LDAP authentication with CAS GH

As LDAP has become the standard for user repositories, authentication against an LDAP directory is the most widely used method nowadays. LDAP authentication configuration consists of specifying:

  • the mode used to access LDAP servers (see below);
  • an LDAP server or a list of LDAP servers (for redundancy);

Two access modes are provided (bind and fastbind), depending on the internal structure of the LDAP directory.

Direct access mode (fastbind)

The fastbind method can be used with LDAP directories in which the users' Distinguished Names can be directly deduced from their login name (in practice, directories where all the users are stored at the same hierarchical level).

In this mode, CAS tries to connect to the LDAP directory with the user's DN and the password provided.

One may use:

<authentication debug="off">
  <handler>
    <classname>org.esupportail.cas.server.handlers.ldap.FastBindLdapHandler</classname>
    <config>
      <filter>uid=%u,ou=people,dc=esup-portail,dc=org</filter>
      <server>
        <url>ldap://ldap.esup-portail.org</url>
      </server>
      <server>
        <url>ldap://replica.esup-portail.org</url>
      </server>
    </config>
  </handler>
</authentication>

When using the ldap_fastbind method, the administrator only has to specify the filter used to build the users' DN in the directory. The following tokens (similar to those of ldap_saslauthd) can be used in the filter string:

  • %% = %
  • %u = user
  • %U = user portion of %u (%U = test when %u = test@domain.tld)
  • %d = domain portion of %u (%d = domain.tld when %u = test@domain.tld)
  • %1-9 = domain tokens (%1 = tld, %2 = domain when %d = domain.tld)
  • %s = service
  • %r = realm

The %u token must be used at minimum for the filter to be useful. Defaults to uid=%u.

Search mode (bind)

When users are located in different branches of the directory, deducing the users' DN from their login name is impossible. In this case, the ldap_bind mode should be used. It performs a search in the directory before trying to connect.

One may use:

<authentication debug="off">
  <handler>
    <classname>org.esupportail.cas.server.handlers.ldap.BindLdapHandler</classname>
    <config>
      <search_base>ou=people,dc=esup-portail,dc=org</search_base>
      <filter>uid=%u</filter>
      <scope>sub</scope>
      <bind_dn>admin</bind_dn>
      <bind_password>secret</bind_password>
      <server>
        <url>ldap://ldap.esup-portail.org</url>
      </server>
      <server>
        <url>ldap://replica.esup-portail.org</url>
      </server>
      <disable_multiple_accounts/>
    </config>
  </handler>
</authentication>

When using the bind method, the administrator should specify:

  • the start point of the search (e.g. dc=univ-rennes1,dc=fr). The tokens described for the filter attribute (see above) can be used for substitution;
  • the search scope (can be sub, one or base). Defaults to sub;
  • the filter to find the users' DN in the directory;
  • the parameters used to connect to the LDAP directory (when omitted, an anonymous connection is used);
  • whether multiple accounts for users are allowed or not, using the <enable_multiple_accounts> and <disable_multiple_accounts> tags (by default, they are not allowed). If the LDAP search returns more than one result, no connection to the LDAP directory is made and the authentication is refused. This feature was added in version 2.0.5.
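The token substitution described for the filter attribute and the multiple-accounts rule of the bind mode, as an added example written for this page (it is not code from CAS GH). The escaping of substituted values is an assumption, since the page does not say whether the handler escapes them; backslash-hex escaping is valid both in DNs (RFC 4514) and in search filters (RFC 4515), so one routine serves the fastbind DN template and the bind-mode filter.

```python
import re

# Characters that are special in LDAP DNs or search filters; any of them found in a
# substituted value is replaced by its backslash-hex form, which both syntaxes accept.
_SPECIAL = set('\\*()+,"<>;=#\x00')


def escape_value(value):
    """Backslash-hex escape characters that are special in LDAP DNs or filters."""
    return "".join("\\%02x" % ord(c) if c in _SPECIAL else c for c in value)


def expand_filter(template, user, service="", realm=""):
    """Expand the CAS GH filter tokens: %% -> %, %u -> user, %U -> user portion,
    %d -> domain portion, %1..%9 -> domain labels counted from the right (%1 = tld),
    %s -> service, %r -> realm. Unknown tokens are left untouched."""
    local, _, domain = user.partition("@")
    labels = domain.split(".")[::-1] if domain else []  # %1 = tld, %2 = next label, ...
    values = {"%": "%", "u": user, "U": local, "d": domain, "s": service, "r": realm}
    values.update({str(i): "" for i in range(1, 10)})  # missing domain tokens expand to ""
    for i, label in enumerate(labels[:9], start=1):
        values[str(i)] = label

    def repl(match):
        key = match.group(1)
        return escape_value(values[key]) if key in values else match.group(0)

    return re.sub(r"%(.)", repl, template)


def candidate_dns(search_results, allow_multiple=False):
    """Bind-mode rule: return the DNs CAS may try to bind with. With
    <disable_multiple_accounts/> (the default) more than one hit refuses the login,
    so an empty list means 'do not connect, authentication refused'."""
    if not search_results:
        return []
    if len(search_results) > 1 and not allow_multiple:
        return []
    return list(search_results)


if __name__ == "__main__":
    # Constructed sample inputs mirroring the configurations above.
    print(expand_filter("uid=%u,ou=people,dc=esup-portail,dc=org", "jdoe"))
    print(expand_filter("uid=%U,dc=%2,dc=%1", "test@domain.tld"))
    print(candidate_dns(["uid=jdoe,ou=people,dc=esup-portail,dc=org",
                         "uid=jdoe,ou=staff,dc=esup-portail,dc=org"]))
```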

LDAP servers

The LDAP servers are defined by:

  • their LDAP URL;
  • whether referrals should be skipped or not (set the optional <skip-referrals> tag to 1 when binding to Active Directory). This feature was added in version 2.0.7.

When several servers are specified, they are all considered replicas: because the directories are expected to contain the same data, an authentication failure on one directory makes the whole LDAP authentication fail; the next (redundant) servers are only tried when the first one does not respond.

Several replicas can also be specified as a space-separated list of LDAP URLs in the <url> element (these URLs are handled by JNDI, since JDK 1.4, as described in http://java.sun.com/products/jndi/tutorial/ldap/misc/url.html). Alternatively, using several <server> elements can help when debugging.


Copyright © 2002-2004 - ESUP-Portail consortium