Setting up SSO with CAS and LDAP

This post provides a tutorial on how to set up SSO functionality using CAS with LDAP authentication as the backend. The setup aims at authenticating web services via CAS, which provides single sign-on using LDAP user credentials. We make use of the great Zentyal derivative of Ubuntu, which makes configuration really comfortable as it handles all the major complex tasks (Squid hurts a little, bind hurts a lot) by configuring modules on a neat GUI accessible from any browser.

Well, maybe not any browser – we haven’t ever tested firing up the GUI on Internet Explorer but being able to configure complex server layouts and using IE is an oxymoron.

We love Ruby. We love CAS. A lot. We’ve examined many different SSO services, but CAS is one of the most mature solutions, plus it scales to enterprise size. While CAS is enterprise ready, it is not yet doomed to be bloated or heavyweight, as RubyCAS is still a vital and lightweight implementation.

Infrastructure

The gateway system is a Zentyal 3.2 server based upon Ubuntu 12.04. We aren’t too fond of cutting edge systems which are most likely to break whenever possible, so the 3.2 release was our latest stable experience. We call this guy zentyal throughout this tutorial and assign the internal IP 10.0.0.10.

The deployment system is an Ubuntu Server 14.04 which hosts different instances of webservices like ownCloud, Redmine, Github, Question2Answer, Drupal and many more. Slapd provides LDAP, RubyCAS (which we have forked ‘n’ fixed) provides CAS. The name of this big boy in this tutorial is devserver and lives at 10.0.0.50.

For RubyCAS we of course need Ruby on our system, so we compiled 2.1.1 from source. Jump to the last paragraph to read what you have to do in order to overcome the compile errors; it is a rather simple fix but hard to find on the internet. Just to mention, RubyCAS is a Rack application, not a Rails application. You’ll also need php-cas installed for many applications; we’ll post another entry which incorporates all the different readmes and config options, please be patient until we’re done. Meanwhile you could go to our GitHub page to find out more.

We chose PostgreSQL as our database, as we always do. You can go with MySQL as well but we don’t recommend doing so. When you decide to implement an SSO solution you’ll most likely manage a larger user base, which directly translates to lots of data sets. Use Postgres, elephants are much cooler than dolphins.

Topology

Installation and configuration

We have split our environment’s configuration apart into the configuration of the so called ‘devserver’ (CAS & Apache) and the Zentyal Gateway/DNS (Apache with ReverseProxy config).

Preface

Our configuration heavily differs from the standard, as we run our web services – including Apache – from the /srv directory. The /srv directory incorporates separate /etc and /var subdirectories so we can run different configuration sets for experimental purposes. The config per se is not experimental, but what we do with our environment is. Simply translate /srv/cas/var/www to /var/www so it fits your environment.

Devserver CAS Configuration


To install CAS, clone the git repo into the /srv/ directory (see the paragraph above – use /var/www if you do not want to follow our structure).
# if the directory doesn't exist: create it
cd /srv/cas/var/www/
sudo git clone https://github.com/rubycas/rubycas-server.git
sudo mv rubycas-server cas
cd cas
sudo cp config/config.example.yml config.yml

Of course you can clone our repository which you can find on our GitHub page.

Now we have to modify config.yml to fit our needs for authenticating against LDAP. There is no need to create an ssl_cert since the CAS server is hosted in a trusted network; connections are only allowed from our Zentyal server.

The following config file summarises all the essential options:

config.yml

server: webrick # RubyCAS comes with WEBrick but we'll provide a Passenger config later
port: 444
uri_path: /cas
database:
  adapter: postgresql
  database: cas_server
  username: cas
  password: 'SWORDFISH'
  host: 10.0.0.10
  reconnect: true
authenticator:
  class: CASServer::Authenticators::LDAP
  ldap:
    host: hostname.yourserver.com
    port: 390 # could be 389 in your case
    base: 'ou=Users,dc=yourserver,dc=com'
    username_attribute: uid
    filter: '(memberof=cn=__USERS__,ou=Groups,dc=yourserver,dc=com)'
    auth_user: 'cn=zentyalro,dc=yourserver,dc=com'
    auth_password: 'somecrypto'
extra_attributes: cn, mail, givenName, sn, dn
theme: simple
infoline: Single-Sign-On by Leonis
organization: Leonis # your_org
log:
  file: /var/log/casserver.log
  level: DEBUG

Our configuration stores live data in the Postgres database cas_server. This database has to be created first! Also be aware that in our case the database is provided by 10.0.0.10 (hostname.yourserver.com) and has to be created there.


sudo -u postgres createuser cas
sudo -u postgres createdb -O cas cas_server # create the DB and assign it to the user

Run

bundle install # ignore the yellow warning for now

and fix any further missing dependencies (can vary from version to version).

Start the CAS server by using (or see Appendix for init-script)


sudo bundle exec rubycas-server -c config.yml

Devserver (CAS-Server) Apache Configuration

Create /etc/apache2/sites-available/cas.conf

cas.conf

# <VirtualHost *:80>   you read right: this line stays commented out
# let Passenger run more than one instance
# (Apache does not allow comments after a directive on the same line)
PassengerMinInstances 3
<Directory /srv/shared/var/www/cas>
  AllowOverride all
  RailsBaseURI /cas
  PassengerAppRoot /srv/cas/var/www/casrails
  PassengerResolveSymlinksInDocumentRoot on
  # MultiViews must be turned off.
  Options -MultiViews
</Directory>
# </VirtualHost>   that one keeps its sharp too

As our devserver runs Ubuntu 14.04 with Apache 2.4 we do not have to specify the suffix .conf for our vHost but we don’t want to confuse people. There are many, many servers out there running Ubuntu 12.04 – we are better safe than sorry.
Most important here: You do not want to create a separate vHost but only a separate file for a directory. There is no need to create any hassle, Passenger is sensitive so don’t hurt its feelings.

Run

sudo a2ensite cas.conf

Make sure to have set up all your directory entries in sites-available/default correctly and /cas/ is reachable.

Gateway / Webserver (Zentyal)

Configuring the reverse proxy is simply done by adding entries to your Apache configuration when mod_proxy is enabled. Let’s first enable these mods by applying:


sudo a2enmod proxy
sudo a2enmod proxy_html
sudo a2enmod proxy_http

You need to reload and restart Apache after enabling the mods. Next we are going to add the necessary entries to our vHosts, first default (or 000-default):

/etc/apache2/sites-available/default

ProxyPass /cas http://10.0.0.50:444/cas

As we prefer to take a walk on the SSL side, here goes default-ssl:

/etc/apache2/sites-available/default-ssl

ProxyPass /cas https://10.0.0.50:444/cas

and moreover these entries go to both:

default and default-ssl
ProxyRequests Off
ProxyPreserveHost On

<Proxy *>
      Order deny,allow
      Allow from all
</Proxy>

For God’s sake do not miss ProxyRequests Off. If you forget it, Apache also acts as a forward proxy for anyone on the internet, and we wish you happy times with not being able to reach Google, since botnets are going to heavily abuse your open proxy. We have a solid configuration for Fail2Ban and DenyHosts, please feel free to contact us.
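To see whether the gateway was ever abused the way described above, the following added example (our own, not part of the original post) scans Apache access-log lines for forward-proxy requests: targets that name a foreign host as an absolute URI, or CONNECT requests. The host names, IPs and log lines are constructed for the example.

```ruby
require 'uri'

# Hosts that legitimately belong to this gateway (assumption for the example).
OWN_HOSTS = %w[gateway.example.com 10.0.0.10].freeze

# Constructed sample lines in Apache "combined" log format.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [10/Mar/2014:10:01:12 +0100] "GET /cas/login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
  198.51.100.9 - - [10/Mar/2014:10:01:15 +0100] "GET http://www.google.com/ HTTP/1.1" 200 4221 "-" "-"
  198.51.100.9 - - [10/Mar/2014:10:01:16 +0100] "CONNECT mail.example.org:443 HTTP/1.1" 200 0 "-" "-"
  203.0.113.7 - - [10/Mar/2014:10:02:30 +0100] "GET http://gateway.example.com/cas/serviceValidate HTTP/1.1" 200 612 "-" "-"
  198.51.100.9 - - [10/Mar/2014:10:03:01 +0100] "GET http://example.net/ HTTP/1.1" 403 199 "-" "-"
LOG

LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+" (?<status>\d{3})/

# True when the request asks Apache to fetch a foreign origin on the client's
# behalf, which is what "ProxyRequests Off" refuses.
def forward_proxy_request?(method, target)
  return true if method == 'CONNECT'
  uri = begin
    URI.parse(target)
  rescue URI::InvalidURIError
    nil
  end
  return false unless uri.is_a?(URI::HTTP) && uri.host
  !OWN_HOSTS.include?(uri.host.downcase)
end

# Groups forward-proxy requests per client IP; a 2xx/3xx status means the
# proxy actually served the request, i.e. ProxyRequests was effectively On.
def scan_proxy_abuse(log_text)
  findings = Hash.new { |h, k| h[k] = { attempts: 0, served: 0 } }
  log_text.each_line do |line|
    m = LINE_RE.match(line) or next
    next unless forward_proxy_request?(m[:method], m[:target])
    entry = findings[m[:ip]]
    entry[:attempts] += 1
    entry[:served] += 1 if m[:status].to_i < 400
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  scan_proxy_abuse(SAMPLE_LOG).each do |ip, stats|
    puts "#{ip}: #{stats[:attempts]} forward-proxy requests, #{stats[:served]} served"
  end
end
```

Run it against your real access.log (e.g. File.read('/var/log/apache2/access.log')); a non-zero served count for any IP means the proxy was open at the time.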

Appendix

Pitfalls

During the setup of the environment we have found and eliminated some pitfalls.

Extra-attributes provided by LDAP

The extra_attributes setting for RubyCAS seems to work fine, but the XML conversion was a little bit buggy when talking to RubyCAS from the phpCAS library. We created a workaround which solved the problem of the leading "---" and whitespace in the extra attributes by changing the XML builder method in lib/casserver/server.rb.
Instead of .to_yaml, the CDATA is now built from the first element of the value array as a plain string, which gives you the exact, clean value of each extra attribute.

Changed

lib/casserver/server.rb

builder.cdata! value.to_yaml

into

lib/casserver/server.rb

builder.cdata! value.first.to_s
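The following added example (ours, not taken from the rubycas-server code) reproduces the difference between the two builder lines: it wraps a constructed attribute hash in a minimal serviceValidate-style response using each conversion and parses the CDATA back the way a client would.

```ruby
require 'yaml'
require 'rexml/document'

# Constructed sample of what the LDAP authenticator hands to the response
# builder: net-ldap returns every attribute as an array of values.
EXTRA_ATTRIBUTES = { 'cn' => ['John Doe'], 'mail' => ['john.doe@example.com'] }.freeze

# The original builder line (value.to_yaml): emits a whole YAML document, i.e.
# the "---" marker, a "- " list prefix and a trailing newline inside the CDATA.
def cdata_yaml(value)
  value.to_yaml
end

# The patched builder line (value.first.to_s): emits just the first value.
def cdata_first(value)
  value.first.to_s
end

# Minimal stand-in for the <cas:attributes> block of a serviceValidate response;
# the block decides how each attribute value is converted.
def attributes_xml(attrs, &conv)
  body = attrs.map { |name, value| "<cas:#{name}><![CDATA[#{conv.call(value)}]]></cas:#{name}>" }.join
  "<cas:serviceResponse xmlns:cas=\"http://www.yale.edu/tp/cas\">" \
  "<cas:authenticationSuccess><cas:user>jdoe</cas:user>" \
  "<cas:attributes>#{body}</cas:attributes>" \
  "</cas:authenticationSuccess></cas:serviceResponse>"
end

# What a client such as phpCAS ends up with after reading the CDATA text.
def parse_attributes(xml)
  doc = REXML::Document.new(xml)
  doc.elements.to_a('//cas:attributes/*').each_with_object({}) do |el, h|
    h[el.name] = el.text
  end
end

if $PROGRAM_NAME == __FILE__
  p parse_attributes(attributes_xml(EXTRA_ATTRIBUTES) { |v| cdata_yaml(v) })
  p parse_attributes(attributes_xml(EXTRA_ATTRIBUTES) { |v| cdata_first(v) })
end
```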

Use CAS’ extra-attributes instead of LDAP directly

CAS has a wonderful syntax and can provide LDAP attributes on its own to application servers. Instead of populating the user databases of the app-servers via LDAP directly, CAS can be used as an interface between them and provide additional data to users stored in the directory. The extra attributes can be used for creating users in the local databases. If application servers talk to LDAP and CAS simultaneously, unexpected results may occur.

SSL Certificate Issue for rubyCAS

In our environment a certificate for rubyCAS is not absolutely necessary since the connection between clients from the internet and Zentyal is already encrypted and CAS only communicates in a trusted LAN. Therefore – for now – no SSL encryption for providing (CAS-)tickets has been enabled.
It also seems like CAS may have some issues with the reverse proxy and the domain name when trying to use and validate the certificate. Further investigation will be necessary to use it productively. We will assign Jacques CacheFleau to dive deeper into this matter.

Init-script for rubycas

Save this file to /etc/init.d/rubycas and do a


sudo chmod +x /etc/init.d/rubycas

After that you can simply run


sudo service rubycas start|stop|restart

to manage the server.

bash_script

#!/bin/bash
# Adjust these two to your layout (see the hint below)
CAS_DIR=/srv/cas/var/www/casrails
CAS_PORT=444

# Sets $PID to the process listening on $CAS_PORT and returns 0 if there is one.
# Matching ":444 " followed by LISTEN avoids false hits on other ports or on
# PIDs that merely contain the digits 444.
function isRunning {
  PID=`sudo netstat -pantl | grep -E ":${CAS_PORT} .*LISTEN" | awk ' { print $7 } ' | cut -d"/" -f1 | head -n 1`
  if [ "$PID" != "-" ] && [ "$PID" != "" ]
  then
    if [ "$PID" -gt "0" ]
    then
      return 0
    else
      return 1
    fi
  else
    return 1
  fi
}

function shutdown_cas {
  if isRunning
  then
    echo -n "Shutting down rubycas…"
    sudo kill "$PID"
    echo "done."
  else
    echo "rubycas not running mumble mumble"
  fi
}

function start_cas {
  if isRunning
  then
    echo "rubycas already running mumble mumble"
  else
    echo -n "Starting rubycas…"
    cd "$CAS_DIR" || exit 1
    # run detached; stdout and stderr go to current_output.log
    bundle exec rubycas-server -c "$CAS_DIR/config.yml" &> "$CAS_DIR/current_output.log" &
    echo "done."
  fi
}

case "$1" in
  start)
    start_cas
    ;;

  stop)
    shutdown_cas
    ;;

  restart)
    if isRunning
    then
      echo "Detected running RubyCAS"
      shutdown_cas
      sleep 3s
      start_cas
    else
      start_cas
    fi
    ;;

  *)
    echo $"Usage: $0 {start|stop|restart}"
    exit 1
esac

Hint: Watch out for the proper directories! Replace /srv/cas/var/www with your configuration accordingly. Also, when cloning rubycas, do not forget to create a symlink to your /public directory inside the cas directory. In our case, we renamed the cas directory to casrails.

Compiling Ruby 2.1.1 properly

Hint: Use a newer Ruby version now! This is outdated, yet you get the idea of what to do.


sudo apt-get install autoconf automake bison build-essential curl git git-core libc6-dev libreadline6 libreadline6-dev libssl-dev libsqlite3-dev libtool libxml2-dev libxslt-dev libxslt1-dev libyaml-dev ncurses-dev openssl sqlite3 zlib1g zlib1g-dev


wget http://ftp.ruby-lang.org/pub/ruby/2.1/ruby-2.1.1.tar.gz
tar -xzvf ruby-2.1.1.tar.gz
cd ruby-2.1.1/

If you continue compiling you will see:

compiling_ruby_freaking_out

# man, this truly sucks
readline.c: In function ‘Init_readline’:
readline.c:1977:26: error: ‘Function’ undeclared (first use in this function)
     rl_pre_input_hook = (Function *)readline_pre_input_hook;
                          ^
readline.c:1977:26: note: each undeclared identifier is reported only once for each function it appears in
readline.c:1977:36: error: expected expression before ‘)’ token
     rl_pre_input_hook = (Function *)readline_pre_input_hook;
                                    ^
readline.c: At top level:
readline.c:634:1: warning: ‘readline_pre_input_hook’ defined but not used [-Wunused-function]
readline_pre_input_hook(void)

So we fix this quickly by replacing a line:


cd ext/readline/
sudo nano readline.c

CTRL+W # search for rl_pre_input_hook = (Function *)readline_pre_input_hook;

# delete this line
CTRL+SHIFT+V # replace with rl_pre_input_hook = (rl_hook_func_t *)readline_pre_input_hook;

Save, exit and continue:


./configure
make
sudo make install
ruby -v # Victory! All your gem is now belong to us.

Protip: Real men use checkinstall.

Questions?

Since you are using Zentyal why not Kerberos?

Why not Zoidberg? Kerberos is kool but some webservices are just not capable of handling that beast.

Will it work with my webservices? And whom to complain to if it doesn’t work?

We are the maintainers of the ownCloud user_cas plugin and of the Question2Answer qa-external-cas plugin. You can file bug reports on GitHub or contact us here. We’re also working on the rubycas-server itself plus know how to work with the Redmine CAS plugin.
If you would like us to set up your environment simply let us know.

Seriously, why this /srv/cas thingy?

As already mentioned we have a special taste for unbreakable stuff, so we love to keep our applications separated from each other. Also we are great fans of keeping our configs tracked by Git. We have a GitLab instance up and running, also residing in /srv/, where there’s no need to mess with directory permissions and keeping them secure so that Apache (…) and so on and so on.

Oh, this /srv thingy doesn’t sound stupid, can you tell me more about it?

Of course! We are working on an automatic installer for one-command installation with dependency check and live updates. For now we are hosting it at our GitLab but we’ll publish it to GitHub and Launchpad (later on). We even have already agreed on the command, which will be ‘leonis-install’. You read right, it’s because of the Lion’s Pride to call it that way. Funny pun, don’t you think?

OK, never mind.

If you have any questions feel free to contact us anytime. If you find it was a good read you are very welcome to hit one of these sharing buttons below the text. We appreciate that a lot!


Christopher Semmler

Christopher Semmler is our CEO and works in our IT and Finance Division. Apart from Business Development he makes technology decisions, works on platforms and Digital Marketing. He holds a Magister degree in Corporate Finance and Information Systems, loves to play with new tech and is specialised in the low level area.

Comments

  1. jahnvass (not verified)

    Mobdro Apk is an incredibly amazing media-streaming software that allows you appreciate tv-shows, films, sports, as well as a complete lot of media from your internet. So today, in this write-up here; we will have a full fledged dialogue iPhone, on Mobdro Get APK Android Apk, PC.http://mobdro-downloads.com/

  1. shilpa sharma (not verified)

    I have included and shared your page my electronic obliging correspondence records to send individuals back to your page since I am certain they will discover it to a bewildering degree persistent as well Escorts in kashmere gate Call Girls in kashmere gate

  1. SAS Training (not verified)

    This course is for clients who need to figure out how to compose SAS programs. It is the section point to learning SAS programming and is an essential to numerous different SAS courses.

  1. vishnu reddy (not verified)

    Hii you are providing good information.Thanks for sharing AND Hadoop online Courses, Hadoop Online Training ISB HYD Trained Faculty with 10 yrs of Exp See below link Hadoop Online Training in Hyderabad

  1. Christopher Nolan (not verified)

    It bound to be bloated or of substantial weight, as making utilization of RubyCAS sets up an imperative and light weight usage. This association points on validating Do My Essay web administrations by means of CAS which will give solitary symbol on utilizing client accreditation.

  1. Sarah Taylor (not verified)

    Could you please share with us video tutorial link of Installation and configuration actually my friend is saying to me “you should Pay Someone To Do Your Dissertation it will be better for you” but I want to research first.

  1. Alizay Mark (not verified)

    Might you be able to please impart to us video instructional exercise connection of Installation and arrangement really my companion is starting to me you should it will be better for Buy essay online cheap you however I need to investigation first.

  1. abonnement xbox live (not verified)

    If there had not been a study lock, the generator would certainly be pounded by robots that would certainly take all the codes prior to genuine individuals like on your own obtain any type of. abonnement xbox live

  1. Dissertation Wr... (not verified)

    I think this normally happens with the robots file. I was reading about this on one of these Dissertation Writing Services and they explained it pretty nicely too.

  1. kamal (not verified)

    As we are regularly operating on that trick weapon pixel gun 3d cheats making it extra reliable and also valuable for our visitors, we have actually included several brand new abilities so you can use it without trouble.

  1. Ellie Malan (not verified)

    Investigate the review on building a CAS server I did for a short time back. Custom Essay Help Service, It should make it straightforward..

  1. Dianna Brassard (not verified)

    The recommences composed by Professional essay help Service will correspond with you and assurance that you get the resume that cabinets your value as an employable candidate. They assurance that skills and masked gifts are qualified in a manner that the recommence just elements the most notable parts of an separate.it helps you to differentiate the worth you offer a possible business, and professionally essay writing help presents your competences, teaching, experience, and skills; focuses on your career pursuit crusade; and supplies you with canny, career hunt management devices to help in convincing career inquiry battle management.

  1. ALina Olive (not verified)

    The additional traits can be utilized for making clients in the nearby databases. In the event that application servers converse with LDAP and CAS all the while, Custom Homework Service sudden outcomes may happen.

  1. jessica alex (not verified)

    This is why students are really felt lazy on their In the present some smart students are try to find some best external writing support for their writing use. Because this online supports is giving a top best for their users. They are having fine talented and professionally good writers to complete the dissertation. help with accounting assignment

  1. jordansaq (not verified)

    yeezy350find When I saw your article, especially this post you satisfied me amazingly.

  1. 1len jordanss123 (not verified)

  1. Gordon Banes (not verified)

    This is an amazing infrastructure. So complex and so sophisticated. I like how technology works. soundcloud music promotion

  1. Coursework (not verified)

    We adore CAS. A ton. We've inspected a wide range of SSO administrations, however CAS is a standout amongst the most develop arrangements in addition to it is endeavor adaptable. Coursework While CAS is venture prepared, it is not yet destined to be bloated or of overwhelming weight, as making utilization of RubyCAS still sets up an imperative and light weight execution.

  1. Melisa Martin (not verified)

    Perfect! Just what I needed for my project. I ordered something really amazing from PapersBee but they delayed it due to some reasons. Now I found this guide online, which certainly amazes me. because this guide is so well-written and detail is so well drafted that can't be explained simply.

  1. Morgan Fowler (not verified)

    Adopting a Federated Single Sign On sample improves the security posture of your product by means of being extra aligned with the Least Privilege layout sample and security great practices. Dissertation Help Service UK

  1. Aleealiyana (not verified)

    Obviously! We are chipping away at a program installer for a one-summon establishment with reliance check and live updates. For the time being, Essay Avenue we are facilitating it at our GitLab however well distribute it to GitHub and Launchpad (later on). We even have officially concurred on the order which will be 'Leonis-introduce'. You read right, this is a direct result of Lion's Pride to call it that way. Clever joke, wouldn't you say?

  1. Jessica (not verified)

    We cherish Ruby. We adore CAS. A great deal. We've analyzed a wide range of SSO administrations, Groovyessays.co.uk yet CAS is a standout amongst the most develops arrangements in addition to it is endeavor adaptable. While CAS is undertaking prepared, it is not yet bound to be bloated or of substantial weight, as making utilization of RubyCAS still sets up a fundamental and light weight execution.

  1. Addisonadam (not verified)

    This post gives an instructional exercise on the best way to set up SSO usefulness by utilizing CAS and LDAP confirmation as a backend server. Buy Essay This setup points on validating web services through CAS which will give Single Sign On utilizing LDAP client qualifications. We make utilization of the considerable Zentyal subordinate of Ubuntu, which makes setup truly agreeable as it handles all real complex errands (Squid harms a bit, tie harms a great deal) by designing modules on a slick GUI open from any program.

  1. Michael (not verified)

    Thanks a lot for sharing it, that’s truly has added a lot to our knowledge about this topic. Have a more successful day. Finance Assignment Help

  1. Finance Assignm... (not verified)

    Thanks a lot for sharing it, that’s truly has added a lot to our knowledge about this topic. Have a more successful day. https://www.goassignmenthelp.com.au/finance-assignment-help/
