Hello
I too struggled too much to retrieve the attributes initially and spent too much time....
Later I decided to retrieve the needed LDAP attributes myself after successful login.
In my case I used Java, the Spring framework, etc... If you too use the same, the below may help....
I have my class MyCasAuthenticationUserDetailsService that would look like below and extends
org.springframework.security.core.userdetails.AuthenticationUserDetailsService
And in the initialiseAdditionalUserDetails() method I retrieve the needed attributes and set them in my own CasUser class which extends org.springframework.security.core.userdetails.User
import java.util.ArrayList;
import java.util.List;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.ldaptive.ConnectionFactory;
import org.ldaptive.LdapAttribute;
import org.ldaptive.LdapEntry;
import org.ldaptive.LdapException;
import org.ldaptive.SearchExecutor;
import org.ldaptive.SearchFilter;
import org.ldaptive.SearchResult;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class MyCasAuthenticationUserDetailsService implements
        AuthenticationUserDetailsService<Authentication> {

    // Logger (the post does not show which logging API LOG uses; commons-logging assumed)
    private static final Log LOG = LogFactory.getLog(MyCasAuthenticationUserDetailsService.class);

    // CAS has already validated the ticket, so no real password is stored on the UserDetails
    private static final String NON_EXISTENT_PASSWORD_VALUE = "NO_PASSWORD";

    // ldaptive objects; init() builds them from the ldapUrl/ldapAdminDn/ldapAdminPwd/
    // ldapUserBaseDn bean properties (init() and getRoles() are not shown in the post)
    private ConnectionFactory connectionFactory;
    private SearchExecutor searchExecutor;

    // Note: this bean is a Spring singleton, so per-request state kept in a field is shared
    // between concurrent logins; safer to pass the name to init()/getRoles() as a parameter
    private String sAMAccountName;

    @Override
    public UserDetails loadUserDetails(Authentication token) throws UsernameNotFoundException {
        // token.getName() is the principal id taken from the validated CAS assertion
        sAMAccountName = token.getName();
        init();
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String role : getRoles()) {
            authorities.add(new SimpleGrantedAuthority(role));
        }
        CasUser user = new CasUser(sAMAccountName, NON_EXISTENT_PASSWORD_VALUE, authorities);
        // Sets additional user details
        user = initialiseAdditionalUserDetails(sAMAccountName, user);
        return user;
    }

    /**
     * Initialise additional user details like country, ISO country code, email, etc.
     */
    private CasUser initialiseAdditionalUserDetails(String sAMAccountName, CasUser user) {
        try {
            // Bind the account name as a filter parameter so ldaptive escapes it (RFC 4515)
            // instead of concatenating it straight into the filter string
            SearchFilter filter = new SearchFilter("(sAMAccountName={user})");
            filter.setParameter("user", sAMAccountName);
            SearchResult searchResult = searchExecutor.search(connectionFactory, filter,
                    "c", "co", "mail", "givenName", "sn", "displayName").getResult();
            LdapEntry entry = searchResult.getEntry();
            if (entry != null) {
                String firstName = value(entry, "givenName");
                if (firstName != null) {
                    user.setFirstName(firstName);
                }
                String lastName = value(entry, "sn");
                if (lastName != null) {
                    user.setLastName(lastName);
                }
                String fullName = value(entry, "displayName");
                if (fullName != null) {
                    user.setFullName(fullName);
                }
                String isoCountryCode = value(entry, "c");
                if (isoCountryCode != null) {
                    user.setIsoCountryCode(isoCountryCode);
                }
                String country = value(entry, "co");
                if (country != null) {
                    user.setCountry(country);
                }
                String email = value(entry, "mail");
                if (email != null) {
                    user.setEmail(email);
                }
            }
        } catch (LdapException e) {
            LOG.error("LDAP attribute lookup failed for " + sAMAccountName, e);
        }
        return user;
    }

    /** Returns the first string value of the named attribute, or null when the entry lacks it. */
    private static String value(LdapEntry entry, String name) {
        LdapAttribute attribute = entry.getAttribute(name);
        return attribute != null ? attribute.getStringValue() : null;
    }
}
And finally, on the CAS Java clients.... I configure myCasAuthenticationUserDetailsService as below.....
<beans:bean id="casAuthenticationProvider"
    class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
    <beans:property name="serviceProperties" ref="serviceProperties" />
    <beans:property name="ticketValidator" ref="ticketValidator" />
    <beans:property name="authenticationUserDetailsService"
        ref="myCasAuthenticationUserDetailsService" />
    <beans:property name="key" value="notification" />
</beans:bean>

<beans:bean id="myCasAuthenticationUserDetailsService"
    class="com.jai.cas.MyCasAuthenticationUserDetailsService">
    <beans:property name="ldapUrl" value="${ldapUrl}" />
    <beans:property name="ldapAdminDn" value="${ldapAdminDn}" />
    <beans:property name="ldapAdminPwd" value="${ldapAdminPwd}" />
    <beans:property name="ldapUserBaseDn" value="${ldapUserBaseDn}" />
</beans:bean>
This would retrieve all the needed attributes....
Cheers
Jay
On Thu, Jan 29, 2015 at 1:47 PM, Sylvain DEROSIAUX <[email protected]> wrote:
> Hi!
>
> I want to use the principalAttributeName feature following the CAS
> documentation (https://wiki.jasig.org/display/casum/attributes) but it
> didn't work because my CAS (v3.5.3) cannot retrieve attributes from my LDAP
> (login is OK):
>
> 2015-01-29 14:07:45,730 WARN [org.jasig.cas.CentralAuthenticationServiceImpl] - Principal [xxx] did not have attribute [mail] among attributes [{}] so CAS cannot provide on the validation response the user attribute the registered service *** expects. CAS will instead return the default username attribute [xxx]
>
> I have checked access to the attributes with the user; it's OK.
> In the LDAP log, the attributes are not requested:
>
> Jan 29 14:21:29 ldap-test slapd[2968]: conn=141942 op=1 SRCH base="ou=people,dc=univ-lille3,dc=fr" scope=2 deref=3 filter="(&(!(lille3BlockedDate=*))(|(eduPersonPrincipalName=xxx)(uid=xxx)(mail=xxx)))"
> Jan 29 14:21:29 ldap-test slapd[2968]: conn=141942 op=1 SRCH attr=1.1
> ...
> Jan 29 14:21:29 ldap-test slapd[2968]: conn=141944 op=1 SRCH base="ou=people,dc=univ-lille3,dc=fr" scope=2 deref=3 filter="(|(eduPersonPrincipalName=xxx)(uid=xxx)(mail=xxx))"
> Jan 29 14:21:29 ldap-test slapd[2968]: conn=141944 op=1 SRCH attr=uid
>
> Now, here is the relevant part of my deployerConfigContext.xml file:
>
> The use of the attribute repository:
>
> <property name="credentialsToPrincipalResolvers">
>     <list>
>         <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
>             <!-- The Principal resolver from the credentials -->
>             <property name="credentialsToPrincipalResolver">
>                 <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>             </property>
>             <property name="filter" value="(|(eduPersonPrincipalName=%u)(uid=%u)(mail=%u))" />
>             <property name="principalAttributeName" value="uid" />
>             <property name="searchBase" value="ou=people,dc=univ-lille3,dc=fr" />
>             <property name="contextSource" ref="contextSource" />
>         </bean>
>         <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
>             <property name="attributeRepository" ref="attributeRepository" />
>         </bean>
>         <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
>     </list>
> </property>
>
> The configuration of the attribute repository :
>
> <bean id="attributeRepository"
>       class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
>     <property name="baseDN" value="ou=people,dc=univ-lille3,dc=fr"/>
>     <property name="contextSource" ref="contextSource" />
>     <property name="requireAllQueryAttributes" value="true"/>
>
>     <property name="queryAttributeMapping">
>         <map>
>             <entry key="uid" value="uid" />
>             <entry key="mail" value="mail" />
>         </map>
>     </property>
>
>     <property name="resultAttributeMapping">
>         <map>
>             <entry key="uid" value="uid" />
>             <entry key="mail" value="mail" />
>         </map>
>     </property>
> </bean>
>
> The configuration of the services :
>
> <bean id="serviceRegistryDao"
>       class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
>     <property name="registeredServices">
>         <list>
>             <bean class="org.jasig.cas.services.RegexRegisteredService">
>                 <property name="id" value="0" />
>                 <property name="name" value="Test" />
>                 <property name="description" value="" />
>                 <property name="serviceId" value="***" />
>                 <property name="usernameAttribute" value="mail" />
>                 <property name="evaluationOrder" value="0" />
>                 <property name="allowedAttributes">
>                     <list>
>                         <value>mail</value>
>                     </list>
>                 </property>
>             </bean>
>             ...
>         </list>
>     </property>
> </bean>
>
> Any help will be welcome :)
>
> Sylvain
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
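As an added example (not code from either post, CAS or ldaptive), the following self-contained Java class builds the principal lookup filter from Sylvain's resolver configuration, (|(eduPersonPrincipalName=%u)(uid=%u)(mail=%u)), with the RFC 4515 value escaping that Jay's string concatenation of sAMAccountName lacks; the class name PrincipalFilter, its method names and the attribute list are assumptions.

```java
import java.util.Arrays;
import java.util.List;

// Added example: builds a CAS-style principal lookup filter with RFC 4515 escaping.
// PrincipalFilter and its method names are assumptions, not part of CAS or ldaptive.
public final class PrincipalFilter {

    /** Escapes one assertion value as RFC 4515 section 3 requires. */
    static String escapeValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Expands the %u placeholder the way the CAS resolver filter
     * "(|(eduPersonPrincipalName=%u)(uid=%u)(mail=%u))" does, but with the
     * username escaped once before it is substituted into every clause.
     */
    static String principalFilter(List<String> attributes, String username) {
        String escaped = escapeValue(username);
        StringBuilder sb = new StringBuilder("(|");
        for (String attribute : attributes) {
            sb.append('(').append(attribute).append('=').append(escaped).append(')');
        }
        return sb.append(')').toString();
    }

    public static void main(String[] args) {
        List<String> attributes = Arrays.asList("eduPersonPrincipalName", "uid", "mail");
        // Plain username: produces the same filter shape seen in the slapd log above
        System.out.println(principalFilter(attributes, "xxx"));
        // A constructed username containing a filter metacharacter stays a literal value
        System.out.println(principalFilter(attributes, "a*b"));
    }
}
```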