Try using plain UsernamePasswordCredentialsToPrincipalResolver without wrapping it in CredentialsToLDAPAttributePrincipalResolver.
Best, Dmitriy. Sent from my iPad On Nov 19, 2013, at 9:10 PM, Baron Fujimoto <[email protected]> wrote: > Anyone? Is there a perhaps a more useful way to frame my query? > > Specifically, I'm trying to ensure that REMOTE_USER is set to the > actual username credential that was used to authenticate to CAS. > More generally, it would be useful to have a better understanding > of what gets mapped to REMOTE_USER and how to configure such. > > Aloha, > -baron > > On Wed, Nov 13, 2013 at 05:34:10PM -1000, Baron Fujimoto wrote: >> I'm trying to debug/resolve an issue we recently encountered. >> >> Our setup is as follows: >> >> - We authenticate Google Apps using SSO via the Shibboleth IdP. [1] >> - Our Shib IdP authenticates using CAS using RemoteUser. [2] >> - Our CAS authenticates against and obtains attributes from LDAP. >> >> The issue we've encountered is that we have a few users with more than one >> uid attribute in their LDAP entries (let's say their values are "u1" and >> "u2"). Google wants the principal to identify their user, and per the >> Shibboleth-CAS+Integration docs referenced below, appears to be getting >> it via REMOTE_USER. The problem is that when the user authenticates as u2, >> it looks like REMOTE_USER is being set to u1 instead of u2. >> >> I think this is the relevant(?) config snippet from >> deployerConfigContext.xml >> >> <bean >> >> class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver"> >> <!-- The Principal resolver form the credentials --> >> <property name="credentialsToPrincipalResolver"> >> <bean >> >> class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" >> /> >> </property> >> >> <!-- >> The query made to find the Principal ID. >> "%u" will be replaced by the resolved Principal >> --> >> <property name="filter" value="(uid=%u)" /> >> >> <!-- The attribute used to define the new Principal ID --> >> <property name="principalAttributeName" value="uid" /> >> <property name="searchBase" value="${ldap.searchBase}" /> >> <property name="contextSource" ref="contextSource" /> >> >> <property name="attributeRepository"> >> <ref bean="attributeRepository" /> >> </property> >> </bean> >> >> Is there a way keeping the the username/credential that was used to >> authenticate as the principal, or otherwise have that mapped to >> REMOTE_USER? >> >> Any help would be appreciated, even if it's just RTFM if you can point me >> to some appropriate FM. >> >> [1] <https://developers.google.com/google-apps/help/articles/shibboleth2.0> >> [2] <https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration> >> >> -- >> Baron Fujimoto <[email protected]> :: UH Information Technology Services >> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum >> >> -- >> You are currently subscribed to [email protected] as: [email protected] >> To unsubscribe, change settings or access archives, see >> http://www.ja-sig.org/wiki/display/JSG/cas-user > > -- > Baron Fujimoto <[email protected]> :: UH Information Technology Services > minutas cantorum, minutas balorum, minutas carboratum desendus pantorum > > -- > You are currently subscribed to [email protected] as: > [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
