Folks,
I am sorry to post so much detail, but I am not entirely sure why I have
the repetitive elements in the prescribed changes to
deployerConfigContext.xml by Banner, which in turn are causing me to feel
uncertain of where to place <entry key-ref ..> statements.
Ellucian repeats the filters for a principal identity in two places and
adds beans for credential resolution. Because of their very explicit
instructions for implementation, I am not sure I can replace the
Authentication Manager Class. I provide an excerpt here:
*Authentication Manager & Authentication Handler*
<bean id="authenticationManager"
      class="org.jasig.cas.authentication.AuthenticationManagerImpl">
  <property name="credentialsToPrincipalResolvers">
    <list>
      <bean
        class="org.jasig.cas.adaptors.trusted.authentication.principal.PrincipalBearingCredentialsToPrincipalResolver" />
      <bean
        class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
        <property name="credentialsToPrincipalResolver">
          <bean
            class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
        </property>
        <property name="filter"
                  value="(|(sAMAccountName=%u)(uaIdentifier=%u))" />
        <property name="principalAttributeName"
                  value="sAMAccountName" />
        <property name="searchBase"
                  value="${ad.userBindAuthHandler.searchBase}" />
        <property name="attributeRepository">
          <ref bean="attributeRepository" />
        </property>
      </bean>
    </list>
  </property>
  <property name="authenticationHandlers">
    <list>
      <bean
        class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
        p:httpClient-ref="httpClient" />
      <bean
        class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
        <property name="filter"
                  value="(|(sAMAccountName=%u)(uaIdentifier=%u))" />
ETC ...
I want to move to the following, but now that I am revisiting this issue, I
don't understand why Ellucian is providing two filters in this way. I have
gone back through the JASIG-CAS documentation, and it addresses the situation
by giving examples with attribute filters in the authentication handlers
only:
<bean id="authenticationManager"
      class="org.jasig.cas.authentication.LinkedAuthenticationHandlerAndCredentialsToPrincipalResolverAuthenticationManager">
  <constructor-arg index="0">
    <map>
      <entry key-ref="SunDS-LdapAuthHandler"
             value-ref="UsernameCredentialtoPrincipalResolver" />
      <entry key-ref="AD-LdapAuthHandler"
             value-ref="LdapCredentialtoPrincipalResolver" />
      <entry key-ref="HTTPAuthHandler"
             value-ref="HTTPCredentialtoPrincipalResolver" />
    </map>
  </constructor-arg>
</bean>
<bean id="SunDS-LdapAuthHandler"
      class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
  <property name="filter" value="(uid=%u)" />
  <property name="searchBase" value="ou=usf,o=usf.edu" />
  <property name="contextSource" ref="SunDS-LdapAuthcontext" />
</bean>
<bean id="UsernameCredentialtoPrincipalResolver"
      class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
  <property name="attributeRepository" ref="attributeRepository" />
</bean>
<bean id="AD-LdapAuthHandler"
      class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
  <property name="filter" value="(proxyaddresses=SMTP:%u)" />
  <property name="searchBase" value="DC=usf,DC=edu" />
  <property name="contextSource" ref="AD-LdapAuthcontext" />
  <!-- fix for how AD returns results -->
  <property name="ignorePartialResultException" value="yes" />
</bean>
Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity
and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
[email protected] | www.alaska.edu/oit/
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
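The following is an added example and is not part of Linda's post, of Ellucian's Banner instructions, or of the CAS project's own configuration. It shows one way the two "(|(sAMAccountName=%u)(uaIdentifier=%u))" filters from the Ellucian excerpt fit into the LinkedAuthenticationHandlerAndCredentialsToPrincipalResolverAuthenticationManager layout from the second snippet, and why the filter appears twice: BindLdapAuthenticationHandler uses it to find the entry whose DN it binds with (authentication), while CredentialsToLDAPAttributePrincipalResolver uses it a second time to look the entry up and take its sAMAccountName as the principal id (identity). Bean ids "AD-LdapAuthcontext", "attributeRepository" and "httpClient" are assumed to be defined elsewhere in deployerConfigContext.xml, and the contextSource property on the resolver is assumed to be required by the CAS 3.x resolver class (it is absent from the Ellucian excerpt).

```xml
<!-- Added example, not Ellucian's or the CAS project's own configuration.
     Assumes beans "AD-LdapAuthcontext" (an LDAP ContextSource),
     "attributeRepository" and "httpClient" exist elsewhere in this file. -->
<bean id="authenticationManager"
      class="org.jasig.cas.authentication.LinkedAuthenticationHandlerAndCredentialsToPrincipalResolverAuthenticationManager">
  <constructor-arg index="0">
    <map>
      <!-- Each handler is paired with exactly one resolver; the resolver that
           runs is the one mapped to the handler that accepted the credentials. -->
      <entry key-ref="AD-LdapAuthHandler" value-ref="AD-LdapCredentialsToPrincipalResolver" />
      <entry key-ref="HTTPAuthHandler"    value-ref="HTTPCredentialsToPrincipalResolver" />
    </map>
  </constructor-arg>
</bean>

<!-- Filter #1 (authentication): finds the entry whose DN CAS binds with,
     using the password the user typed. A user may log in with either the
     sAMAccountName or the uaIdentifier value. -->
<bean id="AD-LdapAuthHandler"
      class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
  <property name="filter" value="(|(sAMAccountName=%u)(uaIdentifier=%u))" />
  <property name="searchBase" value="${ad.userBindAuthHandler.searchBase}" />
  <property name="contextSource" ref="AD-LdapAuthcontext" />
  <!-- AD returns referrals that Spring LDAP reports as PartialResultException -->
  <property name="ignorePartialResultException" value="true" />
</bean>

<!-- Filter #2 (identity): after the bind succeeds, looks the same entry up
     again and uses its sAMAccountName as the principal id, so services see
     the canonical account name even when the user typed a uaIdentifier.
     This second lookup is the reason the filter appears twice. -->
<bean id="AD-LdapCredentialsToPrincipalResolver"
      class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
  <property name="credentialsToPrincipalResolver">
    <!-- supplies the typed username that replaces %u in the search below -->
    <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
  </property>
  <property name="filter" value="(|(sAMAccountName=%u)(uaIdentifier=%u))" />
  <property name="principalAttributeName" value="sAMAccountName" />
  <property name="searchBase" value="${ad.userBindAuthHandler.searchBase}" />
  <!-- assumed required by the resolver; not shown in the Ellucian excerpt -->
  <property name="contextSource" ref="AD-LdapAuthcontext" />
  <property name="attributeRepository" ref="attributeRepository" />
</bean>

<!-- Proxy-callback (PGT) credentials never touch LDAP, so they get the
     HTTP-based handler and its matching resolver. -->
<bean id="HTTPAuthHandler"
      class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
      p:httpClient-ref="httpClient" />
<bean id="HTTPCredentialsToPrincipalResolver"
      class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
```

Keep the handler filter and the resolver filter identical, and point both at the same searchBase and contextSource: the bind proves the user holds the password for whichever entry filter #1 selects, and filter #2 must select that same entry, otherwise the principal handed to services could belong to a different account than the one that authenticated. A quick check after deploying is to log in as a test account using its uaIdentifier value and confirm that the /serviceValidate response carries that account's sAMAccountName rather than the identifier that was typed.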