Monday, July 7, 2014

CAS Integration with Liferay

Note: the environment is based on Liferay 6.0.5 and CAS 3.5.1.

1. Configure Tomcat for SSL. I have used port 443. You can read all about it here
   A. After creating the certificates, I just ended up adding the following tag in TOMCAT_HOME/conf/server.xml
      <Connector
          port="443" maxThreads="200"
          scheme="https" secure="true" SSLEnabled="true"
          keystoreFile="/root/.keystore" keystorePass="password"
          clientAuth="false" sslProtocol="TLS"/>
   B. IMPORTANT: I did not manage to make CAS work with a self-signed certificate, so I've used a temporary free one.

2. Configure Liferay for LDAP
  • Log in to Liferay
  • Go to Control Panel -> Settings -> Authentication -> LDAP
  • Ensure the “Enabled” check box is selected
  • I strongly suggest enabling the “Import” checkbox and ensuring Import is enabled on server startup.
  • Add a server
  • Fill in the LDAP server details (it's easy to check them with an LDAP browser like jxplorer)
  • Save your configuration
  • I usually restart Tomcat after that change and check the log to see that all users were imported successfully
3. Build CAS
  • Download CAS (I downloaded it from here)
  • Unzip the file
  • Edit the CAS_HOME/cas-server-webapp/pom.xml file and add the following dependency:
    <dependency>
      <groupId>org.jasig.cas</groupId>
      <artifactId>cas-server-support-ldap</artifactId>
      <version>3.5.1</version>
    </dependency>
  • Build CAS using Maven. The command to run is: mvn clean install
4. Deploy CAS
  • Copy the newly created WAR file from CAS_HOME/cas-server-webapp/target/cas.war to TOMCAT_HOME/webapps
5. Configure CAS for LDAP
  • Edit TOMCAT_HOME/webapps/cas/WEB-INF/deployerConfigContext.xml
  • Add the following at the end of the file (just before the closing </beans> tag)
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
  <!-- DO NOT enable JNDI pooling for context sources that perform LDAP bind operations. -->
  <property name="pooled" value="false"/>
  <!--
    Although multiple URLs may be defined, it's strongly recommended to avoid this configuration
    since the implementation attempts hosts in sequence and requires a connection timeout
    prior to attempting the next host, which incurs unacceptable latency on node failure.
    A proper HA setup for LDAP directories should use a single virtual host that maps to multiple
    real hosts using a hardware load balancer.
  -->
  <!--
    With a plain ldap:// URL and simple authentication, the manager bind below and every
    user bind travel in cleartext; outside a lab use ldaps:// (or StartTLS) to the directory.
  -->
  <property name="url" value="ldap://LDAP_SERVER:389" />
  <!--
    Manager credentials are only required if your directory does not support anonymous searches.
    Never provide these credentials for FastBindLdapAuthenticationHandler since the user's
    credentials are used for the bind operation.
  -->
  <property name="userDn" value="cn=Manager"/>
  <property name="password" value="test"/>
  <!-- Place JNDI environment properties here. -->
  <property name="baseEnvironmentProperties">
    <map>
      <!-- Three seconds is an eternity to users. -->
      <entry key="com.sun.jndi.ldap.connect.timeout" value="3000" />
      <entry key="com.sun.jndi.ldap.read.timeout" value="3000" />
      <!-- Explained at http://download.oracle.com/javase/1.3/docs/api/javax/naming/Context.html#SECURITY_AUTHENTICATION -->
      <entry key="java.naming.security.authentication" value="simple" />
    </map>
  </property>
</bean>
  • Add the following bean inside the <list> of the authenticationHandlers property (the closing tags below show where it sits; the p: attributes need the Spring p namespace declared on the <beans> root, which the shipped file already has). With filter mail=%u, users log in with the value of their mail attribute.
<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
      p:filter="mail=%u"
      p:searchBase="ou=people,dc=test,dc=com"
      p:contextSource-ref="contextSource" />
    </list>
  </property>
</bean>
6. Configure Liferay for CAS
  • Log in to Liferay
  • Go to Control Panel -> Settings -> Authentication -> CAS
  • Ensure the “Enabled” check box is selected
  • Ensure the “LDAP Import” check box is selected
  • Enter the URLs of the CAS server
  • Save
  • Add the following line to TOMCAT_HOME/webapps/ROOT/WEB-INF/classes/system-ext.properties
com.liferay.filters.sso.cas.CASFilter=true
  • Add the following line to TOMCAT_HOME/webapps/ROOT/WEB-INF/classes/portal-ext.properties
auto.login.hooks=com.liferay.portal.security.auth.CASAutoLogin
  • Restart Tomcat
You can now access your Liferay instance and get the CAS login instead…
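As an added example (not code from this post or from Liferay/CAS), here is the check a CAS client such as the CASFilter performs after step 6: it sends the ticket to the CAS server's /serviceValidate endpoint over HTTPS and parses the CAS 2.0 XML reply. TLS verification is kept on, which is why the self-signed certificate from step 1B fails unless it is placed in a trust store. The server URLs, ticket and the two sample responses are constructed.

```python
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# CAS 2.0 responses use this namespace (http://www.yale.edu/tp/cas).
CAS_NS = "{http://www.yale.edu/tp/cas}"

# Constructed sample replies, shaped like a CAS 3.x /serviceValidate response.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>alice@test.com</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket ST-1 not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def parse_service_response(xml_text):
    """Return (user, None) on success, (None, failure_code) otherwise.
    With the post's filter mail=%u the user value is the mail the person typed."""
    root = ET.fromstring(xml_text)
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is not None:
        user = success.findtext(CAS_NS + "user")
        return (user, None) if user else (None, "MISSING_USER")
    failure = root.find(CAS_NS + "authenticationFailure")
    if failure is not None:
        return None, failure.get("code", "UNKNOWN")
    return None, "MALFORMED_RESPONSE"


def validate_ticket(cas_server_url, service_url, ticket, cafile=None):
    """Ask the CAS server whether `ticket` was issued for `service_url`.
    TLS verification stays on: a self-signed CAS certificate must be added to
    the trust store (cafile here, the JVM cacerts for Liferay) rather than
    verification being switched off."""
    query = urllib.parse.urlencode({"service": service_url, "ticket": ticket})
    url = cas_server_url.rstrip("/") + "/serviceValidate?" + query
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, context=ctx, timeout=5) as resp:
        return parse_service_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    print(parse_service_response(SUCCESS_XML))   # ('alice@test.com', None)
    print(parse_service_response(FAILURE_XML))   # (None, 'INVALID_TICKET')
    # Live check against hypothetical hosts (needs network and a trusted CA file):
    # validate_ticket("https://cas.example.com/cas",
    #                 "https://liferay.example.com/c/portal/login", "ST-1-abc", cafile="ca.pem")
```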