Liferay Portal

Welcome to the world of Liferay Portal, the best of breed in open source. The more you discover about it, the more interesting it becomes... so let's explore Liferay with Mayank.

Monday, February 8, 2010

Liferay OpenDS and CAS Integration

Integrating OpenDS and CAS in Liferay

I am using Liferay 5.2.3, OpenDS 2.2.0 and CAS (http://www.jasig.org/cas).


OpenDS LDAP

1) OpenDS (http://www.opends.org/). I am going with a minimal LDAP configuration.

Steps to Follow:

1) Install plain OpenDS from http://www.opends.org/, without the default configuration.

During installation I changed the default port from 389 to 10389.

a) Provide the hostname [PC name]: abc

b) Create an admin user, say cn=admin,ou=system, with password changeit.

c) Create a base DN entry: dc=company,dc=com

d) Create an ou=people entry under this base DN and add the user entries under it.

e) Connect to OpenDS with the JXplorer LDAP browser (http://jxplorer.org/) and you can see those entries.

For connecting via JXplorer use:

Host: abc, Port: 10389
Protocol: LDAP V3
Base DN: dc=company,dc=com
Level: user + password
User DN: cn=admin,ou=system
Password: changeit

You should see the base DN, the ou=people entry and the users beneath it in the JXplorer tree (the screenshot is not reproduced here).

Now we are done with the LDAP setup.

Liferay + LDAP

2) Install the Liferay Tomcat bundle downloaded from http://www.liferay.com/ (I am using Liferay 5.2.3).

a) Extract the bundle to some directory, say d:\ on Windows.

b) Start Liferay (TOMCAT_HOME/bin/start) from the above bundle.

c) Go to the Liferay Control Panel (log in as the default admin user bruno and choose "Control Panel" from the drop-down menu).

d) In the Control Panel go to Portal -> Settings -> Authentication -> LDAP.
Here provide the details as:

Enabled: checked
Base Provider URL: ldap://abc:10389/
Base DN: dc=company,dc=com
Principal: cn=admin,ou=system
Credentials: changeit

Now test the LDAP connection using the "Test LDAP Connection" button. It should report success.
Under the Users section provide the details as:

Authentication Search Filter: (mail=@email_address@)
Import Search Filter: (objectClass=inetOrgPerson)
Screen Name: cn
Password: userPassword
Email Address: mail
First Name: givenName
Last Name: sn
Job Title: title
Group: groupMembership

After this, click "Test LDAP Users"; you should see the users we created during the LDAP setup.

Under the Import/Export section, check Import Enabled and Export Enabled and set:
User DN: ou=people,dc=company,dc=com
Leave the rest at their defaults.

Save the settings and you are good to go. You can test by logging in to Liferay as one of the users in LDAP :)
Now we will proceed with the CAS integration on top of the settings we have done so far.


3) CAS Integration:

a) Download CAS: cas-server-3.3.5-release from http://www.jasig.org/cas. Unzip it and you will find cas-server-webapp-3.3.5.war in the modules folder.
b) Prepare a fresh Tomcat installation, say on port 8081, because Liferay will be running on 8080.
c) For this, open server.xml in the freshly installed Tomcat and change port 8080 to 8081.
d) Un-comment the following section to enable HTTPS:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />
e) Rename cas-server-webapp-3.3.5.war to cas-web.war and put it in the webapps folder of the fresh Tomcat installation.
f) Start this Tomcat server.
g) After Tomcat has started, stop it again; you should now see a cas-web folder in the webapps directory.
h) Now go to the cas-web/WEB-INF folder, open deployerConfigContext.xml and make the following entries:
i) Under <property name="authenticationHandlers"> ... <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:httpClient-ref="httpClient" /> ... add:

<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
    <property name="filter" value="cn=%u" />
    <property name="searchBase" value="ou=People,dc=company,dc=com" />
    <property name="contextSource" ref="contextSource" />
</bean>

j) Since we reference contextSource above, we need to add a bean with that id. Add a new bean entry:

<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="urls">
        <list>
            <value>ldap://abc:10389/</value>
        </list>
    </property>
    <property name="userDn" value="cn=admin,ou=system" />
    <property name="password" value="changeit" />
    <property name="baseEnvironmentProperties">
        <map>
            <entry>
                <key>
                    <value>java.naming.security.authentication</value>
                </key>
                <value>simple</value>
            </entry>
        </map>
    </property>
</bean>

k) Save this file.
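Both the Liferay authentication search filter above, (mail=@email_address@), and the CAS bind filter, cn=%u, are templates into which the login name typed by the user is substituted. The following is an added example, not code from this post, Liferay or CAS, showing what that substitution has to do: the value is escaped as RFC 4515 requires, so a login name that happens to contain filter metacharacters is matched literally instead of changing the structure of the search. The sample values (user1, user1@company.com) are constructed; the example makes no claim about how Liferay 5.2.3 or CAS 3.3.5 themselves implement the substitution.

```python
# Added example, not code from the post, Liferay or CAS. It shows what both of
# the post's filter templates must do when the login name is substituted:
# Liferay's "(mail=@email_address@)" and CAS's "cn=%u". The value is escaped as
# RFC 4515 requires, so a login name containing filter metacharacters is
# matched literally instead of changing the structure of the search filter.
from typing import Dict

# RFC 4515 section 3: these characters inside an assertion value must be
# written as a backslash followed by two hex digits.
_RFC4515_ESCAPES: Dict[str, str] = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Templates exactly as they appear in the post's Liferay and CAS configuration.
LIFERAY_AUTH_FILTER = "(mail=@email_address@)"
CAS_BIND_FILTER = "cn=%u"


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for safe inclusion in an LDAP search filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, values: Dict[str, str]) -> str:
    """Replace each placeholder in the template with its escaped value.

    Placeholders are the literal tokens used by the two products, e.g.
    {"@email_address@": "user1@company.com"} or {"%u": "user1"}.
    """
    out = template
    for placeholder, raw in values.items():
        out = out.replace(placeholder, escape_filter_value(raw))
    return out


def liferay_auth_filter(email: str) -> str:
    """Filter for the post's Liferay authentication-by-email setting."""
    return build_filter(LIFERAY_AUTH_FILTER, {"@email_address@": email})


def cas_bind_filter(screen_name: str) -> str:
    """Filter for the post's BindLdapAuthenticationHandler (CAS logs in by cn)."""
    return build_filter(CAS_BIND_FILTER, {"%u": screen_name})


if __name__ == "__main__":
    # Constructed sample values; "user1" is assumed to be a cn under ou=people.
    print(liferay_auth_filter("user1@company.com"))   # (mail=user1@company.com)
    print(cas_bind_filter("user1"))                    # cn=user1
    # A value with metacharacters stays one literal assertion.
    print(cas_bind_filter("user1(*)"))                 # cn=user1\28\2a\29
```

The escaping is done character by character from a single table, so a backslash in the input is escaped once and never re-escaped; that is the property to check for in any substitution code you write or review around these two filters.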

4) Now we will configure Liferay to enable CAS authentication. For this go to Liferay -> Control Panel -> Settings -> Authentication -> CAS.
5) Make the following changes:
Enabled: checked
Import from LDAP: checked
Login URL: https://abc:8443/cas-web/login (assuming CAS is also on abc)
Logout URL: https://abc:8443/cas-web/logout
Server Name: abc:8080 (Liferay is on 8080)
Service URL: http://abc:8080/c/portal/login
Validate URL: https://abc:8443/cas-web/proxyValidate
Save the settings.
Now shut down both Liferay and the CAS Tomcat.
Now we have completed the basic configuration; the only thing missing is the certificate that secures the HTTPS connection over which Liferay talks to CAS. So let's generate a certificate and make it trusted, for things to work like butter :)
Generate the SSL certificate with the Java keytool.
In any directory enter the command:
keytool -genkey -alias tomcat -keypass password -keyalg RSA
Answer the questions (note that your first and last name MUST be the hostname of your server and cannot be an IP address):
Enter keystore password: changeit
What is your first and last name? [Unknown]: abc
What is the name of your organizational unit? [Unknown]: abc
What is the name of your City or Locality? [Unknown]:
What is the name of your State or Province? [Unknown]:
What is the two-letter country code for this unit? [Unknown]:
Is CN=abc, OU=abc, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct? [no]: yes
Then enter the command:
keytool -export -alias tomcat -keypass changeit -file server.cert
This exports the certificate you generated from your personal keystore (the .keystore file in your user directory on Windows) to a file named server.cert.
Finally, import the certificate into the JRE's trust store with this command (changeit is the default password of the cacerts keystore):
keytool -import -alias tomcat -file server.cert -storepass changeit -keystore %JAVA_HOME%/jre/lib/security/cacerts
Note: this certificate import must be done for every JRE involved [the Tomcat JRE running CAS and the JRE running Liferay]. The Liferay bundle probably ships its own JRE, so import the certificate there as well as into the JRE or JDK used by the CAS Tomcat, which should be JAVA_HOME :).

After this... yeah, we are all set.
Start OpenDS, start the CAS Tomcat, start Liferay.
From the home page click "Sign in" in Liferay; you will be redirected to the CAS login screen. Enter the credentials we added in LDAP [Note: CAS authenticates with the user ID, not the email address that Liferay uses], so put the ID we used in LDAP into the CAS login screen along with its password and submit. You should now be redirected to Liferay and be logged in as that user.
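The sign-in round trip just described has a back-channel step the browser never sees: after CAS redirects the user to the Service URL with a ticket parameter, Liferay calls the Validate URL with that ticket and the same service URL, and only logs the user in if CAS answers with a success document. The following is an added example, not code from this post or from Liferay or CAS, that walks through that exchange with the URLs from the Control Panel settings above. The response documents are constructed samples in the shape of the CAS 2.0 protocol (the cas:serviceResponse format is the protocol's, not something shown in the post), and the ticket values and the user name user1 are made up.

```python
# Added example, not code from the post or from Liferay/CAS. It walks through
# the exchange the post describes after "Sign in": CAS sends the browser back
# to the Service URL with ?ticket=..., and Liferay then calls the Validate URL
# with that ticket and the same service URL. The XML responses below are
# constructed samples in the CAS 2.0 protocol format; the ticket values and the
# user name are made up.
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit
import xml.etree.ElementTree as ET

# Values from the post's Control Panel > Authentication > CAS settings.
SERVICE_URL = "http://abc:8080/c/portal/login"
VALIDATE_URL = "https://abc:8443/cas-web/proxyValidate"

# Namespace used by CAS 2.0 protocol responses.
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def extract_service_ticket(redirect_url: str) -> Optional[str]:
    """Take the service ticket out of the URL CAS redirected the browser to.

    Returns None unless exactly one ticket is present and it looks like a
    service ticket (CAS service tickets start with "ST-").
    """
    tickets = parse_qs(urlsplit(redirect_url).query).get("ticket", [])
    if len(tickets) != 1 or not tickets[0].startswith("ST-"):
        return None
    return tickets[0]


def build_validate_request(ticket: str, service_url: str = SERVICE_URL,
                           validate_url: str = VALIDATE_URL) -> str:
    """Compose the back-channel request Liferay makes to CAS.

    The service parameter must be the same URL the ticket was issued for,
    otherwise CAS answers with INVALID_SERVICE; omitting either parameter
    gives INVALID_REQUEST.
    """
    return validate_url + "?" + urlencode({"service": service_url, "ticket": ticket})


def parse_validate_response(xml_text: str) -> Dict[str, str]:
    """Interpret a CAS 2.0 serviceResponse document.

    Returns {"user": ...} on success or {"error": code, "message": ...} on
    failure. Anything else raises, so a malformed reply never counts as a login.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{http://www.yale.edu/tp/cas}serviceResponse":
        raise ValueError("not a CAS serviceResponse document")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
        if not user:
            raise ValueError("authenticationSuccess without a user")
        return {"user": user}
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return {"error": failure.get("code", ""),
                "message": (failure.text or "").strip()}
    raise ValueError("serviceResponse carries neither success nor failure")


# Constructed sample responses, shaped like CAS 2.0 protocol output.
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>user1</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    ticket 'ST-1-expired-cas' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    ticket = extract_service_ticket(SERVICE_URL + "?ticket=ST-1-example-cas")
    print(build_validate_request(ticket))
    print(parse_validate_response(SAMPLE_SUCCESS))
    print(parse_validate_response(SAMPLE_FAILURE))
```

Two of the symptoms reported further down map directly onto this exchange: a response with code INVALID_REQUEST and the message that 'service' and 'ticket' are both required means the validate call was made without one of the two parameters, and the ProxyTicketValidator error listed under the problems below occurs before any XML arrives at all, because the Liferay JVM refuses the HTTPS connection to the Validate URL when it does not trust the CAS certificate.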
Some problems that I faced during the above activity:
1) Exporting to LDAP fails if the user doesn't have a Job Title: provide a jobTitle, it is required by Liferay. So go to the LDAP browser and set a value for title on each user.
2) I had to use passwords as plain text, as passwords exported to LDAP via Liferay are in the form of plain text.
3) CAS uses the username for authentication, while for Liferay it is the screen name. So authentication is by screen name even if we select email as the authentication method in Liferay.
4) Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]: this error comes up whenever the certificates do not match on the two JVMs where CAS and Liferay are running. Just ensure they are correct and in the proper place, and this problem will be resolved.

25 comments:

  1. Hi Mayank,

    Thank you very much for wonderful blog

    Can you explain me more about below point under OpenDS category
    d) Create user entry under ou=people. under this basedn entry
    - Is it while installing OpenDS
    - After we are into JXplorer

    Thanks & Regards,
    - Nagendra Kumar

  2. You can do it post installation too

  3. I did it that way, thanks. With the users I created I am able to log in, BUT again Liferay is showing its login page. How to skip this?

    Help me to resolve above

    Regards,
    - Nagendra Kumar

  4. Hi Mayank,
    Thanks for useful post.
    I have followed the exact same steps. I am running OpenLDAP with CAS (with bean configurations you described).

    Once i try logging in Liferay using a user which does not exist in Liferay but is there in OpenLDAP - it gets me the ticket but again takes me to Liferay login page because it could not export the user from OpenLDAP.

    Here is the server error -
    11:15:21,694 ERROR [CASAutoLogin:113] com.liferay.portal.SystemException: Problem accessign LDAP server Failed to bind to the
    LDAP server
    com.liferay.portal.SystemException: Problem accessign LDAP server Failed to bind to the LDAP server
    at com.liferay.portal.security.auth.CASAutoLogin.addUser(CASAutoLogin.java:180)
    at com.liferay.portal.security.auth.CASAutoLogin.login(CASAutoLogin.java:97)
    at com.liferay.portal.servlet.filters.autologin.AutoLoginFilter.processFilter(AutoLoginFilter.java:208)
    at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:91)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:154)
    at com.liferay.portal.servlet.filters.sso.opensso.OpenSSOFilter.processFilter(OpenSSOFilter.java:73)
    at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:91)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:154)
    at com.liferay.portal.sharepoint.SharepointFilter.processFilter(SharepointFilter.java:193)
    at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:91)

    Can you help please?
    Thanks

  5. @Nagendra - Did you see the login page with the logged-in user? If yes, place a redirect. If no, then there is some problem with importing the profile from LDAP to Liferay.

    @Preeti - The error message clearly says there is a problem in binding with LDAP from Liferay. Please check whether you are able to connect via Liferay to LDAP; if yes, then there should be some other message in the exception chain you pasted. Please send me those too.

  6. Thanks for the steps.

    I have my liferay running on jboss and CAS running on tomcat both are on localhost.

    I access liferay using http://localhost:8080/portal.
    CAS:
    http://localhost:8443/cas-web/login

    and both works .

    When i am trying to configure CAS for liferay using control panel as mentioned in your steps
    i am getting HTTP Status 404 - /c/portal/login exception .

    Kindly help

  7. It does work... I left out something...

    Sorry

  8. The portal first goes to the Liferay login page and then, after clicking on "Sign in", it goes to CAS.

    How can I set it to go to the CAS login?
    Thanks in advance.

  9. This is the way it should be. Since we have not done any setting in CAS to tell it where to redirect after a successful login, Liferay has to send those details for the default landing page and then, when the user is redirected back to Liferay, validate it.

    Refer Steps:

    Import from LDAP: checked
    Login URL: https://abc:8443/cas-web/login (Assuming CAS is also on abc)
    Logout URL: https://abc:8443/cas-web/logout
    server name: abc:8080 (Liferay is on 8080)
    Service URL: http://abc:8080/c/portal/login
    validate URL: https://abc:8443/cas-web/proxyValidate

  10. Thanks for reply.

    I had set this already.

    One more problem i am getting is :
    After login from CAS it gets redirected to http://localhost:8080/c/portal/login?ticket=ST-1-DlrOnbiWInbP175TebF2-cas

    type Status report

    message /c/portal/login

    description The requested resource (/c/portal/login) is not available.

  11. Thanks a lot for the help.
    Finally I got this to work.


    when I click on sign out it shows the cas signout page but when I am opening the portal default page(Same browser session) again it shows me signed in....

    Kindly help

  12. Hello,

    I wrote this document about how to build an architecture with CAS + Liferay + OpenLDAP. Feel free to use it.

    http://www.andaravelasvir.com/blog/default/page/publicaciones

  13. When I run firefox with address https://localhost:8443/cas-web/login

    Message error :

    An error occurred during a connection to localhost:8443.

    SSL received a record that exceeded the maximum permissible length.

    (Error code: ssl_error_rx_record_too_long)


    Can anyone please provide me some inputs on this?

  14. @Kien : Ensure that port 443 is open and enabled on your server. This is the standard port for https communications.

  15. <Connector port="8443" maxHttpHeaderSize="8192"

  16. maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />

  17. Mayank .

    When I start server error

    Protocol handler initialization failed: java.io.IOException: Cannot recover key

    Help me to resolve above

    Thanks

  18. 'service' and 'ticket' parameters are both required

    When I log in successfully with an LDAP account, CAS redirects me to this page with the above error.

    https://localhost:8443/cas-server-webapp-3.4.8/proxyValidate?ticket=ST-6-dFeRY5CeHwKQyyd2A6UR-cas

  19. Thank you very much, it works for me.

    Liferay 6.0.6

    Sincerely
    Abhinav Ladani.

  20. This comment has been removed by the author.

  21. This comment has been removed by the author.

  22. Hi,

    I am new to Liferay. I have HTML, CSS, image & JS files outside, so I uploaded all these files to the Document & Media Library. Everything is OK, but my problem is that it is asking for a username & password for the guest role also (I gave view permission to guest & created the pages as public only).

    Please help me

    Regards,
    Ram

  23. Dear All, if you want to learn another example of IPC based on the event phase of a portlet, then
    check this link, it may be helpful
    http://www.attuneinfocom.com/how-create-ipc-portlet-liferay-611-ga2-0

  24. Good for me and my blogs

    www.liferay4you.blogspot.com
    www.alljobsu.blogspot.com
