This article describes in detail the steps for integrating CAS with LDAP to implement single sign-on.
1. Install CAS Server as described in "SSO: Installing CAS Server".
2. Install ApacheDS. Once ApacheDS is installed, it can be maintained with Apache Directory Studio. Note that ApacheDS listens on port 10389, and the default administrator user is uid=admin,ou=system with the password secret.
3. Create the organisational structure. All users are created under ou=people,dc=example,dc=com. The first level is the department; below that come the staff, or possibly further sub-departments.
4. Open tomcat/webapps/cas/WEB-INF/deployerConfigContext.xml and locate the following:
<!--
  | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
  | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
  | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your
  | local authentication strategy. You might accomplish this by coding a new such handler and declaring
  | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
  +-->
<bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
Change it to the following (the test handler is commented out and replaced by the LDAP bind handler):
<!-- <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" /> -->
<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
    <property name="filter" value="cn=%u" />
    <property name="searchBase" value="ou=people,dc=example,dc=com" />
    <property name="contextSource" ref="contextSource" />
    <property name="allowMultipleAccounts" value="true" />
</bean>
The contextSource definition must also be added at the end of the file:
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="userDn" value="uid=admin,ou=system" />
    <property name="password" value="secret" />
    <property name="pooled" value="true" />
    <property name="urls">
        <list>
            <value>ldap://192.168.12.250:10389</value>
        </list>
    </property>
    <property name="baseEnvironmentProperties">
        <map>
            <entry key="java.naming.security.authentication" value="simple" />
        </map>
    </property>
</bean>
5. Copy modules/cas-server-support-ldap-3.5.2.1.jar from cas-server-3.5.2.1-release.zip into cas/WEB-INF/lib. Download spring-ldap-core and spring-ldap-core-tiger into cas/WEB-INF/lib as well; note that for this version of CAS Server, version 1.3.2 works best. For details, see "Debugging CAS Server 3.5.2.1 in Eclipse".
6. Restart Tomcat and test by logging in at cas/login.
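The search-then-bind flow that BindLdapAuthenticationHandler performs with the configuration above, as an added Python model (this is not CAS or Spring LDAP code): the directory is an in-memory stand-in with constructed entries, the filter, searchBase and allowMultipleAccounts values are the ones from deployerConfigContext.xml, and the model also applies RFC 4515 escaping to the username and rejects an empty password, since an LDAP simple bind with an empty password is an unauthenticated bind rather than a failed one.

```python
import re

SEARCH_BASE = "ou=people,dc=example,dc=com"
FILTER = "cn=%u"                 # same filter as in deployerConfigContext.xml
ALLOW_MULTIPLE_ACCOUNTS = True   # the allowMultipleAccounts property

# Constructed sample data standing in for ApacheDS: departments under
# ou=people with staff below them, as the tree in step 3 describes.
DIRECTORY = {
    "cn=alice,ou=dev,ou=people,dc=example,dc=com": {"cn": "alice", "userPassword": "alice-pw"},
    "cn=bob,ou=sales,ou=people,dc=example,dc=com": {"cn": "bob", "userPassword": "bob-pw"},
    "cn=bob,ou=support,ou=people,dc=example,dc=com": {"cn": "bob", "userPassword": "bob-pw2"},
    "uid=admin,ou=system": {"cn": "admin", "userPassword": "secret"},  # outside searchBase
}

def escape_filter_value(value):
    """RFC 4515 escaping: a username must not be able to change the filter's structure."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def unescape_filter_value(value):
    """Reverse of escape_filter_value, so the in-memory compare sees the literal value."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def search(base, filter_template, username):
    """Subtree search under base; returns the DNs of entries matching the filter."""
    attr, _, raw = filter_template.replace("%u", escape_filter_value(username)).partition("=")
    wanted = unescape_filter_value(raw)
    return [dn for dn, entry in DIRECTORY.items()
            if dn.endswith("," + base) and entry.get(attr) == wanted]

def bind(dn, password):
    """Simple bind: succeeds only when the DN exists and userPassword matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["userPassword"] == password

def authenticate(username, password):
    """Search, then bind as each candidate DN; returns the DN that bound, or None."""
    if not password:  # empty password = unauthenticated bind on a real server; never accept it
        return None
    dns = search(SEARCH_BASE, FILTER, username)
    if len(dns) > 1 and not ALLOW_MULTIPLE_ACCOUNTS:
        return None
    for dn in dns:  # with allowMultipleAccounts, every entry with that cn is tried
        if bind(dn, password):
            return dn
    return None
```

The "bob" entries show why allowMultipleAccounts matters in a tree where the same cn can appear under different departments, and the admin entry shows that searchBase scoping keeps the bind account itself out of the candidate set.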
Notes:
1. When CAS authentication has problems, check cas.log.
2. The LDAP entries do not need a uid attribute, but they must have a userPassword attribute.
References:
SSO: CAS + LDAP single sign-on authentication
SSO: CAS single sign-on demo
Debugging CAS Server 3.5.2.1 in Eclipse