Thought I'd share a mishap I had with attribute merging on CAS so it might benefit someone someday :]
Context: We are implementing CAS to authenticate our users to Active Directory, and our applications will pull attributes through SAML requests (those are on MySQL databases pulled through JDBC).

The proof of concept was fine, so we went on to the dev/test/prod environment implementations, and this is where it gets ugly: the CAS server never pulls the JDBC attributes, no matter what I try - I'd only get the attributes from the LDAP (Active Directory).

The error was: my JDBC queryAttributeMapping was using fields from the LDAP query - my users were authenticating with their email address and the matching on the SELECT was done using AD's distinguishedName. The attribute merging part I was using was MergingPersonAttributeDaoImpl, which apparently processes queries in parallel. I should have used CascadingPersonAttributeDao and specified the LDAP source first.

The reason why the proof of concept worked? The production team changed their mind -> map fields by distinguished name and not by username.

Sometimes, you really have to read everything and not just follow a procedure - understanding is the key! :]

SEBASTIEN TOULMONDE
UNIX System Administrator, Information Services Department, BISNODE
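The difference between the two DAOs described in the message, as an added example that is not part of the original post and is not CAS or person-directory code: a simplified Python model of the lookup semantics. The names `ldap_source` and `jdbc_source`, the sample user and the `role` attribute are constructed for illustration.

```python
# Simplified model of person-directory attribute resolution (not CAS code).
# All data below is constructed for illustration.

LDAP = {  # keyed by the login name (the email address the user typed)
    "alice@example.org": {
        "distinguishedName": "CN=Alice,OU=Users,DC=example,DC=org",
        "mail": "alice@example.org",
    },
}
JDBC = {  # keyed by the AD distinguishedName, as in the message above
    "CN=Alice,OU=Users,DC=example,DC=org": {"role": "billing-admin"},
}

def ldap_source(query):
    """Look up by 'username', which is all the login gives us."""
    return dict(LDAP.get(query.get("username"), {}))

def jdbc_source(query):
    """Models SELECT ... WHERE dn = ?; needs 'distinguishedName' in the query."""
    dn = query.get("distinguishedName")
    return dict(JDBC.get(dn, {})) if dn else {}

def merging(sources, seed):
    """Every source sees only the seed query; results are merged afterwards."""
    merged = {}
    for source in sources:
        merged.update(source(seed))
    return merged

def cascading(sources, seed):
    """Each source sees the seed plus attributes found by earlier sources."""
    query, resolved = dict(seed), {}
    for source in sources:
        found = source(query)
        resolved.update(found)
        query.update(found)  # feed results forward as query attributes
    return resolved

SEED = {"username": "alice@example.org"}

if __name__ == "__main__":
    print("merging    :", merging([ldap_source, jdbc_source], SEED))
    print("cascading  :", cascading([ldap_source, jdbc_source], SEED))
    print("wrong order:", cascading([jdbc_source, ldap_source], SEED))
```

In the merging case the JDBC lookup fails silently and the principal is released without `role`, so a service that authorizes on that attribute sees a user with no entitlement rather than an error.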
