CONFIGURATION PROCESS OF CAS with LDAP

About CAS:

The CAS protocol involves at least three parties: a client web browser, the web application requesting authentication, and the CAS server. It may also involve a back-end service, such as a database server, that does not have its own HTTP interface but communicates with a web application.
When the client visits an application desiring to authenticate to it, the application redirects it to CAS. CAS validates the client's authenticity, usually by checking a username and password against a database (such as Kerberos or Active Directory).
If the authentication succeeds, CAS returns the client to the application, passing along a security ticket. The application then validates the ticket by contacting CAS over a secure connection and providing its own service identifier and the ticket. CAS then gives the application trusted information about whether a particular user has successfully authenticated.
CAS allows multi-tier authentication via proxy address. A cooperating back-end service, like a database or mail server, can participate in CAS, validating the authenticity of users via information it receives from web applications. Thus, a webmail client and a webmail server can all implement CAS.

Why CAS?

The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as userid and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password. The name CAS also refers to a software package that implements this protocol.

CONFIGURATION PROCESS OF CAS with LDAP

Step 1:  Download CAS server latest version from bellow url,
http://www.jasig.org/cas_server_3_5_1_release as zip file and extract the zip file.
Step 2:  copy the webapp.war from modules folder of your extracted files.
Eg: D: \cas-server 3.5.1 \modules\cas-server-webapp-3.5.1.war;
And paste it in your tomcat server webapps folder, extract the war file.
Step 3: add the following jar files to cas lib.
1.      commons-pool-1.5.2.jar
http://repo1.maven.org/maven2/commons-pool/commons-pool/
2.       ldaptemplate-1.0.2.jar
3.       spring-ldap-1.2.1.jar
Step 4: open deployerConfigContext.xml and make following changes.

A. 
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
                 <!-- cofigure ldap admin user  -->
<property name="password" value="admin" /> 
                 <property name="userDn" value="cn=admin,ou=users,o=demo" /> 
<property name="pooled" value="false" />
<property name="urls">
<list>
 <value>ldap://localhost:10389</value> 
</list>
</property>
<property name="baseEnvironmentProperties">
<map>
<entry>
<key><value>java.naming.security.authentication</value></key>
<value>simple</value>
</entry>
</map>
</property>
</bean>

B.   change "authenticationHandlers" hanlder property of authenticationManager element to the bellow

<property name="authenticationHandlers">
 <list>
<bean  class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
 p:httpClient-ref="httpClient" />
<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
      p:filter="uid=%u" <!-- userid to be search  %u replaces with given userid at runtime-->
p:searchBase="ou=users,o=demo"  <!-- node to search start from -->
       p:contextSource-ref="contextSource"/>
</list>
</property>


Step 5: Since CAS Requires https protocol we have to create and configure SSL certificate in  tomcat.

Let us see how to create and configure SSL certificate in tomcat:

Step 1: Open a command prompt and go to the conf folder of tomcat.
Step 2: Type the following command
keytool -genkey -alias tomcat -keypass changeit -keyalg RSA -keystore server.keystore
Step 3: use “changeit” as password. Use myHostname when asked for first/last name. fill All information.
Step 4: server.keystore is generated.
Step 5: keytool -list -keystore server.keystore
Step 6: Type follwing command.
keytool -export -alias tomcat -keypass changeit -file server.crt -keystore server.keystore
Step 7: server.crt is generated
Step 8: Open server.xml file tomcat find the connector element with port 8443 and replace it with follwing.
<Connector
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="${user.home}/.keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"/>
Step 9: restart tomcat server and type the following url in browser address bar
https://localhost:8443/cas/login

Nhận xét

Đăng nhận xét

Bài đăng phổ biến từ blog này

CLEANING UP THE ZABBIX DATABASE

My Zabbix database size increased a lot in the last few months and since my disk was running out space, I decided to clean up the old events from the database. Looking at the database tables, the biggest one was  history_uint , which holds the items history data – over 400 millions of records and over 30 Gb of disk space before the clean up. Since deleting the old records from this table directly would be a very slow process, I decided to create a new table and insert the latest records from the  history_uint  table and then just replace the old table with a new one. Since this is not an offical procedure, use it at your own risk. Environment: Zabbix v2.2 MySql 5.1 – InnoDB with  innodb_file_per_table=ON Step 1 – Stop the Zabbix server Step 2 – Open your favourite MySQL client and create a new table CREATE TABLE  history_uint_new  LIKE  history_uint; Step 3 – Insert the latest records from the  history_uint  table to the  history_uint_new table First you need to de
Đọc thêm

Configuring DHCP Relay service on the FortiGate unit

Configuring DHCP Relay service on the FortiGate unit If the clients are configured to obtain a IP address using DHCP relay, configure the FortiGate server as below: To configure DHCP relay on the FortiGate unit   1. Go to System > Network > Interfaces and select Interface want to configure DHCP relay.   2. Enable DHCP Server in the interface and choose Advanced   3. For Mode, select Relay.   4. In Type select Regular.   5. Select OK.   6. If a router is installed between the FortiGate unit and the DHCP server, define a static route to the DHCP server. Note : Sometimes it is required to specify more than one DHCP relay IP, to allow for the coverage of additional LAN subnets. Although the Web Based Manager (GUI) does not provide an option to configure this, it is possible to set up to 8 IPs from the CLI.       config system interface             edit <REQUIRED_INTERFACE_HERE>               set dhcp-relay-ip <FIRST_IP> <SECOND_IP> ....<EIGHTH_IP&
Đọc thêm

WAN link load balancing

Hình ảnh
W A N link load balancing In the same way that incoming traffic can be load balanced, outgoing or WAN traffic can also be load balanced and for the same three reasons. 1 .  Reduce the places in the work flow where a single point of failure can bring the process to a halt. 2 .  Expand the capacity of the resources to handle the required workload. 3 .  Have it configured so that the process of balancing the workload is automatic. Often, it can be just as important for an organizations members to be able to access the Internet as it is for the denizens of the Internet to access the Web facing resources. There is now a  WA N Load Balancing  feature located in the  N e t w o r k  section of the GUI (“WAN LLB”). As part of the new WAN Load Balancing feature, the FortiOS 5.2  R ou t e r > Static > Settings  GUI page has been removed. WAN Load Balancing should be used instead of the 5.2  E C M P Load Balancing Method  settings. The 5.2  L i n k Health Monitor  definitions
Đọc thêm