I saw many tutorials on CAS, Liferay and LDAP – but unfortunately, none of them worked for me. So I decided to document what does work (at least for me).
Note that my environment is based on LifeRay 6.0.5 and CAS 3.5.1.
- Configure Tomcat for SSL. I have used port 443. You can read all about it here.
  - After creating the certificates, I just ended up adding the following tag in TOMCAT_HOME/conf/server.xml:

    ```xml
    <!-- HTTPS connector; keystoreFile/keystorePass point at the keystore created in the previous step -->
    <Connector port="443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="/root/.keystore" keystorePass="password"
               clientAuth="false" sslProtocol="TLS"/>
    ```

  - IMPORTANT: I did not manage to make CAS work with a self-signed certificate, so I’ve used a temporary free one.
- Configure LifeRay for LDAP
  - Log in to LifeRay
  - Go to Control Panel -> Settings -> Authentication -> LDAP
  - Ensure the “Enabled” check box is selected
  - I strongly suggest enabling the “Import” check box and ensuring that Import is enabled on server startup.
  - Add a server
  - Fill in the LDAP server details (it’s easy to check them with an LDAP browser like JXplorer)
  - Save your configuration
  - I usually restart Tomcat after that change and view the log to see that all users were successfully imported
- Build CAS
  - Download CAS (I downloaded it from here)
  - Unzip the file
  - Edit the CAS_HOME/cas-server-webapp/pom.xml file and add the following dependency:

    ```xml
    <!-- pulls in the LDAP authentication handlers used below -->
    <dependency>
      <groupId>org.jasig.cas</groupId>
      <artifactId>cas-server-support-ldap</artifactId>
      <version>3.5.1</version>
    </dependency>
    ```

  - Build CAS using Maven. The command to run is mvn clean install
- Deploy CAS
  - Copy the newly created WAR file from CAS_HOME/cas-server-webapp/target/cas.war to TOMCAT_HOME/webapps
- Configure CAS for LDAP
  - Edit TOMCAT_HOME/webapps/cas/WEB-INF/deployerConfigContext.xml
  - Add the following at the end of the file (just before the closing </beans> tag):

    ```xml
    <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
      <!-- DO NOT enable JNDI pooling for context sources that perform LDAP bind operations. -->
      <property name="pooled" value="false"/>
      <!-- Although multiple URLs may be defined, it's strongly recommended to avoid this
           configuration since the implementation attempts hosts in sequence and requires a
           connection timeout prior to attempting the next host, which incurs unacceptable
           latency on node failure. A proper HA setup for LDAP directories should use a single
           virtual host that maps to multiple real hosts using a hardware load balancer. -->
      <property name="url" value="ldap://LDAP_SERVER:389" />
      <!-- Manager credentials are only required if your directory does not support anonymous
           searches. Never provide these credentials for FastBindLdapAuthenticationHandler since
           the user's credentials are used for the bind operation. -->
      <property name="userDn" value="cn=Manager"/>
      <property name="password" value="test"/>
      <!-- Place JNDI environment properties here. -->
      <property name="baseEnvironmentProperties">
        <map>
          <!-- Three seconds is an eternity to users. -->
          <entry key="com.sun.jndi.ldap.connect.timeout" value="3000" />
          <entry key="com.sun.jndi.ldap.read.timeout" value="3000" />
          <!-- Explained at http://download.oracle.com/javase/1.3/docs/api/javax/naming/Context.html#SECURITY_AUTHENTICATION -->
          <entry key="java.naming.security.authentication" value="simple" />
        </map>
      </property>
    </bean>
    ```

  - Add the following bean under the <list> tag of the authenticationHandlers property (the closing tags shown are the ones already in the file):

    ```xml
          <!-- Searches ou=people for the entry whose mail attribute equals the submitted
               username (%u), then binds as that entry with the submitted password.
               The p: attributes need xmlns:p="http://www.springframework.org/schema/p"
               declared on the root <beans> element. -->
          <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
                p:filter="mail=%u"
                p:searchBase="ou=people,dc=test,dc=com"
                p:contextSource-ref="contextSource" />
        </list>
      </property>
    </bean>
    ```

- Configure LifeRay for CAS
  - Log in to LifeRay
  - Go to Control Panel -> Settings -> Authentication -> CAS
  - Ensure the “Enabled” check box is selected
  - Ensure the “LDAP Import” check box is selected
  - Enter the URLs of the CAS server
  - Save
  - Add the following line to TOMCAT_HOME/webapps/ROOT/WEB-INF/classes/system-ext.properties:

    ```properties
    com.liferay.filters.sso.cas.CASFilter=true
    ```

  - Add the following line to TOMCAT_HOME/webapps/ROOT/WEB-INF/classes/portal-ext.properties:

    ```properties
    auto.login.hooks=com.liferay.portal.security.auth.CASAutoLogin
    ```

  - Restart Tomcat
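As an added example (not code from the original post), here is a small Python check that parses the contextSource and BindLdapAuthenticationHandler beans from the "Configure CAS for LDAP" step and flags what a reviewer would want changed before go-live: pooling left on, a plain ldap:// URL (the manager's and every user's password then cross the wire in cleartext), missing JNDI timeouts, and a bind filter without the %u placeholder. SAMPLE_XML is a constructed copy of the post's beans; LDAP_SERVER and dc=test,dc=com are placeholders, not real hosts.

```python
import xml.etree.ElementTree as ET

BEANS_NS = "http://www.springframework.org/schema/beans"
P_NS = "http://www.springframework.org/schema/p"
# Constructed sample mirroring the post's beans (LDAP_SERVER is a placeholder).
SAMPLE_XML = f"""<beans xmlns="{BEANS_NS}" xmlns:p="{P_NS}">
  <bean id="contextSource"
        class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="pooled" value="false"/>
    <property name="url" value="ldap://LDAP_SERVER:389"/>
    <property name="userDn" value="cn=Manager"/>
    <property name="password" value="test"/>
    <property name="baseEnvironmentProperties">
      <map>
        <entry key="com.sun.jndi.ldap.connect.timeout" value="3000"/>
        <entry key="com.sun.jndi.ldap.read.timeout" value="3000"/>
        <entry key="java.naming.security.authentication" value="simple"/>
      </map>
    </property>
  </bean>
  <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
        p:filter="mail=%u" p:searchBase="ou=people,dc=test,dc=com"
        p:contextSource-ref="contextSource"/>
</beans>"""


def check_cas_ldap_config(xml_text):
    """Return a list of findings; an empty list means nothing to flag."""
    root = ET.fromstring(xml_text)
    findings = []
    for bean in root.iter(f"{{{BEANS_NS}}}bean"):
        cls = bean.get("class", "")
        if cls.endswith("LdapContextSource"):
            props = {p.get("name"): p.get("value")
                     for p in bean.findall(f"{{{BEANS_NS}}}property")}
            keys = {e.get("key") for e in bean.iter(f"{{{BEANS_NS}}}entry")}
            # The CAS sample config forbids JNDI pooling for bind sources.
            if props.get("pooled") != "false":
                findings.append("pooled is not false")
            # Simple bind over plain ldap:// sends passwords in cleartext.
            if props.get("url", "").startswith("ldap://"):
                findings.append("plain ldap:// URL: credentials travel in cleartext")
            if not {"com.sun.jndi.ldap.connect.timeout",
                    "com.sun.jndi.ldap.read.timeout"} <= keys:
                findings.append("missing JNDI connect/read timeout")
        elif cls.endswith("BindLdapAuthenticationHandler"):
            # %u is the placeholder CAS replaces with the submitted username.
            if "%u" not in bean.get(f"{{{P_NS}}}filter", ""):
                findings.append("bind filter lacks the %u placeholder")
    return findings
```

Run it against the post's configuration as-is and the only finding is the plain ldap:// URL; switching the url to ldaps:// (with the directory's TLS certificate trusted by the CAS JVM) clears it.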
You can now access your LifeRay instance, and get the CAS login instead…