Skip to end of metadata
Go to start of metadata
Table of Contents

This HOWTO describes how to set up CAS to authenticate to LDAP using the GSSAPI mechanism with a Kerberos 5 backend.

Environment: 

Server: Fedora Core 6 + CAS 3.1 + Tomcat 5.5.20 + OpenLDAP 2.3.30 + Cyrus SASL 2.1.22 + Kerboeros 1.5-23

Client: Fedora Core 6 + Firefox 2

      Windows XP + IE6 SP2

Config DNS:

To make SSL and Kerberos work, I have to config DNS at the very beginning.

1. Edit /etc/named.conf, add langhua zone:

/etc/named.conf

2. Create /var/named/named.langhua

/var/named/named.langhua

3. Create /var/name/192.168.1.db

/var/name/192.168.1.db

4. nslookup auth.langhua

Server: 192.168.1.110
Address: 192.168.1.110#53

Name: auth.langhua
Address: 192.168.1.110

5. dig -x 192.168.1.110

; <<>> DiG 9.3.4-P1 <<>> -x 192.168.1.110
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3829
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;110.1.168.192.in-addr.arpa. IN PTR

;; ANSWER SECTION:
110.1.168.192.in-addr.arpa. 3600 IN PTR auth.langhua.

;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 3600 IN NS localhost.

;; ADDITIONAL SECTION:
localhost. 86400 IN A 127.0.0.1
localhost. 86400 IN AAAA ::1

;; Query time: 1 msec
;; SERVER: 192.168.1.110#53(192.168.1.110)
;; WHEN: Thu Nov 29 04:53:02 2007
;; MSG SIZE rcvd: 137

Config Kerberos:

1. Config /etc/krb5.conf

/etc/krb5.conf

2. kdb5_util create -s

3. Add users to Kerberos

kadmin.local -q "addprinc krbadm@AUTH.LANGHUA"
kadmin.local -q "addprinc ldapadm@AUTH.LANGHUA"
kadmin.local -q "addprinc host/auth.langhua@AUTH.LANGHUA"
kadmin.local -q "addprinc ldap/auth.langhua@AUTH.LANGHUA"

If you face this error in this step, delete the files under /var/kerberos/krb5kdc/ and redo the above step 2 and 3:
kadmin.local: Cannot find/read stored master key while initializing kadmin.local interface

4. Edit /var/kerberos/krb5kdc/kdc.conf

This file is configed in /etc/krb5.conf.

/var/kerberos/krb5kdc/kdc.conf

5. Edit /var/kerberos/krb5kdc/kadm5.acl

This file is configed in /var/kerberos/krb5kdc/kdc.conf.

/var/kerberos/krb5kdc/kadm5.acl

6. Config /var/kerberos/krb5kdc/kadm5.keytab

This file is configed in /var/kerberos/krb5kdc/kdc.conf.
kadmin.local -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin"
kadmin.local -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw"

7. Edit /etc/krb.realms

/etc/krb.realms

8. Edit /etc/krb.conf

/etc/krb.conf

9. Start Kerberos

/etc/init.d/kadmin start
/etc/init.d/krb5kdc start

Test Kerberos

1. kadmin.local -q "ktadd -k /etc/krb5.keytab host/auth.langhua"

2. kinit -k host/auth.langhua

If the error "kinit(v5): Password incorrect while getting initial credentials" found, delete /etc/krb5.keytab, and redo step 1 and 2.

3. klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/auth.langhua@AUTH.LANGHUA

Valid starting Expires Service principal
11/29/07 02:44:44 11/30/07 02:44:44 krbtgt/AUTH.LANGHUA@AUTH.LANGHUA

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

4. Make sure kvno numbers are the same

4.1 kvno host/auth.langhua

host/auth.langhua@AUTH.LANGHUA: kvno = 5

4.2 klist -k /etc/krb5.keytab

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
--- -------------------------------------------------------------------
5 host/auth.langhua@AUTH.LANGHUA
5 host/auth.langhua@AUTH.LANGHUA

If the numbers are not same, redo step 1, 2, 3.

5. Test ktelnetd, krlogind, krshd

5.1 Edit ~/.k5login

host/auth.langhua@AUTH.LANGHUA

5.2 Start xinetd

chkconfig klogin on
chkconfig kshell on
chkconfig eklogin on
chkconfig krb5-telnet on
/etc/init.d/xinetd restart

5.3 krlogin auth.langhua -k AUTH.LANGHUA

This rlogin session is encrypting all data transmissions.
Last login: Thu Nov 29 04:46:08 from auth.langhua
You have new mail.

