Your configuration is not clear on what you intend to do. By my reading, it looks 
like the problem is that you are getting static attributes rather than what’s 
defined in LDAP? If so, it’s because of this:

<entry key-ref="ldapAuthenticationHandler" value-ref="primaryPrincipalResolver" />

What you’re saying there is, authenticate via ldap, then retrieve my attributes 
defined by the resolver (which are static because this resolver is connected to 
your static source). Your other handler right below it is never involved, 
because this one simply succeeds. 

So:

Turn this:
<entry key-ref="ldapAuthenticationHandler" value-ref="primaryPrincipalResolver" />
<entry key-ref="primaryAuthenticationHandler" value="#{null}" />

Into this:
<entry key-ref="ldapAuthenticationHandler" value="#{null}" />

Now, if you wish to get attributes from LDAP AND from a static config that is 
also possible. But not this way. 

Note that “principalAttributeMap” of your handler can be a list too. If you 
don’t have any special mappings, you can turn that map into a list. Easier to 
read.  
 
Misagh

From: David Lee <[email protected]>
Reply: David Lee <[email protected]>
Date: March 3, 2016 at 7:11:26 AM
To: CAS Community <[email protected]>
CC: [email protected] <[email protected]>, 
[email protected] <[email protected]>
Subject:  Re: [cas-user] principal attributes from ldap in CAS 4.2  

I'm struggling with the same problem..

<!-- See http://jasig.github.io/cas/development/installation/LDAP-Authentication.html -->
<bean id="ldapAuthenticationHandler"
      class="org.jasig.cas.authentication.LdapAuthenticationHandler"
      p:principalIdAttribute="mail">
    <constructor-arg ref="authenticator" />
    <property name="principalAttributeMap">
        <map>
            <!--
               | This map provides a simple attribute resolution mechanism.
               | Keys are LDAP attribute names, values are CAS attribute names.
               | This facility can be used instead or in addition to PrincipalResolver
               | components.
               -->
            <entry key="member" value="memberOf" />
            <entry key="eduPersonAffiliation" value="affiliation" />
            <entry key="mail" value="mail" />
            <entry key="displayName" value="displayName" />
            <entry key="cn" value="cn" />
            <entry key="sn" value="sn" />
            <entry key="entryUUID" value="entryUUID" />
        </map>
    </property>
</bean>



Like above, I added additional entries I would like to retrieve from LDAP, and 
it works, but it looks like the attributes generated by SimplePrincipal were 
overwritten by the below:





<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.NamedStubPersonAttributeDao"
      p:backingMap-ref="attrRepoBackingMap" />

<util:map id="attrRepoBackingMap">
    <entry key="uid" value="uid" />
    <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
    <entry key="groupMembership" value="groupMembership" />
    <entry key="mail" value="mail" />
    <entry key="cn" value="cn" />
    <entry key="sn" value="sn" />
    <entry>
        <key><value>memberOf</value></key>
        <list>
            <value>faculty</value>
            <value>staff</value>
            <value>org</value>
        </list>
    </entry>
</util:map>



So when I tried to get the attributes in the CAS client as below,



AttributePrincipal principal = (AttributePrincipal)request.getUserPrincipal();
Map attributes = principal.getAttributes();
Iterator attributeNames = attributes.keySet().iterator();



It populates static entries defined in the backing map.



For your reference, I followed all the posts in this question thread and did as 
below,



<util:map id="authenticationHandlersResolvers">
    <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
    <entry key-ref="ldapAuthenticationHandler" value-ref="primaryPrincipalResolver" />
    <entry key-ref="primaryAuthenticationHandler" value="#{null}" />
</util:map>



cas.principal.resolver.persondir.return.null=false // in cas.properties I did this.


And added the below to the service JSON file
...
"attributeReleasePolicy" : {
    "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
    "principalAttributesRepository" : {
      "@class" : "org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository"
    },
    "authorizedToReleaseCredentialPassword" : false,
    "authorizedToReleaseProxyGrantingTicket" : false,
    "allowedAttributes" : [ "java.util.ArrayList", [ "cn", "mail", "sn" ] ]
  },

...

But it still retrieves the mapped static entries...

Could you please share how you could get the attributes in the map in 

<bean id="ldapAuthenticationHandler"
      class="org.jasig.cas.authentication.LdapAuthenticationHandler"
      p:principalIdAttribute="mail">
    <constructor-arg ref="authenticator" />
    <property name="principalAttributeMap">
        <map>
            <!--
               | This map provides a simple attribute resolution mechanism.
               | Keys are LDAP attribute names, values are CAS attribute names.
               | This facility can be used instead or in addition to PrincipalResolver
               | components.
               -->
            <entry key="member" value="memberOf" />
            <entry key="eduPersonAffiliation" value="affiliation" />
            <entry key="mail" value="mail" />
            <entry key="displayName" value="displayName" />
            <entry key="cn" value="cn" />
            <entry key="sn" value="sn" />
            <entry key="entryUUID" value="entryUUID" />
        </map>
    </property>
</bean>



Thanks in advance.



On Monday, February 8, 2016 at 6:34:55 PM UTC+9, Mikko Tuumanen wrote:
Study 
http://jasig.github.io/cas/4.2.x/installation/Configuring-Principal-Resolution.html#principalresolver-vs-authenticationhandler

 


<entry key-ref="primaryAuthenticationHandler" value-ref="#{null}" />

causes

Caused by: org.springframework.beans.factory.BeanCreationException: Error 
creating bean with name 'authenticationHandlersResolvers': Cannot resolve 
reference to bean '#{null}' while setting bean property 'sourceMap' with key 
[<primaryAuthenticationHandler>]; nested exception is 
org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 
'null' is defined



--
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
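
Added example, not part of the original thread or of CAS itself: a small Python check that reads the authenticationHandlersResolvers map discussed above and reports, per handler, whether principal attributes will come from a paired resolver or from the handler's own principalAttributeMap, and flags the value-ref="#{null}" form that produced the BeanCreationException. The function name audit_handler_map and the <beans> wrapper around the sample are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

BEANS = "{http://www.springframework.org/schema/beans}"
UTIL = "{http://www.springframework.org/schema/util}"
NULL_EXPR = "#{null}"

# Constructed sample: the map quoted in the thread, wrapped in a minimal <beans> root.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util">
  <util:map id="authenticationHandlersResolvers">
    <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
    <entry key-ref="ldapAuthenticationHandler" value-ref="primaryPrincipalResolver" />
    <entry key-ref="primaryAuthenticationHandler" value="#{null}" />
  </util:map>
</beans>"""


def audit_handler_map(xml_text, map_id="authenticationHandlersResolvers"):
    """Return (handler, attribute_source, note) for every entry of the map."""
    findings = []
    for m in ET.fromstring(xml_text).iter(UTIL + "map"):
        if m.get("id") != map_id:
            continue
        for entry in m.findall(BEANS + "entry"):
            handler = entry.get("key-ref")
            value_ref, value = entry.get("value-ref"), entry.get("value")
            if value_ref == NULL_EXPR:
                # Spring treats value-ref as a bean name, hence "No bean named 'null'".
                result = ("invalid", 'use value="#{null}", not value-ref')
            elif value_ref is not None:
                result = ("resolver:" + value_ref,
                          "attributes come from this resolver, not the handler")
            elif value == NULL_EXPR:
                result = ("handler", "attributes come from principalAttributeMap")
            else:
                result = ("unknown", "entry names no resolver and no #{null}")
            findings.append((handler,) + result)
    return findings


if __name__ == "__main__":
    for handler, source, note in audit_handler_map(SAMPLE):
        print(f"{handler:32} {source:36} {note}")
```

Run against the sample, the ldapAuthenticationHandler entry is reported as sourcing attributes from primaryPrincipalResolver, which is the static repository in this thread.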
