Folks, I have been thinking this over and it seems to me the substitution will do the same thing as what Ellucian repeats in the Authentication Manager. Please correct me if I am wrong.
I am not sure why Ellucian did not make use of a key-ref, but there it is. I think an explanation of why attribute filters are defined in both places would be of great help to me... this has always been murky in my understanding. If I replace the class for the Authentication Manager, I am still not sure if the interaction between LinkedAuthenticationHandlerAndCredentialsToPrincipalResolverAuthenticationManager and PrincipalBearingCredentialsToPrincipalResolver affects the outcome. In other words, are there some undercover dependencies?

Thanks
Linda

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
[email protected] | www.alaska.edu/oit/

On Wed, Mar 5, 2014 at 12:00 PM, Linda Toth <[email protected]> wrote:
> Folks,
>
> I am sorry to post so much detail, but I am not entirely sure why I have
> the repetitive elements in the prescribed changes to
> deployerConfigContext.xml by Banner, which in turn are causing me to feel
> uncertain of where to place <entry key-ref ..> statements.
>
> Ellucian repeats the filters for a principal identity in two places and
> adds beans for credential resolution. Because of their very explicit
> instructions for implementation, I am not sure I can replace the
> Authentication Manager Class.
> I provide an excerpt here:
>
> *Authentication Manager & Authentication Handler*
>
> <bean id="authenticationManager"
>     class="org.jasig.cas.authentication.AuthenticationManagerImpl">
>   <property name="credentialsToPrincipalResolvers">
>     <list>
>       <bean class="org.jasig.cas.adaptors.trusted.authentication.principal.PrincipalBearingCredentialsToPrincipalResolver" />
>
>       <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
>         <property name="credentialsToPrincipalResolver">
>           <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>         </property>
>         <property name="filter" value="(|(sAMAccountName=%u)(uaIdentifier=%u))" />
>         <property name="principalAttributeName" value="sAMAccountName">
>         </property>
>         <property name="searchBase" value="${ad.userBindAuthHandler.searchBase}" />
>         <property name="attributeRepository">
>           <ref bean="attributeRepository" />
>         </property>
>       </bean>
>     </list>
>   </property>
>
>   <property name="authenticationHandlers">
>     <list>
>       <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
>           p:httpClient-ref="httpClient" />
>       <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
>         <property name="filter" value="(|(sAMAccountName=%u)(uaIdentifier=%u))" />
>
> ETC ...
>
> I want to move to the following, but now that I am revisiting this issue,
> I don't understand why Ellucian is providing two filters in this way.
> I have gone back through the JASIG-CAS documentation and it addresses the
> situation by giving examples with attribute filters in the authentication
> handlers only:
>
> <bean id="authenticationManager"
>     class="org.jasig.cas.authentication.LinkedAuthenticationHandlerAndCredentialsToPrincipalResolverAuthenticationManager">
>   <constructor-arg index="0">
>     <map>
>       <entry key-ref="SunDS-LdapAuthHandler" value-ref="UsernameCredentialtoPrincipalResolver" />
>       <entry key-ref="AD-LdapAuthHandler" value-ref="LdapCredentialtoPrincipalResolver" />
>       <entry key-ref="HTTPAuthHandler" value-ref="HTTPCredentialtoPrincipalResolver" />
>     </map>
>   </constructor-arg>
> </bean>
>
> <bean id="SunDS-LdapAuthHandler"
>     class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
>   <property name="filter" value="(uid=%u)" />
>   <property name="searchBase" value="ou=usf,o=usf.edu" />
>   <property name="contextSource" ref="SunDS-LdapAuthcontext" />
> </bean>
>
> <bean id="UsernameCredentialtoPrincipalResolver"
>     class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
>   <property name="attributeRepository" ref="attributeRepository" />
> </bean>
>
> <bean id="AD-LdapAuthHandler"
>     class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
>   <property name="filter" value="(proxyaddresses=SMTP:%u)" />
>   <property name="searchBase" value="DC=usf,DC=edu" />
>   <property name="contextSource" ref="AD-LdapAuthcontext" />
>   <!-- fix for how AD returns results -->
>   <property name="ignorePartialResultException" value="yes" />
> </bean>
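
The message above notes that the same LDAP filter is written once in the principal resolver and again in the bind handler. As an added example (not part of the original thread, and not Ellucian's or Jasig's code), this script lists the `filter` values on each side of a deployerConfigContext.xml-style file and reports any that appear on one side only. The sample XML is constructed, and classifying beans by class-name suffix is an assumption made for the example.

```python
import xml.etree.ElementTree as ET

BEANS_NS = "{http://www.springframework.org/schema/beans}"

# Constructed sample modelled on the excerpt in the post (not a real deployment file).
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
    <property name="credentialsToPrincipalResolvers">
      <list>
        <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
          <property name="filter" value="(|(sAMAccountName=%u)(uaIdentifier=%u))" />
        </bean>
      </list>
    </property>
    <property name="authenticationHandlers">
      <list>
        <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
          <property name="filter" value="(sAMAccountName=%u)" />
        </bean>
      </list>
    </property>
  </bean>
</beans>"""


def collect_filters(xml_text):
    """Return {role: set(filters)} for beans that carry a direct 'filter' property."""
    found = {"handler": set(), "resolver": set()}
    for bean in ET.fromstring(xml_text).iter(BEANS_NS + "bean"):
        cls = bean.get("class", "")
        # Assumption: the role is inferred from the class-name suffix.
        role = ("handler" if cls.endswith("AuthenticationHandler")
                else "resolver" if cls.endswith("PrincipalResolver") else None)
        if role is None:
            continue
        for prop in bean.findall(BEANS_NS + "property"):  # direct children only
            if prop.get("name") == "filter" and prop.get("value"):
                found[role].add(prop.get("value"))
    return found


def filter_drift(xml_text):
    """Filters used on one side only; two empty lists mean both sides agree."""
    f = collect_filters(xml_text)
    return {"handler_only": sorted(f["handler"] - f["resolver"]),
            "resolver_only": sorted(f["resolver"] - f["handler"])}


if __name__ == "__main__":
    print(filter_drift(SAMPLE))
```
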
