CAS 5

ref

RPM packages installed on the system

installation on a CentOS 7 VM

java

[root@cas5d ~]# yum install java-openjdk

Installé :
  java-1.8.0-openjdk.x86_64 1:1.8.0.181-3.b13.el7_5                                                                                          

Dépendances installées :
  alsa-lib.x86_64 0:1.1.4.1-2.el7                             copy-jdk-configs.noarch 0:3.3-10.el7_5     fontconfig.x86_64 0:2.10.95-11.el7  
  fontpackages-filesystem.noarch 0:1.44-8.el7                 freetype.x86_64 0:2.4.11-15.el7            giflib.x86_64 0:4.1.6-9.el7         
  java-1.8.0-openjdk-headless.x86_64 1:1.8.0.181-3.b13.el7_5  javapackages-tools.noarch 0:3.4.1-11.el7   libICE.x86_64 0:1.0.9-9.el7         
  libSM.x86_64 0:1.2.2-2.el7                                  libX11.x86_64 0:1.6.5-1.el7                libX11-common.noarch 0:1.6.5-1.el7  
  libXau.x86_64 0:1.0.8-2.1.el7                               libXcomposite.x86_64 0:0.4.4-4.1.el7       libXext.x86_64 0:1.3.3-3.el7        
  libXfont.x86_64 0:1.5.2-1.el7                               libXi.x86_64 0:1.7.9-1.el7                 libXrender.x86_64 0:0.9.10-1.el7    
  libXtst.x86_64 0:1.2.3-1.el7                                libfontenc.x86_64 0:1.1.3-3.el7            libjpeg-turbo.x86_64 0:1.2.90-5.el7 
  libpng.x86_64 2:1.5.13-7.el7_2                              libxcb.x86_64 0:1.12-1.el7                 libxslt.x86_64 0:1.1.28-5.el7       
  lksctp-tools.x86_64 0:1.0.17-2.el7                          python-javapackages.noarch 0:3.4.1-11.el7  python-lxml.x86_64 0:3.2.1-4.el7    
  stix-fonts.noarch 0:1.1.0-5.el7                             ttmkfdir.x86_64 0:3.0.9-42.el7             tzdata-java.noarch 0:2018e-3.el7    
  xorg-x11-font-utils.x86_64 1:7.5-20.el7                     xorg-x11-fonts-Type1.noarch 0:7.5-9.el7   

Terminé !

tomcat

[root@cas5d ~]# yum install tomcat

Installé :
  tomcat.noarch 0:7.0.76-7.el7_5                                                                                                             

Dépendances installées :
  apache-commons-collections.noarch 0:3.2.1-22.el7_2  apache-commons-daemon.x86_64 0:1.0.13-7.el7  apache-commons-dbcp.noarch 0:1.4-17.el7 
  apache-commons-logging.noarch 0:1.1.2-7.el7         apache-commons-pool.noarch 0:1.6-9.el7       avalon-framework.noarch 0:4.3-10.el7    
  avalon-logkit.noarch 0:2.1-14.el7                   ecj.x86_64 1:4.5.2-3.el7                     geronimo-jms.noarch 0:1.1.1-19.el7      
  geronimo-jta.noarch 0:1.1.1-17.el7                  javamail.noarch 0:1.4.6-8.el7                log4j.noarch 0:1.2.17-16.el7_4          
  tomcat-el-2.2-api.noarch 0:7.0.76-7.el7_5           tomcat-jsp-2.2-api.noarch 0:7.0.76-7.el7_5   tomcat-lib.noarch 0:7.0.76-7.el7_5      
  tomcat-servlet-3.0-api.noarch 0:7.0.76-7.el7_5      xalan-j2.noarch 0:2.7.1-23.el7               xerces-j2.noarch 0:2.11.0-17.el7_0      
  xml-commons-apis.noarch 0:1.4.01-16.el7             xml-commons-resolver.noarch 0:1.2-15.el7    

tomcat

Enabling with systemctl

[root@cas5d ~]#  systemctl list-unit-files | grep -i tomcat 
tomcat.service                            disabled
tomcat@.service                           disabled

[root@cas5d ~]#  systemctl enable tomcat 
Created symlink from /etc/systemd/system/multi-user.target.wants/tomcat.service to /usr/lib/systemd/system/tomcat.service.


[root@cas5d ~]# systemctl start tomcat.service
[root@cas5d ~]# systemctl status tomcat.service
● tomcat.service - Apache Tomcat Web Application Container
   Loaded: loaded (/usr/lib/systemd/system/tomcat.service; enabled; vendor preset: disabled)
   Active: active (running) since lun. 2018-10-15 11:35:52 CEST; 9s ago

firewalld

firewalld rich-format rules

option with fine-grained control based on rich rules

[root@cas5d ~]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="10.10.0.0/16" port port=8080 protocol=tcp log prefix="http8080" accept'
success
[root@cas5d ~]# firewall-cmd --reload
success

firewalld option based on a service definition

Otherwise, the ssh service definition can be copied to a tomcat service, so that our Tomcat port 8080 is opened through a firewalld service.

[root@cas4 ~]# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/tomcat.xml
[root@cas4 ~]# vim /etc/firewalld/services/tomcat.xml
[root@cas4 ~]# cat /etc/firewalld/services/tomcat.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>tomcat</short>
  <description>tomcat is a java servlet container/server</description>
  <port protocol="tcp" port="8080"/>
</service>

With this service-based option, the tomcat service is added permanently (available at the next boots).

[root@cas4 ~]# firewall-cmd --zone=public --add-service=tomcat
success

Visibility through iptables is still possible:

[root@cas5d ~]# iptables -L -n | grep 8080
ACCEPT     tcp  --  10.10.0.0/16       0.0.0.0/0            tcp dpt:8080 ctstate NEW
LOG        tcp  --  10.10.0.0/16       0.0.0.0/0            tcp dpt:8080 ctstate NEW LOG flags 0 level 4 prefix "http8080"

Even so, to get this opening in a stable way, the service has to be added to the active zone (here public):

[root@cas4 ~]# grep tomcat /etc/firewalld/zones/public.xml
  <service name="tomcat"/>
  
[root@cas4 ~]# systemctl restart firewalld.service 

tomcat manager user

For web administration through the Tomcat manager, a username and the manager-* roles must be defined, since Tomcat 7!

[root@cas4 tomcat]# git diff 18fda4d tomcat-users.xml
diff --git a/tomcat-users.xml b/tomcat-users.xml
index 7224d60..901e50b 100644
--- a/tomcat-users.xml
+++ b/tomcat-users.xml
@@ -33,14 +33,15 @@
   <user username="both" password="tomcat" roles="tomcat,role1"/>
   <user username="role1" password="tomcat" roles="role1"/>
 -->
+  <user username="dsi" password="s3cret" roles="manager-gui,manager-script,manager-jmx,manager-status"/>
 
 <!-- <role rolename="admin"/> -->
 <!-- <role rolename="admin-gui"/> -->
 <!-- <role rolename="admin-script"/> -->
 <!-- <role rolename="manager"/> -->
-<!-- <role rolename="manager-gui"/> -->
-<!-- <role rolename="manager-script"/> -->
-<!-- <role rolename="manager-jmx"/> -->
-<!-- <role rolename="manager-status"/> -->
+<role rolename="manager-gui"/>
+<role rolename="manager-script"/>
+<role rolename="manager-jmx"/>
+<role rolename="manager-status"/>
 <!-- <user name="admin" password="adminadmin" roles="admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status" /> -->
 </tomcat-users>
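Review bot: the added line `+  <user username="dsi" password="s3cret" roles="manager-gui,manager-script,manager-jmx,manager-status"/>` gives a single account every manager role at once; Tomcat's manager documentation advises against granting manager-script or manager-jmx to a user that also holds manager-gui, because the script and JMX interfaces do not carry the CSRF protection of the HTML interface, so one account per interface is the safer layout. The password is also a cleartext literal in tomcat-users.xml, and the page then reaches /manager/html over plain http on port 8080 (and later proxies /manager through Apache), so keep the file's permissions tight and restrict which addresses can reach /manager.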

At this point we can therefore reach our Tomcat server natively (8080) on the manager via:

http://cas4.exemple.fr:8080/manager/html

Cas4 UniconLabs/simple-cas4-overlay-template

Following the official documentation (http://jasig.github.io/cas/4.0.x/installation/Maven-Overlay-Installation.html), we start from the Maven WAR overlay provided by UniconLabs.

git clone

We fetch the sources from GitHub:

[disi@cas4 UniconLabs]$ git clone https://github.com/UniconLabs/simple-cas4-overlay-template
Cloning into 'simple-cas4-overlay-template'...
remote: Counting objects: 95, done.
remote: Total 95 (delta 0), reused 0 (delta 0)
Unpacking objects: 100% (95/95), done.

[disi@cas4 UniconLabs]$ cd simple-cas4-overlay-template/
[disi@cas4 simple-cas4-overlay-template]$ ls
build.xml  etc  LICENSE.txt  pom.xml  README.md  src

cas.properties configuration

The configuration file "cas.properties" is defined in

[disi@cas4 simple-cas4-overlay-template]$ grep cas.properties ./src/main/webapp/WEB-INF/spring-configuration/propertyFileConfigurer.xml
	<context:property-placeholder location="file:/etc/cas/cas.properties"/>

For now we do a simple initial configuration (server.name, host.name) for the first test, with the test login/password (casuser / M..n); cf. deployerConfigContext.xml, where this login is hard-coded in the "primaryAuthenticationHandler" bean.

[disi@cas4 UniconLabs]$ cd simple-cas4-overlay-template/
[disi@cas4 simple-cas4-overlay-template]$ ls
build.xml  etc  LICENSE.txt  pom.xml  README.md  src
[disi@cas4 simple-cas4-overlay-template]$ cd etc/
[disi@cas4 etc]$ ls
cas.properties  log4j.xml
[disi@cas4 etc]$ vim cas.properties 

A small git backup/versioning, for good form

[disi@cas4 etc]$ git commit -a -m "custom cas.properties" 
[master cd5dbb4] custom cas.properties
 1 file changed, 3 insertions(+), 3 deletions(-)

/etc/cas directory

[root@cas4 etc]# mkdir cas
[root@cas4 etc]# chgrp disi /etc/cas/
[root@cas4 etc]# chmod 775 /etc/cas/

[disi@cas4 etc]$ cp cas.properties log4j.xml /etc/cas/

build

We launch the first build:

[disi@cas4 simple-cas4-overlay-template]$ mvn clean package
[INFO] Scanning for projects...
[INFO]                                                                         
[INFO] ------------------------------------------------------------------------
[INFO] Building cas4-overlay 1.0
[INFO] ------------------------------------------------------------------------
Downloading: http://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-compiler-plugin/3.1/maven-compiler-plugin-3.1.pom

...
Downloaded: http://oss.sonatype.org/content/repositories/releases/org/jasig/cas/cas-server-webapp/4.0.0/cas-server-webapp-4.0.0.war (24474 KB at 3628.4 KB/sec)
[INFO] 
[INFO] --- maven-clean-plugin:2.4.1:clean (default-clean) @ cas4-overlay ---
[INFO] 
[INFO] --- maven-resources-plugin:2.5:resources (default-resources) @ cas4-overlay ---
[debug] execute contextualize
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory /home/disi/UniconLabs/simple-cas4-overlay-template/src/main/resources
[INFO] 
[INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ cas4-overlay ---
Downloading: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-utils/1.5.1/plexus-utils-1.5.1.pom

...
Downloaded: http://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.jar (350 KB at 3208.2 KB/sec)
Downloaded: http://repo.maven.apache.org/maven2/com/google/collections/google-collections/1.0/google-collections-1.0.jar (625 KB at 3528.8 KB/sec)
[INFO] No sources to compile
[INFO] 
[INFO] --- maven-resources-plugin:2.5:testResources (default-testResources) @ cas4-overlay ---
[debug] execute contextualize
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory /home/disi/UniconLabs/simple-cas4-overlay-template/src/test/resources
[INFO] 
[INFO] --- maven-compiler-plugin:3.1:testCompile (default-testCompile) @ cas4-overlay ---
[INFO] No sources to compile
[INFO] 
[INFO] --- maven-surefire-plugin:2.10:test (default-test) @ cas4-overlay ---
[INFO] No tests to run.
[INFO] Surefire report directory: /home/disi/UniconLabs/simple-cas4-overlay-template/target/surefire-reports

-------------------------------------------------------
 T E S T S
-------------------------------------------------------

Results :

Tests run: 0, Failures: 0, Errors: 0, Skipped: 0

...
Downloaded: http://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-utils/3.0.8/plexus-utils-3.0.8.jar (227 KB at 3059.3 KB/sec)
Downloaded: http://repo.maven.apache.org/maven2/com/thoughtworks/xstream/xstream/1.4.3/xstream-1.4.3.jar (471 KB at 2996.7 KB/sec)
[INFO] Packaging webapp
[INFO] Assembling webapp [cas4-overlay] in [/home/disi/UniconLabs/simple-cas4-overlay-template/target/cas]
[INFO] Processing war project
[INFO] Copying webapp resources [/home/disi/UniconLabs/simple-cas4-overlay-template/src/main/webapp]
[INFO] Processing overlay [ id org.jasig.cas:cas-server-webapp]
[INFO] Webapp assembled in [1023 msecs]
[INFO] Building war: /home/disi/UniconLabs/simple-cas4-overlay-template/target/cas.war
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 21.857s
[INFO] Finished at: Tue Dec 23 16:00:14 CET 2014
[INFO] Final Memory: 10M/25M
[INFO] ------------------------------------------------------------------------

deploy

and we deploy the freshly created cas.war into Tomcat's webapps, which will deploy the application automatically:

[disi@cas4 ~]$ cp /home/disi/UniconLabs/simple-cas4-overlay-template/target/cas.war /var/lib/tomcat/webapps/
[disi@cas4 ~]$ ls -al /var/lib/tomcat/webapps/
total 24484
drwxrwxr-x. 6 root   tomcat     4096  6 janv. 11:46 .
drwxr-xr-x. 3 root   tomcat       20 20 nov.  10:44 ..
drwxr-xr-x  7 tomcat tomcat      101  6 janv. 11:46 cas
-rw-rw-r--  1 disi   disi   25057390  6 janv. 11:46 cas.war

catalina deployment log

janv. 06, 2015 11:46:17 AM org.apache.catalina.startup.HostConfig deployWAR
INFOS: Déploiement de l'archive /var/lib/tomcat/webapps/cas.war de l'application web
log4j:WARN No appenders could be found for logger (org.springframework.web.context.ContextLoader).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.

log4j:ERROR setFile(null,true) call failed.
java.io.FileNotFoundException: /var/log/cas/cas.log (Aucun fichier ou dossier de ce type)

fixing the cas.log problem

[root@cas4 log]# mkdir cas
[root@cas4 log]# chown root:tomcat cas
[root@cas4 log]# chmod 775 cas

FR CAS4 cas-overlay-demo

Another example of a French overlay source, to be continued...

[disi@cas4 ~]$ mkdir leleuj
[disi@cas4 ~]$ cd leleuj/
[disi@cas4 leleuj]$ git clone https://github.com/leleuj/cas-overlay-demo
Cloning into 'cas-overlay-demo'...
remote: Counting objects: 307, done.
remote: Total 307 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (307/307), 60.10 KiB | 0 bytes/s, done.
Resolving deltas: 100% (104/104), done.

httpd and AJP proxy

The server must answer over https; having an Apache in front of Tomcat to forward the https requests to Tomcat is convenient.

enabling the apache service

[root@cas4 log]# systemctl enable httpd.service 
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'

firewall for https (http://www.certdepot.net/rhel7-get-started-firewalld/)

[root@cas4 certs]# firewall-cmd --permanent --add-service=https
success
[root@cas4 certs]# firewall-cmd --reload
success
[root@cas4 certs]# firewall-cmd --list-services
dhcpv6-client https ssh tomcat

AJP link

[root@cas4 certs]# cat /etc/httpd/conf.d/proxy-ajp.conf
ProxyPass /cas ajp://localhost:8009/cas retry=3 min=0 max=100 smax=50 ttl=10 timeout=60
ProxyPass /manager ajp://localhost:8009/manager retry=3 min=0 max=100 smax=50 ttl=10 timeout=60

reloading this apache configuration

[root@cas4 certs]# systemctl reload httpd.service 

CAS login URL

first usage test

https://cas4.exemple.fr/cas/login

Entering the casuser login and its password; the associated logs on the Tomcat server:

2015-01-07 11:36:24,185 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <AcceptUsersAuthenticationHandler successfully authenticated casuser+password>
2015-01-07 11:36:24,185 DEBUG [org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver] - <Attempting to resolve a principal...>
2015-01-07 11:36:24,185 DEBUG [org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver] - <Creating SimplePrincipal for [casuser]>
2015-01-07 11:36:24,186 DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver@3e8d4630 resolved casuser from casuser+password>
2015-01-07 11:36:24,189 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <Authenticated casuser with credentials [casuser+password].>
2015-01-07 11:36:24,189 DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <Attribute map for casuser: {uid=uid, eduPersonAffiliation=eduPersonAffiliation, groupMembership=groupMembership}>
2015-01-07 11:36:24,189 INFO [org.perf4j.TimingLogger] - <start[1420626984170] time[19] tag[AUTHENTICATE]>
2015-01-07 11:36:24,190 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: supplied credentials: [casuser+password]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Wed Jan 07 11:36:24 CET 2015
CLIENT IP ADDRESS: 157.158.211.9
SERVER IP ADDRESS: cas4.exemple.fr
=============================================================

It works fine with a hard-coded account!

LDAP authentication handler

reference: http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html

There are 3 steps / files to modify.

pom.xml

Tell the project definition file that we want to use support-ldap:

[disi@cas4 simple-cas4-overlay-template]$ diff pom.xml.orig pom.xml
53a54,59
> 	<dependency>
>          	<groupId>org.jasig.cas</groupId>
>          	<artifactId>cas-server-support-ldap</artifactId>
>          	<version>${cas.version}</version>
>     	</dependency>
> 

deployerConfigContext.xml

The UniconLabs overlay sources do not modify the deployerConfigContext.xml file by default, so a copy must be put in the src directory so that our changes are taken into account at deployment time.

[disi@cas4 simple-cas4-overlay-template]$ cp ./target/cas/WEB-INF/deployerConfigContext.xml  src/main/webapp/WEB-INF/deployerConfigContext.xml

All the directives presented at http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html must be added, but the link to this LDAP authentication handler must also be made (which, at first sight, is not stated in that doc; info taken from https://lists.wisc.edu/read/messages?id=37789779).

notably in the bean id="authenticationManager":

 <entry key-ref="ldapAuthenticationHandler" value-ref="usernamePasswordCredentialsResolver" />

and also add the referenced usernamePasswordCredentialsResolver bean:

<bean id="usernamePasswordCredentialsResolver"
      class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />

I also put principalIdAttribute="uid" instead of ="mail" (we use the uid here), and in the attribute map, member by uid.

In the end, here is everything that was changed in deployerConfigContext.xml:

[disi@cas4 disi]$  diff ./simple-cas4-overlay-template/target/cas/WEB-INF/deployerConfigContext.xml /home/disi/UniconLabs/simple-cas4-overlay-template/src/main/webapp/WEB-INF/deployerConfigContext.xml  
64a65
> 		<entry key-ref="ldapAuthenticationHandler" value-ref="usernamePasswordCredentialsResolver" />	
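Review bot: the hard-coded primaryAuthenticationHandler entry (the casuser test account mentioned earlier) is left in authenticationManager next to this new ldapAuthenticationHandler entry, so after the change both stay valid logins; the Tomcat debug log further down confirms the order (`AcceptUsersAuthenticationHandler failed authenticating test+password` before `Attempting LDAP authentication`). Once LDAP works, remove the primaryAuthenticationHandler entry so the test credential is no longer accepted on the server.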
127a129,214
> 
> 	<bean id="usernamePasswordCredentialsResolver"
>           class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />	
> 
> <!-- http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html LDAP Supporting Direct Bind -->
> <bean id="ldapAuthenticationHandler"
>       class="org.jasig.cas.authentication.LdapAuthenticationHandler"
>       p:principalIdAttribute="uid"
>       c:authenticator-ref="authenticator">
>     <property name="principalAttributeMap">
>         <map>
>             <!--
>                                 | This map provides a simple attribute resolution mechanism.
>                | Keys are LDAP attribute names, values are CAS attribute names.
>                | Use this facility instead of a PrincipalResolver if LDAP is
>                | the only attribute source.
>                -->
>             <entry key="uid" value="uid" />
>             <entry key="mail" value="mail" />
>             <entry key="displayName" value="displayName" />
>         </map>
>     </property>
> </bean>
> 
> <bean id="authenticator" class="org.ldaptive.auth.Authenticator"
>       c:resolver-ref="dnResolver"
>       c:handler-ref="authHandler" />
> 
> <bean id="dnResolver" class="org.ldaptive.auth.PooledSearchDnResolver"
>       p:baseDn="${ldap.baseDn}"
>       p:allowMultipleDns="false"
>       p:connectionFactory-ref="searchPooledLdapConnectionFactory"
>       p:userFilter="${ldap.authn.searchFilter}" />
> 
> <bean id="searchPooledLdapConnectionFactory"
>       class="org.ldaptive.pool.PooledConnectionFactory"
>       p:connectionPool-ref="searchConnectionPool" />
> 
> <bean id="searchConnectionPool" parent="abstractConnectionPool" />
> 
> <bean id="abstractConnectionPool" abstract="true"
>       class="org.ldaptive.pool.BlockingConnectionPool"
>       init-method="initialize"
>       p:poolConfig-ref="ldapPoolConfig"
>       p:blockWaitTime="${ldap.pool.blockWaitTime}"
>       p:validator-ref="searchValidator"
>       p:pruneStrategy-ref="pruneStrategy"
>       p:connectionFactory-ref="connectionFactory" />
> 
> <bean id="ldapPoolConfig" class="org.ldaptive.pool.PoolConfig"
>       p:minPoolSize="${ldap.pool.minSize}"
>       p:maxPoolSize="${ldap.pool.maxSize}"
>       p:validateOnCheckOut="${ldap.pool.validateOnCheckout}"
>       p:validatePeriodically="${ldap.pool.validatePeriodically}"
>       p:validatePeriod="${ldap.pool.validatePeriod}" />
> 
> <bean id="connectionFactory" class="org.ldaptive.DefaultConnectionFactory"
>       p:connectionConfig-ref="connectionConfig" />
> 
> <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig"
>       p:ldapUrl="${ldap.url}"
>       p:connectTimeout="${ldap.connectTimeout}"
>       p:useStartTLS="${ldap.useStartTLS}"
>       p:sslConfig-ref="sslConfig" />
> 
> <bean id="sslConfig" class="org.ldaptive.ssl.SslConfig">
>     <property name="credentialConfig">
>         <bean class="org.ldaptive.ssl.X509CredentialConfig"
>               p:trustCertificates="${ldap.trustedCert}" />
>     </property>
> </bean>
> 
> <bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
>       p:prunePeriod="${ldap.pool.prunePeriod}"
>       p:idleTime="${ldap.pool.idleTime}" />
> 
> <bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" />
> 
> <bean id="authHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler"
>       p:connectionFactory-ref="bindPooledLdapConnectionFactory" />
> 
> <bean id="bindPooledLdapConnectionFactory"
>       class="org.ldaptive.pool.PooledConnectionFactory"
>       p:connectionPool-ref="bindConnectionPool" />
> 
> <bean id="bindConnectionPool" parent="abstractConnectionPool" />
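Review bot: `p:useStartTLS="${ldap.useStartTLS}"` and `p:trustCertificates="${ldap.trustedCert}"` make the protection of the simple bind, which carries the user's password, depend entirely on cas.properties, and the additions listed below cover only ldap.baseDn and ldap.trustedCert; confirm that ldap.url and ldap.useStartTLS resolve to ldaps:// or useStartTLS=true, and note that the slapd excerpt further down shows only SRCH/BIND/RESULT lines with no `TLS established` line, so it does not by itself show the bind was encrypted. Separately, `p:allowMultipleDns="false"` combined with the one-level search (searchScope=ONELEVEL in the CAS debug log) means only entries directly under ou=people resolve; enable subtreeSearch on dnResolver if accounts live in sub-OUs.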

Here is the complete file:

deployerconfigcontext.xml

cas.properties

Finally, to feed the variables defined in the deployerConfigContext.xml above, here is the associated cas.properties; likewise I had to add:

ldap.baseDn=ou=people,dc=exemple,dc=fr
ldap.trustedCert=/etc/pki/tls/certs/chain-24222-cas4.exemple.fr-3-AddTrust_External_CA_Root.pem

variables referenced in deployerConfigContext.xml but not defined in the example cas.properties.

(cf. http://comments.gmane.org/gmane.comp.java.jasig.cas.user/27717)

Here is the complete example file:

cas.properties

CAS4 + LDAP authentication now works.
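Added example (not from the page or the CAS project): a Python check that cross-references the ${...} placeholders in deployerConfigContext.xml against the keys of cas.properties, the gap that produced the missing ldap.baseDn and ldap.trustedCert above, and warns when ldap.url / ldap.useStartTLS would leave the bind in the clear. The XML and properties excerpts are constructed for the demonstration.

```python
import re
from typing import Dict, List, Set

# ${key} or ${key:default}; a placeholder that carries a default needs no property.
PLACEHOLDER = re.compile(r"\$\{([^}:]+)(:[^}]*)?\}")

# Constructed excerpt of the beans listed above (not the whole file).
SAMPLE_XML = """
<bean id="dnResolver" class="org.ldaptive.auth.PooledSearchDnResolver"
      p:baseDn="${ldap.baseDn}"
      p:userFilter="${ldap.authn.searchFilter}" />
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig"
      p:ldapUrl="${ldap.url}"
      p:useStartTLS="${ldap.useStartTLS}" />
<bean class="org.ldaptive.ssl.X509CredentialConfig"
      p:trustCertificates="${ldap.trustedCert}" />
<bean id="ldapPoolConfig" class="org.ldaptive.pool.PoolConfig"
      p:minPoolSize="${ldap.pool.minSize:3}" />
"""

# Constructed cas.properties that, like the page's starting point, still lacks
# ldap.baseDn and ldap.trustedCert.
SAMPLE_PROPERTIES = """
# CAS server settings
server.name=https://cas4.exemple.fr
ldap.url=ldap://ldap4.exemple.fr
ldap.useStartTLS=true
ldap.authn.searchFilter=(uid={user})
ldap.pool.maxSize=\\
   10
"""


def required_placeholders(spring_xml: str) -> Set[str]:
    """Every ${key} in the Spring XML that has no inline default."""
    return {key for key, default in PLACEHOLDER.findall(spring_xml) if not default}


def parse_properties(text: str) -> Dict[str, str]:
    """Small java.util.Properties reader: '#'/'!' comments, key=value or
    key: value, and backslash line continuation."""
    props: Dict[str, str] = {}
    carry = ""
    for raw in text.splitlines():
        line = carry + raw.lstrip()
        carry = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            carry = line[:-1]          # logical line continues on the next one
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def missing_keys(spring_xml: str, properties_text: str) -> List[str]:
    """Placeholders the property placeholder configurer cannot resolve at startup."""
    defined = set(parse_properties(properties_text))
    return sorted(required_placeholders(spring_xml) - defined)


def ldap_transport_warnings(props: Dict[str, str]) -> List[str]:
    """The bind handler sends the user's password in a simple bind, so the
    connection must be ldaps:// or StartTLS with a trusted certificate."""
    url = props.get("ldap.url", "")
    starttls = props.get("ldap.useStartTLS", "false").strip().lower() == "true"
    warnings: List[str] = []
    if url.startswith("ldap://") and not starttls:
        warnings.append("ldap.url is plain ldap:// and ldap.useStartTLS is not true")
    if starttls and not props.get("ldap.trustedCert"):
        warnings.append("StartTLS enabled but ldap.trustedCert is empty or undefined")
    return warnings


if __name__ == "__main__":
    print("missing:", missing_keys(SAMPLE_XML, SAMPLE_PROPERTIES))
    print("warnings:", ldap_transport_warnings(parse_properties(SAMPLE_PROPERTIES)))
```

Run it against the real files by reading src/main/webapp/WEB-INF/deployerConfigContext.xml and /etc/cas/cas.properties instead of the two constants.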

debug info

Once this configuration is in place (mvn clean package and Tomcat restart + manual deletion of cas.war and the cas directory in the Tomcat webapps, because the new deployerConfigContext.xml was not automatically put in place!), an LDAP authentication finally works.

Tomcat log:

2015-01-07 16:18:36,027 DEBUG [org.jasig.cas.authentication.AcceptUsersAuthenticationHandler] - <test was not found in the map.>
2015-01-07 16:18:36,028 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <AcceptUsersAuthenticationHandler failed authenticating test+password>
2015-01-07 16:18:36,028 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - <Attempting LDAP authentication for test+password>
2015-01-07 16:18:36,030 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - <resolve user=test>
2015-01-07 16:18:36,030 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - <searching for DN using userFilter>
2015-01-07 16:18:36,053 DEBUG [org.ldaptive.SearchOperation] - <execute request=[org.ldaptive.SearchRequest@1830579154::baseDn=ou=people,dc=exemple,dc=fr, searchFilter=[org.ldaptive.SearchFilter@929747261::filter=(uid={user}), parameters={user=test}], returnAttributes=[1.1], searchScope=ONELEVEL, timeLimit=0, sizeLimit=0, derefAliases=null, typesOnly=false
....
....
[displayName[Test TEST]]], responseControls=null, messageId=-1], accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]>
2015-01-07 16:18:36,380 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [uid[test]]>
2015-01-07 16:18:36,380 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [mail[test@exemple.fr]]>
2015-01-07 16:18:36,380 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [displayName[Test TEST]]>
2015-01-07 16:18:36,388 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler successfully authenticated test+password>
2015-01-07 16:18:36,388 DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <org.jasig.cas.authentication.principal.BasicPrincipalResolver@303cfcca resolved test from test+password>
2015-01-07 16:18:36,391 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <Authenticated test with credentials [test+password].>
2015-01-07 16:18:36,391 DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <Attribute map for test: {}>
2015-01-07 16:18:36,392 INFO [org.perf4j.TimingLogger] - <start[1420643916024] time[367] tag[AUTHENTICATE]>
2015-01-07 16:18:36,410 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: supplied credentials: [test+password]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Wed Jan 07 16:18:36 CET 2015
CLIENT IP ADDRESS: 157.158.211.9
SERVER IP ADDRESS: cas4.exemple.fr
=============================================================

>
2015-01-07 16:18:36,413 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket [TGT-1-I9PM7KyilG0eFfHYLp23qvUymsveWehnNUtQn7BEAtJtSidyBP-cas4.exemple.fr] to registry.>
2015-01-07 16:18:36,414 INFO [org.perf4j.TimingLogger] - <start[1420643916022] time[391] tag[CREATE_TICKET_GRANTING_TICKET]>
2015-01-07 16:18:36,414 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: TGT-1-I9PM7KyilG0eFfHYLp23qvUymsveWehnNUtQn7BEAtJtSidyBP-cas4.exemple.fr
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Wed Jan 07 16:18:36 CET 2015
CLIENT IP ADDRESS: 157.158.211.9
SERVER IP ADDRESS: cas4.exemple.fr
=============================================================

request in ldap.log on the LDAP server side:

Jan  7 16:59:36 ldap4 slapd[1236]: conn=32062 op=0 SRCH base="ou=people,dc=exemple,dc=fr" scope=1 deref=0 filter="(uid=test)"
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32062 op=0 SRCH attr=1.1
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32062 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32059 op=0 BIND dn="uid=test,ou=people,dc=exemple,dc=fr" method=128
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32059 op=0 BIND dn="uid=test,ou=People,dc=exemple,dc=fr" mech=SIMPLE ssf=0
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32059 op=0 RESULT tag=97 err=0 text=
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32059 op=1 SRCH base="uid=test,ou=people,dc=exemple,dc=fr" scope=0 deref=0 filter="(objectClass=*)"
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32059 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
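Added example, not from the page: a Python reader for slapd log lines in the format above that regroups them by conn=, reconstructs the search-then-bind sequence CAS produces, and flags simple binds on a connection with no "TLS established" line as well as binds slapd rejected (err=49). The sample log is constructed and deliberately mixes a StartTLS search connection with a cleartext bind connection so both paths are exercised.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed excerpt (not a real capture): a StartTLS-protected search connection,
# a cleartext bind connection, and a second bind rejected with err=49.
SAMPLE_LOG = """\
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32062 fd=40 ACCEPT from IP=10.10.5.20:50122 (IP=0.0.0.0:389)
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32062 op=0 STARTTLS
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32062 op=0 RESULT oid= err=0 text=
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32062 fd=40 TLS established tls_ssf=256 ssf=256
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32062 op=1 SRCH base="ou=people,dc=exemple,dc=fr" scope=1 deref=0 filter="(uid=test)"
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32062 op=1 SRCH attr=1.1
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32062 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32059 fd=41 ACCEPT from IP=10.10.5.20:50123 (IP=0.0.0.0:389)
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32059 op=0 BIND dn="uid=test,ou=people,dc=exemple,dc=fr" method=128
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32059 op=0 BIND dn="uid=test,ou=People,dc=exemple,dc=fr" mech=SIMPLE ssf=0
Jan  7 16:59:36 ldap4 slapd[1236]: conn=32059 op=0 RESULT tag=97 err=0 text=
Jan  7 16:59:40 ldap4 slapd[1236]: conn=32070 fd=42 ACCEPT from IP=10.10.5.20:50130 (IP=0.0.0.0:389)
Jan  7 16:59:40 ldap4 slapd[1236]: conn=32070 op=0 BIND dn="uid=test,ou=people,dc=exemple,dc=fr" method=128
Jan  7 16:59:40 ldap4 slapd[1236]: conn=32070 op=0 RESULT tag=97 err=49 text=
"""

CONN = re.compile(r"slapd\[\d+\]: conn=(\d+) (.*)$")
OPNUM = re.compile(r"op=(\d+)")
ACCEPT = re.compile(r"ACCEPT from IP=([^\s]+)")
SEARCH = re.compile(r'SRCH base="([^"]*)" scope=(\d) deref=\d+ filter="([^"]*)"')
BIND = re.compile(r'BIND dn="([^"]*)" method=(\d+)')
RESULT = re.compile(r"RESULT tag=(\d+) err=(\d+)")

@dataclass
class Conn:
    client: str = ""
    tls: bool = False                   # set once slapd logs "TLS established"
    searches: List[Tuple[str, int, str]] = field(default_factory=list)  # (base, scope, filter)
    pending_bind: Dict[str, str] = field(default_factory=dict)          # op number -> bind DN

@dataclass
class Finding:
    conn: str
    kind: str       # "CLEARTEXT_BIND" or "BIND_FAILED"
    dn: str
    err: int = 0    # LDAP result code for BIND_FAILED (49 = invalidCredentials)

def parse_slapd_log(text: str) -> Tuple[Dict[str, Conn], List[Finding]]:
    """Group lines by conn=, keep per-connection search/bind state and emit
    findings; RESULT tag=97 is a BindResponse, tag=101 a SearchResultDone."""
    conns: Dict[str, Conn] = defaultdict(Conn)
    findings: List[Finding] = []
    for line in text.splitlines():
        m = CONN.search(line)
        if not m:
            continue
        cid, rest = m.groups()
        c = conns[cid]
        op = OPNUM.search(rest)
        opnum = op.group(1) if op else ""
        if a := ACCEPT.search(rest):
            c.client = a.group(1)
        elif "TLS established" in rest:
            c.tls = True
        elif s := SEARCH.search(rest):
            c.searches.append((s.group(1), int(s.group(2)), s.group(3)))
        elif b := BIND.search(rest):
            dn = b.group(1)
            c.pending_bind[opnum] = dn
            # method=128 is a simple bind: the password is inside the request, so
            # without an earlier "TLS established" on this connection it is in clear.
            if dn and b.group(2) == "128" and not c.tls:
                findings.append(Finding(cid, "CLEARTEXT_BIND", dn))
        elif r := RESULT.search(rest):
            if r.group(1) == "97" and opnum in c.pending_bind:
                dn = c.pending_bind.pop(opnum)
                err = int(r.group(2))
                if err != 0:
                    findings.append(Finding(cid, "BIND_FAILED", dn, err))
    return dict(conns), findings

if __name__ == "__main__":
    for f in parse_slapd_log(SAMPLE_LOG)[1]:
        print(f)
```

Feed it the real /var/log/ldap.log (or `journalctl -u slapd` output) to spot CAS bind pools that never negotiated TLS and accounts with repeated err=49 results.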

redeploying CAS

We rebuild CAS again:

[disi@cas4 simple-cas4-overlay-template]$  mvn -Dmaven.test.skip\=true package

then we reset the war in the Tomcat tree:

[root@cas4 cas-server-webapp]# systemctl stop tomcat.service 
[root@cas4 cas-server-webapp]# rm -rf /var/lib/tomcat/webapps/cas
[root@cas4 cas-server-webapp]# rm -rf /var/lib/tomcat/webapps/cas.war 
[root@cas4 cas-server-webapp]# systemctl start tomcat.service ; tail -f /var/log/cas/cas.log