Hi,

I don't see anything strange in your configuration. Did you turn on DEBUG logs on org.jasig?

Best regards,
Jérôme
2013/9/17 Jason Nethercott <[email protected]>
> A question for all the CAS gurus out there. Please note, I’m not an AD admin, and barely know how LDAP works… so bear with me.
>
> I have a working CAS (3.5.2) implementation. It connects and does authenticate to multiple AD servers. (We just merged with another company so we have multiple). Now, I’m trying to get more attributes from the AD servers down to my java applications using Spring CAS integration.
>
> So, problem #1… I can’t seem to get the groups or anything else from the AD servers. No errors or anything… the response from CAS is just:
>
> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>     <cas:authenticationSuccess>
>         <cas:user>jason.nethercott</cas:user>
>     </cas:authenticationSuccess>
> </cas:serviceResponse>
>
> I’ll start with one of the Principal resolvers that I have defined.
>
> <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
>
>     <!-- The Principal resolver from the credentials -->
>     <property name="credentialsToPrincipalResolver">
>         <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>     </property>
>
>     <!-- "%u" will be replaced by the resolved Principal -->
>     <property name="filter" value="(sAMAccountName=%u)" />
>
>     <!-- The attribute used to define the new Principal ID -->
>     <property name="principalAttributeName" value="sAMAccountName" />
>
>     <property name="searchBase" value="DC=london,DC=autodata,DC=net" />
>     <property name="contextSource" ref="contextSource" />
>
>     <property name="attributeRepository">
>         <ref bean="attributeRepository" />
>     </property>
> </bean>
>
> And the attribute repository:
>
> <bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
>     <property name="contextSource" ref="contextSource"/>
>     <property name="baseDN" value="DC=london,DC=autodata,DC=net"/>
>
>     <property name="requireAllQueryAttributes" value="true" />
>     <property name="ldapTemplate" ref="ldapTemplate" />
>
>     <!--
>         Attribute mapping between principal (key) and LDAP (value) names
>         used to perform the LDAP search.
>     -->
>     <property name="queryAttributeMapping">
>         <map>
>             <entry key="username" value="sAMAccountName" />
>         </map>
>     </property>
>
>     <property name="resultAttributeMapping">
>         <map>
>             <!-- Mapping between LDAP attributes (key) and Principal's (value) -->
>             <entry value="CN" key="cn" />
>             <entry value="DN" key="distinguishedName" />
>             <entry value="Email" key="mail" />
>             <entry value="Groups" key="memberOf" />
>         </map>
>     </property>
> </bean>
>
> And finally, the service registry (we are not planning on a database implementation of this (yet))
>
> <bean class="org.jasig.cas.services.RegexRegisteredService">
>     <property name="id" value="0" />
>     <property name="name" value="HTTP and IMAP" />
>     <property name="description" value="Allows HTTP(S) and IMAP(S) protocols" />
>     <property name="serviceId" value="^(https?|imaps?)://.*" />
>     <property name="evaluationOrder" value="10000001" />
>     <property name="allowedAttributes">
>         <list>
>             <value>CN</value>
>             <value>DN</value>
>             <value>Email</value>
>             <value>Groups</value>
>         </list>
>     </property>
> </bean>
>
> What am I missing? Or, do I need to talk to my AD administrators about a possible security or setting issue in our AD servers?
>
> Thanks.
>
> Jason Nethercott
> Architect, Technology Group
> [email protected]
> Phone: 519.451.2323 x6023  Fax: 519.451.6615
>
> This e-mail and any files transmitted with it are confidential information of Autodata Solutions, intended only for the use of the recipient. If you have received this email in error, please notify the sender and delete all copies.
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
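As an added example that is not part of this thread or of CAS itself: a small Python parser for the /serviceValidate response format quoted above, which makes the difference between "no <cas:attributes> block was released" and "attributes released" explicit to the client, and also handles the authenticationFailure case. The attribute-carrying sample is constructed here (placeholder e-mail and group DNs) following the CAS protocol's <cas:attributes> child-element layout; the thread's own response carries no such block.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CAS_NS = "http://www.yale.edu/tp/cas"  # namespace of the response quoted in the thread

def tag(local: str) -> str:
    return "{%s}%s" % (CAS_NS, local)  # Clark-notation name for a CAS element

@dataclass
class CasValidation:
    user: Optional[str]
    attributes: Dict[str, List[str]] = field(default_factory=dict)  # multi-valued, e.g. memberOf
    failure_code: Optional[str] = None

def parse_service_response(xml_text: str) -> CasValidation:
    root = ET.fromstring(xml_text)
    if root.tag != tag("serviceResponse"):
        raise ValueError("unexpected root element %r" % root.tag)
    failure = root.find(tag("authenticationFailure"))
    if failure is not None:
        return CasValidation(user=None, failure_code=failure.get("code"))
    success = root.find(tag("authenticationSuccess"))
    if success is None:
        raise ValueError("neither authenticationSuccess nor authenticationFailure present")
    user_el = success.find(tag("user"))
    if user_el is None or not (user_el.text or "").strip():
        raise ValueError("authenticationSuccess without a non-empty cas:user")
    attrs: Dict[str, List[str]] = {}
    block = success.find(tag("attributes"))  # this is what the thread's response lacks
    if block is not None:
        for child in block:
            if not child.tag.startswith("{%s}" % CAS_NS):
                continue  # ignore elements outside the CAS namespace
            name = child.tag[len(CAS_NS) + 2:]  # strip "{ns}"
            attrs.setdefault(name, []).append((child.text or "").strip())
    return CasValidation(user=user_el.text.strip(), attributes=attrs)

# Constructed sample 1: the attribute-less response quoted in the thread.
RESPONSE_NO_ATTRS = ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'><cas:authenticationSuccess>"
                     "<cas:user>jason.nethercott</cas:user></cas:authenticationSuccess></cas:serviceResponse>")

# Constructed sample 2: the same user with the registry's allowedAttributes released (placeholder values).
RESPONSE_WITH_ATTRS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess><cas:user>jason.nethercott</cas:user>
<cas:attributes><cas:CN>Jason Nethercott</cas:CN><cas:Email>user@example.net</cas:Email>
<cas:Groups>CN=Architects,OU=Groups,DC=example,DC=net</cas:Groups>
<cas:Groups>CN=Developers,OU=Groups,DC=example,DC=net</cas:Groups></cas:attributes>
</cas:authenticationSuccess></cas:serviceResponse>"""
```

A client that needs group membership for authorization should treat an empty `attributes` dict as "nothing released" and deny, rather than fall back to a default role.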
