This basically should allow you to configure access roles in the app. You get the roles for the user, and you decide which of those roles is a match so access can be granted. Is that what you are trying to do?
If you search the archives, you will come across http://comments.gmane.org/gmane.comp.java.jasig.cas.user/24806 which might help.

From: [email protected] [mailto:[email protected]] On Behalf Of Al J
Sent: Wednesday, February 24, 2016 9:37 AM
To: CAS Community <[email protected]>
Subject: [cas-user] having trouble with ldap config for cas-services management webapp

I am having a really tough time getting the CAS services management webapp to work with LDAP (against an IPA server). I can get authentication to work, but I can't figure out what the right group-xxx attributes to use are; I don't know what they are intended to do. Where can I find out how these are used?

I've pulled my LDAP values out into a .properties file for easier maintenance, copying for the most part that which works just fine for my CAS server. In my managementConfigContext.xml I have made only this change:

<sec:ldap-server id="ldapServer"
                 url="${ldap.url}"
                 manager-dn="${ldap.authn.managerDN}"
                 manager-password="${ldap.authn.managerPassword}" />

<sec:ldap-user-service id="userDetailsService"
                       server-ref="ldapServer"
                       group-search-base="${ldap.authn.group.baseDn}"
                       group-role-attribute="${ldap.authn.group.roleAttr}"
                       group-search-filter="${ldap.authn.group.searchFilter}"
                       user-search-base="${ldap.authn.user.baseDn}"
                       user-search-filter="${ldap.authn.user.searchFilter}" />

I have added these values to my cas-management.properties:

# LDAP Server
ldap.url=<omitted>

# LDAP connection timeout in milliseconds
ldap.connectTimeout=3000

# Whether to use StartTLS (probably needed if not SSL connection)
ldap.useStartTLS=false

# Base DN of users to be authenticated
ldap.authn.user.baseDn=cn=users,cn=accounts,dc=epc-instore,dc=com

# Manager DN for authenticated searches
ldap.authn.managerDN=uid=<omitted>,cn=users,cn=accounts,dc=epc-instore,dc=com

# Manager password for authenticated searches
ldap.authn.managerPassword=<omitted>

# Search filter used for configurations that require searching for DNs
#ldap.authn.searchFilter=(&(uid={user})(accountState=active))
ldap.authn.user.searchFilter=(uid={0})
ldap.authn.group.searchFilter=gidNumber=1886200029
ldap.authn.group.baseDn=cn=groups,cn=accounts,dc=epc-instore,dc=com
ldap.authn.group.roleAttr=cn

# Search filter used for configurations that require searching for DNs
#ldap.authn.format=uid=%s,ou=Users,dc=example,dc=org
ldap.authn.format=uid=%s,cn=users,cn=accounts,dc=epc-instore,dc=com

# A path to trusted X.509 certificate for StartTLS
ldap.trustedCert=/path/to/cert.cer

--
You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
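An added illustration (not code from this thread, CAS or Spring Security) of the role-matching step described in the reply above: a Python model of how a Spring Security `ldap-user-service` fills `group-search-filter` with the user's DN (`{0}`) or username (`{1}`), turns each matching group's `group-role-attribute` into a `ROLE_` name, and then checks the required role. It also shows the effect of a filter with no `{0}`/`{1}` placeholder, like the gidNumber-only filter in the quoted configuration: every authenticated user receives the same roles. The group entries, DNs and the required role name are constructed assumptions.

```python
import re

# Spring Security's DefaultLdapAuthoritiesPopulator defaults (assumed here):
# "ROLE_" prefix, roles upper-cased, {0} = user DN, {1} = username.
ROLE_PREFIX = "ROLE_"

# Constructed sample of the subtree under group-search-base (not a real directory).
GROUPS = [
    {"cn": "cas-admins", "gidNumber": "1886200029",
     "member": ["uid=alice,cn=users,cn=accounts,dc=example,dc=com"]},
    {"cn": "staff", "gidNumber": "1886200030",
     "member": ["uid=alice,cn=users,cn=accounts,dc=example,dc=com",
                "uid=bob,cn=users,cn=accounts,dc=example,dc=com"]},
]

def substitute(filter_template, user_dn, username):
    """Fill the MessageFormat-style placeholders of group-search-filter."""
    return filter_template.replace("{0}", user_dn).replace("{1}", username)

def matches(entry, filt):
    """Evaluate a small LDAP filter subset: (attr=value) and one level of (&...)."""
    filt = filt.strip()
    if not filt.startswith("("):          # tolerate a bare attr=value filter
        filt = "(" + filt + ")"
    if filt.startswith("(&"):
        return all(matches(entry, part)
                   for part in re.findall(r"\([^()]*\)", filt[2:-1]))
    attr, value = filt[1:-1].split("=", 1)
    stored = entry.get(attr, [])
    return value in (stored if isinstance(stored, list) else [stored])

def roles_for(user_dn, username, filter_template, role_attr="cn"):
    """Roles the populator would grant: one per group matching the filled filter."""
    filt = substitute(filter_template, user_dn, username)
    return sorted(ROLE_PREFIX + g[role_attr].upper() for g in GROUPS if matches(g, filt))

def access_granted(roles, required="ROLE_CAS-ADMINS"):
    """The webapp's decision: does the user hold the required role? (name assumed)"""
    return required in roles

if __name__ == "__main__":
    alice = "uid=alice,cn=users,cn=accounts,dc=example,dc=com"
    bob = "uid=bob,cn=users,cn=accounts,dc=example,dc=com"
    for filt in ("(member={0})", "gidNumber=1886200029",
                 "(&(gidNumber=1886200029)(member={0}))"):
        print(filt, roles_for(alice, "alice", filt), roles_for(bob, "bob", filt))
```

With the gidNumber-only filter, bob is granted the admin role although he is not a member of that group; adding a `(member={0})` term ties the group lookup back to the authenticated user.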
