Table des matières

Introduction

Ce document a pour objectif d'exposer des procédures de mise en place d'un serveur CAS utilisant LDAP comme backend de stockage des comptes utilisateurs. Des exemples de CASification d'applications seront exposées via des procédures également.

Les procédures sont centrées sur le système d'exploitation Debian GNU/Linux

Gestion de l'autorité de certification

Une des premières étapes est de mettre en place une autorité de certification du et des domaines que l'ont gère afin de permettre les échanges en SSL/TLS entre le serveur CAS et les composants de l'architecture.

Présentation de l’arborescence

CA/domain.tld contient :

Procédure d'utilisation de la CA

cd CA/domain.tld

Éditer le fichier de configuration pour l'adapter à vos besoins.

Par exemple pour gérer 4 “Common Name” pour chaque certificat :

--- 8< --- ./openssl.cnf
...
0.commonName                = Common Name 1 (eg, YOUR name)
0.commonName_max            = 64
1.commonName                            = Common Name 2 (eg, YOUR name)
1.commonName_max                        = 64
2.commonName                            = Common Name 3 (eg, YOUR name)
2.commonName_max                        = 64
3.commonName                            = Common Name 4 (eg, YOUR name)
3.commonName_max                        = 64
... 
--- >8 ---

Création d'une autorité de certification

./newroot.sh

puis suivre le questionnaire.

Création certificat + clé signé sur 4 domaines

./newweb.sh sub_domain.domain.tld

puis suivre le questionnaire.

Par exemple :

./newweb.sh wildcard.asso-cocktail.fr

pour les sous-domaines *.asso-cocktail.{fr,org,com} et *.asso-ckt.fr.

Renouvellement certificat + clé

./resignweb.sh sub_domain.domain.tld

puis suivre le questionnaire.

Conversion PKCS#12

./convert_pkcs12.sh sub_domain.domain.tld

Conversion x509

./convert_x509.sh sub_domain.domain.tld

Installation certificat et clé

Procédure d'installation d'un certificat et de sa clé associée sur une machine.

Installation d'un certificat

Mettre sub_domain.domain.tld-cert.pem dans /etc/ssl/certs :

cd /etc/ssl/certs && certlink.sh sub_domain.domain.tld-cert.pem

Installation d'une clé

Mettre sub_domain.domain.tld-key.pem dans /etc/ssl/private.

Installation du certificat racine

Mettre cacert.pem dans /etc/ssl.

Configuration des logiciels

Tomcat

Installation de tomcat :

apt-get install tomcat6

Installation de l'autorité de certification dans le keystore java :

keytool -keystore /etc/ssl/certs/java/cacerts -alias cocktail_root_ca -delete
keytool -import -v -trustcacerts -alias cocktail_root_ca -file ~/CA/asso-cocktail.fr/cacert.pem -keystore /etc/ssl/certs/java/cacerts
keytool -keystore /root/cocktail.keystore -alias wildcard.asso-cocktail.fr -delete

Conversion en pkcs#12 de la clé et du certificat wildcard.asso-cocktail.fr.

Configuration d'un connecteur SSL/TLS sur tomcat :

cp ~/CA/asso-cocktail.fr/wildcard.asso-cocktail.fr-cert.p12 /usr/share/tomcat6/
--- 8< --- /etc/tomcat6/server.xml
...
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxHttpHeaderSize="8192" 
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/usr/share/tomcat6/wildcard.asso-cocktail.fr-cert.p12" keystorePass="keystorepass" keystoreType="PKCS12" />
...
--- >8 ---

Il peut être opportun de désactiver le connecteur par défaut sur le port 8080 si tomcat ne doit servir que pour le serveur CAS.

Serveur CAS

Construire le serveur CAS avec maven2 sur une autre machine. Le procédure est documenté ici et est correcte : https://wiki.jasig.org/display/CASUM/Building+and+Deploying

Installer/copier le fichier cas.war dans /var/lib/tomcat6/webapps.

