Integrating OpenDS and CAS in Liferay
I am using Liferay 5.2.3, openDs-2.2.0 and CAS (http://www.jasig.org/cas)
OpenDS LDAP
1) Open DS (http://www.opends.org/) . I am going with minimal configuration for LDAP.
Steps to Follow:
1) Install plain open DS from http://www.opends.org/, without default configuration.
While installation I changed the default port form 389 to 10389.
a) provided hostname [PC name]:abc
b) Create Admin as say: cn=admin,ou=system with password changeit.
c) create a Base DN entry as: dc=company,dc=com
d) Create user entry under ou=people. under this basedn entry.
e) Connect OpenDS via JExplorer LDAP Browser ( http://jxplorer.org/) and you can see those entries as.:
For connecting via JExplorer use:
Host: abc , port:10389
protocal: LDAP V3
BaseDN: dc=company,dc=com
Level: user + password
userDn: cn=admin,ou=system
password: changeit
You should see something like:
Now we are done with LDAP Setting successfully.
Liferay + LDAP
2) Install Liferay Tomcat Bundle downloaded from http://www.liferay.com/ (I am using liferay 5.2.3).
a) Open up the bundle extract it to some directory say: d:\ in windows.
b) Start liferay (TOMCAT_HOME/bin/start) of the above bundle.
c) Go to control panel of Liferay: (Login as bruno admin and under drop down menu "control panel")
d) In control Panel Go to Portal->Settings->Authentication->LDAP.
Here provide the details as:
Enabled :Check
Base provider URL: ldap://abc:10398/
BaseDN: dc=company,dc=com
Principal: cn=admin,ou=system
credentails=chageit[Photo]
Now test the LDAP connection using "Test LDAP Connection" button. It should give you successful result.
Under users section provide details as:
Authentication Search Filter:(mail=@email_address@)
Import Search Filter (objectClass=inetOrgPerson)
Screen Name: cn
Password: userPassword
EmailAddress:mail
FirstName: givenName
LastName: sn
JobTitle: title
Group: groupMembership
After this Click on "Test LDAP Users" You should see the users we created while LDAP setup.
Here under import /export section: check import Enabled, export Eanbled.
userDn: ou=people,dc=company,dc=com
Leave rest details as default.
Save the details and you are set to go.You can test via logging form user;s in LDAP in Liferay :)....
Now we will proceed with Integration of CAS over these settings which we have done till now.
3) CAS Integration:
a) Download CAS : cas-server-3.3.5-release from http://www.jasig.org/cas. Explode the Zip file and you will find cas-server-webapp-3.3.5.war in modules folder.
b) Prepare a fresh installtion of tomcat say at port : 8081 because liferay will be running on 8080.
a) For this open the server.xml file in fresh insalled tomcat and chnage port 8080 to 8081.
b)Un-comment the following section to enable https. <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />
c)Rename the cas-server-webapp-3.3.5.war as cas-web.war and put it in webapps folder of the fresh tomcat installation.
d)Start this tomcat server.
e) After starting the tomcat. Stop the tomcat server, you should see cas-web folder now in webapps directory.
f) Now go to cas-web/web-inf folder open deployerConfigContext.xml and provide following enteries:
g) Under : <property name="authenticationHandlers"> ....<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:httpClient-ref="httpClient" />......add
<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"> <property name="filter" value="cn=%u" /> <property name="searchBase" value="ou=People,dc=company,dc=com" /> <property name="contextSource" ref="contextSource" /> </bean>
h). Since we are creating a reference to contextSource above, so we need to add a bean with that reference. Add a new bean entry as: <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource"> <property name="urls"> <list> <value>ldap://abc:10389/</value> </list> </property> <property name="userDn" value="cn=admin,ou=system"/> <property name="password" value="changeit"/> <property name="baseEnvironmentProperties"> <map> <entry> <key> <value>java.naming.security.authentication</value> </key> <value>simple</value> </entry> </map> </property></bean>
3) save ths file.
4) Now we will configure Liferay to enable CAS authentication. For this goto Liferay -> control panel >Settings->Authentication->CAS
5) Do the following changes:
Enabled: checked
Import from LDAP: checked
Login URL: https://abc:8443/cas-web/login (Assuming CAS is also on abc)
Logout URL: https://abc:8443/cas-web/logout
server name: abc:8080 (Liferay is on 8080)
Service URL: http://abc:8080/c/portal/login
validate URL: https://abc:8443/cas-web/proxyValidate
save the settings.
