HOWTO Configure CAS for LDAP DIGEST-MD5

This tutorial describes how to configure CAS for LDAP DIGEST-MD5 authentication using OpenLDAP. It was authored in response to CAS-664.

Environment:

Server: Fedora 10 + CAS 3.3.1 + Tomcat 5.5.27 + OpenLDAP 2.4.12 + Cyrus SASL 2.1.22

Client: Fedora 10 + Firefox 3 (in the same computor with Server)

Realm: dell-d830

Config OpenLDAP DIGEST-MD5

1. Edit /etc/openldap/slapd.conf, add the following:

password-hash {CLEARTEXT}
sasl-realm dell-d830
authz-regexp
    uid=(\[HOWTO Configure CAS for LDAP DIGEST-MD5^,\]*),cn=dell-d830,cn=digest-md5,cn=auth
    ldap:///o=langhua,c=cn??sub?(uid=$1)

2. /etc/init.d/ldap restart

3. Add a user to OpenLDAP

uid=test,ou=beijing,o=langhua,c=cn

userPassword is 111111

Configure SASL DIGEST-MD5

1. Add a user to SASL

saslpasswd2 \-c test

Password: 111111

Again (for verification): 111111

2. Test SASL DIGEST-MD5

Open a console and run:

sasl2-sample-server

Console output:

trying 2, 1, 6
trying 10, 1, 6
bind: Address already in use

Open another console and run:

sasl2-sample-client \-m DIGEST-MD5 localhost

Console output:

receiving capability list... recv:
{53}
PLAIN CRAM-MD5 ANONYMOUS LOGIN NTLM GSSAPI DIGEST-MD5
PLAIN CRAM-MD5 ANONYMOUS LOGIN NTLM GSSAPI DIGEST-MD5
send:
{10}
DIGEST-MD5
send:
{1}
N
recv:
{114}
nonce="i7iU89Jmqj2S8BmExkXbkTwV8TaMdOrh1T803Q2UHw4=",realm="dell-d830",qop="auth",charset=utf-8,algorithm=md5-sess
please enter an authentication id:
please enter an authorization id: test
Password: 111111
send:
{231}
username="test",realm="dell-d830",nonce="i7iU89Jmqj2S8BmExkXbkTwV8TaMdOrh1T803Q2UHw4=",cnonce="h3prPJs4mCG0XAUJNiEhlISg0BjgS2UcRenpY6S3IuI=",nc=00000001,qop=auth,digest-uri="rcmd/localhost",response=e8f55dabc929152361c6cdcbb0d22532
recv:
{40}
rspauth=44285575e382f452e158665a2727a493
send:
{0}
successful authentication
closing connection

DIGEST-MD5 is ok.

Configure CAS

Refer to the instructions on the LDAP authentication page for configuring CAS for LDAP authentication. In particular, note the sample DIGEST-MD5 configuration example toward the end of the document.

Verify DIGEST-MD5 Authentication in CAS

Ensure that CAS has been deployed with the LDAP authentication handlers configured and that CAS is running. Browse to http://localhost:8080/cas/login, enter test/111111 to login, which should succeed. The following OpenLDAP log showing a successful DIGEST-MD5 authentication is provided for reference.

