phpCAS latest release v2.1.2-1
last update 31-August-2007 11:53AM

X509 authentication with CAS GH

This feature is currently under development and is not supported yet.
The original specifications are given below, but be aware that they may change in the near future.


In a future version, GenericHandler may also be able to authenticate users presenting X.509 certificates. When a user presents an X.509 certificate to CAS GH, the class:

  • lets the web server check the validity of the certificate,
  • extracts the user's login name from the certificate (the cert_attr attribute of the x509 tag),
  • looks the user up in an LDAP server to check that the issuer DN and subject DN of the certificate match the ones stored in the LDAP directory.

Two modes are provided to search for users in the directory: ldap_search and ldap_fastsearch, which correspond to the ldap_bind and ldap_fastbind modes used when accessing LDAP servers for authentication (see LDAP authentication with CAS GH).

One may use:

<x509 ldap_version="3" ldap_timeout="5" cert_attr="name">
  <ldap_fastsearch
      search_base="uid=%u,ou=people,dc=esup-portail,dc=org"
      bind_dn="admin" bind_pw="secret"/>
  <ldap_server host="ldap.esup-portail.org" port="389" secured="no" />
  <ldap_server host="replica.esup-portail.org" port="389" secured="no" />
</x509>

or:

<x509 ldap_version="3" ldap_timeout="5" cert_attr="name">
  <ldap_search
      search_base="dc=univ-rennes1,dc=fr"
      scope="sub" filter="uid=%u"
      bind_dn="admin" bind_pw="secret" />
  <ldap_server host="ldap.esup-portail.org" port="389" secured="no" />
  <ldap_server host="replica.esup-portail.org" port="389" secured="no" />
</x509>
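The following added example (not CAS GH code) walks through the three steps above in Python for both modes: it reads an x509 fragment, substitutes the login taken from the certificate into the search_base (ldap_fastsearch) or the filter (ldap_search), and compares the issuer and subject DNs of the certificate with those stored for the user. The directory is a constructed in-memory stand-in, the attribute names certIssuerDN and certSubjectDN are an assumption (the page does not name them), the backslash-hex escaping of the login is an added hardening step the page does not describe, and the web server is assumed to have already validated the certificate chain.

```python
import xml.etree.ElementTree as ET

# Constructed x509 fragments in the syntax shown above; the two modes differ only in the child tag.
FASTSEARCH_CFG = """<x509 ldap_version="3" ldap_timeout="5" cert_attr="name">
  <ldap_fastsearch search_base="uid=%u,ou=people,dc=esup-portail,dc=org" bind_dn="admin" bind_pw="secret"/>
  <ldap_server host="ldap.esup-portail.org" port="389" secured="no"/>
</x509>"""
SEARCH_CFG = FASTSEARCH_CFG.replace(
    '<ldap_fastsearch search_base="uid=%u,ou=people,dc=esup-portail,dc=org"',
    '<ldap_search search_base="dc=esup-portail,dc=org" scope="sub" filter="uid=%u"')

# Constructed stand-in for the directory: DN -> attributes. The attribute names holding
# the stored issuer and subject DNs are an assumption; the page does not name them.
DIRECTORY = {"uid=jdoe,ou=people,dc=esup-portail,dc=org": {
    "uid": "jdoe",
    "certIssuerDN": "CN=ESUP CA,O=ESUP-Portail,C=FR",
    "certSubjectDN": "CN=Jean Doe,O=ESUP-Portail,C=FR"}}

def escape_ldap(value, special):
    """Backslash-hex escape (RFC 4514 characters for DNs, RFC 4515 for filters) so a login
    read from a certificate cannot change the shape of the query built around it."""
    return "".join("\\%02x" % ord(c) if c in special else c for c in value)

def build_request(config_xml, login):
    """Return ("dn", dn) for ldap_fastsearch or ("filter", base, filter) for ldap_search."""
    root = ET.fromstring(config_xml)
    fast = root.find("ldap_fastsearch")
    if fast is not None:
        return ("dn", fast.get("search_base").replace("%u", escape_ldap(login, ',+"\\<>;=')))
    srch = root.find("ldap_search")
    return ("filter", srch.get("search_base"),
            srch.get("filter").replace("%u", escape_ldap(login, "*()\\\0")))

def lookup(request):
    """Simulate the directory answering the request (a real server decodes the escapes)."""
    if request[0] == "dn":
        return DIRECTORY.get(request[1])
    _, base, flt = request
    attr, _, val = flt.partition("=")
    hits = [e for dn, e in DIRECTORY.items() if dn.endswith(base) and e.get(attr) == val]
    return hits[0] if len(hits) == 1 else None  # reject ambiguous matches

def authenticate(config_xml, cert):
    """cert: dict with 'attrs' (certificate attributes), 'issuer' and 'subject' DN strings.
    Returns the login on success, None on any failed check."""
    login = cert["attrs"].get(ET.fromstring(config_xml).get("cert_attr"))
    if not login:
        return None
    entry = lookup(build_request(config_xml, login))
    if entry is None or entry["certIssuerDN"] != cert["issuer"] or entry["certSubjectDN"] != cert["subject"]:
        return None
    return login
```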




Copyright © 2002-2004 - ESUP-Portail consortium