Junky's IT Notebook


CAS: single sign-on authenticating LDAP users through the ESUP plugin (repost)

ESUP adds an LDAP user mode to CAS single sign-on. This article describes the LDAP authentication configuration in detail; it comes in two main forms, fast bind and search mode. In my own deployment I used the more general search mode.

In an earlier article I described a simple CAS deployment on Tomcat, but that setup only accepted a login when the password was equal to the username. Below I convert it step by step to authenticate users against Sun Directory Server.

1. Download esup-casgeneric-2.0.5-2 and deploy it into the CAS source tree. This is straightforward: edit its properties file to point at the location of the CAS source (on my machine, the CAS application in the Eclipse workspace), then run its build.xml with ant. The script only performs a copy: it copies the ESUP source and configuration files into the CAS source tree.
2. Change CAS's authentication handler. In web.xml, replace the default edu.yale.its.tp.cas.auth.provider.SampleHandler with ESUP's GenericHandler; after the change the entry reads:
            <context-param>
                    <param-name>edu.yale.its.tp.cas.authHandler</param-name>
                    <param-value>org.esupportail.cas.server.GenericHandler</param-value>
            </context-param>
3. Edit ESUP's configuration file genericHandler.xml: replace the default test handlers (empty password accepted, password equal to username) with LDAP authentication and fill in the LDAP connection details. Two values in the "after" configuration should not be copied into production: the search account is the directory's root DN (cn=Directory Manager), where a dedicated account with read access to the People subtree is enough; and the server URL is plain ldap:// on port 389, so that account's password and every user's password cross the network unencrypted unless the connection is protected with LDAPS or StartTLS. Before and after:
Before:
            <authentication empty_password_accepted="on" debug="on">
                <handler>
                    <classname>
                        org.esupportail.cas.server.handlers.test.EmptyPasswordHandler</classname>
                </handler>
                <handler>
                    <classname>
                        org.esupportail.cas.server.handlers.test.PasswordEqualsUsernameHandler</classname>
                </handler>
            </authentication>
After:
            <authentication debug="off">
                <handler>
                    <classname>
                        org.esupportail.cas.server.handlers.ldap.BindLdapHandler</classname>
                    <config>
                        <search_base>ou=People,dc=sjtu,dc=edu,dc=cn</search_base>
                        <filter>uid=%u</filter>
                        <scope>sub</scope>
                        <bind_dn>cn=Directory Manager</bind_dn>
                        <bind_password>password</bind_password>
                        <server>
                            <url>ldap://yuanxz.sjtu.edu.cn:389/</url>
                        </server>
                        <disable_multiple_accounts/>
                    </config>
                </handler>
            </authentication>
4. Edit the ESUP logging configuration file LoggerConf.xml, changing the parameter named File so that its value points to the desired log location: <param name="File" value="c:/tomcat/logs/esup-casgeneric.log" />
5. Redeploy the CAS application to Tomcat (run the build.xml ant script again) and restart Tomcat. Open the Servlet-Examples application: after clicking through, the browser is still redirected to the CAS login page, and entering the username and password of a user stored in LDAP passes authentication.
6. Check the log file configured in step 4. It shows CAS connecting to the LDAP directory and completing the authentication; sample log lines:
INFO [http-8443-Processor24] root.[] Mar/11 14:04:14 - ESUP-Portail Generic Handler 2.0.5-2, reading configuration file...
INFO [http-8443-Processor24] root.[] Mar/11 14:04:15 - Configuration file read without any error.
INFO [http-8443-Processor24] root.[] Mar/11 14:04:20 - Authentication succeeded for user `yuanxz'.

          LDAP authentication with CAS GH

As LDAP has become the standard for user repositories, authentication against an LDAP directory is the most widely used method nowadays. LDAP authentication configuration consists in specifying:

• the mode used to access LDAP servers (see below);
          • an LDAP server or a list of LDAP servers (for redundancy);

Two access modes are provided (bind and fastbind); which one applies depends on the internal structure of the LDAP directory.

          Direct access mode (fastbind)

The fastbind method can be used with LDAP directories in which the users' Distinguished Names can be deduced directly from their login name (in practice, directories where all users are stored at the same hierarchical level).

In this mode, CAS tries to bind to the LDAP directory with the user's DN and the password provided; no search is performed.

          One may use:

          <authentication debug="off">
          <handler>
          <classname>org.esupportail.cas.server.handlers.ldap.FastBindLdapHandler</classname>
          <config>
          <filter>uid=%u,ou=people,dc=esup-portail,dc=org</filter>
          <server>
          <url>ldap://ldap.esup-portail.org</url>
          </server>
          <server>
          <url>ldap://replica.esup-portail.org</url>
          </server>
          </config>
          </handler>
          </authentication>

When using the ldap_fastbind method, the administrator only has to specify the filter that yields the users' DN in the directory. The following tokens (similar to ldap_saslauthd) can be used in the filter string:

          • %% = %
          • %u = user
          • %U = user portion of %u (%U = test when %u = test@domain.tld)
          • %d = domain portion of %u (%d = domain.tld when %u = test@domain.tld)
          • %1-9 = domain tokens (%1 = tld, %2 = domain when %d = domain.tld)
          • %s = service
          • %r = realm

The %u token must appear at least once for the filter to be useful. Defaults to uid=%u.

          Search mode (bind)

When users are located in different branches of the directory, deducing the users' DN from their login name is impossible. In this case, the ldap_bind mode should be used. It performs a search in the directory to locate the user's entry before trying to bind.

          One may use:

          <authentication debug="off">
          <handler>
          <classname>org.esupportail.cas.server.handlers.ldap.BindLdapHandler</classname>
          <config>
          <search_base>ou=people,dc=esup-portail,dc=org</search_base>
          <filter>uid=%u</filter>
          <scope>sub</scope>
          <bind_dn>admin</bind_dn>
          <bind_password>secret</bind_password>
          <server>
          <url>ldap://ldap.esup-portail.org</url>
          </server>
          <server>
          <url>ldap://replica.esup-portail.org</url>
          </server>
          <disable_multiple_accounts/>
          </config>
          </handler>
          </authentication>

          When using the bind method, the administrator should specify:

• the start point of the search (e.g. dc=univ-rennes1,dc=fr). The tokens described for the filter (see above) can also be used here;
• the search scope (can be sub, one or base). Defaults to sub;
• the filter to find the users' DN in the directory;
• the parameters used to connect to the LDAP directory for the search (when omitted, an anonymous connection is used);
• whether multiple accounts per user are allowed, via the <enable_multiple_accounts> and <disable_multiple_accounts> tags (by default they are not allowed). If the LDAP search returns more than one entry, no bind to the LDAP directory is attempted and the authentication is refused. This feature was added in version 2.0.5.

          LDAP servers

          The LDAP servers are defined by:

          • their LDAP URL.

When several servers are specified, they are all treated as replicas: when authentication fails on one directory, LDAP authentication fails, because the directories are meant to contain the same data; the next (redundant) servers are tried only if the first one does not respond.

Several replicas can also be given as a space-separated list of LDAP URLs in a single <url> element; these URLs are handled by JNDI (since JDK 1.4) as described at http://java.sun.com/products/jndi/tutorial/ldap/misc/url.html. Alternatively, using several <server> elements can help debugging.
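The token substitution of the fastbind section, the search-then-bind flow with <disable_multiple_accounts/>, and the replica fail-over rule just described, modelled together as an added example. This is not ESUP or CAS code: it runs against a small in-memory stand-in for the directory, the entries under dc=esup-portail,dc=org, the service account cn=cas-reader and every password are constructed, and escaping the substituted login per RFC 4515 (filters) and RFC 4514 (DNs) is this example's choice, since the page does not say how the real handler treats special characters in %u.

```python
import re

def escape_filter_value(value):
    """RFC 4515: hex-escape the characters that would alter a filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def escape_dn_value(value):
    """fastbind puts %u into a DN, so RFC 4514 escaping applies (common cases)."""
    return re.sub(r'([\\,+"<>;])', r"\\\1", value)

def expand_tokens(template, user, service="", realm="", escape=escape_filter_value):
    """Expand the ldap_saslauthd-style tokens listed on the page (%%, %u, %U, %d,
    %1-%9 with %1 = tld, %s, %r). Escaping the login is this example's choice."""
    local, _, domain = user.partition("@")
    labels = domain.split(".")[::-1] if domain else []
    values = {"u": user, "U": local, "d": domain, "s": service, "r": realm}
    def sub(m):
        tok = m.group(1)
        if tok == "%":
            return "%"
        if tok and tok in "123456789":
            return escape(labels[int(tok) - 1]) if int(tok) <= len(labels) else ""
        if tok in values:
            return escape(values[tok])
        raise ValueError(f"unknown token %{tok}")
    return re.sub(r"%(.?)", sub, template)

def _assertion_regex(value):
    """RFC 4515 assertion value: a raw '*' is a wildcard, '\\XX' a literal char."""
    pat = re.sub(r"\\([0-9a-fA-F]{2})|(\*)|(.)", lambda m: ".*" if m.group(2)
                 else re.escape(m.group(3) or chr(int(m.group(1), 16))), value)
    return re.compile(pat)

class Directory:
    """Minimal LDAP replica: DN -> attributes, simple bind, one attr=value filter."""
    def __init__(self, entries, up=True):
        self.entries = {dn.lower(): attrs for dn, attrs in entries.items()}
        self.up = up

    def bind(self, dn, password):
        if not self.up:
            raise ConnectionError("server not responding")
        if not password:  # a real simple bind with an empty password is anonymous and
            return False  # "succeeds" without authenticating anyone (cf. empty_password_accepted)
        entry = self.entries.get(dn.lower())
        return entry is not None and entry.get("userPassword") == password

    def search(self, base, scope, filt):
        if not self.up:
            raise ConnectionError("server not responding")
        m = re.fullmatch(r"\(?(\w+)=([^()]*)\)?", filt)
        if not m:
            raise ValueError("this mock understands a single attr=value filter only")
        attr, pattern, base = m.group(1).lower(), _assertion_regex(m.group(2)), base.lower()
        hits = []
        for dn, attrs in self.entries.items():  # scopes 'sub' and 'one' are modelled
            rel = dn[: -len(base) - 1] if dn.endswith("," + base) else None
            if rel is None or (scope == "one" and "," in rel):
                continue
            if attrs.get(attr) is not None and pattern.fullmatch(attrs[attr]):
                hits.append(dn)
        return hits

def with_failover(servers, attempt):
    """Replica rule from the page: the next server is tried only when the current
    one does not respond; an authentication failure is final."""
    for server in servers:
        try:
            return attempt(server)
        except ConnectionError:
            continue
    raise ConnectionError("no LDAP server responded")

def fastbind_authenticate(servers, dn_template, user, password):
    """FastBindLdapHandler: derive the DN from the login, then bind with it."""
    dn = expand_tokens(dn_template, user, escape=escape_dn_value)
    return with_failover(servers, lambda d: d.bind(dn, password))

def bind_authenticate(servers, config, user, password):
    """BindLdapHandler with <disable_multiple_accounts/>: search (anonymously when
    bind_dn is omitted), then bind as the single hit; zero or several hits refuse."""
    base = expand_tokens(config["search_base"], user, escape=escape_dn_value)
    filt = expand_tokens(config["filter"], user)
    def attempt(d):
        bind_dn = config.get("bind_dn")
        if bind_dn and not d.bind(bind_dn, config["bind_password"]):
            return False
        hits = d.search(base, config.get("scope", "sub"), filt)
        return len(hits) == 1 and d.bind(hits[0], password)
    return with_failover(servers, attempt)

# Constructed sample directory: DNs, accounts and passwords are all made up.
ENTRIES = {
    "uid=alice,ou=people,dc=esup-portail,dc=org": {"uid": "alice", "userPassword": "s3cret"},
    "uid=bob,ou=staff,ou=people,dc=esup-portail,dc=org": {"uid": "bob", "userPassword": "pw-1"},
    "uid=bob,ou=students,ou=people,dc=esup-portail,dc=org": {"uid": "bob", "userPassword": "pw-2"},
    "cn=cas-reader,ou=services,dc=esup-portail,dc=org": {"cn": "cas-reader", "userPassword": "reader-pw"},
}
BIND_CONFIG = {"search_base": "ou=people,dc=esup-portail,dc=org", "filter": "uid=%u", "scope": "sub",
               "bind_dn": "cn=cas-reader,ou=services,dc=esup-portail,dc=org", "bind_password": "reader-pw"}
PRIMARY, REPLICA_DOWN = Directory(ENTRIES), Directory(ENTRIES, up=False)
```

With this setup `bind_authenticate([REPLICA_DOWN, PRIMARY], BIND_CONFIG, "alice", "s3cret")` succeeds through fail-over, `"bob"` is refused because two entries match `uid=bob`, and a login of `*` is refused because the escaped filter `uid=\2a` matches nothing, whereas the literal filter `uid=*` would match every account under the base (and be refused only by the single-account rule). Escaping and the single-account rule are two independent lines of defence; a deployment should not rely on the second alone.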

posted on 2007-06-05 16:35 junky  reads (1054)  comments (0)  category: security
