Hello, 

I am trying to set up a CAS 6.2.0 server and I have a problem with LDAP 
attribute release. 
I am following this guide: 
https://dacurry-tns.github.io/deploying-apereo-cas/ 

The LDAP connection is successful but it returns only the REMOTE_USER 
attribute. 

Here is a part of my cas.properties: 

cas.authn.ldap[0].name=Active Directory
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].validatePeriod=300
cas.authn.ldap[0].poolPassivator=NONE
cas.authn.ldap[0].ldapUrl=ldaps://ad1.domain.com ldaps://ad2.domain.com
cas.authn.ldap[0].baseDn=OU=users,DC=domain,DC=com
cas.authn.ldap[0].searchFilter=sAMAccountName={user}
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].dnFormat=%[email protected]




Here is the service registry: 

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://castest.domain.com/secured-by-cas(\\z|/.*)",
  "name" : "Apache Secured By CAS",
  "id" : 1592052371,
  "description" : "CAS development Apache mod_auth_cas server with username/password protection",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  }
}



And here is the mod_auth_cas configuration on castest.domain.com: 

LoadModule auth_cas_module /etc/httpd/modules/mod_auth_cas.so

<Directory /var/www/html/secured-by-cas>
    <IfModule mod_auth_cas.c>
        AuthType CAS
        CASAuthNHeader On
    </IfModule>
    Require valid-user
</Directory>

<IfModule mod_auth_cas.c>
    CASLoginUrl https://cas.domain.com/cas/login
    CASValidateUrl https://cas.domain.com/cas/serviceValidate
#    CASValidateUrl https://cas.domain.com/cas/samlValidate
    CASCookiePath /var/cache/httpd/mod_auth_cas/
    CASSSOEnabled On
    CASDebug On
    LogLevel debug
    CASValidateSAML Off
</IfModule>




These are the last lines of the logs: 

2020-06-13 14:56:44,656 DEBUG [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - <Added ticket [ST-1-Q8ZYncR1PUKX0hlIszVJgOktT1E-cas] to registry.>
2020-06-13 14:56:44,656 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: hordo
WHAT: ST-1-Q8ZYncR1PUKX0hlIszVJgOktT1E-cas for https://castest.domain.com/secured-by-cas/index.php
ACTION: SERVICE_TICKET_VALIDATE_SUCCESS
APPLICATION: CAS
WHEN: Sat Jun 13 14:56:44 CEST 2020
CLIENT IP ADDRESS: *.*.*.*
SERVER IP ADDRESS: *.*.*.*
=============================================================

>
2020-06-13 14:56:44,687 DEBUG [org.apereo.cas.validation.AuthenticationPolicyAwareServiceTicketValidationAuthorizer] - <Evaluating service [AbstractWebApplicationService(id=https://castest.domain.com/secured-by-cas/index.php, originalUrl=https://castest.domain.com/secured-by-cas/index.php, artifactId=ST-1-Q8ZYncR1PUKX0hlIszVJgOktT1E-cas, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})] to ensure required authentication handlers can satisfy assertion>
2020-06-13 14:56:44,689 DEBUG [org.apereo.cas.authentication.policy.AtLeastOneCredentialValidatedAuthenticationPolicy] - <Authentication policy is satisfied having found at least one authentication transactions>
2020-06-13 14:56:44,689 DEBUG [org.apereo.cas.authentication.DefaultRequestedAuthenticationContextValidator] - <No particular authentication context is required for this request>
2020-06-13 14:56:44,689 DEBUG [org.apereo.cas.web.AbstractServiceValidateController] - <No service credentials specified, and/or the proxy handler [org.apereo.cas.ticket.proxy.support.Cas20ProxyHandler@454bde11] cannot handle credentials>
2020-06-13 14:56:44,689 DEBUG [org.apereo.cas.web.AbstractServiceValidateController] - <Successfully validated service ticket [ST-1-Q8ZYncR1PUKX0hlIszVJgOktT1E-cas] for service [https://castest.domain.com/secured-by-cas/index.php]>
2020-06-13 14:56:44,699 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <View name 'scopedTarget.cas3ServiceSuccessView', model {assertion=ImmutableAssertion(primaryAuthentication=org.apereo.cas.authentication.DefaultAuthentication@f5b3778f, chainedAuthentications=[org.apereo.cas.authentication.DefaultAuthentication@f5b3778f], fromNewLogin=true, service=AbstractWebApplicationService(id=https://castest.domain.com/secured-by-cas/index.php, originalUrl=https://castest.domain.com/secured-by-cas/index.php, artifactId=null, principal=hordo, source=service, loggedOutAlready=false, format=XML, attributes={})), service=AbstractWebApplicationService(id=https://castest.domain.com/secured-by-cas/index.php, originalUrl=https://castest.domain.com/secured-by-cas/index.php, artifactId=ST-1-Q8ZYncR1PUKX0hlIszVJgOktT1E-cas, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={}), org.springframework.validation.BindingResult.assertion=org.springframework.validation.BeanPropertyBindingResult: 0 errors, org.springframework.validation.BindingResult.service=org.springframework.validation.BeanPropertyBindingResult: 0 errors}>
2020-06-13 14:56:44,699 DEBUG [org.apereo.cas.services.web.view.AbstractDelegatingCasView] - <Preparing the output model [[assertion, service, org.springframework.validation.BindingResult.assertion, org.springframework.validation.BindingResult.service]] to render view [Cas30ResponseView]>
2020-06-13 14:56:44,700 DEBUG [org.apereo.cas.services.web.view.AbstractCasView] - <Final collection of attributes for the response are [[credentialType, samlAuthenticationStatementAuthMethod, isFromNewLogin, mail, authenticationDate, sAMAccountName, authenticationMethod, successfulAuthenticationHandlers, longTermAuthenticationRequestTokenUsed, cn, userPrincipalName]].>
2020-06-13 14:56:44,702 DEBUG [org.apereo.cas.authentication.support.AbstractProtocolAttributeEncoder] - <[11] encoded attributes are available for release to [Apache Secured By CAS]: [[credentialType, samlAuthenticationStatementAuthMethod, isFromNewLogin, mail, authenticationDate, sAMAccountName, authenticationMethod, successfulAuthenticationHandlers, longTermAuthenticationRequestTokenUsed, cn, userPrincipalName]]>
2020-06-13 14:56:44,702 DEBUG [org.apereo.cas.services.web.view.AbstractCasView] - <Encoded attributes for the response are [{credentialType=[UsernamePasswordCredential], samlAuthenticationStatementAuthMethod=[urn:oasis:names:tc:SAML:1.0:am:password], isFromNewLogin=[true], mail=[[email protected]], authenticationDate=[2020-06-13T12:56:39.405973Z], sAMAccountName=[hordo], authenticationMethod=[Active Directory], successfulAuthenticationHandlers=[Active Directory], longTermAuthenticationRequestTokenUsed=[false], cn=[Hordo PSN], userPrincipalName=[[email protected]]}]>
2020-06-13 14:56:44,727 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - <SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.>
2020-06-13 14:56:44,729 DEBUG [org.springframework.web.servlet.DispatcherServlet] - <Completed 200 OK>
2020-06-13 14:56:44,729 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] - <Chain processed normally>
2020-06-13 14:56:44,729 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] - <SecurityContextHolder now cleared, as request processing completed>
2020-06-13 14:56:59,174 DEBUG [org.apereo.cas.services.AbstractServicesManager] - <Adding registered service [^https://castest.domain.com/secured-by-cas(\z|/.*)] with name [Apache Secured By CAS] and internal identifier [1592052371]>
2020-06-13 14:56:59,174 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [1] service(s) from [JsonServiceRegistry].>



I see three odd things. The first one is the "No service credentials 
specified, and/or the proxy handler cannot handle credentials" message, and yet it 
successfully validates the service ticket on the line after. 
The second one is the two-hour difference of the authenticationDate 
attribute compared to the real one. 
The third one is the SecurityContext line; I really don't know how to solve 
this. 

Also, I tried with SAML but it didn't change anything. 

I hope someone can help me. 

Thanks. 
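
Added example (not part of the original post, and not code from the CAS project): the DEBUG log above shows the server encoding 11 attributes for release, so a useful check is to look at the XML that the validation endpoint hands to the client. The Python below parses a CAS validation response into the user and its released attributes; the sample responses are constructed, memberOf and the mail value are made up, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace of CAS protocol responses

# Constructed samples (not captured from the poster's server). The attribute
# names mail, cn and sAMAccountName appear in the log above; memberOf is made
# up to show a multi-valued attribute.
WITH_ATTRS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>hordo</cas:user>
    <cas:attributes>
      <cas:sAMAccountName>hordo</cas:sAMAccountName>
      <cas:cn>Hordo PSN</cas:cn>
      <cas:mail>user@example.org</cas:mail>
      <cas:memberOf>CN=staff,DC=example,DC=org</cas:memberOf>
      <cas:memberOf>CN=vpn,DC=example,DC=org</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Success reply that carries no cas:attributes block at all.
USER_ONLY = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>hordo</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def parse_validation_response(xml_text):
    """Return (user, {attribute: [values]}); raise ValueError on a failure reply."""
    # Assumes the XML comes from your own CAS server over TLS; for XML from an
    # untrusted source, parse with defusedxml instead of ElementTree.
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", NS)
    if failure is not None:
        raise ValueError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", NS)
    if success is None:
        raise ValueError("not a CAS validation response")
    user = success.findtext("cas:user", default="", namespaces=NS).strip()
    attrs = {}
    container = success.find("cas:attributes", NS)
    for child in (container if container is not None else ()):
        name = child.tag.split("}", 1)[-1]  # drop the "{namespace}" prefix
        attrs.setdefault(name, []).append((child.text or "").strip())
    return user, attrs
```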
