Robert, 

I'm running 6.1.5 and when I try this config for my surrogate 
authentication, no attributes get resolved for the surrogate (attributes 
were 'map[[empty]]').  I've found that I need to add a separate attribute 
repository for the same ldap in order to pull in any attributes for the 
surrogate.  Can you confirm if your configuration still works for you?

# This config will resolve memberOf attribute successfully for surrogates and traditional logins.
cas.authn.ldap[0].principalAttributeList=memberOf
cas.authn.attribute-repository.ldap[0].attributes.memberOf=memberOf

The interesting part is that I do not receive double up attributes using 
this config.  

Any help would be appreciated.

On Tuesday, October 8, 2019 at 1:21:25 PM UTC-4, Robert Bond wrote:
>
> I changed my ldap active directory config, removed the attribute 
> repository stuff and changed the type to AUTHENTICATED.
>
> The below config seems to be working well for me while using surrogacy 
> with LDAPS Active Directory:
>
>
> # set some properties we can re-use in authn and attributeRepository configuration
> ldap-url=         ldaps://ad01.example.edu:636
> ldap-binddn=      cn=logon_ldap_user,ou=Application Users,ou=All_Users,dc=example,dc=edu
> ldap-bindpw=      asdfasdfasdfasdfasdf
> ldap-auth-type=   AUTHENTICATED
> ldap-basedn=      ou=All_Users,dc=example,dc=edu
> ldap-user-filter= (cn={user})
> ldap-max-pool-size=20
> ldap-tls=false
> ldap-ssl=true
>
> # configure ldap authentication
> cas.authn.ldap[0].trustCertificates=file:/etc/cas/trustedexamplecert.der
> cas.authn.ldap[0].base-dn=${ldap-basedn}
> cas.authn.ldap[0].bind-credential=${ldap-bindpw}
> cas.authn.ldap[0].bind-dn=${ldap-binddn}
> cas.authn.ldap[0].ldap-url=${ldap-url}
> cas.authn.ldap[0].max-pool-size=${ldap-max-pool-size}
> cas.authn.ldap[0].min-pool-size=0
> cas.authn.ldap[0].type=${ldap-auth-type}
> cas.authn.ldap[0].searchFilter=${ldap-user-filter}
> cas.authn.ldap[0].use-ssl=${ldap-ssl}
> cas.authn.ldap[0].use-start-tls=${ldap-tls}
> # list of attributes to be collected and mapped
> cas.authn.ldap[0].principalAttributeList=cn:commonName,sn:surname,displayName:displayName,mail:email,givenName,memberOf,samAccountName,mail:emailAddress,samAccountName
>
>
>
> I had troubles getting surrogacy to work on previous versions with 
> anything but the JSON file method, which works for our current purposes. 
>
> Thanks,
> Robert Bond.
>
> On Tuesday, October 8, 2019 at 11:14:06 AM UTC-5, rbon wrote:
>>
>> Surrogates is on my todo list. Hopefully someone else with more experience 
>> will chime in.
>>
>> Ray
>>
>> On Tue, 2019-10-08 at 06:41 -0700, 'Robert Bond' via CAS Community wrote:
>>
>> No error messages on login. I do not think that this is expected behavior. 
>> When logging in as a surrogate it does not have duplicated values for the 
>> properties.  
>> See example below: 
>>    cn [bansecr_bondr] 
>>
>> The service registries do not handle when there are duplicated values 
>> like the "cn [BONDR, BONDR]" that I am getting when I do not use surrogate 
>> access.
>> I have 5 surrogates configured for my account inside the json file. When 
>> I disable surrogate access completely and remove the build.gradle 
>> dependency: 
>>     compile "org.apereo.cas:cas-server-support-surrogate-webflow:${project.'cas.version'}"
>> CAS then returns the attributes correctly as "cn [BONDR]"
>>
>> I think this is a bug. Any thoughts on how to better document and report 
>> it?
>> Or maybe I have something wrong with my Active Directory 
>> LDAP attributeRepository config in cas.
>>
>>
>> Thanks!
>>
>> On Monday, October 7, 2019 at 4:39:19 PM UTC-5, rbon wrote: 
>>
>> Robert,
>>
>> Is log in failing? Any error messages?
>>
>> Could it be that the second entry is the surrogate; and if no surrogate 
>> is supplied in the log in form, then the same subject exists for both [that 
>> is, for the surrogate plugin, an array is required]?
>>
>> Ray
>>
>> On Mon, 2019-10-07 at 13:10 -0700, 'Robert Bond' via CAS Community wrote:
>>
>> Running into an odd doubling of attribute values when surrogate access is 
>> enabled.  
>> On CAS 6.1.0 RC6
>>
>>
>> Here is my Surrogate config, Active Directory Auth config, and Attribute 
>> repository:
>>
>> # Surrogate config 
>> cas.authn.surrogate.separator=+
>> cas.authn.surrogate.json.location=file:/etc/cas/config/surrogates.json
>>
>>
>> # set some properties we can re-use in authn and attributeRepository configuration
>> ldap-url=         ldaps://ad01.example.edu:636
>> ldap-binddn=      cn=logon_ldap_user,ou=Application Users,ou=All_Users,dc=example,dc=edu
>> ldap-bindpw=      examplePass
>> ldap-auth-type=   DIRECT
>> ldap-basedn=      ou=All_Users,dc=example,dc=edu
>> ldap-dnformat=    cn=%s,ou=All_Users,dc=example,dc=edu
>> ldap-user-filter= (cn={user})
>> ldap-max-pool-size=20
>> ldap-tls=false
>> ldap-ssl=true
>> # configure ldap authentication
>> cas.authn.ldap[0].trustCertificates=file:/etc/cas/trustedexamplecert.der
>> cas.authn.ldap[0].base-dn=${ldap-basedn}
>> cas.authn.ldap[0].bind-credential=${ldap-bindpw}
>> cas.authn.ldap[0].bind-dn=${ldap-binddn}
>> cas.authn.ldap[0].dn-format=${ldap-dnformat}
>> cas.authn.ldap[0].ldap-url=${ldap-url}
>> cas.authn.ldap[0].max-pool-size=${ldap-max-pool-size}
>> cas.authn.ldap[0].min-pool-size=0
>> cas.authn.ldap[0].subtree-search=true
>> cas.authn.ldap[0].type=${ldap-auth-type}
>> cas.authn.ldap[0].searchFilter=${ldap-user-filter}
>> cas.authn.ldap[0].use-ssl=${ldap-ssl}
>> cas.authn.ldap[0].use-start-tls=${ldap-tls}
>>
>> # configure ldap attribute repository
>> cas.authn.attributeRepository.ldap[0].trustCertificates=file:/etc/cas/trustedexamplecert.der
>> cas.authn.attributeRepository.ldap[0].ldapUrl=${ldap-url}
>> cas.authn.attributeRepository.ldap[0].order=0
>> cas.authn.attributeRepository.ldap[0].useSsl=${ldap-ssl}
>> cas.authn.attributeRepository.ldap[0].useStartTls=${ldap-tls}
>> cas.authn.attributeRepository.ldap[0].baseDn=${ldap-basedn}
>> cas.authn.attributeRepository.ldap[0].searchFilter=${ldap-user-filter}
>> cas.authn.attributeRepository.ldap[0].subtreeSearch=true
>> cas.authn.attributeRepository.ldap[0].bindDn=${ldap-binddn}
>> cas.authn.attributeRepository.ldap[0].bindCredential=${ldap-bindpw}
>> cas.authn.attributeRepository.ldap[0].minPoolSize=0
>> cas.authn.attributeRepository.ldap[0].maxPoolSize=${ldap-max-pool-size}
>> cas.authn.attributeRepository.ldap[0].validateOnCheckout=true
>>
>> # configure validator for attribute repository
>> cas.authn.attributeRepository.ldap[0].validator.type=SEARCH
>> cas.authn.attributeRepository.ldap[0].validator.baseDn=${ldap-basedn}
>> cas.authn.attributeRepository.ldap[0].validator.searchFilter=(objectClass=*)
>> cas.authn.attributeRepository.ldap[0].validator.scope=OBJECT
>> cas.authn.attributeRepository.ldap[0].validator.attributeName=objectClass
>> cas.authn.attributeRepository.ldap[0].validator.attributeValues=top
>>
>> # Get AD attributes
>> cas.authn.attributeRepository.ldap[0].attributes.sAMAccountName=samAccountName
>> cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
>> cas.authn.attributeRepository.ldap[0].attributes.mail=email
>> cas.authn.attributeRepository.ldap[0].attributes.mail=emailAddress
>> cas.authn.attributeRepository.ldap[0].attributes.givenName=givenName
>> cas.authn.attributeRepository.ldap[0].attributes.sn=surname
>> cas.authn.attributeRepository.ldap[0].attributes.cn=commonName
>> cas.authn.attributeRepository.ldap[0].attributes.memberOf=memberOf
>>
>>
>> When the surrogacy dependency is added to build.gradle the 
>> attributeRepository returns doubled values for the attributes. See the 
>> example attributes below:
>>
>> cn [BONDR, BONDR]
>> displayName [Robert Bond, Robert Bond]
>> distinguishedName [CN=BONDR,OU=NSU,OU=All_Users,DC=example,DC=edu, CN=BONDR,OU=All_Users,DC=example,DC=edu]
>>
>>
>> Any thoughts? When I remove the surrogate dependency from build.gradle it 
>> returns the attributes correctly. ex: cn [BONDR]
>>
>>
>> Thanks!
>>
>> -- 
>>
>>
>> Ray Bon
>> Programmer Analyst
>> Development Services, University Systems
>> 2507218831 | CLE 019 | rb...@uvic.ca
>>
>> I respectfully acknowledge that my place of work is located within the 
>> ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
>> WSÁNEĆ Nations.
>>
>>
>

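For readers following the doubled-attribute problem in this thread, here is an added example that is not code from the thread or from the CAS project. It models, in plain Python, what happens when principal attributes collected by an LDAP authentication handler (principalAttributeList) and by a separate attribute repository pointed at the same entry are merged: a merge that appends values per attribute name yields "cn [BONDR, BONDR]", while a merge that keeps each value once does not, and multi-valued attributes such as memberOf keep their distinct groups either way. It also includes a small checker that parses the "name [value, value]" dump lines quoted above and flags attributes whose value list repeats a value. The attribute sources, group DNs and dump lines are constructed; the two merge functions are an illustration of the two policies, not CAS's own merger code, and the split on ", " is an assumption about the dump format (DN values contain commas with no following space).

```python
"""
Added example, not code from the thread or from the CAS project: a small model
of how principal attributes collected by an LDAP authentication handler and by
a separate attribute repository get merged, plus a check that flags the doubled
values ("cn [BONDR, BONDR]") described in the thread. All sample data below is
constructed; the merge functions are an illustration, not CAS's own merger.
"""
import re
from collections import OrderedDict

# Constructed sample: what the authn handler's principalAttributeList returns
# for the authenticated LDAP entry ...
AUTHN_ATTRIBUTES = {
    "cn": ["BONDR"],
    "displayName": ["Robert Bond"],
    "memberOf": [
        "CN=cas-admins,OU=Groups,DC=example,DC=edu",
        "CN=staff,OU=Groups,DC=example,DC=edu",
    ],
}
# ... and what a separate attribute repository reading the same entry returns.
REPOSITORY_ATTRIBUTES = {
    "cn": ["BONDR"],
    "displayName": ["Robert Bond"],
    "mail": ["bondr@example.edu"],
    "memberOf": [
        "CN=cas-admins,OU=Groups,DC=example,DC=edu",
        "CN=staff,OU=Groups,DC=example,DC=edu",
    ],
}


def merge_append(*sources):
    """Naive merge: concatenate each source's values per attribute name.
    Two sources reading the same entry produce doubled values."""
    merged = OrderedDict()
    for source in sources:
        for name, values in source.items():
            merged.setdefault(name, []).extend(values)
    return merged


def merge_distinct(*sources):
    """Merge that keeps every value once per attribute (first occurrence wins),
    so a multi-valued attribute such as memberOf keeps its distinct groups."""
    merged = OrderedDict()
    for source in sources:
        for name, values in source.items():
            bucket = merged.setdefault(name, [])
            for value in values:
                if value not in bucket:
                    bucket.append(value)
    return merged


# Matches the 'name [value, value]' lines quoted in the thread.
ATTRIBUTE_LINE = re.compile(r"^\s*(?P<name>\S+)\s+\[(?P<values>.*)\]\s*$")


def parse_attribute_line(line):
    """Return (name, values) for one dumped attribute line, or None.
    Values are split on ', ' rather than ',' because DN values themselves
    contain commas without a following space (assumption about the dump)."""
    match = ATTRIBUTE_LINE.match(line)
    if not match:
        return None
    values = [v.strip() for v in match.group("values").split(", ") if v.strip()]
    return match.group("name"), values


def find_duplicated_values(lines):
    """Map each attribute whose value list repeats a value to that list.
    A multi-valued attribute with distinct values (memberOf, or the two
    different distinguishedName DNs in the thread) is not reported."""
    report = OrderedDict()
    for line in lines:
        parsed = parse_attribute_line(line)
        if parsed is None:
            continue
        name, values = parsed
        if len(set(values)) < len(values):
            report[name] = values
    return report


# Constructed dump modelled on the lines quoted in the thread.
SAMPLE_DUMP = [
    "cn [BONDR, BONDR]",
    "displayName [Robert Bond, Robert Bond]",
    "distinguishedName [CN=BONDR,OU=NSU,OU=All_Users,DC=example,DC=edu, "
    "CN=BONDR,OU=All_Users,DC=example,DC=edu]",
    "mail [bondr@example.edu]",
]

if __name__ == "__main__":
    for name, values in merge_append(AUTHN_ATTRIBUTES, REPOSITORY_ATTRIBUTES).items():
        print("append  ", name, values)
    for name, values in merge_distinct(AUTHN_ATTRIBUTES, REPOSITORY_ATTRIBUTES).items():
        print("distinct", name, values)
    for name, values in find_duplicated_values(SAMPLE_DUMP).items():
        print("duplicated values:", name, values)
```

Running the script prints the appended and the distinct merge side by side, then reports cn and displayName from the sample dump while leaving distinguishedName alone, since its two DNs differ. That last point is worth keeping in mind when reading a dump: a repeated attribute name is only a duplicate if the values are identical, and a checker that only counts values would misreport memberOf.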