HOWTO Configure CAS for LDAP DIGEST-MD5
This tutorial describes how to configure CAS for LDAP DIGEST-MD5 authentication using OpenLDAP. It was authored in response to CAS-664.
Environment:
Server: Fedora 10 + CAS 3.3.1 + Tomcat 5.5.27 + OpenLDAP 2.4.12 + Cyrus SASL 2.1.22
Client: Fedora 10 + Firefox 3 (in the same computor with Server)
Realm: dell-d830
Config OpenLDAP DIGEST-MD5
1. Edit /etc/openldap/slapd.conf, add the following:
password-hash {CLEARTEXT} sasl-realm dell-d830 authz-regexp uid=(\[HOWTO Configure CAS for LDAP DIGEST-MD5^,\]*),cn=dell-d830,cn=digest-md5,cn=auth ldap:///o=langhua,c=cn??sub?(uid=$1)
2. /etc/init.d/ldap restart
3. Add a user to OpenLDAP
uid=test,ou=beijing,o=langhua,c=cn
userPassword is 111111
Configure SASL DIGEST-MD5
1. Add a user to SASL
saslpasswd2 \-c test Password: 111111 Again (for verification): 111111
2. Test SASL DIGEST-MD5
Open a console and run:
sasl2-sample-server Console output: trying 2, 1, 6 trying 10, 1, 6 bind: Address already in use
Open another console and run:
sasl2-sample-client \-m DIGEST-MD5 localhost Console output: receiving capability list... recv: {53} PLAIN CRAM-MD5 ANONYMOUS LOGIN NTLM GSSAPI DIGEST-MD5 PLAIN CRAM-MD5 ANONYMOUS LOGIN NTLM GSSAPI DIGEST-MD5 send: {10} DIGEST-MD5 send: {1} N recv: {114} nonce="i7iU89Jmqj2S8BmExkXbkTwV8TaMdOrh1T803Q2UHw4=",realm="dell-d830",qop="auth",charset=utf-8,algorithm=md5-sess please enter an authentication id: please enter an authorization id: test Password: 111111 send: {231} username="test",realm="dell-d830",nonce="i7iU89Jmqj2S8BmExkXbkTwV8TaMdOrh1T803Q2UHw4=",cnonce="h3prPJs4mCG0XAUJNiEhlISg0BjgS2UcRenpY6S3IuI=",nc=00000001,qop=auth,digest-uri="rcmd/localhost",response=e8f55dabc929152361c6cdcbb0d22532 recv: {40} rspauth=44285575e382f452e158665a2727a493 send: {0} successful authentication closing connection
DIGEST-MD5 is ok.
Configure CAS
Refer to the instructions on the LDAP authentication page for configuring CAS for LDAP authentication. In particular, note the sample DIGEST-MD5 configuration example toward the end of the document.
Verify DIGEST-MD5 Authentication in CAS
Ensure that CAS has been deployed with the LDAP authentication handlers configured and that CAS is running. Browse to http://localhost:8080/cas/login, enter test/111111 to login, which should succeed. The following OpenLDAP log showing a successful DIGEST-MD5 authentication is provided for reference.
Feb 8 03:48:47 localhost slapd[11389]: daemon: activity on 1 descriptor Feb 8 03:48:47 localhost slapd[11389]: daemon: activity on: Feb 8 03:48:47 localhost slapd[11389]: Feb 8 03:48:47 localhost slapd[11389]: slap_listener_activate(7): Feb 8 03:48:47 localhost slapd[11389]: >>> slap_listener(ldap:///) Feb 8 03:48:47 localhost slapd[11389]: daemon: listen=7, new connection on 12 Feb 8 03:48:47 localhost slapd[11389]: daemon: added 12r (active) listener=(nil) Feb 8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=7 active_threads=0 tvp=zero Feb 8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=8 active_threads=0 tvp=zero Feb 8 03:48:47 localhost slapd[11389]: daemon: activity on 1 descriptor Feb 8 03:48:47 localhost slapd[11389]: daemon: activity on: Feb 8 03:48:47 localhost slapd[11389]: Feb 8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=7 active_threads=0 tvp=zero Feb 8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=8 active_threads=0 tvp=zero Feb 8 03:48:47 localhost slapd[11389]: daemon: activity on 1 descriptor Feb 8 03:48:47 localhost slapd[11389]: daemon: activity on: Feb 8 03:48:47 