Lancer ou relancer tomcat pour déployer cas.war :

invoke-rc.d tomcat6 restart

Copier les fichiers suivants .jar pour le support LDAP :

cp cas-server-support-ldap-3.4.11.jar spring-ldap-core-1.3.1.RELEASE.jar /var/lib/tomcat6/webapps/cas/WEB-INF/lib

Configuration du support LDAP :

--- 8< ---  /path/to/webapps/cas/WEB-INF/deployerConfigContext.xml
...
<property name="authenticationHandlers">
...
                <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
                    <property name="filter" value="uid=%u" />
                    <property name="searchBase" value="dc=asso-ckt,dc=fr" />
                    <property name="contextSource" ref="contextSource" />
                </bean>
....
--- >8 ---

Si seul LDAP en tant que base de comptes va être utilisé, il peut être opportun de commenter les autres types d'authentification.

En tant que “bean” à part entière :

--- 8< ---  /path/to/webapps/cas/WEB-INF/deployerConfigContext.xml
...
            <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
                <property name="anonymousReadOnly" value="false" />
                <property name="pooled" value="true" />
                <property name="urls">
                    <list>
                        <value>ldap://localhost</value>
                    </list>
                </property>
                <property name="baseEnvironmentProperties">
                    <map>
                        <entry>
                            <key><value>java.naming.security.protocol</value></key>
                            <value>tls</value>
                        </entry>
                        <entry>
                            <key><value>java.naming.security.authentication</value></key>
                            <value>simple</value>
                        </entry>
                    </map>
                </property>
            </bean>
...
--- >8 ---
--- 8< ---  /path/to/webapps/cas/WEB-INF/cas.properties
...
server.prefix=https://auth.asso-cocktail.org:8443/cas                  
...               
host.name=auth.asso-cocktail.org                 
...
--- >8 ---

Redémarrer tomcat :

invoke-rc.d tomcat6 restart

CASification

PAM CAS

Il existe un paquet .deb pour debian : https://wiki.jasig.org/display/CASC/PAM+Module

Contenu basique d'une configuration pour un serveur sur le réseau virtuel interne.

--- 8< --- /etc/pam_cas.conf 
# host from CAS server. mandatory
host c2.asso-ckt.fr
 
# port from CAS server. Default to 80 or 443, depends from ssl instruction
port 8443
 
# uri to validate ticket. Default to /proxyValidate
uriValidate /cas/proxyValidate
 
# https or no. values on or off. Default to on.
ssl on
 
# debug (on) or no (off). debug in syslog, level LOG_DEBUG. Default to off
debug on
 
# proxy or proxies who deliver Proxy Ticket.
# If no proxy, pam_cas doesn't control it
# It may be several proxy instructions
proxy https://c2.asso-ckt.fr:8443/cas/proxy
#proxy https://uportal1.its.yale.edu/CasProxyServlet
#proxy https://uportal2.its.yale.edu/CasProxyServlet
 
# trusted_ca. mandatory if ssl on.
# It a file in pem format. It can contents several certificates
# If the CAS server certificate is auto-signed, the file must content the certificate
# If the certificate is trusted by an Certificate Autority, The file must content
#    certificate from high level CA
#trusted_ca /etc/cert/cybertrust_root.pem
trusted_ca /etc/ssl/cacert.pem
--- >8 ---

Ensuite il faut choisir un service qui utilise PAM pour le CASifier, dans l'exemple, prenons vsftpd :

--- 8< --- /etc/pam.d/vsftpd 
...
auth    sufficient   pam_cas.so -sftp://ftp.asso-cocktail.org -f/etc/pam_cas.conf
...
--- >8 ---

DokuWiki

Installation de PHPCAS :

La version 1.3.0 a un bug concerant la gestion du paquetage PEAR. Ce bug n'est plus présent dans la version 1.3.1 donc la section de cette documentation qui réindroduit le fichier package.xml dans l'archive n'est plus nécessaire en version 1.3.1.

