I looked into the source code of
*CasCoreAuthenticationPrincipalConfiguration.java* and I'm getting
attributeRepositories as empty.
// Bean method from CasCoreAuthenticationPrincipalConfiguration (CAS 5.2.x), reflowed here.
// attributeRepository, attributeRepositories, casProperties and LOGGER are fields of the
// enclosing configuration class; the chain only gets PersonDirectoryPrincipalResolver when
// attributeRepositories is non-empty, otherwise it is just an EchoingPrincipalResolver.
@Autowired
@RefreshScope
@Bean
@ConditionalOnMissingBean(name = "personDirectoryPrincipalResolver")
public PrincipalResolver personDirectoryPrincipalResolver(@Qualifier("principalFactory") final PrincipalFactory principalFactory) {
    final PersonDirectoryPrincipalResolver bean = new PersonDirectoryPrincipalResolver();
    bean.setAttributeRepository(attributeRepository);
    bean.setPrincipalAttributeName(casProperties.getPersonDirectory().getPrincipalAttribute());
    bean.setReturnNullIfNoAttributes(casProperties.getPersonDirectory().isReturnNull());
    bean.setPrincipalFactory(principalFactory);
    final ChainingPrincipalResolver resolver = new ChainingPrincipalResolver();
    if (!attributeRepositories.isEmpty()) {
        LOGGER.debug("Attribute repository sources are defined and available for the principal resolution chain. "
            + "The principal resolver will use a combination of attributes collected from attribute repository sources "
            + "and whatever may be collected during the authentication phase where results are eventually merged.");
        resolver.setChain(CollectionUtils.wrapList(bean, new EchoingPrincipalResolver()));
    } else {
        LOGGER.debug("Attribute repository sources are not available for principal resolution so principal resolver will echo "
            + "back the principal resolved during authentication directly.");
        resolver.setChain(new EchoingPrincipalResolver());
    }
    return resolver;
}
So it is always going to EchoingPrincipalResolver, and then the principal is
getting resolved to *CN=Soumya Ranjan
Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com*.
Do I need to set any additional properties in my cas.properties so that
it'll include the PersonDirectoryPrincipalResolver in the resolver chain
when I'm using plain JAAS LDAP auth?
On Friday, February 16, 2018 at 10:17:44 AM UTC+5:30, Soumya Tripathy wrote:
>
> I want CAS to resolve the principal as *Soumya_Tripathy* instead of
> *CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com*.
> How can I achieve the same in the 5.2.2 version of CAS with JAAS LDAP?
>
> On Thursday, February 15, 2018 at 11:19:39 PM UTC+5:30, Manfredo Hopp
> wrote:
>>
>> What would your question be
>>
>> 2018-02-15 11:29 GMT-03:00 Soumya Tripathy <[email protected]>:
>>
>>> Hi,
>>> Recently we upgraded CAS from 5.1.0 to 5.2.2.
>>> With CAS 5.1.0, when I was using JAAS with LDAP, it was returning the
>>> correct principal.
>>> But now with CAS 5.2.0 I'm getting the principal as
>>>
>>> Log In Successful
>>>
>>> You, *CN=Soumya Ranjan
>>> Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com *
>>> have successfully logged into the Central Authentication Service
>>>
>>> (XXX are masked due to company internal policy)
>>>
>>> Whereas earlier (with CAS 5.1.0) I was getting
>>> Log In Successful
>>>
>>> You, Soumya_Tripathy have successfully logged into the Central
>>> Authentication Service
>>>
>>>
>>> I compared the logs of both versions; here are the findings:
>>>
>>>
>>> *CAS-5.1.0 Logs*
>>>
>>>
>>> 2018-02-15 19:28:04,673 DEBUG [org.apereo.cas.authentication.handler.support.JaasAuthenticationHandler] - <Attempting authentication for: [Soumya_Tripathy]>
>>> [LdapLoginModule] authentication-first mode; SSL disabled
>>> [LdapLoginModule] user provider: ldap://ad.xxx.com/DC=ad,DC=XXX,DC=com
>>> [LdapLoginModule] attempting to authenticate user: Soumya_Tripathy
>>> [LdapLoginModule] searching for entry belonging to user: Soumya_Tripathy
>>> [LdapLoginModule] found entry: CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com
>>> [LdapLoginModule] authentication succeeded
>>> [LdapLoginModule] added LdapPrincipal "CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com" to Subject
>>> [LdapLoginModule] added UserPrincipal "Soumya_Tripathy" to Subject
>>> [LdapLoginModule] logged out Subject
>>> 2018-02-15 19:28:04,770 DEBUG [org.apereo.cas.authentication.AbstractAuthenticationManager] - <Authentication handler [JaasAuthenticationHandler] successfully authenticated [Soumya_Tripathy]>
>>> 2018-02-15 19:28:04,773 DEBUG [org.apereo.cas.authentication.principal.resolvers.*PersonDirectoryPrincipalResolver*] - <Attempting to resolve a principal...>
>>> 2018-02-15 19:28:04,775 DEBUG [org.apereo.cas.authentication.principal.resolvers.*PersonDirectoryPrincipalResolver*] - <Creating principal for [Soumya_Tripathy]>
>>>
>>>
>>> *CAS-5.2.2 Logs*
>>>
>>> 2018-02-15 18:51:19,449 DEBUG [org.apereo.cas.authentication.handler.support.JaasAuthenticationHandler] - <Attempting authentication for: [soumya_tripathy]>
>>> [LdapLoginModule] authentication-first mode; SSL disabled
>>> [LdapLoginModule] user provider: ldap://ad.xxx.com/DC=ad,DC=XXX,DC=com
>>> [LdapLoginModule] attempting to authenticate user: soumya_tripathy
>>> [LdapLoginModule] searching for entry belonging to user: soumya_tripathy
>>> [LdapLoginModule] found entry: CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com
>>> [LdapLoginModule] authentication succeeded
>>> [LdapLoginModule] added LdapPrincipal "CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com" to Subject
>>> [LdapLoginModule] added UserPrincipal "soumya_tripathy" to Subject
>>> [LdapLoginModule] logged out Subject
>>> 2018-02-15 18:51:19,523 DEBUG [org.apereo.cas.authentication.*PolicyBasedAuthenticationManager*] - <Authentication handler [JaasAuthenticationHandler] successfully authenticated [soumya_tripathy]>
>>> 2018-02-15 18:51:19,524 DEBUG [org.apereo.cas.authentication.principal.resolvers.*ChainingPrincipalResolver*] - <Invoking principal resolver [org.apereo.cas.authentication.principal.resolvers.EchoingPrincipalResolver@6920d398[]]>
>>> 2018-02-15 18:51:19,525 DEBUG [org.apereo.cas.authentication.principal.resolvers.ChainingPrincipalResolver] - <Resolved principal [CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com]>
>>> 2018-02-15 18:51:19,527 DEBUG [org.apereo.cas.authentication.principal.resolvers.ChainingPrincipalResolver] - <Final principal constructed by the chain of resolvers is [CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com]>
>>> 2018-02-15 18:51:19,528 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[org.apereo.cas.authentication.principal.resolvers.ChainingPrincipalResolver@1a6ac3e7[chain=[org.apereo.cas.authentication.principal.resolvers.EchoingPrincipalResolver@6920d398[]]]] resolved [CN=CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com] from [soumya_tripathy]>
>>> 2018-02-15 18:51:19,529 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Final principal resolved for this authentication event is [CN=CN=Soumya Ranjan Tripathy,OU=GEN,OU=Users,OU=XXX,OU=XXX,OU=XXX,DC=ad,DC=XXX,DC=com]>
>>>
>>>
>>>
>>>
>>> What I observe is that the earlier version (5.1.0) of CAS was delegating the
>>> request to *PersonDirectoryPrincipalResolver*, but now with version 5.2.2
>>> it is delegating to *PolicyBasedAuthenticationManager* and
>>> *ChainingPrincipalResolver*.
>>>
>>>
>>> *HTTPSandIMAPS-10000001.json:*
>>>
>>> {
>>>   "@class": "org.apereo.cas.services.RegexRegisteredService",
>>>   "serviceId": "^(http|https|imaps)://.*",
>>>   "name": "HTTPS and IMAPS",
>>>   "id": 10000001,
>>>   "description": "This service definition authorizes all application urls that support HTTPS and IMAPS protocols.",
>>>   "proxyPolicy": {
>>>     "@class": "org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy"
>>>   },
>>>   "evaluationOrder": 10000,
>>>   "usernameAttributeProvider": {
>>>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
>>>     "canonicalizationMode": "NONE",
>>>     "encryptUsername": false
>>>   },
>>>   "logoutType": "BACK_CHANNEL",
>>>   "attributeReleasePolicy": {
>>>     "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>>>     "authorizedToReleaseCredentialPassword": false,
>>>     "authorizedToReleaseProxyGrantingTicket": false,
>>>     "excludeDefaultAttributes": false
>>>   },
>>>   "accessStrategy": {
>>>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>>>     "enabled": true,
>>>     "ssoEnabled": true,
>>>     "requireAllAttributes": true,
>>>     "caseInsensitive": false
>>>   }
>>> }
>>>
>>>
>>> *JAAS.conf:*
>>>
>>>
>>> LDAP {
>>>     com.sun.security.auth.module.LdapLoginModule REQUIRED
>>>         userProvider="ldap://xxx"
>>>         authIdentity="{USERNAME}@xxxdomain"
>>>         userFilter="(&(|(samAccountName={USERNAME})(userPrincipalName={USERNAME})(cn={USERNAME}))(objectClass=user))"
>>>         useSSL=false
>>>         debug=true;
>>> };
>>>
>>>
>>>
>>> Is there any configuration I'm missing with respect to cas 5.2.2?
>>>
>>>
>>>
>>> Thanks
>>>
>>> Soumya Ranjna Tripathy
>>>
>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/96b08cf1-c3b4-4768-af75-df0dc5cbbec6%40apereo.org
>>>
>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/96b08cf1-c3b4-4768-af75-df0dc5cbbec6%40apereo.org?utm_medium=email&utm_source=footer>
>>> .
>>>
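Editor's note: the thread does not answer the question, but the bean quoted at the top states the precondition plainly: PersonDirectoryPrincipalResolver is only placed on the chain when attributeRepositories is non-empty, i.e. when at least one attribute repository is configured, and the principal attribute name plus the null-on-no-attributes behaviour come from the personDirectory properties. The cas.properties fragment below is an added illustration of such a configuration; it was not posted in the thread and is not taken from the CAS code base. The property keys are written from memory of the CAS 5.2 configuration reference (in particular the ldap[0].userFilter key and the attributes.* mapping) and must be checked against the deployed version; the host, base DN, bind account and bind password are placeholders.

```properties
# Added illustration, not from the thread. Keys as recalled from the CAS 5.2
# configuration reference; verify against the deployed version. Hosts, DNs
# and the bind account are placeholders.

# JAAS handler: the realm name must match the "LDAP { ... }" entry in JAAS.conf.
cas.authn.jaas[0].realm=LDAP

# Defining an attribute repository is what makes attributeRepositories
# non-empty in CasCoreAuthenticationPrincipalConfiguration, which is the
# only branch that puts PersonDirectoryPrincipalResolver on the chain.
cas.authn.attributeRepository.ldap[0].ldapUrl=ldaps://ad.xxx.com
cas.authn.attributeRepository.ldap[0].useSsl=true
cas.authn.attributeRepository.ldap[0].baseDn=DC=ad,DC=XXX,DC=com
# {user} is the id the resolver receives; check the DEBUG log for which
# value that is in your deployment before relying on this filter.
cas.authn.attributeRepository.ldap[0].userFilter=(&(sAMAccountName={user})(objectClass=user))
# Read-only lookup account; do not reuse an admin or the CAS service account.
cas.authn.attributeRepository.ldap[0].bindDn=CN=cas-lookup,OU=Service Accounts,DC=ad,DC=XXX,DC=com
cas.authn.attributeRepository.ldap[0].bindCredential=<bind-password>
# LDAP attribute -> CAS attribute name. The principal attribute below must be
# one of the names on the right-hand side.
cas.authn.attributeRepository.ldap[0].attributes.sAMAccountName=sAMAccountName
cas.authn.attributeRepository.ldap[0].attributes.mail=mail

# Inferred mapping of casProperties.getPersonDirectory().getPrincipalAttribute()
# and .isReturnNull() from the quoted bean (Spring Boot relaxed binding).
cas.personDirectory.principalAttribute=sAMAccountName
# true = fail closed: no attributes found for the id means no principal.
cas.personDirectory.returnNull=true
```

Two checks are worth doing after such a change. First, the bean's own DEBUG line tells you which branch was taken: "Attribute repository sources are defined and available for the principal resolution chain" means the repository was picked up, while "Attribute repository sources are not available for principal resolution" means attributeRepositories is still empty and the config was not bound. Second, the "Final principal resolved for this authentication event" line from PolicyBasedAuthenticationManager, already visible in the 5.2.2 log above, shows the id that services will actually receive; confirm it is the sAMAccountName value before enabling the change for services whose access control is keyed on the username. The JAAS.conf in the thread runs with useSSL=false; an attribute repository carrying a bind password over the same link should use ldaps or StartTLS, and the bind account should have read access to the user subtree only.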