The issue is missing code in the file casServiceValidationSuccess.jsp. I make no claim to have written this; I found it on a blog somewhere.
<!-- Begin Ldap Attributes -->
<c:if test="${fn:length(assertion.chainedAuthentications) > 0}">
    <cas:attributes>
        <c:forEach var="auth" items="${assertion.chainedAuthentications}">
            <c:forEach var="attr" items="${auth.principal.attributes}">
                <cas:${fn:escapeXml(attr.key)}>${fn:escapeXml(attr.value)}</cas:${fn:escapeXml(attr.key)}>
            </c:forEach>
        </c:forEach>
    </cas:attributes>
</c:if>
<!-- End Ldap Attributes -->
The problem I have now is that I'm only getting attributes from one of the two
AD servers. I'm still tracing down what the issue might be.
Jason Nethercott
Architect, Technology Group
[email protected]<mailto:[email protected]>
Phone:519.451.2323 x6023 Fax:519.451.6615
This e-mail and any files transmitted with it are confidential information of
Autodata Solutions, intended only for the use of the recipient. If you have
received this email in error, please notify the sender and delete all copies.
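The response format that the JSP block above adds to the validation view, built and parsed in Python as an added example; this is not code from the thread or from the CAS project, and it uses only the standard library. The namespace is the one in the serviceResponse quoted further down in the thread. Two things the one-line JSP glosses over are handled explicitly here: a multi-valued attribute such as memberOf is emitted as repeated elements rather than the single "[a, b]" string that EL produces when the value is a List, and each attribute key is checked to be a legal XML element name, which fn:escapeXml does not guarantee. A response with no attributes block, like the one in the original question, parses to an empty attribute map, so a client can tell "no attributes released" from "malformed response". The group and e-mail values in the demo are constructed.

```python
"""Build and parse CAS 2.0 serviceResponse documents of the shape the
casServiceValidationSuccess.jsp block above emits.  Added example using only
the Python standard library; not code from the thread or the CAS project."""
import re
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"   # namespace of the response quoted in the thread
ET.register_namespace("cas", CAS_NS)    # serialize with the cas: prefix, as CAS does

# An element name must be an XML Name; fn:escapeXml only escapes & < > " '
# and would happily emit <cas:display name>.  Simplified ASCII check,
# sufficient for keys that come out of an LDAP attribute mapping.
_XML_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")


def _tag(local):
    return f"{{{CAS_NS}}}{local}"


def build_success_response(user, attributes=None):
    """Serialize an authenticationSuccess.  A list value (e.g. memberOf with
    several groups) becomes one element per value; EL would render the List
    as a single "[a, b]" string."""
    root = ET.Element(_tag("serviceResponse"))
    success = ET.SubElement(root, _tag("authenticationSuccess"))
    ET.SubElement(success, _tag("user")).text = user
    if attributes:
        attrs_el = ET.SubElement(success, _tag("attributes"))
        for key, value in attributes.items():
            if not _XML_NAME.match(key):
                raise ValueError(f"attribute key {key!r} is not a valid XML element name")
            values = list(value) if isinstance(value, (list, tuple, set)) else [value]
            for v in values:
                ET.SubElement(attrs_el, _tag(key)).text = str(v)
    return ET.tostring(root, encoding="unicode")


def build_failure_response(code, message):
    """Serialize an authenticationFailure carrying the CAS error code."""
    root = ET.Element(_tag("serviceResponse"))
    ET.SubElement(root, _tag("authenticationFailure"), code=code).text = message
    return ET.tostring(root, encoding="unicode")


def parse_service_response(xml_text):
    """Return (user, attributes); attributes maps name -> list of values, so
    one group and five groups look the same to the caller.  Raises
    ValueError on authenticationFailure or on a document that is not a
    well-formed success response."""
    root = ET.fromstring(xml_text)
    if root.tag != _tag("serviceResponse"):
        raise ValueError("not a CAS serviceResponse")
    failure = root.find(_tag("authenticationFailure"))
    if failure is not None:
        raise ValueError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find(_tag("authenticationSuccess"))
    if success is None:
        raise ValueError("neither authenticationSuccess nor authenticationFailure present")
    user = (success.findtext(_tag("user")) or "").strip()
    if not user:
        raise ValueError("authenticationSuccess without a cas:user")
    attributes = {}
    attrs_el = success.find(_tag("attributes"))
    if attrs_el is not None:                      # absent when the JSP block is missing
        for child in attrs_el:
            name = child.tag.rsplit("}", 1)[-1]   # drop the {namespace} part
            attributes.setdefault(name, []).append((child.text or "").strip())
    return user, attributes


# The attribute-less response quoted in the original question of this thread.
BARE_RESPONSE = (
    "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
    "<cas:authenticationSuccess><cas:user>jason.nethercott</cas:user>"
    "</cas:authenticationSuccess></cas:serviceResponse>"
)

if __name__ == "__main__":
    print(parse_service_response(BARE_RESPONSE))      # ('jason.nethercott', {})
    doc = build_success_response("jason.nethercott", {
        "Email": "user@example.org",                             # constructed values
        "Groups": ["CN=Developers,DC=example,DC=org", "CN=VPN,DC=example,DC=org"],
    })
    print(doc)
    print(parse_service_response(doc))
```

Because the parser always returns lists, a client that checks group membership does not need a special case for users in exactly one group, which is where the EL "[a, b]" rendering usually bites first.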
From: Jérôme LELEU [mailto:[email protected]]
Sent: September-18-13 8:41 AM
To: [email protected]
Subject: Re: [cas-user] Getting attributes from AD??
Hi,
I don't see anything strange in your configuration. Did you turn on DEBUG logs
on org.jasig?
Best regards,
Jérôme
2013/9/17 Jason Nethercott
<[email protected]<mailto:[email protected]>>
A question for all the CAS gurus out there. Please note, I'm not an AD admin,
and barely know how LDAP works... so bear with me.
I have a working CAS (3.5.2) implementation. It connects and does authenticate
to multiple AD servers. (We just merged with another company so we have
multiple). Now, I'm trying to get more attributes from the AD servers down to
my java applications using Spring CAS integration.
So, problem #1... I can't seem to get the groups or anything else from the AD
servers. No errors or anything... the response from CAS is just:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>jason.nethercott</cas:user>
    </cas:authenticationSuccess>
</cas:serviceResponse>
I'll start with one of the Principal resolvers that I have defined.
<bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
    <!-- The Principal resolver from the credentials -->
    <property name="credentialsToPrincipalResolver">
        <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
    </property>
    <!-- "%u" will be replaced by the resolved Principal -->
    <property name="filter" value="(sAMAccountName=%u)" />
    <!-- The attribute used to define the new Principal ID -->
    <property name="principalAttributeName" value="sAMAccountName" />
    <property name="searchBase" value="DC=london,DC=autodata,DC=net" />
    <property name="contextSource" ref="contextSource" />
    <property name="attributeRepository">
        <ref bean="attributeRepository" />
    </property>
</bean>
And the attribute repository:
<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="contextSource" ref="contextSource" />
    <property name="baseDN" value="DC=london,DC=autodata,DC=net" />
    <property name="requireAllQueryAttributes" value="true" />
    <property name="ldapTemplate" ref="ldapTemplate" />
    <!-- Attribute mapping between principal (key) and LDAP (value) names
         used to perform the LDAP search. -->
    <property name="queryAttributeMapping">
        <map>
            <entry key="username" value="sAMAccountName" />
        </map>
    </property>
    <property name="resultAttributeMapping">
        <map>
            <!-- Mapping between LDAP attributes (key) and Principal's (value) -->
            <entry value="CN" key="cn" />
            <entry value="DN" key="distinguishedName" />
            <entry value="Email" key="mail" />
            <entry value="Groups" key="memberOf" />
        </map>
    </property>
</bean>
And finally, the service registry (we are not planning on a database
implementation of this (yet))
<bean class="org.jasig.cas.services.RegexRegisteredService">
    <property name="id" value="0" />
    <property name="name" value="HTTP and IMAP" />
    <property name="description" value="Allows HTTP(S) and IMAP(S) protocols" />
    <property name="serviceId" value="^(https?|imaps?)://.*" />
    <property name="evaluationOrder" value="10000001" />
    <property name="allowedAttributes">
        <list>
            <value>CN</value>
            <value>DN</value>
            <value>Email</value>
            <value>Groups</value>
        </list>
    </property>
</bean>
What am I missing? Or, do I need to talk to my AD administrators about a
possible security or setting issue in our AD servers?
Thanks.
Jason Nethercott
Architect, Technology Group
--
You are currently subscribed to
[email protected]<mailto:[email protected]> as:
[email protected]<mailto:[email protected]>
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
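An added cross-check of the configuration quoted above, written in Python; it is not CAS or Spring code, and the bean XML embedded in it is the thread's own attributeRepository and service beans trimmed to the properties that matter. Two things are worth verifying in a setup like this: every principal attribute name that resultAttributeMapping produces must also appear in the service's allowedAttributes, because CAS 3.5 releases only the names listed there, so a name that is mapped but not allowed vanishes without any error; and a serviceId pattern such as ^(https?|imaps?)://.* matches any HTTPS or IMAP URL, so whatever that service releases (here CN, DN, Email and the Groups list) is handed to any relying party that can obtain a ticket for a matching URL. Assumptions, also noted in the code: the pattern is applied as a full match, as java.util.regex matches() does, and the two foreign URLs are constructed probes.

```python
"""Cross-check a CAS 3.5 attribute-release configuration: the principal
attribute names an LdapPersonAttributeDao produces versus the names each
registered service is allowed to release, plus a probe for serviceId
patterns that match any host.  Added example, not CAS or Spring code."""
import re
import xml.etree.ElementTree as ET

# Fixture built from the beans in this thread, trimmed to the relevant
# properties and wrapped in a <beans> root so they parse as one document.
CONFIG_XML = """<beans>
<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="resultAttributeMapping">
    <map>
      <entry value="CN" key="cn" />
      <entry value="DN" key="distinguishedName" />
      <entry value="Email" key="mail" />
      <entry value="Groups" key="memberOf" />
    </map>
  </property>
</bean>
<bean class="org.jasig.cas.services.RegexRegisteredService">
  <property name="name" value="HTTP and IMAP" />
  <property name="serviceId" value="^(https?|imaps?)://.*" />
  <property name="allowedAttributes">
    <list><value>CN</value><value>DN</value><value>Email</value><value>Groups</value></list>
  </property>
</bean>
</beans>"""

# Constructed probe URLs that belong to no legitimate service; a serviceId
# accepting one of them releases attributes to an arbitrary relying party.
FOREIGN_URLS = ("https://unrelated.example/cas-client", "http://192.0.2.10/")


def principal_attributes(root):
    """Principal-side names every LdapPersonAttributeDao bean produces.  In
    resultAttributeMapping the LDAP attribute is the entry key and the
    principal attribute name is the entry value."""
    names = set()
    for bean in root.iter("bean"):
        if not bean.get("class", "").endswith("LdapPersonAttributeDao"):
            continue
        for prop in bean.findall("property"):
            if prop.get("name") == "resultAttributeMapping":
                names.update(e.get("value") for e in prop.iter("entry"))
    return names


def registered_services(root):
    """Yield (display name, serviceId pattern, allowedAttributes set) for
    every *RegisteredService bean."""
    for bean in root.iter("bean"):
        if "RegisteredService" not in bean.get("class", ""):
            continue
        props = {p.get("name"): p for p in bean.findall("property")}
        name = props["name"].get("value") if "name" in props else bean.get("id", "?")
        allowed = set()
        if "allowedAttributes" in props:
            allowed = {v.text.strip() for v in props["allowedAttributes"].iter("value")}
        yield name, props["serviceId"].get("value"), allowed


def lint(config_xml):
    """Return a list of findings; an empty list means the mappings are
    consistent and no service pattern matched a foreign URL."""
    root = ET.fromstring(config_xml)
    produced = principal_attributes(root)
    findings = []
    for name, pattern, allowed in registered_services(root):
        # CAS 3.5 releases only the names listed in allowedAttributes, so a
        # name mapped in the DAO but missing here never reaches the client.
        for attr in sorted(produced - allowed):
            findings.append(f"{name}: attribute {attr!r} is resolved but not released")
        for attr in sorted(allowed - produced):
            findings.append(f"{name}: releases {attr!r}, which no attribute repository produces")
        # Assumption: CAS applies the pattern as a full match, like
        # java.util.regex matches(); re.fullmatch mirrors that.
        regex = re.compile(pattern)
        for url in FOREIGN_URLS:
            if allowed and regex.fullmatch(url):
                findings.append(
                    f"{name}: serviceId {pattern!r} matches {url}; "
                    f"{sorted(allowed)} would be released to any such service")
                break
    return findings


if __name__ == "__main__":
    for line in lint(CONFIG_XML):
        print(line)
```

Run against the thread's beans as quoted, the mapping check is clean and the only finding is the catch-all serviceId; narrowing the pattern to the hostnames that actually consume the attributes clears it, while dropping Groups from allowedAttributes produces the "resolved but not released" finding that corresponds to attributes silently going missing.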
