Wednesday, September 9, 2015

Jasig CAS with LDAP

In this tutorial, we used Linux CentOS 6 as our operating system. Below are the items required:
  • CAS server (you can download it from here - https://www.apereo.org/projects/cas/download-cas). In this tutorial, we're using CAS server version 3.5.2
  • Maven (to build the CAS server)
  • Tomcat (we used apache-tomcat-7.0.42)
* In this tutorial, we assume that LDAP has already been installed on your server. We are not going to cover anything about LDAP here.
* One more thing: please make sure Maven has been set up on your local machine. It will be used to build the CAS server (see here for a tutorial: http://thisismynota.blogspot.com/2014/02/install-maven-on-centos-65.html)

Steps:

  1. Download the CAS server and extract it.
  2. Go to the extracted folder using the command line (console) and edit the file pom.xml
    cd cas-server-3.5.2/cas-server-webapp
    vi pom.xml


  3. Now add the following lines before the </dependencies> tag (Maven element names are case-sensitive, so groupId and artifactId must be written exactly like this)
    <dependency>
      <groupId>org.jasig.cas</groupId>
      <artifactId>cas-server-support-ldap</artifactId>
      <version>3.5.2</version>
    </dependency>


  4. Next, build the CAS server
    cd cas-server-3.5.2/cas-server-webapp
    mvn install package

    * wait until you see BUILD SUCCESSFUL


  5. Next, copy the cas.war file from the cas-server-3.5.2/cas-server-webapp/target folder into the Tomcat webapps folder and start the Tomcat server
    cp cas-server-3.5.2/cas-server-webapp/target/cas.war /apache-tomcat-7.0.42/webapps
    ./apache-tomcat-7.0.42/bin/startup.sh


  6. After startup completes, shut down Tomcat. We need to edit the deployerConfigContext.xml file
    ./apache-tomcat-7.0.42/bin/shutdown.sh
    vi /apache-tomcat-7.0.42/webapps/cas/WEB-INF/deployerConfigContext.xml


  7. Find the line <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" /> and comment it out. Add the BindLdapAuthenticationHandler bean under the commented line. You'll have something like below:
    <!-- <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" /> -->
    <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler" p:filter="cn=%u" p:searchBase="ou=user,dc=example,dc=com,dc=my" p:contextSource-ref="contextSource" />

    * note that in this example CAS will authenticate using cn (common name). If you would like to use another attribute for authentication, e.g. mail, change the filter and searchBase values as per your environment configuration.


  8. In the same file (deployerConfigContext.xml), put the following lines before the </beans> tag. (Again, please change the url, userDn and password values as per your environment configuration):
    <bean id="contextSource"
          class="org.springframework.ldap.core.support.LdapContextSource">
      <!-- DO NOT enable JNDI pooling for context sources that perform LDAP bind operations. -->
      <property name="pooled" value="false"/>
      <!-- Although multiple URLs may be defined, it's strongly recommended to avoid this configuration since the implementation attempts hosts in sequence and requires a connection timeout prior to attempting the next host, which incurs unacceptable latency on node failure. A proper HA setup for LDAP directories should use a single virtual host that maps to multiple real hosts using a hardware load balancer. -->
      <property name="url" value="ldap://your_ldap_server_address:389" />

      <!-- Manager credentials are only required if your directory does not support anonymous searches. Never provide these credentials for FastBindLdapAuthenticationHandler since the user's credentials are used for the bind operation. -->
      <property name="userDn" value="cn=Manager,dc=example,dc=com,dc=my"/>
      <property name="password" value="your_ldap_manager_password"/>

      <!-- Place JNDI environment properties here. -->
      <property name="baseEnvironmentProperties">
        <map>
          <!-- Three seconds is an eternity to users. -->
          <entry key="com.sun.jndi.ldap.connect.timeout" value="3000" />
          <entry key="com.sun.jndi.ldap.read.timeout" value="3000" />
          <!-- Explained at http://download.oracle.com/javase/1.3/docs/api/javax/naming/Context.html#SECURITY_AUTHENTICATION -->
          <entry key="java.naming.security.authentication" value="simple" />
        </map>
      </property>
    </bean>
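The two beans from steps 7 and 8 are what CAS reads at startup, so a quick pre-deployment check of the security-relevant values is worth having. The following is an added example and not code from the post or from CAS: it parses a trimmed, constructed copy of the beans above, flags settings a reviewer would question (JNDI pooling, a plain ldap:// URL that carries simple-bind passwords in cleartext, missing timeouts), and shows the search filter that results from substituting the login name into p:filter; the RFC 4515 escaping applied there is this example's own defensive choice, not a statement about what CAS 3.5.2 does internally.

```python
import xml.etree.ElementTree as ET
# Constructed sample: the two beans from the tutorial, trimmed to what the checks read.
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p">
  <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
        p:filter="cn=%u" p:searchBase="ou=user,dc=example,dc=com,dc=my"
        p:contextSource-ref="contextSource"/>
  <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="pooled" value="false"/>
    <property name="url" value="ldap://your_ldap_server_address:389"/>
    <property name="baseEnvironmentProperties"><map>
      <entry key="com.sun.jndi.ldap.connect.timeout" value="3000"/>
      <entry key="com.sun.jndi.ldap.read.timeout" value="3000"/>
    </map></property>
  </bean>
</beans>"""

NS = {"b": "http://www.springframework.org/schema/beans"}
P = "{http://www.springframework.org/schema/p}"
TIMEOUTS = ("com.sun.jndi.ldap.connect.timeout", "com.sun.jndi.ldap.read.timeout")

def load_settings(xml_text):
    """Flatten the contextSource properties and the handler's p: attributes into a dict."""
    cfg = {}
    for bean in ET.fromstring(xml_text).findall("b:bean", NS):
        if bean.get("id") == "contextSource":
            for prop in bean.findall("b:property", NS):
                if prop.get("value") is not None:
                    cfg[prop.get("name")] = prop.get("value")
                for entry in prop.findall("b:map/b:entry", NS):
                    cfg[entry.get("key")] = entry.get("value")
        elif bean.get("class", "").endswith("BindLdapAuthenticationHandler"):
            cfg["filter"], cfg["searchBase"] = bean.get(P + "filter"), bean.get(P + "searchBase")
    return cfg

def check_settings(cfg):
    """Return the settings a reviewer would flag before deploying this file."""
    findings = []
    if cfg.get("pooled") != "false":
        findings.append("pooled must be false: the bind handler authenticates on each connection")
    if not cfg.get("url", "").startswith("ldaps://"):
        findings.append("ldap:// URL: simple binds send the manager and user passwords in cleartext")
    findings += ["missing " + k for k in TIMEOUTS if k not in cfg]
    return findings

def escape_filter_value(value):  # RFC 4515 escaping: a login name cannot alter filter structure
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(template, username):  # the search derived from p:filter for one login
    return template.replace("%u", escape_filter_value(username))
```

Run it against your real deployerConfigContext.xml by passing the file contents to load_settings; an empty list from check_settings means the three checks passed.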


  9. In order to make CAS work properly, we must enable SSL on Tomcat. In this example we used a self-signed certificate to make the CAS server run over SSL. Generate the self-signed certificate:
    keytool -genkey -alias sso -keyalg RSA -keysize 2048 -keystore sso.jks

    Enable SSL on Tomcat
    vi /apache-tomcat-7.0.42/conf/server.xml

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="1000"
    minSpareThreads="25" protocol="HTTP/1.1" maxSpareThreads="75" enableLookups="true" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/path/to/sso.jks"
    keystorePass="changeit" />

  10. Start Tomcat and access your CAS server using https://localhost:8443
