I believe the problem is here:

                   <bean class="org.jasig.cas.services.RegisteredServiceImpl">
                       <property name="id" value="0" />
                       <property name="name" value="HTTP" />
                       <property name="description" value="Only Allows HTTP Urls" />
                       <property name="serviceId" value="http://**" />
                       <property name="allowedAttributes" value="uid,cn,isMemberOf" />
                   </bean>

You need to either remove the allowedAttributes attribute, or list all
attributes by the name you've given them in the principal,
"username,Name,isMemberOf".  All RegisteredServiceImpl entries should
be configured similarly.

M

On Thu, Mar 17, 2011 at 1:26 PM, Cyril GUILLERMINET
<[email protected]> wrote:
> Hi,
>
> I am running CAS 3.4.6 with OpenDS and user authentication is working as 
> expected.
>
> However, I am not able to get LDAP attributes, could you please help me to 
> find what I am doing wrong. Here is my configuration:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <beans xmlns="http://www.springframework.org/schema/beans"
>       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>       xmlns:p="http://www.springframework.org/schema/p"
>       xmlns:sec="http://www.springframework.org/schema/security"
>       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
>       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
>        <bean id="authenticationManager"
>                class="org.jasig.cas.authentication.AuthenticationManagerImpl">
>                <property name="credentialsToPrincipalResolvers">
>                        <list>
>                             <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
>                                   <property name="credentialsToPrincipalResolver">
>                                        <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>                                    </property>
>                                    <property name="filter" value="(uid=%u)" />
>                                    <property name="principalAttributeName" value="uid" />
>                                    <property name="searchBase" value="ou=people,dc=tinesys,dc=fr" />
>                                    <property name="contextSource" ref="contextSource" />
>                                    <property name="attributeRepository">
>                                        <ref bean="attributeRepository" />
>                                    </property>
>                                </bean>
>                                <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
>                        </list>
>                </property>
>                <property name="authenticationHandlers">
>                        <list>
>                                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
>                                        p:httpClient-ref="httpClient" />
>                                <!--
>                                <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
>                                        +-->
>                                <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
>                                    <property name="filter" value="uid=%u" />
>                                    <property name="searchBase" value="ou=people,dc=tinesys,dc=fr" />
>                                    <property name="contextSource" ref="contextSource" />
>                                </bean>
>                        </list>
>                </property>
>        </bean>
>
>        <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
>            <property name="pooled" value="false"/>
>            <property name="urls">
>                <list>
>                    <value>ldaps://myhost:1636/</value>
>                </list>
>            </property>
>            <property name="userDn" value="cn=Directory Manager"/> <!-- eg uid=LdapUser,dc=yourdomain,dc=edu -->
>            <property name="password" value="my secret password"/>
>            <property name="baseEnvironmentProperties">
>                <map>
>                    <entry>
>                        <key>
>                            <value>java.naming.security.authentication</value>
>                        </key>
>                        <value>simple</value>
>                    </entry>
>                    <entry>
>                        <key>
>                            <value>com.sun.jndi.ldap.connect.timeout</value>
>                        </key>
>                        <value>2000</value>
>                    </entry>
>                    <entry>
>                        <key>
>                            <value>com.sun.jndi.ldap.read.timeout</value>
>                        </key>
>                        <value>2000</value>
>                    </entry>
>                </map>
>            </property>
>        </bean>
>    <!-- <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" />-->
>
>    <sec:user-service id="userDetailsService">
>        <sec:user name="battags" password="notused" authorities="ROLE_ADMIN" />
>    </sec:user-service>
>    <bean id="attributeRepository"
>        class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
>        <property name="contextSource" ref="contextSource" />
>        <property name="baseDN" value="ou=people,dc=tinesys,dc=fr" />
>        <property name="requireAllQueryAttributes" value="true" />
>        <!--
>            Attribute mapping between principal (key) and LDAP (value) names
>            used to perform the LDAP search.  By default, multiple search criteria
>            are ANDed together.  Set the queryType property to change to OR.
>            -->
>        <property name="queryAttributeMapping">
>            <map>
>                <entry key="username" value="uid" />
>            </map>
>        </property>
>        <property name="resultAttributeMapping">
>            <map>
>                <!-- Mapping between LDAP entry attributes (key) and Principal's (value) -->
>                <entry key="cn" value="Name"/>
>                <entry key="uid" value="username"/>
>                <entry value="isMemberOf" key="isMemberOf" />
>            </map>
>        </property>
>    </bean>
>
>        <bean
>                id="serviceRegistryDao"
>        class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
>            <property name="registeredServices">
>                <list>
>                    <bean class="org.jasig.cas.services.RegisteredServiceImpl">
>                        <property name="id" value="0" />
>                        <property name="name" value="HTTP" />
>                        <property name="description" value="Only Allows HTTP Urls" />
>                        <property name="serviceId" value="http://**" />
>                        <property name="allowedAttributes" value="uid,cn,isMemberOf" />
>                    </bean>
>
>                    <bean class="org.jasig.cas.services.RegisteredServiceImpl">
>                        <property name="id" value="1" />
>                        <property name="name" value="HTTPS" />
>                        <property name="description" value="Only Allows HTTPS Urls" />
>                        <property name="serviceId" value="https://**" />
>                    </bean>
>
>                    <bean class="org.jasig.cas.services.RegisteredServiceImpl">
>                        <property name="id" value="2" />
>                        <property name="name" value="IMAPS" />
>                        <property name="description" value="Only Allows HTTPS Urls" />
>                        <property name="serviceId" value="imaps://**" />
>                    </bean>
>
>                    <bean class="org.jasig.cas.services.RegisteredServiceImpl">
>                        <property name="id" value="3" />
>                        <property name="name" value="IMAP" />
>                        <property name="description" value="Only Allows IMAP Urls" />
>                        <property name="serviceId" value="imap://**" />
>                    </bean>
>                </list>
>            </property>
>        </bean>
>
>    <bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
> </beans>
>
> Here are some logs:
> 2011-03-17 12:54:04,949 INFO 
> [org.jasig.cas.authentication.AuthenticationManagerImpl] - 
> AuthenticationHandler: 
> org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully 
> authenticated the user which provided the following credentials: [username: 
> someone]
> 2011-03-17 12:54:04,949 DEBUG 
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>  - Attempting to resolve a principal...
> 2011-03-17 12:54:04,949 DEBUG 
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>  - Attempting to resolve a principal...
> 2011-03-17 12:54:04,949 DEBUG 
> [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
>  - Attempting to resolve a principal...
> 2011-03-17 12:54:04,949 DEBUG 
> [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
>  - Attempting to resolve a principal...
> 2011-03-17 12:54:04,949 DEBUG 
> [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
>  - Creating SimplePrincipal for [someone]
> 2011-03-17 12:54:04,949 DEBUG 
> [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
>  - Creating SimplePrincipal for [someone]
> 2011-03-17 12:54:04,951 DEBUG 
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>  - Resolved someone. Trying LDAP resolve now...
> 2011-03-17 12:54:04,951 DEBUG 
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>  - Resolved someone. Trying LDAP resolve now...
> 2011-03-17 12:54:04,951 DEBUG 
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>  - LDAP search with filter "(uid=someone)"
> 2011-03-17 12:54:04,951 DEBUG 
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>  - LDAP search with filter "(uid=someone)"
> 2011-03-17 12:54:04,951 DEBUG 
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>  - returning searchcontrols: scope=2; search base=ou=people,dc=xxxxx,dc=xxxx; 
> attributes=[uid]; timeout=1000
> 2011-03-17 12:54:04,951 DEBUG 
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>  - returning searchcontrols: scope=2; search base=ou=people,dc=xxxxx,dc=xxxx; 
> attributes=[uid]; timeout=1000
> 2011-03-17 12:54:04,997 DEBUG 
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>  - Resolved someone to someone
> 2011-03-17 12:54:04,997 DEBUG 
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>  - Resolved someone to someone
> 2011-03-17 12:54:04,997 DEBUG 
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>  - Creating SimplePrincipal for [someone]
> 2011-03-17 12:54:04,997 DEBUG 
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>  - Creating SimplePrincipal for [someone]
> 2011-03-17 12:54:04,998 DEBUG 
> [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - Created 
> seed map='{username=[someone]}' for uid='someone'
> 2011-03-17 12:54:04,998 DEBUG 
> [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - Created 
> seed map='{username=[someone]}' for uid='someone'
> 2011-03-17 12:54:04,998 DEBUG 
> [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - Adding 
> attribute 'uid' with value '[someone]' to query builder 'null'
> 2011-03-17 12:54:04,998 DEBUG 
> [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - Adding 
> attribute 'uid' with value '[someone]' to query builder 'null'
> 2011-03-17 12:54:05,001 DEBUG 
> [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - 
> Generated query builder '(uid=cguillerminet)' from query Map 
> {username=[cguillerminet]}.
> 2011-03-17 12:54:05,001 DEBUG 
> [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - 
> Generated query builder '(uid=cguillerminet)' from query Map 
> {username=[cguillerminet]}.
> 2011-03-17 12:54:05,064 INFO 
> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit 
> trail record BEGIN
> =============================================================
> WHO: [username: someone]
> WHAT: supplied credentials: [username: someone]
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Thu Mar 17 12:54:05 EDT 2011
> CLIENT IP ADDRESS: xxx.xx.xx.xx
> SERVER IP ADDRESS: xxx.xx.xx.xx
> =============================================================
>
>
> 2011-03-17 12:54:05,070 INFO 
> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit 
> trail record BEGIN
> =============================================================
> WHO: [username: someone]
> WHAT: TGT-1-gxBJlnF2jeUWpnwel20dUcq0DBOMJ51cRlxKGBRgRctlM4k5gE-cas
> ACTION: TICKET_GRANTING_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Thu Mar 17 12:54:05 EDT 2011
> CLIENT IP ADDRESS: xxx.xx.xx.xx
> SERVER IP ADDRESS: xxx.xx.xx.xx
> =============================================================
>
>
> 2011-03-17 12:54:05,071 INFO 
> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit 
> trail record BEGIN
> =============================================================
> WHO: audit:unknown
> WHAT: TGT-1-WdrIcWoeCRAOXdievaMQze0ItGXgdUY9te0DobCFhcV2dfN7Bs-cas
> ACTION: TICKET_GRANTING_TICKET_DESTROYED
> APPLICATION: CAS
> WHEN: Thu Mar 17 12:54:05 EDT 2011
> CLIENT IP ADDRESS: xxx.xx.xx.xx
> SERVER IP ADDRESS: xxx.xx.xx.xx
> =============================================================
>
>
> 2011-03-17 12:54:05,073 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] 
> - Granted service ticket [ST-1-7sFZLYHxwnNne1wzshAj-cas] for service 
> [http://172.22.95.75/] for user [cguillerminet]
> 2011-03-17 12:54:05,074 INFO 
> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit 
> trail record BEGIN
> =============================================================
> WHO: someone
> WHAT: ST-1-7sFZLYHxwnNne1wzshAj-cas for http://xxx.xx.xx.xx/
> ACTION: SERVICE_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Thu Mar 17 12:54:05 EDT 2011
> CLIENT IP ADDRESS: xxx.xx.xx.xx
> SERVER IP ADDRESS: xxx.xx.xx.xx
> =============================================================
>
>
> 2011-03-17 12:54:05,125 DEBUG 
> [org.jasig.cas.authentication.principal.SamlService] - Attempted to extract 
> Request from HttpServletRequest.  Results:
> 2011-03-17 12:54:05,125 DEBUG 
> [org.jasig.cas.authentication.principal.SamlService] - Attempted to extract 
> Request from HttpServletRequest.  Results:
> 2011-03-17 12:54:05,125 DEBUG 
> [org.jasig.cas.authentication.principal.SamlService] - Request Body: 
> <SOAP-ENV:Envelope 
> xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><samlp:Request
>  xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"  MajorVersion="1" 
> MinorVersion="1" RequestID="_192.168.16.51.1024506224022" 
> IssueInstant="2002-06-19T17:03:44.022Z"><samlp:AssertionArtifact>ST-1-7sFZLYHxwnNne1wzshAj-cas</samlp:AssertionArtifact></samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>
> 2011-03-17 12:54:05,125 DEBUG 
> [org.jasig.cas.authentication.principal.SamlService] - Request Body: 
> <SOAP-ENV:Envelope 
> xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><samlp:Request
>  xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"  MajorVersion="1" 
> MinorVersion="1" RequestID="_192.168.16.51.1024506224022" 
> IssueInstant="2002-06-19T17:03:44.022Z"><samlp:AssertionArtifact>ST-1-7sFZLYHxwnNne1wzshAj-cas</samlp:AssertionArtifact></samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>
> 2011-03-17 12:54:05,125 DEBUG 
> [org.jasig.cas.authentication.principal.SamlService] - Extracted ArtifactId: 
> ST-1-7sFZLYHxwnNne1wzshAj-cas
> 2011-03-17 12:54:05,125 DEBUG 
> [org.jasig.cas.authentication.principal.SamlService] - Extracted ArtifactId: 
> ST-1-7sFZLYHxwnNne1wzshAj-cas
> 2011-03-17 12:54:05,125 DEBUG 
> [org.jasig.cas.authentication.principal.SamlService] - Extracted Request Id: 
> _192.168.16.51.1024506224022
> 2011-03-17 12:54:05,125 DEBUG 
> [org.jasig.cas.authentication.principal.SamlService] - Extracted Request Id: 
> _192.168.16.51.1024506224022
> 2011-03-17 12:54:05,129 INFO 
> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit 
> trail record BEGIN
> =============================================================
> WHO: audit:unknown
> WHAT: ST-1-7sFZLYHxwnNne1wzshAj-cas
> ACTION: SERVICE_TICKET_VALIDATED
> APPLICATION: CAS
> WHEN: Thu Mar 17 12:54:05 EDT 2011
> CLIENT IP ADDRESS: xxx.xx.xx.xx
> SERVER IP ADDRESS: xx.xx.xx.xx
> =============================================================
>
> Regards.
>
> --
> You are currently subscribed to [email protected] as: 
> [email protected]
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
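As an added check that is not part of the thread, this Python script reads a deployerConfigContext.xml of the shape quoted above and reports, for each RegisteredServiceImpl, the allowedAttributes names the resolved principal will never carry, i.e. LDAP attribute names used where the resultAttributeMapping values (the principal-side names) are required. The embedded configuration is a constructed sample modeled on the quoted one: the "HTTP" service repeats the mismatch, the "HTTPS" service lists the principal-side names.

```python
# Added check (not from the thread): report allowedAttributes names on each
# RegisteredServiceImpl that the principal never carries (LDAP names used where
# the resultAttributeMapping *values*, the principal names, are required).
import xml.etree.ElementTree as ET

NS = {"b": "http://www.springframework.org/schema/beans"}
DAO = "org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao"
SERVICE = "org.jasig.cas.services.RegisteredServiceImpl"

# Constructed sample modeled on the quoted deployerConfigContext.xml:
# "HTTP" repeats the misconfiguration, "HTTPS" lists the principal-side names.
SAMPLE_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="attributeRepository" class="%s">
    <property name="resultAttributeMapping">
      <map>
        <entry key="cn" value="Name"/>
        <entry key="uid" value="username"/>
        <entry key="isMemberOf" value="isMemberOf"/>
      </map>
    </property>
  </bean>
  <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
    <property name="registeredServices">
      <list>
        <bean class="%s">
          <property name="name" value="HTTP"/>
          <property name="allowedAttributes" value="uid,cn,isMemberOf"/>
        </bean>
        <bean class="%s">
          <property name="name" value="HTTPS"/>
          <property name="allowedAttributes" value="username,Name,isMemberOf"/>
        </bean>
      </list>
    </property>
  </bean>
</beans>""" % (DAO, SERVICE, SERVICE)

def prop(bean, name):
    """Value of <property name="..." value="..."/> on a bean, or None."""
    p = bean.find("b:property[@name='%s']" % name, NS)
    return None if p is None else p.get("value")

def principal_attribute_names(root):
    """Names the resolved principal carries: the resultAttributeMapping values."""
    path = ".//b:bean[@class='%s']/b:property[@name='resultAttributeMapping']/b:map/b:entry" % DAO
    return {e.get("value") for e in root.iterfind(path, NS)}

def lint_allowed_attributes(xml_text):
    """Per service name: sorted allowedAttributes entries the principal never carries."""
    root = ET.fromstring(xml_text)
    known = principal_attribute_names(root)
    report = {}
    for svc in root.iterfind(".//b:bean[@class='%s']" % SERVICE, NS):
        allowed = [a.strip() for a in (prop(svc, "allowedAttributes") or "").split(",")]
        report[prop(svc, "name")] = sorted(a for a in allowed if a and a not in known)
    return report
```

Running `lint_allowed_attributes(SAMPLE_CONFIG)` flags `cn` and `uid` on the HTTP service and nothing on HTTPS; point it at a real deployerConfigContext.xml to catch the same mismatch before users report missing attributes.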