Fork me on GitHub

n. Slang a rough lawless young Kuali developer.
[perhaps variant of Houlihan, Irish surname]
kualiganism n

Blog of an rSmart Java Developer. Full of code examples, solutions, best practices, et al.

Tuesday, April 3, 2012

LDAP CAS Implementation


This is a companion post to Rice KIM LDAP and Embedded Apache DS.

CAS is the phenominal JA-SIG single sign-on (SSO) web application that Kuali is standardizing with. We already know of ways to implement LDAP with Kuali applications. Once you get your KIM integration, then where do you? You still need your users in the KRIM_PRNCPL_T table if you want to login. How do you setup CAS to know about your LDAP directory service?

Kuali CAS LDAP Implementation on GitHub

I put together another github project called kuali-cas. It is a maven project that easily will configure your CAS server for development and possibly even production CAS installations.

1 Checkout kuali-cas

% git clone
% cd kuali-cas

2 Modify

To configure CAS to talk to your LDAP server, you need to configure the src/main/resource/ file. It looks something like:

You want to configure it somewhat the same way you have setup your LDAP configuration with your Kuali Application.

3 Build the cas.war Package

% mvn package

4 Copy the war to Your Appserver

% cp target/cas.war $CATALINA_HOME/webapps/

That is it. Now when you browse your kuali application and it redirects you to CAS, the CAS server will be connected to your LDAP server.

What About admin?

That's right! The admin user is probably not going to exist in your production LDAP directory, so what do you do about admins in development and in production?

Well, you could login as a regular user and backdoor. In production you will not have a backdoor, so then what?

Backdoor CAS Instance

I suggest running another CAS instance that connects to KIM RDBMS and name it backdoor-cas.
  1. Create backdoor-cas.war (normal kuali-cas war file).
  2. Install it in the same place as your cas.war (Now you should have 2 cas servers running on the same appserver.)
  3. Create a backdoor.jsp:

  4. Map the backdoor cas filter to backdoor.jsp (note this is in
    addition to the other cas.

Using backdoor.jsp

  1. Login by going to http://localhost:8080/kfs-dev/ This will connect you through LDAP.
  2. Suppose then you want to login as admin. Now that you are logged in as williamh, you cannot login again. So now what? http://localhost:8080/cas/logout will log out out.
  3. You can then go to http://localhost:8080/kfs-dev/backdoor.jsp. This will trigger the backdoor filter and force you into http://localhost:8080/backdoor-cas/login and http://localhost:8080/backdoor-cas/validate which will log you in using KIM RDBMS. As a result you can login as admin. Yay!

What you get is ldap login everywhere except for backdoor.jsp. When
you hit backdoor.jsp, it will force KIM RDBMS login, then redirect to

It's a little hacky, but it will get you both logins.

No comments:

Post a Comment