Just to follow up, this issue is resolved in the recent RC4-SNAPSHOT.
It's no longer necessary to set the following to override the default
mapping of cn to commonName.
cas.authn.attributeRepository.attributes.cn=cn
On Tue, Oct 04, 2016 at 01:32:22PM -1000, Baron Fujimoto wrote:
>While testing CAS 5 RC3, we discovered it was not releasing the cn
>attribute as we expected.
>
>We are authenticating via LDAP and using it as an attribute source.
>
>The following was defined in our cas.properties:
>
>cas.authn.ldap[0].principalAttributeList=cn,uhUuid
>cas.authn.attributeRepository.defaultAttributesToRelease=cn,uhUuid
>
>This is logged:
>
>DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <LDAP
>response:
>[org.ldaptive.auth.AuthenticationResponse@1770400845::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS,
> resolvedDn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu,
>ldapEntry=[dn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu[[uid[baron]],
>[displayName[Baron K Fujimoto]], [uhUuid[10101010]], [cn[Baron K Fujimoto]]],
>responseControls=null, messageId=-1], accountState=null, result=true,
>resultCode=SUCCESS, message=null, controls=null]>
>DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Applying
>password policy to
>[org.ldaptive.auth.AuthenticationResponse@1770400845::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS,
> resolvedDn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu,
>ldapEntry=[dn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu[[uid[baron]],
>[displayName[Baron K Fujimoto]], [uhUuid[10101010]], [cn[Baron K Fujimoto]]],
>responseControls=null, messageId=-1], accountState=null, result=true,
>resultCode=SUCCESS, message=null, controls=null]>
>DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Retrieved
>principal id attribute baron>
>DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found
>principal attribute: [uid[baron]]>
>DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found
>principal attribute: [uhUuid[10101010]]>
>DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found
>principal attribute: [displayName[Baron K Fujimoto]]>
>DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found
>principal attribute: [cn[Baron K Fujimoto]]>
>DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Created
>LDAP principal for id baron and 5 attributes>
>DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
><Final principal resolved for this authentication event is baron>
>
>DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
><Attribute map for baron: {commonName=Baron K Fujimoto, displayName=Baron K
>Fujimoto,
>LdapAuthenticationHandler.dn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu,
>uhUuid=10101010, uid=baron}>
>
>DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] -
><Collected principal attributes [{commonName=Baron K Fujimoto, uid=baron,
>LdapAuthenticationHandler.dn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu,
>displayName=Baron K Fujimoto, uhUuid=10101010}] for inclusion in this result
>for principal [baron]>
>
>DEBUG
>[org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository]
>- <DefaultPrincipalAttributesRepository will return the collection of
>attributes directly associated with the principal object which are
>[{commonName=Baron K Fujimoto, displayName=Baron K Fujimoto,
>LdapAuthenticationHandler.dn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu,
>uhUuid=10101010, uid=baron}]>
>2016-10-03 17:37:47,729 DEBUG
>[org.apereo.cas.authentication.principal.cache.AbstractPrincipalAttributesRepository]
> - <Found [5] cached attributes for principal [baron] that are
>{commonName=Baron K Fujimoto, displayName=Baron K Fujimoto,
>LdapAuthenticationHandler.dn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu,
>uhUuid=10101010, uid=baron}>
>DEBUG
>[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
><Found principal attributes {commonName=Baron K Fujimoto, displayName=Baron K
>Fujimoto,
>LdapAuthenticationHandler.dn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu,
>uhUuid=10101010, uid=baron} for baron>
>DEBUG
>[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
><Calling attribute policy ReturnAllowedAttributeReleasePolicy to process
>attributes for baron>
>DEBUG
>[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
><Attribute policy ReturnAllowedAttributeReleasePolicy allows release of {} for
>baron>
>DEBUG
>[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
><Checking default attribute policy attributes>
>DEBUG
>[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
><Located application context. Retrieving default attributes for release, if
>any>
>DEBUG
>[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
><Default attributes for release are: [cn, uhUuid]>
>DEBUG
>[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
><Found and added default attribute for release: uhUuid>
>DEBUG
>[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
><Default attributes found to be released are {uhUuid=10101010}>
>DEBUG
>[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
><Attempting to merge policy attributes and default attributes>
>DEBUG
>[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
><Adding default attributes first to the released set of attributes>
>DEBUG
>[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
><Adding policy attributes to the released set of attributes>
>DEBUG
>[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
><Final collection of attributes allowed are: {uhUuid=10101010}>
>
>At this point, it seems that cn (by virtue of having been mapped to
>commonName?) is no longer in the set of attributes to release, and thus not
>released by default.
>
>My theory, based on the observed behavior where it also gets the
>displayName, despite it not being requested or used anywhere in my config
>that I can discern, and the apparent mapping of cn=commonName, is that stub
>defaults for Authentication Attributes described in the cas.properties
>documentation are still in effect despite specifying a
>principalAttributeList.
>
>"If no other attribute source is defined, the below attributes are used
>to create a static/stub attribute repository."
>
><https://apereo.github.io/cas/development/installation/Configuration-Properties.html#authentication-attributes>
>
>I've found I can work around this if I set this in cas.properties
>
>cas.authn.attributeRepository.attributes.cn=cn
>
>This apparently overrides the default remapping of cn to commonName and
>thus makes it available for release.
>
>Is this the expected behavior? It seems counterintuitive to have cn
>remapped by default and require some sort of kludge like that if you want
>to release cn as an attribute. It's not explicitly stated in the docs, but
>I assumed that specifying .principalAttributeList would supersede stub
>defaults. Or am I mixing things up or approaching this the wrong way?
--
Baron Fujimoto <[email protected]> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
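Added example, not code from CAS or from the poster: a small model of the attribute flow visible in the quoted log, so the effect of the stub cn-to-commonName rename and of the cas.authn.attributeRepository.attributes.cn=cn override can be checked offline before a service is trusted to release what you think it releases. It assumes the stub repository only renames attributes by the configured mapping (cn to commonName by default, other names unchanged) and that release is "default attributes first, then policy attributes", with names absent from the principal silently skipped, which is what the log shows.

```python
PREFIX = "cas.authn.attributeRepository.attributes."
DEFAULTS_KEY = "cas.authn.attributeRepository.defaultAttributesToRelease"

# Constructed LDAP entry with the values seen in the quoted log.
LDAP_ENTRY = {"uid": "baron", "displayName": "Baron K Fujimoto",
              "uhUuid": "10101010", "cn": "Baron K Fujimoto"}

# Assumed stub default in effect in RC3: cn is renamed to commonName,
# every other attribute keeps its name.
STUB_DEFAULT_MAPPING = {"cn": "commonName"}

# The cas.properties lines from the original post (constructed fragment).
RC3_PROPERTIES = """
cas.authn.ldap[0].principalAttributeList=cn,uhUuid
cas.authn.attributeRepository.defaultAttributesToRelease=cn,uhUuid
"""

def parse_properties(text):
    """Parse key=value lines of a cas.properties fragment into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def map_attributes(ldap_entry, props):
    """Rename attributes as the stub repository does; explicit
    <PREFIX><name>=<target> properties override the assumed default."""
    mapping = dict(STUB_DEFAULT_MAPPING)
    for key, target in props.items():
        if key.startswith(PREFIX):
            mapping[key[len(PREFIX):]] = target
    return {mapping.get(n, n): v for n, v in ldap_entry.items()}

def released_attributes(principal_attrs, props, policy_allowed=()):
    """Defaults first, then policy attributes; unknown names are skipped."""
    defaults = [a for a in props.get(DEFAULTS_KEY, "").split(",") if a]
    out = {a: principal_attrs[a] for a in defaults if a in principal_attrs}
    out.update({a: principal_attrs[a] for a in policy_allowed if a in principal_attrs})
    return out

def audit(props, policy_allowed=()):
    """Return (released, missing): configured defaults that would NOT be
    released are the thing to check before relying on a config."""
    attrs = map_attributes(LDAP_ENTRY, props)
    released = released_attributes(attrs, props, policy_allowed)
    missing = [a for a in props.get(DEFAULTS_KEY, "").split(",")
               if a and a not in released]
    return released, missing

if __name__ == "__main__":
    print(audit(parse_properties(RC3_PROPERTIES)))                        # cn missing
    print(audit(parse_properties(RC3_PROPERTIES + PREFIX + "cn=cn\n")))   # cn released
```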
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/20161013225714.GH23083%40praenomen.mgt.hawaii.edu.