having trouble with ldap config for cas-services management webapp


Al J

Feb 24, 2016, 11:37:06 AM
to CAS Community
I am having a really tough time getting cas services management webapp to work w/ldap (against an IPA server)

I can get authentication to work, but I can't figure out what are the right group-xxx attributes to use, I don't know what they are intended to do.

Where can I find out how these are used?

I've pulled my ldap values out into a .properties file for easier maintenance, copying for the most part that which works just fine for my cas server

in my managementConfigContext.xml -- I have made only this change 

    <sec:ldap-server id="ldapServer" url="${ldap.url}"
                     manager-dn="${ldap.authn.managerDN}"
                     manager-password="${ldap.authn.managerPassword}" />

    <sec:ldap-user-service id="userDetailsService" server-ref="ldapServer"
                           group-search-base="${ldap.authn.group.baseDn}"
                           group-role-attribute="${ldap.authn.group.roleAttr}"
                           group-search-filter="${ldap.authn.group.searchFilter}"
                           user-search-base="${ldap.authn.user.baseDn}"
                           user-search-filter="${ldap.authn.user.searchFilter}"/>



I have added these values to my cas-management.properties

# LDAP Server
ldap.url=<omitted>

# LDAP connection timeout in milliseconds
ldap.connectTimeout=3000

# Whether to use StartTLS (probably needed if not SSL connection)
ldap.useStartTLS=false

# Base DN of users to be authenticated
ldap.authn.user.baseDn=cn=users,cn=accounts,dc=epc-instore,dc=com

# Manager DN for authenticated searches
ldap.authn.managerDN=uid=<omitted>,cn=users,cn=accounts,dc=epc-instore,dc=com

# Manager password for authenticated searches
ldap.authn.managerPassword=<omitted>

# Search filter used for configurations that require searching for DNs
#ldap.authn.searchFilter=(&(uid={user})(accountState=active))
ldap.authn.user.searchFilter=(uid={0})

ldap.authn.group.searchFilter=gidNumber=1886200029
ldap.authn.group.baseDn=cn=groups,cn=accounts,dc=epc-instore,dc=com
ldap.authn.group.roleAttr=cn

# Search filter used for configurations that require searching for DNs
#ldap.authn.format=uid=%s,ou=Users,dc=example,dc=org
ldap.authn.format=uid=%s,cn=users,cn=accounts,dc=epc-instore,dc=com

# A path to trusted X.509 certificate for StartTLS
ldap.trustedCert=/path/to/cert.cer



Misagh Moayyed

Feb 24, 2016, 11:59:41 AM
to CAS Community

This basically should allow you to configure access roles into the app. You get the roles for the user, and you decide which of those roles is a match so access can be granted. Is that what you are trying to do?

If you search the archives, you will come across http://comments.gmane.org/gmane.comp.java.jasig.cas.user/24806 which might help.



Al J

Feb 24, 2016, 12:15:12 PM
to CAS Community, mmoa...@unicon.net
I just want to set it so that everybody in our developers group can admin 

We are running an IPA server so I don't have anyplace (that I know of) to add roles -- and I do not want to muck about with its underlying ldap store outside of its GUI

I can already just set the user search path to only accept users in the developers group so I don't need groups/roles

I don't understand what the group stuff is supposed to return -- the string 'ROLE_ADMIN' or an array of strings of roles?

I wish I could tell it to ignore the group stuff or just hard code the 'ROLE_ADMIN' in there

thanks

Al J

Feb 24, 2016, 1:00:46 PM
to CAS Community, mmoa...@unicon.net
so I set it to only accept users from the developers group

then I did my best to set the group stuff to only accept the developers group

now I'm getting http error 403 on the cas-services/manage.html

a different problem now ?

Misagh Moayyed

Feb 24, 2016, 1:59:50 PM
to CAS Community

403 usually means you’re denied access to the app. Possibly because of a role mismatch.


You might get more mileage out of the integration if you discussed the change with Spring Security folks, and what you might have to do to extend it. It takes a while to decipher, and in recent versions of the platform, Spring Sec is removed in favor of something that is more easily understood and augmented. Perhaps the changes could be backported.

Al J

Feb 24, 2016, 6:01:42 PM
to CAS Community, mmoa...@unicon.net
Skate, Shoot, Score !!

I figured out how to add roles in the IPA app and added one called ROLE_ADMIN, but that didn't work, and when I turned on debug I saw why -- I was being granted the role: ROLE_ROLE_ADMIN -- sigh... OK so a quick change in IPA to the role name of ADMIN and things started working.  Afterwards I changed that to: admin -- and that works also, so it seems to be case sensitive.

My group search items are: 

# group search items -- note: IPA required authenticated search to see roles
ldap.authn.group.searchFilter=(cn=admin)
ldap.authn.group.baseDn=cn=roles,cn=accounts,dc=my-domain,dc=com
ldap.authn.group.roleAttr=cn

So, 1st I had to figure out how to make the group stuff return the string I wanted it to: ROLE_ADMIN -- and then I had to realize that the ROLE_ is applied programmatically

Whew!

Al;
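Added example, not code from the thread, the CAS management webapp or Spring Security: an in-memory emulation of what the group-search-base / group-search-filter / group-role-attribute settings do in Spring Security's DefaultLdapAuthoritiesPopulator, whose defaults are rolePrefix "ROLE_" and convertToUpperCase true. It reproduces the ROLE_ROLE_ADMIN surprise, and shows the caveat a practitioner should take from the final config above: a group filter such as `(cn=admin)` never references the user (`{0}` is the user's DN, `{1}` the login name), so it matches the admin role entry for every user who can authenticate, leaving the user search filter as the only access gate. Adding a membership test to the filter grants the role only to members. The entries, the users alice and bob, and the assumption that FreeIPA role entries list full member DNs in a `member` attribute are all constructed for the example.

```python
"""Emulation of Spring Security's DefaultLdapAuthoritiesPopulator group lookup.

Added example; not code from the CAS management webapp or Spring Security.
"""
import re

# Constructed sample entries laid out like the FreeIPA tree quoted in the
# thread.  Assumption: FreeIPA role entries list full member DNs in 'member'.
ALICE = "uid=alice,cn=users,cn=accounts,dc=my-domain,dc=com"
BOB = "uid=bob,cn=users,cn=accounts,dc=my-domain,dc=com"
GROUP_BASE = "cn=roles,cn=accounts,dc=my-domain,dc=com"
DIRECTORY = {
    ALICE: {"uid": ["alice"]},
    BOB: {"uid": ["bob"]},
    "cn=admin," + GROUP_BASE: {"cn": ["admin"], "member": [ALICE]},
    "cn=helpdesk," + GROUP_BASE: {"cn": ["helpdesk"], "member": [BOB]},
}


def ldap_escape(value):
    """RFC 4515 escaping for a value substituted into a filter.  In the real
    stack JNDI escapes the {0}/{1} search arguments; the emulation does it by
    hand so an injected '*' or ')' cannot widen the group match."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def matches(entry, filt):
    """Minimal filter evaluator: (attr=value), (&(..)(..)) and (|(..)(..)).
    Values are compared literally (sample data contains no escaped chars)."""
    filt = filt.strip()
    if filt[:2] in ("(&", "(|"):
        parts, depth, start, inner = [], 0, 0, filt[2:-1]
        for i, ch in enumerate(inner):
            depth += ch == "("
            depth -= ch == ")"
            if ch == ")" and depth == 0:
                parts.append(inner[start:i + 1])
                start = i + 1
        results = [matches(entry, p) for p in parts]
        return all(results) if filt[1] == "&" else any(results)
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if not m:
        raise ValueError("unsupported filter: " + filt)
    return m.group(2) in entry.get(m.group(1), [])


def role_to_authority(role, role_prefix="ROLE_", convert_to_upper_case=True):
    """Spring's defaults: upper-case the attribute value, then prepend ROLE_.
    A role literally named ROLE_ADMIN therefore becomes ROLE_ROLE_ADMIN."""
    if convert_to_upper_case:
        role = role.upper()
    return role_prefix + role


def authorities(directory, user_dn, username, group_search_base,
                group_search_filter, group_role_attribute="cn"):
    """Every entry under the group base that matches the filter contributes
    its role attribute; {0} is the user's DN and {1} the login name."""
    filt = (group_search_filter
            .replace("{0}", ldap_escape(user_dn))
            .replace("{1}", ldap_escape(username)))
    granted = set()
    for dn, entry in directory.items():
        if dn == group_search_base or not dn.lower().endswith(group_search_base.lower()):
            continue
        if matches(entry, filt):
            for value in entry.get(group_role_attribute, []):
                granted.add(role_to_authority(value))
    return sorted(granted)


if __name__ == "__main__":
    # The filter from the end of the thread never references {0}, so it
    # matches the admin role entry for every authenticated user.
    for dn, name in ((ALICE, "alice"), (BOB, "bob")):
        print(name, "(cn=admin) ->",
              authorities(DIRECTORY, dn, name, GROUP_BASE, "(cn=admin)"))
    # A filter that also tests membership grants the role only to members.
    for dn, name in ((ALICE, "alice"), (BOB, "bob")):
        print(name, "(&(cn=admin)(member={0})) ->",
              authorities(DIRECTORY, dn, name, GROUP_BASE, "(&(cn=admin)(member={0}))"))
    print("role named ROLE_ADMIN ->", role_to_authority("ROLE_ADMIN"))
```

Run it as a script to see both filters side by side. The membership-checking form is the one to put in `ldap.authn.group.searchFilter` if the intent is that only members of the IPA role get ROLE_ADMIN; the attribute name (`member`) must match what the real IPA server stores, so confirm it with an ldapsearch against the role entry before relying on it.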
