Andy,

Seems almost like your "issue" with the mysterious tight linkage to MFA and Radius and this are related.

Is there a way to enable MFA radius but have it behave as a single factor?

Side note: is there a way, using Radius Authentication, to dynamically add a realm identifier to the user's provided userID on a user-by-user basis?

Colin

On 2019-11-07 4:57 a.m., Andy Ng wrote:


Hi Colin,

I have taken a look into your problem, which is using *Radius Authentication* and *LDAP* attribute, and the LDAP attribute doesn't come up.

I am using CAS 6.1.1 + Freeradius + OpenLDAP as a demo, but I think the solution should be applicable to CAS 6.0 and other technology as well.


Before going for the fix, I did some research and deduction:
- LDAP Attribute + other authentication *do work* (e.g. JSON / REST) ....
- So the problem seems to be *Radius Authentication*
- I am suspecting that, because Radius Authentication is so deeply coupled with MFA, if we don't enable MFA, Radius will have weird behavior.


After some trial and error, here is what I did to make the LDAP attribute appear:

- In here https://github.com/apereo/cas/blob/v6.1.1/support/cas-server-support-radius/src/main/java/org/apereo/cas/config/RadiusConfiguration.java#L168

    plan.registerAuthenticationHandler(radiusAuthenticationHandler());

Change it to

    plan.registerAuthenticationHandlerWithPrincipalResolver(radiusAuthenticationHandler(), defaultPrincipalResolver.getObject());

And add defaultPrincipalResolver back to the file:

    @Autowired
    @Qualifier("defaultPrincipalResolver")
    private ObjectProvider<PrincipalResolver> defaultPrincipalResolver;

And... after that change, as you can see in the below capture, I can login with Radius Authentication and also output LDAP Attribute.
[Screenshot: Annotation 2019-11-07 173857.png]

I am using a hard-coded method to fix the above; you should use a more elegant way to fix it, or better yet submit a PR to CAS to fix the source of the problem :)


If you have Docker installed, I also have a GitHub branch here:
https://github.com/NgSekLong/SelectUrCAS/tree/test_radius_problem_20191107

which contains the fixed version demo for your testing.

You can see the demo after cloning the above repository and executing the command below to generate the demo:

    docker-compose -f docker-compose.yml \
        -f ./source/authentication/freeradius/docker-compose.yml \
        -f ./source/authentication-attribute/openldap/docker-compose.yml \
        -f ./source/client/phpcas/docker-compose.yml \
        -f ./source/service-registry/json-1001/docker-compose.yml up

Go to https://127.0.0.1:8443/cas/login
casuser:Mellon

Should see the result


See if the above helps you...

Cheers!
- Andy








--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org <mailto:cas-user+unsubscr...@apereo.org>. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/ddc3147f-cbe2-4bd8-a349-38b88df25115%40apereo.org <https://groups.google.com/a/apereo.org/d/msgid/cas-user/ddc3147f-cbe2-4bd8-a349-38b88df25115%40apereo.org?utm_medium=email&utm_source=footer>.