wget http://downloads.jasig.org/cas-clients/php/current.tgz
tar zxvf current.tgz
cd CAS-1.3.0/
wget http://pkgs.fedoraproject.org/gitweb/?p=php-pear-CAS.git;a=blob_plain;f=package.xml;hb=HEAD -O package.xml 
tar zcvf CAS-1.3.0.tgz CAS-1.3.0
apt-get install php5-curl
pear install CAS-1.3.0.tgz

Installation du plugin CAS DokuWiki :

Une archive est disponible ici : http://people.aix.steria.org/~jbenoit/software/dokuwiki/plugins/ssocas/.
Elle contient un certain nombre de correctifs par rapport à la version sur le site officiel de DokuWiki mais doit néanmoins exposer tjs des bugs.
Il faut la désarchiver dans /path/to/dokuwiki/lib/plugins :

cd /path/to/dokuwiki/lib/plugins
tar zxvf ssocas.tar.gz

Il est également préférable de rattacher DokuWiki à un système central de gestion des comptes et de leurs droits.

Apache

Le module apache permet de protéger des accès dans certaines directives comme <Location></Location> qui concernent des URIs.

Installation du module CAS pour apache :

apt-get install libapache2-mod-auth-cas
a2enmod auth_cas 
invoke-rc.d apache2 reload

Configuration du module CAS :

mkdir /opt/tmp/cas && chown www-data:www-data /opt/tmp/cas
<IfModule mod_auth_cas.c>
    CASDebug              On
    CASCertificatePath    /etc/ssl/cacert.pem
    CASValidateServer     Off
    CASLoginURL           https://auth.asso-cocktail.org/cas/login
    CASValidateURL        https://auth.asso-cocktail.org/cas/serviceValidate
    # à n'activer que si on veut rattacher le SSO à un domaine spécifique
    # CASCookieDomain       .asso-cocktail.org
    CASCookiePath         /opt/tmp/cas/
</IfModule>

Choisir une URI à protéger ou un répertoire où activer l'authentification CAS; à insérer dans les directives de configuration apache adéquates :

         AuthType CAS
         AuthName "Service Central d'authentification"
         Require valid-user

ProFTPD

Installation du module LDAP :

apt-get install proftpd-mod-ldap

Configuration du module LDAP :

--- 8< --- /etc/proftpd/ldap.conf
...
LDAPServer c2.asso-ckt.fr
LDAPDNInfo "cn=admin,dc=asso-ckt,dc=fr" "mot_de_passe"
LDAPDoAuth on "dc=asso-ckt,dc=fr"
#LDAPDoUIDLookup    on "ou=people,dc=asso-ckt,dc=fr"
#LDAPDoGIDLookup    on "ou=people,dc=asso-ckt,dc=fr"
#LDAPDefaultUID                  1000
#LDAPDefaultGID                  65534
#LDAPDefaultAuthScheme  SSHA1
#
# To be set on only for LDAP/TLS on ordinary port, for LDAP+SSL see below
LDAPUseTLS off
...
--- >8 --- 

Configuration du SSL/TLS :

--- 8< --- /etc/proftpd/tls.conf
...
TLSEngine                               on
TLSLog                                  /var/log/proftpd/tls.log
TLSProtocol                             TLSv1
#
# Server SSL certificate. You can generate a self-signed certificate using 
# a command like:
#
# openssl req -x509 -newkey rsa:1024 \
#          -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt \
#          -nodes -days 365
#
# The proftpd.key file must be readable by root only. The other file can be
# readable by anyone.
#
# chmod 0600 /etc/ssl/private/proftpd.key 
# chmod 0640 /etc/ssl/private/proftpd.key
# 
TLSRSACertificateFile                   /etc/ssl/certs/wildcard.asso-cocktail.fr-cert.pem
TLSRSACertificateKeyFile                /etc/ssl/private/wildcard.asso-cocktail.fr-key.pem
#
# CA the server trusts
TLSCACertificateFile             /etc/ssl/cacert.pem
# or avoid CA cert and be verbose
TLSOptions                             NoCertRequest EnableDiags
#
# Per default drop connection if client tries to start a renegotiate
# This is a fix for CVE-2009-3555 but could break some clients.
#
TLSOptions                          AllowClientRenegotiations
#
# Authenticate clients that want to use FTP over TLS?
#
TLSVerifyClient                         off
#
# Are clients required to use FTP over TLS when talking to this server?
#
TLSRequired                             off
#
# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotations.  Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
#
TLSRenegotiate                          required off
...
--- >8 ----

