Hello everyone,
I'm trying to get CAS up and running. Authentication works fine, but my client
application needs to get a user's ldap groups. I added a
CredentialsToLDAPAttributePrincipalResolver to my authentication manager, and
on the client side I added the Saml11TicketValidationFilter. It looks like cas
is querying for my attributes. tcpdump shows that the cas server is contacting
my ldap server and getting attributes properly. But on the client side, the
map returned by the getAttributes() is empty. Can anyone see where I'm going
wrong?
Here's my deployerConfigContext.xml:
<bean id="LdapCredentialtoPrincipalResolver"
      class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
  <property name="credentialsToPrincipalResolver">
    <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
  </property>
  <property name="filter" value="(mail=%u)" />
  <property name="principalAttributeName" value="sAMAccountName" />
  <property name="searchBase" value="CN=Users,DC=EmmiSolutions,DC=local" />
  <property name="contextSource" ref="contextSource" />
  <property name="attributeRepository" ref="attributeRepository" />
</bean>

<bean id="authenticationManager"
      class="org.jasig.cas.authentication.AuthenticationManagerImpl">
  <property name="credentialsToPrincipalResolvers">
    <list>
      <ref bean="LdapCredentialtoPrincipalResolver" />
      <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
    </list>
  </property>
  <property name="authenticationHandlers">
    <list>
      <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
            p:httpClient-ref="httpClient" />
      <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
        <property name="filter" value="(proxyaddresses=SMTP:%u)" />
        <property name="searchBase" value="CN=Users,DC=EmmiSolutions,DC=local" />
        <property name="contextSource" ref="contextSource" />
        <property name="ignorePartialResultException" value="yes" />
      </bean>
    </list>
  </property>
</bean>

<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="cn=Users,DC=EmmiSolutions,DC=local" />
  <property name="contextSource" ref="contextSource" />
  <property name="requireAllQueryAttributes" value="true" />
  <property name="queryAttributeMapping">
    <map>
      <entry key="username" value="sAMAccountName" />
    </map>
  </property>
  <property name="resultAttributeMapping">
    <map>
      <entry key="cn" value="Name" />
      <entry key="memberOf" value="memberOf" />
      <entry key="mail" value="mail" />
    </map>
  </property>
</bean>
On the client side, my web.xml has the following:
<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://devcas1.emmisolutions.com:8443/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://192.168.101.156:8080</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://devcas1.emmisolutions.com:8443/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://192.168.101.156:8080</param-value>
  </init-param>
  <init-param>
    <param-name>redirectAfterValidation</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <!--
      Adjust to accommodate clock drift between client/server. Increasing
      tolerance has security consequences, so it is preferable to correct
      the source of clock drift instead.
    -->
    <param-name>tolerance</param-name>
    <param-value>5000</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>

<filter>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>

<filter-mapping>
  <filter-name>CAS Authentication Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>CAS Validation Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
I don't see any issues in my logs:
2011-02-22 16:26:07,038 DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - <Performing LDAP bind with credential: CN=Laura Griffel,CN=Users,DC=EmmiSolutions,DC=local>
2011-02-22 16:26:07,040 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: [email protected]]>
2011-02-22 16:26:07,040 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Attempting to resolve a principal...>
2011-02-22 16:26:07,040 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - <Attempting to resolve a principal...>
2011-02-22 16:26:07,040 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - <Creating SimplePrincipal for [[email protected]]>
2011-02-22 16:26:07,042 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Resolved [email protected]. Trying LDAP resolve now...>
2011-02-22 16:26:07,042 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <LDAP search with filter "([email protected])">
2011-02-22 16:26:07,042 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <returning searchcontrols: scope=2; search base=CN=Users,DC=EmmiSolutions,DC=local; attributes=[sAMAccountName]; timeout=1000>
2011-02-22 16:26:07,047 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Resolved [email protected] to LGRIFFEL>
2011-02-22 16:26:07,047 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Creating SimplePrincipal for [LGRIFFEL]>
2011-02-22 16:26:07,047 DEBUG [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - <Created seed map='{username=[LGRIFFEL]}' for uid='LGRIFFEL'>
2011-02-22 16:26:07,048 DEBUG [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - <Adding attribute 'sAMAccountName' with value '[LGRIFFEL]' to query builder 'null'>
2011-02-22 16:26:07,051 DEBUG [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - <Generated query builder '(sAMAccountName=LGRIFFEL)' from query Map {username=[LGRIFFEL]}.>
So my logs look OK - any suggestions as to what is going on?
Thanks,
Laura
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
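A way to split this problem in half, added here as an example and not part of the original post or of the CAS project: the Saml11TicketValidationFilter only hands the client whatever the CAS server put into the AttributeStatement of its SAML 1.1 validation response, so looking at that response directly tells you whether attribute release is failing on the server or the client is dropping what it received. The parser below reads a /cas/samlValidate response (SOAP-wrapped, as CAS 3.x returns it, or a bare samlp:Response) and reports the released attributes, then compares them with the names the post's resultAttributeMapping is expected to produce (Name, memberOf, mail). The two responses it runs on are constructed for this example, not captured traffic; the SAML namespaces and element layout are the standard SAML 1.1 ones, and the AttributeNamespace URI and group DNs are assumed sample values.

```python
# Added example: parse a CAS 3.x SAML 1.1 validation response and list the
# attributes it released. Not code from the original post or the CAS project.
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}

# Attribute names the post's resultAttributeMapping should yield (cn -> Name).
EXPECTED = ["Name", "memberOf", "mail"]


def parse_saml11_response(xml_text):
    """Return (status, name_identifier, attributes).

    status          -- local part of samlp:StatusCode/@Value, e.g. "Success"
    name_identifier -- the authenticated principal id from the
                       AuthenticationStatement, or None on a failure response
    attributes      -- {AttributeName: [values]}; empty when the assertion has
                       no AttributeStatement, which is what the client then
                       exposes as an empty getAttributes() map
    """
    root = ET.fromstring(xml_text)
    samlp_response = "{%s}Response" % NS["samlp"]
    resp = root if root.tag == samlp_response else root.find(".//samlp:Response", NS)
    if resp is None:
        raise ValueError("no samlp:Response element in document")

    status = None
    status_el = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status_el is not None and status_el.get("Value"):
        status = status_el.get("Value").split(":")[-1]

    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        # Failure responses (bad/expired ticket, wrong service) carry no assertion.
        return status, None, {}

    name_id = assertion.findtext(
        "saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", None, NS
    )
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        # A multi-valued attribute such as memberOf is one saml:Attribute with
        # several saml:AttributeValue children; keep every value.
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes.setdefault(attr.get("AttributeName"), []).extend(values)
    return status, name_id, attributes


def missing_attributes(expected, attributes):
    """Names in `expected` that the server did not release, in order."""
    return [name for name in expected if name not in attributes]


def _constructed_response(attribute_statement):
    # Constructed sample (not captured traffic) with the SAML 1.1 element layout.
    return (
        '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
        '<SOAP-ENV:Body>'
        '<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" '
        'Recipient="http://192.168.101.156:8080/" ResponseID="_constructed-r1">'
        '<Status><StatusCode Value="samlp:Success"/></Status>'
        '<saml:Assertion AssertionID="_constructed-a1" Issuer="localhost" MajorVersion="1" MinorVersion="1">'
        + attribute_statement +
        '<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">'
        '<saml:Subject><saml:NameIdentifier>LGRIFFEL</saml:NameIdentifier></saml:Subject>'
        '</saml:AuthenticationStatement>'
        '</saml:Assertion></Response></SOAP-ENV:Body></SOAP-ENV:Envelope>'
    )


# Server released memberOf (two values) and mail, but not Name (assumed sample DNs).
SAMPLE_WITH_ATTRIBUTES = _constructed_response(
    '<saml:AttributeStatement>'
    '<saml:Subject><saml:NameIdentifier>LGRIFFEL</saml:NameIdentifier></saml:Subject>'
    '<saml:Attribute AttributeName="memberOf" AttributeNamespace="http://www.ja-sig.org/products/cas/">'
    '<saml:AttributeValue>CN=Developers,CN=Users,DC=EmmiSolutions,DC=local</saml:AttributeValue>'
    '<saml:AttributeValue>CN=VPN Users,CN=Users,DC=EmmiSolutions,DC=local</saml:AttributeValue>'
    '</saml:Attribute>'
    '<saml:Attribute AttributeName="mail" AttributeNamespace="http://www.ja-sig.org/products/cas/">'
    '<saml:AttributeValue>lgriffel@example.invalid</saml:AttributeValue>'
    '</saml:Attribute>'
    '</saml:AttributeStatement>'
)
# Server authenticated the user but released nothing: the symptom in the post.
SAMPLE_NO_ATTRIBUTES = _constructed_response("")

if __name__ == "__main__":
    for label, doc in (("released", SAMPLE_WITH_ATTRIBUTES), ("nothing released", SAMPLE_NO_ATTRIBUTES)):
        status, who, attrs = parse_saml11_response(doc)
        print(label, status, who, attrs, "missing:", missing_attributes(EXPECTED, attrs))
```

If the captured response looks like the second sample, the client is behaving correctly and the fix belongs on the CAS server (the attribute lookup or the attribute release for that service); if it looks like the first, the server side is fine and the client configuration or the code reading the assertion is where to look next.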