Page Comparison

...

Excerpt
This tutorial describes how to configure CAS for LDAP DIGEST-MD5 authentication using OpenLDAP. It was authored in response to CAS-664.

Environment:

Server: Fedora 10 + CAS 3.3.1

...

+

...

Tomcat

...

5.5.27

...

+

...

OpenLDAP

...

2.4.12

...

+

...

Cyrus

...

SASL

...

2.1.22

...

Client:

...

Fedora

...

10

...

+

...

Firefox

...

3

...

(in

...

the

...

same

...

computor

...

with

...

Server)

...

Realm:

...

dell-d830

...

Config OpenLDAP DIGEST-MD5

...

1.

...

Edit

...

/etc/openldap/slapd.conf,

...

add

...

the

...

following:

...

Code Block

password-hash {CLEARTEXT}
sasl-realm dell-d830

authz-regexp
&nbsp;&nbsp;&nbsp;    uid=(\[^HOWTO Configure CAS for LDAP DIGEST-MD5^,\]*),cn=dell-d830,cn=digest-md5,cn=auth
&nbsp;&nbsp;&nbsp;
    ldap:///o=langhua,c=cn??sub?(uid=$1)



h4.

2.

...

/etc/init.d/ldap

...

restart

3.

...

Add

...

a

...

user

...

to

...

OpenLDAP

...

uid=test,ou=beijing,o=langhua,c=cn
...
userPassword
...
is
...
111111

Configure SASL DIGEST-MD5

...

1.

...

Add

...

a

...

user

...

to

...

SASL

...

Code Block
saslpasswd2 \-c test Password: 111111 Again (for verification): 111111 h4.

2.

...

Test

...

SASL

...

DIGEST-MD5

...

Open

...

a

...

console

...

and

...

run:

...

Code Block
sasl2-sample-server Console output: trying 2, 1, 6 trying 10, 1, 6 bind: Address already in use

Open

...

another

...

console

...

and

...

run:

Code Block


*sasl2-sample-client \-m DIGEST-MD5 localhost*

Console output:

receiving capability list... recv:
{53}
PLAIN CRAM-MD5 ANONYMOUS LOGIN NTLM GSSAPI DIGEST-MD5
PLAIN CRAM-MD5 ANONYMOUS LOGIN NTLM GSSAPI DIGEST-MD5
send:
{10}
DIGEST-MD5
send:
{1}
N
recv:
{114}
nonce="i7iU89Jmqj2S8BmExkXbkTwV8TaMdOrh1T803Q2UHw4=",realm="dell-d830",qop="auth",charset=utf-8,algorithm=md5-sess
please enter an authentication id:
please enter an authorization id: *test*
Password: *111111*
send:
{231}
username="test",realm="dell-d830",nonce="i7iU89Jmqj2S8BmExkXbkTwV8TaMdOrh1T803Q2UHw4=",cnonce="h3prPJs4mCG0XAUJNiEhlISg0BjgS2UcRenpY6S3IuI=",nc=00000001,qop=auth,digest-uri="rcmd/localhost",response=e8f55dabc929152361c6cdcbb0d22532
recv:
{40}
rspauth=44285575e382f452e158665a2727a493
send:
{0}

successful authentication
closing connection
&nbsp;

DIGEST-MD5

...

is

...

ok.

Configure CAS

Refer to the instructions on the LDAP authentication page for configuring CAS for LDAP authentication. In particular, note the sample DIGEST-MD5 configuration example toward the end of the document.

Verify DIGEST-MD5 Authentication in CAS

Ensure that CAS has been deployed with the LDAP authentication handlers configured and that CAS is running. Browse to http://localhost:8080/cas/login, enter test/111111 to login, which should succeed. The following OpenLDAP log showing a successful DIGEST-MD5 authentication is provided for reference.

