So I set it to only accept users from the developers group, then I did my best to set the group stuff to only accept the developers group.

Now I'm getting HTTP error 403 on the cas-services/manage.html

A different problem now?

On Wednesday, February 24, 2016 at 12:15:12 PM UTC-5, Al J wrote:
>
> I just want to set it so that everybody in our developers group can admin
>
> We are running an IPA server so I don't have anyplace (that I know of) to add roles -- and I do not want to muck about with its underlying ldap store outside of its GUI
>
> I can already just set the user search path to only accept users in the developers group so I don't need groups/roles
>
> I don't understand what the group stuff is supposed to return -- the string 'ROLE_ADMIN' or an array of strings of roles?
>
> I wish I could tell it to ignore the group stuff or just hard code the 'ROLE_ADMIN' in there
>
> thanks
>
> On Wednesday, February 24, 2016 at 11:59:41 AM UTC-5, Misagh Moayyed wrote:
>>
>> This basically should allow you to configure access roles into the app. You get the roles for the user, and you decide which of those roles is a match so access can be granted. Is that what you are trying to do?
>>
>> If you search the archives, you will come across http://comments.gmane.org/gmane.comp.java.jasig.cas.user/24806 which might help.
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Al J
>> *Sent:* Wednesday, February 24, 2016 9:37 AM
>> *To:* CAS Community <[email protected]>
>> *Subject:* [cas-user] having trouble with ldap config for cas-services management webapp
>>
>> I am having a really tough time getting cas services management webapp to work w/ldap (against an IPA server)
>>
>> I can get authentication to work, but I can't figure out what are the right group-xxx attributes to use, I don't know what they are intended to do.
>>
>> Where can I find out how these are used?
>>
>> I've pulled my ldap values out into a .properties file for easier maintenance, copying for the most part that which works just fine for my cas server
>>
>> in my managementConfigContext.xml -- I have made only this change
>>
>> <sec:ldap-server id="ldapServer" url="${ldap.url}"
>>     manager-dn="${ldap.authn.managerDN}"
>>     manager-password="${ldap.authn.managerPassword}" />
>>
>> <sec:ldap-user-service id="userDetailsService" server-ref="ldapServer"
>>     group-search-base="${ldap.authn.group.baseDn}"
>>     group-role-attribute="${ldap.authn.group.roleAttr}"
>>     group-search-filter="${ldap.authn.group.searchFilter}"
>>     user-search-base="${ldap.authn.user.baseDn}"
>>     user-search-filter="${ldap.authn.user.searchFilter}"/>
>>
>> I have added these values to my cas-management.properties
>>
>> # LDAP Server
>> ldap.url=<omitted>
>>
>> # LDAP connection timeout in milliseconds
>> ldap.connectTimeout=3000
>>
>> # Whether to use StartTLS (probably needed if not SSL connection)
>> ldap.useStartTLS=false
>>
>> # Base DN of users to be authenticated
>> ldap.authn.user.baseDn=cn=users,cn=accounts,dc=epc-instore,dc=com
>>
>> # Manager DN for authenticated searches
>> ldap.authn.managerDN=uid=<omitted>,cn=users,cn=accounts,dc=epc-instore,dc=com
>>
>> # Manager password for authenticated searches
>> ldap.authn.managerPassword=<omitted>
>>
>> # Search filter used for configurations that require searching for DNs
>> #ldap.authn.searchFilter=(&(uid={user})(accountState=active))
>> ldap.authn.user.searchFilter=(uid={0})
>>
>> ldap.authn.group.searchFilter=gidNumber=1886200029
>> ldap.authn.group.baseDn=cn=groups,cn=accounts,dc=epc-instore,dc=com
>> ldap.authn.group.roleAttr=cn
>>
>> # Search filter used for configurations that require searching for DNs
>> #ldap.authn.format=uid=%s,ou=Users,dc=example,dc=org
>> ldap.authn.format=uid=%s,cn=users,cn=accounts,dc=epc-instore,dc=com
>>
>> # A path to trusted X.509 certificate for StartTLS
>> ldap.trustedCert=/path/to/cert.cer
>>
>> --
>> You received this message because you are subscribed to the Google Groups "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
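
Added example, not part of the thread and not Spring Security or CAS code: a small Python model of what Spring Security's LDAP group search does by default with the `group-search-base`, `group-search-filter` and `group-role-attribute` settings discussed above. The directory entries, the `example.org` DNs, the gidNumber values and the helper names are constructed for illustration; `ROLE_ADMIN` as the required role is an assumption taken from the role name mentioned in the thread.

```python
# Model of the default mapping: search the group base with the group filter,
# read the role attribute from each matching entry, upper-case it and
# prepend "ROLE_". All directory data below is constructed sample data.
USER_BASE = "cn=users,cn=accounts,dc=example,dc=org"

GROUPS = [  # constructed group entries under the group search base
    {"cn": ["developers"], "gidNumber": ["1001"],
     "member": [f"uid=alice,{USER_BASE}"]},
    {"cn": ["admin"], "gidNumber": ["1002"],
     "member": [f"uid=carol,{USER_BASE}"]},
]


def matches(entry, flt):
    """Evaluate one equality filter, e.g. (member=<dn>) or gidNumber=1001."""
    attr, _, value = flt.strip().strip("()").partition("=")
    return value.lower() in (v.lower() for v in entry.get(attr, []))


def roles_for(username, group_filter, role_attr="cn", prefix="ROLE_"):
    """Substitute {0} = user DN and {1} = username into the group filter,
    then build one role per value of role_attr on every matching group."""
    user_dn = f"uid={username},{USER_BASE}"
    flt = group_filter.replace("{0}", user_dn).replace("{1}", username)
    return sorted(prefix + value.upper()
                  for group in GROUPS if matches(group, flt)
                  for value in group.get(role_attr, []))


def may_admin(username, group_filter, admin_role="ROLE_ADMIN"):
    """Access is granted only if the required role is among the user's roles."""
    return admin_role in roles_for(username, group_filter)


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user,
              roles_for(user, "(member={0})"),    # filter tied to the user
              roles_for(user, "gidNumber=1001"),  # filter ignores the user
              may_admin(user, "(member={0})"))
```

In this model a group whose `cn` is `developers` yields `ROLE_DEVELOPERS`, never `ROLE_ADMIN`, and a group filter that contains neither `{0}` nor `{1}` returns the same group, and therefore the same role, for every user who passes the user search.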
