Friday, February 3, 2012

Build Jasig CAS Server for Active Directory integration

This is a step-by-step guide to compiling the Jasig CAS server on a Windows box for integration with Active Directory.  On a Linux or OS X box, just install Maven, modify the CAS source files, and build.  Fully tested with Java 1.7, Maven 3.0.4, and CAS 3.4.11.

Install Java and Maven

Install the Java JDK

Download Maven (get the apache-maven-3.x.x-bin.zip file)

Extract Maven and place the inner maven directory somewhere.  This guide assumes you used c:\maven

You need to add environment variables for Java and Maven.  Open the System control panel (Win+Pause), open Advanced system settings, then open Environment Variables on the Advanced tab.  We'll be adding everything as a User variable.  Create a new variable named JAVA_HOME and set it to the JDK directory under C:\Program Files\Java\.  For example, set JAVA_HOME to C:\Program Files\Java\jdk1.7.0_02

Add a variable for M2_HOME and point it at your Maven directory.  Add another variable for M2 and point it at %M2_HOME%\bin.  Add or update your User Path variable so that it includes %M2%.

You should have added the following:
JAVA_HOME C:\Program Files\Java\jdk1.7.0_02
M2_HOME C:\maven
M2 %M2_HOME%\bin
Path %M2%
Open a new cmd prompt (a prompt that was already open won't see the new variables) and run mvn --version.  You should see the Maven version along with the Java version it found, and no errors.


Download and modify the CAS source

Download the CAS source and extract it.  You will need to edit two files:
cas-server-webapp/pom.xml
cas-server-webapp/src/main/webapp/WEB-INF/deployerConfigContext.xml
Open pom.xml and add the following just after <dependencies> around line 12:

        <!-- LDAP support -->
        <dependency>
            <groupId>${project.groupId}</groupId>
            <artifactId>cas-server-support-ldap</artifactId>
            <version>${project.version}</version>
        </dependency>
Open deployerConfigContext.xml.
Around line 77 you should find the section <property name="authenticationHandlers">.
There should be two beans inside it; leave the first one alone and replace the second one:

<bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
Replace it with the following and set searchBase to the container (or the domain root) your users live under.  AD user objects don't carry a uid attribute, so change the filter from uid=%u to sAMAccountName=%u (the pre-Windows 2000 logon name), or to userPrincipalName=%u or mail=%u if users sign in with their e-mail address.  %u is replaced with the username submitted on the login form, and by default the search must match exactly one entry for the bind to succeed:

<!-- LDAP bind Authentication Handler -->
<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
    <property name="filter" value="uid=%u" />
    <property name="searchBase" value="{your LDAP search path, e.g.: cn=users,dc=example,dc=com}" />
    <property name="contextSource" ref="LDAPcontextSource" />
    <!-- AD answers a subtree search with referrals for its other naming contexts, which JNDI surfaces as a PartialResultException -->
    <property name="ignorePartialResultException" value="yes" />
</bean>
Next, add the following before the final </beans> and fill in your AD server URL, the bind account's DN, and its password.  Use a dedicated, read-only service account for the bind: it only needs permission to read the user objects under searchBase, and its password sits in clear text inside the WAR, so restrict who can read the built artifact and the source tree.  Because the URL uses ldaps://, the JVM running CAS must also trust the certificate the domain controller presents (import the issuing CA into the JVM's truststore with keytool if it isn't already there).

<bean id="LDAPcontextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="pooled" value="false"/>
    <property name="urls">
        <list>
            <value>{URL of your AD server, e.g.: ldaps://ad.example.com}</value>
        </list>
    </property>
    <!-- AD accepts the account's full DN or its UPN (svc-cas@example.com) for a simple bind -->
    <property name="userDn" value="{your read-only bind account, e.g.: cn=svc-cas,cn=Users,dc=example,dc=com}"/>
    <property name="password" value="{your password for bind}"/>
    <property name="baseEnvironmentProperties">
        <map>
            <entry>
                <key>
                    <value>java.naming.security.authentication</value>
                </key>
                <value>simple</value>
            </entry>
        </map>
    </property>
</bean>
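Before building, it is worth sanity-checking the edited deployerConfigContext.xml for the mistakes that most often survive this step: the test handler left in place, a uid= filter, a plain ldap:// URL, or one of the "{...}" placeholders above never filled in.  The script below is an added example written for this post, not code from the Jasig CAS project.  It uses only the Python standard library and parses the Spring beans XML directly; the sample configuration it builds is a constructed stand-in for the relevant part of deployerConfigContext.xml, and the names ad.example.com and cn=svc-cas,cn=Users,dc=example,dc=com are assumptions.  With no argument it checks the snippets exactly as pasted from this guide; pass the path to your real file to check that instead.

```python
"""Sanity-check an edited deployerConfigContext.xml before building cas.war.
Added example for this post, not Jasig CAS code; standard library only. It checks that the
test handler is gone, the bind handler uses an ldaps:// LdapContextSource, and no "{...}"
placeholder from this guide was left in place."""
import re
import sys
import xml.etree.ElementTree as ET

TEST_HANDLER = ("org.jasig.cas.authentication.handler.support."
                "SimpleTestUsernamePasswordAuthenticationHandler")
BIND_HANDLER = "org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
CONTEXT_SOURCE = "org.springframework.ldap.core.support.LdapContextSource"
PLACEHOLDER = re.compile(r"^\{.*\}/?$")       # "{your ... here}" markers used in this guide
AD_LOOKUP_ATTRS = ("sAMAccountName", "userPrincipalName", "mail")
TRUTHY = ("true", "yes", "on", "1")            # boolean spellings Spring accepts


def _local(tag):
    """Drop the Spring beans XML namespace so tags compare as plain names."""
    return tag.rsplit("}", 1)[-1]


def _props(bean):
    """Map each direct <property> of a bean to its value, its ref, or its nested <value> texts."""
    out = {}
    for child in bean:
        if _local(child.tag) != "property":
            continue
        if child.get("value") is not None:
            out[child.get("name")] = child.get("value")
        elif child.get("ref") is not None:
            out[child.get("name")] = child.get("ref")
        else:  # e.g. urls: <list><value>ldaps://...</value></list>
            out[child.get("name")] = [v.text.strip() for v in child.iter()
                                      if _local(v.tag) == "value" and v.text]
    return out


def check_config(xml_text):
    """Return a list of findings; an empty list means the file looks deployable."""
    findings = []
    beans = [b for b in ET.fromstring(xml_text).iter() if _local(b.tag) == "bean"]
    if any(b.get("class") == TEST_HANDLER for b in beans):
        findings.append("SimpleTestUsernamePasswordAuthenticationHandler is still configured; "
                        "it accepts any user whose password equals the username")
    handler = next((b for b in beans if b.get("class") == BIND_HANDLER), None)
    if handler is None:
        return findings + ["no BindLdapAuthenticationHandler bean found"]
    hp = _props(handler)
    flt = hp.get("filter", "")
    if "%u" not in flt:
        findings.append("filter lacks the %u username placeholder")
    attr = flt.split("=", 1)[0]
    if attr not in AD_LOOKUP_ATTRS:
        findings.append("filter attribute '%s' is not one of %s" % (attr, ", ".join(AD_LOOKUP_ATTRS)))
    if PLACEHOLDER.match(hp.get("searchBase", "")):
        findings.append("searchBase placeholder not filled in")
    if hp.get("ignorePartialResultException", "").lower() not in TRUTHY:
        findings.append("ignorePartialResultException not enabled; AD referrals will break the search")
    ctx = next((b for b in beans if b.get("id") == hp.get("contextSource")
                and b.get("class") == CONTEXT_SOURCE), None)
    if ctx is None:
        return findings + ["contextSource ref does not point at an LdapContextSource bean"]
    cp = _props(ctx)
    for url in cp.get("urls", []):
        if PLACEHOLDER.match(url):
            findings.append("AD server URL placeholder not filled in")
        elif not url.lower().startswith("ldaps://"):
            findings.append("URL %s is not ldaps://; passwords would cross the wire in clear text" % url)
    for name in ("userDn", "password"):
        if PLACEHOLDER.match(cp.get(name, "")):
            findings.append("%s placeholder not filled in" % name)
    return findings


def sample_config(filt, search_base, url, user_dn, password, keep_test_handler=False):
    """Constructed stand-in for the edited part of deployerConfigContext.xml (not the real file)."""
    test = '<bean class="%s"/>' % TEST_HANDLER if keep_test_handler else ""
    return """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
    <property name="authenticationHandlers"><list>%s
      <bean class="%s">
        <property name="filter" value="%s"/>
        <property name="searchBase" value="%s"/>
        <property name="contextSource" ref="LDAPcontextSource"/>
        <property name="ignorePartialResultException" value="yes"/>
      </bean>
    </list></property>
  </bean>
  <bean id="LDAPcontextSource" class="%s">
    <property name="urls"><list><value>%s</value></list></property>
    <property name="userDn" value="%s"/>
    <property name="password" value="%s"/>
  </bean>
</beans>""" % (test, BIND_HANDLER, filt, search_base, CONTEXT_SOURCE, url, user_dn, password)


if __name__ == "__main__":  # usage: python check_cas_ldap.py [path\to\deployerConfigContext.xml]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else sample_config(
        "uid=%u", "{your LDAP search path}", "{URL of your AD server}/",
        "{your bind account}", "{your password for bind}", keep_test_handler=True)
    problems = check_config(text)
    print("\n".join("FINDING: " + p for p in problems) or "OK: no findings")
    sys.exit(1 if problems else 0)
```

The checker reads the bean graph the way Spring does, by class name and by the contextSource ref, so it still works if you rename the LDAPcontextSource bean or move it elsewhere in the file.  It cannot tell whether the bind account is actually read-only; that part stays a manual check in AD.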

Build the CAS webapp WAR file

Navigate to the CAS source in your terminal.  We are only concerned with building the WAR file at this point, so change into cas-server/cas-server-webapp and run:
mvn package install

If all went well you should find cas.war in cas-server/cas-server-webapp/target.  You can now deploy this WAR file to your application server.

Credits:
https://wiki.jasig.org/display/CASUM/Building+and+Deploying
http://stackoverflow.com/questions/6412468/single-sign-on-sso-how-to-use-active-directory-as-an-authentication-method-fo


1 comment:

Akira Sekine said...

Thank you for posting this article. I have been following the original site (https://wiki.jasig.org/display/CASUM/Building+and+Deploying) though this site is much easier to understand. Really appreciated.

Would I be able to ask you a question please?
I set it up, but it is showing the following errors in my log file below.
2015-07-22 01:50:43,478 WARN [org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler] - org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler is only to be used in a testing environment. NEVER enable this in a production environment.
2015-07-22 01:50:43,803 WARN [org.springframework.webflow.conversation.impl.ConversationLockFactory] - Unable to enable conversation locking. Switch to Java 5 or above, or put the 'util.concurrent' package on the classpath to enable locking in your environment.
2015-07-22 01:50:43,814 WARN [org.springframework.webflow.conversation.impl.ConversationLockFactory] - Unable to enable conversation locking. Switch to Java 5 or above, or put the 'util.concurrent' package on the classpath to enable locking in your environment.

I am very new to Java, and I am not sure how I need to fix the above errors; if you could tell me where to fix the issues above, it would be really appreciated.

thanks in advance,