I've solved my problem. See my reply this morning, but thanks for your
interesting workaround.
Sylvain
On 30/01/2015 13:22, Jay wrote:
> Hello
>
> I too struggled too much to retrieve the attributes initially and
> spent too much time....
> Later I decided to retrieve the needed LDAP attributes myself after
> successful login.
>
> In my case I used Java, Spring framework, etc... if you too use the
> same the below may help....
>
> I have my class MyCasAuthenticationUserDetailsService that would look
> like below and
> extends
> org.springframework.security.core.userdetails.AuthenticationUserDetailsService
>
> And in initialiseAdditionalUserDetails() method I retrieve the needed
> attributes and set in my own CasUser class which
> extends org.springframework.security.core.userdetails.User
>
>
>
> import java.util.ArrayList;
> import java.util.List;
>
> import org.ldaptive.ConnectionFactory;
> import org.ldaptive.LdapEntry;
> import org.ldaptive.LdapException;
> import org.ldaptive.SearchExecutor;
> import org.ldaptive.SearchFilter;
> import org.ldaptive.SearchResult;
> import org.slf4j.Logger;
> import org.slf4j.LoggerFactory;
> import org.springframework.security.core.Authentication;
> import org.springframework.security.core.GrantedAuthority;
> import org.springframework.security.core.authority.SimpleGrantedAuthority;
> import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
> import org.springframework.security.core.userdetails.UserDetails;
> import org.springframework.security.core.userdetails.UsernameNotFoundException;
>
> public class MyCasAuthenticationUserDetailsService implements
>         AuthenticationUserDetailsService<Authentication> {
>
>     // slf4j assumed here; any logger with error(String, Throwable) works.
>     private static final Logger LOG =
>             LoggerFactory.getLogger(MyCasAuthenticationUserDetailsService.class);
>
>     // No credential reaches this application (CAS authenticated the user),
>     // so the UserDetails object gets a placeholder password.
>     private static final String NON_EXISTENT_PASSWORD_VALUE = "NONE_PROVIDED";
>
>     // ldaptive objects created by init() from the ldapUrl/ldapAdminDn/ldapAdminPwd/
>     // ldapUserBaseDn properties (init() and getRoles() are not shown in the post).
>     private ConnectionFactory connectionFactory;
>     private SearchExecutor searchExecutor;
>
>     // Shared instance field: concurrent logins through this singleton bean overwrite it,
>     // so prefer passing the name to init()/getRoles() as a parameter.
>     private String sAMAccountName;
>
>     @Override
>     public UserDetails loadUserDetails(Authentication token) throws
>             UsernameNotFoundException {
>         sAMAccountName = token.getName();
>
>         init();
>
>         List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
>         for (String role : getRoles()) {
>             authorities.add(new SimpleGrantedAuthority(role));
>         }
>
>         CasUser user = new CasUser(sAMAccountName,
>                 NON_EXISTENT_PASSWORD_VALUE, authorities);
>
>         // Sets additional user details
>         user = initialiseAdditionalUserDetails(sAMAccountName, user);
>
>         return user;
>     }
>
>     /**
>      * Initialise additional user details like country, ISO country code,
>      * email, etc.
>      */
>     private CasUser initialiseAdditionalUserDetails(String sAMAccountName, CasUser user) {
>         try {
>             // The account name is passed as a filter parameter so ldaptive escapes
>             // the RFC 4515 metacharacters instead of concatenating it into the filter.
>             SearchFilter filter = new SearchFilter("(sAMAccountName={name})");
>             filter.setParameter("name", sAMAccountName);
>             SearchResult searchResult = searchExecutor.search(connectionFactory, filter,
>                     "c", "co", "mail", "givenName", "sn", "displayName").getResult();
>             LdapEntry entry = searchResult.getEntry();
>
>             if (entry != null) {
>                 String firstName = stringValue(entry, "givenName");
>                 if (firstName != null) user.setFirstName(firstName);
>                 String lastName = stringValue(entry, "sn");
>                 if (lastName != null) user.setLastName(lastName);
>                 String fullName = stringValue(entry, "displayName");
>                 if (fullName != null) user.setFullName(fullName);
>                 String isoCountryCode = stringValue(entry, "c");
>                 if (isoCountryCode != null) user.setIsoCountryCode(isoCountryCode);
>                 String country = stringValue(entry, "co");
>                 if (country != null) user.setCountry(country);
>                 String email = stringValue(entry, "mail");
>                 if (email != null) user.setEmail(email);
>             }
>         } catch (LdapException e) {
>             LOG.error("Could not read LDAP attributes for " + sAMAccountName, e);
>         }
>
>         return user;
>     }
>
>     // First string value of the attribute, or null when the entry does not carry it.
>     private static String stringValue(LdapEntry entry, String attributeName) {
>         return entry.getAttribute(attributeName) == null
>                 ? null : entry.getAttribute(attributeName).getStringValue();
>     }
> }
>
>
> And finally on the CAS Java clients .... I configure
> myCasAuthenticationUserDetailsService as below.....