Code Block

title	OpenLDAP slapd.log Showing Successful DIGEST-MD5 Authentication


Feb  8 03:48:47 localhost slapd[11389]: daemon: activity on 1 descriptor
Feb  8 03:48:47 localhost slapd[11389]: daemon: activity on:
Feb  8 03:48:47 localhost slapd[11389]:
Feb  8 03:48:47 localhost slapd[11389]: slap_listener_activate(7):
Feb  8 03:48:47 localhost slapd[11389]: >>> slap_listener(ldap:///)
Feb  8 03:48:47 localhost slapd[11389]: daemon: listen=7, new connection on 12
Feb  8 03:48:47 localhost slapd[11389]: daemon: added 12r (active) listener=(nil)
Feb  8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Feb  8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Feb  8 03:48:47 localhost slapd[11389]: daemon: activity on 1 descriptor
Feb  8 03:48:47 localhost slapd[11389]: daemon: activity on:
Feb  8 03:48:47 localhost slapd[11389]:
Feb  8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Feb  8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Feb  8 03:48:47 localhost slapd[11389]: daemon: activity on 1 descriptor
Feb  8 03:48:47 localhost slapd[11389]: daemon: activity on:
Feb  8 03:48:47 localhost slapd[11389]:  12r
Feb  8 03:48:47 localhost slapd[11389]:
Feb  8 03:48:47 localhost slapd[11389]: daemon: read active on 12
Feb  8 03:48:47 localhost slapd[11389]: connection_get(12)
Feb  8 03:48:47 localhost slapd[11389]: connection_get(12): got connid=0
Feb  8 03:48:47 localhost slapd[11389]: connection_read(12): checking for input on id=0
Feb  8 03:48:47 localhost slapd[11389]: conn=0 op=0 do_bind
Feb  8 03:48:47 localhost slapd[11389]: >>> dnPrettyNormal: <>
Feb  8 03:48:47 localhost slapd[11389]: <<< dnPrettyNormal: <>, <>
Feb  8 03:48:47 localhost slapd[11389]: do_bind: dn () SASL mech DIGEST-MD5
Feb  8 03:48:47 localhost slapd[11389]: ==> sasl_bind: dn="" mech=DIGEST-MD5 datalen=0
Feb  8 03:48:47 localhost slapd[11389]: SASL [conn=0] Debug: DIGEST-MD5 server step 1
Feb  8 03:48:47 localhost slapd[11389]: send_ldap_sasl: err=14 len=182
Feb  8 03:48:47 localhost slapd[11389]: send_ldap_response: msgid=1 tag=97 err=14
Feb  8 03:48:47 localhost slapd[11389]: <== slap_sasl_bind: rc=14
Feb  8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Feb  8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Feb  8 03:48:47 localhost slapd[11389]: daemon: activity on 1 descriptor
Feb  8 03:48:47 localhost slapd[11389]: daemon: activity on:
Feb  8 03:48:47 localhost slapd[11389]:
Feb  8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Feb  8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Feb  8 03:48:47 localhost slapd[11389]: daemon: activity on 1 descriptor
Feb  8 03:48:47 localhost slapd[11389]: daemon: activity on:
Feb  8 03:48:47 localhost slapd[11389]:  12r
Feb  8 03:48:47 localhost slapd[11389]:
Feb  8 03:48:47 localhost slapd[11389]: daemon: read active on 12
Feb  8 03:48:47 localhost slapd[11389]: connection_get(12)
Feb  8 03:48:47 localhost slapd[11389]: connection_get(12): got connid=0
Feb  8 03:48:47 localhost slapd[11389]: connection_read(12): checking for input on id=0
Feb  8 03:48:47 localhost slapd[11389]: conn=0 op=1 do_bind
Feb  8 03:48:47 localhost slapd[11389]: >>> dnPrettyNormal: <>
Feb  8 03:48:47 localhost slapd[11389]: <<< dnPrettyNormal: <>, <>
Feb  8 03:48:47 localhost slapd[11389]: do_bind: dn () SASL mech DIGEST-MD5
Feb  8 03:48:47 localhost slapd[11389]: ==> sasl_bind: dn="" mech=<continuing> datalen=255
Feb  8 03:48:47 localhost slapd[11389]: SASL [conn=0] Debug: DIGEST-MD5 server step 2
Feb  8 03:48:47 localhost slapd[11389]: SASL Canonicalize [conn=0]: authcid="test"
Feb  8 03:48:47 localhost slapd[11389]: slap_sasl_getdn: conn 0 id=test [len=5]
Feb  8 03:48:47 localhost slapd[11389]: slap_sasl_getdn: u:id converted to uid=test,cn=dell-d830,cn=DIGEST-MD5,cn=auth
Feb  8 03:48:47 localhost slapd[11389]: >>> dnNormalize: <uid=test,cn=dell-d830,cn=DIGEST-MD5,cn=auth>
