Colin,

Try this in the logs,

        <!-- DEBUG Found principal attributes [...] for [username]
                   Attribute policy [???] allows release of [...] for [username]
                   Final collection of attributes allowed are: [...] -->
        <AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug"/>

You can set attributes to be released by default (normally no attributes are 
released),

cas.authn.ldap[1].principalAttributeList=mail, \
                                          cn, \
                                          sn

Attributes can be set on a per service basis as well. The default set can be 
turned off on a per service basis.
https://apereo.github.io/cas/6.1.x/integration/Attribute-Release-Policies.html

Ray

On Tue, 2019-10-29 at 11:40 -0400, Colin Ryan wrote:

Folks,

I'm trying to have Radius be my Authentication Method but gather attributes 
from the LDAP entry for the user. The LDAP database is the same one that is 
actually backing the RADIUS auth.


Seemed straightforward enough based upon: 
https://apereo.github.io/2018/10/18/cas5-radius-mfa-authn/


The authentication part is working and I can see in the logs that the 
personDirectory function is getting the attributes, but they aren't being shown 
as the available attributes in the default no-resource user page that CAS uses 
in its most primitive state.


The authentication seems to put the basic RADIUS response into the 
SimplePrincipal

[SimplePrincipal(id=colinr, attributes={Service-Type=Framed-User, Framed-Protocol=PPP})]>


And the LDAP Attribute Resolver seems to be working


DEBUG [org.apereo.services.persondir.support.ldap.LdaptivePersonAttributeDao] - <Converted ldap DN entry [uid=colinr, ou=People, o=caveo, o=isp] to attribute map {uid=[colinr], inetUserStatus=[Active], cn=[9999999]}>

2019-10-27 13:31:06,336 DEBUG [org.apereo.services.persondir.support.MergingPersonAttributeDaoImpl] - <Retrieved attributes='[NamedPersonImpl[name=colinr,attributes={uid=[colinr], inetUserStatus=[Active], commonName=[9999999]}]]' for query='{username=[colinr]}', isFirstQuery=false, currentlyConsidering='org.apereo.services.persondir.support.ldap.LdaptivePersonAttributeDao@1e224cb6', resultAttributes='null'>


But the two sets never merge.


I'm sure it's just a newbie mistake but I've read the documentation a number of 
times, and can't seem to figure it out.


Config is below CAS 6.0.5.1

cas.authn.accept.users=
#cas.authn.ldap[0].order=1

## Radius
cas.authn.radius.name=CAS1
cas.authn.radius.server.protocol=PAP
cas.authn.radius.server.retries=1
cas.authn.radius.client.authenticationPort=1645
cas.authn.radius.client.sharedSecret=xxxx
cas.authn.radius.client.inetAddress=100.10.1.182
cas.authn.radius.client.accountingPort=1646

# LDAP As Attribute Repository
cas.authn.attribute-repository.ldap[0].order=1
cas.authn.attribute-repository.ldap[0].attributes.uid=uid
cas.authn.attribute-repository.ldap[0].attributes.cn=commonName
cas.authn.attribute-repository.ldap[0].attributes.memberOf=memberOf
cas.authn.attribute-repository.ldap[0].attributes.dn=dn
cas.authn.attribute-repository.ldap[0].attributes.inetUserStatus=inetUserStatus
cas.authn.attribute-repository.ldap[0].ldapUrl=ldap://100.10.1.230:3131
cas.authn.attribute-repository.ldap[0].useSsl=false
cas.authn.attribute-repository.ldap[0].useStartTls=false
cas.authn.attribute-repository.ldap[0].baseDn=o=isp
cas.authn.attribute-repository.ldap[0].searchFilter=uid={0}
cas.authn.attribute-repository.ldap[0].bindDn=xxxxxx
cas.authn.attribute-repository.ldap[0].bindCredential=xxxx

cas.person-directory.return-null=false
cas.person-directory.principal-attribute=uid

cas.authn.attribute-repository.expiration-time=-1
cas.authn.attribute-repository.maximum-cache-size=0
cas.authn.attribute-repository.merger=MERGE


--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.
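
The per-service release Ray describes, as an added example that is not part of the original thread or of CAS's own files: a JSON service definition that releases an explicit allow-list and opts out of the default attribute bundle. The serviceId, name and id are assumed values; the attribute names are the mapped names from the attribute repository config quoted above. CAS reads these files as Hjson, so the comments are accepted.

```json
{
  /* Added example. serviceId, name and id are assumed values. */
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://app\\.example\\.org/.*",
  "name": "ExampleApp",
  "id": 1001,
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    /* Use the names as mapped by the repository: LDAP cn is exposed as commonName. */
    "allowedAttributes": ["java.util.ArrayList", ["uid", "commonName", "inetUserStatus"]],
    /* Turn off the server-wide default attribute set for this service only. */
    "excludeDefaultAttributes": true
  }
}
```

With the AbstractRegisteredServiceAttributeReleasePolicy logger at debug, the "Final collection of attributes allowed" line shows what this policy lets through for a given user.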