OpenLDAP slapd.log Showing Successful DIGEST-MD5 Authentication
Feb  8 03:48:47 localhost slapd[11389]: daemon: activity on 1 descriptor
Feb  8 03:48:47 localhost slapd[11389]: daemon: activity on:
Feb  8 03:48:47 localhost slapd[11389]:
Feb  8 03:48:47 localhost slapd[11389]: slap_listener_activate(7):
Feb  8 03:48:47 localhost slapd[11389]: >>> slap_listener(ldap:///)
Feb  8 03:48:47 localhost slapd[11389]: daemon: listen=7, new connection on 12
Feb  8 03:48:47 localhost slapd[11389]: daemon: added 12r (active) listener=(nil)
Feb  8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Feb  8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Feb  8 03:48:47 localhost slapd[11389]: daemon: activity on 1 descriptor
Feb  8 03:48:47 localhost slapd[11389]: daemon: activity on:
Feb  8 03:48:47 localhost slapd[11389]:
Feb  8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Feb  8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Feb  8 03:48:47 localhost slapd[11389]: daemon: activity on 1 descriptor
Feb  8 03:48:47 localhost slapd[11389]: daemon: activity on:
Feb  8 03:48:47 localhost slapd[11389]:  12r
Feb  8 03:48:47 localhost slapd[11389]:
Feb  8 03:48:47 localhost slapd[11389]: daemon: read active on 12
Feb  8 03:48:47 localhost slapd[11389]: connection_get(12)
Feb  8 03:48:47 localhost slapd[11389]: connection_get(12): got connid=0
Feb  8 03:48:47 localhost slapd[11389]: connection_read(12): checking for input on id=0
Feb  8 03:48:47 localhost slapd[11389]: conn=0 op=0 do_bind
Feb  8 03:48:47 localhost slapd[11389]: >>> dnPrettyNormal: <>
Feb  8 03:48:47 localhost slapd[11389]: <<< dnPrettyNormal: <>, <>
Feb  8 03:48:47 localhost slapd[11389]: do_bind: dn () SASL mech DIGEST-MD5
Feb  8 03:48:47 localhost slapd[11389]: ==> sasl_bind: dn="" mech=DIGEST-MD5 datalen=0
Feb  8 03:48:47 localhost slapd[11389]: SASL [conn=0] Debug: DIGEST-MD5 server step 1
Feb  8 03:48:47 localhost slapd[11389]: send_ldap_sasl: err=14 len=182
Feb  8 03:48:47 localhost slapd[11389]: send_ldap_response: msgid=1 tag=97 err=14
Feb  8 03:48:47 localhost slapd[11389]: <== slap_sasl_bind: rc=14
Feb  8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Feb  8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Feb  8 03:48:47 localhost slapd[11389]: daemon: activity on 1 descriptor
Feb  8 03:48:47 localhost slapd[11389]: daemon: activity on:
Feb  8 03:48:47 localhost slapd[11389]:
Feb  8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Feb  8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Feb  8 03:48:47 localhost slapd[11389]: daemon: activity on 1 descriptor
Feb  8 03:48:47 localhost slapd[11389]: daemon: activity on:
Feb  8 03:48:47 localhost slapd[11389]:  12r
Feb  8 03:48:47 localhost slapd[11389]:
Feb  8 03:48:47 localhost slapd[11389]: daemon: read active on 12
Feb  8 03:48:47 localhost slapd[11389]: connection_get(12)
Feb  8 03:48:47 localhost slapd[11389]: connection_get(12): got connid=0
Feb  8 03:48:47 localhost slapd[11389]: connection_read(12): checking for input on id=0
Feb  8 03:48:47 localhost slapd[11389]: conn=0 op=1 do_bind
Feb  8 03:48:47 localhost slapd[11389]: >>> dnPrettyNormal: <>
Feb  8 03:48:47 localhost slapd[11389]: <<< dnPrettyNormal: <>, <>
Feb  8 03:48:47 localhost slapd[11389]: do_bind: dn () SASL mech DIGEST-MD5
Feb  8 03:48:47 localhost slapd[11389]: ==> sasl_bind: dn="" mech=<continuing> datalen=255
Feb  8 03:48:47 localhost slapd[11389]: SASL [conn=0] Debug: DIGEST-MD5 server step 2
Feb  8 03:48:47 localhost slapd[11389]: SASL Canonicalize [conn=0]: authcid="test"
Feb  8 03:48:47 localhost slapd[11389]: slap_sasl_getdn: conn 0 id=test [len=5]
Feb  8 03:48:47 localhost slapd[11389]: slap_sasl_getdn: u:id converted to uid=test,cn=dell-d830,cn=DIGEST-MD5,cn=auth
Feb  8 03:48:47 localhost slapd[11389]: >>> dnNormalize: <uid=test,cn=dell-d830,cn=DIGEST-MD5,cn=auth>
