Try removing the baseDN property from the attributeRepository entry.
It seems that setting that in the context and the attributeRepository
causes issues.
Benito J. Gonzalez
Manager, Enterprise Web Application Development
Information Technology Department
University of California, Merced
Desk: 209.228.2974
Cell: 209.201.5052
Email: [email protected]
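Benito's suggestion turns on how the two base settings combine. The script below is an added example, not code from this thread or from CAS: it assumes, as Spring LDAP documents for LdapTemplate searches, that a base passed to a search is relative to the ContextSource's own base, so a bean-level baseDN is prepended to the context base rather than replacing it. It reads the resolver's logged search base and the DAO's generated filter out of the DEBUG log quoted below (excerpt reconstructed from those lines, wraps removed), then shows where the attributeRepository would actually search for a given contextSource base, flagging the case where baseDN repeats it. Because the resolver and the attributeRepository in the posted configuration share the same contextSource, it also compares the DAO's effective base against the one the resolver searched successfully. The contextSource bean itself is not shown in the thread, so its base is an input to the check.

```python
import re

# Constructed excerpt of the CAS DEBUG log quoted in this thread (line wraps
# removed); only the lines this check reads are kept.
CAS_LOG = """\
2011-02-22 16:26:07,042 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <returning searchcontrols: scope=2; search base=CN=Users,DC=EmmiSolutions,DC=local; attributes=[sAMAccountName]; timeout=1000>
2011-02-22 16:26:07,047 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Creating SimplePrincipal for [LGRIFFEL]>
2011-02-22 16:26:07,051 DEBUG [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - <Generated query builder '(sAMAccountName=LGRIFFEL)' from query Map {username=[LGRIFFEL]}.>
"""

# Value from the posted deployerConfigContext.xml. The contextSource bean is
# not shown in the thread, so its base is a parameter of the check.
ATTRIBUTE_REPOSITORY_BASE_DN = "cn=Users,DC=EmmiSolutions,DC=local"

SEARCH_BASE_RE = re.compile(r"search base=([^;>]+);")
QUERY_RE = re.compile(r"Generated query builder '([^']+)'")


def parse_cas_log(log):
    """Return (resolver search base, attribute DAO filter) from CAS DEBUG
    output; either is None when the corresponding line is absent."""
    resolver_base = attribute_filter = None
    for line in log.splitlines():
        if "CredentialsToLDAPAttributePrincipalResolver" in line:
            m = SEARCH_BASE_RE.search(line)
            if m:
                resolver_base = m.group(1).strip()
        elif "LdapPersonAttributeDao" in line:
            m = QUERY_RE.search(line)
            if m:
                attribute_filter = m.group(1)
    return resolver_base, attribute_filter


def normalize_dn(dn):
    """Lower-case and strip every RDN so 'cn=Users,DC=X' equals 'CN=Users,dc=x'
    (Active Directory DNs are case-insensitive)."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(attr.strip().lower() + "=" + value.strip().lower())
    return ",".join(parts)


def effective_search_base(context_base, bean_base):
    """Assumption this check rests on: Spring LDAP resolves a search base
    relative to the ContextSource base, so a bean-level base is prepended to
    the context base, not substituted for it."""
    if not bean_base:
        return context_base
    if not context_base:
        return bean_base
    return bean_base + "," + context_base


def diagnose(log, context_base, bean_base):
    """Return (DAO effective base, DAO filter, findings). Findings flag a
    baseDN that repeats the contextSource base, a DAO base that differs from
    the base the resolver searched, and a missing generated query."""
    resolver_base, attribute_filter = parse_cas_log(log)
    findings = []
    dao_effective = effective_search_base(context_base, bean_base)
    if context_base and bean_base:
        nb, nc = normalize_dn(bean_base), normalize_dn(context_base)
        if nb == nc or nb.endswith("," + nc):
            findings.append(
                "baseDN repeats the contextSource base; the DAO would search "
                "under '%s', which does not exist" % dao_effective)
    if resolver_base is not None:
        resolver_effective = effective_search_base(context_base, resolver_base)
        if normalize_dn(resolver_effective) != normalize_dn(dao_effective):
            findings.append(
                "resolver searched under '%s' but the DAO will search under '%s'"
                % (resolver_effective, dao_effective))
    if attribute_filter is None:
        findings.append("no 'Generated query builder' line: the DAO never built a query")
    return dao_effective, attribute_filter, findings


if __name__ == "__main__":
    # Three candidate contextSource bases: empty, domain-level, and the same
    # container the attributeRepository's baseDN names (Benito's case).
    for ctx in ("", "DC=EmmiSolutions,DC=local", "CN=Users,DC=EmmiSolutions,DC=local"):
        base, filt, findings = diagnose(CAS_LOG, ctx, ATTRIBUTE_REPOSITORY_BASE_DN)
        print("contextSource base=%r -> DAO searches %r for %s" % (ctx, base, filt))
        for f in findings:
            print("  ! " + f)
```

The rule of thumb the script encodes: the resolver's logged base demonstrably worked, and the attributeRepository uses the same contextSource, so whatever baseDN you leave on the DAO must produce the same effective DN; if it does not, that is the first thing to fix before looking at the client.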
On 02/22/11 15:18, Laura Griffel wrote:
Hello everyone,
I'm trying to get CAS up and running. Authentication works fine, but
my client application needs to get a user's LDAP groups. I added a
CredentialsToLDAPAttributePrincipalResolver to my authentication
manager, and on the client side I added the
Saml11TicketValidationFilter. It looks like CAS is querying for my
attributes: tcpdump shows that the CAS server is contacting my LDAP
server and getting attributes properly. But on the client side, the
map returned by getAttributes() is empty. Can anyone see where I'm
going wrong?
Here's my deployerConfigContext.xml:
<bean id="LdapCredentialtoPrincipalResolver"
      class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
  <property name="credentialsToPrincipalResolver">
    <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
  </property>
  <property name="filter" value="(mail=%u)" />
  <property name="principalAttributeName" value="sAMAccountName" />
  <property name="searchBase" value="CN=Users,DC=EmmiSolutions,DC=local" />
  <property name="contextSource" ref="contextSource" />
  <property name="attributeRepository" ref="attributeRepository" />
</bean>

<bean id="authenticationManager"
      class="org.jasig.cas.authentication.AuthenticationManagerImpl">
  <property name="credentialsToPrincipalResolvers">
    <list>
      <ref bean="LdapCredentialtoPrincipalResolver" />
      <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
    </list>
  </property>
  <property name="authenticationHandlers">
    <list>
      <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
            p:httpClient-ref="httpClient" />
      <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
        <property name="filter" value="(proxyaddresses=SMTP:%u)" />
        <property name="searchBase" value="CN=Users,DC=EmmiSolutions,DC=local" />
        <property name="contextSource" ref="contextSource" />
        <property name="ignorePartialResultException" value="yes" />
      </bean>
    </list>
  </property>
</bean>

<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="cn=Users,DC=EmmiSolutions,DC=local" />
  <property name="contextSource" ref="contextSource" />
  <property name="requireAllQueryAttributes" value="true" />
  <property name="queryAttributeMapping">
    <map>
      <entry key="username" value="sAMAccountName" />
    </map>
  </property>
  <property name="resultAttributeMapping">
    <map>
      <entry key="cn" value="Name" />
      <entry key="memberOf" value="memberOf" />
      <entry key="mail" value="mail" />
    </map>
  </property>
</bean>
On the client side, my web.xml has the following:
<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://devcas1.emmisolutions.com:8443/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://192.168.101.156:8080</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://devcas1.emmisolutions.com:8443/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://192.168.101.156:8080</param-value>
  </init-param>
  <init-param>
    <param-name>redirectAfterValidation</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <!--
      Adjust to accommodate clock drift between client/server.
      Increasing tolerance has security consequences, so it is
      preferable to correct the source of clock drift instead.
    -->
    <param-name>tolerance</param-name>
    <param-value>5000</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>

<filter>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>

<filter-mapping>
  <filter-name>CAS Authentication Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS Validation Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
I don't see any issues in my logs:
2011-02-22 16:26:07,038 DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] -
  <Performing LDAP bind with credential: CN=Laura Griffel,CN=Users,DC=EmmiSolutions,DC=local>
2011-02-22 16:26:07,040 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] -
  <AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: [email protected]]>
2011-02-22 16:26:07,040 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] -
  <Attempting to resolve a principal...>
2011-02-22 16:26:07,040 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] -
  <Attempting to resolve a principal...>
2011-02-22 16:26:07,040 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] -
  <Creating SimplePrincipal for [lgriffel@emmisolutions.com]>
2011-02-22 16:26:07,042 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] -
  <Resolved [email protected]. Trying LDAP resolve now...>
2011-02-22 16:26:07,042 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] -
  <LDAP search with filter "([email protected])">
2011-02-22 16:26:07,042 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] -
  <returning searchcontrols: scope=2; search base=CN=Users,DC=EmmiSolutions,DC=local; attributes=[sAMAccountName]; timeout=1000>
2011-02-22 16:26:07,047 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] -
  <Resolved [email protected] to LGRIFFEL>
2011-02-22 16:26:07,047 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] -
  <Creating SimplePrincipal for [LGRIFFEL]>
2011-02-22 16:26:07,047 DEBUG [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] -
  <Created seed map='{username=[LGRIFFEL]}' for uid='LGRIFFEL'>
2011-02-22 16:26:07,048 DEBUG [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] -
  <Adding attribute 'sAMAccountName' with value '[LGRIFFEL]' to query builder 'null'>
2011-02-22 16:26:07,051 DEBUG [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] -
  <Generated query builder '(sAMAccountName=LGRIFFEL)' from query Map {username=[LGRIFFEL]}.>
So my logs look OK. Any suggestions as to what is going on?
Thanks,
Laura
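As an added example (not part of Laura's post, and not the CAS client's own code), here is a Python parser for the SAML 1.1 response that /cas/samlValidate returns to the Saml11TicketValidationFilter configured above. It performs the three checks the client filter performs on that response (a Success status, the Conditions window judged with the `tolerance` of 5000 ms from web.xml, and extraction of the AttributeStatement), so a response captured with tcpdump can be checked offline: if the server's response carries no `<AttributeStatement>`, the empty map from getAttributes() is the server declining to release attributes, not a client-side problem. The response bodies are constructed for this example and only approximate the real CAS output; the IDs, timestamps, group DNs and audience URL are made up, and the `Name` attribute reflects the cn-to-Name mapping in the posted resultAttributeMapping.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}

# Constructed /cas/samlValidate response in the shape CAS 3.x returns to the
# client; IDs, times, group DNs and the audience are made up for this example.
_HEAD = """\
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
    ResponseID="_r1" IssueInstant="2011-02-22T22:26:07.047Z" Recipient="http://192.168.101.156:8080/">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion AssertionID="_a1" Issuer="devcas1.emmisolutions.com" MajorVersion="1"
      MinorVersion="1" IssueInstant="2011-02-22T22:26:07.047Z">
    <saml:Conditions NotBefore="2011-02-22T22:26:07.047Z" NotOnOrAfter="2011-02-22T22:27:07.047Z">
      <saml:AudienceRestrictionCondition><saml:Audience>http://192.168.101.156:8080/</saml:Audience></saml:AudienceRestrictionCondition>
    </saml:Conditions>
    <saml:AuthenticationStatement AuthenticationInstant="2011-02-22T22:26:07.040Z"
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
      <saml:Subject><saml:NameIdentifier>LGRIFFEL</saml:NameIdentifier></saml:Subject>
    </saml:AuthenticationStatement>
"""
_ATTRIBUTES = """\
    <saml:AttributeStatement>
      <saml:Subject><saml:NameIdentifier>LGRIFFEL</saml:NameIdentifier></saml:Subject>
      <saml:Attribute AttributeName="memberOf" AttributeNamespace="http://www.ja-sig.org/products/cas/">
        <saml:AttributeValue>CN=Developers,CN=Users,DC=EmmiSolutions,DC=local</saml:AttributeValue>
        <saml:AttributeValue>CN=Staff,CN=Users,DC=EmmiSolutions,DC=local</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute AttributeName="Name" AttributeNamespace="http://www.ja-sig.org/products/cas/">
        <saml:AttributeValue>Laura Griffel</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
"""
_TAIL = "  </saml:Assertion>\n</samlp:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>\n"

RESPONSE_WITH_ATTRIBUTES = _HEAD + _ATTRIBUTES + _TAIL
# A response with no AttributeStatement is what an empty getAttributes() looks like on the wire.
RESPONSE_WITHOUT_ATTRIBUTES = _HEAD + _TAIL


def parse_saml_time(value):
    """SAML 1.1 timestamps are UTC ISO 8601 with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


NOW = parse_saml_time("2011-02-22T22:26:10.000Z")      # inside the Conditions window
DRIFTED = parse_saml_time("2011-02-22T22:27:09.000Z")  # 2 s past NotOnOrAfter: only the tolerance saves it
LATE = parse_saml_time("2011-02-22T22:28:00.000Z")     # well past NotOnOrAfter


def parse_validate_response(xml_text, now, tolerance_ms=5000):
    """Return (subject, {attribute name: [values]}) or raise ValueError, doing
    what the client filter does: check status, check the Conditions window
    within the configured tolerance, then read whatever attributes were sent."""
    root = ET.fromstring(xml_text)
    code = root.find(".//samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value", "").split(":")[-1] != "Success":
        raise ValueError("validation failed: %s" % (code.get("Value") if code is not None else "no status"))
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no assertion in response")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        tol = timedelta(milliseconds=tolerance_ms)
        not_before = parse_saml_time(conditions.get("NotBefore"))
        not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))
        if now < not_before - tol or now >= not_on_or_after + tol:
            raise ValueError("assertion outside its validity window (clock drift?)")
    name = assertion.find(".//saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS).text
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("AttributeName")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return name, attributes


def validate_or_error(xml_text, now, tolerance_ms=5000):
    """Convenience wrapper: (result, None) on success, (None, message) on failure."""
    try:
        return parse_validate_response(xml_text, now, tolerance_ms), None
    except ValueError as exc:
        return None, str(exc)


def is_member(attributes, group_dn):
    """Group check on the released memberOf values, case-insensitive like an AD DN compare."""
    return group_dn.lower() in (g.lower() for g in attributes.get("memberOf", []))


if __name__ == "__main__":
    for label, body in (("with AttributeStatement", RESPONSE_WITH_ATTRIBUTES),
                        ("without AttributeStatement", RESPONSE_WITHOUT_ATTRIBUTES)):
        print(label, validate_or_error(body, NOW))
```

The DRIFTED timestamp shows why the web.xml comment warns against raising `tolerance`: an assertion two seconds past NotOnOrAfter is accepted at 5000 ms and rejected at 0 ms, so every second of tolerance is a second longer a captured assertion stays replayable.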
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user