CentOS 7.x Deploy Apereo CAS 6.2 and integrate with AD

From Notes_Wiki

Home > CentOS > CentOS 7.x > Web Based Tools > CentOS 7.x Apereo CAS > CentOS 7.x Deploy Apereo CAS 6.2 and integrate with AD

The below steps do not work. Refer to CentOS 7.x Deploy Apereo CAS 5.3 and integrate with AD for working steps instead.

Deploy AD with LDAPS

  1. First deploy AD server, if not present already, by referring to Windows Server 2016 Setup new Active Directory
  2. Then ensure that there is LDAPS support on AD using Setup AD to respond to LDAP queries over LDAPS protocol


Build CAS 6.2 and integrate it with AD

  1. Create CentOS 7.x container or VM. Ensure that container is setup with proper networking to be able to reach AD server. It might help if AD server is configured as DNS for this CAS server to help with local FQDN resolution.
  2. Install openssh, tomcat and git
    yum -y install openssh-server epel-release
    systemctl start sshd
    systemctl enable sshd
    yum -y install tomcat git vim
    git clone https://github.com/apereo/cas-overlay-template.git
    #Download and copy Oracle jdk-11.0.6_linux-x64_bin.rpm to container
    yum localinstall jdk-11.0.6_linux-x64_bin.rpm
    #Add below to .bashrc also
    export JAVA_HOME=/usr/java/jdk-11.0.6
    export PATH=/usr/java/jdk-11.0.6/bin:$PATH
    cd cas-overlay-template
    ./gradlew clean build
    #If the build fails then rerun './gradlew clean build'. For me
    #it failed on the first build and worked on the second without any change.
    #Failures are possibly due to Internet issues
    ls build/libs -l
    ./gradlew createKeystore
    ./gradlew CopyCasConfiguration
    ./gradlew run
    #Try to access https://<ip>:8443/cas/login after Ready message
    #is displayed
    yum -y install openldap-clients
    #Download Sysinternals AD explorer http://technet.microsoft.com/en-us/sysinternals/bb963907.aspx
    #Connect to AD using Administrator user and password if available to help in understanding LDAP structure
    ldapsearch -x -H 'ldaps://<AD-FQDN>/' -b '<AD-BASE-DN>' -D '<Administrator-user-DN>' -W
    #If the above fails on certificate verification, vim /etc/openldap/ldap.conf and append TLS_REQCERT never
    #(this skips server certificate verification; it is only for confirming the LDAPS bind works until the AD CA is trusted in step 6)
    ldapsearch -x -H 'ldaps://<AD-FQDN>/' -b '<AD-BASE-DN>' -D '<Administrator-user-DN>' -W
  3. In gradle.properties append: ( https://apereo.github.io/cas/6.1.x/installation/LDAP-Authentication.html )
    compile "org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"
    compile "org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"
  4. Check current hostname
    hostname
    hostname --fqdn
    cat /etc/hostname
    Make sure that there is an entry in /etc/hosts resolving the LAN IP to the hostname
  5. Rebuild and test
    ./gradlew clean build
    ./gradlew CopyCasConfiguration
    ./gradlew run
    #Login with casuser:Mellon
  6. Copy AD CA certificate and issued certificate to CAS server using:
    1. On AD server execute below command in cmd:
      certutil -ca.cert <AD-FQDN>.cer
    2. Copy <AD-FQDN>.cer file to cas server at location /etc/pki/ca-trust/source/anchors
    3. Download SSL certificate produced at port 636 signed by above CA using:
      cd /etc/pki/ca-trust/source/anchors
      openssl s_client -connect <AD-FQDN>:636 -showcerts
    4. Note that openssl will claim that certificate verification has failed, with output lines beginning with:
      CONNECTED(00000003)
      depth=0
      verify error:num=20:unable to get local issuer certificate
      verify return:1
      depth=0
      verify error:num=21:unable to verify the first certificate
      verify return:1
    5. Copy the lines from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (inclusive) to a file named <AD-FQDN>.pem
    6. Update CA trust using:
      update-ca-trust
    7. Again run:
      openssl s_client -connect <AD-FQDN>:636 -showcerts
    8. Now the validation should succeed with:
      CONNECTED(00000003)
      depth=1 DC = com, DC = <AD-Domain>, CN = <Common-name-given-while-creating AD LDAPS certificate>
      verify return:1
      depth=0
      verify return:1
      Refer:
  7. Create AD user with required details such as
    • First Name :: Saurabh
    • Last Name :: Barjatiya
    • Username :: saurabh
    • Password :: <secret>
  8. Download AD explorer from the Sysinternals site https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer and validate that the DN for saurabh is 'CN=Saurabh Barjatiya,CN=Users,DC=<Domain>,DC=com'
  9. Edit etc/cas/config/log4j2.xml and update ldap logging from warn to debug using:
    <Property name="ldap.log.level">debug</Property>
  10. Edit etc/cas/config/cas.properties in cas-overlay-template folder as per
  11. Rebuild and test
    ./gradlew clean build
    ./gradlew CopyCasConfiguration
    ./gradlew run
    Login with saurabh:<ad-password>
  12. Create /etc/cas/services/CAS-1.json with:
    {
      "@class" : "org.apereo.cas.services.RegexRegisteredService",
      "serviceId" : "^https://.*",
      "name" : "CAS",
      "id" : 1,
      "evaluationOrder" : 10,
      "accessStrategy" : {
        "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
        "enabled" : true,
        "ssoEnabled" : true
      }
    }
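The certificate trust part of step 6 (fetch the chain presented on port 636, save it under the CA trust anchors, run update-ca-trust, and confirm openssl now verifies the handshake) can be scripted. The script below is an added example and is not from this wiki page or from the CAS project; it assumes the CentOS 7 trust-anchor path /etc/pki/ca-trust/source/anchors, that update-ca-trust is available, and uses <AD-FQDN> as a placeholder for the domain controller's FQDN. The helper functions that parse openssl s_client output work on plain text, so they can also be run against saved output.

```shell
#!/bin/sh
# Added example (not the wiki's or CAS project's code): save the certificate
# chain that `openssl s_client -showcerts` prints, refresh the system trust
# store and confirm the LDAPS handshake now verifies cleanly.
# Assumptions: CentOS 7 paths (/etc/pki/ca-trust/source/anchors, update-ca-trust).

ANCHORS=/etc/pki/ca-trust/source/anchors

# Print only the PEM certificate blocks from s_client output read on stdin:
# every line from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- inclusive.
extract_pem_blocks() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# Count the certificates in a PEM stream read on stdin.
count_pem_blocks() {
    grep -c '^-----END CERTIFICATE-----$'
}

# Return 0 when s_client output read on stdin reports a clean chain verification.
# openssl prints the line indented, e.g. "    Verify return code: 0 (ok)".
handshake_verified() {
    grep -q '^ *Verify return code: 0 (ok)$'
}

# Fetch the chain presented on port 636 and save it as <fqdn>.pem in the anchors dir.
fetch_ldaps_chain() {
    fqdn=$1
    # </dev/null closes the TLS session right after the handshake
    openssl s_client -connect "$fqdn:636" -showcerts </dev/null 2>/dev/null \
        | extract_pem_blocks > "$ANCHORS/$fqdn.pem"
    n=$(count_pem_blocks < "$ANCHORS/$fqdn.pem")
    echo "saved $n certificate(s) to $ANCHORS/$fqdn.pem"
}

# Rebuild the trust store and re-run the handshake; non-zero exit if still unverified.
verify_ldaps_trust() {
    fqdn=$1
    update-ca-trust
    if openssl s_client -connect "$fqdn:636" </dev/null 2>/dev/null | handshake_verified; then
        echo "LDAPS certificate for $fqdn verifies against the system trust store"
        return 0
    fi
    echo "LDAPS certificate for $fqdn still does not verify; check the CA cert in $ANCHORS" >&2
    return 1
}

# Usage (replace the placeholder with the real domain controller FQDN):
# fetch_ldaps_chain '<AD-FQDN>' && verify_ldaps_trust '<AD-FQDN>'
```

With -showcerts openssl prints the server certificate first and any intermediates after it, so the saved .pem may hold more than one block; update-ca-trust accepts multi-certificate PEM files in the anchors directory. Once verify_ldaps_trust succeeds, the TLS_REQCERT never line from step 2 can be removed from /etc/openldap/ldap.conf, since ldapsearch will then verify the AD certificate against the same trust store.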