>
>
> <beans:bean id="casAuthenticationProvider"
>     class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
>   <beans:property name="serviceProperties" ref="serviceProperties" />
>   <beans:property name="ticketValidator" ref="ticketValidator" />
>   <beans:property name="authenticationUserDetailsService"
>       ref="myCasAuthenticationUserDetailsService" />
>   <beans:property name="key" value="notification" />
> </beans:bean>
>
> <beans:bean id="myCasAuthenticationUserDetailsService"
>     class="com.jai.cas.MyCasAuthenticationUserDetailsService">
>   <beans:property name="ldapUrl" value="${ldapUrl}" />
>   <beans:property name="ldapAdminDn" value="${ldapAdminDn}" />
>   <beans:property name="ldapAdminPwd" value="${ldapAdminPwd}" />
>   <beans:property name="ldapUserBaseDn" value="${ldapUserBaseDn}" />
> </beans:bean>
>
>
> This would retrieve all the needed attributes....
>
> Cheers
> Jay
>
>
> On Thu, Jan 29, 2015 at 1:47 PM, Sylvain DEROSIAUX
> <[email protected]> wrote:
>
> Hi !
>
> I want to use the principalAttributeName feature following the CAS
> documentation (https://wiki.jasig.org/display/casum/attributes),
> but it didn't work because my CAS (v3.5.3) cannot retrieve
> attributes from my LDAP (login is OK):
>
> 2015-01-29 14:07:45,730 WARN
> [org.jasig.cas.CentralAuthenticationServiceImpl] - Principal [xxx]
> did not have attribute [mail] among attributes *[{}] *so CAS
> cannot provide on the validation response the user attribute the
> registered service *** expects. CAS will instead return the
> default username attribute [xxx]
>
> I have checked access to the attributes with the user; it's OK.
> In the LDAP log, the attributes are not requested:
>
> Jan 29 14:21:29 ldap-test slapd[2968]: conn=141942 op=1 SRCH base="ou=people,dc=univ-lille3,dc=fr" scope=2 deref=3 filter="(&(!(lille3BlockedDate=*))(|(eduPersonPrincipalName=xxx)(uid=xxx)(mail=xxx)))"
> Jan 29 14:21:29 ldap-test slapd[2968]: conn=141942 op=1 SRCH attr=1.1
> ...
> Jan 29 14:21:29 ldap-test slapd[2968]: conn=141944 op=1 SRCH base="ou=people,dc=univ-lille3,dc=fr" scope=2 deref=3 filter="(|(eduPersonPrincipalName=xxx)(uid=xxx)(mail=xxx))"
> Jan 29 14:21:29 ldap-test slapd[2968]: conn=141944 op=1 SRCH attr=uid
>
> Now, here is the relevant part of my deployerConfigContext.xml file:
>
> The use of the attribute repository :
>
> <property name="credentialsToPrincipalResolvers">
>   <list>
>     <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
>       <!-- The Principal resolver from the credentials -->
>       <property name="credentialsToPrincipalResolver">
>         <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>       </property>
>       <property name="filter" value="(|(eduPersonPrincipalName=%u)(uid=%u)(mail=%u))" />
>       <property name="principalAttributeName" value="uid" />
>       <property name="searchBase" value="ou=people,dc=univ-lille3,dc=fr" />
>       <property name="contextSource" ref="contextSource" />
>     </bean>
>     <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
>       <property name="attributeRepository" ref="attributeRepository" />
>     </bean>
>     <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
>   </list>
> </property>
>
> The configuration of the attribute repository :
>
> <bean id="attributeRepository"
>     class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
>   <property name="baseDN" value="ou=people,dc=univ-lille3,dc=fr"/>
>   <property name="contextSource" ref="contextSource" />
>   <property name="requireAllQueryAttributes" value="true"/>
>
>   <property name="queryAttributeMapping">
>     <map>
>       <entry key="uid" value="uid" />
>       <entry key="mail" value="mail" />
>     </map>
>   </property>
>
>   <property name="resultAttributeMapping">
>     <map>
>       <entry key="uid" value="uid" />
>       <entry key="mail" value="mail" />
>     </map>
>   </property>
> </bean>
>
> The configuration of the services :
>
> <bean id="serviceRegistryDao"
>     class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
>   <property name="registeredServices">
>     <list>
>       <bean class="org.jasig.cas.services.RegexRegisteredService">
>         <property name="id" value="0" />
>         <property name="name" value="Test" />
>         <property name="description" value="" />
>         <property name="serviceId" value="***" />
>         <property name="usernameAttribute" value="mail" />
>         <property name="evaluationOrder" value="0" />
>         <property name="allowedAttributes">
>           <list>
>             <value>mail</value>
>           </list>
>         </property>
>       </bean>
>       ...
>     </list>
>   </property>
> </bean>
>
> Any help will be welcome :)
>
> Sylvain
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>