A question for all the CAS gurus out there. Please note, I'm not an AD admin, and barely know how LDAP works... so bear with me.
I have a working CAS (3.5.2) implementation. It connects and does authenticate to multiple AD servers. (We just merged with another company, so we have multiple.) Now, I'm trying to get more attributes from the AD servers down to my Java applications using Spring CAS integration.

So, problem #1... I can't seem to get the groups or anything else from the AD servers. No errors or anything... the response from CAS is just:

    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
      <cas:authenticationSuccess>
        <cas:user>jason.nethercott</cas:user>
      </cas:authenticationSuccess>
    </cas:serviceResponse>

I'll start with one of the Principal resolvers that I have defined.

    <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
      <!-- The Principal resolver from the credentials -->
      <property name="credentialsToPrincipalResolver">
        <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
      </property>
      <!-- "%u" will be replaced by the resolved Principal -->
      <property name="filter" value="(sAMAccountName=%u)" />
      <!-- The attribute used to define the new Principal ID -->
      <property name="principalAttributeName" value="sAMAccountName" />
      <property name="searchBase" value="DC=london,DC=autodata,DC=net" />
      <property name="contextSource" ref="contextSource" />
      <property name="attributeRepository">
        <ref bean="attributeRepository" />
      </property>
    </bean>

And the attribute repository:

    <bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
      <property name="contextSource" ref="contextSource" />
      <property name="baseDN" value="DC=london,DC=autodata,DC=net" />
      <property name="requireAllQueryAttributes" value="true" />
      <property name="ldapTemplate" ref="ldapTemplate" />
      <!-- Attribute mapping between principal (key) and LDAP (value) names
           used to perform the LDAP search. -->
      <property name="queryAttributeMapping">
        <map>
          <entry key="username" value="sAMAccountName" />
        </map>
      </property>
      <property name="resultAttributeMapping">
        <map>
          <!-- Mapping between LDAP attributes (key) and Principal's (value) -->
          <entry key="cn" value="CN" />
          <entry key="distinguishedName" value="DN" />
          <entry key="mail" value="Email" />
          <entry key="memberOf" value="Groups" />
        </map>
      </property>
    </bean>

And finally, the service registry (we are not planning on a database implementation of this (yet)):

    <bean class="org.jasig.cas.services.RegexRegisteredService">
      <property name="id" value="0" />
      <property name="name" value="HTTP and IMAP" />
      <property name="description" value="Allows HTTP(S) and IMAP(S) protocols" />
      <property name="serviceId" value="^(https?|imaps?)://.*" />
      <property name="evaluationOrder" value="10000001" />
      <property name="allowedAttributes">
        <list>
          <value>CN</value>
          <value>DN</value>
          <value>Email</value>
          <value>Groups</value>
        </list>
      </property>
    </bean>

What am I missing? Or do I need to talk to my AD administrators about a possible security or setting issue in our AD servers?

Thanks.

Jason Nethercott
Architect, Technology Group

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
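Added example, not part of the post above: a small Python parser for the CAS serviceValidate response that the client side (the Spring-protected application) receives. It handles the attribute-less success response quoted in the post, an authenticationFailure response, and a success response carrying a `<cas:attributes>` block. The layout of that block (one `<cas:Name>` element per released attribute, repeated for multi-valued attributes such as the `Groups` mapped from `memberOf`) is an assumption based on what CAS 3.5.x's default success view emits for allowed attributes; the group DNs and e-mail address in the sample are constructed. The authorization helper deliberately fails closed, so an application that only gets `<cas:user>` back, as in the post, grants no group-based access.

```python
"""Parse CAS serviceValidate responses and extract released attributes."""
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample 1: the attribute-less success response quoted in the post.
RESPONSE_NO_ATTRS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jason.nethercott</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample 2: the same login with the four allowed attributes released.
# Assumption: CAS 3.5-style <cas:attributes> block, one element per value.
RESPONSE_WITH_ATTRS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jason.nethercott</cas:user>
    <cas:attributes>
      <cas:CN>Jason Nethercott</cas:CN>
      <cas:DN>CN=Jason Nethercott,OU=Staff,DC=london,DC=autodata,DC=net</cas:DN>
      <cas:Email>jason.nethercott@example.invalid</cas:Email>
      <cas:Groups>CN=App-Admins,OU=Groups,DC=london,DC=autodata,DC=net</cas:Groups>
      <cas:Groups>CN=All-Staff,OU=Groups,DC=london,DC=autodata,DC=net</cas:Groups>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample 3: a rejected ticket.
RESPONSE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def parse_cas_response(xml_text):
    """Return (user, attributes) for a successful validation, else raise ValueError.

    attributes maps attribute name -> list of values; memberOf is multi-valued,
    so every attribute is kept as a list for uniformity.
    """
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ValueError("CAS validation failed: %s" % failure.get("code"))
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("malformed CAS response: no authenticationSuccess")
    user_el = success.find("cas:user", CAS_NS)
    if user_el is None or not (user_el.text or "").strip():
        raise ValueError("malformed CAS response: empty cas:user")
    attributes = {}
    attrs_el = success.find("cas:attributes", CAS_NS)
    if attrs_el is not None:
        for child in attrs_el:
            # Strip the namespace: '{http://www.yale.edu/tp/cas}Groups' -> 'Groups'
            name = child.tag.split("}", 1)[-1]
            attributes.setdefault(name, []).append((child.text or "").strip())
    return user_el.text.strip(), attributes


def group_cns(attributes):
    """Return the CN component of each group DN released under 'Groups'."""
    cns = []
    for dn in attributes.get("Groups", []):
        first_rdn = dn.split(",", 1)[0]
        if first_rdn.upper().startswith("CN="):
            cns.append(first_rdn[3:])
    return cns


def is_authorized(attributes, required_group):
    """Fail closed: no released Groups means no group-based access."""
    return required_group in group_cns(attributes)


if __name__ == "__main__":
    for sample in (RESPONSE_NO_ATTRS, RESPONSE_WITH_ATTRS):
        user, attrs = parse_cas_response(sample)
        print(user, group_cns(attrs), is_authorized(attrs, "App-Admins"))
```

Splitting the DN on the first comma is enough for the group names shown here but not for DNs with escaped commas; a client that authorizes on group membership should compare whole DNs or use a proper DN parser. `xml.etree` does not expand external entities, but for responses from anything other than a trusted CAS server over TLS, `defusedxml` is the usual replacement.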
