Assistance with x509 + LDAP


Nick Couchman

Jun 8, 2016, 2:53:50 PM
to CAS Community
First, I'm new to CAS and am still working my way around it, Spring, and Maven.  Have mercy on the newbie.  My environment is a Linux server running Apache Tomcat 8 with JDK 1.8.  I've successfully configured LDAP authentication based on the cas/login page - I can enter an e-mail address and password for an LDAP user and get a successful login.

I'm still working on "CASifying" my apps, or at least finding the ones that support SAML, OAUTH, and OpenID and beginning to integrate those into CAS.  Very early on in those stages.

However, one thing I'd like to do is configure x509 client certificate ("PKI") authentication to CAS along with LDAP.  We issue certificates with a local CA, and the certificate subject name matches the user's LDAP DN.  So, what I'd like to do with the login flow with CAS is something like this:
- User/Application directs to CAS login page.
- CAS looks for/prompts for x509 certificate from user/browser.
- If user provides a certificate, CAS verifies it is issued by local CA, looks for the certificate subject name in LDAP, compares provided cert to the LDAP userCertificate field, and examines CRL distribution point to make sure certificate is valid.
- If certificate matches, is valid, etc., login succeeds, and the LDAP mail attribute is used as the login name/principal name for the login, and control is returned to app that requested login.
- If certificate is not provided, does not match, etc., user is directed to login page.
- User can enter e-mail address and LDAP password at login page.
- If LDAP authentication succeeds, user is logged in and control is returned to the requesting app.
- Else login fails.

So, first, I'd like to know if a configuration like this is possible?  I suspect that it is, based on how flexible and powerful the CAS server is, but don't want to make that assumption and start working on it only to find out it doesn't work.  If it is possible, can anyone provide any hints, example configurations, etc., that would get me headed in the right direction?

Thanks,
Nick

Misagh Moayyed

Jun 8, 2016, 3:19:36 PM
to CAS Community

Everything you described is possible, almost word for word :)
See https://apereo.github.io/cas/4.2.x/installation/X509-Authentication.html

Nick Couchman

Jun 8, 2016, 3:23:20 PM
to CAS Community, mmoa...@unicon.net
Awesome.  So I have looked at that page before, and what I'm struggling to wrap my mind around is how to configure the LDAP lookup piece.  I've successfully configured CAS with LDAP, so I can get CAS talking to LDAP, and the instructions cover the x509 stuff and LDAP lookup for the CRL, but I'm looking for some hints on how to match the certificate subject name to the LDAP DN.  I'll poke around more at those pages and see if I can work through it, but any further hints would be greatly appreciated.  Not asking anyone to do my work for me, just point me in the right direction.

-Nick

Dmitriy Kopylenko

Jun 8, 2016, 3:56:01 PM
to Nick Couchman, CAS Community, Misagh Moayyed
I think you'd need to implement a custom principal resolver to do this LDAP lookup, which should return a null principal reference if not successful, which would trigger UnresolvedPrincipalException up the authentication transaction stack, etc.

Cheers,
D.
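As an added illustration of the resolver logic Dmitriy describes, and of the certificate-to-LDAP matching steps Nick listed in the opening post, here is a self-contained Java class (it is not code from the thread, from CAS, or from any of the posters, and it deliberately does not implement the CAS PrincipalResolver interface, whose method signatures differ between CAS versions; a real resolver would wrap this logic and return null where this returns null). It uses only the JDK: PKIX path validation against the local CA with revocation checking enabled, RFC 4514 DN comparison via LdapName, and a byte-for-byte comparison with the stored userCertificate. Assumptions: the attribute names userCertificate and mail come from the thread; the in-memory map standing in for the directory, the mail value user@example.com, the PEM file names on the command line, and the reliance on the Sun/OpenJDK property com.sun.security.enableCRLDP to make the validator follow CRL distribution points are all mine.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

/**
 * Resolves a presented client certificate to a principal id (the LDAP "mail"
 * attribute): chain to the local CA, revocation check, subject DN -> LDAP DN,
 * then compare with the stored userCertificate. Any failure yields null so the
 * caller can fall back to the e-mail/password form.
 */
public final class X509LdapPrincipalResolver {

    /** The two attributes of one LDAP entry this flow needs (names assumed from the thread). */
    public static final class DirectoryEntry {
        final byte[] userCertificate;
        final String mail;
        DirectoryEntry(byte[] userCertificate, String mail) {
            this.userCertificate = userCertificate;
            this.mail = mail;
        }
    }

    /** Directory abstraction; the in-memory map in main() stands in for a JNDI/ldaptive lookup. */
    public interface Directory {
        DirectoryEntry lookup(LdapName dn);
    }

    private final TrustAnchor localCa;
    private final Directory directory;

    public X509LdapPrincipalResolver(X509Certificate localCaCert, Directory directory) {
        this.localCa = new TrustAnchor(localCaCert, null);
        this.directory = directory;
    }

    public String resolve(X509Certificate presented) {
        // 1. PKIX path validation against the local CA only, with revocation checking on.
        //    The Sun/OpenJDK provider follows CRL distribution points only when the
        //    system property com.sun.security.enableCRLDP is "true" (set in main()).
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPath path = cf.generateCertPath(Collections.singletonList(presented));
            PKIXParameters params = new PKIXParameters(Collections.singleton(localCa));
            params.setRevocationEnabled(true);
            CertPathValidator.getInstance("PKIX").validate(path, params);
        } catch (GeneralSecurityException e) {
            return null;            // untrusted issuer, expired, revoked, or CRL unreachable
        }
        // 2. Subject name -> LDAP DN. LdapName normalises case and escaping, so this is
        //    DN equality per RFC 4514 rather than raw string equality.
        LdapName dn;
        try {
            dn = new LdapName(presented.getSubjectX500Principal().getName());
        } catch (InvalidNameException e) {
            return null;
        }
        DirectoryEntry entry = directory.lookup(dn);
        if (entry == null) {
            return null;            // no such user: fall through to the password form
        }
        // 3. The presented certificate must equal the stored userCertificate byte for byte,
        //    so another certificate from the same CA with the same subject is not accepted.
        try {
            if (!Arrays.equals(entry.userCertificate, presented.getEncoded())) {
                return null;
            }
        } catch (GeneralSecurityException e) {   // CertificateEncodingException
            return null;
        }
        return entry.mail;
    }

    private static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Usage: java X509LdapPrincipalResolver local-ca.pem user.pem   (assumed file names). */
    public static void main(String[] args) throws Exception {
        System.setProperty("com.sun.security.enableCRLDP", "true");
        X509Certificate ca = load(args[0]);
        X509Certificate user = load(args[1]);

        // Constructed directory contents: the user's entry holds this exact certificate
        // and an assumed mail attribute; a real deployment queries LDAP here instead.
        Map<LdapName, DirectoryEntry> entries = new HashMap<>();
        entries.put(new LdapName(user.getSubjectX500Principal().getName()),
                    new DirectoryEntry(user.getEncoded(), "user@example.com"));
        X509LdapPrincipalResolver resolver = new X509LdapPrincipalResolver(ca, entries::get);
        System.out.println("principal = " + resolver.resolve(user));

        // Same certificate against an empty directory: null, i.e. fall back to LDAP password login.
        X509LdapPrincipalResolver noUsers = new X509LdapPrincipalResolver(ca, dn -> null);
        System.out.println("unknown user -> " + noUsers.resolve(user));
    }
}
```

The order of the three checks matters: chain and revocation are verified before any directory query, so an unrelated certificate never causes an LDAP lookup, and the userCertificate comparison means a valid certificate for the right DN is still rejected unless it is the one the directory actually holds.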

Natan Zeferino

Oct 20, 2016, 9:04:46 AM
to CAS Community, nick.e....@gmail.com
Folks

I'm trying to configure CAS 5.0.0 RC1 with X509 Authentication, but it isn't working.

I'm getting errors:
org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'x509AuthenticationConfiguration': Unsatisfied dependency expressed through field 'revocationChecker': Error creating bean with name 'resourceCrlRevocationChecker' defined in class path resource [org/apereo/cas/adaptors/x509/config/X509AuthenticationConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apereo.cas.adaptors.x509.authentication.handler.support.RevocationChecker]: Circular reference involving containing bean 'x509AuthenticationConfiguration' - consider declaring the factory method as static for independence from its containing instance. Factory method 'resourceCrlRevocationChecker' threw exception; nested exception is java.lang.NullPointerException; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'resourceCrlRevocationChecker' defined in class path resource [org/apereo/cas/adaptors/x509/config/X509AuthenticationConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apereo.cas.adaptors.x509.authentication.handler.support.RevocationChecker]: Circular reference involving containing bean 'x509AuthenticationConfiguration' - consider declaring the factory method as static for independence from its containing instance. Factory method 'resourceCrlRevocationChecker' threw exception; nested exception is java.lang.NullPointerException

In fact, I'm not sure how to do it.

I tried this:

<bean id="crlCache" class="org.springframework.cache.ehcache.EhCacheFactoryBean"
     p:cacheName="CRLCache"
     p:eternal="false"
     p:overflowToDisk="false"
     p:maxElementsInMemory="100"
     p:timeToLive="3600"
     p:timeToIdle="3600">
 <property name="cacheManager">
   <bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean" />
 </property>
</bean>

<alias name="resourceCrlRevocationChecker" alias="x509RevocationChecker" />
<util:set id="x509CrlResources" >
<ref bean="crlCache"/>
</util:set>

Can somebody show me what I'm doing wrong?

Thanks