3/13/2014

How to Use a CAS with Active Directory


# reconfig authentication handlers
# open the Spring context file that declares the CAS authentication handlers
cd /opt/cas-server-3.4.11/cas-server-webapp/src/main/webapp/WEB-INF; vi deployerConfigContext.xml

# replace this section
<!-- Existing default handler list in deployerConfigContext.xml, shown for reference only;
     the replacement block follows. -->
<property name="authenticationHandlers">
<list>
<!--
    | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
    | a server side SSL certificate.
    +-->
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
    p:httpClient-ref="httpClient" />
<!--
    | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
    | into production.  The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
    | where the username equals the password.  You will need to replace this with an AuthenticationHandler that implements your
    | local authentication strategy.  You might accomplish this by coding a new such handler and declaring
    | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
    +-->
<bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
</list>
</property>

# with this
<!-- Replacement handler list: the SSL callback handler for services is kept, and the
     username-equals-password test handler is replaced with an LDAP bind against Active Directory.
     The p: shorthand relies on the "p" namespace already declared on the <beans> root
     (the original file uses p:httpClient-ref). -->
<property name="authenticationHandlers">
<list>
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
p:httpClient-ref="httpClient" />
<!-- Authenticates a login by locating the AD account whose sAMAccountName equals the
     submitted username (%u) and then, presumably, binding as that account with the
     submitted password - confirm against the handler's documentation.
     Whether %u is escaped for LDAP filter metacharacters before substitution is not
     visible here; confirm it, because an unescaped value would let the submitted
     username alter the search filter.
     searchBase: replace DC=my,DC=domain,DC=com with the DN of your domain.
     contextSource-ref: the LdapContextSource bean added at the end of the file; its
     userDn/password are used for the lookup, not for the user's own authentication.
     ignorePartialResultException: typically required with AD, which answers
     searches from the domain root with referrals. -->
<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
p:filter="sAMAccountName=%u"
p:searchBase="DC=my,DC=domain,DC=com"
p:contextSource-ref="contextSource"
p:ignorePartialResultException="true"/>
</list>
</property>

# replace this section
<!-- Existing stub attribute repository, shown for reference only; it returns fixed values
     rather than looking the user up. The LDAP-backed replacement follows. -->
<bean id="attributeRepository"
class="org.jasig.services.persondir.support.StubPersonAttributeDao">
<property name="backingMap">
<map>
<entry key="uid" value="uid" />
<entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
<entry key="groupMembership" value="groupMembership" />
</map>
</property>
</bean>

# with this
<!-- Attribute repository backed by Active Directory: after authentication CAS looks the
     user up through the shared contextSource bean and releases the mapped attributes.
     baseDN: replace DC=my,DC=domain,DC=com with the DN of your domain.
     requireAllQueryAttributes=true: presumably the lookup is skipped unless every query
     attribute (here only "username") is available - confirm in the person-directory docs.
     queryAttributeMapping: the CAS principal id ("username") is matched against the
     AD sAMAccountName attribute.
     resultAttributeMapping: the AD "cn" attribute is exposed to services under the
     name "Name"; add further entries here for any other attributes you intend to
     release, and keep the set to what consuming services actually need. -->
<bean id="attributeRepository"
class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
<property name="baseDN" value="DC=my,DC=domain,DC=com"/>
<property name="contextSource" ref="contextSource"/>
<property name="requireAllQueryAttributes" value="true"/>
<property name="queryAttributeMapping">
<map>
<entry key="username" value="sAMAccountName"/>
</map>
</property>
<property name="resultAttributeMapping">
<map>
<entry key="cn" value="Name"/>
</map>
</property>
</bean>

# add the following before the </beans> tag
<!-- LDAP connection shared by the bind handler and the attribute repository above.
     url: ldaps (LDAP over TLS) to the AD global-catalog SSL port 3269; replace the
     sample IP with your domain controller. Because the scheme is ldaps, the JVM must
     trust the controller's server certificate (import it into the truststore if it is
     not issued by a CA the JVM already trusts) or the connection will be rejected.
     Do not downgrade to ldap:// - see the note on security.authentication below.
     userDn/password: the service account used for directory searches. Use an account
     with read-only rights sufficient for the lookups; the password is stored in
     plaintext in this file, so restrict the file's permissions to the tomcat user
     and replace the ********** placeholder only when deploying.
     pooled=false: a fresh connection per request rather than a connection pool.
     connect/read timeouts are in milliseconds.
     java.naming.security.authentication=simple: the bind sends the DN and password
     directly, protected only by the TLS session the ldaps URL provides. -->
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
<property name="pooled" value="false"/>
<property name="url" value="ldaps://192.168.2.215:3269" />
<property name="userDn" value="username@my.domain.com"/>
<property name="password" value="**********"/>
<property name="baseEnvironmentProperties">
<map>
<entry key="com.sun.jndi.ldap.connect.timeout" value="3000" />
<entry key="com.sun.jndi.ldap.read.timeout" value="3000" />
<entry key="java.naming.security.authentication" value="simple" />
</map>
</property>
</bean>

# reconfig source code dependencies
# open the webapp's Maven build file to pull in the LDAP adaptor module
cd /opt/cas-server-3.4.11/cas-server-webapp; vi pom.xml

# add the following after the <dependencies> tag
<!-- CAS LDAP adaptor module that provides BindLdapAuthenticationHandler used above.
     groupId and version are inherited from the parent project so the module always
     matches the CAS release being built. -->
<dependency>
<groupId>${project.groupId}</groupId>
<artifactId>cas-server-support-ldap</artifactId>
<version>${project.version}</version>
</dependency>

# recompile the jasig cas-server webapp
# build every module from the project root so the webapp picks up the new dependency
cd /opt/cas-server-3.4.11; mvn install

# [ if the build fails, run "mvn install" again; it often completes without error on a second attempt ]

# copy the webapp (war) file into place
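# deploy the built war and hand ownership to tomcat; the chown must name the copied file
# by its full path, since the current directory is still /opt/cas-server-3.4.11 here
cp /opt/cas-server-3.4.11/cas-server-webapp/target/cas.war /usr/share/tomcat5/webapps
chown root:tomcat /usr/share/tomcat5/webapps/cas.war
service tomcat5 restart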

# log in at the CAS page; the directory validates the username against its password
https://localhost:8443/cas/

Log In Successful

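# inspect the audit trail; cd into the log directory (catalina.out is a file, not a directory)
cd /var/log/tomcat5
tail catalina.out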

ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Mar 11 23:59:08 CDT 2014
CLIENT IP ADDRESS: 192.168.2.12
SERVER IP ADDRESS: 192.168.2.219