Hi, it's an old question but I'm trying this in CAS 6.3 too.
I cannot change the principal, even when principalType was RFC822_EMAIL;
as far as I know principalDescriptor only changes $username, not $principal,
and in order to make the LDAP attribute repository work I need to configure the
searchFilter as <LDAPfield>={<x509cert_attribute>}, like this:
cas.authn.x509.principal.active-attribute-repository-ids=ldap_attrRepository
cas.authn.attribute-repository.ldap[0].searchFilter=mail={x509Rfc822Email}
cas.authn.attribute-repository.ldap[0].id=ldap_attrRepository
This works for me independently of principalType because x509Rfc822Email is
a field that the X509 auth method always tries to find, and my cert has it. I can
retrieve more attributes from LDAP with this conf, but when I try to only
authenticate certs that have attributes in LDAP, I have not been able to. I tried this
conf:
cas.authn.x509.principal.returnNull=true
cas.authn.x509.principal.principalResolutionFailureFatal=true
If you solved your problem, did you manage this kind of restriction?
Thanks :)
On Thursday, 13 May 2021 at 11:35:42 UTC+2, Klaus-Dieter Krannich wrote:
> Hi all,
>
> I'm trying to upgrade a CAS-6.1 installation to CAS-6.2. We are using
> X509-Authentication and retrieving additional attributes from an
> LDAP-attribute-repository. Principal resolution in X509-Authentication is
> configured as:
> principalType: SUBJECT
> principalDescriptor: $EMAILADDRESS
>
> In CAS-6.1 this works as expected, in CAS-6.2 I get:
> DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
> <Attempting authentication of [[[email protected],
> SERIALNUMBER=x, CN=x, O=x, L=x, ST=x, C=x,serialNumber=x]] using
> [X509CredentialsAuthenticationHandler]>
> DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
> <Authentication handler [X509CredentialsAuthenticationHandler] successfully
> authenticated [AbstractCredential()]>
> TRACE [org.apereo.cas.authentication.principal.resolvers.PersonDirectoryPrincipalResolver]
> - <Attempting to resolve a principal via [X509SubjectPrincipalResolver]>
> TRACE [org.apereo.cas.authentication.principal.resolvers.PersonDirectoryPrincipalResolver]
> - <Creating principal for [[email protected]]>
> WARN
> [org.apereo.cas.authentication.attribute.PrincipalAttributeRepositoryFetcher]
> - <No person records were fetched from attribute repositories for
> [{principal=[[email protected], SERIALNUMBER=x, CN=x,
> O=x, L=x, ST=x, C=x,serialNumber=x], x509Rfc822Email=[[email protected]],
> issuerDn=[CN=x, OU=x, O=x, C=x], sigAlgOid=[x],
> issuerX500Principal=[CN=x,OU=x,C=x], subjectX500Principal=
> [1.2.840.113549.1.9.1=x,2.5.4.5=x,CN=x,O=x,L=x,ST=x,C=x], username=
> [email protected], subjectDn=[[email protected], SERIALNUMBER=x, CN=x,
> O=x, L=x, ST=x, C=x]}]>
>
> It looks like a wrong principal is passed to the
> LDAP-attribute-resolver: the default X509 subjectDN principal, and not the
> configured email principal.
> Am I missing a changed/new configuration option or is this a bug?
>
> Thank you for your comments.
>
> Regards
>
> Klaus-Dieter Krannich
>
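The mechanics the reply above relies on (expanding the attribute-repository search filter from the credential's x509Rfc822Email metadata rather than from the principal id, and what return-null and principal-resolution-failure-fatal should do when LDAP returns no record), as an added Go example that is not CAS code and not from either poster. It self-signs a throwaway certificate carrying an emailAddress in the subject DN, builds a credential metadata map using the key names from the quoted log, expands the filter from that map, and looks the result up in an in-memory stand-in for the LDAP repository. The Directory type, Options struct, the MakeCert/ExpandFilter/Resolve functions and the sample e-mail addresses are this example's own inventions; taking x509Rfc822Email from the subject emailAddress attribute, and the exact semantics attached to the two fail-closed settings, are assumptions for illustration, not a description of how CAS 6.x implements them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"regexp"
	"strings"
	"time"
)

// PKCS#9 emailAddress (1.2.840.113549.1.9.1): the EMAILADDRESS= component of the subject DN in the thread's log.
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// Directory is a constructed stand-in for the LDAP attribute repository, keyed by the expanded equality filter.
type Directory map[string]map[string][]string

// Options model the three CAS settings quoted in the reply; the semantics below are this example's assumption.
type Options struct {
	Filter       string // cas.authn.attribute-repository.ldap[0].search-filter
	ReturnNull   bool   // cas.authn.x509.principal.return-null
	FailureFatal bool   // cas.authn.x509.principal.principal-resolution-failure-fatal
}

var ErrNoRecord = fmt.Errorf("no person record fetched for certificate")

// RFC 4515 escaping: the e-mail comes from a certificate the issuer controls, so it is never spliced in raw.
var ldapEscaper = strings.NewReplacer(`\`, `\5c`, "*", `\2a`, "(", `\28`, ")", `\29`, "\x00", `\00`)
var placeholder = regexp.MustCompile(`\{(\w+)\}`)

// ExpandFilter substitutes {name} placeholders (e.g. "mail={x509Rfc822Email}") from the credential
// metadata; a missing attribute is an error, never an empty and therefore over-broad filter.
func ExpandFilter(filter string, attrs map[string][]string) (string, error) {
	var missing error
	out := placeholder.ReplaceAllStringFunc(filter, func(m string) string {
		if v := attrs[m[1:len(m)-1]]; len(v) > 0 {
			return ldapEscaper.Replace(v[0])
		}
		missing = fmt.Errorf("filter %q: no credential attribute %s", filter, m)
		return m
	})
	if missing != nil {
		return "", missing
	}
	return out, nil
}

// Resolve builds the credential metadata map (keys as in the thread's log), expands the filter
// from that map rather than from the principal id, and applies Options when no record comes back.
// It returns the resolved principal's attributes, or nil when resolution yields no principal.
func Resolve(cert *x509.Certificate, dir Directory, opt Options) (map[string][]string, error) {
	attrs := map[string][]string{"principal": {cert.Subject.String()}, "subjectDn": {cert.Subject.String()}}
	for _, atv := range cert.Subject.Names { // x509Rfc822Email: the subject emailAddress attribute (assumed source)
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(oidEmailAddress) {
			attrs["x509Rfc822Email"], attrs["username"] = []string{s}, []string{s}
		}
	}
	filter, err := ExpandFilter(opt.Filter, attrs)
	rec, found := dir[filter]
	if err == nil && !found {
		err = ErrNoRecord
	}
	if err != nil && opt.FailureFatal {
		return nil, err // fail closed: a valid certificate with no person record is rejected
	}
	if err != nil && opt.ReturnNull {
		return nil, nil // no principal, but no error either
	}
	for k, v := range rec { // permissive default: certificate attributes alone make a principal
		attrs[k] = v
	}
	return attrs, nil
}

// MakeCert self-signs a throwaway certificate; an empty email leaves the subject without emailAddress.
func MakeCert(email string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Test User", Organization: []string{"Example"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	if email != "" {
		tmpl.Subject.ExtraNames = []pkix.AttributeTypeAndValue{{Type: oidEmailAddress, Value: email}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

With FailureFatal set, a certificate whose e-mail has no directory entry is rejected with ErrNoRecord, and a certificate with no e-mail at all is rejected with the filter-expansion error instead of being searched with an empty filter. With only ReturnNull set the same certificates yield no principal and no error, and with neither set the certificate attributes alone become the principal, which is the open behaviour the reply is trying to rule out. The RFC 4515 escaping is there because the filter value is taken from a certificate, not typed by an operator.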
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/8c03016e-87c5-4679-b9ac-c99a1f133646n%40apereo.org.