Now shutdown Liferay and Tomcat (CAS one) both.
Now we have completed our basic conficuration, the only thing missing is the certificate by which authentication will be done via CAS. So let's generate certificated and make it trusted for things to work like butter :)
Generate the SSL cert with Java keytool ;
In any directory enter the command :
keytool -genkey -alias tomcat -keypass password -keyalg RSA
Answers the Q's (note that your firstname and lastname MUST be hostname of your server and cannot be a IP address)
Enter keystore password: changeit
What is your first and last name? [Unknown]: abc
What is the name of your organizational unit? [Unknown]: abc
What is the name of your City or Locality? [Unknown]:
What is the name of your State or Province? [Unknown]:
What is the two-letter country code for this unit? [Unknown]: Is CN=abc, OU=abc, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct? [no]: yes
Then Enter command:
keytool -export -alias tomcat -keypass changeit -file server.cert
This command exports the cert you generated from your personal keystore (In windows .keystore file) . To save the certificate on file named server.cert
Finally import the cert into Java's keystore with this command.
keytool -import -alias tomcat -file server.cert keypass changeit -keystore %JAVA_HOME%/jre/lib/security/cacerts
Note: This import of certificate should be done for all the JRE's [The tomcat JRE for CAS and the JRE for Liferay], probably the liferay bundle would be having its own JRE, so import the certificate there as well as in the Tomcat installation JRE or JDK , should be Java_home :).
After this....Yeah we are all set.......
Start OpenDS, Start CAS Tomcat, Start Liferay.
Form home click "sign in" in liferay, you will be redirected to CAS login screen. Enter the credentials which we added in LDAP [Note: CAS authenticates with userId not email which liferay does], so put Id we used in LDAP into CAS login screen with password, put password and submit. You should now be redirected to Liferay and logged in with Signed in User.
Some Problems that I faced during above activity:
1) Exporting to LDAP fails if the user doesn't have a Job Title: Well provide jobTitle...Its required by Liferay. so go to LDAP browser and for each user provide value for title.
2) I have to use Passwords as plain text as passwords are exported to LDAP via Liferay is in form of Plain Text.
3) CAS uses username for authentication and for liferay its the ScreenName. so authentication is for screenname even if we supply email as authentication in Liferay.
4) Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] : This error comes up whenever the certificates are not matching on both the JVM's where CAS and Liferay is running. So, just ensure they are correct and at proper place, This problem will be resolved.
Hi Mayank,
ReplyDeleteThank you very much for wonderful blog
Can you explain me more about below point under OpenDS category
d) Create user entry under ou=people. under this basedn entry
- Is it while installing OpenDS
- After we are into JXplorer
Thanks & Regards,
- Nagendra Kumar
You can do it post installation too
ReplyDeleteI did that way thanks, With the users i created i am able to login BUT again liferay is showing its login page. How to skip this.
ReplyDeleteHelp me to resolve above
Regards,
- Nagendra Kumar
Hi Mayank,
ReplyDeleteThanks for useful post.
I have followed the exact same steps. I am running OpenLDAP with CAS (with bean configurations you described).
Once i try logging in Liferay using a user which does not exist in Liferay but is there in OpenLDAP - it gets me the ticket but again takes me to Liferay login page because it could not export the user from OpenLDAP.
Here is the server error -
11:15:21,694 ERROR [CASAutoLogin:113] com.liferay.portal.SystemException: Problem accessign LDAP server Failed to bind to the
LDAP server
com.liferay.portal.SystemException: Problem accessign LDAP server Failed to bind to the LDAP server
at com.liferay.portal.security.auth.CASAutoLogin.addUser(CASAutoLogin.java:180)
at com.liferay.portal.security.auth.CASAutoLogin.login(CASAutoLogin.java:97)
at com.liferay.portal.servlet.filters.autologin.AutoLoginFilter.processFilter(AutoLoginFilter.java:208)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:91)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:154)
at com.liferay.portal.servlet.filters.sso.opensso.OpenSSOFilter.processFilter(OpenSSOFilter.java:73)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:91)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:154)
at com.liferay.portal.sharepoint.SharepointFilter.processFilter(SharepointFilter.java:193)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:91)
Can you help please?
