Thanks, I think I see the logic better now; but I've just tried it, and if I comment out the attribute part of the LDAP authentication it fails to authenticate:

2016-10-18 16:27:33,579 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Attempting LDAP authentication for egunyar>
2016-10-18 16:27:33,607 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <LDAP response: [org.ldaptive.auth.AuthenticationResponse@2012506855::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS, [email protected], ldapEntry=[dn=CN=GUNYAR Erdal,OU=France,OU=COMPANY Users,DC=COMPANY,DC=LOCAL[[displayName[GUNYAR Erdal]], [cn[GUNYAR Erdal]]], responseControls=null, messageId=-1], accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]>
2016-10-18 16:27:33,611 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Applying password policy to [org.ldaptive.auth.AuthenticationResponse@2012506855::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS, [email protected], ldapEntry=[dn=CN=GUNYAR Erdal,OU=France,OU=COMPANY Users,DC=COMPANY,DC=LOCAL[[displayName[GUNYAR Erdal]], [cn[GUNYAR Erdal]]], responseControls=null, messageId=-1], accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]>
2016-10-18 16:27:33,612 DEBUG [org.apereo.cas.authentication.support.DefaultAccountStateHandler] - <Account state not defined. Returning empty list of messages.>
2016-10-18 16:27:33,613 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <LDAP response returned as result. Creating the final LDAP principal>
2016-10-18 16:27:33,614 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Creating LDAP principal for egunyar based on CN=GUNYAR Erdal,OU=France,OU=COMPANY Users,DC=COMPANY,DC=LOCAL>
2016-10-18 16:27:33,615 ERROR [org.apereo.cas.authentication.LdapAuthenticationHandler] - <The principal id attribute uid is not found. CAS cannot construct the final authenticated principal if it's unable to locate the attribute that is designated as the principal id. Attributes available are [[displayName[GUNYAR Erdal]], [cn[GUNYAR Erdal]]]>
2016-10-18 16:27:33,618 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler failed authenticating egunyar>
2016-10-18 16:27:33,618 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler exception details: uid attribute not found for egunyar>
2016-10-18 16:27:33,620 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [egunyar] of type [UsernamePasswordCredential], which suggests a configuration problem.>
2016-10-18 16:27:33,622 DEBUG [org.apereo.cas.audit.spi.ThreadLocalPrincipalResolver] - <Resolving principal at audit point [execution(Authentication org.apereo.cas.authentication.AbstractAuthenticationManager.authenticate(AuthenticationTransaction))] with thrown exception [org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 successes]>

The configuration being:

cas.authn.ldap[0].*
...
# Except those which are commented:
# cas.authn.ldap[0].principalAttributeId=sAMAccountName
# cas.authn.ldap[0].principalAttributePassword=
# cas.authn.ldap[0].principalAttributeList=
cas.personDirectory.principalAttribute=sAMAccountName
cas.personDirectory.returnNull=false
cas.authn.attributeRepository.attributes.uid=sAMAccountName
cas.authn.attributeRepository.attributes.displayName=displayName
cas.authn.attributeRepository.attributes.cn=cn
cas.authn.attributeRepository.attributes.affiliation=department
cas.authn.attributeRepository.jdbc.*
...

Note that if I put back principalAttributeId, then the resolver will be the default LDAP stuff, like in the previous posts.

What could I be doing wrong? :/ Maybe in the way I try to nuke the default LDAP resolver?

Erdal.
On Tuesday, 18 October 2016 at 14:06:01 UTC+2, Misagh Moayyed wrote:
> > As I said earlier, this works for the LDAP attributes but doesn't merge with the JDBC ones (no query sent).
>
> See this section:
> https://apereo.github.io/cas/development/installation/Configuration-Properties.html#authentication-attributes
>
> > If no other attribute source is defined and if attributes are not retrieved as part of primary authentication via LDAP....
>
> You are doing that; which is that you are getting attributes from LDAP as part of authn. When you do, CAS disables external principal resolvers because it is taught that attributes come from ldap directly. If you wish to merge multiple sources, you need to disable that part and nuke out the attributes and define attribute repository sources for each source via the properties. That will activate merging.
>
> > I can open an issue, I don't know what's the best process.
>
> https://github.com/apereo/cas/issues
>
> Might be worth introducing flexibility into the configuration to allow what you have defined.
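A small triage script for the log format quoted above, added here as an example (it is not from the thread and not part of CAS): it pulls the ldaptive bind result, the resolved DN, the attribute CAS wanted as the principal id and the attributes the search actually returned, which is enough to rule out the "credentials may be incorrect" half of the WARN line. The embedded lines are abbreviated copies of the log above, with the redacted "[email protected]" token left out.

```python
import re

# Abbreviated copies of the CAS debug/error lines quoted in the message above
# (the redacted "[email protected]" token is omitted; nothing else is changed).
CAS_LOG = """\
2016-10-18 16:27:33,579 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Attempting LDAP authentication for egunyar>
2016-10-18 16:27:33,607 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <LDAP response: [org.ldaptive.auth.AuthenticationResponse@2012506855::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS, ldapEntry=[dn=CN=GUNYAR Erdal,OU=France,OU=COMPANY Users,DC=COMPANY,DC=LOCAL[[displayName[GUNYAR Erdal]], [cn[GUNYAR Erdal]]], responseControls=null, messageId=-1], accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]>
2016-10-18 16:27:33,615 ERROR [org.apereo.cas.authentication.LdapAuthenticationHandler] - <The principal id attribute uid is not found. CAS cannot construct the final authenticated principal if it's unable to locate the attribute that is designated as the principal id. Attributes available are [[displayName[GUNYAR Erdal]], [cn[GUNYAR Erdal]]]>
2016-10-18 16:27:33,620 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [egunyar] of type [UsernamePasswordCredential], which suggests a configuration problem.>
"""

# Pieces of the ldaptive response and of the CAS error that decide the triage.
BIND_RE = re.compile(r"authenticationResultCode=(\w+).*?\bresultCode=(\w+)")
DN_RE = re.compile(r"ldapEntry=\[dn=(.*?)\[\[")
MISSING_RE = re.compile(r"The principal id attribute (\S+) is not found")
AVAIL_RE = re.compile(r"Attributes available are \[(.*)\]>")
ATTR_RE = re.compile(r"\[(\w+)\[([^\]]*)\]\]")   # one [name[value]] pair


def triage(log_text):
    """Summarise one CAS LDAP login attempt from its debug/error lines.

    Returns the ldaptive bind outcome, the resolved DN, the attribute CAS wanted
    as the principal id, the attributes the search returned, and a one-word
    verdict that separates "bad credentials" from "misconfiguration".
    """
    info = {"bind": None, "ldap_result": None, "dn": None,
            "wanted_id": None, "available": {}, "verdict": "unknown"}
    for line in log_text.splitlines():
        if m := BIND_RE.search(line):
            info["bind"], info["ldap_result"] = m.group(1), m.group(2)
        if m := DN_RE.search(line):
            info["dn"] = m.group(1)
        if m := MISSING_RE.search(line):
            info["wanted_id"] = m.group(1)
        if m := AVAIL_RE.search(line):
            info["available"] = dict(ATTR_RE.findall(m.group(1)))
    if info["bind"] == "AUTHENTICATION_HANDLER_SUCCESS" and info["wanted_id"]:
        # The directory accepted the password; CAS only failed to find the
        # attribute configured (or defaulted to) as the principal id.
        info["verdict"] = "principal-id-attribute-missing"
    elif info["bind"] == "AUTHENTICATION_HANDLER_SUCCESS":
        info["verdict"] = "bind-ok"
    elif info["bind"]:
        info["verdict"] = "bind-failed"
    return info


if __name__ == "__main__":
    for key, value in triage(CAS_LOG).items():
        print(f"{key}: {value}")
```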
