403 usually means you're denied access to the app. Possibly because of a role mismatch.

You might get more mileage out of the integration if you discussed the change with Spring Security folks, and what you might have to do to extend it. It takes a while to decipher, and in recent versions of the platform, Spring Sec is removed in favor of something that is easier understood and augmented. Perhaps the changes could be backported.

From: [email protected] [mailto:[email protected]] On Behalf Of Al J
Sent: Wednesday, February 24, 2016 11:01 AM
To: CAS Community <[email protected]>
Cc: [email protected]
Subject: Re: [cas-user] having trouble with ldap config for cas-services management webapp

so I set it to only accept users from the developers group
then I did my best to set the group stuff to only accept the developers group
now I'm getting http error 403 on the cas-services/manage.html
a different problem now?

On Wednesday, February 24, 2016 at 12:15:12 PM UTC-5, Al J wrote:

I just want to set it so that everybody in our developers group can admin.
We are running an IPA server so I don't have anyplace (that I know of) to add roles -- and I do not want to muck about with its underlying ldap store outside of its GUI.
I can already just set the user search path to only accept users in the developers group, so I don't need groups/roles.
I don't understand what the group stuff is supposed to return -- the string 'ROLE_ADMIN' or an array of strings of roles?
I wish I could tell it to ignore the group stuff or just hard code the 'ROLE_ADMIN' in there.
thanks

On Wednesday, February 24, 2016 at 11:59:41 AM UTC-5, Misagh Moayyed wrote:

This basically should allow you to configure access roles into the app. You get the roles for the user, and you decide which of those roles is a match so access can be granted. Is that what you are trying to do?

If you search the archives, you will come across http://comments.gmane.org/gmane.comp.java.jasig.cas.user/24806 which might help.

From: [email protected] [mailto:[email protected]] On Behalf Of Al J
Sent: Wednesday, February 24, 2016 9:37 AM
To: CAS Community <[email protected]>
Subject: [cas-user] having trouble with ldap config for cas-services management webapp

I am having a really tough time getting the cas services management webapp to work w/ldap (against an IPA server). I can get authentication to work, but I can't figure out what the right group-xxx attributes to use are; I don't know what they are intended to do. Where can I find out how these are used?

I've pulled my ldap values out into a .properties file for easier maintenance, copying for the most part that which works just fine for my cas server. In my managementConfigContext.xml I have made only this change:

    <sec:ldap-server id="ldapServer"
        url="${ldap.url}"
        manager-dn="${ldap.authn.managerDN}"
        manager-password="${ldap.authn.managerPassword}" />

    <sec:ldap-user-service id="userDetailsService"
        server-ref="ldapServer"
        group-search-base="${ldap.authn.group.baseDn}"
        group-role-attribute="${ldap.authn.group.roleAttr}"
        group-search-filter="${ldap.authn.group.searchFilter}"
        user-search-base="${ldap.authn.user.baseDn}"
        user-search-filter="${ldap.authn.user.searchFilter}"/>

I have added these values to my cas-management.properties:

    # LDAP Server
    ldap.url=<omitted>

    # LDAP connection timeout in milliseconds
    ldap.connectTimeout=3000

    # Whether to use StartTLS (probably needed if not SSL connection)
    ldap.useStartTLS=false

    # Base DN of users to be authenticated
    ldap.authn.user.baseDn=cn=users,cn=accounts,dc=epc-instore,dc=com

    # Manager DN for authenticated searches
    ldap.authn.managerDN=uid=<omitted>,cn=users,cn=accounts,dc=epc-instore,dc=com

    # Manager password for authenticated searches
    ldap.authn.managerPassword=<omitted>

    # Search filter used for configurations that require searching for DNs
    #ldap.authn.searchFilter=(&(uid={user})(accountState=active))
    ldap.authn.user.searchFilter=(uid={0})

    ldap.authn.group.searchFilter=gidNumber=1886200029
    ldap.authn.group.baseDn=cn=groups,cn=accounts,dc=epc-instore,dc=com
    ldap.authn.group.roleAttr=cn

    # Search filter used for configurations that require searching for DNs
    #ldap.authn.format=uid=%s,ou=Users,dc=example,dc=org
    ldap.authn.format=uid=%s,cn=users,cn=accounts,dc=epc-instore,dc=com

    # A path to trusted X.509 certificate for StartTLS
    ldap.trustedCert=/path/to/cert.cer

--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
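The mechanism Misagh describes (get the user's roles, then match one of them) and Al's question about what the group settings return, modelled in Python. This is an added example, not code from the thread, from CAS or from Spring Security. It encodes the behaviour of Spring Security's DefaultLdapAuthoritiesPopulator, which is what `<sec:ldap-user-service>` wires in: the group-search-filter is evaluated under group-search-base with `{0}` replaced by the authenticated user's DN and `{1}` by the username, and every matching group contributes the value of group-role-attribute (default `cn`), upper-cased and prefixed with `ROLE_`. The directory entries, DNs, usernames and gid values below are constructed stand-ins for an IPA tree, not the poster's data; the `ROLE_ADMIN` requirement is the one the thread names for the management webapp.

```python
"""Model of Spring Security's LDAP group -> role mapping (added example).

Constructed sample data; the logic mirrors DefaultLdapAuthoritiesPopulator:
  * search group-search-base with group-search-filter, {0} = user DN, {1} = username
  * each matching group yields ROLE_ + upper(<group-role-attribute>)
The management webapp then requires one of those roles to be ROLE_ADMIN.
"""
import re

GROUP_BASE = "cn=groups,cn=accounts,dc=example,dc=com"  # constructed
ALICE_DN = "uid=alice,cn=users,cn=accounts,dc=example,dc=com"  # constructed
BOB_DN = "uid=bob,cn=users,cn=accounts,dc=example,dc=com"  # constructed

# Constructed directory: DN -> attributes (all values kept as lists).
DIRECTORY = {
    ALICE_DN: {"uid": ["alice"], "gidNumber": ["1886200029"]},
    BOB_DN: {"uid": ["bob"], "gidNumber": ["1886200030"]},
    "cn=developers," + GROUP_BASE: {
        "cn": ["developers"], "gidNumber": ["1886200029"], "member": [ALICE_DN]},
    "cn=admin," + GROUP_BASE: {
        "cn": ["admin"], "gidNumber": ["1886200001"], "member": [BOB_DN]},
}


def _matches(entry, filt):
    """Evaluate a tiny LDAP filter subset: (attr=value), bare attr=value, (&(..)(..))."""
    filt = filt.strip()
    if filt.startswith("(&"):
        terms = re.findall(r"\([^()]*\)", filt[2:-1])
        return all(_matches(entry, t) for t in terms)
    attr, _, value = filt.strip("()").partition("=")
    return value in entry.get(attr, [])


def group_authorities(user_dn, username, search_filter,
                      role_attr="cn", role_prefix="ROLE_", upper=True):
    """Return the sorted list of roles the group search produces for this user.

    This is the "array of strings of roles" the group settings return: one
    role per matching group, never a single hard-coded ROLE_ADMIN.
    """
    filt = search_filter.replace("{0}", user_dn).replace("{1}", username)
    roles = set()
    for dn, entry in DIRECTORY.items():
        if not dn.lower().endswith("," + GROUP_BASE.lower()):
            continue  # only entries under group-search-base are considered
        if _matches(entry, filt):
            for value in entry.get(role_attr, []):
                roles.add(role_prefix + (value.upper() if upper else value))
    return sorted(roles)


def manage_page_allowed(roles, required="ROLE_ADMIN"):
    """The access decision the management webapp makes; False means HTTP 403."""
    return required in roles


if __name__ == "__main__":
    # The poster's filter names no {0}/{1}, so it matches the same group for
    # every authenticated user and yields ROLE_DEVELOPERS, not ROLE_ADMIN -> 403.
    for dn, user in ((ALICE_DN, "alice"), (BOB_DN, "bob")):
        roles = group_authorities(dn, user, "gidNumber=1886200029")
        print(user, roles, "allowed" if manage_page_allowed(roles) else "403")
    # Spring Security's default filter ties the search to the user's own DN.
    for dn, user in ((ALICE_DN, "alice"), (BOB_DN, "bob")):
        roles = group_authorities(dn, user, "(member={0})")
        print(user, roles, "allowed" if manage_page_allowed(roles) else "403")
```

Two things the model makes visible. First, the group settings return a list of roles, one per group the filter matches, named `ROLE_` plus the upper-cased role attribute; with `ldap.authn.group.roleAttr=cn` and a group called developers that is `ROLE_DEVELOPERS`, which is not `ROLE_ADMIN`, so the management page answers 403 (the role mismatch named at the top of the thread). Second, a group filter that does not reference `{0}` or `{1}` is evaluated identically for every authenticated user, so it neither restricts who gets the role nor says anything about membership; the default `(member={0})` form is what binds the result to the user actually logging in.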
