How to configure CAS 4.0 with LDAP ApacheDS

Time: 2014-12-17 16:32:19

Tags: ssl ldap ssl-certificate cas apacheds

I want to configure CAS server 4.0 with ApacheDS LDAP. I followed the steps below:

1- Based on this Link I modified the deployerConfigContext.xml file. The following beans were added to this file:

<bean id="ldapAuthenticationHandler"
      class="org.jasig.cas.authentication.LdapAuthenticationHandler"
      p:principalIdAttribute="uid"
      c:authenticator-ref="authenticator">
    <property name="principalAttributeMap">
        <map>
            <!--
               | This map provides a simple attribute resolution mechanism.
               | Keys are LDAP attribute names, values are CAS attribute names.
               | Use this facility instead of a PrincipalResolver if LDAP is
               | the only attribute source.
               -->
            <entry key="member" value="member" />
            <entry key="mail" value="mail" />
            <entry key="displayName" value="displayName" />
        </map>
    </property>
</bean>

<bean id="authenticator" class="org.ldaptive.auth.Authenticator"
      c:resolver-ref="dnResolver"
      c:handler-ref="authHandler" />

<!--
   | The following DN format works for many directories, but may need to be
   | customized.
   -->
<bean id="dnResolver"
      class="org.ldaptive.auth.FormatDnResolver"
      c:format="uid=%s,${ldap.baseDn}" />

<bean id="authHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler"
      p:connectionFactory-ref="pooledLdapConnectionFactory" />

<bean id="pooledLdapConnectionFactory"
      class="org.ldaptive.pool.PooledConnectionFactory"
      p:connectionPool-ref="connectionPool" />

<bean id="connectionPool"
      class="org.ldaptive.pool.BlockingConnectionPool"
      init-method="initialize"
      p:poolConfig-ref="ldapPoolConfig"
      p:blockWaitTime="${ldap.pool.blockWaitTime}"
      p:validator-ref="searchValidator"
      p:pruneStrategy-ref="pruneStrategy"
      p:connectionFactory-ref="connectionFactory" />

<bean id="ldapPoolConfig" class="org.ldaptive.pool.PoolConfig"
      p:minPoolSize="${ldap.pool.minSize}"
      p:maxPoolSize="${ldap.pool.maxSize}"
      p:validateOnCheckOut="${ldap.pool.validateOnCheckout}"
      p:validatePeriodically="${ldap.pool.validatePeriodically}"
      p:validatePeriod="${ldap.pool.validatePeriod}" />

<bean id="connectionFactory" class="org.ldaptive.DefaultConnectionFactory"
      p:connectionConfig-ref="connectionConfig" />

<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig"
      p:ldapUrl="${ldap.url}"
      p:connectTimeout="${ldap.connectTimeout}"
      p:useStartTLS="${ldap.useStartTLS}"
      p:sslConfig-ref="sslConfig" />

<bean id="sslConfig" class="org.ldaptive.ssl.SslConfig">
    <property name="credentialConfig">
        <bean class="org.ldaptive.ssl.X509CredentialConfig"
              p:trustCertificates="${ldap.trustedCert}" />
    </property>
</bean>

<bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
      p:prunePeriod="${ldap.pool.prunePeriod}"
      p:idleTime="${ldap.pool.idleTime}" />

<bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" />

In addition, the properties below were added to cas.properties:

#========================================
# General properties
#========================================
ldap.url=ldaps://localhost:10636
# LDAP connection timeout in milliseconds
ldap.connectTimeout=30000

# Whether to use StartTLS (probably needed if not SSL connection)
ldap.useStartTLS=true

#========================================
# LDAP connection pool configuration
#========================================
ldap.pool.minSize=3
ldap.pool.maxSize=10
ldap.pool.validateOnCheckout=false
ldap.pool.validatePeriodically=true

# Amount of time in milliseconds to block on pool exhausted condition
# before giving up.
ldap.pool.blockWaitTime=3000

# Frequency of connection validation in seconds
# Only applies if validatePeriodically=true
ldap.pool.validatePeriod=3000

# Attempt to prune connections every N seconds
ldap.pool.prunePeriod=3000

# Maximum amount of time an idle connection is allowed to be in
# pool before it is liable to be removed/destroyed
ldap.pool.idleTime=6000

#========================================
# Authentication
#========================================

ldap.baseDn=dc=example,dc=com

# Base DN of users to be authenticated
ldap.authn.baseDn=dc=example,dc=com

# Manager DN for authenticated searches
ldap.authn.managerDN=uid=admin,ou=system

# Manager password for authenticated searches
ldap.authn.managerPassword=secret

# Search filter used for configurations that require searching for DNs
#ldap.authn.searchFilter=(&(uid={user})(accountState=active))
ldap.authn.searchFilter=(uid={0})

# Search filter used for configurations that require searching for DNs
#ldap.authn.format=uid=%s,ou=Users,dc=example,dc=org
ldap.authn.format=uid=%s,ou=system

ldap.trustedCert=file:/D:/ApacheDS.cer

I also used InstallCert to add localhost:8443 (Tomcat) and localhost:10636 (ApacheDS) to the cacerts file, and used Portecle to export ApacheDS.cer from the ApacheDS certificate in cacerts.

My modified Tomcat server.xml file is as follows:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="50" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" 
               keystoreFile="C:/Program Files/Java/jdk1.7.0_60/jre/lib/security/cacerts" 
               keystorePass="changeit"
               />

The following jars were also added to apache-tomcat-8.0.8\webapps\cas-server-webapp-4.0.0\WEB-INF\lib: cas-server-support-ldap-4.0.0.jar, spring-ldap-core-2.0.2.RELEASE.jar, spring-ldap-1.2.1.jar, ldaptive-1.0.5.jar

Finally! After many attempts I got the following error:

Caused by: java.lang.IllegalStateException: Could not initialize pool size
    at org.ldaptive.pool.AbstractConnectionPool.initialize(AbstractConnectionPool.java:258)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeCustomInitMethod(AbstractAutowireCapableBeanFactory.java:1638)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1579)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1509)
    ... 70 more
Caused by: [org.ldaptive.provider.ConnectionException@3778440::resultCode=null, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, providerException=javax.naming.ServiceUnavailableException: localhost:10636; socket closed]
    at org.ldaptive.provider.jndi.JndiStartTLSConnectionFactory.createInternal(JndiStartTLSConnectionFactory.java:95)
    at org.ldaptive.provider.jndi.JndiStartTLSConnectionFactory.createInternal(JndiStartTLSConnectionFactory.java:37)
    at org.ldaptive.provider.AbstractProviderConnectionFactory.create(AbstractProviderConnectionFactory.java:99)
    at org.ldaptive.DefaultConnectionFactory$DefaultConnection.open(DefaultConnectionFactory.java:295)
    at org.ldaptive.pool.AbstractConnectionPool.createConnection(AbstractConnectionPool.java:482)
    at org.ldaptive.pool.AbstractConnectionPool.createAvailableConnection(AbstractConnectionPool.java:523)
    at org.ldaptive.pool.AbstractConnectionPool.grow(AbstractConnectionPool.java:363)
    at org.ldaptive.pool.AbstractConnectionPool.initialize(AbstractConnectionPool.java:252)
    ... 77 more
Caused by: javax.naming.ServiceUnavailableException: localhost:10636; socket closed
    at com.sun.jndi.ldap.Connection.readReply(Connection.java:454)
    at com.sun.jndi.ldap.LdapClient.extendedOp(LdapClient.java:1202)
    at com.sun.jndi.ldap.LdapCtx.extendedOperation(LdapCtx.java:3206)
    at javax.naming.ldap.InitialLdapContext.extendedOperation(InitialLdapContext.java:183)
    at org.ldaptive.provider.jndi.JndiStartTLSConnectionFactory.startTLS(JndiStartTLSConnectionFactory.java:134)
    at org.ldaptive.provider.jndi.JndiStartTLSConnectionFactory.createInternal(JndiStartTLSConnectionFactory.java:92)
    ... 84 more

Can you help me solve this problem? I really don't know what the main cause of the problem is.
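The question's own cas.properties pair an ldaps:// URL (ApacheDS's TLS-wrapped port 10636) with ldap.useStartTLS=true, and the stack trace fails inside JndiStartTLSConnectionFactory.startTLS. StartTLS is an LDAP extended operation that upgrades a plain ldap:// connection to TLS; sending it over a socket that is already TLS is not a valid combination, and a closed socket is the usual symptom. The following script is an added example, not code from the question or from the CAS or ldaptive projects: it reads a cas.properties-style text (the sample below is constructed from the values shown above) and flags that mismatch, plus the reverse case (plain ldap:// with StartTLS off, so simple binds and the manager password would cross the wire unencrypted) and a plain ldap:// URL pointed at ApacheDS's default LDAPS port. The ApacheDS default ports (10389 for LDAP, 10636 for LDAPS) are taken from ApacheDS's factory defaults, not from the page.

```python
"""Lint the LDAP transport settings a CAS 4.0 cas.properties file hands to ldaptive.

Added example (not part of the original question or answers). It checks the
ldap.url / ldap.useStartTLS combination rather than connecting anywhere, so it
runs offline and can be used before a deployment is restarted.
"""
from urllib.parse import urlsplit

# Constructed sample, shaped like the cas.properties fragment in the question.
SAMPLE_PROPERTIES = """\
# General properties
ldap.url=ldaps://localhost:10636
ldap.connectTimeout=30000
# Whether to use StartTLS (probably needed if not SSL connection)
ldap.useStartTLS=true
ldap.trustedCert=file:/D:/ApacheDS.cer
ldap.authn.managerDN=uid=admin,ou=system
ldap.authn.managerPassword=secret
"""

# ApacheDS factory defaults (assumption stated in the lead-in, not from the page).
APACHEDS_DEFAULT_PORTS = {"ldap": 10389, "ldaps": 10636}


def parse_properties(text):
    """Minimal Java .properties reader: skip blanks/comments, split on the first '='."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # a key with no value is of no interest here
        props[key.strip()] = value.strip()
    return props


def as_bool(value):
    """Java-style boolean property: only the literal 'true' (any case) is true."""
    return str(value).strip().lower() == "true"


def check_ldap_transport(props):
    """Return a list of (severity, message) findings about ldap.url and ldap.useStartTLS."""
    findings = []
    parts = urlsplit(props.get("ldap.url", ""))
    scheme = parts.scheme.lower()
    start_tls = as_bool(props.get("ldap.useStartTLS", "false"))

    if scheme not in APACHEDS_DEFAULT_PORTS:
        return [("error", f"ldap.url has unexpected or missing scheme {scheme!r}")]

    # The combination behind the question's "socket closed" StartTLS failure.
    if scheme == "ldaps" and start_tls:
        findings.append(("error",
            "ldap.url is ldaps:// but ldap.useStartTLS=true: StartTLS is only valid on a "
            "plain ldap:// connection, so the extended request fails on an already-TLS "
            "socket. Set ldap.useStartTLS=false, or use ldap://<host>:<plain port> with "
            "StartTLS enabled."))

    # No transport protection at all: the simple bind carries the password in clear.
    if scheme == "ldap" and not start_tls:
        findings.append(("warning",
            "ldap.url is plain ldap:// and StartTLS is off: simple binds (including "
            "ldap.authn.managerPassword) would travel unencrypted."))

    # Plain LDAP aimed at the TLS-wrapped port cannot complete an LDAP handshake.
    if scheme == "ldap" and parts.port == APACHEDS_DEFAULT_PORTS["ldaps"]:
        findings.append(("warning",
            f"ldap:// pointed at port {parts.port}, ApacheDS's default LDAPS port; a "
            "plain-text LDAP handshake (and therefore StartTLS) will not work there."))

    return findings


def main():
    for severity, msg in check_ldap_transport(parse_properties(SAMPLE_PROPERTIES)):
        print(f"[{severity}] {msg}")


if __name__ == "__main__":
    main()
```

Run against the sample it reports one error, the ldaps-plus-StartTLS mismatch. Turning off failFastInitialize on the pool (the approach taken in one answer below) only stops the pool from throwing during Spring initialization; each connection attempt still fails the same way at first use, so the check above is meant to catch the misconfiguration before the deployment is restarted.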

3 Answers:

Answer 0: (score: 5)

I don't know whether this answer is too late, but I ran into the same problem recently, and after reading the ldaptive project sources I found the answer as follows:

Just add the p:failFastInitialize="false" parameter to the connectionPool bean, like this:

<bean id="connectionPool"
      class="org.ldaptive.pool.BlockingConnectionPool"
      init-method="initialize"
      p:poolConfig-ref="ldapPoolConfig"
      p:blockWaitTime="${ldap.pool.blockWaitTime}"
      p:validator-ref="searchValidator"
      p:pruneStrategy-ref="pruneStrategy"
      p:connectionFactory-ref="connectionFactory" p:failFastInitialize="false" />

Answer 1: (score: 4)

Finally I was able to find the solution! Listed below are the steps that help you connect to ApacheDS through CAS server 4.

  1. Download cas-server-4.0.0-release.zip
  2. Download Tomcat 8 and run it
  3. Unzip cas-server-4.0.0-release.zip and copy cas-server-webapp-4.0.0.war into Tomcat's apache-tomcat-8.0.8\webapps. Wait until Tomcat extracts the WAR file and creates cas-server-webapp-4.0.0
  4. Stop the Tomcat server
  5. Go to Tomcat's conf folder and edit the server.xml file. You should uncomment the HTTPS section of this file.

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" 
           keystoreFile="C:/Program Files/Java/jdk1.7.0_60/jre/lib/security/cacerts" 
           keystorePass="changeit"             
           />
    
  6. As you can see, the Tomcat HTTPS certificate should be added to the cacerts file. You can check the following link to do this: A Simple Step-By-Step Guide To Apache Tomcat SSL Configuration

  7. Go to apache-tomcat-8.0.8\webapps\cas-server-webapp-4.0.0\WEB-INF and replace the content of deployerConfigContext.xml with the following: Go to my Blog to copy the content of file

  8. [screenshot]

  9. Go to apache-tomcat-8.0.8\webapps\cas-server-webapp-4.0.0\META-INF\maven\org.jasig.cas\cas-server-webapp and add the following to pom.xml:

  10. [screenshot]

  11. Add the following jar files to apache-tomcat-8.0.8\webapps\cas-server-webapp-4.0.0\WEB-INF\lib

      • cas-server-support-ldap-4.0.0.jar
      • spring-ldap-core-2.0.2.RELEASE.jar
      • spring-ldap-1.2.1.jar
      • ldaptive-1.0.5.jar

  12. Run ApacheDS

  13. Connect to ApacheDS using Apache Directory Studio and create a user under dc=example,dc=com Apache Directory Studio

  14. Start Tomcat

  15. Go to http://localhost:8080/cas-server-webapp-4.0.0/login

  16. Enter the username and password you created in Apache Directory Studio. You can now log in to CAS with an LDAP user!

Answer 2: (score: 1)

I'm using Moghadam's solution above successfully, but I had to make one small adjustment in deployerConfigContext.xml:

<bean id="ldapAuthenticationHandler" class="org.jasig.cas.authentication.LdapAuthenticationHandler" >
    <constructor-arg ref="authenticator" />
    <property name="principalAttributeMap">
        <map>
            <entry key="mail" value="mail" />
            <entry key="cn" value="cn" />
        </map>
    </property>
</bean>

Note that I removed the p:principalIdAttribute="uid" attribute.