Requirements
1. OpenCms is authenticated by CAS + LDAP.
2. OpenCms is authorized by CAS + LDAP.
3. Support OpenCms OU.
4. CAS will search LDAP for groups and roles when validating, not authenticating.
5. Validation URI can be customised, not /serviceValidate only.
6. Easy to extend the module to support CAS + DATABASE.
Environments
Tested in Fedora 10, OpenJDK 1.6.0, Tomcat 5.5.27, OpenCms7.0.5, CAS3.3.1, OpenLDAP 2.4.12.
Login Procedure
Module Parameters
Module parameters for authentication handler:
Attribute: a expression to mapping the username to an LDAP attribute, such as uid=%u@langhua.cn or cn=Shi Yusen, default is uid=u%. AuthenType: the authen type of LDAP server, default value is simple. AuthenticationHandler: the handler to authen the user's login, can be cn.langhua.opencms.ldap.cas.CmsCasAuthenticationHandler or cn.langhua.opencms.ldap.openldap.CmsLdapAuthenticationHandler, default is the LDAP one. AutoUserRoleName: when a new user added according to the login server, the default role type of this user. If empty, the user will be only in the User group without any role. BaseDN: the base DN of LDAP server, such as dc=example,dc=com. No default value. CasLoginUri: the uri to CAS login, default is /login. CasUrl: the url to visit CAS server, default is https://localhost:8443/cas. CasValidateUri: the uri to CAS validate, default is /validate. Filter: the filter to login LDAP server, default is (objectclass=*). Scope: the scope to search LDAP, default is sub which means search subtree from the BaseDN. URL: the URL of the LDAP server, ldap://localhost:389. UseCmsLoginWhenLDAPFail: When LDAP connection or login failed, whether using OpenCms login instead. Default value is true.
You have to config your CAS server to use LDAP as the above parameters configed.
How to validate service ticket
I use CAS 1.0 protocal to validate service ticket in the login procedure.
String ticket = CmsRequestUtil.getNotEmptyParameter(getRequest(), PARAM_TICKET);
CmsModule ldapModule = OpenCms.getModuleManager().getModule("cn.langhua.opencms.ldap");
if (ldapModule != null) {
String casUrl = ldapModule.getParameter("CasUrl", "https://localhost:8443/cas");
String loginUri = ldapModule.getParameter("CasLoginUri", "/login");
String validateUri = ldapModule.getParameter("CasValidateUri", "/validate");
String serviceUrl = getRequest().getRequestURL().toString();
String url = URLEncoder.encode(serviceUrl, "UTF-8");
if (ticket == null) {
getResponse().sendRedirect(casUrl + loginUri + "?service=" + url);
} else {
// there's a ticket, we should validate the ticket
URL validateURL = new URL(casUrl + validateUri + "?" + PARAM_TICKET + "=" + ticket + "&" + PARAM_SERVICE + "=" + url);
URLConnection conn = validateURL.openConnection();
InputStreamReader result = new InputStreamReader(conn.getInputStream(), "UTF-8");
BufferedReader reader = new BufferedReader(result);
String oneline = reader.readLine();
if (CmsStringUtil.isNotEmpty(oneline) && oneline.equals("yes")) {
// the ticket is true
m_username = reader.readLine().trim();
m_password = "cas_login";
m_actionLogin = "true";
reader.close();
result.close();
} else {
// the ticket is false, forward the request to cas login page
reader.close();
result.close();
getResponse().sendRedirect(casUrl + loginUri + "?service=" + url);
}
}
}
/system/login/index.html
Please replace the /system/login/index.html with /system/modules/cn.langhua.opencms.ldap/login/index_cas.html, and then you'll use CAS login page to login your OpenCms.
Note: Your CAS server must have SSL configured properly or it will return an error. Also this version only works for 7.0.1 and only supports LDAP connection of no authentication.
Check the OpenCMS forums for details on integrating with 7.0.3
How to get the module and the source code
Download the module: http://sourceforge.net/project/showfiles.php?group_id=163225
The source code: http://opencms-ldap.svn.sourceforge.net/viewvc/opencms-ldap/OpenCms-7.0.1-CAS-3.1-OpenLDAP/;
Shi Yusen/Beijing Langhua Ltd.