[cas-user] FW: [uportal-user] LDAP - AD Authentication
Dear all, actually forwarding a question I asked at the uPortal user list; someone here might be able to guide me with this. I want to know if it is possible to construct a complex LDAP query to filter users based on anything other than something of the type CN=u%,OU=testou,DC=somedomain,DC=com when using FastBindLdapAuthenticationHandler. Or if I should be using the BindLdapAuthenticationHandler and if it would be possible to use proper LDAP filters with it.

Thank you

From: James Wennmacher [mailto:jwennmac...@unicon.net]
Sent: 19 September 2013 01:29
To: George Beitis
Cc: uportal-u...@lists.jasig.org
Subject: Re: [uportal-user] LDAP - AD Authentication

I assume you mean the configuration of filter on org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler mentioned on https://wiki.jasig.org/display/UPM40/Configuring+the+Bundled+CAS+Server+to+Authenticate+Against+LDAP. Per https://wiki.jasig.org/display/CASUM/LDAP that is a string used to construct the DN that is used to bind to the LDAP server. The page also references another handler, BindLdapAuthenticationHandler, that looks like it might use an LDAP filter to search first, then bind afterward. If you have other questions the CAS user group would probably be better at answering them, as they maintain that code.

I hope that helps.

James Wennmacher - Unicon 480.558.2420

On 09/16/2013 10:23 PM, George Beitis wrote:
Hi James, that makes things clearer, thank you! I have another question regarding filters used for LDAP authentication: are these filters proper LDAP queries? The only thing I can get working as a filter is in the lines of CN=u%,OU=testou,DC=somedomain,DC=com, but I can't use the sAMAccountName for example, or even a joint query of any sort. Any help on this?

George

From: James Wennmacher [mailto:jwennmac...@unicon.net]
Sent: 13 September 2013 22:11
To: uportal-u...@lists.jasig.org
Cc: George Beitis
Subject: Re: [uportal-user] LDAP - AD Authentication

Do you have an external CAS server to authenticate against? If you have an external CAS server, modify the filters/environment.properties to have the URL of the external CAS server. That CAS server would need to be configured to authenticate against LDAP.

It sounds though that you don't have an external CAS server and you are using uPortal to present a login form that you want authenticated against AD. deployerConfigContext.xml is to configure the internal CAS server to authenticate against a source (internal database, or in your case an external LDAP). ldapContext.xml sets up an LDAP context that can be used by the internal login page to authenticate against. It also sets up an ldapContext that the PersonDirectory uses to obtain person attributes for the logged-in person. If I'm understanding you, you would want both of these to refer to LDAP, as these are separate processes.

You've probably already referred to these, but for more information, see
https://wiki.jasig.org/display/UPM40/CAS
https://wiki.jasig.org/display/UPM40/Active+Directory
https://wiki.jasig.org/display/UPM40/Default+Person+Directory+configuration
https://wiki.jasig.org/display/UPM40/LDAP+User+Attribute+Sources

Note that the internal CAS server isn't really providing CAS SSO capability for you (you'd use an external CAS server for that) but simply a login page, so you could just display the internal login portlet on your guest/unauthenticated page to request username/password and have the login portlet authenticate against AD. See Step 6 at https://wiki.jasig.org/display/UPM40/Active+Directory.

I hope this clarifies things.

James Wennmacher Unicon 480.558.2420

On 09/13/2013 12:38 AM, George Beitis wrote:
Dear all, I need something clarified.

When authenticating against an Active Directory server, we are given 2 options, either CAS or what appears to be the inbuilt method. I somehow configured both, so I'm not sure which one is doing what. I am directed to the /cas/login page, which I assume takes precedence. Is my assumption correct? Should I remove all configuration from the ldapContext.xml file? Or stick to the configuration there and remove all configuration from the deployerConfigContext.xml overlay file? And if so, where will the user be logging in from? The same CAS page?

Regards
George

-- You are currently subscribed to uportal-u...@lists.ja-sig.org as: jwennmac...@unicon.net To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/uportal-user
-- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] service validation content type
Hi,

You raise a good question. The real content is XML. We can also wonder why there isn't any encoding defined (should be UTF-8). So I guess it could be: contentType="text/xml; charset=UTF-8" for both JSPs. I don't know if there is some legacy reason here.

Best regards,
Jérôme

2013/9/19 Tom Poage <tfpo...@ucdavis.edu>
One of our users noticed that Content-type in the HTTP header for a serviceValidate error is text/plain, while that for a serviceValidate success is text/html. The former will display the 'raw' XML in a browser, the latter will not. They found it confusing.

casServiceValidationFailure.jsp contains:
<%@ page session="false" contentType="text/plain" %>

casServiceValidationSuccess.jsp contains:
<%@ page session="false" %>

I don't see a reference to content type in http://www.jasig.org/cas/protocol, and don't see anything I can use for guidance in the 4.0 snapshot I have. It doesn't look intentional that I can see. What should it be? text/xml, application/xml, text/plain, ...?

Thanks.
Tom.
RE: [cas-user] Service requires basic authentication by single sign out
The CAS server issues single sign out callback requests to a CAS client via POST. But the client demands this callback should be sent with basic authentication, namely an additional header in this callback request:

Authorization: Basic <base64-encoded credential>

Best regards,
Xie
Re: [cas-user] Service requires basic authentication by single sign out
Hi,

It means that your application is protected by basic auth, isn't it? Thus protected by CAS and a basic auth at the same time...

In any case, the component responsible for calling applications for logout is the HttpClient class [1]. In CAS 4.0, HttpClient is no more a class, but an interface implemented by default with SimpleHttpClient [2]. The method called for logout is: sendMessageToEndPoint [3].

Best regards,
Jérôme

[1] : https://github.com/Jasig/cas/blob/3.5.x/cas-server-core/src/main/java/org/jasig/cas/util/HttpClient.java
[2] : https://github.com/Jasig/cas/blob/master/cas-server-core/src/main/java/org/jasig/cas/util/SimpleHttpClient.java
[3] : https://github.com/Jasig/cas/blob/3.5.x/cas-server-core/src/main/java/org/jasig/cas/authentication/principal/AbstractWebApplicationService.java#L164 https://github.com/Jasig/cas/blob/3.5.x/cas-server-core/src/main/java/org/jasig/cas/authentication/principal/AbstractWebApplicationService.java#L148

2013/9/19 xie <xiefei...@hotmail.com>
The CAS server issues single sign out callback requests to a CAS client via POST. But the client demands this callback should be sent with basic authentication, namely an additional header in this callback request:

Authorization: Basic <base64-encoded credential>

Best regards,
Xie
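Worked example added to this thread (not CAS project code and not the HttpClient/SimpleHttpClient classes linked above): a model of the single sign-out exchange in which the application demands HTTP Basic authentication on the logout callback. The sender side builds the POST that CAS makes (a logoutRequest form parameter carrying a SAML LogoutRequest whose SessionIndex is the service ticket); the receiver side checks the Basic credential with a constant-time comparison before it parses anything, then invalidates the matching local session. Credentials, ticket ids, the session store and the ID attribute are constructed values, and the header/body tuples stand in for a real HTTP layer.

```python
"""Single sign-out callback with HTTP Basic authentication (added example,
not CAS project code).  All credentials, ticket ids and sessions below are
constructed test values."""
import base64
import hmac
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TICKET_RE = re.compile(r"ST-[\w.-]+")   # loose sanity check on a service ticket id


def build_logout_callback(ticket_id, user, basic_user, basic_password):
    """Sender side: the headers and form body CAS would POST to the application."""
    logout_request = (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="[CONSTRUCTED-ID]" Version="2.0" IssueInstant="2013-09-19T00:00:00Z">'
        f"<saml:NameID>{escape(user)}</saml:NameID>"
        f"<samlp:SessionIndex>{escape(ticket_id)}</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    )
    token = base64.b64encode(f"{basic_user}:{basic_password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode({"logoutRequest": logout_request})


def _basic_auth_ok(headers, basic_user, basic_password):
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return False
    try:
        user, _, pwd = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    # Evaluate both comparisons so timing does not reveal which part failed.
    user_ok = hmac.compare_digest(user.encode(), basic_user.encode())
    pwd_ok = hmac.compare_digest(pwd.encode(), basic_password.encode())
    return user_ok and pwd_ok


def handle_logout_callback(headers, body, sessions, basic_user, basic_password):
    """Receiver side.  Returns (http_status, invalidated_ticket_or_None) and
    removes the matching entry from `sessions` (a dict keyed by ticket id)."""
    if not _basic_auth_ok(headers, basic_user, basic_password):
        return 401, None
    logout_request = parse_qs(body).get("logoutRequest", [""])[0]
    try:
        # stdlib ElementTree does not fetch external entities; for production
        # parsing of untrusted XML, defusedxml is the safer drop-in.
        root = ET.fromstring(logout_request)
    except ET.ParseError:
        return 400, None
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        return 400, None
    index = root.findtext(f"{{{SAMLP}}}SessionIndex", default="").strip()
    if not TICKET_RE.fullmatch(index):
        return 400, None
    # An unknown ticket is still answered 200: the session may already be gone.
    return 200, (index if sessions.pop(index, None) is not None else None)


if __name__ == "__main__":
    hdrs, form = build_logout_callback("ST-42-abc", "jdoe", "cas", "s3cret")
    store = {"ST-42-abc": "jdoe"}
    print(handle_logout_callback(hdrs, form, store, "cas", "s3cret"), store)
```

The credential check runs before the XML is touched so that an unauthenticated caller cannot make the application parse attacker-controlled XML or log anyone out; the 200 on an unknown ticket mirrors the usual single sign-out behaviour of not failing the server's logout loop.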
Re: [cas-user] FW: [uportal-user] LDAP - AD Authentication
> possible to construct a complex ldap query to filter users based on anything other than something of the type "CN=u%,OU=testou,DC=somedomain,DC=com" when using fastbindldapauthenticationhandler.

No, not possible. You're actually constructing the bind DN via string replacement, so in strict terms it's not an LDAP query filter. You have to use BindLdapAuthenticationHandler to do complex filtering. I've seen a number of interesting queries over the years; you should be able to do what you want. Let us know if you need help formulating a query.

M
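Worked example added after this reply (not CAS project code, and not how FastBindLdapAuthenticationHandler or BindLdapAuthenticationHandler are implemented): a model of the two styles the reply contrasts. "Fast bind" substitutes the username into a DN template such as CN=%u,OU=testou,DC=somedomain,DC=com and binds with the result, so it can only express a fixed subtree. "Search then bind" substitutes the username into an RFC 4515 filter, searches for the single matching entry, and binds with the DN it finds, which is where sAMAccountName or group-membership conditions belong. Both paths escape the user-supplied value (RFC 4514 for DNs, RFC 4515 for filters) so it cannot alter the DN or filter. The in-memory directory, the filter evaluator (a small subset of RFC 4515: equality, &, |, !) and the passwords are constructed stand-ins for a real LDAP server.

```python
"""Fast bind (DN templating) versus search-then-bind (LDAP filter), with the
escaping each one needs.  Added example, not CAS project code; the directory
and credentials are constructed test data."""
import hmac
import re

# RFC 4514: characters that must be escaped inside a DN attribute value.
_DN_SPECIAL = set('\\,+"<>;=')
# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_dn_value(value):
    out = []
    for i, ch in enumerate(value):
        edge_space = ch == " " and i in (0, len(value) - 1)
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or edge_space:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def fast_bind_dn(dn_template, username):
    """Fast bind: the 'filter' is only a DN template; it selects a subtree, nothing more."""
    return dn_template.replace("%u", escape_dn_value(username))


def search_filter(filter_template, username):
    """Search-then-bind: any RFC 4515 filter with %u replaced by the escaped username."""
    return filter_template.replace("%u", escape_filter_value(username))


def _parse(f, pos=0):
    """Tiny RFC 4515 subset: (attr=value), (&...), (|...), (!...).  Returns (node, next_pos)."""
    pos += 1                                   # skip '('
    op = f[pos]
    if op in "&|!":
        pos += 1
        children = []
        while f[pos] == "(":
            child, pos = _parse(f, pos)
            children.append(child)
        return (op, children), pos + 1         # skip ')'
    end = f.index(")", pos)                    # an escaped ')' is \29, so this is the real close
    attr, _, raw = f[pos:end].partition("=")
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return ("=", attr.lower(), value), end + 1


def _matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(_matches(c, entry) for c in node[1])
    if kind == "|":
        return any(_matches(c, entry) for c in node[1])
    if kind == "!":
        return not _matches(node[1][0], entry)
    _, attr, value = node
    return value.lower() in [v.lower() for v in entry.get(attr, [])]


# Constructed sample directory; attribute names are lower-cased for matching.
DIRECTORY = [
    {"dn": "CN=jdoe,OU=testou,DC=somedomain,DC=com", "samaccountname": ["jdoe"],
     "memberof": ["CN=cas-users,OU=groups,DC=somedomain,DC=com"], "password": "correct horse"},
    {"dn": "CN=svc-backup,OU=service,DC=somedomain,DC=com", "samaccountname": ["svc-backup"],
     "memberof": [], "password": "battery staple"},
]
GROUP_FILTER = "(&(sAMAccountName=%u)(memberOf=CN=cas-users,OU=groups,DC=somedomain,DC=com))"


def search_then_bind(directory, filter_template, username, password):
    """Return the bound DN when exactly one entry matches and the password is right, else None."""
    node, _ = _parse(search_filter(filter_template, username))
    hits = [e for e in directory if _matches(node, e)]
    if len(hits) != 1:                          # zero or ambiguous matches: refuse
        return None
    # Stand-in for the real LDAP bind: constant-time compare of the stored secret.
    ok = hmac.compare_digest(hits[0]["password"].encode(), password.encode())
    return hits[0]["dn"] if ok else None
```

The ambiguity check matters: a filter that matches two entries must not silently bind the first one, and a username containing filter metacharacters is neutralised by the escaping rather than by hoping the directory rejects it.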
[cas-user] java docs
Does anyone have a good public link for CAS Java docs? Can't find one in the wiki ..

-- thanks
kevin.foote
Re: [cas-user] java docs
On Thu, 19 Sep 2013, Kevin P. Foote wrote:
> Does anyone have a good public link for cas java docs?

never mind .. got it

-- thanks
kevin.foote
[cas-user] ticket= param
I am attempting to integrate CAS into Spring, and I notice that upon successful login the ticket=ST-someid is still left as a parameter in the URL. This is causing some issues with users that end up bookmarking the URL with the ticket still in it. I would have imagined that the CasAuthenticationFilter would have stripped this ticket param out of the href once it was done consuming it? If not, how does one deal with bookmarks with tickets in them, and not getting a SAM11 exception of "ticket does not exist"?

-- Chris Marsh

Disclaimer: This e-mail is intended only for the person addressed. It may contain confidential information and/or privileged material. If you receive this in error, please notify the sender immediately and delete the information from your computer. Please do not copy or use it for any purpose nor disclose its contents to any other person.
Re: [cas-user] service validation content type
> I can file an enhancement request, but it'd be good to know if any (common) clients explicitly look for specific MIME types, such as text/plain.

I'm not aware of any clients that expect a particular mime type in the response payload.

M
Re: [cas-user] service validation content type
I can file an enhancement request, but it'd be good to know if any (common) clients explicitly look for specific MIME types, such as text/plain.

I'd expect/hope most (modern) application servers to serve UTF-8 by default. Explicitly specifying charset in the JSPs might then be considered deprecated. On the other hand, explicitly stating charset could be considered good 'defensive' programming. :-)

Thanks.
Tom.

On Sep 19, 2013, at 1:22 AM, Jérôme LELEU <lel...@gmail.com> wrote:
> Hi,
>
> You raise a good question. The real content is XML. We can also wonder why there isn't any encoding defined (should be UTF-8). So I guess it could be: contentType="text/xml; charset=UTF-8" for both JSPs. I don't know if there is some legacy reason here.
>
> Best regards,
> Jérôme
>
> 2013/9/19 Tom Poage <tfpo...@ucdavis.edu>
> One of our users noticed that Content-type in the HTTP header for a serviceValidate error is text/plain, while that for a serviceValidate success is text/html. The former will display the 'raw' XML in a browser, the latter will not. They found it confusing.
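Worked example added after this thread (not CAS project code and not the Jasig Java client): a client-side parser for the CAS 2.0 /serviceValidate response that decides success or failure from the XML body rather than from the Content-Type header, since, as the thread notes, the header is text/plain on failure and text/html on success and no client is known to depend on it. The charset parameter is honoured when the server sends one and defaults to UTF-8 otherwise, which is the behaviour Tom's reply hopes for. The two sample responses are constructed, not captured from a server; the cas: namespace URI is the one the CAS protocol uses.

```python
"""Parse a CAS 2.0 serviceValidate response by its body, not its Content-Type.
Added example, not CAS project code; the sample responses are constructed."""
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"   # namespace of cas:serviceResponse
ACCEPTED_MEDIA_TYPES = {"text/xml", "application/xml", "text/plain", "text/html"}


def decode_body(content_type, raw):
    """Split 'text/xml; charset=UTF-8' into (media_type, decoded_body); charset defaults to UTF-8."""
    media_type, _, params = content_type.partition(";")
    charset = "utf-8"
    for param in params.split(";"):
        name, _, value = param.strip().partition("=")
        if name.lower() == "charset" and value:
            charset = value.strip('"')
    return media_type.strip().lower(), raw.decode(charset)


def parse_service_response(content_type, raw):
    """Return ("success", username) or ("failure", code, message).
    Raises ValueError for anything that is not a well-formed cas:serviceResponse."""
    media_type, body = decode_body(content_type, raw)
    if media_type not in ACCEPTED_MEDIA_TYPES:
        raise ValueError(f"unexpected media type {media_type!r}")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValueError(f"response is not XML: {exc}") from exc
    if root.tag != f"{{{CAS_NS}}}serviceResponse":
        raise ValueError("root element is not cas:serviceResponse")
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is not None:
        user = (success.findtext(f"{{{CAS_NS}}}user") or "").strip()
        if not user:
            raise ValueError("authenticationSuccess without cas:user")
        return ("success", user)
    failure = root.find(f"{{{CAS_NS}}}authenticationFailure")
    if failure is not None:
        return ("failure", failure.get("code", ""), (failure.text or "").strip())
    raise ValueError("neither authenticationSuccess nor authenticationFailure present")


def classify_response(content_type, raw):
    """Non-raising wrapper: ("success", user) / ("failure", code, msg) / ("invalid", reason)."""
    try:
        return parse_service_response(content_type, raw)
    except (ValueError, LookupError) as exc:   # LookupError covers an unknown charset
        return ("invalid", str(exc))


# Constructed sample responses in the shape CAS returns (not real captures).
SAMPLE_SUCCESS = (
    b'<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
    b"<cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>"
    b"</cas:serviceResponse>"
)
SAMPLE_FAILURE = (
    b'<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
    b'<cas:authenticationFailure code="INVALID_TICKET">\n'
    b"    Ticket ST-1-example not recognized\n"
    b"</cas:authenticationFailure></cas:serviceResponse>"
)

if __name__ == "__main__":
    print(classify_response("text/html", SAMPLE_SUCCESS))
    print(classify_response("text/plain", SAMPLE_FAILURE))
```

Treating a response as a success only when a cas:authenticationSuccess element with a non-empty cas:user is present is the important check; a client that keyed on the media type would accept or reject tickets based on a header the protocol never specified.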
Re: [cas-user] ticket= param
> I would have imagined that the CasAuthenticationFilter would have stripped this ticket param out of the href once it was done consuming it?

There's a configuration parameter that controls the behavior. You want redirectAfterValidation=true. See [1] for more information.

M

[1] https://wiki.jasig.org/display/CASC/Configuring+the+Jasig+CAS+Client+for+Java+in+the+web.xml
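Worked example added after this reply (not the Jasig CAS client's code): what the post-validation redirect that redirectAfterValidation enables amounts to. Once the service ticket has been consumed, the filter answers the original request with a 302 to the same URL minus the ticket parameter, so the address the browser shows, and the one a user bookmarks, never carries a one-time ticket. The URLs are constructed, and the (status, headers) tuple is a hypothetical stand-in for a real servlet response.

```python
"""Strip the consumed service ticket from the request URL and redirect to the
clean URL.  Added example, not CAS client code; URLs are constructed."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def strip_ticket_param(url):
    """Remove every `ticket` query parameter, keeping the other parameters,
    their order, and any fragment intact."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != "ticket"]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def post_validation_response(request_url):
    """What the filter sends once validation succeeded: a 302 to the clean URL
    when a ticket is still in the query string, else None (serve the page)."""
    clean = strip_ticket_param(request_url)
    if clean == request_url:
        return None
    return (302, {"Location": clean})


if __name__ == "__main__":
    print(post_validation_response("https://app.example.edu/portal/home?tab=1&ticket=ST-1-abc"))
```

Because the redirect happens after the ticket has been validated and the session established, the second request arrives without a ticket and is served from the session; a bookmark of that URL therefore never triggers a "ticket does not exist" validation failure.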
RE: [cas-user] caching attributes?
From: Scott Battaglia [mailto:scott.battag...@gmail.com]
> I can't promise anything but I'll see if we can easily convert persondirectory to use Spring 3's cache apis.

If that will make it any easier to actually use, that would be much appreciated :). It would be nice if the documentation could also include a couple of examples of working configurations; perhaps it's just my lack of Java background, but it's a bit mystifying how to get all the pieces to work together.

Thanks much...

-- Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | hen...@csupomona.edu
California State Polytechnic University | Pomona CA 91768