CAS single sign-on with LDAP user authentication through the ESUP plugin

xiaoxiao 2021-03-06

ESUP provides an LDAP user mode for CAS SSO. This article details the LDAP authentication configuration, which comes in two main forms: fast binding and search mode. In practice the search mode is the more common one, and it is the one I use.

In a previous article I described a simple deployment of CAS on Tomcat, but the username and password were only checked by the sample handler, which accepts a password identical to the username. Below I change this so that users are authenticated against Sun Directory Server.

Download esup-casgeneric-2.0.5-2 and deploy it into the CAS source tree. The method is simple: edit its properties file to specify where the CAS source code is stored, pointing it at the CAS application in the Eclipse workspace directory, then build it with Ant using its build.xml. The build is really just a copy job: it copies the ESUP source and configuration files into the CAS source tree.

Modify the authentication method of the original CAS. In web.xml, change the CAS authentication handler from the default SampleHandler to the ESUP GenericHandler, that is, set the edu.yale.its.tp.cas.authhandler parameter to org.esupportail.cas.server.GenericHandler.

Then modify the ESUP configuration file GenericHandler.xml: replace its default handlers, which accept an empty password or a password identical to the username, with the LDAP verification mode, and configure the LDAP details at the same time. Original content: <authentication empty_password_accepted="on" debug="on"> with the handlers org.esupportail.cas.server.handlers.test.EmptyPasswordHandler and org.esupportail.cas.server.handlers.test.PasswordEqualsUsernameHandler. Modified content: handler class org.esupportail.cas.server.handlers.ldap.BindLdapHandler, search base ou=people,dc=sjtu,dc=edu,dc=cn, filter uid=%u, scope sub, bind DN cn=Directory Manager, bind password Password, server URL ldap://yuanxz.sjtu.edu.cn:389/.

Modify the ESUP log configuration file loggerconf.xml: edit the parameter named file and point its value at the desired log location: <param name="file" value="c:/tomcat/logs/esup-casgeneric.log" />

Redeploy the CAS application to Tomcat, run the Ant build.xml again, restart Tomcat, open the servlet-examples application and click the execute link; the browser automatically redirects to the CAS login page. Enter the username and password to verify them. Check the log file configured in step 4: you can see that CAS successfully connected to the LDAP directory and passed the verification. The log reads:

INFO [http-8443-Processor24] root.[] March/11 14:04:5-2 - esup-portail generic handler 2.0.5-2, reccess port ...
INFO [http-8443-Processor24] root.[] March/11 14:04:15 - Configuration file read without any error.
INFO [http-8443-Processor24] root.[] March/11 14:04:20 - Authentication succeeded for user `yuanxz'.

LDAP authentication with CAS GH

As LDAP became a standard for user references, authentication against an LDAP directory is the most widely used method nowadays. LDAP authentication configuration consists of:

- the mode used to access the LDAP servers (see below);
- an LDAP server or a list of LDAP servers (for redundancy).

Two access modes are provided (bind and fastbind), depending on the internal structure of the LDAP directory.

Direct access mode (fastbind)

The fastbind method can be used with LDAP directories of which the users' Distinguished Names can be directly deduced from their login name (practically, LDAP directories where all the users are stored at the same hierarchical level).

In this mode, CAS tries to connect to the LDAP directory with the user's DN and the password provided.

One may use:

handler class org.esupportail.cas.server.handlers.ldap.FastBindLdapHandler, filter uid=%u,ou=people,dc=esup-portail,dc=org, and the servers ldap://ldap.esup-portail.org and ldap://replica.esup-portail.org.

When using the ldap_fastbind method, the administrator should only specify the filter used to find the users' DN in the directory. The following tokens (similar to LDAP_SASLAUTHD) can be used in the filter string:

- %% = %
- %u = user
- %U = user portion of %u (%U = test when %u = test@domain.tld)
- %d = domain portion of %u (%d = domain.tld when %u = test@domain.tld)
- %1-9 = domain tokens (%1 = TLD, %2 = domain when %d = domain.tld)
- %s = service
- %r = realm

The %u token has to be used at minimum for the filter to be useful. Defaults to uid=%u.

Search mode (bind)

When users are located in different branches of the directory, deducing the users' DN from their login name is impossible. In this case, the ldap_bind mode should be used. It performs a search in the directory before trying to connect.

One may use:

handler class org.esupportail.cas.server.handlers.ldap.BindLdapHandler, search base ou=people,dc=esup-portail,dc=org, filter uid=%u, scope sub, bind DN admin with its password, and the servers ldap://ldap.esup-portail.org and ldap://replica.esup-portail.org.

When using the bind method, the administrator should specify:

- the start point of the search (e.g. dc=univ-rennes1,dc=fr); the tokens described for the filter attribute (see above) can be used for substitution;
- the search scope (can be sub, one or base); defaults to sub;
- the filter used to find the users' DN in the directory;
- the parameters used to connect to the LDAP directory (when omitted, an anonymous connection is used);
- whether multiple accounts per user are allowed or not, through the <disable_multiple_accounts> tag and its counterpart (by default, they are not allowed). If the LDAP search returns more than one result, no connection to the LDAP directory is made and the authentication is refused. This feature was added in version 2.0.5.

LDAP servers

The LDAP servers are defined by:

- their LDAP URL.

When specifying several servers, all the servers are considered replicas: when authentication fails on one directory, LDAP authentication fails, because the directories are intended to contain the same data; the next (redundant) servers are tried only if the first one does not respond. Many replicas can be specified as a space-separated list of LDAP URLs in the URL element, since the URLs are handled by JNDI (since JDK 1.4) as described in the JNDI tutorial page tutorial/ldap/misc/url.html. Alternatively, using several elements can help debugging.
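The two access modes, the filter tokens, the refusal when a search returns several accounts, and the replica rule above (a failed bind on a responding directory is final; the next server is tried only when the previous one does not respond), as one worked model. This is an added example, not code from esup-casgeneric or from the article: it parses a constructed GenericHandler.xml-style fragment whose tag names (search_base, filter, scope, bind_dn, bind_password, server/url) are assumed rather than taken from the plugin, and it replaces LDAP with an in-memory stand-in (FakeLdapServer). The login-name allowlist and the rejection of empty passwords are the example's own defensive choices; the page does not say how the plugin handles either.

```python
"""Model of esup-casgeneric's fastbind and bind LDAP modes (added example, not plugin code).
CONFIG_XML is constructed; its tag names are assumed, not taken from the real GenericHandler.xml.
"""
import re
import xml.etree.ElementTree as ET

CONFIG_XML = """<authentication>
  <handler>
    <config>
      <search_base>ou=people,dc=esup-portail,dc=org</search_base>
      <filter>uid=%u</filter>
      <scope>sub</scope>
      <bind_dn>cn=admin,dc=esup-portail,dc=org</bind_dn>
      <bind_password>secret</bind_password>
      <server><url>ldap://ldap.esup-portail.org</url></server>
      <server><url>ldap://replica.esup-portail.org</url></server>
    </config>
  </handler>
</authentication>"""

# Constructed directory: DN -> (attributes, password). "bob" has two accounts on purpose.
DIRECTORY = {
    "cn=admin,dc=esup-portail,dc=org": ({}, "secret"),
    "uid=alice,ou=people,dc=esup-portail,dc=org": ({"uid": "alice"}, "alice-pw"),
    "uid=bob,ou=staff,ou=people,dc=esup-portail,dc=org": ({"uid": "bob"}, "bob-pw"),
    "uid=bob,ou=students,ou=people,dc=esup-portail,dc=org": ({"uid": "bob"}, "bob-pw"),
}

# The login is substituted into a DN (fastbind) or a search filter (bind), so keep DN and
# filter metacharacters out of it. This allowlist is the example's own choice, not the plugin's.
SAFE_LOGIN = re.compile(r"^[A-Za-z0-9._@-]+$")


def parse_config(xml_text):
    """Read the handler settings from the assumed GenericHandler.xml layout."""
    cfg = ET.fromstring(xml_text).find("handler/config")
    return {
        "search_base": cfg.findtext("search_base"),
        "filter": cfg.findtext("filter", "uid=%u"),    # documented default
        "scope": cfg.findtext("scope", "sub"),         # documented default
        "bind_dn": cfg.findtext("bind_dn"),            # None -> anonymous connection
        "bind_password": cfg.findtext("bind_password"),
        "urls": [s.findtext("url") for s in cfg.findall("server")],
    }


def substitute_tokens(template, login, service="", realm=""):
    """Expand the saslauthd-style tokens the plugin documents (%u %U %d %1-9 %s %r %%)."""
    user, _, domain = login.partition("@")
    tokens = {"%": "%", "u": login, "U": user, "d": domain, "s": service, "r": realm}
    for i, part in enumerate(reversed(domain.split(".")) if domain else [], 1):
        tokens[str(i)] = part                          # %1 = TLD, %2 = domain, ...
    return re.sub(r"%([%Uudsr1-9])", lambda m: tokens.get(m.group(1), ""), template)


class FakeLdapServer:
    """One replica; up=False makes it 'not respond' by raising ConnectionError."""
    def __init__(self, url, entries, up=True):
        self.url, self.entries, self.up = url, entries, up

    def bind(self, dn, password):
        if not self.up:
            raise ConnectionError(self.url)
        entry = self.entries.get(dn)
        # An empty password is an unauthenticated bind on a real server: never a success here.
        return entry is not None and password != "" and entry[1] == password

    def search(self, base, scope, flt):
        if not self.up:
            raise ConnectionError(self.url)
        attr, _, value = flt.partition("=")            # only "attr=value" filters are modelled
        hits = []
        for dn, (attrs, _) in self.entries.items():
            if dn.endswith(base) and attrs.get(attr) == value:
                depth = dn[: -len(base)].count(",")    # RDNs between the entry and the base
                if scope == "sub" or depth == {"one": 1, "base": 0}[scope]:
                    hits.append(dn)
        return hits


def authenticate(cfg, servers, login, password, mode="bind"):
    """True only when exactly one DN matches and binds with the user's password."""
    if not SAFE_LOGIN.match(login) or password == "":
        return False
    for server in servers:                             # replicas, in configured order
        try:
            if mode == "fastbind":
                dn = substitute_tokens(cfg["filter"], login)   # the filter is a DN template
            else:
                if cfg["bind_dn"] and not server.bind(cfg["bind_dn"], cfg["bind_password"]):
                    return False
                hits = server.search(cfg["search_base"], cfg["scope"], substitute_tokens(cfg["filter"], login))
                if len(hits) != 1:                     # zero or several accounts: refuse
                    return False
                dn = hits[0]
            return server.bind(dn, password)           # a refusal from a live replica is final
        except ConnectionError:
            continue                                   # replica did not respond: try the next
    return False
```

Calling authenticate(parse_config(CONFIG_XML), [FakeLdapServer(url, DIRECTORY) ...], "bob", "bob-pw") returns False even though bob's password is right, because the search finds two accounts; switching the scope to one hides both bob entries (they sit two levels below the base) and the result is the same refusal for a different reason. A real deployment would keep the same two methods and put an LDAP client behind them.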

Please credit the original source when reposting: https://www.9cbs.com/read-48205.html