Feb  8 03:48:47 localhost slapd[11389]: <<< dnNormalize: <uid=test,cn=dell-d830,cn=digest-md5,cn=auth>
Feb  8 03:48:47 localhost slapd[11389]: ==>slap_sasl2dn: converting SASL name uid=test,cn=dell-d830,cn=digest-md5,cn=auth to a DN
Feb  8 03:48:47 localhost slapd[11389]: [rw] authid: "uid=test,cn=dell-d830,cn=digest-md5,cn=auth" -> "ldap:///o=langhua,c=cn??sub?(uid=test)"
Feb  8 03:48:47 localhost slapd[11389]: slap_parseURI: parsing ldap:///o=langhua,c=cn??sub?(uid=test)
Feb  8 03:48:47 localhost slapd[11389]: str2filter "(uid=test)"
Feb  8 03:48:47 localhost slapd[11389]: begin get_filter
Feb  8 03:48:47 localhost slapd[11389]: EQUALITY
Feb  8 03:48:47 localhost slapd[11389]: end get_filter 0
Feb  8 03:48:47 localhost slapd[11389]: >>> dnNormalize: <o=langhua,c=cn>
Feb  8 03:48:47 localhost slapd[11389]: <<< dnNormalize: <o=langhua,c=cn>
Feb  8 03:48:47 localhost slapd[11389]: slap_sasl2dn: performing internal search (base=o=langhua,c=cn, scope=2)
Feb  8 03:48:47 localhost slapd[11389]: => bdb_search
Feb  8 03:48:47 localhost slapd[11389]: bdb_dn2entry("o=langhua,c=cn")
Feb  8 03:48:47 localhost slapd[11389]: => bdb_dn2id("o=langhua,c=cn")
Feb  8 03:48:47 localhost slapd[11389]: <= bdb_dn2id: got id=0x1
Feb  8 03:48:47 localhost slapd[11389]: entry_decode: "o=langhua,c=cn"
Feb  8 03:48:47 localhost slapd[11389]: <= entry_decode(o=langhua,c=cn)
Feb  8 03:48:47 localhost slapd[11389]: => access_allowed: auth access to "o=langhua,c=cn" "entry" requested
Feb  8 03:48:47 localhost slapd[11389]: => slap_access_allowed: backend default auth access granted to "(anonymous)"
Feb  8 03:48:47 localhost slapd[11389]: => access_allowed: auth access granted by read(=rscxd)
Feb  8 03:48:47 localhost slapd[11389]: search_candidates: base="o=langhua,c=cn" (0x00000001) scope=2
Feb  8 03:48:47 localhost slapd[11389]: => bdb_dn2idl("o=langhua,c=cn")
Feb  8 03:48:47 localhost slapd[11389]: => bdb_filter_candidates
Feb  8 03:48:47 localhost slapd[11389]: #011AND
Feb  8 03:48:47 localhost slapd[11389]: => bdb_list_candidates 0xa0
Feb  8 03:48:47 localhost slapd[11389]: => bdb_filter_candidates
Feb  8 03:48:47 localhost slapd[11389]: #011OR
Feb  8 03:48:47 localhost slapd[11389]: => bdb_list_candidates 0xa1
Feb  8 03:48:47 localhost slapd[11389]: => bdb_filter_candidates
Feb  8 03:48:47 localhost slapd[11389]: #011EQUALITY
Feb  8 03:48:47 localhost slapd[11389]: => bdb_equality_candidates (objectClass)
Feb  8 03:48:47 localhost slapd[11389]: => key_read
Feb  8 03:48:47 localhost slapd[11389]: bdb_idl_fetch_key: [b49d1940]
Feb  8 03:48:47 localhost slapd[11389]: <= bdb_index_read: failed (-30989)
Feb  8 03:48:47 localhost slapd[11389]: <= bdb_equality_candidates: id=0, first=0, last=0
Feb  8 03:48:47 localhost slapd[11389]: <= bdb_filter_candidates: id=0 first=0 last=0
Feb  8 03:48:47 localhost slapd[11389]: => bdb_filter_candidates
Feb  8 03:48:47 localhost slapd[11389]: #011EQUALITY
Feb  8 03:48:47 localhost slapd[11389]: => bdb_equality_candidates (uid)
Feb  8 03:48:47 localhost slapd[11389]: => key_read
Feb  8 03:48:47 localhost slapd[11389]: bdb_idl_fetch_key: [36e55cac]
Feb  8 03:48:47 localhost slapd[11389]: <= bdb_index_read 1 candidates
Feb  8 03:48:47 localhost slapd[11389]: <= bdb_equality_candidates: id=1, first=79, last=79
Feb  8 03:48:47 localhost slapd[11389]: <= bdb_filter_candidates: id=1 first=79 last=79
Feb  8 03:48:47 localhost slapd[11389]: <= bdb_list_candidates: id=1 first=79 last=79
Feb  8 03:48:47 localhost slapd[11389]: <= bdb_filter_candidates: id=1 first=79 last=79
Feb  8 03:48:47 localhost slapd[11389]: <= bdb_list_candidates: id=1 first=79 last=79
Feb  8 03:48:47 localhost slapd[11389]: <= bdb_filter_candidates: id=1 first=79 last=79
Feb  8 03:48:47 localhost slapd[11389]: bdb_search_candidates: id=1 first=79 last=79
Feb  8 03:48:47 localhost slapd[11389]: entry_decode: "uid=test,ou=beijing,o=langhua,c=cn"