Activation des configurations et modules :

--- 8< --- /etc/proftpd/modules.conf 
...
LoadModule mod_ldap.c
...
--- >8 --- 
--- 8< --- /etc/proftpd/proftpd.conf 
...
# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
PassivePorts                  65434 65534
 
# If your host was NATted, this option is useful in order to
# allow passive tranfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
MasqueradeAddress       188.165.41.115
MasqueradeAddress       ftp.asso-cocktail.fr
...
Include /etc/proftpd/ldap.conf
...
Include /etc/proftpd/tls.conf
...
--- >8 --- 

Ne pas oublier d'adapter la configuration du firewall pour l'intervalle de ports choisis pour les transferts passifs.

La CASification en elle même de ProFTPD peut se faire via PAM CAS mais çà restera imparfait en terme de SSO.

Jenkins

Il n'est pas possible de mettre en place deux types d'authentification différentes dans Jenkins, il faut choisir parmi toutes celles disponibles une et une seule.

LDAP

Voici ce que génère l'interface d'administration de Jenkins :

--- 8< --- /var/lib/jenkins/config.xml
...
<securityRealm class="hudson.security.LDAPSecurityRealm">
    <server>c2</server>
    <rootDN></rootDN>
    <inhibitInferRootDN>false</inhibitInferRootDN>
    <userSearchBase>dc=asso-ckt,dc=fr</userSearchBase>
    <userSearch>uid={0}</userSearch>
</securityRealm>
...
--- >8 ---

CAS

Importation du certificat racine dans le keystore de Jenkins:

keytool -import -v -trustcacerts -alias cocktail_root_ca -file ~/cacert.pem -keystore /var/lib/jenkins/tools/javaBinary/jdk1.7.0_03/jre/lib/security/cacerts

Jenkins gère CAS mais en version 1 seulement. L'interface d'administration permet de générer une configuration fonctionnelle.

Il faut bien préciser l'URI publique du serveur CAS : https://auth.asso-cocktail.org/cas.

Pour rendre le CAS fonctionnel sur Jenkins, il faut tout d'abord compiler le serveur CAS avec le support de la version 1. Ce n'est pas forcement souhaitable car la version 1 expose quelques problèmes de sécurité.

SYMPA

LDAP

--- 8< --- /etc/sympa/auth.conf
...
ldap
      host                  c2:389
      timeout               30
      suffix                dc=asso-ckt,dc=fr
      get_dn_by_uid_filter   (uid=[sender])
      get_dn_by_email_filter    (mail=[sender])
      email_attribute   mail
      scope sub
...
--- >8 ---

CAS

FIXME

Alfresco

LDAP

mkdir -p /opt/alfresco-4.0.c/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap1
cp -a /opt/alfresco-4.0.c/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap/ldap-authentication.properties /opt/alfresco-4.0.c/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap1/
--- 8< --- /opt/alfresco-4.0.c/tomcat/shared/classes/alfresco-global.properties
...
# Authentification
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap
...
--- >8 ---
--- 8< --- /opt/alfresco-4.0.c/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap1/ldap-authentication.properties
...
# This flag enables use of this LDAP subsystem for authentication. It may be
# that this subsytem should only be used for synchronization, in which case
# this flag should be set to false.
ldap.authentication.active=true
 