localhost slapd[11389]: 12r Feb 8 03:48:47 localhost slapd[11389]: Feb 8 03:48:47 localhost slapd[11389]: daemon: read active on 12 Feb 8 03:48:47 localhost slapd[11389]: connection_get(12) Feb 8 03:48:47 localhost slapd[11389]: connection_get(12): got connid=0 Feb 8 03:48:47 localhost slapd[11389]: connection_read(12): checking for input on id=0 Feb 8 03:48:47 localhost slapd[11389]: conn=0 op=0 do_bind Feb 8 03:48:47 localhost slapd[11389]: >>> dnPrettyNormal: <> Feb 8 03:48:47 localhost slapd[11389]: <<< dnPrettyNormal: <>, <> Feb 8 03:48:47 localhost slapd[11389]: do_bind: dn () SASL mech DIGEST-MD5 Feb 8 03:48:47 localhost slapd[11389]: ==> sasl_bind: dn="" mech=DIGEST-MD5 datalen=0 Feb 8 03:48:47 localhost slapd[11389]: SASL [conn=0] Debug: DIGEST-MD5 server step 1 Feb 8 03:48:47 localhost slapd[11389]: send_ldap_sasl: err=14 len=182 Feb 8 03:48:47 localhost slapd[11389]: send_ldap_response: msgid=1 tag=97 err=14 Feb 8 03:48:47 localhost slapd[11389]: <== slap_sasl_bind: rc=14 Feb 8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=7 active_threads=0 tvp=zero Feb 8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=8 active_threads=0 tvp=zero Feb 8 03:48:47 localhost slapd[11389]: daemon: activity on 1 descriptor Feb 8 03:48:47 localhost slapd[11389]: daemon: activity on: Feb 8 03:48:47 localhost slapd[11389]: Feb 8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=7 active_threads=0 tvp=zero Feb 8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=8 active_threads=0 tvp=zero Feb 8 03:48:47 localhost slapd[11389]: daemon: activity on 1 descriptor Feb 8 03:48:47 localhost slapd[11389]: daemon: activity on: Feb 8 03:48:47 localhost slapd[11389]: 12r Feb 8 03:48:47 localhost slapd[11389]: Feb 8 03:48:47 localhost slapd[11389]: daemon: read active on 12 Feb 8 03:48:47 localhost slapd[11389]: connection_get(12) Feb 8 03:48:47 localhost slapd[11389]: connection_get(12): got connid=0 Feb 8 03:48:47 localhost slapd[11389]: connection_read(12): checking for input on id=0 Feb 8 03:48:47 localhost slapd[11389]: conn=0 op=1 do_bind Feb 8 03:48:47 localhost slapd[11389]: >>> dnPrettyNormal: <> Feb 8 03:48:47 localhost slapd[11389]: <<< dnPrettyNormal: <>, <> Feb 8 03:48:47 localhost slapd[11389]: do_bind: dn () SASL mech DIGEST-MD5 Feb 8 03:48:47 localhost slapd[11389]: ==> sasl_bind: dn="" mech=<continuing> datalen=255 Feb 8 03:48:47 localhost slapd[11389]: SASL [conn=0] Debug: DIGEST-MD5 server step 2 Feb 8 03:48:47 localhost slapd[11389]: SASL Canonicalize [conn=0]: authcid="test" Feb 8 03:48:47 localhost slapd[11389]: slap_sasl_getdn: conn 0 id=test [len=5] Feb 8 03:48:47 localhost slapd[11389]: slap_sasl_getdn: u:id converted to uid=test,cn=dell-d830,cn=DIGEST-MD5,cn=auth Feb 8 03:48:47 localhost slapd[11389]: >>> dnNormalize: <uid=test,cn=dell-d830,cn=DIGEST-MD5,cn=auth> Feb 8 03:48:47 localhost slapd[11389]: <<< dnNormalize: <uid=test,cn=dell-d830,cn=digest-md5,cn=auth> Feb 8 03:48:47 localhost slapd[11389]: ==>slap_sasl2dn: converting SASL name uid=test,cn=dell-d830,cn=digest-md5,cn=auth to a DN Feb 8 03:48:47 localhost slapd[11389]: [rw] authid: "uid=test,cn=dell-d830,cn=digest-md5,cn=auth" -> "ldap:///o=langhua,c=cn??sub?(uid=test)" Feb 8 03:48:47 localhost slapd[11389]: slap_parseURI: parsing ldap:///o=langhua,c=cn??sub?