CentOS 7.x Deploy Apereo CAS 6.2 and integrate with AD

Home > CentOS > CentOS 7.x > Web Based Tools > CentOS 7.x Apereo CAS > CentOS 7.x Deploy Apereo CAS 6.2 and integrate with AD

The below steps do not work. Refer CentOS 7.x Deploy Apereo CAS 5.3 and integrate with AD for working steps instead

Deploy AD with LDAPS

1. First deploy AD server, if not present already, by referring to Windows Server 2016 Setup new Active Directory
2. Then ensure that there is LDAPS support on AD using Setup AD to respond to LDAP queries over LDAPS protocol

Build CAS 6.2 and integrate it with AD

1. Create CentOS 7.x container or VM. Ensure that container is setup with proper networking to be able to reach AD server. It might help if AD server is configured as DNS for this CAS server to help with local FQDN resolution.
2. Install openssh, tomcat and git

   yum -y install openssh-server epel-release
   systemctl start sshd
   systemctl enable sshd
   
   yum -y install tomcat git vim
   git clone https://github.com/apereo/cas-overlay-template.git
   
   #Download and copy Oracle jdk-11.0.6_linux-x64_bin.rpm to container
   yum localinstall jdk-11.0.6_linux-x64_bin.rpm
   
   #Add below to .bashrc also
   export JAVA_HOME=/usr/java/jdk-11.0.6
   export PATH=/usr/java/jdk-11.0.6/bin:$PATH
   
   cd cas-overlay-template
   ./gradlew clean build
   
   #If build fails then rerun './gradlew clean build'.  For me
   #it failed on first build and worked on second without any change.
   #Failure are possibly due to Internet issues
   ls build/libs -l
   
   ./gradlew createKeystore
   ./gradlew CopyCasConfiguration
   
   ./gradlew run
   #Try to access https://<ip>:8443/cas/login after Ready message
   #is displayed
   
   yum -y install openldap-clients
   #Download Sysinternals AD explorer http://technet.microsoft.com/en-us/sysinternals/bb963907.aspx
   #Connect to AD using Administrator user and password if available to help in understanding LDAP structure
   
   ldapsearch -x -H 'ldaps://<AD-FDQN>/' -b '<AD-BASE-DN>' -D '<Administrator-user-DN>' -W
   
   #vim /etc/openldap/ldap.conf and append TLS_REQCERT  never
   ldapsearch -x -H 'ldaps://<AD-FDQN>/' -b '<AD-BASE-DN>' -D '<Administrator-user-DN>' -W

3. In gradle.properties append: ( https://apereo.github.io/cas/6.1.x/installation/LDAP-Authentication.html )

   compile="org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"
   compile "org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"

4. Check current hostname

   hostname
   hostname --fqdn
   cat /etc/hostname

   Make sure that there is entry in /etc/hosts resolving LAN IP to hostname

5. Rebuild and test

   ./gradlew clean build
   ./gradlew CopyCasConfiguration
   ./gradlew run
   
   #Login with casuser:Mellon

6. Copy AD CA certificate and issued certificate to CAS server using:
   1. On AD server execute below command in cmd:

      certutil  -ca.cert <AD-FQDN>.cer

   2. Copy <AD-FQDN>.cer file to cas server at location /etc/pki/ca-trust/source/anchors
   3. Download SSL certificate produced at port 636 signed by above CA using:

      cd /etc/pki/ca-trust/source/anchors
      openssl s_client -connect <AD-FQDN>:636 -showcerts

   4. Note that openssl will claim that certificate veritification has failed with output lines begining with:

      CONNECTED(00000003)
      depth=0
      verify error:num=20:unable to get local issuer certificate
      verify return:1
      depth=0
      verify error:num=21:unable to verify the first certificate
      verify return:1

   5. Copy lines between ----BEGIN CERTIFICATE---- and ----END CERTIFICATE--- to file named <AD-FQDN>.pem
   6. Update CA trust using:

      update-ca-trust

   7. Again run:

      openssl s_client -connect <AD-FQDN>:636 -showcerts

   8. Now the validation should succeed with:

      CONNECTED(00000003)
      depth=1 DC = com, DC = <AD-Domain>, CN = <Common-name-given-while-creating AD LDAPS certificate>
      verify return:1
      depth=0
      verify return:1

