URL: http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.3/idp/install-esupcas.html Author: Patrik Schnellmann - SWITCH $Date: 2007/08/03 11:41:39 $ $Revision: 1.9 $
1. Download the esup-cas-server package from http://esup-casgeneric.sourceforge.net. The version of CAS Server included in that package is cas-server-2.0.12.

2. Unpack esup-cas-server-2.0.7-3.zip in directory /opt:

       $ cd /opt
       $ unzip esup-cas-server-2.0.7-3.zip

   The package content can be found in directory /opt/esup-cas-server-2.0.7-3/. The documentation in HTML format is in the subdirectory docs.

3. Configure the authentication backend as described in docs/auth-high-level.html or online on http://esup-casgeneric.sourceforge.net/auth-high-level.html. This can be done in the file properties/build.properties.
   Example configurations:

   LDAP backend example configuration (for anonymous bind, leave the values for "ldap-search.bind-dn" and "ldap-search.bind-password" empty):

       esup-casgeneric.auth=ldap-search
       esup-casgeneric.auth.ldap-search.filter=uid=%u
       esup-casgeneric.auth.ldap-search.search-base=dc=example,dc=ch
       esup-casgeneric.auth.ldap-search.scope=sub
       esup-casgeneric.auth.ldap-search.bind-dn=cn=admin,dc=example,dc=ch
       esup-casgeneric.auth.ldap-search.bind-password=examplepw
       esup-casgeneric.auth.ldap-search.url=ldap://ldap.example.ch
       # [...]
       esup-casgeneric.log.path=/var/log/esup-casgeneric.log
       # [...]
       cas-server.deploy.home=/opt/tomcat/webapps/cas

   Active Directory example configuration:

       esup-casgeneric.auth=ad-search
       esup-casgeneric.auth.ad-search.filter=sAMAccountName=%u
       esup-casgeneric.auth.ad-search.search-base=dc=example,dc=ch
       esup-casgeneric.auth.ad-search.scope=sub
       esup-casgeneric.auth.ad-search.bind-dn=cn=Administrator,dc=example,dc=ch
       esup-casgeneric.auth.ad-search.bind-password=examplepw
       esup-casgeneric.auth.ad-search.url=ldap://ad.example.ch
       # [...]
       esup-casgeneric.log.path=/var/log/esup-casgeneric.log
       # [...]
       cas-server.deploy.home=/opt/tomcat/webapps/cas
4. Deploy the cas web application:

       $ cd /opt/esup-cas-server-2.0.7-3/
       $ ant deploy

5. Adapt the JSP pages in /opt/tomcat/webapps/cas/ to meet your design guidelines (header.jsp, footer.jsp, login.jsp, goService.jsp). You may also use the templates provided by SWITCH: SWITCH-CAS.tar.gz.

6. Point your browser to http://www.example.ch/cas/login. There you can test the authentication against the configured backend (LDAP).
The CAS Client installation and configuration are described in the Shibboleth Identity Provider 1.3 Installation Guide (install-idp-1.3-debian.html).
With the CAS Generic Handler it is possible to make SSL-secured LDAP (ldaps) connections. Depending on the certificate the LDAP server uses, one additional step has to be done: when the CAS handler opens an ldaps connection, the certificate of the LDAP server is checked for whether it is trusted. Therefore Tomcat (or, to be more precise, the JVM in which Tomcat runs) has to trust the certification authority (CA) that issued the certificate on the LDAP server. The certificate of the CA can be stored in one of three places where Java looks for it:

  - $TOMCAT_HOME/jre/lib/security/cacerts
  - The keystore referenced by the system property javax.net.ssl.trustStore. For Tomcat, this is set in the CATALINA_OPTS variable in /etc/init.d/tomcat. This is how it is done when you follow our deployment guide for the Shibboleth IdP 1.3. (overrides the above)
  - A call to System.setProperty("javax.net.ssl.trustStore", "/path/to/truststore.jks") in the application code. (overrides the two above)

The only thing to be done for a successful ldaps connection is to import the CA certificate of the certificate used for ldaps:

    $ keytool -import -trustcacerts -alias "my ca" -file myCA.PEM.crt \
        -keystore truststore.jks
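As an added check, not part of the SWITCH guide or the esup-casgeneric package, the following POSIX shell script reads a build.properties file and warns when a bind password is configured together with a plain ldap:// URL, the combination both example configurations above show, which sends the bind DN's password across the network in clear rather than inside the ldaps session described here. The function names prop and check_ldap_transport are this script's own, and the properties sample is constructed inline.

```shell
#!/bin/sh
# Added check script (hypothetical; not from the SWITCH guide or esup-casgeneric).
# Reads an esup-casgeneric build.properties and warns when a bind password is
# configured together with a plain ldap:// URL. Exit status 0 = nothing to
# report, 1 = at least one warning.

# Value of the first matching key in a properties file; empty if unset.
prop() {
    grep "^$2=" "$1" | head -n 1 | sed 's/^[^=]*=//'
}

check_ldap_transport() {
    file="$1"
    auth=$(prop "$file" esup-casgeneric.auth)
    case "$auth" in
        ldap-search|ad-search) ;;   # the two directory backends used in the guide
        *) echo "INFO: auth=$auth is not an LDAP backend, nothing to check"; return 0 ;;
    esac
    url=$(prop "$file" "esup-casgeneric.auth.$auth.url")
    pw=$(prop "$file" "esup-casgeneric.auth.$auth.bind-password")
    case "$url" in
        ldaps://*)
            echo "OK: $auth binds over $url (the CA must be in the JVM truststore)"
            return 0 ;;
        ldap://*)
            if [ -n "$pw" ]; then
                echo "WARN: bind password for $auth is sent over plaintext $url; switch to ldaps://"
                return 1
            fi
            echo "INFO: anonymous bind over $url, no credentials on the wire"
            return 0 ;;
        *)
            echo "WARN: unrecognised or missing URL '$url' for $auth"
            return 1 ;;
    esac
}

# Constructed sample mirroring the guide's LDAP example (password over ldap://).
sample=$(mktemp)
cat > "$sample" <<'EOF'
esup-casgeneric.auth=ldap-search
esup-casgeneric.auth.ldap-search.filter=uid=%u
esup-casgeneric.auth.ldap-search.bind-dn=cn=admin,dc=example,dc=ch
esup-casgeneric.auth.ldap-search.bind-password=examplepw
esup-casgeneric.auth.ldap-search.url=ldap://ldap.example.ch
EOF
check_ldap_transport "$sample" || echo "review build.properties before running ant deploy"
rm -f "$sample"
```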