Feb  8 03:48:47 localhost slapd[11389]: <<< dnNormalize: <uid=test,cn=dell-d830,cn=digest-md5,cn=auth>
Feb  8 03:48:47 localhost slapd[11389]: ==>slap_sasl2dn: converting SASL name uid=test,cn=dell-d830,cn=digest-md5,cn=auth to a DN
Feb  8 03:48:47 localhost slapd[11389]: [rw] authid: "uid=test,cn=dell-d830,cn=digest-md5,cn=auth" -> "ldap:///o=langhua,c=cn??sub?(uid=test)"
Feb  8 03:48:47 localhost slapd[11389]: slap_parseURI: parsing ldap:///o=langhua,c=cn??sub?(uid=test)
Feb  8 03:48:47 localhost slapd[11389]: str2filter "(uid=test)"
Feb  8 03:48:47 localhost slapd[11389]: begin get_filter
Feb  8 03:48:47 localhost slapd[11389]: EQUALITY
Feb  8 03:48:47 localhost slapd[11389]: end get_filter 0
Feb  8 03:48:47 localhost slapd[11389]: >>> dnNormalize: <o=langhua,c=cn>
Feb  8 03:48:47 localhost slapd[11389]: <<< dnNormalize: <o=langhua,c=cn>
Feb  8 03:48:47 localhost slapd[11389]: slap_sasl2dn: performing internal search (base=o=langhua,c=cn, scope=2)
Feb  8 03:48:47 localhost slapd[11389]: => bdb_search
Feb  8 03:48:47 localhost slapd[11389]: bdb_dn2entry("o=langhua,c=cn")
Feb  8 03:48:47 localhost slapd[11389]: => bdb_dn2id("o=langhua,c=cn")
Feb  8 03:48:47 localhost slapd[11389]: <= bdb_dn2id: got id=0x1
Feb  8 03:48:47 localhost slapd[11389]: entry_decode: "o=langhua,c=cn"
Feb  8 03:48:47 localhost slapd[11389]: <= entry_decode(o=langhua,c=cn)
Feb  8 03:48:47 localhost slapd[11389]: => access_allowed: auth access to "o=langhua,c=cn" "entry" requested
Feb  8 03:48:47 localhost slapd[11389]: => slap_access_allowed: backend default auth access granted to "(anonymous)"
Feb  8 03:48:47 localhost slapd[11389]: => access_allowed: auth access granted by read(=rscxd)
Feb  8 03:48:47 localhost slapd[11389]: search_candidates: base="o=langhua,c=cn" (0x00000001) scope=2
Feb  8 03:48:47 localhost slapd[11389]: => bdb_dn2idl("o=langhua,c=cn")
Feb  8 03:48:47 localhost slapd[11389]: => bdb_filter_candidates
Feb  8 03:48:47 localhost slapd[11389]: #011AND
Feb  8 03:48:47 localhost slapd[11389]: => bdb_list_candidates 0xa0
Feb  8 03:48:47 localhost slapd[11389]: => bdb_filter_candidates
Feb  8 03:48:47 localhost slapd[11389]: #011OR
Feb  8 03:48:47 localhost slapd[11389]: => bdb_list_candidates 0xa1
Feb  8 03:48:47 localhost slapd[11389]: => bdb_filter_candidates
Feb  8 03:48:47 localhost slapd[11389]: #011EQUALITY
Feb  8 03:48:47 localhost slapd[11389]: => bdb_equality_candidates (objectClass)
Feb  8 03:48:47 localhost slapd[11389]: => key_read
Feb  8 03:48:47 localhost slapd[11389]: bdb_idl_fetch_key: [b49d1940]
Feb  8 03:48:47 localhost slapd[11389]: <= bdb_index_read: failed (-30989)
Feb  8 03:48:47 localhost slapd[11389]: <= bdb_equality_candidates: id=0, first=0, last=0
Feb  8 03:48:47 localhost slapd[11389]: <= bdb_filter_candidates: id=0 first=0 last=0
Feb  8 03:48:47 localhost slapd[11389]: => bdb_filter_candidates
Feb  8 03:48:47 localhost slapd[11389]: #011EQUALITY
Feb  8 03:48:47 localhost slapd[11389]: => bdb_equality_candidates (uid)
Feb  8 03:48:47 localhost slapd[11389]: => key_read
Feb  8 03:48:47 localhost slapd[11389]: bdb_idl_fetch_key: [36e55cac]
Feb  8 03:48:47 localhost slapd[11389]: <= bdb_index_read 1 candidates
Feb  8 03:48:47 localhost slapd[11389]: <= bdb_equality_candidates: id=1, first=79, last=79
Feb  8 03:48:47 localhost slapd[11389]: <= bdb_filter_candidates: id=1 first=79 last=79
Feb  8 03:48:47 localhost slapd[11389]: <= bdb_list_candidates: id=1 first=79 last=79
Feb  8 03:48:47 localhost slapd[11389]: <= bdb_filter_candidates: id=1 first=79 last=79
Feb  8 03:48:47 localhost slapd[11389]: <= bdb_list_candidates: id=1 first=79 last=79
Feb  8 03:48:47 localhost slapd[11389]: <= bdb_filter_candidates: id=1 first=79 last=79
Feb  8 03:48:47 localhost slapd[11389]: bdb_search_candidates: id=1 first=79 last=79
Feb  8 03:48:47 localhost slapd[11389]: entry_decode: "uid=test,ou=beijing,o=langhua,c=cn"