      Refer:

      • https://support.microsoft.com/en-us/help/555252
      • https://www.sbarjatiya.com/notes_wiki/index.php?title=Openssl#Download_server_certificate_directly_from_server
      • https://www.sbarjatiya.com/notes_wiki/index.php?title=CentOS_7.x_add_ca_or_host_certificate_as_trusted_certificate_at_OS_level
7. Create AD user with required details such as
   • First Name :: Saurabh
   • Last Name :: Barjatiya
   • Username :: saurabh
   • Password :: <secret>
8. Download AD explorer from Sysinternals site https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer and validate DN for saurabh to be 'CN=Saurabh Barjatiya,CN=Users,DC=<Domain>,DC=com'
9. Edit etc/cas/config/log4j2.xml and update ldap logging from warn to debug using:

   <Property name="ldap.log.level">debug</Property>

10. Edit etc/cas/config/cas.properties in cas-overlay-template folder as per
    • https://dacurry-tns.github.io/deploying-apereo-cas/building_server_ldap_authentication_config-ad-auth-properties.html#install-and-test-on-the-master-build-server
    • https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties-Common.html#ldap-connection-settings
    • https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#ldap-authentication-1
    • https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/active$20directory%7Csort:date/cas-user/g_yhFqKHsm8/qEs2Tn0kBgAJ
    • https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/LBfDaRPQ5Ds/discussion
    • https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/active$20directory%7Csort:date/cas-user/LBfDaRPQ5Ds/JKLsaEohCwAJ
    • https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/active$20directory%7Csort:date/cas-user/wAobhOW3ltU/OTxhrOmiCAAJ
    • Sample configuration which does not seem to work is:

      
      cas.server.name=https://<CAS-FQDN>:8443
      cas.server.prefix=${cas.server.name}/cas
      
      logging.config: file:/etc/cas/config/log4j2.xml
      
      cas.serviceRegistry.json.location:    file:/etc/cas/services
      cas.serviceRegistry.initFromJson=true
      
      cas.authn.policy.requiredHandlerAuthenticationPolicyEnabled=true
      cas.authn.policy.any.enabled=true
      cas.authn.policy.any.tryAll=false
      
      cas.authn.accept.users=
      
      ActiveDirectory - Domain 1
      cas.authn.ldap[0].order=1
      cas.authn.ldap[0].name=LDAP1
      cas.authn.ldap[0].type=AD
      cas.authn.ldap[0].type=AUTHENTICATED
      cas.authn.ldap[0].useSsl=true
      cas.authn.ldap[0].ldapUrl=ldaps://<AD-FQDN>:636/
      cas.authn.ldap[0].enhanceWithEntryResolver=true
      cas.authn.ldap[0].baseDn=<AD-Base-DN>
      cas.authn.ldap[0].bindDn=<Bind-DN>
      cas.authn.ldap[0].bindCredential=<Redacted>
      cas.authn.ldap[0].searchFilter=sAMAccountName={user}
      cas.authn.ldap[0].dnFormat=CN=%s,CN=Users,dc=<Domain>,dc=com
      cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
      cas.authn.ldap[0].poolPassivator=NONE
      cas.authn.ldap[0].hostnameVerifier=ANY
      
      In order to allow ssl, we had to add CA/domain cert to the keystore
      Attribute repository
      cas.authn.attributeRepository.ldap[0].keystore=file:/etc/pki/ca-trust/extracted/java/cacerts
      cas.authn.attributeRepository.ldap[0].keystorePassword=changeit

11. Rebuild and test

    ./gradlew clean build
    ./gradlew CopyCasConfiguration
    ./gradlew run
    
    Login with saurabh:<ad-password>

12. Create /etc/cas/services/CAS-1.json with:

    {
    "@class" : "org.apereo.cas.services.RegexRegisteredService",
    "serviceId" : "^https://.*",
    "name" : "CAS",
    "id" : 1,
    "evaluationOrder":10,
    "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true
    },
    }

    • Refer:
      • https://apereo.github.io/2019/01/07/cas61-gettingstarted-overlay/

Home > CentOS > CentOS 7.x > Web Based Tools > CentOS 7.x Apereo CAS > CentOS 7.x Deploy Apereo CAS 6.2 and integrate with AD