Turn this back on:

cas.authn.ldap[0].principalAttributeId=sAMAccountName

Or blank it out. If that doesn't work, you are welcome to file an issue.

From: "Erdal Gunyar" <[email protected]>
To: "CAS Community" <[email protected]>
Cc: "Misagh Moayyed" <[email protected]>
Sent: Tuesday, October 18, 2016 6:06:23 PM
Subject: Re: [cas-user] CAS 5: Changing the principal resolver in application.properties

Thanks, I think I see better the logic; but I've just tried and if I comment the attribute part of the LDAP authentication it fails to authenticate:

2016-10-18 16:27:33,579 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Attempting LDAP authentication for egunyar>
2016-10-18 16:27:33,607 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <LDAP response: [org.ldaptive.auth.AuthenticationResponse@2012506855::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS, [email protected], ldapEntry=[dn=CN=GUNYAR Erdal,OU=France,OU=COMPANY Users,DC=COMPANY,DC=LOCAL[[displayName[GUNYAR Erdal]], [cn[GUNYAR Erdal]]], responseControls=null, messageId=-1], accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]>
2016-10-18 16:27:33,611 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Applying password policy to [org.ldaptive.auth.AuthenticationResponse@2012506855::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS, [email protected], ldapEntry=[dn=CN=GUNYAR Erdal,OU=France,OU=COMPANY Users,DC=COMPANY,DC=LOCAL[[displayName[GUNYAR Erdal]], [cn[GUNYAR Erdal]]], responseControls=null, messageId=-1], accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]>
2016-10-18 16:27:33,612 DEBUG [org.apereo.cas.authentication.support.DefaultAccountStateHandler] - <Account state not defined. Returning empty list of messages.>
2016-10-18 16:27:33,613 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <LDAP response returned as result. Creating the final LDAP principal>
2016-10-18 16:27:33,614 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Creating LDAP principal for egunyar based on CN=GUNYAR Erdal,OU=France,OU=COMPANY Users,DC=COMPANY,DC=LOCAL>
2016-10-18 16:27:33,615 ERROR [org.apereo.cas.authentication.LdapAuthenticationHandler] - <The principal id attribute uid is not found. CAS cannot construct the final authenticated principal if it's unable to locate the attribute that is designated as the principal id. Attributes available are [[displayName[GUNYAR Erdal]], [cn[GUNYAR Erdal]]]>
2016-10-18 16:27:33,618 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler failed authenticating egunyar>
2016-10-18 16:27:33,618 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler exception details: uid attribute not found for egunyar>
2016-10-18 16:27:33,620 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [egunyar] of type [UsernamePasswordCredential], which suggests a configuration problem.>
2016-10-18 16:27:33,622 DEBUG [org.apereo.cas.audit.spi.ThreadLocalPrincipalResolver] - <Resolving principal at audit point [execution(Authentication org.apereo.cas.authentication.AbstractAuthenticationManager.authenticate(AuthenticationTransaction))] with thrown exception [org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 successes]>

The configuration being:

cas.authn.ldap[0].* ...
# Except those which are commented:
# cas.authn.ldap[0].principalAttributeId=sAMAccountName
# cas.authn.ldap[0].principalAttributePassword=
# cas.authn.ldap[0].principalAttributeList=
cas.personDirectory.principalAttribute = sAMAccountName
cas.personDirectory.returnNull = false
cas.authn.attributeRepository.attributes.uid = sAMAccountName
cas.authn.attributeRepository.attributes.displayName = displayName
cas.authn.attributeRepository.attributes.cn = cn
cas.authn.attributeRepository.attributes.affiliation = department
cas.authn.attributeRepository.jdbc.* ...

Note that if I put back principalAttributeId, then the resolver will be the default LDAP stuff like the previous posts.

What could I be doing wrong? :/ Maybe in the way I try to nuke the default LDAP resolver?

Erdal.

On Tuesday, 18 October 2016 14:06:01 UTC+2, Misagh Moayyed wrote:

> > As I said earlier, this works for the LDAP attributes but doesn't merge with the JDBC ones (no query sent).
>
> See this section: https://apereo.github.io/cas/development/installation/Configuration-Properties.html#authentication-attributes
>
> > If no other attribute source is defined and if attributes are not retrieved
> > as part of primary authentication via LDAP….
>
> You are doing that; which is that you are getting attributes from LDAP as part of authn. When you do, CAS disables external principal resolvers because it is taught that attributes come from ldap directly. If you wish to merge multiple sources, you need to disable that part and nuke out the attributes and define attribute repository sources for each source via the properties. That will activate merging.
>
> > I can open an issue, I don't know what's the best process.
>
> https://github.com/apereo/cas/issues
>
> Might be worth introducing flexibility into the configuration to allow what you have defined.
--
CAS gitter chatroom: https://gitter.im/apereo/cas
CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
CAS documentation website: https://apereo.github.io/cas
CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/6777bcc2-4218-4c51-8b04-44d26a39f1c7%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
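Added example, not part of the thread and not CAS project code: a small Python triage script that parses CAS 5 log lines in the "timestamp LEVEL [logger] - <message>" shape shown above, flags the LdapAuthenticationHandler error "The principal id attribute ... is not found", and reports which attributes the LDAP entry actually returned against the one CAS looked for. The sample lines are copied from Erdal's message; the only property it names is cas.authn.ldap[0].principalAttributeId from Misagh's reply.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample log lines, copied from Erdal's message above (only the lines this check needs).
SAMPLE_LOG = [
    "2016-10-18 16:27:33,614 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - "
    "<Creating LDAP principal for egunyar based on CN=GUNYAR Erdal,OU=France,OU=COMPANY Users,DC=COMPANY,DC=LOCAL>",
    "2016-10-18 16:27:33,615 ERROR [org.apereo.cas.authentication.LdapAuthenticationHandler] - "
    "<The principal id attribute uid is not found. CAS cannot construct the final authenticated "
    "principal if it's unable to locate the attribute that is designated as the principal id. "
    "Attributes available are [[displayName[GUNYAR Erdal]], [cn[GUNYAR Erdal]]]>",
    "2016-10-18 16:27:33,618 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - "
    "<LdapAuthenticationHandler failed authenticating egunyar>",
]

# "<date> <time> <LEVEL> [<logger>] - <message>" as CAS 5 writes it in the thread.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+) \[(?P<logger>[^\]]+)\] - <(?P<msg>.*)>$")
# The handler error; the trailing bracket list holds the attributes the LDAP entry returned.
MISSING_RE = re.compile(r"The principal id attribute (?P<attr>\S+) is not found\..*Attributes available are \[(?P<avail>.*)\]$")
AVAIL_RE = re.compile(r"\[(\w+)\[")  # each returned attribute is rendered as [name[value]]

@dataclass
class PrincipalIdFailure:
    timestamp: str
    wanted: str                                   # attribute CAS tried to use as the principal id
    available: List[str] = field(default_factory=list)

def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_principal_id_failures(lines) -> List[PrincipalIdFailure]:
    """One finding per ERROR line where the handler could not locate the principal id attribute."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["level"] != "ERROR":
            continue
        m = MISSING_RE.search(rec["msg"])
        if m:
            findings.append(PrincipalIdFailure(rec["ts"], m.group("attr"), AVAIL_RE.findall(m.group("avail"))))
    return findings

def explain(f: PrincipalIdFailure) -> str:
    """The check an operator wants: was the attribute CAS looked for among those the entry returned?"""
    if f.wanted in f.available:
        return f"{f.timestamp}: principal id '{f.wanted}' was returned; the failure lies elsewhere"
    return (f"{f.timestamp}: LDAP entry returned {f.available} but CAS looked for '{f.wanted}' "
            f"(what happened in the thread with cas.authn.ldap[0].principalAttributeId commented out); "
            f"set cas.authn.ldap[0].principalAttributeId explicitly")

if __name__ == "__main__":
    for finding in find_principal_id_failures(SAMPLE_LOG):
        print(explain(finding))
```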
