I don't think the queryAttributeMapping is working the way you think it is... At least I've never been able to get it to work like that. You'll need to split it up because "username" is essentially the placeholder where the identity (jdoe) is inserted when the LDAP query runs. (Unfortunately, it is the key, so multiple search attributes (uid, mail, etc.) can't be done here.)
Check out https://github.com/jtgasper3/raspberrypi-iam/blob/master/cas-war-overlay/src/main/webapp/WEB-INF/deployerConfigContext.xml. It has a split config that uses an inherited base bean config.

---
*John Gasper*
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef

On 1/29/15 5:47 AM, Sylvain DEROSIAUX wrote:
> Hi!
>
> I want to use the /principalAttributeName/ feature following the CAS
> documentation (https://wiki.jasig.org/display/casum/attributes), but it
> didn't work because my CAS (v3.5.3) cannot retrieve attributes from my
> LDAP (login is OK):
>
> 2015-01-29 14:07:45,730 WARN [org.jasig.cas.CentralAuthenticationServiceImpl] - Principal [xxx] did not have attribute [mail] among attributes *[{}] *so CAS cannot provide on the validation response the user attribute the registered service *** expects. CAS will instead return the default username attribute [xxx]
>
> I have checked access to attributes with the user, it's ok.
> In the LDAP log, attributes are not requested:
>
> Jan 29 14:21:29 ldap-test slapd[2968]: conn=141942 op=1 SRCH base="ou=people,dc=univ-lille3,dc=fr" scope=2 deref=3 filter="(&(!(lille3BlockedDate=*))(|(eduPersonPrincipalName=xxx)(uid=xxx)(mail=xxx)))"
> Jan 29 14:21:29 ldap-test slapd[2968]: conn=141942 op=1 SRCH attr=1.1
> ...
> Jan 29 14:21:29 ldap-test slapd[2968]: conn=141944 op=1 SRCH base="ou=people,dc=univ-lille3,dc=fr" scope=2 deref=3 filter="(|(eduPersonPrincipalName=xxx)(uid=xxx)(mail=xxx))"
> Jan 29 14:21:29 ldap-test slapd[2968]: conn=141944 op=1 SRCH attr=uid
>
> Now, here is the relevant part from my /deployerConfigContext.xml/ file:
>
> The use of the attribute repository:
>
> <property name="credentialsToPrincipalResolvers">
>   <list>
>     <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
>       <!-- The Principal resolver from the credentials -->
>       <property name="credentialsToPrincipalResolver">
>         <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>       </property>
>       <property name="filter" value="(|(eduPersonPrincipalName=%u)(uid=%u)(mail=%u))" />
>       <property name="principalAttributeName" value="uid" />
>       <property name="searchBase" value="ou=people,dc=univ-lille3,dc=fr" />
>       <property name="contextSource" ref="contextSource" />
>     </bean>
>     <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
>       <property name="attributeRepository" ref="attributeRepository" />
>     </bean>
>     <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
>   </list>
> </property>
>
> The configuration of the attribute repository:
>
> <bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
>   <property name="baseDN" value="ou=people,dc=univ-lille3,dc=fr"/>
>   <property name="contextSource" ref="contextSource" />
>   <property name="requireAllQueryAttributes" value="true"/>
>
>   <property name="queryAttributeMapping">
>     <map>
>       <entry key="uid" value="uid" />
>       <entry key="mail" value="mail" />
>     </map>
>   </property>
>
>   <property name="resultAttributeMapping">
>     <map>
>       <entry key="uid" value="uid" />
>       <entry key="mail" value="mail" />
>     </map>
>   </property>
> </bean>
>
> The configuration of the services:
>
> <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
>   <property name="registeredServices">
>     <list>
>       <bean class="org.jasig.cas.services.RegexRegisteredService">
>         <property name="id" value="0" />
>         <property name="name" value="Test" />
>         <property name="description" value="" />
>         <property name="serviceId" value="***" />
>         <property name="usernameAttribute" value="mail" />
>         <property name="evaluationOrder" value="0" />
>         <property name="allowedAttributes">
>           <list>
>             <value>mail</value>
>           </list>
>         </property>
>       </bean>
>       ...
>     </list>
>   </property>
> </bean>
>
> Any help will be welcome :)
>
> Sylvain
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
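The shape John describes, written out as an added example (it is neither Sylvain's quoted configuration nor the contents of John's linked deployerConfigContext.xml): one LdapPersonAttributeDao per LDAP search attribute, each keyed on the single "username" placeholder, sharing an abstract Spring parent bean and aggregated by person-directory's MergingPersonAttributeDaoImpl. The baseDN, attribute names and bean classes come from the thread; the bean ids and the assumption that the CredentialsToLDAPAttributePrincipalResolver in the quoted resolver list accepts an attributeRepository property (the quoted config wires it on the second resolver, while CAS uses the first resolver that supports the credential) are mine.

```xml
<!-- Added example, not from the thread's authors. Shared settings live in an
     abstract parent: Spring never instantiates an abstract="true" bean itself;
     child beans inherit every property set here and may override any of them. -->
<bean id="abstractLdapAttributeDao" abstract="true"
      class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="contextSource" ref="contextSource" />
  <property name="baseDN" value="ou=people,dc=univ-lille3,dc=fr" />
  <!-- Do not search at all unless every query attribute has a value -->
  <property name="requireAllQueryAttributes" value="true" />
  <!-- LDAP attribute returned (key) -> attribute name CAS can release (value) -->
  <property name="resultAttributeMapping">
    <map>
      <entry key="uid" value="uid" />
      <entry key="mail" value="mail" />
    </map>
  </property>
</bean>

<!-- "username" is the only query key person-directory fills in: it is the
     placeholder that receives the resolved principal id (e.g. jdoe), so a single
     DAO can compare it against exactly one LDAP attribute. With
     principalAttributeName="uid" on the resolver, this child is sufficient. -->
<bean id="uidAttributeDao" parent="abstractLdapAttributeDao">
  <property name="queryAttributeMapping">
    <map>
      <entry key="username" value="uid" />
    </map>
  </property>
</bean>

<!-- A second child is only worthwhile when the principal id handed to
     person-directory may itself be a mail address; the searches are
     independent, so one DAO returning no entry does not block the other. -->
<bean id="mailAttributeDao" parent="abstractLdapAttributeDao">
  <property name="queryAttributeMapping">
    <map>
      <entry key="username" value="mail" />
    </map>
  </property>
</bean>

<!-- The bean the principal resolver references: queries each child DAO for the
     same principal id and merges the resulting attribute maps. -->
<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.MergingPersonAttributeDaoImpl">
  <property name="personAttributeDaos">
    <list>
      <ref bean="uidAttributeDao" />
      <ref bean="mailAttributeDao" />
    </list>
  </property>
</bean>

<!-- Wiring (assumption: the LDAP-attribute resolver accepts attributeRepository).
     The repository must hang off the resolver that actually produces the
     principal, i.e. the first resolver in the list that supports the credential;
     keying the lookup on the canonical uid means the attributes released to a
     service belong to the entry that authenticated, whichever of
     eduPersonPrincipalName, uid or mail the user typed at login. -->
<bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
  <property name="credentialsToPrincipalResolver">
    <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
  </property>
  <property name="filter" value="(|(eduPersonPrincipalName=%u)(uid=%u)(mail=%u))" />
  <property name="principalAttributeName" value="uid" />
  <property name="searchBase" value="ou=people,dc=univ-lille3,dc=fr" />
  <property name="contextSource" ref="contextSource" />
  <property name="attributeRepository" ref="attributeRepository" />
</bean>
```

A quick check after deploying: the slapd log should now show a second SRCH whose filter is `(uid=<principal>)` followed by the requested attributes rather than `attr=1.1`, and the WARN line from CentralAuthenticationServiceImpl should list `mail` among the principal's attributes instead of `[{}]`.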
