Integrating OpenDS and CAS in Liferay
I am using Liferay 5.2.3, OpenDS 2.2.0 and CAS (http://www.jasig.org/cas).
OpenDS LDAP
1) OpenDS (http://www.opends.org/). I am going with a minimal LDAP configuration.
Steps to Follow:
1) Install plain OpenDS from http://www.opends.org/, without the default configuration.
During installation I changed the default port from 389 to 10389.
a) Provide the hostname [PC name]: abc
b) Create an admin account, say cn=admin,ou=system, with password changeit.
c) Create a base DN entry: dc=company,dc=com
d) Create user entries under ou=people, beneath this base DN entry.
e) Connect to OpenDS with the JXplorer LDAP browser (http://jxplorer.org/) and you will see those entries.
To connect via JXplorer use:
Host: abc, port: 10389
Protocol: LDAP v3
BaseDN: dc=company,dc=com
Level: user + password
userDn: cn=admin,ou=system
password: changeit
You should see something like:
The LDAP setup is now complete.
Liferay + LDAP
2) Install the Liferay Tomcat bundle downloaded from http://www.liferay.com/ (I am using Liferay 5.2.3).
a) Extract the bundle to some directory, say d:\ on Windows.
b) Start Liferay (TOMCAT_HOME/bin/startup) from the above bundle.
c) Go to the Liferay Control Panel (log in as the default admin user, Bruno, and choose "Control Panel" from the drop-down menu).
d) In the Control Panel go to Portal -> Settings -> Authentication -> LDAP.
Provide the details as:
Enabled: checked
Base provider URL: ldap://abc:10389/
Base DN: dc=company,dc=com
Principal: cn=admin,ou=system
Credentials: changeit
Now test the LDAP connection with the "Test LDAP Connection" button. It should report success.
Under the Users section provide the details as:
Authentication Search Filter: (mail=@email_address@)
Import Search Filter: (objectClass=inetOrgPerson)
Screen Name: cn
Password: userPassword
Email Address: mail
First Name: givenName
Last Name: sn
Job Title: title
Group: groupMembership
After this click "Test LDAP Users"; you should see the users created during the LDAP setup.
Under the Import/Export section: check Import Enabled and Export Enabled.
User DN: ou=people,dc=company,dc=com
Leave the remaining details at their defaults.
Save the settings and you are set to go. You can test by logging into Liferay as one of the users in LDAP :)
Now we proceed with the CAS integration on top of the settings done so far.
3) CAS Integration:
a) Download CAS: cas-server-3.3.5-release from http://www.jasig.org/cas. Unzip it and you will find cas-server-webapp-3.3.5.war in the modules folder.
b) Prepare a fresh Tomcat installation, say on port 8081, because Liferay will be running on 8080.
a) For this, open server.xml in the freshly installed Tomcat and change port 8080 to 8081.
b) Un-comment the following section to enable HTTPS:
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
c) Rename cas-server-webapp-3.3.5.war to cas-web.war and put it in the webapps folder of the fresh Tomcat installation.
d) Start this Tomcat server.
e) Once Tomcat has started, stop it again; you should now see a cas-web folder in the webapps directory.
f) Now go to the cas-web/WEB-INF folder, open deployerConfigContext.xml and make the following entries:
g) Inside <property name="authenticationHandlers">, after the existing
    <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:httpClient-ref="httpClient" />
add:
    <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
        <property name="filter" value="cn=%u" />
        <property name="searchBase" value="ou=People,dc=company,dc=com" />
        <property name="contextSource" ref="contextSource" />
    </bean>
h) Since the handler above references contextSource, add a bean with that id:
    <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
        <property name="urls">
            <list>
                <value>ldap://abc:10389/</value>
            </list>
        </property>
        <property name="userDn" value="cn=admin,ou=system" />
        <property name="password" value="changeit" />
        <property name="baseEnvironmentProperties">
            <map>
                <entry>
                    <key><value>java.naming.security.authentication</value></key>
                    <value>simple</value>
                </entry>
            </map>
        </property>
    </bean>
i) Save this file.
j) Now configure Liferay to enable CAS authentication. Go to Liferay -> Control Panel -> Settings -> Authentication -> CAS.
k) Make the following changes:
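As an added illustration (not code from the original post or from CAS), here is the search-then-bind logic that the BindLdapAuthenticationHandler bean above performs, modelled in Python over a constructed in-memory directory: the filter template cn=%u is expanded with the username escaped per RFC 4515, exactly one entry must match under the search base, and only then is the password checked against that entry. DIRECTORY, its sample users and the helper names are assumptions of this example.

```python
import re

# Constructed in-memory stand-in for the OpenDS entries created under
# ou=people,dc=company,dc=com (sample data, not real users).
DIRECTORY = {
    "cn=jdoe,ou=people,dc=company,dc=com": {
        "cn": "jdoe", "mail": "jdoe@company.com", "userPassword": "secret1",
    },
    "cn=asmith,ou=people,dc=company,dc=com": {
        "cn": "asmith", "mail": "asmith@company.com", "userPassword": "secret2",
    },
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into an LDAP search filter."""
    out = []
    for ch in value:
        if ch in "*()\\\0":
            out.append("\\%02x" % ord(ch))  # e.g. ')' becomes \29
        else:
            out.append(ch)
    return "".join(out)

def build_filter(template: str, username: str) -> str:
    """Expand the CAS filter template (here 'cn=%u') into a complete filter."""
    return "(" + template.replace("%u", escape_filter_value(username)) + ")"

def search(search_base: str, ldap_filter: str):
    """Minimal evaluator for one '(attr=value)' equality filter over DIRECTORY."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("only simple equality filters are modelled here")
    attr, raw = m.group(1), m.group(2)
    # Undo \XX escapes so the comparison is against the literal value.
    wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), raw)
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith("," + search_base.lower())
            and attrs.get(attr) == wanted]

def authenticate(username: str, password: str,
                 template="cn=%u", search_base="ou=People,dc=company,dc=com") -> bool:
    """Search-then-bind: find exactly one entry, then bind with its password."""
    hits = search(search_base, build_filter(template, username))
    if len(hits) != 1:
        return False
    # In-memory stand-in for the LDAP bind; OpenDS would compare userPassword.
    return DIRECTORY[hits[0]]["userPassword"] == password
```

Because the template matches on cn (the screen name), an email address never matches an entry, which is the behaviour noted in the problems section.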
Enabled: checked
Import from LDAP: checked
Login URL: https://abc:8443/cas-web/login (assuming CAS also runs on abc)
Logout URL: https://abc:8443/cas-web/logout
Server name: abc:8080 (Liferay is on 8080)
Service URL: http://abc:8080/c/portal/login
Validate URL: https://abc:8443/cas-web/proxyValidate
Save the settings.
Now shut down both Liferay and the CAS Tomcat.
The basic configuration is now complete; the only thing missing is the SSL certificate for the CAS server, which the JVMs involved must trust for ticket validation to work. So let's generate a certificate and make it trusted so things work like butter :)
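An added example, not from the original post or from Liferay's CAS client: the ticket-validation exchange that the Service URL and Validate URL settings above drive, in Python. After CAS redirects the browser back with a ticket, Liferay sends that ticket and its service URL to /proxyValidate over HTTPS (which is why the CAS certificate must be trusted) and interprets the CAS 2.0 XML reply. The ticket value and both sample responses are constructed.

```python
from urllib.parse import urlencode, urlsplit
import xml.etree.ElementTree as ET

# Values from the Liferay CAS settings above.
SERVICE_URL = "http://abc:8080/c/portal/login"
VALIDATE_URL = "https://abc:8443/cas-web/proxyValidate"
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

def build_validate_request(validate_url: str, service: str, ticket: str) -> str:
    """URL Liferay requests to validate the ticket CAS appended to the service URL."""
    if urlsplit(validate_url).scheme != "https":
        # The reply carries the authenticated identity; never fetch it over plain HTTP.
        raise ValueError("validate URL must be https")
    # The service must be exactly the one the ticket was issued for.
    return validate_url + "?" + urlencode({"service": service, "ticket": ticket})

def parse_validate_response(body: str) -> dict:
    """Interpret the CAS 2.0 serviceResponse returned by /proxyValidate."""
    root = ET.fromstring(body)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is not None:
        user = ok.findtext("cas:user", default="", namespaces=CAS_NS).strip()
        if not user:
            raise ValueError("authenticationSuccess without cas:user")
        return {"ok": True, "user": user}
    fail = root.find("cas:authenticationFailure", CAS_NS)
    if fail is not None:
        return {"ok": False, "code": fail.get("code", "UNKNOWN"),
                "message": (fail.text or "").strip()}
    raise ValueError("not a CAS 2.0 serviceResponse")

# Constructed sample responses (not captured from a real CAS server).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_SERVICE'>
    ticket 'ST-1-sample' does not match supplied service
  </cas:authenticationFailure>
</cas:serviceResponse>"""
```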
Generate the SSL certificate with the Java keytool. In any directory enter the command:
keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
(The key password must equal the keystore password, changeit, because the Connector above sets neither keystorePass nor keyPass and Tomcat then uses changeit for both.)
Answer the questions (note that your first and last name MUST be the hostname of your server and cannot be an IP address):
Enter keystore password: changeit
What is your first and last name? [Unknown]: abc
What is the name of your organizational unit? [Unknown]: abc
What is the name of your City or Locality? [Unknown]:
What is the name of your State or Province? [Unknown]:
What is the two-letter country code for this unit? [Unknown]:
Is CN=abc, OU=abc, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct? [no]: yes
Then enter the command:
keytool -export -alias tomcat -keypass changeit -file server.cert
This exports the certificate you generated from your personal keystore (the .keystore file in your home directory on Windows) to a file named server.cert.
Finally import the certificate into the Java trust store (cacerts, whose default password is changeit) with this command:
keytool -import -alias tomcat -file server.cert -storepass changeit -keystore %JAVA_HOME%/jre/lib/security/cacerts
Note: the certificate must be imported into every JRE involved [the Tomcat JRE running CAS and the JRE running Liferay]. The Liferay bundle probably ships its own JRE, so import the certificate there as well as into the JRE/JDK used by the CAS Tomcat (its JAVA_HOME) :).
After this we are all set.
Start OpenDS, start the CAS Tomcat, start Liferay.
From the Liferay home page click "Sign in"; you will be redirected to the CAS login screen. Enter the credentials we added in LDAP [note: CAS authenticates with the user ID, not the email address as Liferay does], so put the ID used in LDAP into the CAS login screen along with its password and submit. You should be redirected back to Liferay and be logged in as that user.
Some problems I faced during the above:
1) Exporting to LDAP fails if the user doesn't have a Job Title. Provide a jobTitle; it is required by Liferay, so go to the LDAP browser and give each user a value for title.
2) I had to use plain-text passwords, as the passwords Liferay exports to LDAP are in plain text.
3) CAS uses the username for authentication, and for Liferay that is the screen name, so authentication is by screen name even if we select email as the authentication method in Liferay.
4) Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]: this error comes up whenever the certificates do not match on the two JVMs where CAS and Liferay are running. Ensure they are correct and in the proper place and the problem will be resolved.