(PasswordCallback.class)) { ((PasswordCallback) callback).setPassword(this.password .toCharArray()); } else { throw new UnsupportedCallbackException(callback, "Unrecognized Callback"); } } } } } |
4. Create /cas-server-support-ldap/src/main/java/org/jasig/cas/adaptors/ldap/util/LDAPAction.java
Code Block | ||||
---|---|---|---|---|
| ||||
/* * Copyright 2008 The JA-SIG Collaborative. All rights reserved. See license * distributed with this file and available online at * http://www.ja-sig.org/products/cas/overview/license/ */ package org.jasig.cas.adaptors.ldap.util; import java.security.PrivilegedAction; import java.util.Hashtable; import javax.naming.NamingException; import javax.naming.directory.DirContext; import javax.naming.directory.InitialDirContext; /** * @author Shi Yusen * * Ref: http://forum.java.sun.com/thread.jspa?threadID=395518&messageID=2444444 */ public class LDAPAction implements PrivilegedAction { private Hashtable env; public LDAPAction(Hashtable env){ this.env = env; } /* (non-Javadoc) * @see java.security.PrivilegedAction#run() */ public Object run() { DirContext result = null; try{ result = new InitialDirContext(env); }catch(NamingException ex){ ex.printStackTrace(); } return result; } } |
5. build and deploy CAS 3.1
6. Create $CAS/WEB-INF/gssapi.conf
Code Block | ||||
---|---|---|---|---|
| ||||
org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapGssapiContextSource { com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=TRUE; }; |
7. Edit $CAS/WEB-INF/deployerConfigContext.xml
Code Block | ||||
---|---|---|---|---|
| ||||
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd"> <!-- | deployerConfigContext.xml centralizes into one file some of the declarative configuration that | all CAS deployers will need to modify. | | This file declares some of the Spring-managed JavaBeans that make up a CAS deployment. | The beans declared in this file are instantiated at context initialization time by the Spring | ContextLoaderListener declared in web.xml. It finds this file because this | file is among those declared in the context parameter "contextConfigLocation". | | By far the most common change you will need to make in this file is to change the last bean | declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with | one implementing your approach for authenticating usernames and passwords. +--> <beans> <!-- | This bean declares our AuthenticationManager. The CentralAuthenticationService service bean | declared in applicationContext.xml picks up this AuthenticationManager by reference to its id, | "authenticationManager". Most deployers will be able to use the default AuthenticationManager | implementation and so do not need to change the class of this bean. We include the whole | AuthenticationManager here in the userConfigContext.xml so that you can see the things you will | need to change in context. +--> <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl"> <!-- | This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate. | The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which | supports the presented credentials. | | AuthenticationManagerImpl uses these resolvers for two purposes. First, it uses them to identify the Principal | attempting to authenticate to CAS /login . In the default configuration, it is the DefaultCredentialsToPrincipalResolver | that fills this role. If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace | DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are | using. | | Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket. | In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose. | You will need to change this list if you are identifying services by something more or other than their callback URL. +--> <property name="credentialsToPrincipalResolvers"> <list> <!-- | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login | by default and produces SimplePrincipal instances conveying the username from the credentials. | | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the | Credentials you are using. +--> <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" /> <!-- | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials. It supports the CAS 2.0 approach of | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a | SimpleService identified by that callback URL. | | If you are representing services by something more or other than an HTTPS URL whereat they are able to | receive a proxy callback, you will need to change this bean declaration (or add additional declarations). +--> <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" /> </list> </property> <!-- | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate, | AuthenticationHandlers actually authenticate credentials. Here we declare the AuthenticationHandlers that | authenticate the Principals that the CredentialsToPrincipalResolvers identified. CAS will try these handlers in turn | until it finds one that both supports the Credentials presented and succeeds in authenticating. +--> <property name="authenticationHandlers"> <list> <!-- | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating | a server side SSL certificate. +--> <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" /> <!-- | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your | local authentication strategy. You might accomplish this by coding a new such handler and declaring | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules. +--> <bean class="org.jasig.cas.adaptors.ldap.BindLdapGssapiAuthenticationHandler"> <property name="filter" value="uid=%u" /> <property name="searchBase" value="o=langhua,c=cn" /> <property name="contextSource" ref="contextSource" /> </bean> </list> </property> </bean> <bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapGssapiContextSource"> <property name="anonymousReadOnly" value="true" /> <property name="password" value="{password_goes_here}" /> <property name="pooled" value="true" /> <property name="urls"> <list> <value>ldap://auth.langhua:389/</value> </list> </property> <property name="userName" value="{username_goes_here}" /> <property name="baseEnvironmentProperties"> <map> <entry> <key><value>java.naming.factory.initial</value></key> <value>com.sun.jndi.ldap.LdapCtxFactory</value> </entry> <entry> <key><value>java.naming.referral</value></key> <value>ignore</value> </entry> <entry> <key><value>java.naming.ldap.attributes.binary</value></key> <value>photo jpegphoto jpegPhoto</value> </entry> <entry> <key><value>java.naming.ldap.version</value></key> <value>3</value> </entry> <entry> <key><value>java.naming.ldap.deleteRDN</value></key> <value>false</value> </entry> <entry> <key><value>java.naming.ldap.derefAliases</value></key> <value>searching</value> </entry> <entry> <key><value>javax.security.sasl.qop</value></key> <value>auth-conf</value> </entry> <entry> <key><value>java.naming.provider.url</value></key> <value>ldap://auth.langhua</value> </entry> <entry> <key><value>java.naming.security.authentication</value></key> <value>GSSAPI</value> </entry> <entry> <key><value>java.security.auth.login.config</value></key> <value>/usr/share/tomcat5/webapps/cas/WEB-INF/gssapi.conf</value> </entry> <entry> <key><value>javax.security.sasl.server.authentication</value></key> <value>true</value> </entry> <entry> <key><value>javax.security.auth.useSubjectCredsOnly</value></key> <value>false</value> </entry> </map> </property> </bean> </beans> |
8. restart tomcat
9. kadmin.local -q "cpw -pw 111111 test"
Make CAS use password to authorize test.
Visit https://auth.langhua:8443/cas/
In client, use IE6 or firefox to visit https://auth.langhua:8443/cas/
username: test or test@AUTH.LANGHUA
password: 111111
...