Hello everybody,

I have set up CAS with SPNEGO, the JBoss TicketCache and SAML attributes from AD.
I also want to query another LDAP source on the mainframe, but I do not get a 
proper answer because I don't know how to customize the query.

The Mainframe is quite picky about the requests.
Using Jython, I only succeed in getting an answer if I first request cn=xxx and then 
feed the complete DN from that answer back in, with the searchBase appended.
Like this:
ize0f58@dmztomint02:~$ jython/jython testldap.py "ou=ap1,o=env11" "cn=y0e7122"
dn:  cn=y0e7122,ou=au1,ou=sot1,ou=ot1
 -  objectclass: top, person, organizationalPerson, inetOrgPerson, dsPerson, 
ibm-nativeAuthentication, dsOperationalInfo, shadowAccount, posixAccount
 -  cn: y0e7122
ize0f58@dmztomint02:~$ jython/jython testldap.py "ou=ap1,o=env11" 
"member=cn=y0e7122,ou=au1,ou=sot1,ou=ot1,ou=ap1,o=env11"
dn:  cn=AG101,ou=au1,ou=sot1,ou=ot2
.
.
 -  cn: AG101
 -  member: cn=not set, cn=y0e7021, ou=au1, ou=sot1, ou=ot1, ou=ap1, o=env11, 
cn=y0e7022, ou=au1, ou=sot1, ou=ot1, ou=ap1, o=env11, cn=y0e7019, ou=au1, 
ou=sot1, ou=ot1, ou=ap1, o=env11, cn=y0e7122, ou=au1, ou=sot1, ou=ot1, ou=ap1, 
o=env11, cn=y0e7188, ou=au1, ou=sot1, ou=ot1, ou=ap1, o=env11, cn=y0e7380, 
ou=au1, ou=sot1, ou=ot1, ou=ap1, o=env11, cn=y0e7706, ou=au1, ou=sot1, ou=ot1, 
ou=ap1, o=env11, cn=y14803, ou=au1, ou=sot1, ou=ot1, ou=ap1, o=env11


Attached is my deployerConfigContext.xml.

Maybe you have a hint.

Best regards
Nicolaie
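<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
           http://www.springframework.org/schema/tx       http://www.springframework.org/schema/tx/spring-tx-2.0.xsd">
<!-- deployerConfigContext.xml: CAS server wiring - authentication manager, SPNEGO/JCIFS
     settings, LDAP context sources, attribute repositories, services-management admins,
     service registry and audit trail. The stray ';' that the mail archive appended after
     each namespace URL is removed here; with it the document is not well-formed XML. -->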

<!-- ############################## AUTHENTICATION ############################## -->
  <!-- Authentication pipeline: resolvers turn credentials into a principal, handlers verify
       the credentials, populators add metadata to the resulting authentication. -->
  <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
    <property name="credentialsToPrincipalResolvers">
      <list>
        <!-- SPNEGO: the principal from the negotiated Kerberos ticket is looked up in AD with
             the filter below (%u presumably stands for the resolved principal id) and replaced
             by its sAMAccountName; attributes come from attributeRepository. searchBase is
             empty, so the search is expected to start at csAD's base - verify. -->
        <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver"
              p:filter="(sAMAccountName=%u)"
              p:principalAttributeName="sAMAccountName"
              p:searchBase=""
              p:contextSource-ref="csAD"
              p:attributeRepository-ref="attributeRepository">
          <property name="credentialsToPrincipalResolver">
            <bean class="org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver"/>
          </property>
        </bean>
        <!-- HTTP-based (proxy callback) credentials resolve to a principal on their own. -->
        <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver"/>
      </list>
    </property>
    <property name="authenticationHandlers">
      <list>
        <!-- SPNEGO/Kerberos via JCIFS. NTLM fallback is disabled (NTLMallowed=false) and the
             principal is returned without the domain part (principalWithDomainName=false),
             presumably so that it matches the sAMAccountName filter above. -->
        <bean class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler"
              p:principalWithDomainName="false"
              p:NTLMallowed="false">
          <property name="authentication">
            <bean class="jcifs.spnego.Authentication"/>
          </property>
        </bean>
        <!-- Handler for HTTP-based service credentials; the httpClient bean it references is
             not defined in this file. -->
        <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
              p:httpClient-ref="httpClient"/>
      </list>
    </property>
    <property name="authenticationMetaDataPopulators">
      <list>
        <!-- Adds SAML-related metadata to each authentication (by class name). -->
        <bean class="org.jasig.cas.authentication.SamlAuthenticationMetaDataPopulator"/>
      </list>
    </property>
  </bean>

<!-- ############################## SPNEGO ####################################### -->
  <!-- JCIFS/Kerberos settings for the SPNEGO handler, all externalised to properties. The
       service principal's password is read from ${kerberos.password}, so the properties file
       should be readable only by the account running the container. ${catalina.base} is a
       Tomcat property - confirm it is defined when running under JBoss. -->
  <bean name="jcifsConfig"
        class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig"
        p:jcifsServicePrincipal="${kerberos.principal}"
        p:jcifsServicePassword="${kerberos.password}"
        p:kerberosDebug="${kerberos.debug}"
        p:kerberosRealm="${kerberos.realm}"
        p:kerberosKdc="${kerberos.kdc}"
        p:kerberosConf="${kerberos.conf}"
        p:loginConf="${catalina.base}/webapps/cas/WEB-INF/login.conf"/>

<!-- ############################# CONTEXTSOURCES ########################## -->
  <!-- Active Directory context source. Binds with a fixed service account using a simple
       bind, so the ${cas.AD.server*.users} URLs should be ldaps:// (or use StartTLS) or the
       password travels in clear - their scheme is not visible in this file. The URL list is
       presumably tried in order as alternatives. No connection pooling. -->
  <bean id="csAD"
        class="org.springframework.ldap.core.support.LdapContextSource"
        p:userDn="${cas.AD.DN}"
        p:password="${cas.AD.pwd}"
        p:pooled="false"
        p:base="${cas.AD.searchBase}">
    <property name="urls">
      <list>
        <value>${cas.AD.server1.users}</value>
        <value>${cas.AD.server2.users}</value>
        <value>${cas.AD.server3.users}</value>
        <value>${cas.AD.server4.users}</value>
      </list>
    </property>
    <!-- JNDI environment: 3 s connect/read timeouts bound a hung server; referral=follow
         makes the provider chase AD referrals, reusing the same bind credentials for the
         referred connection, so only trusted referral targets should be reachable. -->
    <property name="baseEnvironmentProperties">
      <map>
        <entry key="com.sun.jndi.ldap.connect.timeout"   value="3000"/>
        <entry key="com.sun.jndi.ldap.read.timeout"      value="3000"/>
        <entry key="java.naming.security.authentication" value="simple"/>
        <entry key="java.naming.referral"                value="follow"/>
      </map>
    </property>
  </bean>

  <!-- Mainframe LDAP context source. Simple bind over ldaps://, so the bind password is
       protected by TLS; server certificate validation presumably relies on the JVM's default
       trust store - confirm the mainframe certificate chain is trusted there. -->
  <bean id="csLDAP"
        class="org.springframework.ldap.core.support.LdapContextSource"
        p:userDn="${cas.LDAP.DN}"
        p:password="${cas.LDAP.pwd}"
        p:pooled="false"
        p:base="${cas.LDAP.searchBase}">
    <property name="urls">
      <list>
        <value>ldaps://${cas.LDAP.server}/</value>
      </list>
    </property>
    <!-- Same JNDI environment as csAD: 3 s timeouts and referral chasing with the same
         credentials. If the mainframe never returns referrals, "ignore" would be the safer
         default here. -->
    <property name="baseEnvironmentProperties">
      <map>
        <entry key="com.sun.jndi.ldap.connect.timeout"   value="3000"/>
        <entry key="com.sun.jndi.ldap.read.timeout"      value="3000"/>
        <entry key="java.naming.security.authentication" value="simple"/>
        <entry key="java.naming.referral"                value="follow"/>
      </map>
    </property>
  </bean>

<!-- ############################# ATTRIBUTES ################################### -->
  <!-- LdapTemplate over csAD, used by arAD. ignorePartialResultException=true presumably
       tolerates the PartialResultException AD raises for referral entries when searching
       from the domain root - confirm it is still needed with referral=follow. -->
  <bean id="ldapTemplateAD"
        class="org.springframework.ldap.core.LdapTemplate"
        p:ignorePartialResultException="true">
    <constructor-arg ref="csAD"/>
  </bean>

  <!-- AD attribute DAO: looks the user up by sAMAccountName and renames the returned
       attributes to the names released to services. NOTE(review): keep ldapTemplate after
       contextSource - if setContextSource builds its own template, the explicit
       ldapTemplateAD (with ignorePartialResultException) must be the one set last; verify
       against LdapPersonAttributeDao. -->
  <bean id="arAD" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="contextSource"             ref="csAD" />
    <property name="requireAllQueryAttributes" value="true" />
    <property name="ldapTemplate"              ref="ldapTemplateAD" />
    <!-- query key "username" -> LDAP attribute sAMAccountName -->
    <property name="queryAttributeMapping">
      <map>
        <entry key="username"    value="sAMAccountName" />
      </map>
    </property>
    <!-- LDAP attribute (key) -> released attribute name (value). memberOf -> Gruppen exposes
         the user's AD group membership (presumably group DNs) to services allowed "Gruppen". -->
    <property name="resultAttributeMapping">
      <map>
        <entry value="Nachname" key="sn" />
        <entry value="Vorname"  key="givenName" />
        <entry value="Mail"     key="userPrincipalName" />
        <entry value="Gruppen"  key="memberOf" />
      </map>
    </property>
  </bean>

  <!-- Mainframe LDAP attribute DAO. NOTE(review): this is the lookup that returns nothing.
       With queryTemplate set, {0} is filled from the "username" query attribute - the
       sAMAccountName string (or a sub-filter built from it; check LdapPersonAttributeDao),
       never a DN - so the server is asked for "member=y0e7122", whereas the Jython test that
       worked sent the full DN "member=cn=...,ou=ap1,o=env11". The mapping value "dn" only
       names the attribute used when no queryTemplate is given (assumed); it does not turn
       the value into a DN. Resolve the user's DN first (e.g. a preceding cn=... lookup) or
       query a user attribute the mainframe accepts. Also note that both this DAO and arAD
       emit "Gruppen"; see attributeRepository for how the two are merged. -->
  <bean id="arLDAP"
        class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao"
        p:contextSource-ref="csLDAP"
        p:requireAllQueryAttributes="true"
        p:queryTemplate="member={0}">
    <property name="queryAttributeMapping">
      <map>
        <entry key="username" value="dn"/>
      </map>
    </property>
    <property name="resultAttributeMapping">
      <map>
        <entry key="cn" value="Gruppen"/>
      </map>
    </property>
  </bean>

  <!-- Merges the AD and mainframe lookups into one attribute set. Both DAOs produce
       "Gruppen"; with ReplacingAttributeAdder the value from the later DAO in the list
       (arLDAP) presumably replaces the earlier one instead of being appended - verify that
       this is intended, and what happens to the AD groups when the mainframe query returns
       no entry. -->
  <bean id="attributeRepository" class="org.jasig.services.persondir.support.MergingPersonAttributeDaoImpl">
    <property name="merger">
      <bean class="org.jasig.services.persondir.support.merger.ReplacingAttributeAdder"/>
    </property>
    <property name="personAttributeDaos">
      <list>
        <ref bean="arAD"/>
        <ref bean="arLDAP"/>
      </list>
    </property>
  </bean>

<!-- ############################## ADMINUSERS ############################## -->
  <!-- Accounts granted ROLE_ADMIN in the services-management UI. The password is a fixed
       placeholder ("notused"), presumably because login goes through CAS itself rather than
       this list - confirm that no other login path accepts it. Review the list when people
       change roles; it is the only authorisation check for the management UI visible here. -->
  <sec:user-service id="userDetailsService">
    <sec:user name="y0e7122" authorities="ROLE_ADMIN" password="notused"/>
    <sec:user name="y0e7021" authorities="ROLE_ADMIN" password="notused"/>
    <sec:user name="y0e7011" authorities="ROLE_ADMIN" password="notused"/>
    <sec:user name="y0e7019" authorities="ROLE_ADMIN" password="notused"/>
    <sec:user name="y0e7022" authorities="ROLE_ADMIN" password="notused"/>
    <sec:user name="y0e7188" authorities="ROLE_ADMIN" password="notused"/>
    <sec:user name="y0e7380" authorities="ROLE_ADMIN" password="notused"/>
    <sec:user name="y0e7706" authorities="ROLE_ADMIN" password="notused"/>
  </sec:user-service>

<!-- ############################## SERVICES ############################## -->
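  <!-- In-memory service registry with a single entry. The serviceId is an Ant-style
       pattern (assumed): the "**" in the host part matches any host under prod.blb.de on
       port 64443, so every such host, including ones not yet deployed, is accepted as a CAS
       client and receives the four attributes below. Narrow it to the real hostnames where
       possible. The stray ';' the mail archive appended after the pattern is removed. -->
  <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
    <property name="registeredServices">
      <list>
        <bean class="org.jasig.cas.services.RegisteredServiceImpl"
              p:id="0"
              p:name="CAS"
              p:description="Hier sind nur SSL gesicherte Urls erlaubt"
              p:serviceId="https://**.prod.blb.de:64443/cas/**">
          <!-- Attributes released to matching services; names come from the
               resultAttributeMappings of arAD and arLDAP. -->
          <property name="allowedAttributes">
            <list>
              <value>Nachname</value>
              <value>Vorname</value>
              <value>Mail</value>
              <value>Gruppen</value>
            </list>
          </property>
        </bean>
      </list>
    </property>
  </bean>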

<!-- ############################## AUDITTRAIL ############################## -->
  <!-- Audit records (logins, ticket operations) go to the SLF4J log; retain and protect that
       log like any other authentication log. -->
  <bean class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" id="auditTrailManager"/>

</beans>
