Hello and thank you Marvin,

We have applied the patched version to our test server and it seems the 
attributes are mapped correctly.

What are we doing wrong, so that the attributes are not passed on the Principal 
when querying with clients (phpcas, or the java client using mywebapp from the 
CAS wiki)?


Here is our log output from CAS (full log below):
------------------------
[org.jasig.cas.authentication.AuthenticationManagerImpl] - Resolved principal 
hlepesant
2011-03-17 14:31:47,120 DEBUG 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - Attribute map for 
hlepesant: {sn=Lepesant, uid=hlepesant, [email protected], 
givenName=Hugues}
------------------------

LDAP replies with data:
-----------------
Mar 17 14:22:13 vp-cas02-mdcbuild slapd[6105]: conn=178 op=2 SRCH 
base="ou=Holdings,cn=VeeGAS,dc=veepee,dc=com" scope=2 deref=3 
filter="(&(objectClass=top)(objectClass=inetOrgPerson)(objectClass=posixAccount)(objectClass=veeGasUser)(uid=hlepesant))"
Mar 17 14:22:13 vp-cas02-mdcbuild slapd[6105]: conn=178 op=2 SRCH attr=sn 
givenName uid mail navisionErpId
Mar 17 14:22:13 vp-cas02-mdcbuild slapd[6105]: conn=178 op=2 SEARCH RESULT 
tag=101 err=0 nentries=1 text=
-----------------


Detailed log from phpcas:
-------------------
D992 .START phpCAS-1.2.0 ****************** [CAS.php:471]
D992 .=> phpCAS::client('S1', 'auth.veepee.net', 443, '/cas') [index.php:30]
D992 .|    => CASClient::CASClient('S1', false, 'auth.veepee.net', 443, '/cas', 
true) [CAS.php:374]
D992 .|    |    Starting a new session [client.php:680]
D992 .|    |    SA 'ST-2-NjcgwX05s26aipbDeGdr-casd' found [client.php:776]
D992 .|    <= ''
D992 .<= ''
D992 .=> phpCAS::setNoCasServerValidation() [index.php:39]
D992 .<= ''
D992 .=> CASClient::handleLogoutRequests(true, array (  0 => 
'auth.veepee.net',)) [CAS.php:1161]
D992 .|    Not a logout request [client.php:1292]
D992 .<= ''
D992 .=> phpCAS::forceAuthentication() [index.php:48]
D992 .|    => CASClient::forceAuthentication() [CAS.php:950]
D992 .|    |    => CASClient::isAuthenticated() [client.php:952]
D992 .|    |    |    => CASClient::wasPreviouslyAuthenticated() 
[client.php:1047]
D992 .|    |    |    |    no user found [client.php:1216]
D992 .|    |    |    <= false
D992 .|    |    |    SA `ST-2-NjcgwX05s26aipbDeGdr-casd' is present 
[client.php:1099]
D992 .|    |    |    => CASClient::validateSA('', NULL, NULL) [client.php:1100]
D992 .|    |    |    |    => CASClient::getServerSamlValidateURL() 
[client.php:1744]
D992 .|    |    |    |    |    => CASClient::getURL() [client.php:530]
D992 .|    |    |    |    |    |    Final URI: http://phpcas.veepee.net/ 
[client.php:2805]
D992 .|    |    |    |    |    <= 'http://phpcas.veepee.net/'
D992 .|    |    |    |    <= 
'https://auth.veepee.net/cas/samlValidate?TARGET=http%3A%2F%2Fphpcas.veepee.net%2F'
D992 .|    |    |    |    => CASClient::getURL() [client.php:531]
D992 .|    |    |    |    <= 'http://phpcas.veepee.net/'
D992 .|    |    |    |    => CASClient::buildSAMLPayload() [client.php:2347]
D992 .|    |    |    |    <= '<SOAP-ENV:Envelope 
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><samlp:Request
 xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"  MajorVersion="1" 
MinorVersion="1" RequestID="_192.168.16.51.1024506224022" 
IssueInstant="2002-06-19T17:03:44.022Z"><samlp:AssertionArtifact>ST-2-NjcgwX05s26aipbDeGdr-casd</samlp:AssertionArtifact></samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>'
D992 .|    |    |    |    => CAS_CurlRequest::_sendRequest() 
[AbstractRequest.php:188]
D992 .|    |    |    |    |    Response Body: 
<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope 
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><Response
 xmlns="urn:oasis:names:tc:SAML:1.0:protocol" 
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" 
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" 
xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
IssueInstant="2011-03-17T13:31:47.192Z" MajorVersion="1" MinorVersion="1" 
Recipient="http://phpcas.veepee.net/" 
ResponseID="_423630610fe42f551bb2c1718efd49f1"><Status><StatusCode 
Value="samlp:Success"></StatusCode></Status><Assertion 
xmlns="urn:oasis:names:tc:SAML:1.0:assertion" 
AssertionID="_59ad9b2b05c3ed3b18e8f8ad728856b5" 
IssueInstant="2011-03-17T13:31:47.192Z" Issuer="localhost" MajorVersion="1" 
MinorVersion="1"><Conditions NotBefore="2011-03-17T13:31:47.192Z" 
NotOnOrAfter="2011-03-17T13:32:17.192Z"><AudienceRestrictionCondition><Audience>http://phpcas.veepee.net/</Audience></AudienceRestrictionCondition></Conditions><AuthenticationStatement
 AuthenticationInstant="2011-03-17T13:31:47.120Z" 
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><Subject><NameIdentifier>hlepesant</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement></Assertion></Response></SOAP-ENV:Body></SOAP-ENV:Envelope>
 [CurlRequest.php:129]
D992 .|    |    |    |    <= true
D992 .|    |    |    |    server version: S1 [client.php:1752]
D992 .|    |    |    |    NameIdentifier found [client.php:1792]
D992 .|    |    |    |    user = `hlepesant` [client.php:1794]
D992 .|    |    |    |    => CASClient::setSessionAttributes('<?xml 
version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope 
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><Response
 xmlns="urn:oasis:names:tc:SAML:1.0:protocol" 
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" 
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" 
xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
IssueInstant="2011-03-17T13:31:47.192Z" MajorVersion="1" MinorVersion="1" 
Recipient="http://phpcas.veepee.net/" 
ResponseID="_423630610fe42f551bb2c1718efd49f1"><Status><StatusCode 
Value="samlp:Success"></StatusCode></Status><Assertion 
xmlns="urn:oasis:names:tc:SAML:1.0:assertion" 
AssertionID="_59ad9b2b05c3ed3b18e8f8ad728856b5" 
IssueInstant="2011-03-17T13:31:47.192Z" Issuer="localhost" MajorVersion="1" 
MinorVersion="1"><Conditions NotBefore="2011-03-17T13:31:47.192Z" NotOnOrAfter="2011-03-17T13:32:17.192Z"><AudienceRestrictionCondition><Audience>http://phpcas.veepee.net/</Audience></AudienceRestrictionCondition></Conditions><AuthenticationStatement
 AuthenticationInstant="2011-03-17T13:31:47.120Z" 
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><Subject><NameIdentifier>hlepesant</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement></Assertion></Response></SOAP-ENV:Body></SOAP-ENV:Envelope>')
 [client.php:1796]
D992 .|    |    |    |    <= true
D992 .|    |    |    |    => 
CASClient::renameSession('ST-2-NjcgwX05s26aipbDeGdr-casd') [client.php:1807]
D992 .|    |    |    |    |    Session ID: ST2NjcgwX05s26aipbDeGdrcasd 
[client.php:826]
D992 .|    |    |    |    |    Restoring old session vars [client.php:829]
D992 .|    |    |    |    <= ''
D992 .|    |    |    <= true
D992 .|    |    |    SA `ST-2-NjcgwX05s26aipbDeGdr-casd' was validated 
[client.php:1101]
D992 .|    |    |    => CASClient::getURL() [client.php:1123]
D992 .|    |    |    <= 'http://phpcas.veepee.net/'
D992 .|    |    |    => CASClient::getURL() [client.php:1124]
D992 .|    |    |    <= 'http://phpcas.veepee.net/'
D992 .|    |    |    Prepare redirect to : http://phpcas.veepee.net/ 
[client.php:1124]
D992 .|    |    |    exit()
D992 .|    |    |    -
D992 .|    |    -
D992
----------------


Deployer (deployerConfigContext.xml):

-----------------
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <bean id="authenticationManager"
        class="org.jasig.cas.authentication.AuthenticationManagerImpl">
    <property name="credentialsToPrincipalResolvers">
      <list>
        <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
          <property name="attributeRepository">
            <ref bean="attributeRepository" />
          </property>
        </bean>
        <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
      </list>
    </property>
    <property name="authenticationHandlers">
      <list>
        <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
          <!-- a literal & inside an XML attribute value must be written as &amp; -->
          <property name="filter"
                    value="(&amp;(objectClass=top)(objectClass=inetOrgPerson)(objectClass=posixAccount)(objectClass=veeGasUser)(uid=%u))" />
          <property name="searchBase" value="ou=Holdings,cn=VeeGAS,dc=veepee,dc=com" />
          <property name="maxNumberResults" value="1" />
          <property name="contextSource" ref="contextSource" />
        </bean>
      </list>
    </property>
  </bean>

  <sec:user-service id="userDetailsService">
    <sec:user name="battags" password="notused" authorities="ROLE_ADMIN" />
    <sec:user name="hlepesant" password="notused" authorities="ROLE_ADMIN" />
  </sec:user-service>

  <bean id="attributeRepository"
        class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="contextSource" ref="contextSource" />
    <property name="baseDN" value="ou=Holdings,cn=VeeGAS,dc=veepee,dc=com" />
    <property name="queryTemplate"
              value="(&amp;(objectClass=top)(objectClass=inetOrgPerson)(objectClass=posixAccount)(objectClass=veeGasUser){0})" />
    <property name="requireAllQueryAttributes" value="false" />
    <property name="queryAttributeMapping">
      <map>
        <entry key="username" value="uid" />
        <entry key="sn" value="sn" />
        <entry key="givenName" value="givenName" />
        <entry key="navisionErpId" value="navisionErpId" />
        <entry key="mail" value="mail" />
      </map>
    </property>
    <property name="resultAttributeMapping">
      <map>
        <entry key="sn" value="sn" />
        <entry key="givenName" value="givenName" />
        <entry key="uid" value="uid" />
        <entry key="mail" value="mail" />
        <entry key="navisionErpId" value="navisionErpId" />
      </map>
    </property>
  </bean>

  <bean id="contextSource"
        class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="pooled" value="true" />
    <property name="urls">
      <list>
        <value>ldap://ldap.veepee.net:389/</value>
      </list>
    </property>
    <property name="userDn" value="cn=admin,dc=veepee,dc=com" />
    <property name="anonymousReadOnly" value="false" />
    <property name="password" value="secret" />
    <property name="baseEnvironmentProperties">
      <map>
        <entry>
          <key>
            <value>java.naming.security.authentication</value>
          </key>
          <value>simple</value>
        </entry>
      </map>
    </property>
  </bean>

  <bean id="serviceRegistryDao"
        class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
    <property name="registeredServices">
      <list>
        <bean class="org.jasig.cas.services.RegisteredServiceImpl">
          <property name="id" value="0" />
          <property name="name" value="all" />
          <property name="description" value="Allows All" />
          <property name="serviceId" value="*://**" />
          <property name="allowedToProxy" value="true" />
          <property name="ssoEnabled" value="true" />
          <property name="allowedAttributes"
                    value="sn,givenName,uid,navisionErpId,mail" />
        </bean>
      </list>
    </property>
  </bean>

  <bean id="auditTrailManager"
        class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
</beans>
-----------------
Antoine Coetsier


-----Original Message-----
From: Marvin Addison [mailto:[email protected]] 
Sent: Thursday, 24 February 2011 20:47
To: [email protected]
Subject: Re: [cas-user] Attribute Mapping fails

See https://issues.jasig.org/browse/CAS-954.  Please grab source from
https://source.jasig.org/cas3/branches/cas-3_4_x_maintenance/cas-server-3.4.2/,
which contains additional logging.  Please try that and see if it
confirms whether or not the principal contains the expected
attributes.

M

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user


Attachment: cas-debug.log
Description: Binary data

Attachment: openldap.log
Description: Binary data

Attachment: phpcas.log
Description: Binary data
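The samlValidate response captured in the phpCAS log above carries an AuthenticationStatement but no AttributeStatement, which is where a SAML 1.1 response transports attributes; that is why the client ends up with a user but no attributes even though the CAS log shows the attribute map populated. The following is an added example, not code from this thread, from CAS or from phpCAS: a standard-library Python check that parses such a response and reports which of the attributes named in the posted service's allowedAttributes are absent. Both response samples are constructed: the first is a trimmed copy of the logged response (identifiers shortened), the second adds the AttributeStatement shape CAS emits when it releases attributes (the AttributeNamespace URI is the one CAS uses; the mail value is a placeholder, and navisionErpId is left out to mirror the attribute map in the CAS log, which lacks it as well).

```python
import xml.etree.ElementTree as ET

# Namespaces used by a CAS /samlValidate (SAML 1.1 over SOAP) response.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}

# Attributes the service is allowed to receive, taken from the allowedAttributes
# property of the RegisteredServiceImpl in the posted deployer config.
EXPECTED_ATTRIBUTES = ("sn", "givenName", "uid", "navisionErpId", "mail")

# Constructed sample 1: a trimmed copy of the response in the phpCAS log
# (identifiers shortened). It carries an AuthenticationStatement only.
RESPONSE_WITHOUT_ATTRIBUTES = """<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body>
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    IssueInstant="2011-03-17T13:31:47.192Z" MajorVersion="1" MinorVersion="1"
    Recipient="http://phpcas.veepee.net/" ResponseID="_constructed-response-1">
  <Status><StatusCode Value="samlp:Success"/></Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_constructed-assertion-1"
      IssueInstant="2011-03-17T13:31:47.192Z" Issuer="localhost" MajorVersion="1" MinorVersion="1">
    <Conditions NotBefore="2011-03-17T13:31:47.192Z" NotOnOrAfter="2011-03-17T13:32:17.192Z">
      <AudienceRestrictionCondition><Audience>http://phpcas.veepee.net/</Audience></AudienceRestrictionCondition>
    </Conditions>
    <AuthenticationStatement AuthenticationInstant="2011-03-17T13:31:47.120Z"
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
      <Subject><NameIdentifier>hlepesant</NameIdentifier></Subject>
    </AuthenticationStatement>
  </Assertion>
</Response>
</SOAP-ENV:Body></SOAP-ENV:Envelope>"""

# Constructed sample 2: the same response with the AttributeStatement CAS adds
# when attributes are released. navisionErpId is deliberately absent, as in the
# CAS attribute map logged above; the mail value is a placeholder.
RESPONSE_WITH_ATTRIBUTES = RESPONSE_WITHOUT_ATTRIBUTES.replace(
    "</AuthenticationStatement>",
    """</AuthenticationStatement>
    <AttributeStatement>
      <Subject><NameIdentifier>hlepesant</NameIdentifier></Subject>
      <Attribute AttributeName="sn" AttributeNamespace="http://www.ja-sig.org/products/cas/"><AttributeValue>Lepesant</AttributeValue></Attribute>
      <Attribute AttributeName="givenName" AttributeNamespace="http://www.ja-sig.org/products/cas/"><AttributeValue>Hugues</AttributeValue></Attribute>
      <Attribute AttributeName="uid" AttributeNamespace="http://www.ja-sig.org/products/cas/"><AttributeValue>hlepesant</AttributeValue></Attribute>
      <Attribute AttributeName="mail" AttributeNamespace="http://www.ja-sig.org/products/cas/"><AttributeValue>hlepesant@example.invalid</AttributeValue></Attribute>
    </AttributeStatement>""")


def parse_saml_validate(xml_text):
    """Return status code, authenticated user and released attributes of a samlValidate response."""
    root = ET.fromstring(xml_text)
    # The default namespace switches from protocol (Response) to assertion
    # (Assertion), so every path below is namespace-qualified.
    response = root.find("soap:Body/samlp:Response", NS)
    if response is None:
        raise ValueError("no samlp:Response in SOAP body")
    status = response.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    assertion = response.find("saml:Assertion", NS)
    user = None
    attributes = {}
    if assertion is not None:
        user = assertion.findtext(
            "saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", namespaces=NS)
        # Attributes live only in AttributeStatement; a response without one
        # yields an empty dict, which is exactly the logged situation.
        for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
            values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
            attributes[attr.get("AttributeName")] = values
    return {"status": status, "user": user, "attributes": attributes}


def missing_attributes(parsed, expected=EXPECTED_ATTRIBUTES):
    """Expected attribute names absent from the parsed response, in config order."""
    return [name for name in expected if name not in parsed["attributes"]]


if __name__ == "__main__":
    for label, xml_text in (("logged response", RESPONSE_WITHOUT_ATTRIBUTES),
                            ("with attributes", RESPONSE_WITH_ATTRIBUTES)):
        parsed = parse_saml_validate(xml_text)
        print(label, "->", parsed["status"], parsed["user"], parsed["attributes"])
        print("  missing:", missing_attributes(parsed))
```

Run against the logged response, the check reports all five expected attributes missing and an empty attribute dict, which points at the server side (attribute release for the service) rather than at the client's parsing; run against the second sample it reports only navisionErpId, the attribute LDAP did not return.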
