Hello,

I need your help on a problem I have with my CAS environment.

Here is my CAS configuration:



# LDAP Authentication
#cas.authn.ldap[0].type=AD
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].ldapUrl=${ldap.url}
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].bindDn=${ldap.bindDn}
cas.authn.ldap[0].bindCredential=${ldap.bindCredential}
cas.authn.ldap[0].minPoolSize=2
cas.authn.ldap[0].maxPoolSize=5
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].baseDn=${ldap.baseDn}
cas.authn.ldap[0].searchFilter=${ldap.searchFilter}
cas.authn.ldap[0].dnFormat=${ldap.dnFormat}
cas.authn.ldap[0].principalAttributeId=sAMAccountName
cas.authn.ldap[0].principalAttributeList=objectGUID:objectGUIDFromAuthHandler


# LDAP Attribute Repository
cas.authn.attributeRepository.ldap[0].attributes.uid=uid
cas.authn.attributeRepository.ldap[0].attributes.objectGUID=objectGUIDFromAttrRepo
cas.authn.attributeRepository.ldap[0].attributes.mail=email
cas.authn.attributeRepository.ldap[0].attributes.givenName=prenom
cas.authn.attributeRepository.ldap[0].attributes.sn=nom
cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
cas.authn.attributeRepository.ldap[0].attributes.sAMAccountName=username
cas.authn.attributeRepository.ldap[0].ldapUrl=${ldap.url}
cas.authn.attributeRepository.ldap[0].useSsl=false
cas.authn.attributeRepository.ldap[0].useStartTls=false
cas.authn.attributeRepository.ldap[0].baseDn=${ldap.baseDn}
cas.authn.attributeRepository.ldap[0].searchFilter=${ldap.searchFilter}
cas.authn.attributeRepository.ldap[0].bindDn=${ldap.bindDn}
cas.authn.attributeRepository.ldap[0].bindCredential=${ldap.bindCredential}

 

As a test, I get the "objectGUID" attribute from my ActiveDirectory twice, 
once from the authentication handler directly, once from the LDAP Attribute 
Repository. My goal is to get it only from the AttributeRepository (because 
I also have SPNEGO authentication activated).

The problem is that I do not get the same objectGUID in both cases! From 
the AuthenticationHandler I get a base64-encoded GUID. From the 
AttributeRepository I get a binary object corresponding to ANOTHER GUID 
when I encode it to base64. Strangely, other attributes are OK: if I get 
displayName or givenName from the AuthenticationHandler and the 
AttributeRepository, they are the same.


Is this a known issue? Is there a problem with my configuration? Can I do 
anything to solve this or provide any other information for someone to help 
me with this issue?


Thank you a lot for your help.