5.4 telnet -x 192.168.1.110 -k AUTH.LANGHUA

Trying 192.168.1.110...
Connected to auth.langhua (192.168.1.110).
Escape character is '^]'.
Waiting for encryption to be negotiated...
[ Kerberos V5 accepts you as ``host/auth.langhua@AUTH.LANGHUA'' ]
done.
Last login: Thu Nov 29 04:46:23 from auth.langhua
You have new mail.

5.5 rsh 192.168.1.110 -k AUTH.LANGHUA

Last login: Thu Nov 29 04:47:00 from auth.langhua
You have new mail.

Kerberos configuration is OK now.

Config Cyrus SASL GSSAPI

1. Add ldap service

 

1.1 kadmin.local -q "addprinc -randkey ldap/auth.langhua@AUTH.LANGHUA"

1.2 check /var/kerberos/krb5kdc/kadm5.acl has ldap service configed

1.3 kadmin.local -q "ktadd -k /etc/krb5.keytab ldap/auth.langhua"

2. Add a test user

2.1 kadmin.local -q "addprinc test@AUTH.LANGHUA"

2.2 kadmin.local -q "ktadd -k /etc/krb5.keytab test"

2.3 Edit ~/.k5login

test@AUTH.LANGHUA

3. Verify GSSAPI works on your system

3.1 sasl2-sample-server -s ldap -m GSSAPI

trying 10, 1, 6
trying 2, 1, 6
bind: Address already in use

3.2 sasl2-sample-client -s ldap -m GSSAPI auth.langhua

Output in terminal

GSSAPI is OK now. 

If the server and client can communicate but cannot authen successfully, perhaps it's caused by the driver of your ethernet card.

Config OpenLDAP GSSAPI

1. ldapsearch -Y GSSAPI -b 'o=langhua,c=cn' '(ou=worldwide)'

SASL/GSSAPI authentication started
SASL username: test@AUTH.LANGHUA
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <o=langhua,c=cn> with scope subtree
# filter: (ou=worldwide)
# requesting: ALL
#

# worldwide, langhua, cn
dn: ou=worldwide,o=langhua,c=cn
objectClass: organizationalUnit
objectClass: top
ou: worldwide

# martin.peschke, worldwide, langhua, cn
dn: uid=martin.peschke,ou=worldwide,o=langhua,c=cn
uid: martin.peschke
ou: worldwide
objectClass: organizationalPerson
objectClass: uidObject
objectClass: person
objectClass: top
sn: Martin Peschke
cn: Martin Peschke

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2

2. Edit /etc/slapd.conf

/etc/slapd.conf

3. /etc/init.d/ldap restart

4. Use JXplorer, select GSSAPI to login auth.langhua:389

If successful login, the OpenLDAP configuration is complete.

Config CAS

1. Create /cas-server-support-ldap/src/main/java/org/jasig/cas/adaptors/ldap/BindLdapGssapiAuthenticationHandler.java

/cas-server-support-ldap/src/main/java/org/jasig/cas/adaptors/ldap/BindLdapGssapiAuthenticationHandler.java

2. Create /cas-server-support-ldap/src/main/java/org/jasig/cas/adaptors/ldap/AbstractLdapGssapiAuthenticationHandler.java

/cas-server-support-ldap/src/main/java/org/jasig/cas/adaptors/ldap/AbstractLdapGssapiAuthenticationHandler.java

3. Create /cas-server-support-ldap/src/main/java/org/jasig/cas/adaptors/ldap/util/AuthenticatedLdapGssapiContextSource.java

/cas-server-support-ldap/src/main/java/org/jasig/cas/adaptors/ldap/util/AuthenticatedLdapGssapiContextSource.java

4. Create /cas-server-support-ldap/src/main/java/org/jasig/cas/adaptors/ldap/util/LDAPAction.java

/cas-server-support-ldap/src/main/java/org/jasig/cas/adaptors/ldap/util/LDAPAction.java

5. build and deploy CAS 3.1

6. Create $CAS/WEB-INF/gssapi.conf

$CAS/WEB-INF/gssapi.conf

7. Edit $CAS/WEB-INF/deployerConfigContext.xml

$CAS/WEB-INF/deployerConfigContext.xml

8. restart tomcat

9. kadmin.local -q "cpw -pw 111111 test"

Make CAS use password to authorize test.

Visit https://auth.langhua:8443/cas/

In client, use IE6 or firefox to visit https://auth.langhua:8443/cas/
username: test or test@AUTH.LANGHUA
password: 111111

Here is a picture to show the login process.
 
Good Luck!

Shi Yusen/Beijing Langhua Ltd.
http://www.langhua.cn/

  • No labels