Help

Error en SSO + Share + CAS + LDAP

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
ajsanchez22
Member II
‎23 Mar 2016 1:44 PM

Error en SSO + Share + CAS + LDAP

Muchas Gracias por la aclaración.

Revisando la documentación de Alfresco para realizar la Autenticación por Single Sing On (SSO), seguí el siguiente tutorial:

<a href="http://docs.alfresco.com/5.0/concepts/alf-modauthcas-intro.html">Overview of using Alfresco with CAS authentication</a>

Con las siguientes características:

[Servidor LDAP]: Windows Server 2012 Active Directory

[Maquina_1]: CentOS 6.6
Servidor CAS: Jasig Central Authentication Service 3.4.3.1
Servidor Apache: Apache/2.2.15 (Activados los modulos mod_auth_cas y mod_proxy_ajp)
Servidor Alfresco 5.0.d en un Tomcat 7.0.61

Se realiza todas las configuraciones descritas en el manual, lo diferente es la maquina 1 y maquina 2 descritos en el tutorial estan en la misma maquina_1 . Y se ingresa a la url 
http://<maquina_1>/share
; redirecciona a la pagina de autenticación del CAS https://192.168.1.18/cas/login?service=http%3a%2f%2f192.168.1.18%2fshare</code>, se ingresa el usuario y contraseña del dominio, y el login es exitoso redirecciona a la pagina de la Pagina Share, pero aparece la pagina de login de alfresco, por lo cual no reconoció la autenticación realizada.

A continuación lo que muestra en los diferentes logs de los servicios integrados

[alfresco catalina.out]
2016-03-22 10:13:49,289  INFO  [web.site.EditionInterceptor] [ajp-bio-8109-exec-4] Unable to retrieve License information from Alfresco: 401



[cas.log]
2016-03-22 10:13:48,775 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: prueba2]
2016-03-22 10:13:48,792 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-U9zNvcFkojpV4owqzLvN-cas] for service [http://192.168.1.18/share] for user [prueba2]



[Apache ssl_access_log]
192.168.1.53 - - [22/Mar/2016:10:13:31 -0500] "GET /cas/favicon.ico;jsessionid=8C7D7FF895355D97363C2AFC806C1984 HTTP/1.1" 200 170
192.168.1.53 - - [22/Mar/2016:10:13:48 -0500] "POST /cas/login;jsessionid=8C7D7FF895355D97363C2AFC806C1984?service=http%3a%2f%2f192.168.1.18%2fshare HTTP/1.1" 302 -
192.168.1.18 - - [22/Mar/2016:10:13:48 -0500] "GET /cas/serviceValidate?service=http%3a%2f%2f192.168.1.18%2fshare&ticket=ST-1-U9zNvcFkojpV4owqzLvN-cas HTTP/1.1" 200 175


[Apache error.log]
[Tue Mar 22 10:13:48 2016] [error] [client 192.168.1.53] MOD_AUTH_CAS: CASScope (/share) not a substring of request path, using request path (/) for cookie


[Apache access.log]
192.168.1.53 - - [22/Mar/2016:10:13:31 -0500] "GET /share HTTP/1.1" 302 334 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
192.168.1.53 - prueba2 [22/Mar/2016:10:13:48 -0500] "GET /share?ticket=ST-1-U9zNvcFkojpV4owqzLvN-cas HTTP/1.1" 302 287 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
192.168.1.53 - prueba2 [22/Mar/2016:10:13:48 -0500] "GET /share HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
192.168.1.53 - prueba2 [22/Mar/2016:10:13:48 -0500] "GET /share/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
192.168.1.53 - prueba2 [22/Mar/2016:10:13:48 -0500] "GET /share/page/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
192.168.1.53 - prueba2 [22/Mar/2016:10:13:51 -0500] "GET /share/res/js/bubbling.v2.1_5a671b93e806ea64b41f915cf6147232.js HTTP/1.1" 200 7630 "http://192.168.1.18/share/page?pt=login" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
192.168.1.53 - prueba2 [22/Mar/2016:10:13:51 -0500] "GET /share/res/yui/history/history_543b42a00a378f4d4b6e70c81d915b0a.js HTTP/1.1" 200 5781 "http://192.168.1.18/share/page?pt=login" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
192.168.1.53 - prueba2 [22/Mar/2016:10:13:51 -0500] "GET /share/res/js/yui-common_0ebd1fff37640abe891d16bbee9d516a.js HTTP/1.1" 200 712116 "http://192.168.1.18/share/page?pt=login" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
192.168.1.53 - prueba2 [22/Mar/2016:10:13:51 -0500] "GET /share/service/messages_d89bd062c918d53d4b24df9c209a688e.js?locale=es_ES HTTP/1.1" 200 80924 "http://192.168.1.18/share/page?pt=login" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
192.168.1.53 - prueba2 [22/Mar/2016:10:13:51 -0500] "GET /share/res/js/flash/AC_OETags_23681d043aef7e80993a9f9354d71741.js HTTP/1.1" 200 4003 "http://192.168.1.18/share/page?pt=login" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
192.168.1.53 - prueba2 [22/Mar/2016:10:13:51 -0500] "GET /share/res/js/alfresco_ba1176f2a6d49fbab1628f80cf821725.js HTTP/1.1" 200 122696 "http://192.168.1.18/share/page?pt=login" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"