(uid=test) Feb 8 03:48:47 localhost slapd[11389]: str2filter "(uid=test)" Feb 8 03:48:47 localhost slapd[11389]: begin get_filter Feb 8 03:48:47 localhost slapd[11389]: EQUALITY Feb 8 03:48:47 localhost slapd[11389]: end get_filter 0 Feb 8 03:48:47 localhost slapd[11389]: >>> dnNormalize: <o=langhua,c=cn> Feb 8 03:48:47 localhost slapd[11389]: <<< dnNormalize: <o=langhua,c=cn> Feb 8 03:48:47 localhost slapd[11389]: slap_sasl2dn: performing internal search (base=o=langhua,c=cn, scope=2) Feb 8 03:48:47 localhost slapd[11389]: => bdb_search Feb 8 03:48:47 localhost slapd[11389]: bdb_dn2entry("o=langhua,c=cn") Feb 8 03:48:47 localhost slapd[11389]: => bdb_dn2id("o=langhua,c=cn") Feb 8 03:48:47 localhost slapd[11389]: <= bdb_dn2id: got id=0x1 Feb 8 03:48:47 localhost slapd[11389]: entry_decode: "o=langhua,c=cn" Feb 8 03:48:47 localhost slapd[11389]: <= entry_decode(o=langhua,c=cn) Feb 8 03:48:47 localhost slapd[11389]: => access_allowed: auth access to "o=langhua,c=cn" "entry" requested Feb 8 03:48:47 localhost slapd[11389]: => slap_access_allowed: backend default auth access granted to "(anonymous)" Feb 8 03:48:47 localhost slapd[11389]: => access_allowed: auth access granted by read(=rscxd) Feb 8 03:48:47 localhost slapd[11389]: search_candidates: base="o=langhua,c=cn" (0x00000001) scope=2 Feb 8 03:48:47 localhost slapd[11389]: => bdb_dn2idl("o=langhua,c=cn") Feb 8 03:48:47 localhost slapd[11389]: => bdb_filter_candidates Feb 8 03:48:47 localhost slapd[11389]: #011AND Feb 8 03:48:47 localhost slapd[11389]: => bdb_list_candidates 0xa0 Feb 8 03:48:47 localhost slapd[11389]: => bdb_filter_candidates Feb 8 03:48:47 localhost slapd[11389]: #011OR Feb 8 03:48:47 localhost slapd[11389]: => bdb_list_candidates 0xa1 Feb 8 03:48:47 localhost slapd[11389]: => bdb_filter_candidates Feb 8 03:48:47 localhost slapd[11389]: #011EQUALITY Feb 8 03:48:47 localhost slapd[11389]: => bdb_equality_candidates (objectClass) Feb 8 03:48:47 localhost slapd[11389]: => key_read Feb 8 03:48:47 localhost slapd[11389]: bdb_idl_fetch_key: [b49d1940] Feb 8 03:48:47 localhost slapd[11389]: <= bdb_index_read: failed (-30989) Feb 8 03:48:47 localhost slapd[11389]: <= bdb_equality_candidates: id=0, first=0, last=0 Feb 8 03:48:47 localhost slapd[11389]: <= bdb_filter_candidates: id=0 first=0 last=0 Feb 8 03:48:47 localhost slapd[11389]: => bdb_filter_candidates Feb 8 03:48:47 localhost slapd[11389]: #011EQUALITY Feb 8 03:48:47 localhost slapd[11389]: => bdb_equality_candidates (uid) Feb 8 03:48:47 localhost slapd[11389]: => key_read Feb 8 03:48:47 localhost slapd[11389]: bdb_idl_fetch_key: [36e55cac] Feb 8 03:48:47 localhost slapd[11389]: <= bdb_index_read 1 candidates Feb 8 03:48:47 localhost slapd[11389]: <= bdb_equality_candidates: id=1, first=79, last=79 Feb 8 03:48:47 localhost slapd[11389]: <= bdb_filter_candidates: id=1 first=79 last=79 Feb 8 03:48:47 localhost slapd[11389]: <= bdb_list_candidates: id=1 first=79 last=79 Feb 8 03:48:47 localhost slapd[11389]: <= bdb_filter_candidates: id=1 first=79 last=79 Feb 8 03:48:47 localhost slapd[11389]: <= bdb_list_candidates: id=1 first=79 last=79 Feb 8 03:48:47 localhost slapd[11389]: <= bdb_filter_candidates: id=1 first=79 last=79 Feb 8 03:48:47 localhost slapd[11389]: bdb_search_candidates: id=1 first=79 last=79 Feb 8 03:48:47 localhost slapd[11389]: entry_decode: "uid=test,ou=beijing,o=langhua,c=cn" Feb 8 03:48:47 localhost slapd[11389]: <= entry_decode(uid=test,ou=beijing,o=langhua,c=cn) Feb 8 03:48:47 localhost slapd[11389]: => bdb_dn2id("ou=beijing,o=langhua,c=cn") Feb 8 03:48:47 localhost slapd[11389]: <= bdb_dn2id: got id=0x3 Feb 8 03:48:47 localhost slapd[11389]: => bdb_dn2id("uid=test,ou=beijing,o=langhua,c=cn") Feb 8 03:48:47 localhost slapd[11389]: <= bdb_dn2id: got id=0x4f Feb 8 03:48:47 localhost