LDAP Authentication Handler
Including the Handler
In the pom.xml file for your CAS Maven2 WAR Overlay, add the following dependency:
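The dependency snippet did not survive extraction on this copy of the page, so the following is an added example rather than the page's own text. It declares the CAS 3.x LDAP support module; it assumes the overlay's pom.xml already defines a cas.version property matching the CAS release you deploy.

```xml
<!-- Added example, not the page's own snippet.
     Assumes <cas.version> is defined in the overlay pom's <properties>. -->
<dependency>
  <groupId>org.jasig.cas</groupId>
  <artifactId>cas-server-support-ldap</artifactId>
  <version>${cas.version}</version>
</dependency>
```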
You need to decide how CAS should authenticate the credentials. Should it simply attempt to bind to the LDAP server as the user, using a DN composed from the username and the supplied password (fast bind)? Or should it first search a subtree for the user's entry and then bind as the DN it found (search then bind)? Fast bind is more efficient, since it needs a single LDAP operation, and more secure, since CAS then needs no stored service-account credentials with which to search the directory; but it is not always possible. Both approaches are explained in detail later in this document.
Both methods require you to configure an LDAP context bean: the configuration CAS uses to reach your directory. It is recommended to define this as a separate top-level bean and reference it from the AuthenticationHandler configuration, as explained in the instructions on this page.
FastBindLdapAuthenticationHandler
Use this handler when a user DN can be composed directly from the username, e.g. uid=%u,ou=people,dc=vt,dc=edu, where %u is replaced with the username provided on the CAS login form.
The FastBindLdapAuthenticationHandler supports the following properties:
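The following bean definitions are an added example of wiring this handler in deployerConfigContext.xml, not configuration taken from the page or from the CAS project. They assume a ContextSource bean with id contextSource is defined elsewhere in the same file, that the Spring p: namespace (xmlns:p="http://www.springframework.org/schema/p") is declared on the root element, and that the httpClient bean id from the stock CAS web application is available; the DN components are placeholders.

```xml
<!-- Added example, not the page's own configuration. -->
<bean id="ldapAuthHandler"
      class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler"
      p:contextSource-ref="contextSource">
  <!-- %u is replaced with the username from the login form and the resulting DN
       is bound directly with the submitted password. No search is performed, so
       the context source needs no service-account userDn/password for this handler. -->
  <property name="filter" value="uid=%u,ou=people,dc=example,dc=org" />
</bean>

<!-- Reference the handler from the authenticationManager. The stock entry here,
     SimpleTestUsernamePasswordAuthenticationHandler, accepts any login whose password
     equals the username and must be removed, not merely supplemented. -->
<bean id="authenticationManager"
      class="org.jasig.cas.authentication.AuthenticationManagerImpl">
  <property name="credentialsToPrincipalResolvers">
    <list>
      <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
      <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
    </list>
  </property>
  <property name="authenticationHandlers">
    <list>
      <!-- Validates proxy callback URLs; keep it if you use CAS proxy tickets. -->
      <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
            p:httpClient-ref="httpClient" />
      <ref bean="ldapAuthHandler" />
    </list>
  </property>
</bean>
```

Check the result by attempting a login with a username that exists but a wrong password, and with a username that does not exist: both must fail, and the CAS log should show the bind attempt against the composed DN rather than a fallback to another handler.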
BindLdapAuthenticationHandler
This component performs a typical two-phase LDAP authentication process: first it searches the directory, using the configured filter and search base, for the entry whose DN matches the submitted username; then it binds as that DN with the submitted password.
Use this handler when the DN cannot be composed directly from the username, for example when the directory uid is an opaque identifier distinct from a memorable username, or when the common sense of username is based on an alternative attribute such as mail (email address). Since two LDAP operations are performed for every authentication, this method is inherently less efficient than FastBindLdapAuthenticationHandler and should be used only when required.
The BindLdapAuthenticationHandler supports the following properties:
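As an added example (not the page's own configuration), the bean below configures the search-then-bind handler for a directory where users log in with their mail attribute. It assumes two ContextSource beans defined elsewhere in deployerConfigContext.xml: contextSource, an unpooled source used for the bind-as-user phase, and pooledContextSource, a pooled source used only for the search phase; the p: namespace and the DN components are assumptions as well. Register the handler in the authenticationManager's authenticationHandlers list exactly as for the fast-bind handler.

```xml
<!-- Added example, not the page's own configuration. -->
<bean id="ldapAuthHandler"
      class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
      p:contextSource-ref="contextSource"
      p:searchContextSource-ref="pooledContextSource">
  <!-- Phase 1 (search): %u is replaced with the submitted username and the filter
       is evaluated under searchBase. Keep it a single equality test on the one
       attribute users actually log in with; the directory uid can stay opaque. -->
  <property name="filter" value="mail=%u" />
  <property name="searchBase" value="ou=people,dc=example,dc=org" />
  <!-- javax.naming.directory.SearchControls scope: 0 = OBJECT, 1 = ONELEVEL, 2 = SUBTREE. -->
  <property name="scope" value="2" />
  <!-- Search timeout in milliseconds, so a slow node cannot pin a login thread. -->
  <property name="timeout" value="3000" />
  <!-- Phase 2 (bind) runs against the single DN the search returned. With
       allowMultipleAccounts=false (the default) a search that matches more than
       one entry rejects the login instead of trying the password against each
       match; leave it false unless the login attribute is enforced unique. -->
  <property name="allowMultipleAccounts" value="false" />
</bean>
```

The search phase runs with the service account configured on the context source, so that account needs read access to the search base and the login attribute, and nothing more. The user bind must not go through the pooled source: a pooled connection is already authenticated as the service account, and rebinding it as an end user would change the identity of a connection that is later handed to another request.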
Note that all configuration should happen in cas-server-webapp/src/main/webapp/WEB-INF/deployerConfigContext.xml
Define a ContextSource
BindLdapAuthenticationHandler and FastBindLdapAuthenticationHandler require a Spring ContextSource to provide an LDAP connection on which to perform authentication operations.
The use of PoolingContextSource is strongly recommended where it is supported (see below). This component uses commons-pool object pooling and has performance characteristics suitable for HA environments. This is in stark contrast to the JNDI pooling feature enabled by com.sun.jndi.ldap.connect.pool=true, whose strategy incurs unacceptable latency when an LDAP node fails.
Connection pooling is supported for BindLdapAuthenticationHandler as of CAS 3.4.9. The searchContextSource property of BindLdapAuthenticationHandler may reference a ContextSource other than the one used for binds, and is the ideal place to apply LDAP connection pooling: the search phase always runs as the same service account, so its connections can be reused, whereas the bind phase authenticates as a different user on every request.
The following property values should serve as a reasonable starting point for pool tuning. They could simply be put into your cas.properties file alongside other property values.
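The pool-tuning values and the context source definitions themselves are not on this copy of the page, so the following is an added example rather than the page's or the project's own configuration. It defines an unpooled LdapContextSource for the user bind and a commons-pool-backed PoolingContextSource on top of it for searches; the host names, the service-account DN, the ldap.pool.* and ldap.manager.password property names, and the numeric starting values are all assumptions, and the ldaps:// URLs assume the directory's CA certificate is in the JVM trust store.

```xml
<!-- Added example, not the page's own configuration. -->

<!-- Unpooled source for the bind-as-user phase (the handlers' contextSource property).
     pooled=false keeps LdapContextSource from turning on JNDI's own connection pool
     (com.sun.jndi.ldap.connect.pool), which this page advises against.
     The service account is used only by the search phase; FastBind alone does not need it. -->
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
  <property name="pooled" value="false" />
  <property name="urls">
    <list>
      <value>ldaps://ldap1.example.org/</value>
      <value>ldaps://ldap2.example.org/</value>
    </list>
  </property>
  <property name="userDn" value="cn=cas,ou=services,dc=example,dc=org" />
  <property name="password" value="${ldap.manager.password}" />
  <property name="baseEnvironmentProperties">
    <map>
      <!-- Fail fast on a dead node instead of hanging the login thread. -->
      <entry key="com.sun.jndi.ldap.connect.timeout" value="3000" />
      <entry key="com.sun.jndi.ldap.read.timeout" value="3000" />
      <entry key="java.naming.security.authentication" value="simple" />
    </map>
  </property>
</bean>

<!-- Pooled source for the search phase only (BindLdapAuthenticationHandler.searchContextSource).
     Every connection it hands out is already bound as the service account. -->
<bean id="pooledContextSource" class="org.springframework.ldap.pool.factory.PoolingContextSource"
      p:contextSource-ref="contextSource"
      p:dirContextValidator-ref="dirContextValidator"
      p:minIdle="${ldap.pool.minIdle}"
      p:maxIdle="${ldap.pool.maxIdle}"
      p:maxActive="${ldap.pool.maxSize}"
      p:maxWait="${ldap.pool.maxWait}"
      p:timeBetweenEvictionRunsMillis="${ldap.pool.evictionPeriod}"
      p:minEvictableIdleTimeMillis="${ldap.pool.idleTime}"
      p:testOnBorrow="${ldap.pool.testOnBorrow}"
      p:testWhileIdle="${ldap.pool.testWhileIdle}" />

<!-- Checks idle (and, if testOnBorrow=true, borrowed) connections with a lightweight
     search so that connections to a failed node are evicted instead of reused. -->
<bean id="dirContextValidator" class="org.springframework.ldap.pool.validation.DefaultDirContextValidator" />

<!-- Assumed starting values for cas.properties (property names are this example's, not CAS's):
     ldap.pool.minIdle=3
     ldap.pool.maxIdle=5
     ldap.pool.maxSize=10
     ldap.pool.maxWait=10000
     ldap.pool.evictionPeriod=600000
     ldap.pool.idleTime=1200000
     ldap.pool.testOnBorrow=false
     ldap.pool.testWhileIdle=true -->
```

testWhileIdle=true with a ten-minute eviction period catches dead connections in the background without adding a validation round trip to every login; switch testOnBorrow on only if you can afford that extra search per authentication. Keep ldap.manager.password out of version control: the overlay's cas.properties is the usual place, with file permissions restricted to the servlet container's user.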
There are cases where it is necessary to pull additional LDAP attributes (e.g. "mail") into the CAS principal (i.e. the user object). Please see Attributes for more on this.