Joachim,

thanks a lot. Enabling the debug feature in the log4 has helped:

I had not thought that the order of the beans in the
<property name="credentialsToPrincipalResolvers">
is important. So the CredentialsToLDAPAttributePrincipalResolver was the
last one, but should be the first one.

Now it still does not work, but the debug output is more informative:

12:15:26,741 DEBUG [...FastBindLdapAuthenticationHandler] - Performing
LDAP bind with credential: uid=kevin,ou=students,dc=uni-hildesheim,dc=de
12:15:26,760 INFO [...AuthenticationManagerImpl] -
AuthenticationHandler: ...FastBindLdapAuthenticationHandler successfully
authenticated the user which provided the following credentials:
[username: kevin]
12:15:26,760 DEBUG [...CredentialsToLDAPAttributePrincipalResolver] -
Attempting to resolve a principal...
12:15:26,760 DEBUG [...UsernamePasswordCredentialsToPrincipalResolver] -
Attempting to resolve a principal...
12:15:26,760 DEBUG [...UsernamePasswordCredentialsToPrincipalResolver] -
Creating SimplePrincipal for [kevin]
12:15:26,761 DEBUG [...CredentialsToLDAPAttributePrincipalResolver] -
Resolved kevin. Trying LDAP resolve now...
12:15:26,761 DEBUG [...CredentialsToLDAPAttributePrincipalResolver] -
LDAP search with filter "(uid=kevin)"
12:15:26,761 DEBUG [...CredentialsToLDAPAttributePrincipalResolver] -
returning searchcontrols: scope=2; search
base=ou=students,dc=uni-hildesheim,dc=de; attributes=[uid]; timeout=1000
12:15:26,818 DEBUG [...CredentialsToLDAPAttributePrincipalResolver] -
LDAP search returned zero results.
12:15:26,818 INFO [...CredentialsToLDAPAttributePrincipalResolver] -
Initial principal "kevin" was not found in LDAP, returning null
12:15:26,819 INFO [...AuthenticationManagerImpl] - Resolved principal null
12:15:26,819 DEBUG [...UsernamePasswordCredentialsToPrincipalResolver] -
Attempting to resolve a principal...
12:15:26,819 DEBUG [...UsernamePasswordCredentialsToPrincipalResolver] -
Creating SimplePrincipal for [kevin]
12:15:26,819 INFO [...AuthenticationManagerImpl] - Resolved principal kevin
12:15:26,819 INFO [...AuthenticationManagerImpl] - Principal found: kevin
12:15:26,819 DEBUG [...AuthenticationManagerImpl] - Attribute map for
kevin: {}


The problem is clear:
The user "uid=kevin,ou=students,dc=uni-hildesheim,dc=de" is not allowed
to do a directory search. But it is not really needed:

Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://<ldap-host>/");  // placeholder host
env.put(Context.SECURITY_AUTHENTICATION, "simple");
// bind as the user's own DN, no separate privileged bind user
env.put(Context.SECURITY_PRINCIPAL,
"uid=kevin,ou=students,dc=uni-hildesheim,dc=de");
env.put(Context.SECURITY_CREDENTIALS, "...");
DirContext ctx = new InitialDirContext(env);
// read the known entry directly instead of searching for it
Attributes attrs =
ctx.getAttributes("uid=kevin,ou=students,dc=uni-hildesheim,dc=de");

A simple getAttributes() should get all the attributes, because the DN
is known. There is no need for a search.

Is this possible?
If yes, how?


Thanks,
Kevin



On 11.06.2011 07:20, Joachim Fritschi wrote:
> Kevin,
> 
> please check in the cas server logs that the attributes are actually
> read and added to the "Principal" (debug flag enabled in the log4
> config). Checking in the cas-client is a bit far from the "source" unless
> you are sure that your cas server actually does work correctly.
> 
> The snippet you posted seems ok and should normally get you the data you
> receive.
> 
> Regards,
> 
> Joachim
> 
> On 11.06.2011 01:35, Kevin Richter wrote:
>> Yeah, I do:
>>
>> require_once('CAS.php');
>> phpCAS::client(SAML_VERSION_1_1, 'cas.mywebsite.de', 443, '/cas');
>> phpCAS::setNoCasServerValidation();
>> phpCAS::setServerSamlValidateURL(
>> 'http://internalip:8080/cas/samlValidate' );
>> phpCAS::setDebug( 'casdebug.txt' );
>>
>>
>> Bye,
>> Kevin
>>
>>
>> On 10.06.2011 23:34, Philippe MARASSE wrote:
>>> Hi,
>>>
>>> Does your PHP test script validate the ticket through SAML in order to
>>> get the attributes?
>>>
>>> Rgds.
>>>
>>>
>>> ----- Original Mail -----
>>> From: "Kevin Richter"<[email protected]>
>>> To: [email protected]
>>> Sent: Friday 10 June 2011 23:26:28
>>> Subject: [cas-user] Attributes/SAML
>>>
>>> Hi,
>>>
>>> I am trying to get some attributes (mail address, full name) from the
>>> LDAP directory using the FastBindLdapAuthenticationHandler method.
>>> In our environment each user is allowed to read his own attributes (like
>>> cn or mail), so I have thought there is no need for a special bind
>>> user.
>>>
>>> Is this possible?
>>> At the moment all my tries were not successful.
>>> See below for my config. Any ideas what's wrong there?
>>>
>>> Of course I have selected the attributes (mail, cn) for my test platform
>>> in the services management (cas/services/manage.html).
>>> My test platform is a PHP script:
>>> print_r(phpCAS::getAttributes())
>>> But it always prints "Array ( )"... no attributes :-(
>>>
>>>
>>> Thanks,
>>> Kevin
>>>
>>>
>>>
>>> [snip]
>>>
>>> <bean id="attributeRepository"
>>>       class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
>>>     <property name="contextSource" ref="contextSource" />
>>>     <property name="baseDN" value="ou=students,dc=uni-hildesheim,dc=de" />
>>>     <property name="requireAllQueryAttributes" value="true" />
>>>     <property name="queryAttributeMapping">
>>>         <map>
>>>             <entry key="username" value="uid" />
>>>         </map>
>>>     </property>
>>>     <property name="resultAttributeMapping">
>>>         <map>
>>>             <!-- Mapping between LDAP entry attributes (key) and Principal's (value) -->
>>>             <entry key="cn" value="Name" />
>>>             <entry key="mail" value="EMail" />
>>>         </map>
>>>     </property>
>>> </bean>
>>>
>>> [/snip]
>>>
>>> [snip]
>>>
>>> <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
>>>     <!-- The Principal resolver from the credentials -->
>>>     <property name="credentialsToPrincipalResolver">
>>>         <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>>>     </property>
>>>     <!-- The query made to find the Principal ID. "%u" will be replaced by the resolved Principal -->
>>>     <property name="filter" value="(uid=%u)" />
>>>     <!-- The attribute used to define the new Principal ID -->
>>>     <property name="principalAttributeName" value="uid" />
>>>     <property name="searchBase" value="ou=students,dc=uni-hildesheim,dc=de" />
>>>     <property name="contextSource" ref="contextSource" />
>>>     <property name="attributeRepository">
>>>         <ref bean="attributeRepository" />
>>>     </property>
>>> </bean>
>>>
>>> [/snip]
>>>
>>
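The self-bind lookup Kevin sketches above, written out as a complete JNDI routine (an added example, not code from this thread or from CAS): it escapes the username before templating it into the DN, binds as that DN, and reads only cn and mail from the user's own entry with getAttributes() rather than a subtree search, so no search right on the base is needed. The LDAP URL, the DN template, the attribute list and the class and method names are assumptions.

```java
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.Rdn;

public class SelfBindAttributeLookup {
    // Assumed values for this example: LDAP URL, DN template and wanted attributes.
    private static final String LDAP_URL = "ldap://ldap.example.invalid:389";
    private static final String DN_TEMPLATE = "uid=%s,ou=students,dc=uni-hildesheim,dc=de";
    private static final String[] WANTED = {"cn", "mail"};

    /** Builds the user DN; Rdn.escapeValue neutralises DN special characters in the uid. */
    static String userDn(String uid) {
        return String.format(DN_TEMPLATE, Rdn.escapeValue(uid));
    }

    /** Binds as the user's own DN and reads cn and mail from that entry with no search. */
    static Map<String, Object> readOwnAttributes(String uid, String password) throws NamingException {
        if (password == null || password.isEmpty()) {
            // Reject up front: an empty password makes a simple bind anonymous on many servers.
            throw new NamingException("empty password refused");
        }
        String dn = userDn(uid);
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        DirContext ctx = new InitialDirContext(env);  // the bind is the authentication step
        try {
            // Base-object read of the known DN: needs read on the entry, not search on the base.
            Attributes attrs = ctx.getAttributes(dn, WANTED);
            Map<String, Object> result = new HashMap<String, Object>();
            for (String name : WANTED) {
                Attribute a = attrs.get(name);
                if (a != null) result.put(name, a.get());  // first value; getAll() for multi-valued
            }
            return result;
        } finally {
            ctx.close();
        }
    }
}
```

The returned map has the same shape as the attribute map CAS prints in the debug log above, so an empty map for a user who can bind points at the directory ACL on the entry rather than at the CAS configuration.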

