CAS 4

ref

RPM packages installed on the system

java

[root@cas4 ~]# rpm -qa | grep java
java-1.7.0-openjdk-1.7.0.71-2.5.3.1.el7_0.x86_64
java-1.7.0-openjdk-devel-1.7.0.71-2.5.3.1.el7_0.x86_64
python-javapackages-3.4.1-6.el7_0.noarch
tzdata-java-2014j-1.el7_0.noarch
java-1.7.0-openjdk-headless-1.7.0.71-2.5.3.1.el7_0.x86_64
javamail-1.4.6-8.el7.noarch
javassist-3.16.1-10.el7.noarch
javapackages-tools-3.4.1-6.el7_0.noarch

tomcat

[root@cas4 ~]# rpm -qa | grep tomcat
tomcat-jsp-2.2-api-7.0.42-8.el7_0.noarch
tomcat-lib-7.0.42-8.el7_0.noarch
tomcat-servlet-3.0-api-7.0.42-8.el7_0.noarch
tomcat-admin-webapps-7.0.42-8.el7_0.noarch
tomcat-7.0.42-8.el7_0.noarch
tomcat-el-2.2-api-7.0.42-8.el7_0.noarch

maven

[root@cas4 ~]# rpm -qa | grep maven
maven-3.0.5-16.el7.noarch
maven-wagon-2.4-3.el7.noarch

tomcat

Enabling with systemctl

[root@cas4 ~]# systemctl list-unit-files | grep -i tomcat 
tomcat.service                              disabled
[root@cas4 ~]# systemctl enable tomcat.service
ln -s '/usr/lib/systemd/system/tomcat.service' '/etc/systemd/system/multi-user.target.wants/tomcat.service'
[root@cas4 ~]# systemctl list-unit-files | grep -i tomcat 
tomcat.service                              enabled 


[root@cas4 ~]# systemctl status tomcat.service
tomcat.service - Apache Tomcat Web Application Container
   Loaded: loaded (/usr/lib/systemd/system/tomcat.service; enabled)
   Active: inactive (dead)

[root@cas4 ~]# systemctl start tomcat.service
[root@cas4 ~]# systemctl status tomcat.service
tomcat.service - Apache Tomcat Web Application Container
   Loaded: loaded (/usr/lib/systemd/system/tomcat.service; enabled)
   Active: active (running) since mer. 2014-12-10 15:54:18 CET; 1s ago
  Process: 10811 ExecStart=/usr/sbin/tomcat-sysd start (code=exited, status=0/SUCCESS)
 Main PID: 10829 (java)
   CGroup: /system.slice/tomcat.service
           └─10829 java -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/...

déc. 10 15:54:18 cas4.exemple.fr systemd[1]: Started Apache Tomcat Web Application Container.

firewalld

CentOS/Red Hat 7 ships with firewalld, a whole new world!

ref https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html

We copy the ssh service definition to a tomcat service in order to open our Tomcat port 8080 through a firewalld service.

[root@cas4 ~]# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/tomcat.xml
[root@cas4 ~]# vim /etc/firewalld/services/tomcat.xml
[root@cas4 ~]# cat /etc/firewalld/services/tomcat.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>tomcat</short>
  <description>tomcat is a java servlet container/server</description>
  <port protocol="tcp" port="8080"/>
</service>
[root@cas4 ~]# firewall-cmd --state
running
[root@cas4 ~]# firewall-cmd --get-active-zones
public
  interfaces: eth0
[root@cas4 ~]# firewall-cmd --get-service
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
[root@cas4 ~]# firewall-cmd --get-service --permanent
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client tomcat transmission-client vnc-server wbem-https

The addition went through at the filesystem level; the service definitions now have to be re-read with

[root@cas4 ~]# firewall-cmd --reload
success

We add the tomcat service permanently (available at the next boot):

[root@cas4 ~]# firewall-cmd --zone=public --add-service=tomcat
success

Visibility through iptables is still possible:

[root@cas4 ~]# iptables -L -n | grep 8080
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 ctstate NEW

Nevertheless, to make this opening stable across reloads and reboots, the service has to be added to the active zone (here public) in the permanent configuration, which ends up in /etc/firewalld/zones/public.xml:

[root@cas4 ~]# grep tomcat /etc/firewalld/zones/public.xml
  <service name="tomcat"/>
  
[root@cas4 ~]# systemctl restart firewalld.service 
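As an added example (not from the original notes), a small shell check for exactly the trap hit above: a service present in firewalld's runtime configuration but absent from the permanent one, or the reverse. Only the live_drift_check function needs firewalld and root; the rest runs on constructed lists.

```shell
#!/bin/sh
# Added example, not from the original page: compare firewalld's runtime and
# permanent service lists for a zone. A service added with --add-service but
# without --permanent (as on this page) is only in the runtime set and
# vanishes at the next --reload or reboot; one added only with --permanent
# is invisible until --reload.

# Print the words of list $1 that are absent from list $2 (both space-separated).
list_diff() {
    _missing=""
    for _svc in $1; do
        case " $2 " in
            *" $_svc "*) ;;
            *) _missing="${_missing:+$_missing }$_svc" ;;
        esac
    done
    printf '%s\n' "$_missing"
}

# Report drift between a runtime list ($2) and a permanent list ($3) for zone $1.
# Returns 0 when they agree, 1 when something differs.
report_drift() {
    _zone=$1
    _only_runtime=$(list_diff "$2" "$3")
    _only_permanent=$(list_diff "$3" "$2")
    _status=0
    if [ -n "$_only_runtime" ]; then
        echo "zone $_zone: runtime only, lost at next reload/reboot: $_only_runtime"
        _status=1
    fi
    if [ -n "$_only_permanent" ]; then
        echo "zone $_zone: permanent only, not active until --reload: $_only_permanent"
        _status=1
    fi
    if [ "$_status" -eq 0 ]; then
        echo "zone $_zone: runtime and permanent configuration agree"
    fi
    return "$_status"
}

# Query the live firewall (root + firewalld required); not run automatically here.
live_drift_check() {
    _z=$(firewall-cmd --get-default-zone)
    report_drift "$_z" \
        "$(firewall-cmd --zone="$_z" --list-services)" \
        "$(firewall-cmd --zone="$_z" --permanent --list-services)"
}

# Constructed sample reproducing the page's situation after
# "firewall-cmd --zone=public --add-service=tomcat" without --permanent.
SAMPLE_RUNTIME="dhcpv6-client ssh tomcat"
SAMPLE_PERMANENT="dhcpv6-client ssh"

report_drift public "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT" || true
# prints: zone public: runtime only, lost at next reload/reboot: tomcat
```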

firewalld rich-format rules

Another, more precise option:

# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" log prefix="http_192_168" accept'
# firewall-cmd --reload

tomcat manager user

For web administration through the Tomcat manager, a username and the manager-* roles have to be defined since Tomcat 7!

[root@cas4 tomcat]# git diff 18fda4d tomcat-users.xml
diff --git a/tomcat-users.xml b/tomcat-users.xml
index 7224d60..901e50b 100644
--- a/tomcat-users.xml
+++ b/tomcat-users.xml
@@ -33,14 +33,15 @@
   <user username="both" password="tomcat" roles="tomcat,role1"/>
   <user username="role1" password="tomcat" roles="role1"/>
 -->
+  <user username="dsi" password="s3cret" roles="manager-gui,manager-script,manager-jmx,manager-status"/>
 
 <!-- <role rolename="admin"/> -->
 <!-- <role rolename="admin-gui"/> -->
 <!-- <role rolename="admin-script"/> -->
 <!-- <role rolename="manager"/> -->
-<!-- <role rolename="manager-gui"/> -->
-<!-- <role rolename="manager-script"/> -->
-<!-- <role rolename="manager-jmx"/> -->
-<!-- <role rolename="manager-status"/> -->
+<role rolename="manager-gui"/>
+<role rolename="manager-script"/>
+<role rolename="manager-jmx"/>
+<role rolename="manager-status"/>
 <!-- <user name="admin" password="adminadmin" roles="admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status" /> -->
 </tomcat-users>
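Review bot: the + line adding user "dsi" grants manager-gui together with manager-script and manager-jmx to one account, which Tomcat's manager documentation recommends against (the script and JMX interfaces have no CSRF protection, so a browser session holding manager-gui should not also hold them); split it into a GUI-only user and a separate script-only user. The password is also a plaintext literal in a file tracked by git (this is the output of git diff 18fda4d), so it now sits in the repository history; keep tomcat-users.xml out of version control and use a digested password instead of the clear value.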

At this point we can reach the manager of our Tomcat server natively (port 8080) at:

http://cas4.exemple.fr:8080/manager/html

Cas4 UniconLabs/simple-cas4-overlay-template

Following the official documentation (http://jasig.github.io/cas/4.0.x/installation/Maven-Overlay-Installation.html), we start from the Maven WAR overlay provided by UniconLabs.

git clone

We fetch the sources from GitHub:

[disi@cas4 UniconLabs]$ git clone https://github.com/UniconLabs/simple-cas4-overlay-template
Cloning into 'simple-cas4-overlay-template'...
remote: Counting objects: 95, done.
remote: Total 95 (delta 0), reused 0 (delta 0)
Unpacking objects: 100% (95/95), done.

[disi@cas4 UniconLabs]$ cd simple-cas4-overlay-template/
[disi@cas4 simple-cas4-overlay-template]$ ls
build.xml  etc  LICENSE.txt  pom.xml  README.md  src

cas.properties configuration

The configuration file “cas.properties” is defined in

[disi@cas4 simple-cas4-overlay-template]$ grep cas.properties ./src/main/webapp/WEB-INF/spring-configuration/propertyFileConfigurer.xml
	<context:property-placeholder location="file:/etc/cas/cas.properties"/>

For now we only do a minimal initial configuration (server.name, host.name) for a first test with the test login/password (casuser / M..n); see deployerConfigContext.xml, where this login is hard-coded in the bean “primaryAuthenticationHandler”.

[disi@cas4 UniconLabs]$ cd simple-cas4-overlay-template/
[disi@cas4 simple-cas4-overlay-template]$ ls
build.xml  etc  LICENSE.txt  pom.xml  README.md  src
[disi@cas4 simple-cas4-overlay-template]$ cd etc/
[disi@cas4 etc]$ ls
cas.properties  log4j.xml
[disi@cas4 etc]$ vim cas.properties 

A small git backup/versioning, for form's sake:

[disi@cas4 etc]$ git commit -a -m "custom cas.properties" 
[master cd5dbb4] custom cas.properties
 1 file changed, 3 insertions(+), 3 deletions(-)

/etc/cas directory

[root@cas4 etc]# mkdir cas
[root@cas4 etc]# chgrp disi /etc/cas/
[root@cas4 etc]# chmod 775 /etc/cas/

[disi@cas4 etc]$ cp cas.properties log4j.xml /etc/cas/

build

We launch the first build:

[disi@cas4 simple-cas4-overlay-template]$ mvn clean package
[INFO] Scanning for projects...
[INFO]                                                                         
[INFO] ------------------------------------------------------------------------
[INFO] Building cas4-overlay 1.0
[INFO] ------------------------------------------------------------------------
Downloading: http://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-compiler-plugin/3.1/maven-compiler-plugin-3.1.pom

...
Downloaded: http://oss.sonatype.org/content/repositories/releases/org/jasig/cas/cas-server-webapp/4.0.0/cas-server-webapp-4.0.0.war (24474 KB at 3628.4 KB/sec)
[INFO] 
[INFO] --- maven-clean-plugin:2.4.1:clean (default-clean) @ cas4-overlay ---
[INFO] 
[INFO] --- maven-resources-plugin:2.5:resources (default-resources) @ cas4-overlay ---
[debug] execute contextualize
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory /home/disi/UniconLabs/simple-cas4-overlay-template/src/main/resources
[INFO] 
[INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ cas4-overlay ---
Downloading: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-utils/1.5.1/plexus-utils-1.5.1.pom

...
Downloaded: http://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.jar (350 KB at 3208.2 KB/sec)
Downloaded: http://repo.maven.apache.org/maven2/com/google/collections/google-collections/1.0/google-collections-1.0.jar (625 KB at 3528.8 KB/sec)
[INFO] No sources to compile
[INFO] 
[INFO] --- maven-resources-plugin:2.5:testResources (default-testResources) @ cas4-overlay ---
[debug] execute contextualize
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory /home/disi/UniconLabs/simple-cas4-overlay-template/src/test/resources
[INFO] 
[INFO] --- maven-compiler-plugin:3.1:testCompile (default-testCompile) @ cas4-overlay ---
[INFO] No sources to compile
[INFO] 
[INFO] --- maven-surefire-plugin:2.10:test (default-test) @ cas4-overlay ---
[INFO] No tests to run.
[INFO] Surefire report directory: /home/disi/UniconLabs/simple-cas4-overlay-template/target/surefire-reports

-------------------------------------------------------
 T E S T S
-------------------------------------------------------

Results :

Tests run: 0, Failures: 0, Errors: 0, Skipped: 0

...
Downloaded: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-utils/3.0.8/plexus-utils-3.0.8.jar (227 KB at 3059.3 KB/sec)
Downloaded: http://repo.maven.apache.org/maven2/com/thoughtworks/xstream/xstream/1.4.3/xstream-1.4.3.jar (471 KB at 2996.7 KB/sec)
[INFO] Packaging webapp
[INFO] Assembling webapp [cas4-overlay] in [/home/disi/UniconLabs/simple-cas4-overlay-template/target/cas]
[INFO] Processing war project
[INFO] Copying webapp resources [/home/disi/UniconLabs/simple-cas4-overlay-template/src/main/webapp]
[INFO] Processing overlay [ id org.jasig.cas:cas-server-webapp]
[INFO] Webapp assembled in [1023 msecs]
[INFO] Building war: /home/disi/UniconLabs/simple-cas4-overlay-template/target/cas.war
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 21.857s
[INFO] Finished at: Tue Dec 23 16:00:14 CET 2014
[INFO] Final Memory: 10M/25M
[INFO] ------------------------------------------------------------------------

deploy

And we deploy the freshly built cas.war into Tomcat's webapps directory, which will deploy the application automatically:

[disi@cas4 ~]$ cp /home/disi/UniconLabs/simple-cas4-overlay-template/target/cas.war /var/lib/tomcat/webapps/
[disi@cas4 ~]$ ls -al /var/lib/tomcat/webapps/
total 24484
drwxrwxr-x. 6 root   tomcat     4096  6 janv. 11:46 .
drwxr-xr-x. 3 root   tomcat       20 20 nov.  10:44 ..
drwxr-xr-x  7 tomcat tomcat      101  6 janv. 11:46 cas
-rw-rw-r--  1 disi   disi   25057390  6 janv. 11:46 cas.war

Catalina deployment log

janv. 06, 2015 11:46:17 AM org.apache.catalina.startup.HostConfig deployWAR
INFOS: Déploiement de l'archive /var/lib/tomcat/webapps/cas.war de l'application web
log4j:WARN No appenders could be found for logger (org.springframework.web.context.ContextLoader).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.

log4j:ERROR setFile(null,true) call failed.
java.io.FileNotFoundException: /var/log/cas/cas.log (Aucun fichier ou dossier de ce type)

Fixing the cas.log problem

[root@cas4 log]# mkdir cas
[root@cas4 log]# chown root:tomcat cas
[root@cas4 log]# chmod 775 cas

FR CAS4 cas-overlay-demo

Another example of a French overlay source, to be continued…

[disi@cas4 ~]$ mkdir leleuj
[disi@cas4 ~]$ cd leleuj/
[disi@cas4 leleuj]$ git clone https://github.com/leleuj/cas-overlay-demo
Cloning into 'cas-overlay-demo'...
remote: Counting objects: 307, done.
remote: Total 307 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (307/307), 60.10 KiB | 0 bytes/s, done.
Resolving deltas: 100% (104/104), done.

httpd and AJP proxy

The server must answer over HTTPS; having an Apache in front of Tomcat to forward the HTTPS requests to Tomcat is convenient.

Enabling the Apache service

[root@cas4 log]# systemctl enable httpd.service 
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'

Firewall for HTTPS (http://www.certdepot.net/rhel7-get-started-firewalld/)

[root@cas4 certs]# firewall-cmd --permanent --add-service=https
success
[root@cas4 certs]# firewall-cmd --reload
success
[root@cas4 certs]# firewall-cmd --list-services
dhcpv6-client https ssh tomcat

AJP link

[root@cas4 certs]# cat /etc/httpd/conf.d/proxy-ajp.conf
ProxyPass /cas ajp://localhost:8009/cas retry=3 min=0 max=100 smax=50 ttl=10 timeout=60
ProxyPass /manager ajp://localhost:8009/manager retry=3 min=0 max=100 smax=50 ttl=10 timeout=60

Reloading this Apache configuration

[root@cas4 certs]# systemctl reload httpd.service 

CAS login URL

First usage test

https://cas4.exemple.fr/cas/login

Entering the casuser login and its password; the corresponding log on the Tomcat server:

2015-01-07 11:36:24,185 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <AcceptUsersAuthenticationHandler successfully authenticated casuser+password>
2015-01-07 11:36:24,185 DEBUG [org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver] - <Attempting to resolve a principal...>
2015-01-07 11:36:24,185 DEBUG [org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver] - <Creating SimplePrincipal for [casuser]>
2015-01-07 11:36:24,186 DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver@3e8d4630 resolved casuser from casuser+password>
2015-01-07 11:36:24,189 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <Authenticated casuser with credentials [casuser+password].>
2015-01-07 11:36:24,189 DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <Attribute map for casuser: {uid=uid, eduPersonAffiliation=eduPersonAffiliation, groupMembership=groupMembership}>
2015-01-07 11:36:24,189 INFO [org.perf4j.TimingLogger] - <start[1420626984170] time[19] tag[AUTHENTICATE]>
2015-01-07 11:36:24,190 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: supplied credentials: [casuser+password]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Wed Jan 07 11:36:24 CET 2015
CLIENT IP ADDRESS: 157.158.211.9
SERVER IP ADDRESS: cas4.exemple.fr
=============================================================

It works fine with a hard-coded account!

LDAP authentication handler

Reference: http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html

There are 3 steps / files to modify

pom.xml

Tell the project definition file that we want to use support-ldap:

[disi@cas4 simple-cas4-overlay-template]$ diff pom.xml.orig pom.xml
53a54,59
> 	<dependency>
>          	<groupId>org.jasig.cas</groupId>
>          	<artifactId>cas-server-support-ldap</artifactId>
>          	<version>${cas.version}</version>
>     	</dependency>
> 

deployerConfigContext.xml

The UniconLabs overlay sources do not modify the deployerConfigContext.xml file by default, so a copy has to be placed in the src directory for our changes to be taken into account at deployment:

[disi@cas4 simple-cas4-overlay-template]$ cp ./target/cas/WEB-INF/deployerConfigContext.xml  src/main/webapp/WEB-INF/deployerConfigContext.xml

All the directives presented at http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html have to be added, but the link to this LDAP authentication handler also has to be made (which at first sight is not stated in that documentation; info taken from https://lists.wisc.edu/read/messages?id=37789779).

Notably in the bean id=“authenticationManager”:

 <entry key-ref="ldapAuthenticationHandler" value-ref="usernamePasswordCredentialsResolver" />

And also add the referenced bean usernamePasswordCredentialsResolver:

<bean id="usernamePasswordCredentialsResolver"
          class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />

I also set principalIdAttribute=“uid” instead of =“mail” (we use the uid here), and in the attribute map member instead of uid.

In the end, here is everything that was changed in deployerConfigContext.xml:

[disi@cas4 disi]$  diff ./simple-cas4-overlay-template/target/cas/WEB-INF/deployerConfigContext.xml /home/disi/UniconLabs/simple-cas4-overlay-template/src/main/webapp/WEB-INF/deployerConfigContext.xml  
64a65
> 		<entry key-ref="ldapAuthenticationHandler" value-ref="usernamePasswordCredentialsResolver" />	
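Review bot: the 64a65 hunk only adds the ldapAuthenticationHandler entry to the authenticationManager map and removes nothing, so every handler already registered there stays active; the Tomcat log further down on this page indeed shows AcceptUsersAuthenticationHandler (the hard-coded casuser account) still being tried before the LDAP handler. Remove the hard-coded handler's entry from the map once LDAP works, otherwise the test account remains a valid login on the production SSO.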
127a129,214
> 
> 	<bean id="usernamePasswordCredentialsResolver"
>           class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />	
> 
> <!-- http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html LDAP Supporting Direct Bind -->
> <bean id="ldapAuthenticationHandler"
>       class="org.jasig.cas.authentication.LdapAuthenticationHandler"
>       p:principalIdAttribute="uid"
>       c:authenticator-ref="authenticator">
>     <property name="principalAttributeMap">
>         <map>
>             <!--
>                                 | This map provides a simple attribute resolution mechanism.
>                | Keys are LDAP attribute names, values are CAS attribute names.
>                | Use this facility instead of a PrincipalResolver if LDAP is
>                | the only attribute source.
>                -->
>             <entry key="uid" value="uid" />
>             <entry key="mail" value="mail" />
>             <entry key="displayName" value="displayName" />
>         </map>
>     </property>
> </bean>
> 
> <bean id="authenticator" class="org.ldaptive.auth.Authenticator"
>       c:resolver-ref="dnResolver"
>       c:handler-ref="authHandler" />
> 
> <bean id="dnResolver" class="org.ldaptive.auth.PooledSearchDnResolver"
>       p:baseDn="${ldap.baseDn}"
>       p:allowMultipleDns="false"
>       p:connectionFactory-ref="searchPooledLdapConnectionFactory"
>       p:userFilter="${ldap.authn.searchFilter}" />
> 
> <bean id="searchPooledLdapConnectionFactory"
>       class="org.ldaptive.pool.PooledConnectionFactory"
>       p:connectionPool-ref="searchConnectionPool" />
> 
> <bean id="searchConnectionPool" parent="abstractConnectionPool" />
> 
> <bean id="abstractConnectionPool" abstract="true"
>       class="org.ldaptive.pool.BlockingConnectionPool"
>       init-method="initialize"
>       p:poolConfig-ref="ldapPoolConfig"
>       p:blockWaitTime="${ldap.pool.blockWaitTime}"
>       p:validator-ref="searchValidator"
>       p:pruneStrategy-ref="pruneStrategy"
>       p:connectionFactory-ref="connectionFactory" />
> 
> <bean id="ldapPoolConfig" class="org.ldaptive.pool.PoolConfig"
>       p:minPoolSize="${ldap.pool.minSize}"
>       p:maxPoolSize="${ldap.pool.maxSize}"
>       p:validateOnCheckOut="${ldap.pool.validateOnCheckout}"
>       p:validatePeriodically="${ldap.pool.validatePeriodically}"
>       p:validatePeriod="${ldap.pool.validatePeriod}" />
> 
> <bean id="connectionFactory" class="org.ldaptive.DefaultConnectionFactory"
>       p:connectionConfig-ref="connectionConfig" />
> 
> <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig"
>       p:ldapUrl="${ldap.url}"
>       p:connectTimeout="${ldap.connectTimeout}"
>       p:useStartTLS="${ldap.useStartTLS}"
>       p:sslConfig-ref="sslConfig" />
> 
> <bean id="sslConfig" class="org.ldaptive.ssl.SslConfig">
>     <property name="credentialConfig">
>         <bean class="org.ldaptive.ssl.X509CredentialConfig"
>               p:trustCertificates="${ldap.trustedCert}" />
>     </property>
> </bean>
> 
> <bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
>       p:prunePeriod="${ldap.pool.prunePeriod}"
>       p:idleTime="${ldap.pool.idleTime}" />
> 
> <bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" />
> 
> <bean id="authHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler"
>       p:connectionFactory-ref="bindPooledLdapConnectionFactory" />
> 
> <bean id="bindPooledLdapConnectionFactory"
>       class="org.ldaptive.pool.PooledConnectionFactory"
>       p:connectionPool-ref="bindConnectionPool" />
> 
> <bean id="bindConnectionPool" parent="abstractConnectionPool" />
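Review bot: in the connectionConfig bean the transport protection depends entirely on ${ldap.useStartTLS} and ${ldap.url}, and the slapd log later on this page records the BIND with mech=SIMPLE ssf=0, i.e. the user's password reached the directory with no TLS; set ldap.useStartTLS=true (or an ldaps:// URL) in cas.properties and confirm the BIND line then shows a non-zero ssf. Two smaller points: the comment block inside principalAttributeMap (the lines starting with "|") is indented inconsistently, and the beans mix tabs and spaces, which will make the next diff noisy.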

Here is the complete file:

deployerconfigcontext.xml

cas.properties

Finally, to feed the variables defined in the deployerConfigContext.xml above, here is the associated cas.properties; likewise I had to add:

ldap.baseDn=ou=people,dc=exemple,dc=fr
ldap.trustedCert=/etc/pki/tls/certs/chain-24222-cas4.exemple.fr-3-AddTrust_External_CA_Root.pem

variables referenced in deployerConfigContext.xml but not defined in the sample cas.properties.

(cf http://comments.gmane.org/gmane.comp.java.jasig.cas.user/27717 )

Here is the complete sample file:

cas.properties

Now CAS4 + LDAP authentication works

debug info

Once this configuration is in place (mvn clean package and Tomcat restart + manual deletion of cas.war and the cas directory in Tomcat's webapps, because the new deployerConfigContext.xml file was not put in place automatically!), authentication through LDAP finally works.

Tomcat log:

2015-01-07 16:18:36,027 DEBUG [org.jasig.cas.authentication.AcceptUsersAuthenticationHandler] - <test was not found in the map.>
2015-01-07 16:18:36,028 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <AcceptUsersAuthenticationHandler failed authenticating test+password>
2015-01-07 16:18:36,028 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - <Attempting LDAP authentication for test+password>
2015-01-07 16:18:36,030 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - <resolve user=test>
2015-01-07 16:18:36,030 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - <searching for DN using userFilter>
2015-01-07 16:18:36,053 DEBUG [org.ldaptive.SearchOperation] - <execute request=[org.ldaptive.SearchRequest@1830579154::baseDn=ou=people,dc=exemple,dc=fr, searchFilter=[org.ldaptive.SearchFilter@929747261::filter=(uid={user}), parameters={user=test}], returnAttributes=[1.1], searchScope=ONELEVEL, timeLimit=0, sizeLimit=0, derefAliases=null, typesOnly=false
....
....
[displayName[Test TEST]]], responseControls=null, messageId=-1], accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]>
2015-01-07 16:18:36,380 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [uid[test]]>
2015-01-07 16:18:36,380 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [mail[test@exemple.fr]]>
2015-01-07 16:18:36,380 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [displayName[Test TEST]]>
2015-01-07 16:18:36,388 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler successfully authenticated test+password>
2015-01-07 16:18:36,388 DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <org.jasig.cas.authentication.principal.BasicPrincipalResolver@303cfcca resolved test from test+password>
2015-01-07 16:18:36,391 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <Authenticated test with credentials [test+password].>
2015-01-07 16:18:36,391 DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <Attribute map for test: {}>
2015-01-07 16:18:36,392 INFO [org.perf4j.TimingLogger] - <start[1420643916024] time[367] tag[AUTHENTICATE]>
2015-01-07 16:18:36,410 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: supplied credentials: [test+password]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Wed Jan 07 16:18:36 CET 2015
CLIENT IP ADDRESS: 157.158.211.9
SERVER IP ADDRESS: cas4.exemple.fr
=============================================================

>
2015-01-07 16:18:36,413 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket [TGT-1-I9PM7KyilG0eFfHYLp23qvUymsveWehnNUtQn7BEAtJtSidyBP-cas4.exemple.fr] to registry.>
2015-01-07 16:18:36,414 INFO [org.perf4j.TimingLogger] - <start[1420643916022] time[391] tag[CREATE_TICKET_GRANTING_TICKET]>
2015-01-07 16:18:36,414 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: TGT-1-I9PM7KyilG0eFfHYLp23qvUymsveWehnNUtQn7BEAtJtSidyBP-cas4.exemple.fr
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Wed Jan 07 16:18:36 CET 2015
CLIENT IP ADDRESS: 157.158.211.9
SERVER IP ADDRESS: cas4.exemple.fr
=============================================================
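The audit trail records shown here and in the first login test above are multi-line, which makes them awkward to grep or to ship to a SIEM. As an added example (not from the original notes), a shell/awk filter that flattens them to one line per event and counts failed authentications per client IP; the sample log is constructed in the page's format, with documentation IP addresses.

```shell
#!/bin/sh
# Added example, not from the original page: turn the multi-line
# "Audit trail record" blocks that CAS 4 (inspektr) writes to cas.log into
# one line per event, then count failures per client IP. Field labels are
# the ones visible in the records above (WHO, WHAT, ACTION, WHEN, CLIENT IP ADDRESS).

# stdin: cas.log   stdout: one "WHEN|ACTION|CLIENT IP|WHO|WHAT" line per record
flatten_audit() {
    awk '
        /Audit trail record BEGIN/ {           # start of a record; reset fields
            inrec = 1; who = what = action = when = ip = ""; next
        }
        inrec && /^WHO: /               { who    = substr($0, 6);  next }
        inrec && /^WHAT: /              { what   = substr($0, 7);  next }
        inrec && /^ACTION: /            { action = substr($0, 9);  next }
        inrec && /^WHEN: /              { when   = substr($0, 7);  next }
        inrec && /^CLIENT IP ADDRESS: / { ip     = substr($0, 20); next }
        inrec && /^=+$/ {                      # the 2nd "===" line closes the record
            if (action != "") { print when "|" action "|" ip "|" who "|" what; inrec = 0 }
            next
        }
    '
}

# stdin: cas.log   stdout: "<count> <client ip>" for AUTHENTICATION_FAILED records
failures_per_ip() {
    flatten_audit | awk -F'|' '$2 == "AUTHENTICATION_FAILED" { n[$3]++ }
                               END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Constructed sample in the format shown on this page (ACTION values are CAS 4
# audit action names; the failed record is made up, IPs are documentation addresses).
SAMPLE_CAS_LOG='2015-01-07 11:36:24,190 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: supplied credentials: [casuser+password]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Wed Jan 07 11:36:24 CET 2015
CLIENT IP ADDRESS: 198.51.100.9
SERVER IP ADDRESS: cas4.exemple.fr
=============================================================

>
2015-01-07 11:37:02,001 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: supplied credentials: [bob+password]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Wed Jan 07 11:37:02 CET 2015
CLIENT IP ADDRESS: 198.51.100.7
SERVER IP ADDRESS: cas4.exemple.fr
=============================================================

>'

printf '%s\n' "$SAMPLE_CAS_LOG" | flatten_audit
printf '%s\n' "$SAMPLE_CAS_LOG" | failures_per_ip
# last line printed: 1 198.51.100.7
```

On the real server the same functions read the live file: flatten_audit < /var/log/cas/cas.log.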

Query in ldap.log on the LDAP server side:

Jan  7 16:59:36 ldap4 slapd[1236]: conn=32062 op=0 SRCH base="ou=people,dc=exemple,dc=fr" scope=1 deref=0 filter="(uid=test)"
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32062 op=0 SRCH attr=1.1
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32062 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32059 op=0 BIND dn="uid=test,ou=people,dc=exemple,dc=fr" method=128
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32059 op=0 BIND dn="uid=test,ou=People,dc=exemple,dc=fr" mech=SIMPLE ssf=0
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32059 op=0 RESULT tag=97 err=0 text=
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32059 op=1 SRCH base="uid=test,ou=people,dc=exemple,dc=fr" scope=0 deref=0 filter="(objectClass=*)"
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32059 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
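The BIND line above carries mech=SIMPLE ssf=0, which in slapd's stats log means the password crossed the wire without TLS. As an added example (not from the original notes), a shell/awk filter for the directory side that flags every simple bind below a minimum security strength factor; the sample log is constructed, with the page's connection plus a second one that negotiated StartTLS.

```shell
#!/bin/sh
# Added example, not from the original page: scan an OpenLDAP slapd log (stats
# level, as on this page) for simple BINDs made without transport protection.
# slapd logs each simple bind as "BIND dn=... mech=SIMPLE ssf=N", where ssf is
# the security strength factor of the connection: 0 means the password went over
# the network in clear; a StartTLS or ldaps:// session reports the cipher
# strength (e.g. 128 or 256). The BIND on this page shows ssf=0.

# stdin: slapd log   $1: minimum acceptable ssf (default 1)
# stdout: "<conn> <bind dn>" for every simple bind below that ssf
cleartext_binds() {
    awk -v min="${1:-1}" '
        / BIND / && /mech=SIMPLE/ {
            ssf = -1; conn = ""; dn = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^ssf=/)  ssf  = substr($i, 5) + 0
                if ($i ~ /^conn=/) conn = substr($i, 6)
            }
            # the DN is quoted and may contain spaces, so take it from the whole line
            if (match($0, /dn="[^"]*"/)) dn = substr($0, RSTART + 4, RLENGTH - 5)
            if (ssf >= 0 && ssf < min) print conn " " dn
        }
    '
}

# stdin: slapd log   stdout: "<count> <bind dn>" summarising cleartext binds per DN
cleartext_binds_per_dn() {
    cleartext_binds | awk '{ d = substr($0, index($0, " ") + 1); n[d]++ }
                           END { for (d in n) print n[d], d }' | sort -rn
}

# Constructed sample: the first connection is the one seen on this page (no TLS),
# the second negotiated StartTLS before binding.
SAMPLE_SLAPD_LOG='Jan  7 16:59:36 ldap4 slapd[1236]: conn=32059 op=0 BIND dn="uid=test,ou=people,dc=exemple,dc=fr" method=128
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32059 op=0 BIND dn="uid=test,ou=People,dc=exemple,dc=fr" mech=SIMPLE ssf=0
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32059 op=0 RESULT tag=97 err=0 text=
Jan  7 17:02:10 ldap4 slapd[1236]: conn=32071 op=0 STARTTLS
Jan  7 17:02:10 ldap4 slapd[1236]: conn=32071 op=1 BIND dn="uid=alice,ou=people,dc=exemple,dc=fr" method=128
Jan  7 17:02:10 ldap4 slapd[1236]: conn=32071 op=1 BIND dn="uid=alice,ou=people,dc=exemple,dc=fr" mech=SIMPLE ssf=256
Jan  7 17:02:10 ldap4 slapd[1236]: conn=32071 op=1 RESULT tag=97 err=0 text='

printf '%s\n' "$SAMPLE_SLAPD_LOG" | cleartext_binds
# prints: 32059 uid=test,ou=People,dc=exemple,dc=fr

# On the directory server itself: cleartext_binds < /var/log/ldap.log
```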

CAS redeployment

We rebuild CAS again:

[disi@cas4 simple-cas4-overlay-template]$  mvn -Dmaven.test.skip\=true package

then we wipe the WAR from the Tomcat tree and redeploy:

[root@cas4 cas-server-webapp]# systemctl stop tomcat.service 
[root@cas4 cas-server-webapp]# rm -rf /var/lib/tomcat/webapps/cas
[root@cas4 cas-server-webapp]# rm -rf /var/lib/tomcat/webapps/cas.war 
[root@cas4 cas-server-webapp]# systemctl start tomcat.service ; tail -f /var/log/cas/cas.log