slapd[11389]: => test_filter Feb 8 03:48:47 localhost slapd[11389]: EQUALITY Feb 8 03:48:47 localhost slapd[11389]: => access_allowed: auth access to "uid=test,ou=beijing,o=langhua,c=cn" "uid" requested Feb 8 03:48:47 localhost slapd[11389]: => slap_access_allowed: backend default auth access granted to "(anonymous)" Feb 8 03:48:47 localhost slapd[11389]: => access_allowed: auth access granted by read(=rscxd) Feb 8 03:48:47 localhost slapd[11389]: <= test_filter 6 Feb 8 03:48:47 localhost slapd[11389]: send_ldap_result: conn=0 op=1 p=3 Feb 8 03:48:47 localhost slapd[11389]: send_ldap_result: err=0 matched="" text="" Feb 8 03:48:47 localhost slapd[11389]: <==slap_sasl2dn: Converted SASL name to uid=test,ou=beijing,o=langhua,c=cn Feb 8 03:48:47 localhost slapd[11389]: slap_sasl_getdn: dn:id converted to uid=test,ou=beijing,o=langhua,c=cn Feb 8 03:48:47 localhost slapd[11389]: SASL Canonicalize [conn=0]: slapAuthcDN="uid=test,ou=beijing,o=langhua,c=cn" Feb 8 03:48:47 localhost slapd[11389]: => bdb_search Feb 8 03:48:47 localhost slapd[11389]: bdb_dn2entry("uid=test,ou=beijing,o=langhua,c=cn") Feb 8 03:48:47 localhost slapd[11389]: => access_allowed: auth access to "uid=test,ou=beijing,o=langhua,c=cn" "entry" requested Feb 8 03:48:47 localhost slapd[11389]: => slap_access_allowed: backend default auth access granted to "(anonymous)" Feb 8 03:48:47 localhost slapd[11389]: => access_allowed: auth access granted by read(=rscxd) Feb 8 03:48:47 localhost slapd[11389]: base_candidates: base: "uid=test,ou=beijing,o=langhua,c=cn" (0x0000004f) Feb 8 03:48:47 localhost slapd[11389]: => test_filter Feb 8 03:48:47 localhost slapd[11389]: PRESENT Feb 8 03:48:47 localhost slapd[11389]: => access_allowed: auth access to "uid=test,ou=beijing,o=langhua,c=cn" "objectClass" requested Feb 8 03:48:47 localhost slapd[11389]: => slap_access_allowed: backend default auth access granted to "(anonymous)" Feb 8 03:48:47 localhost slapd[11389]: => access_allowed: auth access granted by read(=rscxd) Feb 8 03:48:47 localhost slapd[11389]: <= test_filter 6 Feb 8 03:48:47 localhost slapd[11389]: slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined Feb 8 03:48:47 localhost slapd[11389]: send_ldap_result: conn=0 op=1 p=3 Feb 8 03:48:47 localhost slapd[11389]: send_ldap_result: err=0 matched="" text="" Feb 8 03:48:47 localhost slapd[11389]: SASL Canonicalize [conn=0]: authzid="test" Feb 8 03:48:47 localhost slapd[11389]: SASL proxy authorize [conn=0]: authcid="test@dell-d830" authzid="test@dell-d830" Feb 8 03:48:47 localhost slapd[11389]: SASL Authorize [conn=0]: proxy authorization allowed authzDN="" Feb 8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=7 active_threads=0 tvp=zero Feb 8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=8 active_threads=0 tvp=zero Feb 8 03:48:47 localhost slapd[11389]: daemon: activity on 1 descriptor Feb 8 03:48:47 localhost slapd[11389]: daemon: activity on: Feb 8 03:48:47 localhost slapd[11389]: Feb 8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=7 active_threads=0 tvp=zero Feb 8 03:48:47 localhost slapd[11389]: daemon: epoll: listen=8 active_threads=0 tvp=zero Feb 8 03:48:47 localhost slapd[11389]: send_ldap_sasl: err=0 len=40 Feb 8 03:48:47 localhost slapd[11389]: do_bind: SASL/DIGEST-MD5 bind: dn="uid=test,ou=beijing,o=langhua,c=cn" sasl_ssf=0 Feb 8 03:48:47 localhost slapd[11389]: send_ldap_response: msgid=2 tag=97 err=0 Feb 8 03:48:47 localhost slapd[11389]: <== slap_sasl_bind: rc=0
That's it. Good luck!
Shi Yusen/Beijing Langhua Ltd.
http://www.langhua.cn/