Reig,
We are having a similar problem running 3.5.2.1 (using REMOTE_USER); we had
it working in the last 3.4.x, but it is no longer working in 3.5.2.1.
Section from our deployerConfig:
<property name="credentialsToPrincipalResolvers">
  <list>
    <!--
    | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
    | by default and produces SimplePrincipal instances conveying the username from the credentials.
    |
    | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
    | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
    | Credentials you are using.
    +-->
    <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
      <property name="attributeRepository" ref="attributeRepository" />
    </bean>
    <!--
    | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials. It supports the CAS 2.0 approach of
    | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
    | SimpleService identified by that callback URL.
    |
    | If you are representing services by something more or other than an HTTPS URL whereat they are able to
    | receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
    +-->
    <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
    <bean class="org.jasig.cas.adaptors.trusted.authentication.principal.PrincipalBearingCredentialsToPrincipalResolver">
      <property name="attributeRepository" ref="attributeRepository" />
    </bean>
  </list>
</property>
<!--
| Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate,
| AuthenticationHandlers actually authenticate credentials. Here we declare the AuthenticationHandlers that
| authenticate the Principals that the CredentialsToPrincipalResolvers identified. CAS will try these handlers in turn
| until it finds one that both supports the Credentials presented and succeeds in authenticating.
+-->
<property name="authenticationHandlers">
  <list>
    <bean class="org.jasig.cas.adaptors.trusted.authentication.handler.support.PrincipalBearingCredentialsAuthenticationHandler" />
    <!--
    | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
    | a server side SSL certificate.
    +-->
    <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
          p:httpClient-ref="httpClient" />
    <!--
    | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
    | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
    | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your
    | local authentication strategy. You might accomplish this by coding a new such handler and declaring
    | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
    +-->
    <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
          p:filter="${ldap.authentication.filter}"
          p:searchBase="${ldap.searchBase}"
          p:contextSource-ref="contextSource"
          p:searchContextSource-ref="pooledContextSource" />
    <ref bean="lppeEnabledLdapAuthenticationHandler" />
  </list>
</property>
</bean>
Rhian Resnick
Assistant Director Middleware and High Performance Computing
Enterprise Systems, Office of Information Technology
Florida Atlantic University
________________________________
From: Reig Gonzalez, Alvaro <[email protected]>
Sent: Thursday, March 06, 2014 4:56 AM
To: [email protected]
Subject: [cas-user] CAS returns user attributes with other credentialsToPrincipalResolvers, but not with kerberos
Hi there,
I have a CAS Server that uses three credentialsToPrincipalResolvers: x509v3
certificate, Openldap user and password, and kerberos.
It all works fine, except CAS only returns the user attributes when the user
logs in through x509v3 certificate or user/password. If the user has used
Kerberos, CAS only returns the username.
Here are the relevant parts of my deployerConfigContext.xml. I have stripped what
I didn't consider important (it is a really large file), but will post it if necessary.
<property name="credentialsToPrincipalResolvers">
  <list>
    <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
      <property name="attributeRepository" ref="attributeRepository" />
    </bean>
    <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
    <bean class="com.orga.cas.X509CertificateLDAPEntryMapperResolver"
          p:contextSource-ref="contextSource"
          p:base="*****">
      <property name="attributeRepository" ref="attributeRepository" />
      (...)
    </bean>
    <bean class="org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver">
      <property name="attributeRepository" ref="attributeRepository" />
    </bean>
  </list>
</property>
(...)
<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="contextSource" ref="contextSource" />
  <property name="baseDN" value="**********" />
  <property name="requireAllQueryAttributes" value="true" />
  <property name="queryAttributeMapping">
    <map>
      <entry key="username" value="cn" />
    </map>
  </property>
  <property name="resultAttributeMapping">
    <map>
      <entry key="cn" value="cn" />
      <entry key="sn" value="sn" />
      <entry key="employeeNumber" value="employeeNumber" />
      <entry key="givenName" value="givenName" />
      <entry key="mail" value="mail" />
      <entry key="entryDN" value="entryDN" />
    </map>
  </property>
</bean>
I don't get any error in tomcat's log, I just don't get the attributes.
Does anyone use Kerberos with a LdapPersonAttributeDao?
Thanks in advance, regards.
Álvaro Reig González
Technical Advisor
IT - Management
Instituto Nacional de Administración Pública
C/ Atocha 106, 28012 Madrid
Phone: 91-273.92.89 - Switchboard: 91.00 - Fax: 92.70
[email protected]
www.inap.es
Before printing this e-mail, think carefully about whether it is necessary.
--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
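As an added example (not code from this thread or from the CAS project), the following Python model shows how the configuration quoted above behaves: the first entry of credentialsToPrincipalResolvers whose supports() accepts the credential type produces the principal id, and the attributeRepository (LdapPersonAttributeDao with queryAttributeMapping username -> cn and requireAllQueryAttributes=true) is then queried with exactly that id. The credential classes, the in-memory directory, the realm-qualified SPNEGO principal "alice@EXAMPLE.ORG" and the strip_realm() normalisation are all constructed assumptions for illustration, not CAS settings or facts from the thread; the point it demonstrates is that a lookup keyed on an id that matches no cn returns no attributes and raises no error.

```python
"""Model of the CAS 3.x credentialsToPrincipalResolvers chain feeding an
attributeRepository with queryAttributeMapping username -> cn.
Added example, not code from the cas-user thread or the CAS project.
Credentials, directory entries and the realm-qualified SPNEGO principal
are constructed assumptions."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class UsernamePasswordCredentials:  # stand-in for the CAS class of that name
    username: str
    password: str


@dataclass(frozen=True)
class X509Credentials:  # stand-in; only the subject DN matters here
    subject_dn: str


@dataclass(frozen=True)
class SpnegoCredentials:  # assumption: id carries the realm, e.g. "alice@EXAMPLE.ORG"
    principal: str


# Constructed directory sample; no entry comes from the thread.
DIRECTORY = [
    {"cn": "alice", "sn": "Liddell", "givenName": "Alice", "employeeNumber": "1001",
     "mail": "alice@example.org", "entryDN": "cn=alice,ou=people,dc=example,dc=org"},
    {"cn": "bob", "sn": "Builder", "givenName": "Bob", "employeeNumber": "1002",
     "mail": "bob@example.org", "entryDN": "cn=bob,ou=people,dc=example,dc=org"},
]


class LdapPersonAttributeDao:
    """Mimics the attributeRepository bean: queryAttributeMapping builds the
    filter, resultAttributeMapping renames results, requireAllQueryAttributes
    refuses a seed missing any mapped key."""

    def __init__(self, directory, query_attribute_mapping, result_attribute_mapping,
                 require_all_query_attributes=True):
        self.directory = directory
        self.query_map = query_attribute_mapping
        self.result_map = result_attribute_mapping
        self.require_all = require_all_query_attributes

    def get_person(self, seed: dict) -> Optional[dict]:
        ldap_filter = {attr: seed[key] for key, attr in self.query_map.items() if key in seed}
        if self.require_all and len(ldap_filter) != len(self.query_map):
            return None
        for entry in self.directory:
            if all(entry.get(attr) == value for attr, value in ldap_filter.items()):
                return {out: entry[src] for src, out in self.result_map.items() if src in entry}
        return None  # no match: nothing is logged, the principal simply has no attributes


ATTRIBUTE_REPOSITORY = LdapPersonAttributeDao(
    DIRECTORY,
    query_attribute_mapping={"username": "cn"},
    result_attribute_mapping={a: a for a in ("cn", "sn", "employeeNumber", "givenName", "mail", "entryDN")},
)


@dataclass(frozen=True)
class Resolver:
    supports: Callable[[object], bool]
    extract_principal_id: Callable[[object], str]


def x509_to_cn(c: X509Credentials) -> str:
    """Stand-in for the site's X509CertificateLDAPEntryMapperResolver: take the CN RDN."""
    for rdn in c.subject_dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.upper() == "CN":
            return value
    raise ValueError("no CN in " + c.subject_dn)


def strip_realm(principal: str) -> str:
    """Hypothetical normalisation (not a CAS setting): drop '@REALM'."""
    return principal.split("@", 1)[0]


def resolver_chain(spnego_id: Callable[[SpnegoCredentials], str]) -> list:
    """Same order as the XML list: username/password, X.509, SPNEGO."""
    return [
        Resolver(lambda c: isinstance(c, UsernamePasswordCredentials), lambda c: c.username),
        Resolver(lambda c: isinstance(c, X509Credentials), x509_to_cn),
        Resolver(lambda c: isinstance(c, SpnegoCredentials), spnego_id),
    ]


AS_CONFIGURED = resolver_chain(lambda c: c.principal)             # id passed through unchanged
REALM_STRIPPED = resolver_chain(lambda c: strip_realm(c.principal))


def resolve(credentials, resolvers, dao=ATTRIBUTE_REPOSITORY):
    """First resolver whose supports() is true wins; its id seeds the DAO. Returns (id, attrs)."""
    for r in resolvers:
        if r.supports(credentials):
            principal_id = r.extract_principal_id(credentials)
            return principal_id, (dao.get_person({"username": principal_id}) or {})
    raise ValueError("no resolver supports " + type(credentials).__name__)


if __name__ == "__main__":
    for creds, chain in [(UsernamePasswordCredentials("alice", "secret"), AS_CONFIGURED),
                         (X509Credentials("CN=bob,OU=people,O=Example"), AS_CONFIGURED),
                         (SpnegoCredentials("alice@EXAMPLE.ORG"), AS_CONFIGURED),
                         (SpnegoCredentials("alice@EXAMPLE.ORG"), REALM_STRIPPED)]:
        print(type(creds).__name__, "->", resolve(creds, chain))
```

Run as a script it prints the (id, attributes) pair for each credential type; the SPNEGO case through AS_CONFIGURED comes back with an empty attribute map because no cn equals "alice@EXAMPLE.ORG", while REALM_STRIPPED finds the entry. The useful check in a real deployment is the same one the model makes explicit: log the exact principal id the resolver hands to the attribute repository and confirm it equals the value stored in the attribute named in queryAttributeMapping.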