Hi,
Recently we upgraded CAS from 5.1.0 to 5.2.2.
With CAS 5.1.0, when I was using JAAS with LDAP, it was returning the correct
principal.
But now with CAS 5.2.0 I'm getting the principal as

Log In Successful

You, *CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com* have
successfully logged into the Central Authentication Service

(XXX are masked due to company internal policy)

Whereas earlier (with CAS-5.1.0) I was getting:
Log In Successful

You, Soumya_Tripathy have successfully logged into the Central Authentication Service


I compared the logs of both versions; here are the findings:


*CAS-5.1.0 Logs*


2018-02-15 19:28:04,673 DEBUG [org.apereo.cas.authentication.handler.support.JaasAuthenticationHandler] - <Attempting authentication for: [Soumya_Tripathy]>
[LdapLoginModule] authentication-first mode; SSL disabled
[LdapLoginModule] user provider: ldap://ad.xxx.com/DC=ad,DC=XXX,DC=com
[LdapLoginModule] attempting to authenticate user: Soumya_Tripathy
[LdapLoginModule] searching for entry belonging to user: Soumya_Tripathy
[LdapLoginModule] found entry: CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com
[LdapLoginModule] authentication succeeded
[LdapLoginModule] added LdapPrincipal "CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com" to Subject
[LdapLoginModule] added UserPrincipal "Soumya_Tripathy" to Subject
[LdapLoginModule] logged out Subject
2018-02-15 19:28:04,770 DEBUG [org.apereo.cas.authentication.AbstractAuthenticationManager] - <Authentication handler [JaasAuthenticationHandler] successfully authenticated [Soumya_Tripathy]>
2018-02-15 19:28:04,773 DEBUG [org.apereo.cas.authentication.principal.resolvers.*PersonDirectoryPrincipalResolver*] - <Attempting to resolve a principal...>
2018-02-15 19:28:04,775 DEBUG [org.apereo.cas.authentication.principal.resolvers.*PersonDirectoryPrincipalResolver*] - <Creating principal for [Soumya_Tripathy]>


*CAS-5.2.2 Logs*

2018-02-15 18:51:19,449 DEBUG [org.apereo.cas.authentication.handler.support.JaasAuthenticationHandler] - <Attempting authentication for: [soumya_tripathy]>
[LdapLoginModule] authentication-first mode; SSL disabled
[LdapLoginModule] user provider: ldap://ad.xxx.com/DC=ad,DC=XXX,DC=com
[LdapLoginModule] attempting to authenticate user: soumya_tripathy
[LdapLoginModule] searching for entry belonging to user: soumya_tripathy
[LdapLoginModule] found entry: CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com
[LdapLoginModule] authentication succeeded
[LdapLoginModule] added LdapPrincipal "CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com" to Subject
[LdapLoginModule] added UserPrincipal "soumya_tripathy" to Subject
[LdapLoginModule] logged out Subject
2018-02-15 18:51:19,523 DEBUG [org.apereo.cas.authentication.*PolicyBasedAuthenticationManager*] - <Authentication handler [JaasAuthenticationHandler] successfully authenticated [soumya_tripathy]>
2018-02-15 18:51:19,524 DEBUG [org.apereo.cas.authentication.principal.resolvers.*ChainingPrincipalResolver*] - <Invoking principal resolver [org.apereo.cas.authentication.principal.resolvers.EchoingPrincipalResolver@6920d398[]]>
2018-02-15 18:51:19,525 DEBUG [org.apereo.cas.authentication.principal.resolvers.ChainingPrincipalResolver] - <Resolved principal [CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com]>
2018-02-15 18:51:19,527 DEBUG [org.apereo.cas.authentication.principal.resolvers.ChainingPrincipalResolver] - <Final principal constructed by the chain of resolvers is [CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com]>
2018-02-15 18:51:19,528 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[org.apereo.cas.authentication.principal.resolvers.ChainingPrincipalResolver@1a6ac3e7[chain=[org.apereo.cas.authentication.principal.resolvers.EchoingPrincipalResolver@6920d398[]]]] resolved [CN=CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com] from [soumya_tripathy]>
2018-02-15 18:51:19,529 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Final principal resolved for this authentication event is [CN=CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com]>




What I observe is that the earlier version (5.1.0) of CAS was delegating the request to
*PersonDirectoryPrincipalResolver*, but now with version 5.2.2 it is delegating to
*PolicyBasedAuthenticationManager* and *ChainingPrincipalResolver*.


*HTTPSandIMAPS-10000001.json:*

{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^(http|https|imaps)://.*",
  "name": "HTTPS and IMAPS",
  "id": 10000001,
  "description": "This service definition authorizes all application urls that support HTTPS and IMAPS protocols.",
  "proxyPolicy": {
    "@class": "org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy"
  },
  "evaluationOrder": 10000,
  "usernameAttributeProvider": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
    "canonicalizationMode": "NONE",
    "encryptUsername": false
  },
  "logoutType": "BACK_CHANNEL",
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "authorizedToReleaseCredentialPassword": false,
    "authorizedToReleaseProxyGrantingTicket": false,
    "excludeDefaultAttributes": false
  },
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": true,
    "ssoEnabled": true,
    "requireAllAttributes": true,
    "caseInsensitive": false
  }
}


*JAAS.conf:*


/* One login module entry; all options belong to the same module, so the
   entry is terminated by a single ';' after the last option. */
LDAP {
    com.sun.security.auth.module.LdapLoginModule REQUIRED
        userProvider="ldap://xxx"
        authIdentity="{USERNAME}@xxxdomain"
        userFilter="(&(|(samAccountName={USERNAME})(userPrincipalName={USERNAME})(cn={USERNAME}))(objectClass=user))"
        useSSL=false
        debug=true;
};



Is there any configuration I'm missing with respect to CAS 5.2.2?



Thanks

Soumya Ranjna Tripathy


-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/96b08cf1-c3b4-4768-af75-df0dc5cbbec6%40apereo.org.
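As an added illustration (not code from CAS or from the message above), the following stand-alone Java program rebuilds the JAAS Subject exactly as the debug lines describe it, an LdapPrincipal holding the entry DN followed by a UserPrincipal holding the login name, and shows how the resolved identifier depends on which principal is picked from that Subject. The two selection strategies and the DN-shape check are hypothetical, written to illustrate the difference, and are not a description of how CAS 5.1.0 or 5.2.2 actually selects the principal; the sample DN and account name are the masked values from the logs.

```java
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.security.auth.Subject;
import com.sun.security.auth.LdapPrincipal;
import com.sun.security.auth.UserPrincipal;

public class JaasPrincipalCheck {
    // Constructed sample values, taken from the masked log lines in the message.
    static final String ENTRY_DN =
        "CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com";
    static final String LOGIN_NAME = "Soumya_Tripathy";

    /* Builds a Subject the way the debug log shows LdapLoginModule leaving it:
       the entry DN goes in first as an LdapPrincipal, the login name second as
       a UserPrincipal. Subject keeps its principals in insertion order. */
    static Subject subjectAfterLdapLogin() throws InvalidNameException {
        Subject subject = new Subject();
        subject.getPrincipals().add(new LdapPrincipal(ENTRY_DN));
        subject.getPrincipals().add(new UserPrincipal(LOGIN_NAME));
        return subject;
    }

    /* Hypothetical strategy A: use whichever principal comes first. With the
       order above that is the DN, which is what the 5.2.2 screen displays. */
    static String firstPrincipalId(Subject subject) {
        return subject.getPrincipals().iterator().next().getName();
    }

    /* Hypothetical strategy B: select by principal type, so the account name is
       used no matter in which order the login module added its principals. */
    static String userPrincipalId(Subject subject) {
        Set<UserPrincipal> users = subject.getPrincipals(UserPrincipal.class);
        if (users.isEmpty()) {
            throw new IllegalStateException("Subject carries no UserPrincipal");
        }
        return users.iterator().next().getName();
    }

    /* Post-upgrade sanity check: a DN-shaped principal id means the identifier
       released to services has changed even though every login still succeeds. */
    static boolean looksLikeDn(String principalId) {
        return principalId.matches("(?i)^\\s*(cn|ou|dc|uid|o)=.*");
    }

    public static void main(String[] args) throws Exception {
        Subject s = subjectAfterLdapLogin();
        String first = firstPrincipalId(s);
        System.out.println("first principal : " + first + (looksLikeDn(first) ? "  <-- DN, not an account name" : ""));
        System.out.println("UserPrincipal   : " + userPrincipalId(s));
    }
}
```

Compile and run with `javac JaasPrincipalCheck.java && java JaasPrincipalCheck`; the `looksLikeDn` check is the kind of assertion to keep in an integration test so that an upgrade which changes the released principal id fails the build rather than surfacing later in a service's access logs.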