Andy,
Seems almost like your "issue" with the mysterious tight linkage to MFA
and Radius and this are related.
Is there a way to enable MFA radius but have it behave as a single factor?
Side note: is there a way, using Radius Authentication, to dynamically add
a realm identifier to the user's provided userID on a user-by-user basis?
Colin
On 2019-11-07 4:57 a.m., Andy Ng wrote:
Hi Colin,
I have taken a look into your problem, which is using *Radius
Authentication* and *LDAP* attributes, and the LDAP attributes don't come up.
I am using CAS 6.1.1 + Freeradius + OpenLDAP as demo, but I think the
solution should be applicable to CAS 6.0 and other technology as well.
Before going for the fix, I did some research and deduction:
- LDAP Attribute + other authentication *do work* (e.g. JSON / REST) ....
- So the problem seems to be *Radius Authentication*
- I suspect that, because Radius Authentication is so deeply
coupled with MFA, if we don't enable MFA, Radius will have weird behavior.
After some trial and error, here is what I did to make the LDAP attributes
appear:
- In here:
https://github.com/apereo/cas/blob/v6.1.1/support/cas-server-support-radius/src/main/java/org/apereo/cas/config/RadiusConfiguration.java#L168

    plan.registerAuthenticationHandler(radiusAuthenticationHandler());

Change it to

    plan.registerAuthenticationHandlerWithPrincipalResolver(radiusAuthenticationHandler(),
        defaultPrincipalResolver.getObject());

And add defaultPrincipalResolver back to the file:

    @Autowired
    @Qualifier("defaultPrincipalResolver")
    private ObjectProvider<PrincipalResolver> defaultPrincipalResolver;

And... after that change, as you can see in the capture below, I can
log in with Radius Authentication and also output the LDAP attributes.
[Attached screenshot: Annotation 2019-11-07 173857.png]
I am using a hard-coded method to fix the above; you should use a more
elegant way to fix it, or better yet submit a PR to CAS to fix the
source of the problem :)
If you have Docker installed, I also have a GitHub branch here:
https://github.com/NgSekLong/SelectUrCAS/tree/test_radius_problem_20191107
which contains the fixed version demo for your testing.
You can see the demo after cloning the above repository and executing
the command below to generate the demo:

    docker-compose -f docker-compose.yml \
      -f ./source/authentication/freeradius/docker-compose.yml \
      -f ./source/authentication-attribute/openldap/docker-compose.yml \
      -f ./source/client/phpcas/docker-compose.yml \
      -f ./source/service-registry/json-1001/docker-compose.yml up

Go to https://127.0.0.1:8443/cas/login
casuser:Mellon
Should see the result
See if the above helps you...
Cheers!
- Andy
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ddc3147f-cbe2-4bd8-a349-38b88df25115%40apereo.org.