This is actually fairly straightforward if you know what you’re doing unfortunately it takes a while, for me at least, to get to that level of understanding.
Probably the most important thing missing from the pages I’ve seen describing this is that you need to configure OpenLDAP first.
OpenLDAP
What you want is to enable the memberOf overlay
For Ubuntu 12.04 the steps are as follows:
Create the files
module.ldif
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: memberof
overlay.ldif
dn: olcOverlay=memberof,olcDatabase={1}hdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
Then configure OpenLDAP as follows:
ldapadd -Y EXTERNAL -H ldapi:/// -f module.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f overlay.ldif
You should probably read up on this a bit more – in particular note that retrospectively adding this won’t achieve what you want without extra steps to reload the groups
CAS
The CAS documentation is actually reasonably good once you understand that you are after the memberOf attribute but for example I’ll show some config here
deployerConfigContext.xml
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao"> <property name="contextSource" ref="contextSource" /> <property name="baseDN" value="ou=people,dc=wrighting,dc=org" /> <property name="requireAllQueryAttributes" value="true" /> <!-- Attribute mapping between principal (key) and LDAP (value) names used to perform the LDAP search. By default, multiple search criteria are ANDed together. Set the queryType property to change to OR. --> <property name="queryAttributeMapping"> <map> <entry key="username" value="uid" /> </map> </property> <property name="resultAttributeMapping"> <map> <!-- Mapping beetween LDAP entry attributes (key) and Principal's (value) --> <entry value="Name" key="cn" /> <entry value="Telephone" key="telephoneNumber" /> <entry value="Fax" key="facsimileTelephoneNumber" /> <entry value="memberOf" key="memberOf" /> </map> </property> </bean>
After that you can setup your CAS to use SAML1.1 or modify view/jsp/protocol/2.0/casServiceValidationSuccess.jsp according to your preferences.
Don’t forget to allow the attributes for the registered services as well
<bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl"> <property name="registeredServices"> <list> <bean class="org.jasig.cas.services.RegexRegisteredService"> <property name="id" value="0" /> <property name="name" value="HTTP and IMAP" /> <property name="description" value="Allows HTTP(S) and IMAP(S) protocols" /> <property name="serviceId" value="^(https?|imaps?)://.*" /> <property name="evaluationOrder" value="10000001" /> <property name="allowedAttributes"> <list> <value>Name</value> <value>Telephone</value> <value>memberOf</value> </list> </property> </bean> </list> </property> </bean>