References:

CAS LDAP integration: https://wiki.jasig.org/display/CASUM/LDAP

CAS RESTful API integration: https://wiki.jasig.org/display/CASUM/RESTful+API

Downloading the jar files

Both references make clear that integrating LDAP and integrating the RESTful API each require additional jar files to be downloaded separately. With Maven this would be a matter of adding the dependency to the build file, but our deployment is not set up for that, so the jars have to be fetched by hand. Searching Google for cas-server-support-ldap leads to the download page for the jar; our cas.version is 3.5.2, so download the jar that matches that version number. The cas-server-support-ldap page also lists the jars this artifact itself depends on; download those as well.

Before downloading, check whether /usr/local/tomcat7/webapps/cas/WEB-INF/lib already contains the jar, and download it only if it does not. Once downloaded, place the jar in /usr/local/tomcat7/webapps/cas/WEB-INF/lib.

CAS integration with LDAP

CAS offers two handlers for LDAP integration, FastBindLdapAuthenticationHandler and BindLdapAuthenticationHandler. The former fits the case where the login name entered in CAS is directly the uid in LDAP; since that case is rather narrow, I configured BindLdapAuthenticationHandler here.

Configuring deployerConfigContext.xml

All changes for the CAS/LDAP integration go into the configuration file cas-server-webapp/src/main/webapp/WEB-INF/deployerConfigContext.xml.

First, add the following bean to that file:

<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
  <!-- DO NOT enable JNDI pooling for context sources that perform LDAP bind operations. -->
  <property name="pooled" value="false"/>
  <!--
    Although multiple URLs may be defined, it's strongly recommended to avoid this configuration
    since the implementation attempts hosts in sequence and requires a connection timeout
    prior to attempting the next host, which incurs unacceptable latency on node failure.
    A proper HA setup for LDAP directories should use a single virtual host that maps to multiple
    real hosts using a hardware load balancer.
  -->
  <property name="url" value="ldap://localhost" />
  <!--
    Manager credentials are only required if your directory does not support anonymous searches.
    Never provide these credentials for FastBindLdapAuthenticationHandler since the user's
    credentials are used for the bind operation.
  -->
  <property name="userDn" value="cn=admin,dc=envisioncn,dc=com"/>
  <property name="password" value="12345678"/>
  <!-- Place JNDI environment properties here. -->
  <property name="baseEnvironmentProperties">
    <map>
      <!-- Three seconds is an eternity to users. -->
      <entry key="com.sun.jndi.ldap.connect.timeout" value="3000" />
      <entry key="com.sun.jndi.ldap.read.timeout" value="3000" />
      <!-- Explained at http://docs.oracle.com/javase/jndi/tutorial/ldap/security/auth.html -->
      <entry key="java.naming.security.authentication" value="simple" />
    </map>
  </property>
</bean>

The configuration documentation has a section titled “SSL Considerations”. It says that if no SSL has been configured for the LDAP server, we cannot use ldaps and must use the plain ldap protocol, i.e. <property name="url" value="ldap://localhost" /> as above rather than <property name="url" value="ldaps://localhost" />. To check whether SSL is configured, look at whether port 636 is open. netstat shows that LDAP is listening only on port 389, so I configured it as shown above. To enable SSL for LDAP, see the “TLS” section of https://help.ubuntu.com/12.04/serverguide/openldap-server.html.

enadmin@cgnmon:~$ netstat -ln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 127.0.0.1: 0.0.0.0:* LISTEN
tcp 0.0.0.0: 0.0.0.0:* LISTEN
tcp 0.0.0.0: 0.0.0.0:* LISTEN
tcp 0.0.0.0: 0.0.0.0:* LISTEN
tcp 127.0.0.1: 0.0.0.0:* LISTEN
tcp 0.0.0.0: 0.0.0.0:* LISTEN
tcp6 ::: :::* LISTEN
tcp6 ::: :::* LISTEN
tcp6 ::: :::* LISTEN
tcp6 ::: :::* LISTEN
tcp6 ::: :::* LISTEN
udp 0.0.0.0: 0.0.0.0:*
udp 10.0.2.15: 0.0.0.0:*
udp 127.0.0.1: 0.0.0.0:*
udp 0.0.0.0: 0.0.0.0:*
udp6 ::: :::*
udp6 fe80::a00:27ff:fe22: :::*
udp6 ::: :::*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix [ ACC ] STREAM LISTENING @/com/ubuntu/upstart
unix [ ACC ] STREAM LISTENING /var/run/acpid.socket
unix [ ACC ] STREAM LISTENING /var/run/dbus/system_bus_socket
unix [ ACC ] STREAM LISTENING /var/run/slapd/ldapi
unix [ ACC ] STREAM LISTENING /var/run/apache2/cgisock.
unix [ ACC ] STREAM LISTENING /var/run/sendmail/mta/smcontrol
unix [ ACC ] SEQPACKET LISTENING /run/udev/control
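The two things the bean above leaves in place, a plain ldap:// URL and a manager password embedded in deployerConfigContext.xml, are easy to lint for. The following is an added example, not code from the post or from CAS; WEAK_XML is a constructed copy of the bean reduced to the properties the check reads, and the finding texts are my wording, not CAS documentation.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the contextSource bean from the post, reduced to the
# properties the linter inspects (values are the ones the post uses).
WEAK_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="pooled" value="false"/>
    <property name="url" value="ldap://localhost"/>
    <property name="userDn" value="cn=admin,dc=envisioncn,dc=com"/>
    <property name="password" value="12345678"/>
  </bean>
</beans>"""


def local(tag):
    """Strip an XML namespace: '{http://...}bean' -> 'bean'."""
    return tag.rsplit("}", 1)[-1]


def context_source_props(xml_text):
    """Return {property name: value} of the first LdapContextSource bean in the file."""
    for bean in ET.fromstring(xml_text).iter():
        if local(bean.tag) == "bean" and bean.get("class", "").endswith(".LdapContextSource"):
            return {p.get("name"): p.get("value") for p in bean
                    if local(p.tag) == "property" and p.get("value") is not None}
    raise ValueError("no LdapContextSource bean found")


def lint_context_source(props):
    """Return one finding per weakness; an empty list means the bean passed."""
    findings = []
    url = props.get("url", "")
    if url.startswith("ldap://"):
        findings.append("url: plain ldap:// without TLS sends the manager password and every user's "
                        "password in cleartext on each bind; use ldaps:// (636) or enable TLS on slapd")
    elif not url.startswith("ldaps://"):
        findings.append("url: unexpected scheme in %r" % url)
    if props.get("password"):
        findings.append("password: manager credential embedded in the config file; omit it if the "
                        "directory allows anonymous search, otherwise restrict the file's permissions")
    if str(props.get("pooled", "false")).lower() != "false":
        findings.append("pooled: must stay false for a bind handler (see the bean comment)")
    return findings


if __name__ == "__main__":
    for finding in lint_context_source(context_source_props(WEAK_XML)):
        print("WARN", finding)
```

Point context_source_props at the real file (open(path).read()) to lint a deployment; the default namespace of a full Spring beans file is handled.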

After adding the bean above, we also need to modify the authenticationManager bean, replacing the original SimpleTestUsernamePasswordAuthenticationHandler with our BindLdapAuthenticationHandler. The configuration is as follows:

<bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
  <property name="credentialsToPrincipalResolvers">
    <list>
      <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
        <property name="attributeRepository" ref="attributeRepository" />
      </bean>
      <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
    </list>
  </property>
  <property name="authenticationHandlers">
    <list>
      <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
            p:httpClient-ref="httpClient" />
      <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
            p:filter="uid=%u"
            p:searchBase="ou=People,dc=envisioncn,dc=com"
            p:contextSource-ref="contextSource" />
    </list>
  </property>
  <property name="authenticationMetaDataPopulators">
    <list>
      <bean class="org.jasig.cas.authentication.SamlAuthenticationMetaDataPopulator" />
    </list>
  </property>
</bean>

At this point the CAS/LDAP integration is essentially complete. The following aspects could still be improved; I will configure them later when time allows.

  1. Configure a connection pool for LDAP
  2. Configure SSL verification for LDAP

CAS integration with the RESTful API

Downloading the jars

As with LDAP, a jar needs to be downloaded; search Google for cas-server-integration-restlet to find the download location.

Configuration

All RESTful configuration lives in /usr/local/tomcat7/webapps/cas/WEB-INF/web.xml.

Edit web.xml to add the servlet and servlet-mapping entries shown below:

<servlet>
  <servlet-name>cas</servlet-name>
  <servlet-class>
    org.jasig.cas.web.init.SafeDispatcherServlet
  </servlet-class>
  <init-param>
    <param-name>publishContext</param-name>
    <param-value>false</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>
<servlet>
  <servlet-name>restlet</servlet-name>
  <servlet-class>com.noelios.restlet.ext.spring.RestletFrameworkServlet</servlet-class>
  <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
  <servlet-name>restlet</servlet-name>
  <url-pattern>/v1/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/login</url-pattern>
</servlet-mapping>

Testing:

In any directory on Ubuntu, create a file testcas.sh and make it executable, using the following commands:

#sudo touch testcas.sh
#sudo chmod 777 testcas.sh

The file's contents are as follows.

#!/bin/bash
# This file is used to store the Ticket Granting Ticket
rm -f tgt.txt
# This file is used to store the Service Ticket
rm -f serviceTicket.txt
# This file is used to store the service call response
rm -f response.txt

export CAS_LOGIN_URL=https://localhost:8443/cas/v1/tickets
export GET_URL=https://localhost:8443/cas
export USERNAME=username
export PASSWORD=password

# Request a new Ticket Granting Ticket (TGT). This returns HTML which is put into tgt.txt.
wget --no-check-certificate -O tgt.txt --post-data="username=$USERNAME&password=$PASSWORD" $CAS_LOGIN_URL
# Extract the TGT from the HTML and put it back into tgt.txt
echo TGT`grep -oEi 'action=\".*\"' tgt.txt | grep -oEi '\-.*\-cas'` > tgt.txt
# Display the TGT
cat tgt.txt
# Request a new Service Ticket and store it in serviceTicket.txt
wget --no-check-certificate --post-data="service=$GET_URL" -O serviceTicket.txt $CAS_LOGIN_URL/`cat tgt.txt`
# Get the data from the service at GET_URL and store it in response.txt
wget --no-check-certificate -O response.txt $GET_URL?ticket=`cat serviceTicket.txt`
# Display the data from the service call
cat response.txt

Run testcas.sh and check whether a TGT is generated normally.

The result of the run:

enadmin@cgnmon:~/test$ ./testcas.sh
--2013-12-11 22:51:38-- https://localhost:8443/cas/v1/tickets
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8443... connected.
WARNING: cannot verify localhost's certificate, issued by `/C=cn/ST=shanghai/L=shanghai/O=envision/OU=en/CN=test':
Self-signed certificate encountered.
WARNING: certificate common name `test' doesn't match requested host name `localhost'.
HTTP request sent, awaiting response... 201 Created // this means the TGT was generated successfully.
Length: 443 [text/html]
Saving to: `tgt.txt'
100%[=============================================================================================================================>] 443 --.-K/s in 0s
2013-12-11 22:51:38 (218 MB/s) - `tgt.txt' saved [443/443]
TGT-1-4CeCylfHfbis9kttoqPsYIpMA17ajV5TJ4fWifA6pHjncKfR9E-cas //tgt
--2013-12-11 22:51:38-- https://localhost:8443/cas/v1/tickets/TGT-1-4CeCylfHfbis9kttoqPsYIpMA17ajV5TJ4fWifA6pHjncKfR9E-cas
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8443... connected.
WARNING: cannot verify localhost's certificate, issued by `/C=cn/ST=shanghai/L=shanghai/O=envision/OU=en/CN=test':
Self-signed certificate encountered.
WARNING: certificate common name `test' doesn't match requested host name `localhost'.
HTTP request sent, awaiting response... 404 Not Found
2013-12-11 22:51:38 ERROR 404: Not Found.
--2013-12-11 22:51:38-- https://localhost:8443/cas?ticket=
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8443... connected.
WARNING: cannot verify localhost's certificate, issued by `/C=cn/ST=shanghai/L=shanghai/O=envision/OU=en/CN=test':
Self-signed certificate encountered.
WARNING: certificate common name `test' doesn't match requested host name `localhost'.
HTTP request sent, awaiting response... 302 Found
Location: https://localhost:8443/cas/?ticket= [following]
--2013-12-11 22:51:38-- https://localhost:8443/cas/?ticket=
Reusing existing connection to localhost:8443.
HTTP request sent, awaiting response... 302 Found
Location: https://localhost:8443/cas/login?ticket= [following]
--2013-12-11 22:51:39-- https://localhost:8443/cas/login?ticket=
Reusing existing connection to localhost:8443.
HTTP request sent, awaiting response... 200 OK
Length: 6161 (6.0K) [text/html]
Saving to: `response.txt'
100%[=============================================================================================================================>] 6,161 --.-K/s in 0s
2013-12-11 22:51:41 (320 MB/s) - `response.txt' saved [6161/6161]
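The run above shows the failure mode of testcas.sh: the service-ticket request returned 404, serviceTicket.txt stayed empty, and the script went on to call the service with ?ticket= anyway. The following is an added example, not code from the post or from CAS: the same three REST calls in Python, which stops on a missing or malformed ticket and verifies the TLS certificate instead of skipping the check. CAS_BASE and SERVICE_URL repeat the post's localhost URLs, SAMPLE_TGT_HTML is a constructed 201 body containing the TGT from the run above, and the ticket-id layout (TGT-/ST-number-random-cas) is what the run shows.

```python
import re
import sys
import urllib.parse
import urllib.request

CAS_BASE = "https://localhost:8443/cas"      # same base URL as testcas.sh (assumption: local CAS)
TICKETS_URL = CAS_BASE + "/v1/tickets"
SERVICE_URL = CAS_BASE                       # the post uses the CAS root itself as the service
TICKET_RE = r"^%s-\d+-[A-Za-z0-9]+-cas$"     # id layout with the '-cas' suffix seen in the post's run

# Constructed sample of the 201 Created body: the form action ends with the TGT from the run above.
SAMPLE_TGT_HTML = ('<html><body><form action="https://localhost:8443/cas/v1/tickets/'
                   'TGT-1-4CeCylfHfbis9kttoqPsYIpMA17ajV5TJ4fWifA6pHjncKfR9E-cas" method="POST">'
                   '<input type="text" name="service"><input type="submit"></form></body></html>')


def check_ticket(kind, value):
    """Return a well-formed TGT/ST or raise; an empty ST must never reach the ?ticket= call."""
    value = (value or "").strip()
    if not re.match(TICKET_RE % kind, value):
        raise ValueError("%s missing or malformed: %r" % (kind, value))
    return value


def extract_tgt(html):
    """The TGT is the last path segment of the form's action URL (what the grep in testcas.sh does)."""
    m = re.search(r'action="([^"]+)"', html)
    if not m:
        raise ValueError("no form action in TGT response")
    return check_ticket("TGT", m.group(1).rstrip("/").rsplit("/", 1)[-1])


def service_url(service, st):
    """Append ticket=ST to the service URL, preserving any query string it already carries."""
    parts = urllib.parse.urlsplit(service)
    query = urllib.parse.parse_qsl(parts.query, keep_blank_values=True) + [("ticket", st)]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))


def post(url, fields):
    """Form POST. urlopen verifies the certificate and raises HTTPError on 404, so a failed
    ST request aborts the run instead of leaving an empty ticket behind."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return resp.read().decode()


def main(username, password):
    tgt = extract_tgt(post(TICKETS_URL, {"username": username, "password": password}))
    st = check_ticket("ST", post(TICKETS_URL + "/" + tgt, {"service": SERVICE_URL}))
    with urllib.request.urlopen(service_url(SERVICE_URL, st)) as resp:
        print(resp.status, resp.read(200))


if __name__ == "__main__":
    main(*sys.argv[1:3])
```

Run it as `python3 castest.py <username> <password>`; with the self-signed certificate from the run above, the CA has to be in the trust store (or SSL_CERT_FILE) rather than ignored.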
