Ok, to close the loop on this (and perhaps open a new one), I can get the
attributes if I use this config option:
cas.authn.attribute-repository.ldap[0].query-attributes.username=uid
NOTE: attributes are returned if no service is provided with the
authentication attempt since username is the last attribute processed
(discussed later).
To find the key, 'username', I used this logger (and the follow up for
ldap):
<Logger name="org.apereo.services.persondir" level="debug" />
<Logger name="org.ldaptive" level="trace"/>
<Logger name="org.ldaptive.SearchRequest" level="trace" additivity="true" />
After perusing the code, indeed the resulting FilterTemplate has all
entries (principal, credentialClass, credentialId, username, service),
observed with this log line:
Generated query builder '[org.ldaptive.FilterTemplate@-621386179::filter=uid={user}, parameters={user=https://democasclientlocal.uvic.ca/democasclient/callback?client_name=CasClient}]' from query Map {principal=[rbon], credentialClass=[UsernamePasswordCredential], credentialId=[rbon], username=[rbon], service=[https://democasclientlocal.uvic.ca/democasclient/callback?client_name=CasClient]}.
However, the filter is only concerned with a single parameter, 'user',
setting it to the entry being processed; i.e. the last one wins, which is the
value for service.
If, however, the search filter is changed to:
search-filter: uid={username}
then attributes are returned.
Two obvious ways forward are:
1. make cas.authn.attribute-repository.ldap[].query-attributes a required
property (and provide at least some predefined options; such as principal,
credentialId, username)
2. add the attribute used in the authentication stage to the list of query
parameters (so the same search-filter can be used with authentication and
attribute retrieval)
I am open to other suggestions.
Ray
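An added illustration of the filter construction described above, written for this thread and not code from CAS, person-directory or ldaptive: a small Python model in which each query-map entry fills the filter template in turn, so a single '{user}' placeholder ends up holding whichever entry was appended last. The model goes one step beyond what the log shows by assuming that each entry also fills a placeholder named after its own key, which is the simplest way to account for 'uid={username}' working, and it skips unmapped keys when query-attributes is set, as the NOTE above implies. FilterTemplate, build_search_filter, escape_value and demonstrate are the model's own names; the RFC 4515 escaping in escape_value is a stand-in for the encoding ldaptive applies to template parameters, included because the 'service' value that ends up in the filter originates in the client request.

```python
"""Model of the person-directory LDAP filter construction discussed in this
thread. Added illustration only: NOT code from CAS, person-directory or
ldaptive. All names here are the model's own."""
import re
from typing import Dict, List, Optional, Tuple

# The query map exactly as the thread's "Generated query builder ... from
# query Map" log line shows it (order matters: 'service' is appended last).
QUERY_MAP: Dict[str, List[str]] = {
    "principal": ["rbon"],
    "credentialClass": ["UsernamePasswordCredential"],
    "credentialId": ["rbon"],
    "username": ["rbon"],
    "service": ["https://democasclientlocal.uvic.ca/democasclient/callback?client_name=CasClient"],
}


def escape_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value (stand-in for ldaptive's own
    parameter encoding): metacharacters become \\xx, so a request-supplied
    value such as 'service' fills exactly one assertion value and cannot
    alter the filter's structure."""
    special = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}
    return "".join(special.get(ch, ch) for ch in value)


class FilterTemplate:
    """Minimal stand-in for org.ldaptive.FilterTemplate: a filter string
    with {name} placeholders plus the parameters that fill them."""

    def __init__(self, filter_string: str) -> None:
        self.filter_string = filter_string
        self.parameters: Dict[str, str] = {}

    def set_parameter(self, name: str, value: str) -> None:
        self.parameters[name] = value  # overwrites any earlier value

    def format(self) -> str:
        # Single pass over placeholders; placeholders with no parameter stay as-is.
        def fill(match: "re.Match[str]") -> str:
            name = match.group(1)
            if name not in self.parameters:
                return match.group(0)
            return escape_value(self.parameters[name])
        return re.sub(r"\{(\w+)\}", fill, self.filter_string)


def build_search_filter(
    search_filter: str,
    query_map: Dict[str, List[str]],
    query_attributes: Optional[Dict[str, str]] = None,
) -> Tuple[str, List[str]]:
    """Append the query map's entries to a template one at a time, as the
    DEBUG log shows the DAO doing; return the final filter plus the
    intermediate 'Constructed LDAP search query' values.

    query_attributes models cas.authn.attribute-repository.ldap[0].query-attributes
    (query key -> LDAP attribute). When set, only mapped keys are appended and
    everything else, 'service' included, is skipped, which is what leaves
    'username' as the last attribute processed. Only its keys matter here."""
    template: Optional[FilterTemplate] = None
    trace: List[str] = []
    for key, values in query_map.items():
        if not values or (query_attributes is not None and key not in query_attributes):
            continue
        if template is None:
            template = FilterTemplate(search_filter)
        # The single shared placeholder every entry overwrites ('last one wins') ...
        template.set_parameter("user", values[0])
        # ... and, an assumption of this model, a placeholder named after the
        # key itself, which is what lets 'uid={username}' pick out the username.
        template.set_parameter(key, values[0])
        trace.append(template.format())
    if template is None:
        raise ValueError("no query attribute to search on")
    return template.format(), trace


def demonstrate() -> Dict[str, str]:
    """The configurations discussed in the thread and the filter each yields."""
    without_service = {k: v for k, v in QUERY_MAP.items() if k != "service"}
    return {
        "uid={user}": build_search_filter("uid={user}", QUERY_MAP)[0],
        "uid={user}, query-attributes.username=uid":
            build_search_filter("uid={user}", QUERY_MAP, {"username": "uid"})[0],
        "uid={username}": build_search_filter("uid={username}", QUERY_MAP)[0],
        "uid={user}, no service in request":
            build_search_filter("uid={user}", without_service)[0],
    }


if __name__ == "__main__":
    for config, ldap_filter in demonstrate().items():
        print(f"{config:45} -> {ldap_filter}")
```

Running it prints the four filters side by side: only the first configuration ends up searching for the service URL, and the trace returned by build_search_filter reproduces the sequence of 'Constructed LDAP search query' values in the log below (rbon, UsernamePasswordCredential, rbon, rbon, then the service URL).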
On Tuesday, January 30, 2024 at 8:56:15 a.m. UTC-8 Misagh Moayyed wrote:
> You can review PrincipalAttributeRepositoryFetcher.
>
> On Sunday, January 28, 2024 at 6:54:08 PM UTC+4 [email protected] wrote:
>
>> To clarify the sentence about the service being submitted for ldap search.
>> What is happening:
>> uid=https://democasclientlocal.uvic.ca/democasclient/callback?client_name=CasClient
>> What should happen:
>> uid=rbon
>>
>> Ray
>>
>> On Friday, January 26, 2024 at 9:26:10 p.m. UTC-8 Ray Bon wrote:
>>
>>> I am using org.apereo.cas:cas-server-support-ldap-core with the
>>> following config to retrieve attributes after the authentication step.
>>>
>>> ....
>>> ldap[0]:
>>>   attributes:
>>>     description: description
>>>   bind-credential: ${authn.ldap.bind-credential}
>>>   base-dn: ${authn.ldap.base-dn-admin}
>>>   bind-dn: ${authn.ldap.bind-dn}
>>>   connect-timeout: PT3S
>>>   id: administrators
>>>   ldap-url: ${ldap-url}
>>>   order: 2
>>>   search-filter: uid={user}
>>> ...
>>>
>>> This results in the below log output (at bottom of email) (more
>>> available upon request). Since the search is submitted with the service
>>> (_not_ serviceId), no attribute is returned. This behaviour is new since
>>> version 6.5.
>>>
>>> I have looked at the code in:
>>>
>>> https://github.com/apereo/cas/blob/v7.0.0/support/cas-server-support-person-directory/src/main/java/org/apereo/cas/config/CasPersonDirectoryLdapConfiguration.java
>>>
>>> https://github.com/apereo/person-directory/blob/person-directory-parent-3.0.1/person-directory-impl/src/main/java/org/apereo/services/persondir/support/ldap/LdaptivePersonAttributeDao.java
>>>
>>> https://github.com/apereo/cas/blob/master/support/cas-server-support-ldap-core/src/main/java/org/apereo/cas/util/LdapConnectionFactory.java
>>>
>>> https://github.com/apereo/cas/blob/master/support/cas-server-support-ldap-core/src/main/java/org/apereo/cas/util/LdapUtils.java
>>>
>>> I would like to know where LdaptivePersonAttributeDao is being accessed
>>> in other parts of the cas code. That is, what populates the attributes and
>>> how does it choose the particular attribute:value to submit to the search
>>> request?
>>>
>>> Thanks,
>>>
>>> Ray
>>>
>>>
>>> cas | 2024-01-25 22:13:56,810 DEBUG [org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Adding attribute 'principal' with value '[rbon]' to query builder 'null'> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:56,811 DEBUG [org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Constructed LDAP search query [uid=rbon]> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:56,811 DEBUG [org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Adding attribute 'credentialClass' with value '[UsernamePasswordCredential]' to query builder '[org.ldaptive.FilterTemplate@748158591::filter=uid={user}, parameters={user=rbon}]'> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:56,811 DEBUG [org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Constructed LDAP search query [uid=UsernamePasswordCredential]> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:56,811 DEBUG [org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Adding attribute 'credentialId' with value '[rbon]' to query builder '[org.ldaptive.FilterTemplate@-147358242::filter=uid={user}, parameters={user=UsernamePasswordCredential}]'> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:56,811 DEBUG [org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Constructed LDAP search query [uid=rbon]> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:56,811 DEBUG [org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Adding attribute 'username' with value '[rbon]' to query builder '[org.ldaptive.FilterTemplate@748158591::filter=uid={user}, parameters={user=rbon}]'> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:56,811 DEBUG [org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Constructed LDAP search query [uid=rbon]> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:56,811 DEBUG [org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Adding attribute 'service' with value '[https://democasclientlocal.uvic.ca/democasclient/callback?client_name=CasClient]' to query builder '[org.ldaptive.FilterTemplate@748158591::filter=uid={user}, parameters={user=rbon}]'> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:56,811 DEBUG [org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Constructed LDAP search query [uid=https://democasclientlocal.uvic.ca/democasclient/callback?client_name=CasClient]> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:56,811 DEBUG [org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Generated query builder '[org.ldaptive.FilterTemplate@-621386179::filter=uid={user}, parameters={user=https://democasclientlocal.uvic.ca/democasclient/callback?client_name=CasClient}]' from query Map {principal=[rbon], credentialClass=[UsernamePasswordCredential], credentialId=[rbon], username=[rbon], service=[https://democasclientlocal.uvic.ca/democasclient/callback?client_name=CasClient]}.> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:56,812 TRACE [org.ldap.SearchRequest] - <setting baseDn: ou=...> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:56,812 TRACE [org.ldap.SearchRequest] - <setting filter: [org.ldaptive.FilterTemplate@-621386179::filter=uid={user}, parameters={user=https://democasclientlocal.uvic.ca/democasclient/callback?client_name=CasClient}]> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:56,812 TRACE [org.ldap.SearchRequest] - <setting binaryAttributes: [objectGUID, objectSid]> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:56,813 TRACE [org.ldap.SearchRequest] - <setting returnAttributes: [eduPersonEntitlement, uid, mail, eduPersonAffiliation, givenName, eduPersonPrincipalName, sn, cn, memberOf]> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:56,813 TRACE [org.ldap.SearchRequest] - <setting searchScope: SUBTREE> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:56,813 TRACE [org.ldap.SearchRequest] - <setting sizeLimit: 0> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:56,813 TRACE [org.ldap.SearchRequest] - <setting timeLimit: PT0S> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:57,040 DEBUG [org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Adding attribute 'principal' with value '[rbon]' to query builder 'null'> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:57,040 DEBUG [org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Constructed LDAP search query [uid=rbon]> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:57,040 DEBUG [org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Adding attribute 'credentialClass' with value '[UsernamePasswordCredential]' to query builder '[org.ldaptive.FilterTemplate@748158591::filter=uid={user}, parameters={user=rbon}]'> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:57,040 DEBUG [org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Constructed LDAP search query [uid=UsernamePasswordCredential]> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:57,040 DEBUG [org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Adding attribute 'credentialId' with value '[rbon]' to query builder '[org.ldaptive.FilterTemplate@-147358242::filter=uid={user}, parameters={user=UsernamePasswordCredential}]'> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:57,040 DEBUG [org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Constructed LDAP search query [uid=rbon]> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:57,041 DEBUG [org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Adding attribute 'username' with value '[rbon]' to query builder '[org.ldaptive.FilterTemplate@748158591::filter=uid={user}, parameters={user=rbon}]'> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:57,041 DEBUG [org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Constructed LDAP search query [uid=rbon]> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:57,041 DEBUG [org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Adding attribute 'service' with value '[https://democasclientlocal.uvic.ca/democasclient/callback?client_name=CasClient]' to query builder '[org.ldaptive.FilterTemplate@748158591::filter=uid={user}, parameters={user=rbon}]'> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:57,041 DEBUG [org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Constructed LDAP search query [uid=https://democasclientlocal.uvic.ca/democasclient/callback?client_name=CasClient]> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:57,041 DEBUG [org.aper.serv.pers.supp.ldap.LdaptivePersonAttributeDao] - <Generated query builder '[org.ldaptive.FilterTemplate@-621386179::filter=uid={user}, parameters={user=https://democasclientlocal.uvic.ca/democasclient/callback?client_name=CasClient}]' from query Map {principal=[rbon], credentialClass=[UsernamePasswordCredential], credentialId=[rbon], username=[rbon], service=[https://democasclientlocal.uvic.ca/democasclient/callback?client_name=CasClient]}.> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:57,041 TRACE [org.ldap.SearchRequest] - <setting baseDn: ou=administrators,ou=...> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:57,041 TRACE [org.ldap.SearchRequest] - <setting filter: [org.ldaptive.FilterTemplate@-621386179::filter=uid={user}, parameters={user=https://democasclientlocal.uvic.ca/democasclient/callback?client_name=CasClient}]> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:57,042 TRACE [org.ldap.SearchRequest] - <setting binaryAttributes: [objectGUID, objectSid]> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:57,042 TRACE [org.ldap.SearchRequest] - <setting returnAttributes: [description]> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:57,042 TRACE [org.ldap.SearchRequest] - <setting searchScope: SUBTREE> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:57,042 TRACE [org.ldap.SearchRequest] - <setting sizeLimit: 0> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:57,042 TRACE [org.ldap.SearchRequest] - <setting timeLimit: PT0S> [https-openssl-nio-8443-exec-9]
>>> cas | 2024-01-25 22:13:57,277 INFO [org.aper.cas.auth.DefaultAuthenticationManager] - <Authenticated principal [rbon] with attributes [{domain=[uvic.ca], username=[rbon]}] via credentials [[UsernamePasswordCredential(username=rbon, source=null, customFields={})]].> [https-openssl-nio-8443-exec-9]
>>>
--
You received this message because you are subscribed to the Google Groups "CAS
Developer" group.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-dev/1e76eb58-f42b-48b8-a99c-78bc385ea599n%40apereo.org.