I didn't get any responses, but I believe I've figured out my issue.
The problem was that when I set up my ldapAuthenticationHandler, it
had a reference to a PrincipalResolver, so even though I had set up
the principalAttributeMap, it wasn't being used. This was in the bean
definition for authenticationManager; I had this line:
<entry key-ref="ldapAuthenticationHandler"
value-ref="usernamePasswordCredentialsResolver" />
I changed that to:
<entry key-ref="ldapAuthenticationHandler" value="#{ null }" />
And then things worked -- I got my attributes, both via saml
(samlValidate) and p3 (p3/serviceValidate).
What led to this is that I had copied snippets of config from so many
places, and it wasn't clear what it all meant, how all the things
interacted. That's a problem with the documentation, it covers a
number of different config options, each with their own snippets of
config, but it's not always clear how to use them in the complete
config, when combined with other snippets. (I'm not sure there's an
easy way to fix that.)
Finally, on one of the doc pages I saw the usage of the value null,
and that got me thinking along the lines that led me to the solution.
Oh, and seeing lines like this in catalina.out:
DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
<Attribute map for mepstein: {}>
That made me realize that maybe it wasn't resolving the attributes as
I had thought.
BTW, I also modified mod_auth_cas to handle the attributes from the p3
validate. So I don't need to use saml.
I'm still only partway through the things I need to get set up for
this upgrade -- mainly I still need to customize the interface (i.e.,
the style) and get something set up for service registry (likely the
JSON file setup) -- so I may have some further questions. But this
was a big step.
Milt Epstein
Applications Developer
Graduate School of Library and Information Science (GSLIS)
University of Illinois at Urbana-Champaign (UIUC)
[email protected]
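The two bean definitions involved, shown together so the fix above is visible in context. This is an added, constructed example assembled from the patterns in the thread and the CAS 4.0 documentation it links to; it is not Milt's actual deployerConfigContext.xml. The bean id "authenticator", the LDAP attribute names (uid, mail, displayName), the AnyAuthenticationPolicy bean, and the p:/c: namespace prefixes (declared on the root beans element in the stock file) are assumptions.

```xml
<!-- Handler: authenticates against LDAP and resolves attributes itself.
     principalAttributeMap keys are LDAP attribute names, values are the
     CAS attribute names released to clients (samlValidate, p3/serviceValidate). -->
<bean id="ldapAuthenticationHandler"
      class="org.jasig.cas.authentication.LdapAuthenticationHandler"
      p:principalIdAttribute="uid"
      c:authenticator-ref="authenticator">
  <property name="principalAttributeMap">
    <map>
      <entry key="uid" value="uid" />
      <entry key="mail" value="email" />
      <entry key="displayName" value="displayName" />
    </map>
  </property>
</bean>

<!-- Manager: maps each handler to the PrincipalResolver that should build
     the principal after a successful authentication. -->
<bean id="authenticationManager"
      class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
  <constructor-arg>
    <map>
      <!-- Attribute-losing variant (the thread's starting point): the
           credentials resolver builds the principal from the username alone,
           so principalAttributeMap is never consulted and the debug log
           shows "Attribute map for mepstein: {}".
      <entry key-ref="ldapAuthenticationHandler"
             value-ref="usernamePasswordCredentialsResolver" />
      -->
      <!-- Corrected variant: a null resolver keeps the principal, attributes
           included, that the LDAP handler already resolved. -->
      <entry key-ref="ldapAuthenticationHandler" value="#{ null }" />
    </map>
  </constructor-arg>
  <property name="authenticationPolicy">
    <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" />
  </property>
</bean>
```

The check after redeploying is the same DEBUG line from PolicyBasedAuthenticationManager quoted above: a non-empty map (for example {email=..., displayName=...}) confirms the handler's attributes survived into the principal; an empty map means a resolver is still replacing them.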
On Tue, 18 Nov 2014, Milt Epstein wrote:
> I'm setting up a new version of CAS, in anticipation of upgrading our
> existing setup. I'm following the instructions on the website (i.e.,
> https://jasig.github.io/cas/4.0.0/). A little background: Our
> authentication is done via LDAP, and we also need to get some
> attributes from LDAP. Some of our main CAS clients are Moodle and
> mod_auth_cas.
>
> Following instructions on the website for using LDAP, I set up the
> bean ldapAuthenticationHandler in deployerConfigContext.xml. That
> includes the property principalAttributeMap, which includes this
> comment:
>
> <!--
> | This map provides a simple attribute resolution mechanism.
> | Keys are LDAP attribute names, values are CAS attribute
> names.
> | Use this facility instead of a PrincipalResolver if LDAP is
> | the only attribute source.
> -->
>
> That sounds great, it fits our usage perfectly.
>
> My question, though -- is this sufficient for releasing attributes via
> SAML?
>
> I ask because I set up mod_auth_cas to use SAML (I had some issues
> with that, which I posted to the mod_auth_cas list, and they're almost
> resolved). But I'm not getting any attributes. I can see information
> about the attributes in CAS logs -- lines like this:
>
> ... [org.jasig.cas.authentication.LdapAuthenticationHandler] - <Found
> principal attribute: [uid[mepstein]]>
>
> so I believe attribute resolution is working fine.
>
> If I can use the above, any ideas on what else I'm missing?
>
> If I can't, then I assume it's a matter of using a PrincipalResolver
> or modifying mod_auth_cas to handle CAS protocol 3, correct?
>
> Thanks.
>
> Milt Epstein
> Applications Developer
> Graduate School of Library and Information Science (GSLIS)
> University of Illinois at Urbana-Champaign (UIUC)
> [email protected]
>
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>