/
CAS + LDAP Unique Example

CAS + LDAP Unique Example

Owned by Tomek Kott
Last updated: Nov 21, 2008Version comment

Introduction

Here is a small example for creating your own User Directory that might be interfacing with some unique situations. Here there is a combined CAS for login + LDAP for group identification.

For the website I am developing, I had a rather unique situation in which there is a built in Central Authentication System (CAS) that takes care of passwords/userid's and things like that. On the other hand, profile information (such as First Name / Last Name) and group information are located in an LDAP system. Additionally, I had to first only allow a certain subset of users from CAS to log in, and secondly I had to separate those that could log in into two groups based on some membership data from the FC installation.

Process

So, the process by which this all occurs is also independent of the FarCry login screen (in a sense):

1) Users browse to custom displayPageLogin (dmHTML) type, and submit their username.
2) The same page processes the input to check against LDAP if they are in the correct group.
3) If it's in the correct group, the user is forwarded to the FarCry login screen, which immediately forwards onto the CAS service (this is required so that the CAS always sees one page, FC Login, as its requestor)
4) User logs in through CAS, upon success gets forwarded back through FC Login to the default page specified in the displayLogin type of dmHTML (i.e., the FC Login webskin)
5) User is then logged into the public "back-end" (i.e. not the webtop) without seeing the webtop interface.

Creation steps

To do this, I created a custom UD called CASLDAPUD. I then mapped the right roles onto the UD Groups (which are defined by hand for my purposes)

Attached to this post is the CASLDAPUD cfc page, and detailed below is the relevant portion of the displayPageLogin and displayLogin. I have taken out the things that need to be changed for your own ldap servers, and other page fu etc. and replaced with XXX. So just search for those and you should be able to implement the solution.

Finally, this is all sort of 'beta' stage, as I would love to get things working with a config on the front for most of these things to be changed easily.

Hope this helps someone somewhere!

getGroupUsers

getGroupUsers Function Needed!

I left out this function from the original CFC. Basically it returns a empty string. This for me is fine, since:

.bq getGroupUsers is used for workflow - when approval is requested for an item FarCry checks to see who has permission to approve it AND has an email address and provides that as a list to the user. (Blair McKenzie)

displayPageLogin

displayPageLogin
<ft:processform action="Login">
                <cfldap 
                      server = "XXX"
                      port = "389"
                      action = "query"
                      name = "results"
                      start = "XXX"
                      filter = "XXX"
                      attributes = "*">
                <cfif results.RecordCount>
                    <!---No ticket and no session.ident variable:  redirect to CAS--->
                    
                    <cflocation url="/farcry/core/webtop/login.cfm?ud=CASLDAPUD&uid=#form.userid#" addtoken="no">    
                </cfif>
            </ft:processform>
            <ft:form name="useridInput" action="XXX">
                <cfoutput><input class="required" type="string" name="userid" /></cfoutput>
                <ft:button value="Login" />
            </ft:form>

displayLogin

displayLogin
    <cfset session.loginReturnURL = "XXX" />
    <cfset session.loginReturnURL = replace( session.loginReturnURL, "logout=1", "" ) />
    <cfset session.loginReturnURL = replace( session.loginReturnURL, "&&", "" ) />