Re: [cas-user] SAML attribute release

Tue, 21 Sep 2010 15:23:37 -0700 

 On 21/09/10 17:26, Marvin Addison wrote:

The logs are attached.

It's suspect that the last attribute query entry is the following:

[org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] -
Generated query builder '([email protected])'
from query Map {username=[[email protected]]}.

In the case of successful attribute release, you should see entries
like the following:

2010-09-21 09:57:43,655 DEBUG
[org.jasig.services.persondir.support.MergingPersonAttributeDaoImpl] -
Retrieved 
attributes='[NamedPersonImpl[name=username,attributes={accountState=[ACTIVE],
authId=[username], Formatted Name=[username],
groupMembership=[uugid=group1,ou=Groups,dc=vt,dc=edu,
uugid=group2,ou=Groups,dc=vt,dc=edu,
uugid=group3,ou=Groups,dc=vt,dc=edu], uid=[12345],
UDC_IDENTIFIER=[7CF7812347C17395E0441234BA624FA9],
virginiaTechAffiliation=[VT-EMPLOYEE-STATE, VT-EMPLOYEE,
VT-ACTIVE-MEMBER, VT-STAFF, VT-STUDENT, VT-ALUM-CONSTITUENT, VT-ALUM,
VT-ALUM-PARENT]}]]' for query='{username=[username]}',
isFirstQuery=false,
currentlyConsidering='org.jasig.services.persondir.support.ldap.ldappersonattribute...@569764bd',
resultAttributes='null'

Can you confirm that your LDAP query is valid and that you can execute
it against your LDAP server using the same parameters as those defined
in your deployerConfigContext.xml?  I typically use ldapsearch, part
of the ldap-utils package, for investigations like that.

M



I've never seen MergingPersonAttributeDaoImpl and this kind of entries...

Yes the ldap query '([email protected])'
is valid and returns 1 object.

I can also see the CAS server requesting for the attributes
I have defined to be released for this service from the ldap server:
[22/Sep/2010:01:05:49 +0300] conn=25719 op=1 msgId=2 - SRCH base="dc=example,dc=com" scope=2 filter="([email protected])" attrs="cn telephoneNumber facsimileTelephoneNumber mail eduPersonPrincipalName uid" 

but they are never released. The later query is also valid
from ldapsearch and returns all the attributes (cn is multivalue: cn, cn;lang-en, cn;lang-el). 
facsimileTelephoneNumber does not exist but I have defined
<property name="requireAllQueryAttributes" value="false" />
in attributeRepository

Is there a way to make my logging more extensive on this?

Giannis




--
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Reply via email to