cas学习笔记(三)ldap连接

日期:2017-1-18 14:25:22
作者:ack
一、环境信息
cas 版本4.1.9
jdk1.7
数据库 openldap
二、cas配置信息
找到cas.properties文件,配置ldap的信息

#========================================
# General properties
#========================================
# Plain ldap:// on 389. Together with ldap.useStartTLS=false below this means
# the manager bind and every user's bind password cross the network unencrypted.
# Use an ldaps:// URL or set ldap.useStartTLS=true; only then does the trust
# certificate configured in ldap.trustedCert actually protect the connection.
ldap.url=ldap://192.9.104.131:389
#ldap.url=ldap://192.9.104.132:389
# LDAP connection timeout in milliseconds
ldap.connectTimeout=3000
# Whether to use StartTLS (probably needed if not SSL connection)
ldap.useStartTLS=false
#========================================
# LDAP connection pool configuration
#========================================
ldap.pool.minSize=3
ldap.pool.maxSize=10
# Connections are not validated on checkout; liveness relies on the periodic
# validation below (ldap.pool.validatePeriod).
ldap.pool.validateOnCheckout=false
ldap.pool.validatePeriodically=true
# Amount of time in milliseconds to block on pool exhausted condition
# before giving up.
ldap.pool.blockWaitTime=3000
# Frequency of connection validation in seconds
# Only applies if validatePeriodically=true
ldap.pool.validatePeriod=300
# Attempt to prune connections every N seconds
ldap.pool.prunePeriod=300
# Maximum amount of time an idle connection is allowed to be in
# pool before it is liable to be removed/destroyed
ldap.pool.idleTime=600
#========================================
# Authentication
#========================================
# Base DN of users to be authenticated
ldap.authn.baseDn=ou=users,dc=tianditu,dc=com
# Manager DN for authenticated searches
# NOTE(review): the DN resolver only needs to search the user subtree, so a
# dedicated read-only service account is preferable to the directory manager.
ldap.authn.managerDN=cn=Manager,dc=tianditu,dc=com
# Manager password for authenticated searches
# NOTE(review): cleartext credential in a config file. Restrict file permissions,
# keep the real value out of published copies, and use a strong unique password;
# the value shown here looks like a sample/placeholder.
ldap.authn.managerPassword=root
# Search filter used for configurations that require searching for DNs
# {user} is replaced with the login name the user typed.
# NOTE(review): confirm the DN resolver escapes LDAP filter metacharacters in
# the substituted value before it is sent to the directory.
#ldap.authn.searchFilter=(&(uid={user})(accountState=active))
#ldap.authn.searchFilter=(|(uid={user})(cn={user}))
ldap.authn.searchFilter=(uid={user})
# Search filter used for configurations that require searching for DNs
# NOTE(review): ldap.authn.format is not referenced by the ldap.xml bean
# definitions on this page (the dnResolver uses ldap.authn.searchFilter), so
# this value presumably has no effect here; verify before relying on it.
#ldap.authn.format=uid=%s,ou=Users,dc=example,dc=org
ldap.authn.format=%s@tianditu.com
# A path to trusted X.509 certificate for StartTLS
# Only consulted once the connection is TLS-protected (StartTLS or ldaps://).
ldap.trustedCert=/root/keys/tdt3.cer
配置好以后,在WEB_INF下面新建一个ldap.xml的文件,这个文件用于配置ldap的一些信息,如下:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c" xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:util="http://www.springframework.org/schema/util" xmlns:sec="http://www.springframework.org/schema/security"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

<!-- | Change principalIdAttribute to use another directory attribute, |
e.g. userPrincipalName, for the NetID -->
<context:component-scan base-package="org.jasig.cas" />
<context:annotation-config/>
<!-- | Password encoder wired into primaryAuthenticationHandler below.
| NOTE(review): if the handler encodes the credential before the LDAP bind,
| the directory receives an MD5 hex digest instead of the password the user
| typed; confirm this is intended and that stored userPassword values match.
| A bind authenticator normally expects the cleartext password, and MD5 on
| the credential is not a substitute for TLS on the connection. -->
<bean id="MD5PasswordEncoder"
class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder">
<constructor-arg index="0">
<value>MD5</value>
</constructor-arg>
</bean>
<!-- | CAS authentication handler: delegates to the ldaptive authenticator
| (DN resolution + bind) and builds the principal from the uid attribute. -->
<bean id="primaryAuthenticationHandler"
class="org.jasig.cas.authentication.LdapAuthenticationHandler"
p:principalIdAttribute="uid"
c:authenticator-ref="authenticator"
>
<property name="principalAttributeMap">
<map>
<!-- | This map provides a simple attribute resolution mechanism. | Keys
are LDAP attribute names, values are CAS attribute names. | Use this facility
instead of a PrincipalResolver if LDAP is | the only attribute source. -->
<!-- | NOTE(review): per the contract above (key = LDAP attribute, value = CAS
| attribute) the username and password entries look reversed, since uid and
| userPassword are the directory attribute names. Either way, copying a
| password attribute into the CAS principal exposes the stored credential to
| anything that can read principal attributes (attribute release to services,
| logs); drop that entry unless a consumer genuinely needs it. -->
<entry key="username" value="uid" />
<entry key="accountState" value="accountState" />
<entry key="displayName" value="displayName" />
<entry key="password" value="userPassword" />
<!--
<entry key="member" value="member" />
<entry key="displayName" value="displayName" />
-->
</map>
</property>
<property name="passwordEncoder" ref="MD5PasswordEncoder"></property>
</bean>