Thanks
@Nagendra - Did you see the login page with logged in user, if yes, place a redirect. If no then there is some problem with imorting the profile form LDAP to liferay.
ReplyDelete@Preeti - The error message clearly says there is problem in binding with LDAP from Liferay. Please check whether you are able to connect via Liferay to LDAP, if Yes, then there should be some other message also in the exception chain which you have pasted. Please send me those too.
Thanks for the steps.
ReplyDeleteI have my liferay running on jboss and CAS running on tomcat both are on localhost.
I access liferay using http://localhost:8080/portal.
CAS:
http://localhost:8443/cas-web/login
and both works .
When i am trying to configure CAS for liferay using control panel as mentioned in your steps
i am getting HTTP Status 404 - /c/portal/login exception .
Kindly help
It does works...I left out something ..
ReplyDeleteSorry
the portal first goes to the liferay login page and then after clicking on "Sing in " it goes to CSA.
ReplyDeleteHow ican set it to go to CAS login.
Thanks in advance.
This is the way it should be. Since we have not done any setting in CAS to know where to redirect after successful login, so liferay has to send those details for default landing page and then when the user is redirected to Liferay validate it.
ReplyDeleteRefer Steps:
Import from LDAP: checked
Login URL: https://abc:8443/cas-web/login (Assuming CAS is also on abc)
Logout URL: https://abc:8443/cas-web/logout
server name: abc:8080 (Liferay is on 8080)
Service URL: http://abc:8080/c/portal/login
validate URL: https://abc:8443/cas-web/proxyValidate
Thanks for reply.
ReplyDeleteI had set this already.
One more problem i am getting is :
After login from CAS it gets redirected to http://localhost:8080/c/portal/login?ticket=ST-1-DlrOnbiWInbP175TebF2-cas
type Status report
message /c/portal/login
description The requested resource (/c/portal/login) is not available.
Thanks alot for help.
ReplyDeleteFinaly i got this work.
when I click on sign out it shows the cas signout page but when I am opening the portal default page(Same browser session) again it shows me signed in....
Kinldy help
Hello,
ReplyDeleteI did this document about how to construct a arquitecture with CAS + Liferay + OpenLdap. Feel free to use it.
http://www.andaravelasvir.com/blog/default/page/publicaciones
When I run firefox with address https://localhost:8443/cas-web/login
ReplyDeleteMessage error :
An error occurred during a connection to localhost:8443.
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
Can anyone please provide me some inputs on this?
@Kien : Ensure that port 443 is open and enabled on your server. This is the standard port for https communications.
ReplyDeleteI config in server.xml
ReplyDelete<Connector port="8443" maxHttpHeaderSize="8192"
ReplyDeletemaxThreads="150" minSpareThreads="25" maxSpareThreads="75"enableLookups="false" disableUploadTimeout="true"acceptCount="100" scheme="https" secure="true"clientAuth="false" sslProtocol="TLS" />
ReplyDeleteMayank .
ReplyDeleteWhen I start server error
Protocol handler initialization failed: java.io.IOException: Cannot recover key
Help me to resolve above
Thanks
'service' and 'ticket' parameters are both required
ReplyDeleteWhen I loggin successfully with LDAP account. CAS will redirect me to this page with above error.
https://localhost:8443/cas-server-webapp-3.4.8/proxyValidate?ticket=ST-6-dFeRY5CeHwKQyyd2A6UR-cas
thank you very much it works for me.
ReplyDeleteLiferay 6.0.6
Sincerely
Abhinav Ladani.
This comment has been removed by the author.
ReplyDeleteThis comment has been removed by the author.
ReplyDeletehi,
ReplyDeleteI am new to this LifeRay,I have HTML,CSS,Images&JS files out side So i Uploaded all these files to Document & media Library.every thing is ok But My Problem is it Asking uname & pass for guest role Also.(I given view permission for guest & i created pages as public only)
plz help me
Regards,
Ram
Dear All,If you want to learn another example of ipc based on Event phase portlet than
ReplyDeletecheck this link,may be helpful
http://www.attuneinfocom.com/how-create-ipc-portlet-liferay-611-ga2-0
gud for me and my blogs
ReplyDeletewww.liferay4you.blogspot.com
www.alljobsu.blogspot.com