Hello,

We're using CAS 3.3.5 + AD as LDAP directory in our organization. Some AD attributes are forwarded to applications (thanks to service manager :-) ), so our configuration is similar to what you need, I think. Here are excerpts from our deployerConfigContext.xml:

1st we need a contextSource to do authentication & LDAP lookups :

<bean id="contextSource"
      class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="pooled" value="false"/>
    <property name="urls">
        <list>
            <value>${ldap.host.1}</value>
            <value>${ldap.host.2}</value>
        </list>
    </property>
    <!-- Bind account used for the lookups (the user's own bind is done by the handler below) -->
    <property name="userDn" value="${ldap.userName}"/>
    <property name="password" value="${ldap.password}"/>
    <property name="baseEnvironmentProperties">
        <map>
            <!-- JNDI timeouts are in milliseconds -->
            <entry key="com.sun.jndi.ldap.connect.timeout" value="100" />
            <entry key="com.sun.jndi.ldap.read.timeout" value="250" />
            <entry key="java.naming.security.authentication" value="simple" />
        </map>
    </property>
</bean>

2nd a bean to handle the LDAP login/password stuff:

<bean id="ldapHandler"
      class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
    <property name="filter" value="${ldap.filter}" />
    <property name="searchBase" value="${ldap.baseDn}" />
    <!-- Workaround for the referral problem with AD -->
    <property name="ignorePartialResultException" value="yes" />
    <property name="contextSource" ref="contextSource" />
</bean>

3rd two attribute repository beans (we're using samAccountName as CAS 
principal):

<bean id="attribRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="contextSource" ref="contextSource" />
    <property name="baseDN" value="${ldap.baseDn}" />
    <property name="requireAllQueryAttributes" value="true" />

    <!--
        Attribute mapping between principal (key) and LDAP (value) names
        used to perform the LDAP search.  By default, multiple search criteria
        are ANDed together.  Set the queryType property to change to OR.
    -->
    <property name="queryAttributeMapping">
        <map>
            <entry key="username" value="samAccountName" />
        </map>
    </property>

    <property name="resultAttributeMapping">
        <map>
            <!-- Mapping between LDAP entry attributes (key) and Principal's (value) -->
            <entry key="sn" value="nom"/>
            <entry key="givenName" value="prenom"/>
            <entry key="displayName" value="nomAffiche"/>
            <entry key="memberOf" value="groupes"/>
            <entry key="mail" value="email"/>
            <entry key="url" value="cpsCN"/>
        </map>
    </property>
</bean>

According to the documentation, this bean seems to list the allowed attributes that can be shown to services (used only by service manager if I'm not mistaken):

<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.StubPersonAttributeDao">
    <property name="backingMap">
        <map>
            <entry key="nom" value="" />
            <entry key="prenom" value="" />
            <entry key="nomAffiche" value="" />
            <entry key="groupes" value="" />
            <entry key="email" value="" />
            <entry key="cpsCN" value="" />
        </map>
    </property>
</bean>
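Added here as an illustration, not code from Philippe's mail or from CAS: a small Python check that reads a deployerConfigContext.xml and compares the principal attribute names the LdapPersonAttributeDao actually populates (resultAttributeMapping values) with the names the stub bean declares as releasable (backingMap keys). It assumes the two bean ids used above; the sample config is constructed and deliberately mismatched so both kinds of drift show up.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the two attribute beans in the mail (not the real file).
SAMPLE_CONFIG = """<beans>
  <bean id="attribRepository"
        class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="resultAttributeMapping">
      <map>
        <entry key="sn" value="nom"/>
        <entry key="givenName" value="prenom"/>
        <entry key="memberOf" value="groupes"/>
        <entry key="mail" value="email"/>
      </map>
    </property>
  </bean>
  <bean id="attributeRepository"
        class="org.jasig.services.persondir.support.StubPersonAttributeDao">
    <property name="backingMap">
      <map>
        <entry key="nom" value=""/>
        <entry key="prenom" value=""/>
        <entry key="email" value=""/>
        <entry key="telephone" value=""/>
      </map>
    </property>
  </bean>
</beans>"""


def _local(tag):
    """Drop a namespace prefix such as {http://www.springframework.org/schema/beans}."""
    return tag.rsplit("}", 1)[-1]


def map_entries(root, bean_id, prop_name):
    """Return {key: value} of the <map> under property prop_name of bean bean_id."""
    for bean in root.iter():
        if _local(bean.tag) == "bean" and bean.get("id") == bean_id:
            for prop in bean:
                if _local(prop.tag) == "property" and prop.get("name") == prop_name:
                    return {e.get("key"): e.get("value")
                            for e in prop.iter() if _local(e.tag) == "entry"}
    raise KeyError(f"{bean_id}.{prop_name} not found")


def check_attribute_release(xml_text):
    """Return (declared but never populated, populated but not declared) attribute names."""
    root = ET.fromstring(xml_text)
    produced = set(map_entries(root, "attribRepository", "resultAttributeMapping").values())
    declared = set(map_entries(root, "attributeRepository", "backingMap"))
    return sorted(declared - produced), sorted(produced - declared)
```

Names in the first list will be offered by service manager but always be empty; names in the second are attached to the principal but cannot be released through it.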

And lastly, the authenticationManager bean, which contains:

<bean id="authenticationManager"
      class="org.jasig.cas.authentication.AuthenticationManagerImpl">
    ...
    <property name="credentialsToPrincipalResolvers">
        <list>
            <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
                <!-- The Principal resolver from the credentials -->
                <property name="credentialsToPrincipalResolver">
                    <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
                </property>

                <!-- The query made to find the Principal ID.
                     "%u" will be replaced by the resolved Principal
                -->
                <property name="filter" value="${ldap.filter}" />

                <!-- The attribute used to define the new Principal ID -->
                <property name="principalAttributeName" value="samAccountName" />

                <property name="searchBase" value="${ldap.baseDn}" />
                <property name="contextSource" ref="contextSource" />

                <!-- Attributes fetched from LDAP and attached to the Principal -->
                <property name="attributeRepository" ref="attribRepository" />
            </bean>
            ...
        </list>
    ...
</bean>

Rgds.

On 15/06/2011 01:35, Jeff Abernathy wrote:
Hello,
I believe I have managed to confuse myself, but I'm hopeful this group will be able to help me out.

I'm just getting started with CAS, and am trying to set up a SAML provider with AD as the authenticating backend. So far, I've gotten plain CAS working no problem with AD, using LDAP and LdapContextSource. Now I'm trying to get attributes read from AD to populate. This seems to be a rather common problem, but I'm seeing multiple answers, and I believe I'm getting tied up with different possible solutions.

Could someone post (or send privately) their deployerConfigContext.xml that:

    * Uses Active Directory
    * provides attributes for SAML (perhaps even Google Apps/SAML 2.0)
    * uses a Bind user to do the lookup (LdapContextSource)

Thanks,
Jeff Abernathy
Saint Louis University



--
Philippe MARASSE

Service Informatique - Centre Hospitalier Henri Laborit
BP 587 - 370 avenue Jacques Coeur
86021 Poitiers Cedex
Tel : 05.49.44.57.19
