How to combine LDAP and static users from a file


Josep Manel Andrés

Sep 8, 2016, 4:45:08 AM
to CAS Community
Hi all,
We've got a CAS server for our systems with an LDAP backend, which works
great, but we have a special case in which an app needs to be able to
log in with the root account, but this is not on the LDAP.

So my question is how it's possible to combine both systems, LDAP login
and a username and password for root account only. I would like to keep
it simple.

Best regards.

--
Josep Manel Andrés (josep....@bsc.es)
Operations - Barcelona Supercomputing Center
C/ Jordi Girona, 31 http://www.bsc.es
08034 Barcelona, Spain Tel: +34-93-405 42 14
e-mail: sys...@bsc.es Fax: +34-93-413 77 21

Josep Manel Andrés

Sep 8, 2016, 4:51:01 AM
to cas-...@apereo.org
By the way, I am running CAS 4.1

Thanks.

William G. Thompson, Jr.

Sep 8, 2016, 7:58:50 AM
to josep....@bsc.es, CAS Community
Yes, with CAS all things are possible. :)

AuthN handlers can be changed so you can have both. Something like
this would work. You'll need to make sure your usernames don't
overlap.

<bean id="fileAuthnHandler"
      class="org.jasig.cas.adaptors.generic.FileAuthenticationHandler"
      p:fileName="/path/to/local-users.properties" />

<bean id="ldapAuthnHandler"
      class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
      p:contextSource-ref="ldapAuthContext" />

Also see https://apereo.github.io/cas/4.1.x/installation/Whitelist-Authentication.html

Best,
Bill

Josep Manel Andrés

Sep 8, 2016, 10:32:27 AM
to William G. Thompson, Jr., CAS Community
Hi William,
Great! It kind of worked :)
I have put this in the authenticationManager Bean:

<bean id="authenticationManager"
      class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
    <constructor-arg>
        <map>
            <entry key-ref="proxyAuthenticationHandler"
                   value-ref="proxyPrincipalResolver" />
            <entry key-ref="ldapAuthenticationHandler"
                   value="#{null}" />
            <entry key-ref="fileAuthnHandler" value="#{null}" />
        </map>
    </constructor-arg>

And this before ldapAuthenticationHandler:

<bean id="fileAuthnHandler"
      class="org.jasig.cas.adaptors.generic.FileAuthenticationHandler"
      p:fileName="/etc/cas/local-users.properties" />

But now I am getting this error:

2016-09-08 16:25:21,599 INFO
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
<LdapAuthenticationHandler failed authenticating scott>
2016-09-08 16:25:21,599 ERROR
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
<FileAuthenticationHandler: IO error reading backing file (Details:
Could not open ServletContext resource [/etc/cas/local-users.properties])>


Any hint?

Cheers.

William G. Thompson, Jr.

Sep 8, 2016, 10:47:27 AM
to josep....@bsc.es, CAS Community
> 2016-09-08 16:25:21,599 ERROR
> [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
> <FileAuthenticationHandler: IO error reading backing file (Details: Could
> not open ServletContext resource [/etc/cas/local-users.properties])>

Read permissions on /etc/cas/local-users.properties?

Josep Manel Andrés

Sep 8, 2016, 10:53:54 AM
to William G. Thompson, Jr., CAS Community
Sorry,
I've missed "file:"


p:fileName="/etc/cas/local-users.properties" />


p:fileName="file:/etc/cas/local-users.properties" />


Thanks a lot, now it works.
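
A check for the mistake resolved in this thread, as an added example that is not part of the original posts or of CAS itself: it reads a Spring context, finds `FileAuthenticationHandler` beans, and flags a `fileName` without a `file:` or `classpath:` prefix, plus a users file that is missing, unreadable, or world-readable. The function names and the embedded sample context are assumptions made for the example; the world-readable check is an added hardening step, since the file holds the local account's credentials.

```python
import os
import stat
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

BEANS_NS = "{http://www.springframework.org/schema/beans}"
P_NS = "{http://www.springframework.org/schema/p}"
HANDLER = "org.jasig.cas.adaptors.generic.FileAuthenticationHandler"

# Constructed sample: the bean as first posted in the thread, without "file:".
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p">
  <bean id="fileAuthnHandler"
        class="org.jasig.cas.adaptors.generic.FileAuthenticationHandler"
        p:fileName="/etc/cas/local-users.properties" />
</beans>"""


def check_file(path):
    """Check that the users file exists, is readable here, and is not world-readable."""
    if not os.path.isfile(path):
        return ["file not found: " + path]
    problems = []
    if not os.access(path, os.R_OK):
        problems.append("not readable by current user: " + path)
    if os.stat(path).st_mode & stat.S_IROTH:
        problems.append("world-readable: " + path)
    return problems


def lint_file_handlers(spring_xml):
    """Return (bean id, finding) pairs for every FileAuthenticationHandler bean."""
    findings = []
    for bean in ET.fromstring(spring_xml).iter(BEANS_NS + "bean"):
        if bean.get("class") != HANDLER:
            continue
        bean_id, location = bean.get("id"), bean.get(P_NS + "fileName", "")
        url = urlparse(location)
        if url.scheme not in ("file", "classpath"):
            # No prefix: the web application context resolves the path inside
            # the webapp, which produces the "ServletContext resource" error.
            findings.append((bean_id, "no file:/classpath: prefix: " + location))
        elif url.scheme == "file":
            findings.extend((bean_id, msg) for msg in check_file(url.path))
    return findings


if __name__ == "__main__":
    for bean_id, finding in lint_file_handlers(SAMPLE):
        print(bean_id, "-", finding)
```

Run it as the account the servlet container runs under, so the readability check reflects what CAS will see.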