ActiveMQ Jetty with 2 authentication methods (LDAP + local)

I currently have the ActiveMQ Jetty web server configured to use LDAP authentication for the users of the web console (admins), but I'm struggling to have HashLoginService at the same time for REST API purposes...
Is there a way to have the two authentication methods working on ActiveMQ Jetty?
Here is my working config with LDAP:
<bean id="ldapLoginService" class="org.eclipse.jetty.jaas.JAASLoginService">
<property name="name" value="LDAP realm" />
<property name="loginModuleName" value="LDAPLogin" />
<property name="roleClassNames" value="org.apache.activemq.jaas.GroupPrincipal" />
<property name="identityService" ref="identityService" />
</bean>
<bean id="identityService" class="org.eclipse.jetty.security.DefaultIdentityService"/>
<bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
<property name="name" value="BASIC" />
<property name="roles" value="admin_grp" />
<property name="authenticate" value="true" />
</bean>
<bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
<property name="name" value="BASIC" />
<property name="roles" value="admin_grp" />
<property name="authenticate" value="true" />
</bean>
<bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
<property name="constraint" ref="securityConstraint" />
<property name="pathSpec" value="/api/*,/admin/*,*.jsp" />
</bean>
<bean id="adminSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
<property name="constraint" ref="adminSecurityConstraint" />
<property name="pathSpec" value="*.action" />
</bean>
<bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
<property name="loginService" ref="ldapLoginService" />
<property name="realmName" value="LdapRealm" />
<property name="identityService" ref="identityService" />
<property name="authenticator">
<bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
</property>
<property name="constraintMappings">
<list>
<ref bean="adminSecurityConstraintMapping" />
<ref bean="securityConstraintMapping" />
</list>
</property>
<property name="handler" ref="secHandlerCollection" />
</bean>
and the ldap config:
LDAPLogin {
org.apache.activemq.jaas.LDAPLoginModule required
debug="false"
initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
connectionURL="{{ ldap_connect_url }}"
connectionUsername="{{ bind_dn }}"
connectionPassword="{{ bind_pw }}"
connectionProtocol=""
authentication=simple
userBase="{{ base_dn }}"
userSearchMatching="{{ ldap_user_search_matching }}"
userSearchSubtree="true"
roleBase="{{ ldap_role_base }}"
roleName="cn"
roleSearchMatching="{{ ldap_role_search_matching }}"
roleSearchSubtree=false
;
};

Why don't you add the PropertyFileLoginModule to your JAAS config file? It is similar to the HashLoginService, but works with JAAS. You would have to change your JAAS config to make the LDAPLoginModule sufficient rather than required, and make the PropertyFileLoginModule also sufficient. That way, the user is authenticated if either of the login modules succeeds. Reading more about the definitions of required/requisite/sufficient/optional may be helpful.
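How the flags the answer above mentions combine is easiest to see by running the decision rules. The following is an added example, not Jetty, ActiveMQ or JAAS code: evaluate_stack() reproduces the Required/Requisite/Sufficient/Optional semantics of javax.security.auth.login.LoginContext, and the two "modules", their user tables and the two entry layouts are constructed stand-ins for the LDAPLoginModule and PropertyFileLoginModule discussed here; nothing in it contacts a directory or reads a properties file.

```python
"""How JAAS combines stacked LoginModules (added example; not Jetty, ActiveMQ or JAAS code).

evaluate_stack() follows the control-flag rules of javax.security.auth.login.LoginContext.
The backends, users and module names below are constructed stand-ins.
"""

# Constructed credential stores: what the LDAP directory and the local properties file would hold.
LDAP_DIRECTORY = {"alice": "ldap-secret"}          # web-console admin, known only to LDAP
LOCAL_PROPERTIES = {"api-client": "local-secret"}  # REST client, known only to the properties file


def ldap_login_module(user, password):
    """Stand-in for LDAPLoginModule: 'ok' on a good bind, 'fail' (FailedLoginException) otherwise."""
    return "ok" if LDAP_DIRECTORY.get(user) == password else "fail"


def property_file_login_module(user, password):
    """Stand-in for PropertyFileLoginModule: same contract, backed by the local file."""
    return "ok" if LOCAL_PROPERTIES.get(user) == password else "fail"


def evaluate_stack(modules):
    """modules: list of (name, flag, outcome); outcome is 'ok' (login() returned true),
    'fail' (login() threw) or 'ignore' (login() returned false). Returns (success, reason)."""
    any_success = False
    first_required_error = None   # first Required/Requisite module that threw
    first_error = None            # first Sufficient/Optional module that threw
    for name, flag, outcome in modules:
        flag = flag.lower()
        if outcome == "ok":
            any_success = True
            # Sufficient short-circuits only if no earlier Required/Requisite module failed
            if flag == "sufficient" and first_required_error is None:
                return True, f"{name} (sufficient) succeeded; later modules skipped"
        elif outcome == "fail":
            if flag in ("required", "requisite"):
                first_required_error = first_required_error or name
                if flag == "requisite":
                    return False, f"{name} (requisite) failed; later modules skipped"
            else:
                first_error = first_error or name
        # 'ignore' counts as neither success nor failure
    if first_required_error:
        return False, f"{first_required_error} (required) failed"
    if any_success:
        return True, "all required modules succeeded"
    if first_error:
        return False, f"{first_error} failed and nothing else succeeded"
    return False, "every module ignored the login"


# The question's entry: LDAP alone, marked required.
ORIGINAL_CONFIG = [("LDAPLoginModule", "required", ldap_login_module)]
# The answer's proposal: both modules marked sufficient, so either backend can authenticate.
PROPOSED_CONFIG = [("LDAPLoginModule", "sufficient", ldap_login_module),
                   ("PropertyFileLoginModule", "sufficient", property_file_login_module)]


def login(config, user, password):
    """Run every module of the entry against the credentials and combine the outcomes."""
    return evaluate_stack([(name, flag, module(user, password)) for name, flag, module in config])


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("proposed", PROPOSED_CONFIG)):
        for user, pw in (("alice", "ldap-secret"), ("api-client", "local-secret"), ("alice", "wrong")):
            print(f"{label:8} {user:10} -> {login(cfg, user, pw)}")
```

Run it and the original entry rejects the local-only REST account while the proposed two-sufficient entry accepts it. The trap to watch for is leaving LDAPLoginModule as required and merely appending PropertyFileLoginModule as sufficient: local users are still rejected, because a failed Required module vetoes a later Sufficient success.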

Jetty 9.x JAAS docs do not mention the ability to run multiple authentication sources, but you could implement your own custom JAAS LoginModule to support it.
If you are looking for something out-of-the-box, I know many people run ActiveMQ inside another runtime container (such as Apache Karaf) that supports single JAAS realm with multiple backends.

Related

Deactivate HTTP access for ActiveMQ 5.16.2 web console

I am using ActiveMQ 5.16.2, and I would like to give only secured access to the web console. Thus, I would like to either:
Make a redirect from HTTP to HTTPS.
If a redirect is not possible then deactivate the HTTP access with port 8161.
Which files will I have to configure and how can I configure those changes?
You only need to change conf/jetty.xml. To disable HTTP access comment out the Connector bean, and then to enable HTTPS access uncomment the SecureConnector bean, e.g.:
<bean id="invokeConnectors" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="targetObject" ref="Server" />
<property name="targetMethod" value="setConnectors" />
<property name="arguments">
<list>
<!--bean id="Connector" class="org.eclipse.jetty.server.ServerConnector">
<constructor-arg ref="Server" />
<property name="host" value="#{systemProperties['jetty.host']}" />
<property name="port" value="#{systemProperties['jetty.port']}" />
</bean-->
<!--
Enable this connector if you wish to use https with web console
-->
<bean id="SecureConnector" class="org.eclipse.jetty.server.ServerConnector">
<constructor-arg ref="Server" />
<constructor-arg>
<bean id="handlers" class="org.eclipse.jetty.util.ssl.SslContextFactory">
<property name="keyStorePath" value="${activemq.conf}/broker.ks" />
<property name="keyStorePassword" value="password" />
</bean>
</constructor-arg>
<property name="port" value="8162" />
</bean>
</list>
</property>
</bean>
You'll want to supply your own SSL certificate. Just put your certificate in the conf directory and change the keyStorePath and keyStorePassword values appropriately, e.g.:
<property name="keyStorePath" value="${activemq.conf}/myCert.p12" />
<property name="keyStorePassword" value="myCertPassword" />

Enable SSL in ActiveMQ - connection getting timed out while accessing web console over https

I have a RHEL 7 server where I have ActiveMQ installed (version: apache-activemq-5.15.11). I am trying to run the web console over https and hence I went through the instructions mentioned in the documentation here and made changes in my jetty.xml and un-commented the following section:
<!--
Enable this connector if you wish to use https with web console
-->
<!-- bean id="SecureConnector" class="org.eclipse.jetty.server.ServerConnector">
<constructor-arg ref="Server" />
<constructor-arg>
<bean id="handlers" class="org.eclipse.jetty.util.ssl.SslContextFactory">
<property name="keyStorePath" value="${activemq.conf}/broker.ks" />
<property name="keyStorePassword" value="password" />
</bean>
</constructor-arg>
<property name="port" value="8162" />
</bean -->
When I try to access the web console like the following:
https://myserver.com:8162/admin/index.jsp
I get a connection timed out error in the browser.
Questions:
Am I trying to access it properly, via port 8162? It works fine with port 8161 over http like the following:
http://myserver.com:8161/admin/index.jsp
Are there any additional changes needed to make it work over https?
My jetty.xml is below for reference:
<!--
Licensed to the Apache Software Foundation (ASF) under one or more contributor
license agreements. See the NOTICE file distributed with this work for additional
information regarding copyright ownership. The ASF licenses this file to You under
the Apache License, Version 2.0 (the "License"); you may not use this file except in
compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or
agreed to in writing, software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied. See the License for the specific language governing permissions and
limitations under the License.
-->
<!--
An embedded servlet engine for serving up the Admin consoles, REST and Ajax APIs and
some demos Include this file in your configuration to enable ActiveMQ web components
e.g. <import resource="jetty.xml"/>
-->
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="securityLoginService" class="org.eclipse.jetty.security.HashLoginService">
<property name="name" value="ActiveMQRealm" />
<property name="config" value="${activemq.conf}/jetty-realm.properties" />
</bean>
<bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
<property name="name" value="BASIC" />
<property name="roles" value="user,admin" />
<!-- set authenticate=false to disable login -->
<property name="authenticate" value="true" />
</bean>
<bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
<property name="name" value="BASIC" />
<property name="roles" value="admin" />
<!-- set authenticate=false to disable login -->
<property name="authenticate" value="true" />
</bean>
<bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
<property name="constraint" ref="securityConstraint" />
<property name="pathSpec" value="/api/*,/admin/*,*.jsp" />
</bean>
<bean id="adminSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
<property name="constraint" ref="adminSecurityConstraint" />
<property name="pathSpec" value="*.action" />
</bean>
<bean id="rewriteHandler" class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
<property name="rules">
<list>
<bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<property name="pattern" value="*"/>
<property name="name" value="X-FRAME-OPTIONS"/>
<property name="value" value="SAMEORIGIN"/>
</bean>
<bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<property name="pattern" value="*"/>
<property name="name" value="X-XSS-Protection"/>
<property name="value" value="1; mode=block"/>
</bean>
<bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<property name="pattern" value="*"/>
<property name="name" value="X-Content-Type-Options"/>
<property name="value" value="nosniff"/>
</bean>
</list>
</property>
</bean>
<bean id="secHandlerCollection" class="org.eclipse.jetty.server.handler.HandlerCollection">
<property name="handlers">
<list>
<ref bean="rewriteHandler"/>
<bean class="org.eclipse.jetty.webapp.WebAppContext">
<property name="contextPath" value="/admin" />
<property name="resourceBase" value="${activemq.home}/webapps/admin" />
<property name="logUrlOnStart" value="true" />
</bean>
<bean class="org.eclipse.jetty.webapp.WebAppContext">
<property name="contextPath" value="/api" />
<property name="resourceBase" value="${activemq.home}/webapps/api" />
<property name="logUrlOnStart" value="true" />
</bean>
<bean class="org.eclipse.jetty.server.handler.ResourceHandler">
<property name="directoriesListed" value="false" />
<property name="welcomeFiles">
<list>
<value>index.html</value>
</list>
</property>
<property name="resourceBase" value="${activemq.home}/webapps/" />
</bean>
<bean id="defaultHandler" class="org.eclipse.jetty.server.handler.DefaultHandler">
<property name="serveIcon" value="false" />
</bean>
</list>
</property>
</bean>
<bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
<property name="loginService" ref="securityLoginService" />
<property name="authenticator">
<bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
</property>
<property name="constraintMappings">
<list>
<ref bean="adminSecurityConstraintMapping" />
<ref bean="securityConstraintMapping" />
</list>
</property>
<property name="handler" ref="secHandlerCollection" />
</bean>
<bean id="contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection">
</bean>
<bean id="jettyPort" class="org.apache.activemq.web.WebConsolePort" init-method="start">
<!-- the default port number for the web console -->
<property name="host" value="0.0.0.0"/>
<property name="port" value="8161"/>
</bean>
<bean id="Server" depends-on="jettyPort" class="org.eclipse.jetty.server.Server"
destroy-method="stop">
<property name="handler">
<bean id="handlers" class="org.eclipse.jetty.server.handler.HandlerCollection">
<property name="handlers">
<list>
<ref bean="contexts" />
<ref bean="securityHandler" />
</list>
</property>
</bean>
</property>
</bean>
<bean id="invokeConnectors" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="targetObject" ref="Server" />
<property name="targetMethod" value="setConnectors" />
<property name="arguments">
<list>
<bean id="Connector" class="org.eclipse.jetty.server.ServerConnector">
<constructor-arg ref="Server" />
<!-- see the jettyPort bean -->
<property name="host" value="#{systemProperties['jetty.host']}" />
<property name="port" value="#{systemProperties['jetty.port']}" />
</bean>
<!--
Enable this connector if you wish to use https with web console
-->
<!-- Enabling the following connector on Nov 11,2020 for HTTPS -->
<bean id="SecureConnector" class="org.eclipse.jetty.server.ServerConnector">
<constructor-arg ref="Server" />
<constructor-arg>
<bean id="handlers" class="org.eclipse.jetty.util.ssl.SslContextFactory">
<property name="keyStorePath" value="${activemq.conf}/broker.ks" />
<property name="keyStorePassword" value="password" />
</bean>
</constructor-arg>
<property name="port" value="8162" />
</bean>
</list>
</property>
</bean>
<bean id="configureJetty" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="staticMethod" value="org.apache.activemq.web.config.JspConfigurer.configureJetty" />
<property name="arguments">
<list>
<ref bean="Server" />
<ref bean="secHandlerCollection" />
</list>
</property>
</bean>
<bean id="invokeStart" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean"
depends-on="configureJetty, invokeConnectors">
<property name="targetObject" ref="Server" />
<property name="targetMethod" value="start" />
</bean>
</beans>
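Both the "comment out the Connector bean" answer earlier on this page and the full jetty.xml just posted (which has the plain Connector and the SecureConnector active at the same time, with the stock keyStorePassword) come down to what the connector list contains. The following audit is an added example, not ActiveMQ or Jetty code: it parses a jetty.xml with the standard library, lists each ServerConnector with its port and whether it carries an SslContextFactory, and flags the shipped keystore password. The two documents embedded in it are constructed to mirror the fragments on this page. It inspects configuration only and does not diagnose the timeout asked about above.

```python
"""Audit the connector list of an ActiveMQ conf/jetty.xml (added example; not ActiveMQ or Jetty code).

audit_connectors() finds every ServerConnector bean and reports whether it is plain HTTP or
HTTPS (an SslContextFactory constructor argument), its port, and whether the keystore still
uses the shipped default password. The two documents below are constructed, not copied from
a release.
"""
import xml.etree.ElementTree as ET

BEANS_NS = "http://www.springframework.org/schema/beans"
NS = {"b": BEANS_NS}
SERVER_CONNECTOR = "org.eclipse.jetty.server.ServerConnector"
SSL_CONTEXT_FACTORY = "org.eclipse.jetty.util.ssl.SslContextFactory"
SHIPPED_KEYSTORE_PASSWORD = "password"  # value in the stock jetty.xml shown on this page


def _property(bean, name):
    """Value of <property name="..." value="..."/> directly under a bean, or None."""
    for prop in bean.findall("b:property", NS):
        if prop.get("name") == name:
            return prop.get("value")
    return None


def audit_connectors(xml_text):
    """One dict per ServerConnector bean, in document order. Commented-out beans vanish at
    parse time, which is exactly the 'comment out the Connector bean' advice."""
    findings = []
    for bean in ET.fromstring(xml_text).iter(f"{{{BEANS_NS}}}bean"):
        if bean.get("class") != SERVER_CONNECTOR:
            continue
        ssl_factories = [inner for arg in bean.findall("b:constructor-arg", NS)
                         for inner in arg.findall("b:bean", NS)
                         if inner.get("class") == SSL_CONTEXT_FACTORY]
        entry = {"id": bean.get("id"), "port": _property(bean, "port"), "tls": bool(ssl_factories)}
        if ssl_factories:
            entry["keystore"] = _property(ssl_factories[0], "keyStorePath")
            entry["default_keystore_password"] = (
                _property(ssl_factories[0], "keyStorePassword") == SHIPPED_KEYSTORE_PASSWORD)
        findings.append(entry)
    return findings


def issues(findings):
    """Problems a reviewer would raise; empty for an HTTPS-only file with a site keystore."""
    out = []
    if any(not f["tls"] for f in findings):
        out.append("plain HTTP connector still active")
    if not any(f["tls"] for f in findings):
        out.append("no HTTPS connector configured")
    if any(f.get("default_keystore_password") for f in findings):
        out.append("keystore still uses the shipped default password")
    return out


# Constructed: both connectors active and the stock keystore, as in the jetty.xml posted above.
AS_POSTED = f"""<beans xmlns="{BEANS_NS}">
  <bean id="invokeConnectors" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
    <property name="targetObject" ref="Server"/>
    <property name="targetMethod" value="setConnectors"/>
    <property name="arguments"><list>
      <bean id="Connector" class="{SERVER_CONNECTOR}">
        <constructor-arg ref="Server"/>
        <property name="port" value="#{{systemProperties['jetty.port']}}"/>
      </bean>
      <bean id="SecureConnector" class="{SERVER_CONNECTOR}">
        <constructor-arg ref="Server"/>
        <constructor-arg>
          <bean id="handlers" class="{SSL_CONTEXT_FACTORY}">
            <property name="keyStorePath" value="${{activemq.conf}}/broker.ks"/>
            <property name="keyStorePassword" value="password"/>
          </bean>
        </constructor-arg>
        <property name="port" value="8162"/>
      </bean>
    </list></property>
  </bean>
</beans>"""


def _comment_out_http_connector(doc):
    """Wrap the plain Connector bean in an XML comment, the way the answer above does."""
    start = doc.index('<bean id="Connector"')
    end = doc.index("</bean>", start) + len("</bean>")
    return doc[:start] + "<!--" + doc[start:end] + "-->" + doc[end:]


# Constructed: HTTP connector commented out and a site certificate, as the answer advises.
HARDENED = (_comment_out_http_connector(AS_POSTED)
            .replace("broker.ks", "myCert.p12")
            .replace('value="password"', 'value="myCertPassword"'))


if __name__ == "__main__":
    for label, doc in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        found = audit_connectors(doc)
        print(label, found, issues(found) or "no issues")
```

Point audit_connectors() at the real file with open("conf/jetty.xml").read(); because the stock file declares the Spring beans namespace, the namespace-qualified lookups above work on it unchanged.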

ActiveMQ Web console using LDAP Active Directory authentication

Struggling to get the ActiveMQ web console to use LDAP and authenticate against Active Directory.
No errors when starting MQ; the username/password login prompt appears but doesn't progress when entering the correct credentials.
Version
5.15.6
login.config
amqLdapLoginModule {
org.eclipse.jetty.jaas.spi.LdapLoginModule required
debug="true"
contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
hostname="ad-server1.domain.com"
port="389"
bindDn="CN=readonly-user,OU=Accounts,DC=domain,DC=com"
bindPassword="readonly-user-password"
authenticationMethod="simple"
forceBindingLogin="false"
userBaseDn="CN=users,DC=domain,DC=com"
userRdnAttribute="uid"
userIdAttribute="uid"
userPasswordAttribute="userPassword"
userObjectClass="inetOrgPerson"
roleBaseDn="CN=groups,DC=domain,dc=com"
roleNameAttribute="cn"
roleMemberAttribute="uniqueMember"
roleObjectClass="groupOfUniqueNames";
};
jetty.xml
<bean id="ldapLoginService" class="org.eclipse.jetty.jaas.JAASLoginService">
<property name="name" value="LdapRealm" />
<property name="loginModuleName" value="amqLdapLoginModule" />
<property name="roleClassNames" value="org.eclipse.jetty.jaas.JAASRole" />
<property name="identityService" ref="identityService" />
</bean>
<bean id="identityService" class="org.eclipse.jetty.security.DefaultIdentityService"/>
<bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
<property name="name" value="BASIC" />
<property name="roles" value="admins-group" />
<!-- set authenticate=false to disable login -->
<property name="authenticate" value="true" />
</bean>
<bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
<property name="name" value="BASIC" />
<property name="roles" value="admins-group" />
<!-- set authenticate=false to disable login -->
<property name="authenticate" value="true" />
</bean>
<bean id="securityHandlerLdap" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
<property name="loginService" ref="ldapLoginService" />
<property name="identityService" ref="identityService" />
<property name="realmName" value="LdapRealm" />
<property name="authenticator">
<bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
</property>
<property name="constraintMappings">
<list>
<ref bean="adminSecurityConstraintMapping" />
<ref bean="securityConstraintMapping" />
</list>
</property>
<property name="handler" ref="secHandlerCollection" />
</bean>
<bean id="contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection">
</bean>
Following the guide from http://bacedifo.blogspot.com/2013/06/securing-activemq-580-web-console-using.html and using the ldaptive LDAP Java library with some tweaks to the configs, I managed to get this working for our AD environment.
Copied the ldaptive-{version number}.jar and jetty-jaas-{version number}.jar to the /activemq/lib directory.
login.conf
activemq {
org.ldaptive.jaas.LdapLoginModule required
debug=true
storePass="true"
ldapUrl="ldap://ldap-server1.domainname.com:389 ldap://ldap-server2.domainname.com:389"
connectionStrategy="ACTIVE_PASSIVE"
bindDn="CN=ldap-readaccount,OU=Read Accounts,DC=domainname,DC=com"
baseDn="OU=accounts,DC=domainname,DC=com"
bindCredential="ldapuser-password"
useStartTLS="false"
userFilter="(sAMAccountName={user})";
org.ldaptive.jaas.LdapRoleAuthorizationModule required
useFirstPass="true"
ldapUrl="ldap://ldap-server1.domainname.com:389 ldap://ldap-server2.domainname.com:389"
connectionStrategy="ACTIVE_PASSIVE"
bindDn="CN=ldap-readaccount,OU=Read Accounts,DC=domainname,DC=com"
baseDn="OU=groups,DC=domainname,DC=com"
bindCredential="ldapuser-password"
roleFilter="(&(cn=webconsoleadmins)(member={user}))"
useStartTLS="false"
defaultRole="admins"
roleAttribute="cn";
};
jetty.xml
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="securityLoginService" class="org.eclipse.jetty.jaas.JAASLoginService">
<property name="name" value="LdapRealm" />
<property name="loginModuleName" value="activemq" />
<property name="roleClassNames" value="org.ldaptive.jaas.LdapRole" />
<property name="identityService" ref="identityService" />
</bean>
<bean id="identityService" class="org.eclipse.jetty.security.DefaultIdentityService"/>
<bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
<property name="name" value="BASIC" />
<property name="roles" value="admins,webconsoleadmins" />
<!-- set authenticate=false to disable login -->
<property name="authenticate" value="true" />
</bean>
<bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
<property name="name" value="BASIC" />
<property name="roles" value="admins,webconsoleadmins" />
<!-- set authenticate=false to disable login -->
<property name="authenticate" value="true" />
</bean>
...
<bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
<property name="loginService" ref="securityLoginService" />
<property name="identityService" ref="identityService" />
<property name="authenticator">
<bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
</property>
<property name="constraintMappings">
<list>
<ref bean="adminSecurityConstraintMapping" />
<ref bean="securityConstraintMapping" />
</list>
</property>
<property name="handler" ref="secHandlerCollection" />
</bean>

How to configure activiti.org to work with IBM Domino LDAP groups

I am working on integrating IBM Domino with the activiti.org workflow engine. I need to connect Activiti with Domino LDAP in order to retrieve users and groups.
I can already log in with my Domino credentials but I'm not able to resolve user groups. My user is a member of the ACTIVITI_ADMINS Domino group but doesn't see the activiti-explorer administration menu (the one that the default kermit user sees). I've made the following modifications in the Activiti XML config files. What should I add/rewrite in my config files in order to resolve user groups?
activiti-custom-context.xml
<bean id="processEngineConfiguration" class="org.activiti.spring.SpringProcessEngineConfiguration">
<!--...-->
<property name="configurators">
<list>
<bean class="org.activiti.ldap.LDAPConfigurator">
<!-- Server connection params -->
<property name="server" value="ldap://myDominoLdapServer" />
<property name="port" value="389" />
<property name="user" value="cn=User Ldap, ou=myUnit1, ou=myUnit2, o=myCompany" />
<property name="password" value="myPassword" />
<!-- Query params -->
<property name="baseDn" value="o=myCompany" />
<property name="queryUserByUserId" value="(&amp;(objectClass=inetOrgPerson)(displayname={0}))" />
<property name="queryUserByFullNameLike" value="(&amp;(objectClass=inetOrgPerson)(|({0}=*{1}*)({2}=*{3}*)))" />
<property name="queryGroupsForUser" value="(&amp;(objectClass=groupOfUniqueNames)(uniqueMember={0}))" />
<!-- Attribute config -->
<property name="userIdAttribute" value="displayname" />
<property name="userFirstNameAttribute" value="GivenName" />
<property name="userLastNameAttribute" value="sn" />
<property name="userEmailAttribute" value="mail" />
<property name="groupIdAttribute" value="cn" />
<property name="groupNameAttribute" value="cn" />
</bean>
</list>
</property>
</bean>
activiti-ui-context.xml
<bean name="explorerApp" class="org.activiti.explorer.ExplorerApp" scope="session">
<property name="environment" value="${activiti.ui.environment}" />
<property name="useJavascriptDiagram" value="${activiti.ui.jsdiagram}" />
<property name="i18nManager" ref="i18nManager" />
<property name="viewManager" ref="viewManager" />
<property name="notificationManager" ref="notificationManager" />
<property name="attachmentRendererManager" ref="attachmentRendererManager" />
<property name="formPropertyRendererManager" ref="formPropertyRendererManager" />
<property name="variableRendererManager" ref="variableRendererManager" />
<property name="applicationMainWindow" ref="mainWindow" />
<property name="componentFactories" ref="componentFactories" />
<property name="workflowDefinitionConversionFactory" ref="workflowDefinitionConversionFactory" />
<property name="loginHandler" ref="activitiLoginHandler" />
<property name="simpleWorkflowJsonConverter" ref="simpleWorkflowJsonConverter" />
<property name="adminGroups">
<list>
<value>ACTIVITI_ADMINS</value>
</list>
</property>
<property name="userGroups">
<list>
<value>user</value>
</list>
</property>
</bean>
Your configuration looks right, so the problem must have something to do with the LDAP query used to retrieve the groups for the user:
<property name="queryGroupsForUser" value="(&amp;(objectClass=groupOfUniqueNames)(uniqueMember={0}))" />
Is this query returning the ACTIVITI_ADMIN group?
Well, I've found that the baseDn entry was the reason for my problem. I set an empty value and Activiti is resolving my group now. The activiti-custom-context.xml file contains the following code:
<bean id="processEngineConfiguration" class="org.activiti.spring.SpringProcessEngineConfiguration">
<!--...-->
<property name="configurators">
<list>
<bean class="org.activiti.ldap.LDAPConfigurator">
<!-- Server connection params -->
<property name="server" value="ldap://myDominoLdapServer" />
<property name="port" value="389" />
<property name="user" value="cn=User Ldap, ou=myUnit1, ou=myUnit2, o=myCompany" />
<property name="password" value="myPassword" />
<!-- Query params -->
<!--MY CHANGE START-->
<property name="baseDn" value="" />
<!--MY CHANGE END-->
<property name="queryUserByUserId" value="(&amp;(objectClass=inetOrgPerson)(displayname={0}))" />
<property name="queryUserByFullNameLike" value="(&amp;(objectClass=inetOrgPerson)(|({0}=*{1}*)({2}=*{3}*)))" />
<property name="queryGroupsForUser" value="(&amp;(objectClass=groupOfUniqueNames)(uniqueMember={0}))" />
<!-- Attribute config -->
<property name="userIdAttribute" value="displayname" />
<property name="userFirstNameAttribute" value="GivenName" />
<property name="userLastNameAttribute" value="sn" />
<property name="userEmailAttribute" value="mail" />
<property name="groupIdAttribute" value="cn" />
<property name="groupNameAttribute" value="cn" />
</bean>
</list>
</property>
</bean>

My Jasig doesn't use the user's LDAP password

We have several services that authenticate with an LDAP server; we put JASIG as the main entry point. We deployed JASIG on JBoss 7 and it works well over SSL; however, our LDAP server works over TLS. My problem is that over TLS, for any authenticated user, any user password works, right or wrong.
I do not know why the login is sensitive to the username but not to the password; any password passes.
Thank you.
Here are the interesting parts of my DeployConfigContex.xml file.
This is our AuthenticationManager:
<bean id="authenticationManager"
class="org.jasig.cas.authentication.AuthenticationManagerImpl">
<property name="credentialsToPrincipalResolvers">
<list>
<bean
class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
<property name="credentialsToPrincipalResolver">
<bean
class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
</property>
<property name="filter" value="(cn=%u)" />
<property name="principalAttributeName" value="cn" />
<property name="searchBase" value="ou=ServiciosCentrales,ou=Usuarios,dc=educacion,dc=es" />
<property name="contextSource" ref="contextSource" />
<property name="attributeRepository">
<ref bean="attributeRepository" />
</property>
</bean>
</list>
</property>
<property name="authenticationHandlers">
<list>
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
p:httpClient-ref="httpClient" />
<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
<property name="filter" value="cn=%u" />
<property name="searchBase" value="ou=ServiciosCentrales,ou=Usuarios,dc=educacion,dc=es" />
<property name="contextSource" ref="contextSource" />
<property name="ignorePartialResultException" value="yes" />
</bean>
</list>
</property>
</bean>
This is our contextSource:
<!-- Opening tag not included in the post; the properties below are those of Spring LDAP's LdapContextSource, which this bean is assumed to use. -->
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
<property name="pooled" value="false" />
<property name="userDn" value="cn=secret,dc=educacion,dc=es"/>
<property name="password" value="secret"/>
<property name="url" value="ldap://192.168.0.100:389"/>
<qualifier value="secured"/>
<property name="authenticationStrategy">
<bean class="org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy">
<property name="sslSocketFactory">
<bean class="com.cein.educa.ldap.LDAPSocketFactory" />
</property>
<property name="hostnameVerifier">
<bean class="com.cein.educa.ldap.LDAPHostNameVerifier" />
</property>
<property name="shutdownTlsGracefully" value="true" />
</bean>
</property>
<property name="baseEnvironmentProperties">
<map>
<entry key="java.naming.security.authentication" value="simple" />
</map>
</property>
</bean>
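Before looking at CAS itself, a defender wants to know what the directory answers, independently of CAS, to a bind with a wrong password and with an empty one, over the same StartTLS path the contextSource above uses (DefaultTlsDirContextAuthenticationStrategy negotiates StartTLS on the plain port). The following probe is an added example, not CAS, Spring LDAP or Jetty code: it builds the LDAPv3 BindRequest and the StartTLS ExtendedRequest by hand in BER, parses the LDAPResult, and reports whether the server ever returns resultCode 0 for a password it should reject. Host, port and DN are placeholders you supply; canned_peer() and the two canned responses are constructed so the file runs offline. The empty-password case is included because RFC 4513 allows a server to treat DN plus empty password as an anonymous bind that reports success.

```python
"""Raw LDAP simple-bind probe (added example; not CAS, Spring LDAP or Jetty code).
Builds LDAPv3 BindRequest / StartTLS messages in BER with the standard library only, then
checks that a directory refuses a DN with a wrong or empty password. canned_peer() is a
constructed offline stand-in; host, port and DN for a real server are yours to supply."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def _ber_len(n):
    """BER length octets: short form below 128, else 0x80|count followed by the length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_int(value, tag=0x02):
    """Minimal two's-complement INTEGER (0x02) or ENUMERATED (0x0A)."""
    return _tlv(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))


def build_simple_bind(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }"""
    op = _ber_int(3) + _tlv(0x04, bind_dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x60, op))


def build_starttls(message_id):
    """ExtendedRequest [APPLICATION 23] { requestName [0] = StartTLS OID }"""
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x77, _tlv(0x80, STARTTLS_OID)))


def _read_tlv(buf, pos=0):
    """Decode one element at pos: (tag, contents, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    start = pos + 2 if first < 0x80 else pos + 2 + (first & 0x7F)
    length = first if first < 0x80 else int.from_bytes(buf[pos + 2:start], "big")
    return tag, buf[start:start + length], start + length


def parse_result(buf):
    """messageID, protocolOp tag and resultCode (the first field of every LDAPResult)."""
    tag, msg, _ = _read_tlv(buf)
    assert tag == 0x30, "not an LDAPMessage"
    _, mid, pos = _read_tlv(msg)
    op_tag, op, _ = _read_tlv(msg, pos)
    _, code, _ = _read_tlv(op)
    return {"message_id": int.from_bytes(mid, "big", signed=True), "op_tag": op_tag,
            "result_code": int.from_bytes(code, "big", signed=True)}


def _recv_message(sock):
    """Read until the outer SEQUENCE is complete; its length prefix says how much to expect."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
        hdr = 0 if len(buf) < 2 else (2 if buf[1] < 0x80 else 2 + (buf[1] & 0x7F))
        if hdr and len(buf) >= hdr:
            total = hdr + (buf[1] if hdr == 2 else int.from_bytes(buf[2:hdr], "big"))
            if len(buf) >= total:
                return buf[:total]


def bind_over(sock, bind_dn, password, starttls=False, server_hostname=None, cafile=None):
    """Optional StartTLS, then one simple bind on a connected socket; returns the parsed BindResponse."""
    if starttls:
        sock.sendall(build_starttls(1))
        ext = parse_result(_recv_message(sock))
        if ext["op_tag"] != 0x78 or ext["result_code"] != 0:  # ExtendedResponse must report success
            raise RuntimeError(f"StartTLS refused, resultCode {ext['result_code']}")
        sock = ssl.create_default_context(cafile=cafile).wrap_socket(sock, server_hostname=server_hostname)
    sock.sendall(build_simple_bind(2, bind_dn, password))
    resp = parse_result(_recv_message(sock))
    if resp["op_tag"] != 0x61:  # BindResponse
        raise RuntimeError("expected a BindResponse")
    return resp


def wrong_password_is_rejected(connect, bind_dn, **bind_kwargs):
    """The check. connect() returns a fresh connected socket; a wrong AND an empty password must
    both fail (RFC 4513 lets a server treat DN + empty password as an anonymous bind that succeeds)."""
    for password in ("definitely-not-the-password", ""):
        with connect() as sock:
            if bind_over(sock, bind_dn, password, **bind_kwargs)["result_code"] == 0:
                return False
    return True


def _ldap_result(op_tag, code):  # LDAPResult with empty matchedDN / diagnosticMessage, messageID 2
    return _tlv(0x30, _ber_int(2) + _tlv(op_tag, _ber_int(code, 0x0A) + _tlv(0x04, b"") + _tlv(0x04, b"")))


INVALID_CREDENTIALS = _ldap_result(0x61, 49)  # what a healthy directory answers (constructed)
BIND_SUCCESS = _ldap_result(0x61, 0)          # the behaviour the question describes (constructed)
_CANNED_PEERS = []  # keeps far ends open: a closed peer would make the probe's send fail with EPIPE


def canned_peer(response):
    """Constructed stand-in directory: one end of a socketpair whose far end already holds `response`."""
    near, far = socket.socketpair()
    far.sendall(response)
    _CANNED_PEERS.append(far)
    return near
```

Against the canned peers, wrong_password_is_rejected(lambda: canned_peer(INVALID_CREDENTIALS), "cn=probe") is True and the BIND_SUCCESS variant is False. Against a real directory, pass connect=lambda: socket.create_connection(("ldap.example.invalid", 389), 5) with starttls=True and server_hostname set; a False result means the server itself, not CAS, is accepting the credentials, and a RuntimeError from bind_over means StartTLS was refused before the bind was even attempted.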