Hi all,
I'm trying to upgrade a CAS-6.1 installation to CAS-6.2. We are using
X509-Authentication and retrieving additional attributes from an
LDAP-attribute-repository. Principal resolution in X509-Authentication is
configured as:
principalType: SUBJECT
principalDescriptor: $EMAILADDRESS
In CAS-6.1 this works as expected; in CAS-6.2 I get:
DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
<Attempting authentication of [[[email protected],
SERIALNUMBER=x, CN=x, O=x, L=x, ST=x, C=x,serialNumber=x]] using
[X509CredentialsAuthenticationHandler]>
DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
<Authentication handler [X509CredentialsAuthenticationHandler] successfully
authenticated [AbstractCredential()]>
TRACE
[org.apereo.cas.authentication.principal.resolvers.PersonDirectoryPrincipalResolver]
- <Attempting to resolve a principal via [X509SubjectPrincipalResolver]>
TRACE
[org.apereo.cas.authentication.principal.resolvers.PersonDirectoryPrincipalResolver]
- <Creating principal for [[email protected]]>
WARN
[org.apereo.cas.authentication.attribute.PrincipalAttributeRepositoryFetcher]
- <No person records were fetched from attribute repositories for
[{principal=[[email protected], SERIALNUMBER=x, CN=x, O=x,
L=x, ST=x, C=x,serialNumber=x], x509Rfc822Email=[[email protected]],
issuerDn=[CN=x, OU=x, O=x, C=x], sigAlgOid=[x],
issuerX500Principal=[CN=x,OU=x,C=x], subjectX500Principal=
[1.2.840.113549.1.9.1=x,2.5.4.5=x,CN=x,O=x,L=x,ST=x,C=x],
[email protected], subjectDn=[[email protected], SERIALNUMBER=x,
CN=x, O=x, L=x, ST=x, C=x]}]>
It looks like the wrong principal is passed to the
LDAP-attribute-resolver: the default X509 subjectDN principal, and not the
configured email principal.
Am I missing a changed/new configuration option or is this a bug?
Thank you for your comments.
Regards
Klaus-Dieter Krannich