Junky's IT Notebook

统计

留言簿(8)

积分与排名

WebSphere Studio

阅读排行榜

评论排行榜

CAS 使用 ESUP 插件认证 LDAP 用户的单点登录(转)

ESUP为CAS的SSO提供了LDAP用户模式,本文详细论述了使用LDAP认证的配置方式,它主要分为两种主要形式:快速绑定和搜寻模式。在实际使用时,我使用了更为通用的搜寻模式。

前面的一篇文章我曾经介绍了使用Tomcat简单部署CAS的方法,但对于用户名和密码只是做相同性的校验匹配验证,下面我将一步步将其改变为使用Sun Directory Server进行用户认证的方式。

  1. 下载esup-casgeneric-2.0.5-2,将其部署到CAS源代码中。方法很简单,修改其properties文件,指定CAS源代码的存储位置,在我机器中我将其指向了eclipse的workspace工作目录中的CAS应用。随后使用ant编译其build.xml脚本,实际上运行该教本只是做了一个复制拷贝工作,将ESUP的源代码文件和配置文件复制到CAS源码中。
  2. 修改原有CAS的认证方式,在web.xml中,将CAS的认证控制器由默认的edu.yale.its.tp.cas.auth.provider.SampleHandler改为ESUP的GenericHandler,修改后的内容如下:
    <context-param>
            <param-name>edu.yale.its.tp.cas.authHandler</param-name>
            <param-value>org.esupportail.cas.server.GenericHandler</param-value>
    </context-param>
  3. 修改ESUP的配置文件genericHandler.xml,将其默认的控密码和相同性验证方式改为LDAP验证方式,并同时配置LDAP相关信息,下面是修改前与修改后的内容:
    修改前:
    <authentication empty_password_accepted="on" debug="on">
        <handler>
            <classname>
                org.esupportail.cas.server.handlers.test.EmptyPasswordHandler</classname>
        </handler>
        <handler>
            <classname>
                org.esupportail.cas.server.handlers.test.PasswordEqualsUsernameHandler</classname>
        </handler>
    </authentication>
    修改后:
    <authentication debug="off">
        <handler>
            <classname>
                org.esupportail.cas.server.handlers.ldap.BindLdapHandler</classname>
            <config>
                <search_base>ou=People,dc=sjtu,dc=edu,dc=cn</search_base>
                <filter>uid=%u</filter>
                <scope>sub</scope>
                <bind_dn>cn=Directory Manager</bind_dn>
                <bind_password>password</bind_password>
                <server>
                    <url>ldap://yuanxz.sjtu.edu.cn:389/</url>
                </server>
                <disable_multiple_accounts/>
            </config>
        </handler>
    </authentication>
  4. 修改ESUP日志记录配置文件LoggerConf.xml,修改名为File的参数,将其value指向希望的日志存储位置:<param name="File" value="c:/tomcat/logs/esup-casgeneric.log" />
  5. 重新部署CAS应用到Tomcat,即再次运行build.xml的ant教本,重新启动Tomcat,进入Servlet-Examples的应用实例,点击执行后浏览器仍自动跳转到CAS的认证登录界面,在用户名和密码栏中输入位于LDAP中用户信息,即可通过验证。
  6. 验证日志文件,打开步骤4中配置的日志文件,可以看到CAS成功地连接了LDAP数据库并通过了验证,日志示例如下:
    INFO [http-8443-Processor24] root.[] 三月/11 14:04:14 - ESUP-Portail Generic Handler 2.0.5-2, reading configuration file...
    INFO [http-8443-Processor24] root.[] 三月/11 14:04:15 - Configuration file read without any error.
    INFO [http-8443-Processor24] root.[] 三月/11 14:04:20 - Authentication succeeded for user `yuanxz'.

LDAP authentication with CAS GH

As LDAP became a standard for user referencials, authentication on an LDAP directory is the most widely used method nowadays. LDAP authentication configuration consists in specifying:

  • the mode used to access LDAP servers (see bellow);
  • an LDAP server or a list of LDAP servers (for redundancy);

Two access modes are provided (bind and fastbind), depending on the internal structure of the LDAP directory.

Direct access mode (fastbind)

The fastbind method can be used with LDAP directories of which the users' Distinguished Names can be directly deduced from their login name (practically, LDAP directories where all the users are stored at the same hierarchical level).

In this mode, CAS tries to connect to the LDAP directory with the user's DN and the password provided.

One may use:

<authentication debug="off">
<handler>
<classname>org.esupportail.cas.server.handlers.ldap.FastBindLdapHandler</classname>
<config>
<filter>uid=%u,ou=people,dc=esup-portail,dc=org</filter>
<server>
<url>ldap://ldap.esup-portail.org</url>
</server>
<server>
<url>ldap://replica.esup-portail.org</url>
</server>
</config>
</handler>
</authentication>

When using the ldap_fastbind method, the administrator should only spécify the filter to find the users' DN in the directory. The following tokens (similar to ldap_saslauthd) can be used in the filter string:

  • %% = %
  • %u = user
  • %U = user portion of %u (%U = test when %u = test@domain.tld)
  • %d = domain portion of %u (%d = domain.tld when %u = test@domain.tld)
  • %1-9 = domain tokens (%1 = tld, %2 = domain when %d = domain.tld)
  • %s = service
  • %r = realm

The %u token has to be used at minimum for the filter to be useful. Defaults to uid=%u.

Search mode (bind)

When users are located in different branches of the directory, deducing the users' DN from their login name is impossible. In this case, the ldap_bind mode should be used. It performs a search in the directory before trying to connect.

One may use:

<authentication debug="off">
<handler>
<classname>org.esupportail.cas.server.handlers.ldap.BindLdapHandler</classname>
<config>
<search_base>ou=people,dc=esup-portail,dc=org</search_base>
<filter>uid=%u</filter>
<scope>sub</scope>
<bind_dn>admin</bind_dn>
<bind_password>secret</bind_password>
<server>
<url>ldap://ldap.esup-portail.org</url>
</server>
<server>
<url>ldap://replica.esup-portail.org</url>
</server>
<disable_multiple_accounts/>
</config>
</handler>
</authentication>

When using the bind method, the administrator should specify:

  • the start point of the search (e.g. dc=univ-rennes1,dc=fr). Tokens described in the filter attribute (see above) can be used for substitution;
  • the search scope (can be sub, one or base). Defaults to sub;
  • the filter to find the users' DN in the directory;
  • parameters to connect to the LDAP directory (when ommited, an anonymous connection is used);
  • whether multiple accounts for users are allowed or not, thanks to the <enable_multiple_accounts> and <disable_multiple_accounts> tags (by default, they are not allowed). If the result of the LDAP search has more then one result, no connection to the LDAP directory is done and the authentication is refused. This feature was added in version 2.0.5.

LDAP servers

The LDAP servers are defined by:

  • their LDAP URL.

When specifying several servers, all the servers are considered as replicates: when authentication fails on one directory, LDAP authentication fails because directories are intended to contain the same data; next (redundant) servers are tried only if the first one does not respond.

Specifying many replicas can be done by specifying a space-separated list of LDAP URLs in the <url> element (these URLs will be handled by JNDI (since JDK 1.4) as precised in http://java.sun.com/products/jndi/tutorial/ldap/misc/url.html. Alternatively, using several <server> elements can help debugging.

posted on 2007-06-05 16:35 junky 阅读(1048) 评论(0)  编辑  收藏 所属分类: security


只有注册用户登录后才能发表评论。


网站导航: