What would your question be?

2018-02-15 11:29 GMT-03:00 Soumya Tripathy <[email protected]>:

> Hi,
> Recently we upgraded CAS from 5.1.0 to 5.2.2.
> With CAS 5.1.0, when I was using JAAS with LDAP, it was returning the
> correct principal.
> But now with CAS 5.2.0 I'm getting the principal as
>
> Log In Successful
>
> You, *CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com* have
> successfully logged into the Central Authentication Service
>
> (XXX are masked due to company internal policy)
>
> Whereas earlier (with CAS 5.1.0) I was getting
> Log In Successful
>
> You, Soumya_Tripathy have successfully logged into the Central
> Authentication Service
>
>
> I compared the logs of both versions; here are the findings:
>
>
> *CAS-5.1.0 Logs*
>
>
> 2018-02-15 19:28:04,673 DEBUG [org.apereo.cas.authentication.handler.support.JaasAuthenticationHandler] - <Attempting authentication for: [Soumya_Tripathy]>
> [LdapLoginModule] authentication-first mode; SSL disabled
> [LdapLoginModule] user provider: ldap://ad.xxx.com/DC=ad,DC=XXX,DC=com
> [LdapLoginModule] attempting to authenticate user: Soumya_Tripathy
> [LdapLoginModule] searching for entry belonging to user: Soumya_Tripathy
> [LdapLoginModule] found entry: CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com
> [LdapLoginModule] authentication succeeded
> [LdapLoginModule] added LdapPrincipal "CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com" to Subject
> [LdapLoginModule] added UserPrincipal "Soumya_Tripathy" to Subject
> [LdapLoginModule] logged out Subject
> 2018-02-15 19:28:04,770 DEBUG [org.apereo.cas.authentication.AbstractAuthenticationManager] - <Authentication handler [JaasAuthenticationHandler] successfully authenticated [Soumya_Tripathy]>
> 2018-02-15 19:28:04,773 DEBUG [org.apereo.cas.authentication.principal.resolvers.*PersonDirectoryPrincipalResolver*] - <Attempting to resolve a principal...>
> 2018-02-15 19:28:04,775 DEBUG [org.apereo.cas.authentication.principal.resolvers.*PersonDirectoryPrincipalResolver*] - <Creating principal for [Soumya_Tripathy]>
>
>
> *CAS-5.2.2 Logs*
>
> 2018-02-15 18:51:19,449 DEBUG [org.apereo.cas.authentication.handler.support.JaasAuthenticationHandler] - <Attempting authentication for: [soumya_tripathy]>
> [LdapLoginModule] authentication-first mode; SSL disabled
> [LdapLoginModule] user provider: ldap://ad.xxx.com/DC=ad,DC=XXX,DC=com
> [LdapLoginModule] attempting to authenticate user: soumya_tripathy
> [LdapLoginModule] searching for entry belonging to user: soumya_tripathy
> [LdapLoginModule] found entry: CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com
> [LdapLoginModule] authentication succeeded
> [LdapLoginModule] added LdapPrincipal "CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com" to Subject
> [LdapLoginModule] added UserPrincipal "soumya_tripathy" to Subject
> [LdapLoginModule] logged out Subject
> 2018-02-15 18:51:19,523 DEBUG [org.apereo.cas.authentication.*PolicyBasedAuthenticationManager*] - <Authentication handler [JaasAuthenticationHandler] successfully authenticated [soumya_tripathy]>
> 2018-02-15 18:51:19,524 DEBUG [org.apereo.cas.authentication.principal.resolvers.*ChainingPrincipalResolver*] - <Invoking principal resolver [org.apereo.cas.authentication.principal.resolvers.EchoingPrincipalResolver@6920d398[]]>
> 2018-02-15 18:51:19,525 DEBUG [org.apereo.cas.authentication.principal.resolvers.ChainingPrincipalResolver] - <Resolved principal [CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com]>
> 2018-02-15 18:51:19,527 DEBUG [org.apereo.cas.authentication.principal.resolvers.ChainingPrincipalResolver] - <Final principal constructed by the chain of resolvers is [CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com]>
> 2018-02-15 18:51:19,528 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[org.apereo.cas.authentication.principal.resolvers.ChainingPrincipalResolver@1a6ac3e7[chain=[org.apereo.cas.authentication.principal.resolvers.EchoingPrincipalResolver@6920d398[]]]] resolved [CN=CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com] from [soumya_tripathy]>
> 2018-02-15 18:51:19,529 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Final principal resolved for this authentication event is [CN=CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com]>
>
>
>
>
> What I observe is that the earlier version (5.1.0) of CAS was delegating the request to
> *PersonDirectoryPrincipalResolver*, but now with version 5.2.2 it is delegating to
> *PolicyBasedAuthenticationManager* and *ChainingPrincipalResolver*.
>
>
> *HTTPSandIMAPS-10000001.json:*
>
> {
>   "@class": "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId": "^(http|https|imaps)://.*",
>   "name": "HTTPS and IMAPS",
>   "id": 10000001,
>   "description": "This service definition authorizes all application urls that support HTTPS and IMAPS protocols.",
>   "proxyPolicy":
>   {
>     "@class": "org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy"
>   },
>   "evaluationOrder": 10000,
>   "usernameAttributeProvider":
>   {
>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
>     "canonicalizationMode": "NONE",
>     "encryptUsername": false
>   },
>   "logoutType" : "BACK_CHANNEL",
>   "attributeReleasePolicy":
>   {
>     "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>     "authorizedToReleaseCredentialPassword": false,
>     "authorizedToReleaseProxyGrantingTicket": false,
>     "excludeDefaultAttributes": false
>   },
>   "accessStrategy":
>   {
>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>     "enabled": true,
>     "ssoEnabled": true,
>     "requireAllAttributes": true,
>     "caseInsensitive": false
>   }
> }
>
>
> *JAAS.conf:*
>
>
> LDAP {
>   com.sun.security.auth.module.LdapLoginModule REQUIRED
>     userProvider="ldap://xxx"
>     authIdentity="{USERNAME}@xxxdomain"
>     userFilter="(&(|(samAccountName={USERNAME})(userPrincipalName={USERNAME})(cn={USERNAME}))(objectClass=user))"
>     useSSL=false
>     debug=true;
> };
>
>
>
> Is there any configuration I'm missing with respect to CAS 5.2.2?
>
>
>
> Thanks
>
> Soumya Ranjna Tripathy
>
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/
> apereo.org/d/msgid/cas-user/96b08cf1-c3b4-4768-af75-
> df0dc5cbbec6%40apereo.org
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/96b08cf1-c3b4-4768-af75-df0dc5cbbec6%40apereo.org?utm_medium=email&utm_source=footer>
> .
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAMY5mieZfZ6uE7AJ96knJkJOFp9_uGYDN%2BoB0nkfothfuW6rWw%40mail.gmail.com.
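A check for the log difference posted in the quoted question, written here as an added example (it is not code from the thread or from the CAS project). The JAAS LdapLoginModule adds two principals to the Subject, an LdapPrincipal holding the entry DN and a UserPrincipal holding the login name, and the two debug logs show CAS ending up with a different one as the principal id. The script below pulls both principals and the finally resolved id out of each log excerpt and flags a login whose final id is the DN rather than the login name, which is the kind of regression check worth running before and after an upgrade, since downstream services and attribute release are usually keyed on the login name. The log lines are constructed to mirror the ones posted (with the same XXX masking), and the regular expressions and the `looks_like_dn` heuristic are assumptions about the log wording, not CAS APIs.

```python
import re

# Constructed sample log excerpts. They mirror the debug lines quoted in the
# thread (company-specific parts masked as XXX) but are typed here for the
# example rather than taken from a real capture.
CAS_5_1_0_LOG = """\
2018-02-15 19:28:04,673 DEBUG [org.apereo.cas.authentication.handler.support.JaasAuthenticationHandler] - <Attempting authentication for: [Soumya_Tripathy]>
[LdapLoginModule] found entry: CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com
[LdapLoginModule] added LdapPrincipal "CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com" to Subject
[LdapLoginModule] added UserPrincipal "Soumya_Tripathy" to Subject
2018-02-15 19:28:04,775 DEBUG [org.apereo.cas.authentication.principal.resolvers.PersonDirectoryPrincipalResolver] - <Creating principal for [Soumya_Tripathy]>
"""

CAS_5_2_2_LOG = """\
2018-02-15 18:51:19,449 DEBUG [org.apereo.cas.authentication.handler.support.JaasAuthenticationHandler] - <Attempting authentication for: [soumya_tripathy]>
[LdapLoginModule] found entry: CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com
[LdapLoginModule] added LdapPrincipal "CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com" to Subject
[LdapLoginModule] added UserPrincipal "soumya_tripathy" to Subject
2018-02-15 18:51:19,529 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Final principal resolved for this authentication event is [CN=CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com]>
"""

# One pattern per fact we want out of the log. The wording is assumed from
# the quoted excerpts; adjust if your CAS version logs differently.
PATTERNS = {
    "login_name": re.compile(r"<Attempting authentication for: \[([^\]]+)\]>"),
    "ldap_principal": re.compile(r'added LdapPrincipal "([^"]+)" to Subject'),
    "user_principal": re.compile(r'added UserPrincipal "([^"]+)" to Subject'),
    # 5.1.x (PersonDirectoryPrincipalResolver) and 5.2.x
    # (PolicyBasedAuthenticationManager) report the final id with different
    # wording; accept either.
    "final_principal": re.compile(
        r"<(?:Creating principal for|Final principal resolved for this "
        r"authentication event is) \[([^\]]+)\]>"
    ),
}

# An LDAP DN as it appears in these logs: two or more comma-separated
# attr=value RDNs. A plain login name such as Soumya_Tripathy has no "=".
DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(?:,[A-Za-z][A-Za-z0-9-]*=[^,]+)+$")


def parse_cas_log(text):
    """Return the first match of each pattern, or None when it is absent."""
    return {key: (m.group(1) if (m := pat.search(text)) else None)
            for key, pat in PATTERNS.items()}


def looks_like_dn(value):
    """True when the value is shaped like an LDAP DN rather than a login name."""
    return bool(value) and DN_RE.match(value) is not None


def check_principal_drift(text):
    """Compare the id CAS finally resolved against the JAAS UserPrincipal.

    Adds two flags to the parsed facts:
      final_is_dn: the final id is a DN, i.e. CAS took the LdapPrincipal.
      drift:       the final id is not the UserPrincipal the login module
                   added (case-insensitive, because the login name is
                   lowercase in the second capture above).
    """
    facts = parse_cas_log(text)
    final, user = facts["final_principal"], facts["user_principal"]
    facts["final_is_dn"] = looks_like_dn(final)
    facts["drift"] = not (final and user and final.lower() == user.lower())
    return facts


if __name__ == "__main__":
    for version, log in (("5.1.0", CAS_5_1_0_LOG), ("5.2.2", CAS_5_2_2_LOG)):
        r = check_principal_drift(log)
        print(f"CAS {version}: {'DRIFT' if r['drift'] else 'ok'}; "
              f"final principal id = {r['final_principal']!r} "
              f"(DN: {r['final_is_dn']}, UserPrincipal: {r['user_principal']!r})")
```

Run against a full CAS debug log from each environment, the 5.1.0 excerpt reports ok and the 5.2.2 excerpt reports DRIFT with the DN (here even carrying the doubled `CN=CN=` prefix seen in the quoted log) as the final id. The script only observes the log; which principal CAS should pick is a configuration question for the CAS documentation, not something the log parser decides.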