Feb  8 03:48:47 localhost slapd[11389]: <= entry_decode(uid=test,ou=beijing,o=langhua,c=cn)
Feb  8 03:48:47 localhost slapd[11389]: => bdb_dn2id("ou=beijing,o=langhua,c=cn")
Feb  8 03:48:47 localhost slapd[11389]: <= bdb_dn2id: got id=0x3
Feb  8 03:48:47 localhost slapd[11389]: => bdb_dn2id("uid=test,ou=beijing,o=langhua,c=cn")
Feb  8 03:48:47 localhost slapd[11389]: <= bdb_dn2id: got id=0x4f
Feb  8 03:48:47 localhost slapd[11389]: => test_filter
Feb  8 03:48:47 localhost slapd[11389]:     EQUALITY
Feb  8 03:48:47 localhost slapd[11389]: => access_allowed: auth access to "uid=test,ou=beijing,o=langhua,c=cn" "uid" requested
Feb  8 03:48:47 localhost slapd[11389]: => slap_access_allowed: backend default auth access granted to "(anonymous)"
Feb  8 03:48:47 localhost slapd[11389]: => access_allowed: auth access granted by read(=rscxd)
Feb  8 03:48:47 localhost slapd[11389]: <= test_filter 6
Feb  8 03:48:47 localhost slapd[11389]: send_ldap_result: conn=0 op=1 p=3
Feb  8 03:48:47 localhost slapd[11389]: send_ldap_result: err=0 matched="" text=""
Feb  8 03:48:47 localhost slapd[11389]: <==slap_sasl2dn: Converted SASL name to uid=test,ou=beijing,o=langhua,c=cn
Feb  8 03:48:47 localhost slapd[11389]: slap_sasl_getdn: dn:id converted to uid=test,ou=beijing,o=langhua,c=cn
Feb  8 03:48:47 localhost slapd[11389]: SASL Canonicalize [conn=0]: slapAuthcDN="uid=test,ou=beijing,o=langhua,c=cn"
Feb  8 03:48:47 localhost slapd[11389]: => bdb_search
Feb  8 03:48:47 localhost slapd[11389]: bdb_dn2entry("uid=test,ou=beijing,o=langhua,c=cn")
Feb  8 03:48:47 localhost slapd[11389]: => access_allowed: auth access to "uid=test,ou=beijing,o=langhua,c=cn" "entry" requested
Feb  8 03:48:47 localhost slapd[11389]: => slap_access_allowed: backend default auth access granted to "(anonymous)"
Feb  8 03:48:47 localhost slapd[11389]: => access_allowed: auth access granted by read(=rscxd)
Feb  8 03:48:47 localhost slapd[11389]: base_candidates: base: "uid=test,ou=beijing,o=langhua,c=cn" (0x0000004f)
Feb  8 03:48:47 localhost slapd[11389]: => test_filter
Feb  8 03:48:47 localhost slapd[11389]:     PRESENT
Feb  8 03:48:47 localhost slapd[11389]: => access_allowed: auth access to "uid=test,ou=beijing,o=langhua,c=cn" "objectClass" requested
Feb  8 03:48:47 localhost slapd[11389]: => slap_access_allowed: backend default auth access granted to "(anonymous)"
Feb  8 03:48:47 localhost slapd[11389]: => access_allowed: auth access granted by read(=rscxd)
Feb  8 03:48:47 localhost slapd[11389]: <= test_filter 6
Feb  8 03:48:47 localhost slapd[11389]: slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
Feb  8 03:48:47 localhost slapd[11389]: send_ldap_result: conn=0 op=1 p=3
Feb  8 03:48:47 localhost slapd[11389]: send_ldap_result: err=0 matched="" text=""
Feb  8 03:48:47 localhost slapd[11389]: SASL Canonicalize [conn=0]: authzid="test"
Feb  8 03:48:47 localhost slapd[11389]: SASL proxy authorize [conn=0]: authcid="test@dell-d830" authzid="test@dell-d830"
Feb  8 03:48:47 localhost slapd[11389]: SASL Authorize [conn=0]:  proxy authorization allowed authzDN=""
Feb  8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Feb  8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Feb  8 03:48:47 localhost slapd[11389]: daemon: activity on 1 descriptor
Feb  8 03:48:47 localhost slapd[11389]: daemon: activity on:
Feb  8 03:48:47 localhost slapd[11389]:
Feb  8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Feb  8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Feb  8 03:48:47 localhost slapd[11389]: send_ldap_sasl: err=0 len=40
Feb  8 03:48:47 localhost slapd[11389]: do_bind: SASL/DIGEST-MD5 bind: dn="uid=test,ou=beijing,o=langhua,c=cn" sasl_ssf=0
Feb  8 03:48:47 localhost slapd[11389]: send_ldap_response: msgid=2 tag=97 err=0
Feb  8 03:48:47 localhost slapd[11389]: <== slap_sasl_bind: rc=0

