Setup of a CAS server over AD 2003

Thursday 26 October 2006

Versions used in this document:

  • CAS server 3.0.5
  • Active Directory on Windows 2003 Server

Once you have a working tomcat server with an SSL connection, you’re ready to host the CAS servlet.

In order to customize the CAS servlet and setup certificates, you need to have at least a recent JDK (I’ve used 1.5.0-09) and the ant utility.

Note on AD 2003 vs AD 2000
The 2003 version of AD has improved security over AD 2000 and a bind to the root returns more data than its previous version. This is why the referrals option is necessary if you want the CAS connection to search for users from the root of the AD tree. Without this option, CAS will fail in various ways.

Connection from the CAS server to the AD server using LDAPS

First you need to set up SSL over the LDAP port on the Windows server. There are several tutorials available on the net for this. Once it's done, you should have the public certificate of the AD server ready to be used on the CAS server side.

To test that the LDAPS connection is properly set up and accessible from the CAS server, I have created a PHP page on the CAS machine and accessed it from my workstation. Here is the code of this page:

```php
<?php
// Connect over LDAPS (port 636) and force LDAP protocol version 3.
$conn = ldap_connect('ldaps://server-name', 636);
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
// Customize with the proper user/password pair.
$ldapbind = ldap_bind($conn, 'cn=xxx,dc=yyy,dc=zzz', '******');
if ($ldapbind)
{
  echo "Connection LDAP OK";
  // Do a fake search for usernames starting with d.
  $sr = ldap_search($conn, "dc=xxx,dc=yyy", "sn=d*");
  echo 'Connection handle: ' . $sr . '<br />';
  echo 'Number of entries: ' . ldap_count_entries($conn, $sr) . '<br />';
}
else
{
  echo "LDAP connection failed: ";
  echo ldap_error($conn);
}
?>
```

Then you have to use the keytool utility (from the JDK) to add the certificate to the keystore. Make sure you add the certificate to the proper keystore! To find out which keystore you should be using, refer to the tomcat config:

```sh
grep keystoreFile <tomcat-home>/conf/server.xml
```

This will tell you where tomcat will look for the certificate.

Add the certificate to the keystore:

```sh
$JAVA_HOME/bin/keytool -import -file <certificate-file> -keystore <keystore-location>/keystore
```

CAS server setup

The connection settings are located in webapp/WEB-INF/deployerConfigContext.xml under the cas-server directory.
The authenticationManager and contextSource beans must be modified as follows (I have added comments to the file):

```xml
<property name="authenticationHandlers">
  <list>
    <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" />

    <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
      <!-- watch out for this one -->
      <property name="filter" value="cn=%u" />

      <!-- the searchBase can be the root or an OU -->
      <property name="searchBase" value="dc=xxx,dc=yyy" />

      <property name="contextSource" ref="contextSource" />
    </bean>
  </list>
</property>

<bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
  <property name="authenticatedReadOnly" value="true" />

  <!-- customize this: here we do not allow anonymous binds, so we specify a username
       and password for the bind -->
  <property name="userName" value="xxxx" />
  <property name="password" value="******" />

  <property name="pooled" value="true" />
  <property name="urls">
    <list>
      <value>ldaps://ad-server-1/</value>
      <value>ldaps://ad-server-2/</value>
    </list>
  </property>

  <property name="baseEnvironmentProperties">
    <map>
      <!-- watch out for this one, it will fail if you try
           to access the root without it -->
      <entry>
        <key><value>java.naming.referral</value></key>
        <value>follow</value>
      </entry>

      <entry>
        <key><value>java.naming.security.protocol</value></key>
        <value>ssl</value>
      </entry>

      <entry>
        <key><value>java.naming.security.authentication</value></key>
        <value>simple</value>
      </entry>
    </map>
  </property>
</bean>
```

When this file is modified, you need to deploy the servlet as described in the next section.
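Because the three settings flagged above (the `ldaps://` URLs, `java.naming.referral=follow` and `java.naming.security.protocol=ssl`) are easy to lose when the file is edited again, here is a small lint script that parses a deployerConfigContext.xml and reports any of them missing. It also shows, for the `cn=%u` filter, what a safe substitution of a username into the filter looks like (RFC 4515 escaping of `*`, `(`, `)`, `\` and NUL); this is an added example written for this page, not code from the CAS project, and it does not describe what CAS 3.0.5 does internally. The embedded XML is a constructed, trimmed copy of the beans above, with one URL deliberately downgraded to `ldap://` so the lint has something to report.

```python
"""Lint the security-relevant settings of a CAS deployerConfigContext.xml."""
import xml.etree.ElementTree as ET

# Constructed sample (trimmed from the config above); ad-server-2 is deliberately
# listed as plaintext ldap:// so that the lint reports it.
SAMPLE_XML = """<beans>
<bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
<property name="authenticationHandlers"><list>
<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
<property name="filter" value="cn=%u" />
<property name="searchBase" value="dc=xxx,dc=yyy" />
<property name="contextSource" ref="contextSource" />
</bean>
</list></property>
</bean>
<bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
<property name="authenticatedReadOnly" value="true" />
<property name="urls"><list>
<value>ldaps://ad-server-1/</value>
<value>ldap://ad-server-2/</value>
</list></property>
<property name="baseEnvironmentProperties"><map>
<entry><key><value>java.naming.referral</value></key><value>follow</value></entry>
<entry><key><value>java.naming.security.protocol</value></key><value>ssl</value></entry>
<entry><key><value>java.naming.security.authentication</value></key><value>simple</value></entry>
</map></property>
</bean>
</beans>"""


def property_value(bean, name):
    """Value attribute of <property name=...> directly under a bean, or None."""
    for prop in bean.findall("property"):
        if prop.get("name") == name:
            return prop.get("value")
    return None


def ldap_urls(bean):
    """The <value> entries of the 'urls' property."""
    for prop in bean.findall("property"):
        if prop.get("name") == "urls":
            return [v.text.strip() for v in prop.findall("./list/value")]
    return []


def base_env(bean):
    """The baseEnvironmentProperties map as a plain dict."""
    env = {}
    for prop in bean.findall("property"):
        if prop.get("name") == "baseEnvironmentProperties":
            for entry in prop.findall("./map/entry"):
                key = entry.find("./key/value").text.strip()
                env[key] = entry.find("value").text.strip()
    return env


def find_bean(root, bean_id=None, class_suffix=None):
    for bean in root.iter("bean"):
        if bean_id and bean.get("id") == bean_id:
            return bean
        if class_suffix and (bean.get("class") or "").endswith(class_suffix):
            return bean
    return None


def lint_context_source(xml_text):
    """Return a list of findings; an empty list means the checked settings are in place."""
    root = ET.fromstring(xml_text)
    findings = []
    cs = find_bean(root, bean_id="contextSource")
    if cs is None:
        return ["no contextSource bean found"]
    for url in ldap_urls(cs):
        if not url.startswith("ldaps://"):
            findings.append("plaintext LDAP URL: " + url)
    env = base_env(cs)
    if env.get("java.naming.referral") != "follow":
        findings.append("java.naming.referral is not 'follow' (root searches on AD 2003 will fail)")
    if env.get("java.naming.security.protocol") != "ssl":
        findings.append("java.naming.security.protocol is not 'ssl'")
    if property_value(cs, "authenticatedReadOnly") != "true":
        findings.append("authenticatedReadOnly is not 'true'")
    handler = find_bean(root, class_suffix="BindLdapAuthenticationHandler")
    if handler is None or property_value(handler, "filter") is None:
        findings.append("BindLdapAuthenticationHandler has no filter property")
    return findings


def escape_filter_value(value):
    """RFC 4515 escaping of the characters that carry meaning inside an LDAP filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter(template, username):
    """Substitute the escaped username for %u in a filter template such as cn=%u."""
    return template.replace("%u", escape_filter_value(username))


if __name__ == "__main__":
    for finding in lint_context_source(SAMPLE_XML):
        print("FINDING:", finding)
    print(build_filter("cn=%u", "d*"))
```

Run it against your real file with `lint_context_source(open("deployerConfigContext.xml").read())`; the plaintext-URL check is the one most worth keeping, since a single `ldap://` entry in the `urls` list sends the bind password of the `contextSource` account in the clear to that server.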

To update the CAS server

To update the CAS server, you need to build a new war file (i.e. web archive – yes, I agree, bad file extension). Here is how to do it:

1. Uninstall (they call it undeploy) the current cas servlet:

  • Go to tomcat’s manager (https://server:8443/manager)
  • In the list of applications, find ‘cas’
  • Click Undeploy on the ‘cas’ line. (this unloads the cas.war servlet from tomcat and removes the file)

2. From the localPlugins directory of the cas-server package:

```sh
ant clean
ant jar
touch ../webapp/WEB-INF/deployerConfigContext.xml
```

(The touch is necessary if the tomcat server runs on a Linux box and the cas-server files live on a CIFS/Samba share: if you don't tell the Linux box that the file has changed, chances are your cas.war archive will contain an older version of the file.)

```sh
ant war
cp target/cas.war <tomcat-home>/webapps/
```

3. Reinstall the servlet inside tomcat

  • Go to tomcat’s manager (https://server:8443/manager)
  • Under the Applications block, go to the Deploy block
  • In the "WAR or Directory URL" field, enter "cas.war"
  • Click Deploy (the error message about the invalid context is normal; if 'cas' doesn't show up in the Applications list, refresh the page, and also make sure that the cas application is started)
  • Go to https://server:8443/cas and enjoy!
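The stale-file problem mentioned in step 2 is silent: `ant war` succeeds and tomcat deploys the archive, but the LDAP settings inside it are the old ones. The check below, an added example for this page and not part of the cas-server build, opens the built cas.war (a zip file) and compares the packed WEB-INF/deployerConfigContext.xml byte for byte against the source file, so you can run it before copying the war into <tomcat-home>/webapps/. The demo helper builds a throwaway webapp tree and war in a temporary directory (constructed data, not a real CAS build) to show both the fresh and the stale case.

```python
"""Verify that a built cas.war carries the deployerConfigContext.xml you edited."""
import hashlib
import os
import tempfile
import zipfile

# Path of the config inside the war; assumed from the webapp/WEB-INF layout above.
CONFIG_IN_WAR = "WEB-INF/deployerConfigContext.xml"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def war_config_matches(war_path, source_config_path):
    """True if the config packed in the war is byte-identical to the source file."""
    with open(source_config_path, "rb") as f:
        expected = sha256_hex(f.read())
    with zipfile.ZipFile(war_path) as war:
        if CONFIG_IN_WAR not in war.namelist():
            return False          # config missing entirely from the archive
        packed = sha256_hex(war.read(CONFIG_IN_WAR))
    return packed == expected


def build_demo(tmpdir, stale):
    """Constructed demo: a fake webapp tree plus a cas.war that is fresh or stale."""
    web_inf = os.path.join(tmpdir, "webapp", "WEB-INF")
    os.makedirs(web_inf, exist_ok=True)
    cfg = os.path.join(web_inf, "deployerConfigContext.xml")
    fresh = b'<bean id="contextSource"><property name="urls"><list>' \
            b'<value>ldaps://ad-server-1/</value></list></property></bean>\n'
    with open(cfg, "wb") as f:
        f.write(fresh)
    # A stale war is what you get when the build picked up the old file from the share.
    packed = b"<bean>old settings</bean>\n" if stale else fresh
    war = os.path.join(tmpdir, "cas.war")
    with zipfile.ZipFile(war, "w") as z:
        z.writestr(CONFIG_IN_WAR, packed)
    return war, cfg


def demo(stale):
    """Build the demo tree and return the result of the check."""
    with tempfile.TemporaryDirectory() as tmp:
        war, cfg = build_demo(tmp, stale)
        return war_config_matches(war, cfg)


if __name__ == "__main__":
    print("fresh war matches source:", demo(stale=False))
    print("stale war matches source:", demo(stale=True))
```

For a real build, call `war_config_matches("target/cas.war", "../webapp/WEB-INF/deployerConfigContext.xml")` from the localPlugins directory and only copy the war when it returns True.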
