
Database authentication with CAS GH

This method is essentially used by organizations in which some users, for technical or political reasons, are not registered in the LDAP directory but in a separate database.

As with LDAP authentication, fault tolerance is ensured by redundant database servers, and three access modes are provided (bind, search and query).

Bind mode

In this mode, users must be declared in the database, i.e. they must be database users; authentication is successful when the login and password given by the user allow CAS to open a connection to the database.

One may use:

<authentication debug="off">
<handler>
<classname>
org.esupportail.cas.server.handlers.database.BindDatabaseHandler
</classname>
<config>
<server>
<jdbc_driver>com.mysql.jdbc.Driver</jdbc_driver>
<jdbc_url>jdbc:mysql://127.0.0.1</jdbc_url>
</server>
</config>
</handler>
</authentication>

Search mode

This mode uses a privileged connection to the database. The authentication information (login and password) is stored in a table; authentication is successful when the information provided by the user is found in the database.

One may use:

<authentication debug="off">
<handler>
<classname>
org.esupportail.cas.server.handlers.database.SearchDatabaseHandler
</classname>
<config>
<table>user</table>
<login_column>login</login_column>
<password_column>password</password_column>
<bind_username>admin</bind_username>
<bind_password>secret</bind_password>
<server>
<jdbc_driver>com.mysql.jdbc.Driver</jdbc_driver>
<jdbc_url>jdbc:mysql://127.0.0.1</jdbc_url>
</server>
</config>
</handler>
</authentication>

When using this mode, the administrator should specify:

  • the table in which the database users are stored (<table>);
  • the columns storing the users' id and password (<login_column> and <password_column>);
  • the encryption used to store the password (<encryption>, optional);
  • the credentials used to connect to the database (<bind_username> and <bind_password>, optional).

Query mode

This mode also uses a privileged connection to the database. The authentication information may be stored anywhere in the database, and authentication is successful when the information provided by the user matches the information returned by the query.

One may use:

<authentication debug="off">
<handler>
<classname>
org.esupportail.cas.server.handlers.database.QueryDatabaseHandler
</classname>
<config>
<sql_query>
SELECT md5_password FROM user WHERE login = '%u' AND NOT locked
</sql_query>
<encryption>md5</encryption>
<bind_username>admin</bind_username>
<bind_password>secret</bind_password>
<server>
<jdbc_driver>com.mysql.jdbc.Driver</jdbc_driver>
<jdbc_url>jdbc:mysql://127.0.0.1</jdbc_url>
</server>
</config>
</handler>
</authentication>

When using this mode, the administrator should specify:

  • the SQL query used to query the database. This query can contain the special "%u" token, which is replaced by the user's netId at runtime. Because the token is substituted into the query text, check how the handler escapes the netId (or restrict the characters accepted in logins) before exposing the server;
  • the encryption used to store the password (plain, des, md5 and pammd5 are allowed, md5 by default). Note that plain stores the password in clear and unsalted md5 offers little protection if the table is disclosed;
  • the credentials used to connect to the database (optional).

Note: internally, a SearchDatabaseHandler is a QueryDatabaseHandler using the following SQL query:

SELECT <password_column> FROM <table> WHERE <login_column> = '%u'

Database servers

The database servers are defined by:

  • the JDBC URL of the database;
  • the JDBC driver that should be used to access the database.

When several servers are specified, they are all treated as replicates holding the same data: the next (redundant) server is tried only when the current one does not respond, and a server that responds and rejects the credentials makes the whole database authentication fail.
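To make the query-mode semantics and the replicate fail-over rule concrete, here is an added example that is not code from CAS GH: a small Python model of a QueryDatabaseHandler over an in-memory SQLite database (a stand-in for the JDBC server). The user table, its rows, the server functions and the one-matching-row rule are assumptions of this example; only the plain and md5 encryptions from the page are modelled (des and pammd5 are salted crypt(3)-style formats and are left out), and the netId is passed as a bind parameter rather than spliced into the query text, which is this example's choice and not a statement about how the real handler substitutes "%u".

```python
import hashlib
import sqlite3
from typing import Callable, List

# Constructed sample data for this example (not from the page): one active user, one locked user.
SAMPLE_USERS = [
    ("alice", hashlib.md5(b"secret123").hexdigest(), 0),
    ("bob",   hashlib.md5(b"hunter2").hexdigest(),   1),
]


def encode_password(password: str, encryption: str) -> str:
    """Encode the supplied password the way the <encryption> setting says it is stored.

    Only 'plain' and 'md5' are modelled here; 'des' and 'pammd5' are salted
    and would need the stored hash as input to recompute.
    """
    if encryption == "plain":
        return password
    if encryption == "md5":
        return hashlib.md5(password.encode("utf-8")).hexdigest()
    raise ValueError(f"unsupported encryption: {encryption}")


def search_to_query(table: str, login_column: str, password_column: str) -> str:
    """The query a SearchDatabaseHandler runs internally, as stated in the page's note."""
    return f"SELECT {password_column} FROM {table} WHERE {login_column} = '%u'"


def render_query(sql_query: str) -> str:
    """Turn the single quoted '%u' token into a bind parameter (this example's choice).

    Binding keeps a login such as  x' OR '1'='1  a plain literal instead of SQL.
    Whitespace is normalised because <sql_query> may span several lines.
    """
    if sql_query.count("'%u'") != 1 or sql_query.count("%u") != 1:
        raise ValueError("query must contain exactly one quoted '%u' token")
    return " ".join(sql_query.split()).replace("'%u'", "?")


def authenticate(servers: List[Callable[[], sqlite3.Connection]],
                 sql_query: str, encryption: str,
                 netid: str, password: str) -> bool:
    """Replicate rule from the page: try the next server only when the current one
    does not respond; a server that answers gives the final verdict."""
    expected = encode_password(password, encryption)
    last_error = None
    for connect in servers:
        try:
            conn = connect()
        except sqlite3.OperationalError as exc:   # server did not respond
            last_error = exc
            continue
        try:
            rows = conn.execute(render_query(sql_query), (netid,)).fetchall()
        finally:
            conn.close()
        # Assumption of this example: exactly one row whose first column matches.
        return len(rows) == 1 and rows[0][0] == expected
    raise RuntimeError("no database server responded") from last_error


def up_server() -> sqlite3.Connection:
    """A responding replicate: in-memory SQLite loaded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (login TEXT PRIMARY KEY, md5_password TEXT, locked INTEGER)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def down_server() -> sqlite3.Connection:
    """A replicate that does not respond."""
    raise sqlite3.OperationalError("connection refused")


# The page's own query-mode example.
QUERY = "SELECT md5_password FROM user WHERE login = '%u' AND NOT locked"

if __name__ == "__main__":
    print(authenticate([up_server], QUERY, "md5", "alice", "secret123"))               # True
    print(authenticate([up_server], QUERY, "md5", "bob", "hunter2"))                   # False: locked
    print(authenticate([down_server, up_server], QUERY, "md5", "alice", "secret123"))  # True: fail-over
```

Running the script shows a correct login succeeding, the locked account being refused even with the right password (the query itself filters it out), and the second replicate taking over when the first does not respond. Feeding it a netId containing quotes also shows why the identifier should reach the database as a literal rather than as SQL text.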

JDBC drivers

CAS GH developers usually place the JARs implementing the JDBC drivers they use in the ${tomcat.home}/webapps/cas/WEB-INF/lib directory (loose classes go in ${tomcat.home}/webapps/cas/WEB-INF/classes) or, when using one of the esup-cas-server and esup-cas-quick-start packages, directly in the custom/cas-server-patch/web/WEB-INF folder, so that the files get deployed with ant.

No JDBC driver is provided with CAS GH; the driver corresponding to your database must be obtained from the database vendor.

Copyright © 2002-2004 - ESUP-Portail consortium