[Apache ssl_request_log]
[22/Mar/2016:10:13:31 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cas/login?service=http%3a%2f%2f192.168.1.18%2fshare HTTP/1.1" 6407
[22/Mar/2016:10:13:31 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cas/css/cas.css;jsessionid=8C7D7FF895355D97363C2AFC806C1984 HTTP/1.1" 6360
[22/Mar/2016:10:13:31 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cas/images/ja-sig-logo.gif;jsessionid=8C7D7FF895355D97363C2AFC806C1984 HTTP/1.1" 1502
[22/Mar/2016:10:13:31 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cas/js/cas.js;jsessionid=8C7D7FF895355D97363C2AFC806C1984 HTTP/1.1" 1557
[22/Mar/2016:10:13:31 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cas/images/key-point_tr.gif HTTP/1.1" 107
[22/Mar/2016:10:13:31 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cas/images/ja-sig-logo.gif HTTP/1.1" 1502
[22/Mar/2016:10:13:31 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cas/images/key-point_tl.gif HTTP/1.1" 103
[22/Mar/2016:10:13:31 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cas/images/key-point_bl.gif HTTP/1.1" 102
[22/Mar/2016:10:13:31 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cas/images/key-point_br.gif HTTP/1.1" 386
[22/Mar/2016:10:13:31 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cas/favicon.ico;jsessionid=8C7D7FF895355D97363C2AFC806C1984 HTTP/1.1" 170
[22/Mar/2016:10:13:48 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /cas/login;jsessionid=8C7D7FF895355D97363C2AFC806C1984?service=http%3a%2f%2f192.168.1.18%2fshare HTTP/1.1" -
[22/Mar/2016:10:13:48 -0500] 192.168.1.18 TLSv1 DHE-RSA-AES128-SHA "GET /cas/serviceValidate?service=http%3a%2f%2f192.168.1.18%2fshare&ticket=ST-1-U9zNvcFkojpV4owqzLvN-cas HTTP/1.1" 175


Por ultimo, demuestro la configuración que realice en el alfresco.

[Server.xml]

<!– Configuración del Puerto Seguro con la Integración con el componente SORL –>
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
      SSLEnabled="true" maxThreads="150" scheme="https"
      keystoreFile="/XXX/apache-tomcat-7.0.61/bin/alf_data/keystore/ssl.keystore"
      keystorePass="XXXXX" keystoreType="JCEKS" secure="true" connectionTimeout="240000"
      truststoreFile="/XXX/apache-tomcat-7.0.61/bin/alf_data/keystore/ssl.truststore"
      truststorePass="XXXXXXXX" truststoreType="JCEKS" clientAuth="false" sslProtocol="TLS"/>

<!– Define an AJP 1.3 Connector on port 8009 –>
<Connector port="8109" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false"/>



[alfresco-global.properties]
authentication.chain=external1:external
external.authentication.proxyUserName=alfresco-system
external.authentication.proxyHeader=X-Alfresco-Remote-User
external.authentication.enabled=true
external.authentication.userIdPattern=



[ <web-extension>/share-config-custom.xml ]
<config evaluator="string-compare" condition="Remote">
      <remote>
         <keystore>
             <path>alfresco/web-extension/alfresco-system.p12</path>
             <type>pkcs12</type>
             <password>alfresco-system</password>
         </keystore>
         
         <connector>
            <id>alfrescoCookie</id>       
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
         </connector>
         
         <connector>
            <id>alfrescoHeader</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
            <userHeader>X-Alfresco-Remote-User</userHeader>
         </connector>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>http://localhost:8181/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
   </config>


Y se pone el archivo alfresco-system.p12 en 
/apache-tomcat-7.0.61/shared/classes/alfresco/web-extension


Por lo cual no esta funcionando el Single Sing On, y pido de su colaboración para revisar que puede ser el inconveniente.

Muchas Gracias.
0 Kudos
Reply
1 Reply
douglascrp
Advanced II
‎31 Mar 2016 3:38 AM

Re: Error en SSO + Share + CAS + LDAP

Check this ou https://github.com/wrighting/alfresco-cas
This project has a fix for SSO on Alfresco 5.0.d
0 Kudos
Reply
The Archive

Content from pre 2016 and from language groups that have been closed.

Content is read-only.

We use cookies on this site to enhance your user experience

By using this site, you are agreeing to allow us to collect and use cookies as outlined in Alfresco’s Cookie Statement and Terms of Use (and you have a legitimate interest in Alfresco and our products, authorizing us to contact you in such methods).   If you are not ok with these terms, please do not use this website.