
Error in SSO + Share + CAS + LDAP

Question asked by ajsanchez22 on Mar 23, 2016
Latest reply on Mar 31, 2016 by douglascrp
Many thanks for the clarification.

While reviewing the Alfresco documentation on setting up Single Sign-On (SSO) authentication, I followed this tutorial:

Overview of using Alfresco with CAS authentication: http://docs.alfresco.com/5.0/concepts/alf-modauthcas-intro.html

With the following setup:

[LDAP server]: Windows Server 2012 Active Directory

[Maquina_1]: CentOS 6.6
CAS server: Jasig Central Authentication Service 3.4.3.1
Apache server: Apache/2.2.15 (mod_auth_cas and mod_proxy_ajp modules enabled)
Alfresco 5.0.d server on Tomcat 7.0.61

All the configuration described in the manual was done; the only difference is that machine 1 and machine 2 from the tutorial are both on the same maquina_1. I open the URL http://<maquina_1>/share; it redirects to the CAS login page https://192.168.1.18/cas/login?service=http%3a%2f%2f192.168.1.18%2fshare, I enter the domain user name and password, the login succeeds and it redirects to the Share page, but the Alfresco login page appears, so the authentication that was just performed was not recognized.

Below is what the logs of the integrated services show:

[alfresco catalina.out]
2016-03-22 10:13:49,289  INFO  [web.site.EditionInterceptor] [ajp-bio-8109-exec-4] Unable to retrieve License information from Alfresco: 401 



[cas.log]
2016-03-22 10:13:48,775 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: prueba2]
2016-03-22 10:13:48,792 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-U9zNvcFkojpV4owqzLvN-cas] for service [http://192.168.1.18/share] for user [prueba2]



[Apache ssl_access_log]
192.168.1.53 - - [22/Mar/2016:10:13:31 -0500] "GET /cas/favicon.ico;jsessionid=8C7D7FF895355D97363C2AFC806C1984 HTTP/1.1" 200 170
192.168.1.53 - - [22/Mar/2016:10:13:48 -0500] "POST /cas/login;jsessionid=8C7D7FF895355D97363C2AFC806C1984?service=http%3a%2f%2f192.168.1.18%2fshare HTTP/1.1" 302 -
192.168.1.18 - - [22/Mar/2016:10:13:48 -0500] "GET /cas/serviceValidate?service=http%3a%2f%2f192.168.1.18%2fshare&ticket=ST-1-U9zNvcFkojpV4owqzLvN-cas HTTP/1.1" 200 175


[Apache error.log]
[Tue Mar 22 10:13:48 2016] [error] [client 192.168.1.53] MOD_AUTH_CAS: CASScope (/share) not a substring of request path, using request path (/) for cookie


[Apache access.log]
192.168.1.53 - - [22/Mar/2016:10:13:31 -0500] "GET /share HTTP/1.1" 302 334 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
192.168.1.53 - prueba2 [22/Mar/2016:10:13:48 -0500] "GET /share?ticket=ST-1-U9zNvcFkojpV4owqzLvN-cas HTTP/1.1" 302 287 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
192.168.1.53 - prueba2 [22/Mar/2016:10:13:48 -0500] "GET /share HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
192.168.1.53 - prueba2 [22/Mar/2016:10:13:48 -0500] "GET /share/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
192.168.1.53 - prueba2 [22/Mar/2016:10:13:48 -0500] "GET /share/page/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
192.168.1.53 - prueba2 [22/Mar/2016:10:13:51 -0500] "GET /share/res/js/bubbling.v2.1_5a671b93e806ea64b41f915cf6147232.js HTTP/1.1" 200 7630 "http://192.168.1.18/share/page?pt=login" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
192.168.1.53 - prueba2 [22/Mar/2016:10:13:51 -0500] "GET /share/res/yui/history/history_543b42a00a378f4d4b6e70c81d915b0a.js HTTP/1.1" 200 5781 "http://192.168.1.18/share/page?pt=login" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
192.168.1.53 - prueba2 [22/Mar/2016:10:13:51 -0500] "GET /share/res/js/yui-common_0ebd1fff37640abe891d16bbee9d516a.js HTTP/1.1" 200 712116 "http://192.168.1.18/share/page?pt=login" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
192.168.1.53 - prueba2 [22/Mar/2016:10:13:51 -0500] "GET /share/service/messages_d89bd062c918d53d4b24df9c209a688e.js?locale=es_ES HTTP/1.1" 200 80924 "http://192.168.1.18/share/page?pt=login" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
192.168.1.53 - prueba2 [22/Mar/2016:10:13:51 -0500] "GET /share/res/js/flash/AC_OETags_23681d043aef7e80993a9f9354d71741.js HTTP/1.1" 200 4003 "http://192.168.1.18/share/page?pt=login" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
192.168.1.53 - prueba2 [22/Mar/2016:10:13:51 -0500] "GET /share/res/js/alfresco_ba1176f2a6d49fbab1628f80cf821725.js HTTP/1.1" 200 122696 "http://192.168.1.18/share/page?pt=login" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"


[Apache ssl_request_log]
[22/Mar/2016:10:13:31 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cas/login?service=http%3a%2f%2f192.168.1.18%2fshare HTTP/1.1" 6407
[22/Mar/2016:10:13:31 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cas/css/cas.css;jsessionid=8C7D7FF895355D97363C2AFC806C1984 HTTP/1.1" 6360
[22/Mar/2016:10:13:31 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cas/images/ja-sig-logo.gif;jsessionid=8C7D7FF895355D97363C2AFC806C1984 HTTP/1.1" 1502
[22/Mar/2016:10:13:31 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cas/js/cas.js;jsessionid=8C7D7FF895355D97363C2AFC806C1984 HTTP/1.1" 1557
[22/Mar/2016:10:13:31 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cas/images/key-point_tr.gif HTTP/1.1" 107
[22/Mar/2016:10:13:31 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cas/images/ja-sig-logo.gif HTTP/1.1" 1502
[22/Mar/2016:10:13:31 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cas/images/key-point_tl.gif HTTP/1.1" 103
[22/Mar/2016:10:13:31 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cas/images/key-point_bl.gif HTTP/1.1" 102
[22/Mar/2016:10:13:31 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cas/images/key-point_br.gif HTTP/1.1" 386
[22/Mar/2016:10:13:31 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /cas/favicon.ico;jsessionid=8C7D7FF895355D97363C2AFC806C1984 HTTP/1.1" 170
[22/Mar/2016:10:13:48 -0500] 192.168.1.53 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /cas/login;jsessionid=8C7D7FF895355D97363C2AFC806C1984?service=http%3a%2f%2f192.168.1.18%2fshare HTTP/1.1" -
[22/Mar/2016:10:13:48 -0500] 192.168.1.18 TLSv1 DHE-RSA-AES128-SHA "GET /cas/serviceValidate?service=http%3a%2f%2f192.168.1.18%2fshare&ticket=ST-1-U9zNvcFkojpV4owqzLvN-cas HTTP/1.1" 175


Finally, here is the configuration I made on the Alfresco side.

[Server.xml]

<!-- Secure port used for the integration with the SOLR component -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
      SSLEnabled="true" maxThreads="150" scheme="https"
      keystoreFile="/XXX/apache-tomcat-7.0.61/bin/alf_data/keystore/ssl.keystore"
      keystorePass="XXXXX" keystoreType="JCEKS" secure="true" connectionTimeout="240000"
      truststoreFile="/XXX/apache-tomcat-7.0.61/bin/alf_data/keystore/ssl.truststore"
      truststorePass="XXXXXXXX" truststoreType="JCEKS" clientAuth="false" sslProtocol="TLS"/>

<!-- AJP 1.3 Connector on port 8109 (the port mod_proxy_ajp connects to);
     tomcatAuthentication="false" makes Tomcat take the remote user set by Apache -->
<Connector port="8109" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false"/>



[alfresco-global.properties]
# Authentication subsystem chain: a single "external" instance that trusts a proxy header
authentication.chain=external1:external
# Only requests whose own authenticated remote user is this name (Share presenting the
# alfresco-system client certificate) may set the end user through the header below
external.authentication.proxyUserName=alfresco-system
# HTTP header carrying the already-authenticated user id
external.authentication.proxyHeader=X-Alfresco-Remote-User
external.authentication.enabled=true
# Optional regex to extract the user id from the header value (empty = use it as-is)
external.authentication.userIdPattern=



[ <web-extension>/share-config-custom.xml ]
<config evaluator="string-compare" condition="Remote">
      <remote>
         <keystore>
             <path>alfresco/web-extension/alfresco-system.p12</path>
             <type>pkcs12</type>
             <password>alfresco-system</password>
         </keystore>
        
         <connector>
            <id>alfrescoCookie</id>      
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
         </connector>
        
         <connector>
            <id>alfrescoHeader</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
            <userHeader>X-Alfresco-Remote-User</userHeader>
         </connector>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>http://localhost:8181/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
   </config>


And the alfresco-system.p12 file is placed in
/apache-tomcat-7.0.61/shared/classes/alfresco/web-extension


So Single Sign-On is not working, and I would appreciate your help in reviewing what the problem might be.

Many thanks.
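The script below is an added diagnostic example, not code from the original post or from Alfresco, Apache or CAS. It takes one or a few lines copied from each of the logs quoted in the question, walks the SSO chain stage by stage (CAS ticket issued, ticket validated by mod_auth_cas, REMOTE_USER set by Apache, identity accepted by the repository) and reports the first stage for which the logs hold no evidence of success. The stage names and the reading given to each log line are this example's own assumptions.

```python
"""Correlate CAS -> Apache (mod_auth_cas) -> Share -> repository logs and
report the first SSO stage with no evidence of success.
Added example; the sample lines are copied from the question's logs, the
stage names and their interpretation are assumptions made here."""
import re
from typing import List, NamedTuple, Optional

# --- samples copied from the question (one or a few lines per log) ----------
CAS_LOG = (
    "2016-03-22 10:13:48,792 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - "
    "Granted service ticket [ST-1-U9zNvcFkojpV4owqzLvN-cas] for service "
    "[http://192.168.1.18/share] for user [prueba2]\n"
)
SSL_ACCESS_LOG = (
    '192.168.1.18 - - [22/Mar/2016:10:13:48 -0500] "GET /cas/serviceValidate'
    "?service=http%3a%2f%2f192.168.1.18%2fshare&ticket=ST-1-U9zNvcFkojpV4owqzLvN-cas"
    ' HTTP/1.1" 200 175\n'
)
ACCESS_LOG = (
    '192.168.1.53 - - [22/Mar/2016:10:13:31 -0500] "GET /share HTTP/1.1" 302 334 "-" "Mozilla/5.0"\n'
    '192.168.1.53 - prueba2 [22/Mar/2016:10:13:48 -0500] '
    '"GET /share?ticket=ST-1-U9zNvcFkojpV4owqzLvN-cas HTTP/1.1" 302 287 "-" "Mozilla/5.0"\n'
    '192.168.1.53 - prueba2 [22/Mar/2016:10:13:48 -0500] "GET /share/page/ HTTP/1.1" 302 - "-" "Mozilla/5.0"\n'
)
CATALINA_OUT = (
    "2016-03-22 10:13:49,289  INFO  [web.site.EditionInterceptor] [ajp-bio-8109-exec-4] "
    "Unable to retrieve License information from Alfresco: 401\n"
)

CAS_GRANT_RE = re.compile(
    r"Granted service ticket \[(?P<ticket>ST-[^\]]+)\] for service "
    r"\[(?P<service>[^\]]+)\] for user \[(?P<user>[^\]]+)\]"
)
# Apache common/combined format: host ident authuser [date] "METHOD path proto" status bytes ...
APACHE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})\b'
)
REPO_STATUS_RE = re.compile(r"Unable to retrieve License information from Alfresco: (?P<status>\d{3})")


class Grant(NamedTuple):
    ticket: str
    service: str
    user: str


class Hit(NamedTuple):
    host: str
    user: str  # stays '-' until mod_auth_cas has set REMOTE_USER
    path: str
    status: int


class Stage(NamedTuple):
    name: str
    ok: bool
    evidence: str


def parse_cas_grants(text: str) -> List[Grant]:
    return [Grant(m["ticket"], m["service"], m["user"]) for m in CAS_GRANT_RE.finditer(text)]


def parse_apache(text: str) -> List[Hit]:
    hits = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if m:
            hits.append(Hit(m["host"], m["user"], m["path"], int(m["status"])))
    return hits


def diagnose(cas_log: str, ssl_access_log: str, access_log: str, catalina_out: str) -> List[Stage]:
    stages: List[Stage] = []
    grants = parse_cas_grants(cas_log)
    if not grants:
        return [Stage("CAS issued a service ticket", False, "no 'Granted service ticket' line")]
    g = grants[-1]
    stages.append(Stage("CAS issued a service ticket", True, f"{g.ticket} for {g.user} ({g.service})"))

    # mod_auth_cas calls back to /cas/serviceValidate with the ticket. A 200 only proves
    # CAS answered: the CAS 2.0 protocol also returns 200 for <cas:authenticationFailure>,
    # so the decisive evidence is the next stage.
    validate = [h for h in parse_apache(ssl_access_log)
                if h.path.startswith("/cas/serviceValidate") and f"ticket={g.ticket}" in h.path]
    ok = bool(validate) and validate[0].status == 200
    stages.append(Stage("Apache validated the ticket with CAS", ok,
                        f"serviceValidate -> {validate[0].status}" if validate else "no serviceValidate call"))

    # REMOTE_USER is set once the authuser field of access.log is no longer '-'
    # on the /share requests that follow the ?ticket= redirect.
    authed = [h for h in parse_apache(access_log) if h.path.startswith("/share") and h.user == g.user]
    stages.append(Stage("Apache set REMOTE_USER for /share", bool(authed),
                        f"{len(authed)} /share request(s) logged with authuser={g.user}"))

    # Share logs this message when its own call to the repository is refused;
    # a 401 means the repository did not accept the identity Share forwarded.
    repo = REPO_STATUS_RE.search(catalina_out)
    rejected = repo is not None and repo["status"] == "401"
    stages.append(Stage("repository accepted the identity forwarded by Share", not rejected,
                        f"Share -> repository returned {repo['status']}" if repo else "no EditionInterceptor line"))
    return stages


def first_failure(stages: List[Stage]) -> Optional[Stage]:
    return next((s for s in stages if not s.ok), None)


if __name__ == "__main__":
    result = diagnose(CAS_LOG, SSL_ACCESS_LOG, ACCESS_LOG, CATALINA_OUT)
    for s in result:
        print(f"[{'ok' if s.ok else 'FAIL'}] {s.name}: {s.evidence}")
    broken = first_failure(result)
    print("first broken stage:", broken.name if broken else "none")
```

On the lines quoted in the question the first three stages pass and the fourth fails: the authuser field `prueba2` in Apache's access.log shows that mod_auth_cas validated the ticket and set REMOTE_USER, so the break is after Apache, somewhere between the AJP hand-off to Share and the repository's trust in the X-Alfresco-Remote-User header. The script only narrows the search; it does not decide between those two.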
