Error en SSO + Share + CAS + LDAP

cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Member II

Error en SSO + Share + CAS + LDAP

Muchas Gracias por la aclaración.

Revisando la documentación de Alfresco para realizar la Autenticación por Single Sing On (SSO), seguí el siguiente tutorial:

<a href="http://docs.alfresco.com/5.0/concepts/alf-modauthcas-intro.html">Overview of using Alfresco with CAS authentication</a>

Con las siguientes características:

[Servidor LDAP]: Windows Server 2012 Active Directory

[Maquina_1]: CentOS 6.6
Servidor CAS: Jasig Central Authentication Service 3.4.3.1
Servidor Apache: Apache/2.2.15 (Activados los modulos mod_auth_cas y mod_proxy_ajp)
Servidor Alfresco 5.0.d en un Tomcat 7.0.61

Se realiza todas las configuraciones descritas en el manual, lo diferente es la maquina 1 y maquina 2 descritos en el tutorial estan en la misma maquina_1 . Y se ingresa a la url
http://<maquina_1>/share
; redirecciona a la pagina de autenticación del CAS https://192.168.1.18/cas/login?service=http%3a%2f%2f192.168.1.18%2fshare</code>, se ingresa el usuario y contraseña del dominio, y el login es exitoso redirecciona a la pagina de la Pagina Share, pero aparece la pagina de login de alfresco, por lo cual no reconoció la autenticación realizada.

A continuación lo que muestra en los diferentes logs de los servicios integrados

[alfresco catalina.out]
2016-03-22 10:13:49,289  INFO  [web.site.EditionInterceptor] [ajp-bio-8109-exec-4] Unable to retrieve License information from Alfresco: 401 



[cas.log]
2016-03-22 10:13:48,775 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: prueba2]
2016-03-22 10:13:48,792 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-U9zNvcFkojpV4owqzLvN-cas] for service [http://192.168.1.18/share] for user [prueba2]



[Apache ssl_access_log]
192.168.1.53 - - [22/Mar/2016:10:13:31 -0500] "GET /cas/favicon.ico;jsessionid=8C7D7FF895355D97363C2AFC806C1984 HTTP/1.1" 200 170
192.168.1.53 - - [22/Mar/2016:10:13:48 -0500] "POST /cas/login;jsessionid=8C7D7FF895355D97363C2AFC806C1984?service=http%3a%2f%2f192.168.1.18%2fshare HTTP/1.1" 302 -
192.168.1.18 - - [22/Mar/2016:10:13:48 -0500] "GET /cas/serviceValidate?service=http%3a%2f%2f192.168.1.18%2fshare&ticket=ST-1-U9zNvcFkojpV4owqzLvN-cas HTTP/1.1" 200 175


[Apache error.log]
[Tue Mar 22 10:13:48 2016] [error] [client 192.168.1.53] MOD_AUTH_CAS: CASScope (/share) not a substring of request path, using request path (/) for cookie


[Apache access.log]
192.168.1.53 - - [22/Mar/2016:10:13:31 -0500] "GET /share HTTP/1.1" 302 334 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
192.168.1.53 - prueba2 [22/Mar/2016:10:13:48 -0500] "GET /share?ticket=ST-1-U9zNvcFkojpV4owqzLvN-cas HTTP/1.1" 302 287 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
192.168.1.53 - prueba2 [22/Mar/2016:10:13:48 -0500] "GET /share HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
192.168.1.53 - prueba2 [22/Mar/2016:10:13:48 -0500] "GET /share/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
192.168.1.53 - prueba2 [22/Mar/2016:10:13:48 -0500] "GET /share/page/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
192.168.1.53 - prueba2 [22/Mar/2016:10:13:51 -0500] "GET /share/res/js/bubbling.v2.1_5a671b93e806ea64b41f915cf6147232.js HTTP/1.1" 200 7630 "http://192.168.1.18/share/page?pt=login" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
192.168.1.53 - prueba2 [22/Mar/2016:10:13:51 -0500] "GET /share/res/yui/history/history_543b42a00a378f4d4b6e70c81d915b0a.js HTTP/1.1" 200 5781 "http://192.168.1.18/share/page?pt=login" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
192.168.1.53 - prueba2 [22/Mar/2016:10:13:51 -0500] "GET /share/res/js/yui-common_0ebd1fff37640abe891d16bbee9d516a.js HTTP/1.1" 200 712116 "http://192.168.1.18/share/page?pt=login" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
192.168.1.53 - prueba2 [22/Mar/2016:10:13:51 -0500] "GET /share/service/messages_d89bd062c918d53d4b24df9c209a688e.js?locale=es_ES HTTP/1.1" 200 80924 "http://192.168.1.18/share/page?pt=login" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
192.168.1.53 - prueba2 [22/Mar/2016:10:13:51 -0500] "GET /share/res/js/flash/AC_OETags_23681d043aef7e80993a9f9354d71741.js HTTP/1.1" 200 4003 "http://192.168.1.18/share/page?pt=login" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
192.168.1.53 - prueba2 [22/Mar/2016:10:13:51 -0500] "GET /share/res/js/alfresco_ba1176f2a6d49fbab1628f80cf821725.js HTTP/1.1" 200 122696 "http://192.168.1.18/share/page?pt=login" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"


