Thanks Daniel, the RecursiveEntryHandler is just the type of thing I was
looking for!
By adding the following to my deployerConfigContext.xml I've gotten CAS to
successfully return a merged list of direct and ancestor groups for users.
<bean id="authenticator" class="org.ldaptive.auth.Authenticator"
c:resolver-ref="dnResolver"
- c:handler-ref="authHandler" />
+ c:handler-ref="authHandler">
+ <!-- Add the RecursiveEntryHandler to flatten the group
hierarchy and
+ include ancestor groups in the MemberOf response values. -->
+ <property name="entryResolver">
+ <bean
class="org.ldaptive.auth.PooledSearchEntryResolver"
+
p:connectionFactory-ref="searchPooledLdapConnectionFactory">
+ <property name="searchEntryHandlers">
+ <bean
class="org.ldaptive.handler.RecursiveEntryHandler"
+ p:searchAttribute="memberOf"
+
p:mergeAttributes="memberOf"/>
+ </property>
+ </bean>
+ </property>
+ </bean>
<bean id="dnResolver"
class="org.ldaptive.auth.PooledSearchDnResolver"
p:baseDn="${ldap.authn.baseDn}"
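Review bot: the recursive lookup added in this hunk runs over `searchPooledLdapConnectionFactory`, so it is the search account, not the authenticating user, that must be able to read the `memberOf` attribute on every group entry in the chain; a group the search account cannot read stops the recursion at that level and the merged `memberOf` list comes back shorter with no error, which is the permission caveat Daniel raised. It is worth stating that requirement in the comment next to `<!-- Add the RecursiveEntryHandler to flatten the group hierarchy ... -->`, so whoever tunes the directory ACLs knows the resolver depends on them.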
For those who are also trying to set this up, my full Ldap configuration
can be seen here: https://gist.github.com/adamfranc/83dfbe784aab1162c478
One final question:
I made an assumption that I should specify a PooledSearchEntryResolver with
a PooledConnectionFactory since that seems to be in line with what the Ldap
setup instructions specify
<https://jasig.github.io/cas/4.0.0/installation/LDAP-Authentication.html>
for the DN resolver. Is there anything else I might be missing or
mis-configuring that would cause other problems?
Thank you again for your assistance!
Adam
--
Adam Franco
Senior Software Developer
Information Technology Services
Middlebury College
Middlebury, VT 05753
[email protected]
802.443.2244
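As an added illustration (not ldaptive's code and not from this thread), the following Python models what the RecursiveEntryHandler wired above does: follow the `searchAttribute` DNs from the user entry, merge the `mergeAttributes` values of every group reached, guard against cycles, and report groups the search account could not read, since those silently drop out of the merged list. The directory snapshot and DNs are constructed.

```python
from collections import deque

# Constructed directory snapshot: DN -> attributes. A group entry that the
# search account cannot read is simply absent from the snapshot.
DIRECTORY = {
    "uid=adam,ou=people,dc=example,dc=org": {
        "memberOf": ["cn=devs,ou=groups,dc=example,dc=org"]},
    "cn=devs,ou=groups,dc=example,dc=org": {
        "memberOf": ["cn=its,ou=groups,dc=example,dc=org"]},
    "cn=its,ou=groups,dc=example,dc=org": {
        "memberOf": ["cn=staff,ou=groups,dc=example,dc=org",
                     "cn=devs,ou=groups,dc=example,dc=org"]},  # cycle
    "cn=staff,ou=groups,dc=example,dc=org": {"memberOf": []},
    "uid=bob,ou=people,dc=example,dc=org": {
        "memberOf": ["cn=hidden,ou=groups,dc=example,dc=org"]},  # unreadable
}


def flatten_entry(dn, directory, search_attribute="memberOf",
                  merge_attributes=("memberOf",)):
    """Model of RecursiveEntryHandler(searchAttribute, mergeAttributes);
    returns (merged attributes, DNs that could not be read)."""
    entry = directory[dn]
    merged = {a: list(entry.get(a, [])) for a in merge_attributes}
    visited = {dn}            # guards against cycles and diamond shapes
    unreadable = []
    queue = deque(entry.get(search_attribute, []))
    while queue:
        ref = queue.popleft()
        if ref in visited:
            continue
        visited.add(ref)
        attrs = directory.get(ref)
        if attrs is None:     # no read access: ancestors above it are lost
            unreadable.append(ref)
            continue
        for attr in merge_attributes:
            for value in attrs.get(attr, []):
                if value not in merged[attr]:
                    merged[attr].append(value)
        queue.extend(attrs.get(search_attribute, []))
    return merged, unreadable


if __name__ == "__main__":
    for user in ("uid=adam,ou=people,dc=example,dc=org",
                 "uid=bob,ou=people,dc=example,dc=org"):
        groups, missing = flatten_entry(user, DIRECTORY)
        print(user, groups["memberOf"], "unreadable:", missing)
```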
On Fri, Oct 17, 2014 at 10:56 AM, Daniel Fisher <[email protected]> wrote:
> On Thu, Oct 16, 2014 at 6:39 PM, Adam Franco <[email protected]> wrote:
> For CAS 4.0, it seems that the LdapPersonAttributeDao is no longer used
> and the org.jasig.cas.authentication.LdapAuthenticationHandler handles
> attribute mapping instead. Would extending the LdapAuthenticationHandler in
> a similar way that I extended the LdapPersonAttributeDao be the best way to
> add this feature to CAS 4.0 or is there a better way to lookup and inject
> these extra attribute values?
>
> Ldaptive has a component that might work for you called
> RecursiveEntryHandler. You can wire this into your EntryResolver and if the
> user has permission to read the group structure it should populate it for
> you.
>
> SearchEntryResolver#setSearchEntryHandler(new
> RecursiveEntryHandler("memberOf", "memberOf"));
>
> --Daniel Fisher
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>