<!-- | ldaptive authenticator: resolves the user's DN with dnResolver, then
| verifies the password with authHandler (a bind on a separate pool). -->
<bean id="authenticator" class="org.ldaptive.auth.Authenticator"
c:resolver-ref="dnResolver" c:handler-ref="authHandler" />

<!-- | Finds the user's DN by searching the subtree under ldap.authn.baseDn
| with ldap.authn.searchFilter. allowMultipleDns=false means an ambiguous
| match should be rejected rather than binding as the first hit (ldaptive
| behaviour; confirm against the library version in use). -->
<bean id="dnResolver" class="org.ldaptive.auth.PooledSearchDnResolver"
p:baseDn="${ldap.authn.baseDn}"
p:subtreeSearch="true"
p:allowMultipleDns="false"
p:connectionFactory-ref="searchPooledLdapConnectionFactory"
p:userFilter="${ldap.authn.searchFilter}" />

<!-- | Search side: pool of connections pre-bound as the manager DN. -->
<bean id="searchPooledLdapConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory"
p:connectionPool-ref="searchConnectionPool" />

<bean id="searchConnectionPool" parent="abstractConnectionPool"
p:connectionFactory-ref="searchConnectionFactory" />

<bean id="searchConnectionFactory" class="org.ldaptive.DefaultConnectionFactory"
p:connectionConfig-ref="searchConnectionConfig" />

<bean id="searchConnectionConfig" parent="abstractConnectionConfig"
p:connectionInitializer-ref="bindConnectionInitializer" />

<!-- | Binds every search-pool connection with the manager credentials from
| cas.properties. A read-only service account scoped to the user subtree is
| sufficient for DN resolution; the directory manager is more than needed. -->
<bean id="bindConnectionInitializer" class="org.ldaptive.BindConnectionInitializer"
p:bindDn="${ldap.authn.managerDN}">
<property name="bindCredential">
<bean class="org.ldaptive.Credential" c:password="${ldap.authn.managerPassword}" />
</property>
</bean>

<!-- | Shared pool template (abstract): sizing from ldapPoolConfig, periodic
| search-based validation, and idle pruning. -->
<bean id="abstractConnectionPool"
abstract="true"
class="org.ldaptive.pool.BlockingConnectionPool"
init-method="initialize"
destroy-method="close"
p:poolConfig-ref="ldapPoolConfig"
p:blockWaitTime="${ldap.pool.blockWaitTime}"
p:validator-ref="searchValidator"
p:pruneStrategy-ref="pruneStrategy" />

<!-- | Shared connection template (abstract). sslConfig only matters once the
| connection is TLS-protected, i.e. ldap.useStartTLS=true or an ldaps:// URL;
| with the cas.properties values on this page (ldap:// and useStartTLS=false)
| the manager password and every user password cross the wire in cleartext. -->
<bean id="abstractConnectionConfig"
abstract="true"
class="org.ldaptive.ConnectionConfig"
p:ldapUrl="${ldap.url}"
p:connectTimeout="${ldap.connectTimeout}"
p:useStartTLS="${ldap.useStartTLS}"
p:sslConfig-ref="sslConfig" />

<bean id="ldapPoolConfig" class="org.ldaptive.pool.PoolConfig"
p:minPoolSize="${ldap.pool.minSize}" p:maxPoolSize="${ldap.pool.maxSize}"
p:validateOnCheckOut="${ldap.pool.validateOnCheckout}"
p:validatePeriodically="${ldap.pool.validatePeriodically}"
p:validatePeriod="${ldap.pool.validatePeriod}" />

<!-- | Trust anchor for the directory's server certificate (ldap.trustedCert).
| Pinning a specific trusted certificate is preferable to a permissive trust
| manager; keep this in place when enabling StartTLS or ldaps://. -->
<bean id="sslConfig" class="org.ldaptive.ssl.SslConfig">
<property name="credentialConfig">
<bean class="org.ldaptive.ssl.X509CredentialConfig"
p:trustCertificates="${ldap.trustedCert}" />
</property>
</bean>

<bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
p:prunePeriod="${ldap.pool.prunePeriod}" p:idleTime="${ldap.pool.idleTime}" />

<!-- | Validates pooled connections by issuing a search (used by both pools). -->
<bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" />

<!-- | Bind side: a second pool used only to bind as the resolved user DN with
| the password supplied at login. Kept separate from the manager-bound search
| pool so user binds never reuse a manager-authenticated connection. -->
<bean id="authHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler"
p:connectionFactory-ref="bindPooledLdapConnectionFactory" />

<bean id="bindPooledLdapConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory"
p:connectionPool-ref="bindConnectionPool" />

<bean id="bindConnectionPool" parent="abstractConnectionPool"
p:connectionFactory-ref="bindConnectionFactory" />

<bean id="bindConnectionFactory" class="org.ldaptive.DefaultConnectionFactory"
p:connectionConfig-ref="bindConnectionConfig" />

<!-- | No connection initializer here: bind-pool connections start unbound
| and are bound per login attempt by authHandler. -->
<bean id="bindConnectionConfig" parent="abstractConnectionConfig" />
</beans>
再修改deployerConfigContext.xml
将原来默认的用户验证注释掉,然后在文件尾部加入刚才创建的ldap.xml文件:
<!-- appended to deployerConfigContext.xml, after the default user authentication has been commented out, so the bean definitions from ldap.xml take its place -->
<import resource="ldap.xml" />
到此,ldap连接方式配置完成。官方文档有详细的步骤。