[Apache ssl_request_log]
[22/Mar/2016:10:13:31 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cas/login?service=http%3a%2f%2f192.168.1.18%2fshare HTTP/1.1" 6407
[22/Mar/2016:10:13:31 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cas/css/cas.css;jsessionid=8C7D7FF895355D97363C2AFC806C1984 HTTP/1.1" 6360
[22/Mar/2016:10:13:31 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cas/images/ja-sig-logo.gif;jsessionid=8C7D7FF895355D97363C2AFC806C1984 HTTP/1.1" 1502
[22/Mar/2016:10:13:31 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cas/js/cas.js;jsessionid=8C7D7FF895355D97363C2AFC806C1984 HTTP/1.1" 1557
[22/Mar/2016:10:13:31 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cas/images/key-point_tr.gif HTTP/1.1" 107
[22/Mar/2016:10:13:31 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cas/images/ja-sig-logo.gif HTTP/1.1" 1502
[22/Mar/2016:10:13:31 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cas/images/key-point_tl.gif HTTP/1.1" 103
[22/Mar/2016:10:13:31 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cas/images/key-point_bl.gif HTTP/1.1" 102
[22/Mar/2016:10:13:31 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cas/images/key-point_br.gif HTTP/1.1" 386
[22/Mar/2016:10:13:31 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cas/favicon.ico;jsessionid=8C7D7FF895355D97363C2AFC806C1984 HTTP/1.1" 170
[22/Mar/2016:10:13:48 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /cas/login;jsessionid=8C7D7FF895355D97363C2AFC806C1984?service=http%3a%2f%2f192.168.1.18%2fshare HTTP/1.1" -
[22/Mar/2016:10:13:48 -0500] 192.168.1.18 TLSv1 DHE-RSA-AES128-SHA "GET /cas/serviceValidate?service=http%3a%2f%2f192.168.1.18%2fshare&ticket=ST-1-U9zNvcFkojpV4owqzLvN-cas HTTP/1.1" 175


Por ultimo, demuestro la configuración que realice en el alfresco.

[Server.xml]

<!– Configuración del Puerto Seguro con la Integración con el componente SORL –>
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
      SSLEnabled="true" maxThreads="150" scheme="https"
      keystoreFile="/XXX/apache-tomcat-7.0.61/bin/alf_data/keystore/ssl.keystore"
      keystorePass="XXXXX" keystoreType="JCEKS" secure="true" connectionTimeout="240000"
      truststoreFile="/XXX/apache-tomcat-7.0.61/bin/alf_data/keystore/ssl.truststore"
      truststorePass="XXXXXXXX" truststoreType="JCEKS" clientAuth="false" sslProtocol="TLS"/>

<!– Define an AJP 1.3 Connector on port 8009 –>
<Connector port="8109" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false"/>



[alfresco-global.properties]
authentication.chain=external1:external
external.authentication.proxyUserName=alfresco-system
external.authentication.proxyHeader=X-Alfresco-Remote-User
external.authentication.enabled=true
external.authentication.userIdPattern=



[ <web-extension>/share-config-custom.xml ]
<config evaluator="string-compare" condition="Remote">
      <remote>
         <keystore>
             <path>alfresco/web-extension/alfresco-system.p12</path>
             <type>pkcs12</type>
             <password>alfresco-system</password>
         </keystore>
        
         <connector>
            <id>alfrescoCookie</id>      
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
         </connector>
        
         <connector>
            <id>alfrescoHeader</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
            <userHeader>X-Alfresco-Remote-User</userHeader>
         </connector>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>http://localhost:8181/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
   </config>


Y se pone el archivo alfresco-system.p12 en
/apache-tomcat-7.0.61/shared/classes/alfresco/web-extension


Por lo cual no esta funcionando el Single Sing On, y pido de su colaboración para revisar que puede ser el inconveniente.

Muchas Gracias.
1 Reply
Highlighted
Advanced II

Re: Error en SSO + Share + CAS + LDAP

Check this ou https://github.com/wrighting/alfresco-cas
This project has a fix for SSO on Alfresco 5.0.d