#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#
ldap.authentication.allowGuestLogin=false
# How to map the user id entered by the user to that passed through to LDAP
# - simple 
#    - this must be a DN and would be something like
#      uid=%s,ou=People,dc=company,dc=com
# - digest
#    - usually pass through what is entered
#      %s
# If not set, an LDAP query involving ldap.synchronization.personQuery and ldap.synchronization.userIdAttributeName will 
# be performed to resolve the DN dynamically. This allows directories to be structured and doesn't require the user ID to
# appear in the DN.
ldap.authentication.userNameFormat=
 
# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
 
# The URL to connect to the LDAP server 
ldap.authentication.java.naming.provider.url=ldap://c2:389
 
# The authentication mechanism to use for password validation
ldap.authentication.java.naming.security.authentication=simple
 
# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false
 
# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is 
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false
 
# Comma separated list of user names who should be considered administrators by default
ldap.authentication.defaultAdministratorUserNames=
 
# This flag enables use of this LDAP subsystem for user and group
# synchronization. It may be that this subsytem should only be used for 
# authentication, in which case this flag should be set to false.
ldap.synchronization.active=true
 
# The authentication mechanism to use for synchronization
ldap.synchronization.java.naming.security.authentication=simple
 
# The default principal to use (only used for LDAP sync)
ldap.synchronization.java.naming.security.principal=cn=System Administrator-admin,ou=people,dc=asso-ckt,dc=fr
 
# The password for the default principal (only used for LDAP sync)
ldap.synchronization.java.naming.security.credentials=password
 
# If positive, this property indicates that RFC 2696 paged results should be
# used to split query results into batches of the specified size. This
# overcomes any size limits imposed by the LDAP server.
ldap.synchronization.queryBatchSize=100
 
# If positive, this property indicates that range retrieval should be used to fetch
# multi-valued attributes (such as member) in batches of the specified size.
# Overcomes any size limits imposed by Active Directory.        
ldap.synchronization.attributeBatchSize=100
 
# The query to select all objects that represent the groups to import.
ldap.synchronization.groupQuery=(objectclass=posixGroup)
 
# The query to select objects that represent the groups to import that have changed since a certain time.
ldap.synchronization.groupDifferentialQuery=(&(objectclass=posixGroup)(!(modifyTimestamp<={0})))
 
# The query to select all objects that represent the users to import.
ldap.synchronization.personQuery=(objectclass=inetOrgPerson)
 
# The query to select objects that represent the users to import that have changed since a certain time.
ldap.synchronization.personDifferentialQuery=(&(objectclass=inetOrgPerson)(!(modifyTimestamp<={0})))
# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
ldap.synchronization.groupSearchBase=dc\=asso-ckt,dc\=fr
 
# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
ldap.synchronization.userSearchBase=dc\=asso-ckt,dc\=fr
 
# The name of the operational attribute recording the last update time for a group or user.
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
 
# The timestamp format. Unfortunately, this varies between directory servers.
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
 
# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronization.userIdAttributeName=uid
 
# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronization.userFirstNameAttributeName=givenName
 
# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronization.userLastNameAttributeName=sn
 
# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronization.userEmailAttributeName=mail
 
# The attribute on person objects in LDAP to map to the organizational id  property in Alfresco
ldap.synchronization.userOrganizationalIdAttributeName=o
 
# The default home folder provider to use for people created via LDAP import
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
 
# The attribute on LDAP group objects to map to the authority name property in Alfresco
ldap.synchronization.groupIdAttributeName=cn
 
# The attribute on LDAP group objects to map to the authority display name property in Alfresco
ldap.synchronization.groupDisplayNameAttributeName=description
 
# The group type in LDAP
ldap.synchronization.groupType=posixGroup
 
# The person type in LDAP
ldap.synchronization.personType=inetOrgPerson
# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronization.groupMemberAttributeName=memberUid
 
# If true progress estimation is enabled. When enabled, the user query has to be run twice in order to count entries.
ldap.synchronization.enableProgressEstimation=true
--- >8 ---
service alfresco restart