That's it. Good luck!

Shi Yusen/Beijing Langhua Ltd.
http://www.langhua.cn/

Versions Compared

Old Version 1

New Version Current

Key

Environment:

Config OpenLDAP DIGEST-MD5

1.

Edit

/etc/openldap/slapd.conf,

add

the

following:

Code Block
password-hash {CLEARTEXT} sasl-realm dell-d830 authz-regexp     uid=(\[^HOWTO Configure CAS for LDAP DIGEST-MD5^,\]*),cn=dell-d830,cn=digest-md5,cn=auth     ldap:///o=langhua,c=cn??sub?(uid=$1) h4.

2.

/etc/init.d/ldap

restart

3.

Add

a

user

to

OpenLDAP

uid=test,ou=beijing,o=langhua,c=cn
...
userPassword
...
is
...
111111

Configure SASL DIGEST-MD5

1.

Add

a

user

to

SASL

Code Block
saslpasswd2 \-c test Password: 111111 Again (for verification): 111111 h4.

2.

Test

SASL

DIGEST-MD5

Configure CAS

Verify DIGEST-MD5 Authentication in CAS

Page Comparison

Versions Compared

Old Version 1

New Version Current

Key

Environment:

Config OpenLDAP DIGEST-MD5

1.

Edit

/etc/openldap/slapd.conf,

add

the

following:

Code Blockpassword-hash {CLEARTEXT} sasl-realm dell-d830 authz-regexp &nbsp;&nbsp;&nbsp; uid=(\[^HOWTO Configure CAS for LDAP DIGEST-MD5^,\]*),cn=dell-d830,cn=digest-md5,cn=auth &nbsp;&nbsp;&nbsp; ldap:///o=langhua,c=cn??sub?(uid=$1) h4.

2.

/etc/init.d/ldap

restart

3.

Add

a

user

to

OpenLDAP

uid=test,ou=beijing,o=langhua,c=cn...userPassword ... is ...111111

Configure SASL DIGEST-MD5

1.

Add

a

user

to

SASL

Code Block*saslpasswd2 \-c test* Password: *111111* Again (for verification): *111111* h4.

2.

Test

SASL

DIGEST-MD5

Configure CAS

Verify DIGEST-MD5 Authentication in CAS

Code Block
password-hash {CLEARTEXT} sasl-realm dell-d830 authz-regexp uid=(\[^HOWTO Configure CAS for LDAP DIGEST-MD5^,\]*),cn=dell-d830,cn=digest-md5,cn=auth ldap:///o=langhua,c=cn??sub?(uid=$1) h4.

uid=test,ou=beijing,o=langhua,c=cn
...
userPassword
...
is
...
111111

Code Block
saslpasswd2 \-c test Password: 111111 Again (for verification): 111111 h4.