Using CAS with two different AD forests
Using CAS with two different AD forests
We had deployed a number of internal web pages using CAS for authentication against an MS Active Directory. After an acquisition, we needed to provide access to these services for users across different AD forests. While configuration would allow MS applications to work for users in the different forests, our web sites would not work until the CAS configuration was updated. We found many pointers online, but none completely spelled out how to use CAS with two different AD environments.
We now have a solution up and running, and I wanted to share it with others who may be interested. Our deployerConfigContext.xml file is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
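<!--
 | Context source for the first AD forest (XXX1.YYY1); the handler list refers to it by the
 | bean id "contextSource-D1". userName/password are the service account CAS binds with.
 |
 | Transport: a "simple" bind carries the password as-is inside the LDAP connection, so the
 | URL uses ldaps:// (LDAP over TLS, default port 636) rather than ldap://. This covers the
 | service account and, presumably, every end-user bind made through this source. The domain
 | controller's certificate has to be trusted by the JVM that runs CAS; addressing the
 | controller by DNS name instead of IP makes certificate name checks workable.
 |
 | Credentials: PASSWORD_FOR_USERNAME1 is a placeholder. Give the service account read-only
 | search rights and nothing more, restrict read access to this file, and keep the real
 | password out of version control.
 +-->
<bean id="contextSource-D1" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
  <!-- Ask for pooled LDAP connections. -->
  <property name="pooled" value="true"/>
  <property name="url" value="ldaps://192.168.10.10/"/>
  <property name="userName" value="username1@XXX1.YYY1"/>
  <property name="password" value="PASSWORD_FOR_USERNAME1"/>
  <property name="baseEnvironmentProperties">
    <map>
      <!-- "simple" = plain name/password bind; only acceptable on an encrypted connection. -->
      <entry>
        <key><value>java.naming.security.authentication</value></key>
        <value>simple</value>
      </entry>
    </map>
  </property>
</bean>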
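<!--
 | Context source for the second AD forest (XXX2.YYY2); the handler list refers to it by the
 | bean id "contextSource-D2". It has its own URL and its own service account.
 |
 | Transport: ldaps:// (LDAP over TLS, default port 636) is used rather than ldap:// because
 | a "simple" bind does not protect the password by itself. The second forest's domain
 | controller certificate must also be trusted by the JVM that runs CAS; a DNS name in the
 | URL, instead of an IP, makes certificate name checks workable.
 |
 | Credentials: PASSWORD_FOR_USERNAME2 is a placeholder. Use a separate, read-only service
 | account per forest, restrict read access to this file, and keep the real password out of
 | version control.
 +-->
<bean id="contextSource-D2" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
  <!-- Ask for pooled LDAP connections. -->
  <property name="pooled" value="true"/>
  <property name="url" value="ldaps://10.250.250.250/"/>
  <property name="userName" value="username2@XXX2.YYY2"/>
  <property name="password" value="PASSWORD_FOR_USERNAME2"/>
  <property name="baseEnvironmentProperties">
    <map>
      <!-- "simple" = plain name/password bind; only acceptable on an encrypted connection. -->
      <entry>
        <key><value>java.naming.security.authentication</value></key>
        <value>simple</value>
      </entry>
    </map>
  </property>
</bean>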
<!--
 | CAS authentication manager: holds the credentials-to-principal resolvers and the ordered
 | list of authentication handlers, one bind handler per AD forest.
 +-->
<bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
  <property name="credentialsToPrincipalResolvers">
    <list>
      <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"/>
      <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver"/>
    </list>
  </property>
  <!--
   | Handlers are tried in the order listed and the first match wins, so a login is checked
   | against forest 2 (contextSource-D2) before forest 1 (contextSource-D1).
   |
   | sAMAccountName must be unique across BOTH forests. NOTE(review): the username/password
   | resolver above presumably yields the bare login name with no forest qualifier, so two
   | people sharing a sAMAccountName would look like one principal to every CAS-protected
   | service, and a login for the forest 1 user would be tried against the forest 2 account
   | first. Confirm, and audit for duplicate names before enabling this.
   |
   | ignorePartialResultException: AD typically answers searches rooted at the domain DN
   | with referrals, which surface as PartialResultException; "yes" tells the handler to
   | ignore them.
   +-->
  <property name="authenticationHandlers">
    <list>
      <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
            p:httpClient-ref="httpClient"/>
      <!-- Forest 2: find the user by sAMAccountName under DC=XXX2,DC=YYY2, then bind as that user. -->
      <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
            p:filter="sAMAccountName=%u"
            p:searchBase="DC=XXX2,DC=YYY2"
            p:contextSource-ref="contextSource-D2"
            p:ignorePartialResultException="yes"/>
      <!-- Forest 1: same lookup under DC=XXX1,DC=YYY1. -->
      <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
            p:filter="sAMAccountName=%u"
            p:searchBase="DC=XXX1,DC=YYY1"
            p:contextSource-ref="contextSource-D1"
            p:ignorePartialResultException="yes"/>
    </list>
  </property>
</bean>
<!--
 | In-memory Acegi user store. The user map is an empty string, so no accounts are defined
 | here. NOTE(review): stock CAS configurations appear to use this bean for the
 | services-management administrators; confirm before adding entries.
 +-->
<bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
  <property name="userMap" value=""/>
</bean>
<!--
 | Stub attribute repository backed by a fixed map. Each value below is a literal string
 | equal to its key, not a value looked up in either AD forest. NOTE(review): services that
 | authorise on released attributes should not rely on these placeholders; confirm what this
 | stub returns per principal.
 +-->
<bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao">
  <property name="backingMap">
    <map>
      <entry key="uid"><value>uid</value></entry>
      <entry key="eduPersonAffiliation"><value>eduPersonAffiliation</value></entry>
      <entry key="groupMembership"><value>groupMembership</value></entry>
    </map>
  </property>
</bean>
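<!--
 | Service registry kept in memory. No services are listed in this bean definition.
 | NOTE(review): an in-memory registry presumably loses any services registered at runtime
 | when CAS restarts; confirm which services this deployment will issue tickets for.
 | The closing ">" of this tag was missing in the listing, which made the file not well-formed.
 +-->
<bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl"/>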
</beans>