Feb  8 03:48:47 localhost slapd[11389]: <= entry_decode(uid=test,ou=beijing,o=langhua,c=cn)
Feb  8 03:48:47 localhost slapd[11389]: => bdb_dn2id("ou=beijing,o=langhua,c=cn")
Feb  8 03:48:47 localhost slapd[11389]: <= bdb_dn2id: got id=0x3
Feb  8 03:48:47 localhost slapd[11389]: => bdb_dn2id("uid=test,ou=beijing,o=langhua,c=cn")
Feb  8 03:48:47 localhost slapd[11389]: <= bdb_dn2id: got id=0x4f
Feb  8 03:48:47 localhost slapd[11389]: => test_filter
Feb  8 03:48:47 localhost slapd[11389]:     EQUALITY
Feb  8 03:48:47 localhost slapd[11389]: => access_allowed: auth access to "uid=test,ou=beijing,o=langhua,c=cn" "uid" requested
Feb  8 03:48:47 localhost slapd[11389]: => slap_access_allowed: backend default auth access granted to "(anonymous)"
Feb  8 03:48:47 localhost slapd[11389]: => access_allowed: auth access granted by read(=rscxd)
Feb  8 03:48:47 localhost slapd[11389]: <= test_filter 6
Feb  8 03:48:47 localhost slapd[11389]: send_ldap_result: conn=0 op=1 p=3
Feb  8 03:48:47 localhost slapd[11389]: send_ldap_result: err=0 matched="" text=""
Feb  8 03:48:47 localhost slapd[11389]: <==slap_sasl2dn: Converted SASL name to uid=test,ou=beijing,o=langhua,c=cn
Feb  8 03:48:47 localhost slapd[11389]: slap_sasl_getdn: dn:id converted to uid=test,ou=beijing,o=langhua,c=cn
Feb  8 03:48:47 localhost slapd[11389]: SASL Canonicalize [conn=0]: slapAuthcDN="uid=test,ou=beijing,o=langhua,c=cn"
Feb  8 03:48:47 localhost slapd[11389]: => bdb_search
Feb  8 03:48:47 localhost slapd[11389]: bdb_dn2entry("uid=test,ou=beijing,o=langhua,c=cn")
Feb  8 03:48:47 localhost slapd[11389]: => access_allowed: auth access to "uid=test,ou=beijing,o=langhua,c=cn" "entry" requested
Feb  8 03:48:47 localhost slapd[11389]: => slap_access_allowed: backend default auth access granted to "(anonymous)"
Feb  8 03:48:47 localhost slapd[11389]: => access_allowed: auth access granted by read(=rscxd)
Feb  8 03:48:47 localhost slapd[11389]: base_candidates: base: "uid=test,ou=beijing,o=langhua,c=cn" (0x0000004f)
Feb  8 03:48:47 localhost slapd[11389]: => test_filter
Feb  8 03:48:47 localhost slapd[11389]:     PRESENT
Feb  8 03:48:47 localhost slapd[11389]: => access_allowed: auth access to "uid=test,ou=beijing,o=langhua,c=cn" "objectClass" requested
Feb  8 03:48:47 localhost slapd[11389]: => slap_access_allowed: backend default auth access granted to "(anonymous)"
Feb  8 03:48:47 localhost slapd[11389]: => access_allowed: auth access granted by read(=rscxd)
Feb  8 03:48:47 localhost slapd[11389]: <= test_filter 6
Feb  8 03:48:47 localhost slapd[11389]: slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
Feb  8 03:48:47 localhost slapd[11389]: send_ldap_result: conn=0 op=1 p=3
Feb  8 03:48:47 localhost slapd[11389]: send_ldap_result: err=0 matched="" text=""
Feb  8 03:48:47 localhost slapd[11389]: SASL Canonicalize [conn=0]: authzid="test"
Feb  8 03:48:47 localhost slapd[11389]: SASL proxy authorize [conn=0]: authcid="test@dell-d830" authzid="test@dell-d830"
Feb  8 03:48:47 localhost slapd[11389]: SASL Authorize [conn=0]:  proxy authorization allowed authzDN=""
Feb  8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Feb  8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Feb  8 03:48:47 localhost slapd[11389]: daemon: activity on 1 descriptor
Feb  8 03:48:47 localhost slapd[11389]: daemon: activity on:
Feb  8 03:48:47 localhost slapd[11389]:
Feb  8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Feb  8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Feb  8 03:48:47 localhost slapd[11389]: send_ldap_sasl: err=0 len=40
Feb  8 03:48:47 localhost slapd[11389]: do_bind: SASL/DIGEST-MD5 bind: dn="uid=test,ou=beijing,o=langhua,c=cn" sasl_ssf=0
Feb  8 03:48:47 localhost slapd[11389]: send_ldap_response: msgid=2 tag=97 err=0
Feb  8 03:48:47 localhost slapd[11389]: <== slap_sasl_bind: rc=0




That's it. Good luck!

Shi Yusen/Beijing Langhua Ltd.
http://www.langhua.cn/