I'm going to use CAS together with 7 different AD domains, each reached over a VPN from a different office. If one of those links has connection problems, I lose the ability to serve users of the other 6 LDAP directories.

My full test config (which I currently use in a test environment) is attached.


Leonid S. Batizhevsky


On Wed, Aug 31, 2011 at 18:08, Marvin Addison <[email protected]> wrote:

> Let's please have a little more discussion about an issue before
> filing improvements in Jira.  There is absolutely no need for a
> smarter authentication manager to address the current use case of LDAP
> failover.  I recently re-wrote
> https://wiki.jasig.org/display/CASUM/LDAP with further emphasis on
> best practices for LDAP authentication in HA setups, but possibly more
> could be done.  Please review the section "Connection Pooling" and
> provide feedback.  I'm fully confident this is a documentation issue,
> not a technology one.  We use the default authentication manager with
> a well-configured connection pool and have a very sound HA setup for
> LDAP authentication.
>

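<?xml version="1.0" encoding="UTF-8"?>
<!--
  CAS deployerConfigContext for a multi-domain Active Directory deployment:
  LDAP bind against EXAMPLE.LAN and TEST.LAN, plus SPNEGO for TEST.LAN.
  The ";" that followed each quoted namespace URI in the mailing-list copy was
  a URL-rendering artifact of the archive, not well-formed XML; it is removed here.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">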
	<!--
	  Authentication manager that pairs each AuthenticationHandler with the
	  CredentialsToPrincipalResolver used once that handler accepts the credentials.
	  The three pairs are: LDAP bind against EXAMPLE.LAN, LDAP bind against TEST.LAN,
	  and SPNEGO (Kerberos, optionally NTLM) for TEST.LAN. A Spring map element is
	  instantiated as a LinkedHashMap, so handlers are consulted in the order written.
	  NOTE(review): both LDAP handlers accept the same username/password credentials,
	  so a user is accepted by whichever domain binds first, and both resolvers emit a
	  bare sAMAccountName; "leonko" in EXAMPLE.LAN and "leonko" in TEST.LAN therefore
	  become one CAS principal. Whether a connectivity failure in the first domain
	  falls through to the next handler or aborts the whole attempt depends on whether
	  the handler reports it as "not authenticated" or throws; this is the HA
	  behaviour raised in the thread and should be tested with one VPN link down.
	-->
	<bean id="authenticationManager"
			class="org.jasig.cas.authentication.LinkedAuthenticationHandlerAndCredentialsToPrincipalResolverAuthenticationManager">
	<!--	alternative manager with separate handler and resolver lists:
		class="org.jasig.cas.authentication.AuthenticationManagerImpl"> -->
        <constructor-arg index="0">
        	<map>
                      <entry key-ref="EX-LdapAuthHandler" value-ref="EXCredentialtoPrincipalResolver"/>
					  <entry key-ref="TST-LdapAuthHandler" value-ref="TSTCredentialtoPrincipalResolver"/>
					  <entry key-ref="SPNEGOAuthHandler" value-ref="TESTSPNEGOCredentialtoPrincipalResolver"/>
			</map>
        </constructor-arg>
	</bean>

    <!--
      Stock CAS resolvers for username/password and proxy-callback (HttpBasedService)
      credentials. Neither bean has an id and neither is referenced by the
      authenticationManager above, which wires its resolvers explicitly per handler;
      unless another context file picks them up by type they are unused.
      NOTE(review): none of the handlers in this file accepts HttpBasedServiceCredentials
      either, so CAS proxy (PGT) callbacks will not authenticate unless a handler for
      them is defined elsewhere.
    -->
    <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
    <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />

	<!-- SPNEGO (NTLM,Kerberos) -->
	<!--
	  Builds the CAS principal from a successful SPNEGO negotiation and attaches
	  attributes from the TEST.LAN directory only (matching the TEST.LAN realm in
	  jcifsConfig).
	  NOTE(review): SPNEGOAuthHandler sets principalWithDomainName=true, so the id
	  presumably arrives as user@TEST.LAN, while TSTattributeRepository queries
	  sAMAccountName with the bare "username" key; confirm the attribute lookup
	  actually matches, otherwise SPNEGO logins get no attributes.
	-->
	<bean id="TESTSPNEGOCredentialtoPrincipalResolver" class="org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver">
		<property name="attributeRepository">
            <ref bean="TSTattributeRepository" />
        </property>
    </bean>
    <!--
      Accepts SPNEGO tokens from browsers already logged into TEST.LAN.
      principalWithDomainName=true keeps the realm in the resolved id, unlike the LDAP
      resolvers below which emit a bare sAMAccountName; the same person therefore gets
      a different CAS principal id depending on which path authenticated them.
      NOTE(review): NTLMallowed=true lets a client that cannot obtain a Kerberos
      ticket fall back to NTLM, the weaker and downgrade-prone mechanism. Prefer
      false unless a specific client population needs it, and verify that fallback
      actually works with this JCIFS handler before relying on it.
    -->
    <bean id="SPNEGOAuthHandler" class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler">
    	<property name="authentication">
    		<bean class="jcifs.spnego.Authentication" />
    	</property>
    	<property name="principalWithDomainName" value="true" />
    	<property name="NTLMallowed" value="true"/>
    </bean>
    <!--
      Kerberos/JCIFS settings for the SPNEGO handler: the HTTP service principal of
      this CAS host (the value shown here was masked by the list archive; it should
      be the HTTP/host@REALM SPN), its password, the JAAS login.conf, and the
      TEST.LAN realm and KDC.
      NOTE(review): jcifsServicePassword is a short literal stored in clear text in
      this file; keep the real service password or keytab out of the context file
      (property placeholder, restricted file permissions) before this leaves the
      test environment. kerberosDebug=true enables verbose Kerberos protocol logging
      in the JVM; turn it off outside test. kerberosKdc names a single KDC by IP, so
      losing that DC disables SPNEGO for TEST.LAN.
    -->
    <bean name="jcifsConfig" class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
        <property name="jcifsServicePrincipal" value="HTTP/[email protected]" />
		<property name="loginConf" value="/opt/tomcat-cas/login.conf" />
		<property name="jcifsServicePassword" value="cas1" />
		<property name="kerberosDebug" value="true" />
		<property name="kerberosRealm" value="TEST.LAN" />
		<property name="kerberosKdc" value="192.168.11.121" />

	</bean>


    <!-- START EXAMPLE.LAN ldap -->
	<!--
	  Resolves the CAS principal for users authenticated against EXAMPLE.LAN: looks
	  the submitted username up under cn=Users,dc=example,dc=lan with the filter
	  (sAMAccountName=%u), uses that entry's sAMAccountName as the principal id and
	  attaches attributes from EXattributeRepository. The search runs on
	  EXcontextSource, i.e. bound as that bean's userDn.
	  NOTE(review): the id carries no domain qualifier, so it collides with the same
	  sAMAccountName in TEST.LAN (see TSTCredentialtoPrincipalResolver); a
	  domain-qualified attribute such as userPrincipalName would keep the forests apart.
	  NOTE(review): %u is the raw submitted username; confirm that the CAS release in
	  use escapes LDAP filter metacharacters before substituting it.
	-->
	<bean id="EXCredentialtoPrincipalResolver" class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
    	<property name="credentialsToPrincipalResolver">
        	<bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"/>
        </property>
        <property name="filter" value="(sAMAccountName=%u)"/>
        <property name="principalAttributeName" value="sAMAccountName"/>
        <property name="searchBase" value="cn=Users,dc=example,dc=lan"/>
        <property name="contextSource" ref="EXcontextSource"/>
        <property name="attributeRepository">
        	<ref bean="EXattributeRepository"/>
        </property>
    </bean>
    <!--
      Bind authentication against EXAMPLE.LAN: finds the user's DN under cn=Users via
      the pooled searchContextSource (bound as the service account), then binds as
      that DN with the submitted password on the unpooled contextSource.
      ignorePartialResultException suppresses the PartialResultException JNDI raises
      for the referrals AD returns; Spring accepts "yes" as a boolean, though "true"
      is the conventional value.
      NOTE(review): this filter omits the surrounding parentheses that the matching
      resolver uses; worth aligning the two. Same caveat as the resolver: confirm %u
      is escaped for LDAP filter metacharacters in the CAS release in use.
    -->
    <bean id="EX-LdapAuthHandler" class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
        <property name="filter" value="sAMAccountName=%u" />
        <property name="searchBase" value="cn=Users,dc=example,dc=lan" />
        <property name="contextSource" ref="EXcontextSource" />
        <property name="searchContextSource" ref="EXpooledContextSource" />
        <property name="ignorePartialResultException" value="yes" /> <!-- fix because of how AD returns results -->
    </bean>
	<!--
	  Connection to the EXAMPLE.LAN domain controller; used directly by the bind
	  handler (per-user bind) and the resolver, and wrapped by EXpooledContextSource.
	  NOTE(review): ldap:// with simple authentication sends the service account
	  password, and through the bind handler every user's password, in clear text to
	  the DC. Use ldaps:// (636) or StartTLS with the DC's CA in the JVM trust store
	  before this goes beyond the test environment, VPN or not.
	  NOTE(review): userDn is the built-in domain Administrator, although the search
	  and attribute lookups only need read access; bind with a dedicated read-only
	  service account. The password is a literal in this file (and identical to the
	  TEST.LAN one); externalise it and restrict file permissions.
	  Only one DC is listed. LdapContextSource accepts several urls and the JNDI
	  provider tries them in turn, which is the first step towards the HA goal in
	  the thread. TSTcontextSource sets pooled explicitly while this bean relies on
	  the Spring LDAP default; the CAS LDAP page referenced in the thread calls for
	  pooled=false on the context source that backs a PoolingContextSource and the
	  per-user bind, so verify and make the two consistent.
	  The 3 s connect/read timeouts bound how long a dead VPN link blocks a login.
	-->
	<bean id="EXcontextSource" class="org.springframework.ldap.core.support.LdapContextSource">
        <property name="urls">
            <list>
                <value>ldap://vm1-w2k3.example.lan/</value>

               </list>
        </property>
        <property name="userDn" value="cn=Administrator,cn=Users,dc=example,dc=lan"/>
        <property name="password" value=",th`pf314"/>
        <property name="baseEnvironmentProperties">
            <map>
                <entry key="com.sun.jndi.ldap.connect.timeout" value="3000" />
                <entry key="com.sun.jndi.ldap.read.timeout" value="3000" />
                <entry key="java.naming.security.authentication" value="simple" />
            </map>
        </property>
    </bean>

    <!--
      Commons-pool wrapper around EXcontextSource used as the handler's
      searchContextSource: at most 10 active and 5 idle connections, callers wait up
      to 10 s for one, and the evictor runs every 10 min retiring connections idle
      for 20 min. testOnBorrow=false skips a validation round-trip per request;
      instead testWhileIdle lets the evictor validate idle connections with
      dirContextValidator, so a connection dropped by a VPN flap may be handed out
      once before the pool notices, unless the timeouts on EXcontextSource catch it.
    -->
    <bean id="EXpooledContextSource"
        class="org.springframework.ldap.pool.factory.PoolingContextSource"
        p:maxIdle="5"
        p:maxActive="10"
        p:maxWait="10000"
        p:timeBetweenEvictionRunsMillis="600000"
        p:minEvictableIdleTimeMillis="1200000"
        p:testOnBorrow="false"
        p:testWhileIdle="true"
        p:dirContextValidator-ref="dirContextValidator"
        p:contextSource-ref="EXcontextSource" />
    <!-- END EXAMPLE.LAN ldap -->

    <!-- START TEST.LAN ldap -->
    <!--
      Resolves the CAS principal for users authenticated against TEST.LAN: looks the
      submitted username up under cn=Users,dc=test,dc=lan with (sAMAccountName=%u),
      uses that entry's sAMAccountName as the principal id and attaches attributes
      from TSTattributeRepository. The search runs on TSTcontextSource, i.e. bound as
      that bean's userDn.
      NOTE(review): the id carries no domain qualifier, so it collides with the same
      sAMAccountName in EXAMPLE.LAN (see EXCredentialtoPrincipalResolver); a
      domain-qualified attribute such as userPrincipalName would keep the forests apart.
      NOTE(review): %u is the raw submitted username; confirm that the CAS release in
      use escapes LDAP filter metacharacters before substituting it.
    -->
    <bean id="TSTCredentialtoPrincipalResolver" class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
        <property name="credentialsToPrincipalResolver">
            <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"/>
        </property>
        <property name="filter" value="(sAMAccountName=%u)"/>
        <property name="principalAttributeName" value="sAMAccountName"/>
        <property name="searchBase" value="cn=Users,dc=test,dc=lan"/>
        <property name="contextSource" ref="TSTcontextSource"/>
        <property name="attributeRepository">
            <ref bean="TSTattributeRepository"/>
        </property>
    </bean>
	<!--
	  Bind authentication against TEST.LAN; same shape as EX-LdapAuthHandler written
	  with the p: namespace shorthand: DN lookup under cn=Users via the pooled
	  TSTpooledContextSource, then a per-user bind on TSTcontextSource.
	  ignorePartialResultException="yes" suppresses the PartialResultException JNDI
	  raises for AD referrals ("true" is the conventional boolean value).
	  NOTE(review): as with the EXAMPLE.LAN handler, the filter lacks the parentheses
	  the resolver uses, and %u should be confirmed to be escaped for LDAP filter
	  metacharacters in the CAS release in use.
	-->
	<bean id="TST-LdapAuthHandler" class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
        p:filter="sAMAccountName=%u"
        p:searchBase="cn=Users,dc=test,dc=lan"
        p:contextSource-ref="TSTcontextSource"
        p:searchContextSource-ref="TSTpooledContextSource"
        p:ignorePartialResultException="yes"/>
    <!--
      Connection to the TEST.LAN domain controller; used directly by the bind
      handler (per-user bind), the resolver and TSTattributeRepository, and wrapped
      by TSTpooledContextSource.
      NOTE(review): ldap:// with simple authentication sends the service account
      password, and through the bind handler every user's password, in clear text to
      the DC; use ldaps:// (636) or StartTLS with the DC's CA in the JVM trust store
      before this goes beyond the test environment.
      NOTE(review): userDn is the built-in domain Administrator and the password is a
      literal (the same one as EXAMPLE.LAN); use a dedicated read-only service
      account and externalise the secret.
      NOTE(review): pooled=true turns on the JNDI native pool underneath a
      PoolingContextSource and under the per-user bind; the CAS LDAP page referenced
      in the thread calls for pooled=false in both roles, so verify against the
      Spring LDAP version in use. A single DC is listed; LdapContextSource accepts
      several urls and the JNDI provider tries them in turn.
    -->
    <bean id="TSTcontextSource" class="org.springframework.ldap.core.support.LdapContextSource">
        <property name="urls">
            <list>
                <value>ldap://vm2-w2k3.test.lan/</value>

               </list>
        </property>
        <property name="userDn" value="cn=Administrator,cn=Users,dc=test,dc=lan"/>
        <property name="password" value=",th`pf314"/>
        <property name="pooled" value="true"/>
        <property name="baseEnvironmentProperties">
            <map>
                <entry key="com.sun.jndi.ldap.connect.timeout" value="3000" />
                <entry key="com.sun.jndi.ldap.read.timeout" value="3000" />
                <entry key="java.naming.security.authentication" value="simple" />
            </map>
        </property>
    </bean>

    <!-- END TEST.LAN ldap -->

    <!--
      Commons-pool wrapper around TSTcontextSource used as the TEST.LAN handler's
      searchContextSource, with the same sizing as EXpooledContextSource: 10 active,
      5 idle, 10 s borrow wait, evictor every 10 min retiring connections idle for
      20 min. testOnBorrow=false with testWhileIdle=true means validation happens
      only on the evictor's schedule, so a connection dropped by a VPN flap may be
      handed out once before it is detected. The two pools could share one
      definition if the sizing is meant to stay identical.
    -->
    <bean id="TSTpooledContextSource"
        class="org.springframework.ldap.pool.factory.PoolingContextSource"
        p:maxIdle="5"
        p:maxActive="10"
        p:maxWait="10000"
        p:timeBetweenEvictionRunsMillis="600000"
        p:minEvictableIdleTimeMillis="1200000"
        p:testOnBorrow="false"
        p:testWhileIdle="true"
        p:dirContextValidator-ref="dirContextValidator"
        p:contextSource-ref="TSTcontextSource" />

    <!--
      Liveness check both pools run on idle connections: a base-scope (searchScope=0)
      search of the root DSE (empty base) for objectclass=*, returning at most one
      entry and no attributes, within 1 s. Because the base is empty it works for
      either domain, so one validator is shared by both pools.
    -->
    <bean id="dirContextValidator"
        class="org.springframework.ldap.pool.validation.DefaultDirContextValidator"
        p:base=""
        p:filter="objectclass=*">
        <property name="searchControls">
            <bean class="javax.naming.directory.SearchControls"
                p:timeLimit="1000"
                p:countLimit="1"
                p:searchScope="0"
                p:returningAttributes="" />
        </property>
    </bean>

    <!-- START ATTR REPOS -->

	<!--
	  Merged person-attribute DAO over both directories. It is not referenced by id
	  in this file (the resolvers use EXattributeRepository and TSTattributeRepository
	  directly), so it is presumably consumed by another CAS context file; if nothing
	  references it, it is dead configuration.
	  NoncollidingAttributeAdder keeps the values already collected and only adds
	  attribute names the earlier DAO did not return.
	  NOTE(review): both DAOs are queried by the unqualified username, so an account
	  with the same sAMAccountName in EXAMPLE.LAN and TEST.LAN gets the attributes of
	  both (memberOf, employeeID, ...) merged into one principal; for unrelated forests
	  that is a privilege leak, not a feature.
	  recoverExceptions=false makes any failure of one DAO (e.g. that domain's VPN
	  being down) fail the whole lookup; true would degrade to the reachable domain,
	  which is the behaviour asked for in the thread.
	-->
	<bean id="attributeRepository"
        class="org.jasig.services.persondir.support.MergingPersonAttributeDaoImpl">
        <property name="personAttributeDaos">
            <list>
				<ref bean="EXattributeRepository" /> 
				<ref bean="TSTattributeRepository" />
			</list>
		</property>
        <property name="recoverExceptions">
            <value>false</value>
        </property>
        <property name="merger">
            <bean class="org.jasig.services.persondir.support.merger.NoncollidingAttributeAdder"/>
        </property>
	</bean>
	<!--
	  Attribute lookup in EXAMPLE.LAN. queryAttributeMapping maps the CAS query key
	  "username" to sAMAccountName under cn=Users; resultAttributeMapping is keyed by
	  LDAP attribute name with the name CAS releases as the value (identical apart
	  from the case of Mail/mail). requireAllQueryAttributes=true makes the DAO return
	  nothing unless "username" is present in the query.
	  NOTE(review): the lookup runs as the Administrator bind on EXcontextSource over
	  plain ldap://; see the notes on that bean. memberOf and employeeID are among the
	  attributes released to whatever the service registry allows (see serviceRegistryDao).
	-->
	<bean id="EXattributeRepository"
    	class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
        <property name="contextSource" ref="EXcontextSource" />
        <property name="baseDN" value="cn=Users,dc=example,dc=lan" />
        <property name="requireAllQueryAttributes" value="true" />
        <property name="queryAttributeMapping">
        	<map>
                            <entry key="username" value="sAMAccountName" />
                        </map>
                    </property>
                    <property name="resultAttributeMapping">
                        <map>
                            <entry key="cn" value="cn"/>
                            <entry value="mail" key="Mail" />
                            <entry value="description" key="description" />
                            <entry value="memberOf" key="memberOf" />
                            <entry value="displayName" key="displayName" />
                            <entry value="givenName" key="givenName" />
                            <entry value="employeeID" key="employeeID" />
                            <entry value="sn" key="sn" />
                        </map>
                    </property>
     </bean>
	<!--
	  Attribute lookup in TEST.LAN; same mappings as EXattributeRepository against
	  cn=Users,dc=test,dc=lan: "username" is mapped to sAMAccountName, and the listed
	  AD attributes are released under the names given as values.
	  requireAllQueryAttributes=true makes the DAO return nothing unless "username"
	  is present in the query. Also used by the SPNEGO resolver; see the note there
	  about the domain-qualified id that path presumably produces.
	  NOTE(review): the lookup runs as the Administrator bind on TSTcontextSource over
	  plain ldap://; see the notes on that bean.
	-->
	<bean id="TSTattributeRepository"
        class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
        <property name="contextSource" ref="TSTcontextSource" />
        <property name="baseDN" value="cn=Users,dc=test,dc=lan" />
        <property name="requireAllQueryAttributes" value="true" />
        <property name="queryAttributeMapping">
            <map>
                            <entry key="username" value="sAMAccountName" />
                        </map>
                    </property>
                    <property name="resultAttributeMapping">
                        <map>
                            <entry key="cn" value="cn"/>
                            <entry value="mail" key="Mail" />
                            <entry value="description" key="description" />
                            <entry value="memberOf" key="memberOf" />
                            <entry value="displayName" key="displayName" />
                            <entry value="givenName" key="givenName" />
                            <entry value="employeeID" key="employeeID" />
                            <entry value="sn" key="sn" />
                        </map>
                    </property>
     </bean>

    <!-- END ATTR REPOS -->

	<!-- 
	Sample, in-memory data store for the ServiceRegistry. A real implementation
	would probably want to replace this with the JPA-backed ServiceRegistry DAO
	The name of this bean should remain "serviceRegistryDao".
	 -->
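	<!--
	  In-memory service registry; fine for a test box, production should use the
	  JPA-backed DAO so entries survive restarts and can be managed from the services UI.
	  NOTE(review): the four wildcard patterns admit every http, https, imap and imaps
	  URL as a CAS service. Any site can therefore redirect a user to this CAS with its
	  own service= URL and receive a service ticket for that user, and because the
	  HTTP/HTTPS entries set ignoreAttributes=true they also receive every resolved
	  attribute (memberOf, employeeID, mail, ...). Replace the wildcards with the real
	  application URLs and prefer https-only services, since a ticket appended to an
	  http:// service URL travels in clear text.
	  Fixed here: the stray ";" after the http/https patterns (archive artifact, not
	  well-formed XML) and the copy-pasted IMAPS description.
	-->
	<bean
		id="serviceRegistryDao"
        class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
            <property name="registeredServices">
                <list>
                    <bean class="org.jasig.cas.services.RegisteredServiceImpl">
                        <property name="id" value="0" />
                        <property name="name" value="HTTP" />
                        <property name="description" value="Only Allows HTTP Urls" />
                        <!-- matches every http URL; releases all attributes (ignoreAttributes) -->
                        <property name="serviceId" value="http://**" />
                        <property name="ignoreAttributes" value="true" />
                    </bean>

                    <bean class="org.jasig.cas.services.RegisteredServiceImpl">
                        <property name="id" value="1" />
                        <property name="name" value="HTTPS" />
                        <property name="description" value="Only Allows HTTPS Urls" />
                        <!-- matches every https URL; releases all attributes (ignoreAttributes) -->
                        <property name="serviceId" value="https://**" />
                        <property name="ignoreAttributes" value="true" />
                    </bean>

                    <bean class="org.jasig.cas.services.RegisteredServiceImpl">
                        <property name="id" value="2" />
                        <property name="name" value="IMAPS" />
                        <property name="description" value="Only Allows IMAPS Urls" />
                        <property name="serviceId" value="imaps://**" />
                    </bean>

                    <bean class="org.jasig.cas.services.RegisteredServiceImpl">
                        <property name="id" value="3" />
                        <property name="name" value="IMAP" />
                        <property name="description" value="Only Allows IMAP Urls" />
                        <property name="serviceId" value="imap://**" />
                    </bean>
                </list>
            </property>

        </bean>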
    <!--
      Users admitted to the CAS services-management UI (ROLE_ADMIN). CAS itself
      authenticates them, so the password value is not used.
      NOTE(review): "leonko" is matched against the CAS principal id, which the LDAP
      resolvers above produce as a bare sAMAccountName; a leonko account in any of
      the configured domains would therefore receive this role. The SPNEGO path
      presumably yields leonko@TEST.LAN, which would not match this entry.
    -->
    <sec:user-service id="userDetailsService">
        <sec:user name="leonko" password="notused" authorities="ROLE_ADMIN" />
    </sec:user-service>

    <!-- Writes CAS audit events (authentication, ticket grant/validate) to the SLF4J
         log; keep that logger separate from the Kerberos debug output enabled in
         jcifsConfig so audit lines stay readable and retained. -->
    <bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
</beans>
