Install / Configure LDAP

DDF ships with an embedded LDAP instance intended for testing; it was used extensively during internal testing.

More information on configuring the LDAP and a list of users and attributes can be found at the Embedded LDAP Configuration page.

Add cas-server-support-ldap-3.3.1_1.jar to CAS

  • Copy thirdparty/cas-server-support-ldap-3.3.1/target/cas-server-support-ldap-3.3.1_1.jar to ${ozone-widget-framework}/apache-tomcat-${version}/webapps/cas/WEB-INF/lib/cas-server-support-ldap-3.3.1_1.jar

Add spring-ldap-1.2.1_1.jar to CAS

  • Copy thirdparty/spring-ldap-1.2.1/target/spring-ldap-1.2.1_1.jar to ${ozone-widget-framework}/apache-tomcat-${version}/webapps/cas/WEB-INF/lib/spring-ldap-1.2.1_1.jar

Modify deployerConfigContext.xml

  • In ${ozone-widget-framework}/apache-tomcat-${version}/webapps/cas/WEB-INF/deployerConfigContext.xml, add the FastBindLdapAuthenticationHandler bean definition to the <list> in the property stanza with name authenticationHandlers of the bean stanza with id authenticationManager. The filter value is a DN template: CAS substitutes the submitted username for %u and binds as that DN with the user's password, so the template must point at the container where the embedded LDAP keeps its user entries:

    deployerConfigContext.xml
    <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
    
        <!-- other property definitions -->
    
        <property name="authenticationHandlers">
            <list>
                <bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler" >
                    <property name="filter" value="uid=%u,ou=users,dc=example,dc=com" />
                    <property name="contextSource" ref="contextSource" />
                </bean>
    
                <!-- other bean definitions -->
    
            </list>
        </property>
    </bean>



  • In ${ozone-widget-framework}/apache-tomcat-${version}/webapps/cas/WEB-INF/deployerConfigContext.xml, remove the bean stanza with class ozone3.cas.adaptors.UserPropertiesFileAuthenticationHandler from the <list> of the property stanza with name authenticationHandlers, so that the properties-file accounts no longer authenticate alongside LDAP.

 

  • In ${ozone-widget-framework}/apache-tomcat-${version}/webapps/cas/WEB-INF/deployerConfigContext.xml, add the contextSource bean stanza to the beans stanza. The userDn and password are the account CAS uses to open its connection to the directory; the values below are the ones used for internal testing, stored in plaintext, against an unencrypted ldap:// URL, so treat them as test-only settings:

    deployerConfigContext.xml
    <bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
        <property name="urls">
            <list>
                <value>ldap://localhost:1389</value>
            </list>
        </property>
        <property name="userDn" value="uid=admin,ou=system"/>
        <property name="password" value="secret"/>
    </bean>

Ozone Configuration

Ozone was also set up to authenticate against LDAP. This section is a reference for deployments that use Ozone together with CAS; the settings were used for internal testing and should be treated as a starting point, not as a production configuration.

  1. Modify OWFsecurityContext.xml

      • In ${ozone-widget-framework}/apache-tomcat-${version}/lib/OWFsecurityContext.xml, change the sec:x509 stanza to the following:

        OWFsecurityContext.xml
        <sec:x509 subject-principal-regex="CN=(.*?)," user-service-ref="ldapUserService" />
      • In ${ozone-widget-framework}/apache-tomcat-${version}/lib/OWFsecurityContext.xml, remove the following import:

        OWFsecurityContext.xml
        <import resource="ozone-security-beans/UserServiceBeans.xml" />
      • In ${ozone-widget-framework}/apache-tomcat-${version}/lib/OWFsecurityContext.xml, add the following import:

        OWFsecurityContext.xml
        <import resource="ozone-security-beans/LdapBeans.xml" />
  2. Modify LdapBeans.xml

    • In ${ozone-widget-framework}/apache-tomcat-${version}/lib/ozone-security-beans/LdapBeans.xml, change the bean stanza with id contextSource to the following (the search bases in the beans below are relative to the base DN given in this URL):

      LdapBeans.xml
      <bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
          <!-- The URL of the ldap server, along with the base path that all other ldap path will be relative to -->
          <constructor-arg value="ldap://localhost:1389/dc=example,dc=com"/>        
      </bean>
    • In ${ozone-widget-framework}/apache-tomcat-${version}/lib/ozone-security-beans/LdapBeans.xml, change the bean stanza with id authoritiesPopulator to the following:

      LdapBeans.xml
      <bean id="authoritiesPopulator" class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
          <constructor-arg ref="contextSource"/>
          <!-- search base for determining what roles a user has -->
          <constructor-arg value="ou=roles"/>         
      </bean>
    • In ${ozone-widget-framework}/apache-tomcat-${version}/lib/ozone-security-beans/LdapBeans.xml, change the bean stanza with id ldapUserSearch to the following:

      LdapBeans.xml
      <bean id="ldapUserSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
          <!-- search base for finding User records -->
          <constructor-arg value="ou=users" />     
          <constructor-arg value="(uid={0})" /> <!-- filter applied to entities under the search base in order to find a given user. 
                                                      this default searches for an entity with a matching uid -->
          <constructor-arg ref="contextSource" />
      </bean>
    • In ${ozone-widget-framework}/apache-tomcat-${version}/lib/ozone-security-beans/LdapBeans.xml, change the bean stanza with id userDetailsMapper to the following:

      LdapBeans.xml
      <bean id="userDetailsMapper" class="ozone.securitysample.authentication.ldap.OWFUserDetailsContextMapper">
          <constructor-arg ref="contextSource" />
          <!-- search base for finding OWF group membership -->
          <constructor-arg value="ou=groups" />         
          <constructor-arg value="(member={0})" /> <!-- filter that matches only groups that have the given username listed
                                                            as a "member" attribute -->
      </bean>
  3. Modify OWFCasBeans.xml

    • In ${ozone-widget-framework}/apache-tomcat-${version}/lib/ozone-security-beans/OWFCasBeans.xml, change the bean stanza with id casAuthenticationProvider to the following, so that the identity CAS asserts is resolved against LDAP rather than the properties-file user service:

      OWFCasBeans.xml
      <bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
          <property name="userDetailsService" ref="ldapUserService" />
          <property name="serviceProperties" ref="serviceProperties" />
          <property name="ticketValidator" ref="ticketValidator" />
          <property name="key" value="an_id_for_this_auth_provider_only" />
      </bean>
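To check that the DN template in the CAS FastBind handler and the three search bases in LdapBeans.xml line up with the directory before wiring them into Tomcat, here is an added Python model of those lookups. It is not code from DDF, CAS or OWF. It runs offline against a constructed LDIF fragment shaped like the dc=example,dc=com tree (ou=users, ou=roles, ou=groups); the uid testuser1, the role cn user and the group cn OWF Users are assumptions, as is treating the {0} in the OWF group filter as the user's full DN (which is what DefaultLdapAuthoritiesPopulator does for its own (member={0}) filter). It also shows the RFC 4514 and RFC 4515 escaping that any value substituted into a DN template or a search filter needs, so that a username such as x,ou=system cannot rewrite the DN that CAS binds as.

```python
"""
Offline model of the lookups the CAS and OWF LDAP beans above perform.

Added example, not code from DDF, CAS or OWF. The LDIF below is constructed to
look like the embedded LDAP's dc=example,dc=com tree; the user, role and group
names in it are assumptions, not values from the page.
"""
import re

# From ldap://localhost:1389/dc=example,dc=com: the search bases in the OWF
# beans (ou=users, ou=roles, ou=groups) are relative to this DN.
BASE_DN = "dc=example,dc=com"

# Constructed sample directory (container entries omitted; parent DNs are
# derived from the entry DNs below).
SAMPLE_LDIF = """\
dn: uid=testuser1,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: testuser1
cn: Test User One

dn: cn=user,ou=roles,dc=example,dc=com
objectClass: groupOfNames
cn: user
member: uid=testuser1,ou=users,dc=example,dc=com

dn: cn=OWF Users,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: OWF Users
member: uid=testuser1,ou=users,dc=example,dc=com
"""


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value placed into a DN, e.g. the %u in uid=%u,ou=users,..."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, len(value) - 1)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter such as (uid={0})."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def fast_bind_dn(template: str, username: str) -> str:
    """The DN the FastBind handler binds as: the filter template with %u replaced.
    The escaping is this example's safe behaviour, not a statement about CAS 3.3 internals."""
    return template.replace("%u", escape_dn_value(username))


def build_filter(template: str, value: str) -> str:
    """The filter string sent for a (uid={0}) style template."""
    return template.replace("{0}", escape_filter_value(value))


def parse_ldif(text: str) -> dict:
    """Minimal LDIF reader: {dn: {attr: [values]}} with attribute names lower-cased."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name.lower(), []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries


def parent_dn(dn: str) -> str:
    """Everything after the first unescaped comma, i.e. the DN of the entry's parent."""
    m = re.search(r"(?<!\\),", dn)
    return dn[m.end():].strip() if m else ""


def search_one_level(entries: dict, base: str, attr: str, value: str) -> list:
    """(attr=value) directly under base: the default one-level search of
    FilterBasedLdapUserSearch and DefaultLdapAuthoritiesPopulator (searchSubtree=false)."""
    return [dn for dn, attrs in entries.items()
            if parent_dn(dn).lower() == base.lower() and value in attrs.get(attr, [])]


def resolve(entries: dict, username: str):
    """Replays the OWF lookups: user entry under ou=users, roles under ou=roles,
    groups under ou=groups. Returns None unless exactly one user entry matches."""
    users = search_one_level(entries, "ou=users," + BASE_DN, "uid", username)
    if len(users) != 1:
        return None
    user_dn = users[0]
    # DefaultLdapAuthoritiesPopulator: (member=<user DN>) under ou=roles, cn -> ROLE_<CN upper-cased>
    roles = sorted("ROLE_" + entries[dn]["cn"][0].upper()
                   for dn in search_one_level(entries, "ou=roles," + BASE_DN, "member", user_dn))
    # OWFUserDetailsContextMapper: (member={0}) under ou=groups; {0} is assumed here to be the user DN
    groups = sorted(entries[dn]["cn"][0]
                    for dn in search_one_level(entries, "ou=groups," + BASE_DN, "member", user_dn))
    return {"dn": user_dn, "roles": roles, "groups": groups}


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print(fast_bind_dn("uid=%u,ou=users,dc=example,dc=com", "testuser1"))
    print(fast_bind_dn("uid=%u,ou=users,dc=example,dc=com", "x,ou=system"))
    print(build_filter("(uid={0})", "test*"))
    print(resolve(directory, "testuser1"))
    print(resolve(directory, "nobody"))
```

Run it as a script to see the resolved DN, roles and groups. Changing one of the search bases to a container that does not hold the expected entries (for example pointing the role base at ou=groups) makes the corresponding list come back empty, which is the quickest way to spot a wrong base before deploying the beans.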