Arf! It doesn't work 100% :-(
I allow my users to log in with different usernames (uid, 
eduPersonPrincipalName or mail).
If they log in with uid or mail, it works. Otherwise, it won't work.

The attribute which must be sent to the CAS client depends on the 
service via the /usernameAttribute/ property of services.
The attributeRepository is as follows:

         <bean id="attributeRepository" 
class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
             <property name="baseDN" value="ou=people,dc=univ-lille3,dc=fr"/>
             <property name="contextSource" ref="contextSource" />
             <property name="requireAllQueryAttributes" value="false"/>
             <property name="queryType" value="OR" />
             <property name="queryAttributeMapping">
                 <map>
                     <entry key="username" value="eduPersonPrincipalName" />
                     <entry key="username" value="uid" />
                     <entry key="username" value="mail" />
                 </map>
             </property>
             <property name="resultAttributeMapping">
                 <map>
                     <entry key="uid" value="uid" />
                     <entry key="mail" value="mail" />
                     <entry key="eduPersonPrincipalName" value="eduPersonPrincipalName" />
                 </map>
             </property>
         </bean>

I have turned on the LDAP log and it shows that CAS doesn't do what I 
expected it to do:
Feb  2 11:32:43 ldap-test slapd[61387]: conn=3852 op=1 SRCH base="ou=people,dc=univ-lille3,dc=fr" scope=2 deref=3 filter="(mail=sderosiaux)"
Feb  2 11:32:43 ldap-test slapd[61387]: conn=3852 op=1 SRCH attr=uid mail eduPersonPrincipalName
...
Feb  2 11:32:43 ldap-test slapd[61387]: conn=3526 op=28 SRCH base="ou=people,dc=univ-lille3,dc=fr" scope=2 deref=3 filter="(uid=sderosiaux)"
Feb  2 11:32:43 ldap-test slapd[61387]: conn=3852 op=1 SRCH attr=uid mail eduPersonPrincipalName

Why doesn't CAS try with the eduPersonPrincipalName attribute?

Sylvain

On 30/01/2015 11:43, Sylvain DEROSIAUX wrote:
> Yes, I misunderstood this parameter, so I replaced this part with only
>
> <entry key="username" value="uid" />
>
> But it didn't work either.
> A friend gave me a working solution, so I compared the source code and saw 
> he doesn't use the CredentialsToLDAPAttributePrincipalResolver bean. I 
> removed it from my configuration and now it works like a charm!
>
> Thanks
> Sylvain
>
> On 29/01/2015 19:38, John Gasper wrote:
>> I don't think the queryAttributeMapping is working the way you think 
>> it is... At least I've never been able to get it to work like that. 
>> You'll need to split it up because "username" is essentially the 
>> placeholder where the identity (jdoe) is inserted when the ldap query 
>> runs. (unfortunately it is the key so multiple search attributes 
>> (uid, mail, etc) can't be done here).
>>
>> Check out 
>> https://github.com/jtgasper3/raspberrypi-iam/blob/master/cas-war-overlay/src/main/webapp/WEB-INF/deployerConfigContext.xml.
>> It has a split config that uses an inherited base bean config.
>>
>> ---
>> *John Gasper*
>> IAM Consultant
>> Unicon, Inc.
>> PGP/GPG Key: 0xbafee3ef
>>
>> On 1/29/15 5:47 AM, Sylvain DEROSIAUX wrote:
>>> Hi!
>>>
>>> I want to use the /principalAttributeName/ feature following the CAS 
>>> documentation (https://wiki.jasig.org/display/casum/attributes) but 
>>> it didn't work because my CAS (v3.5.3) cannot retrieve attributes 
>>> from my LDAP (login is OK):
>>>
>>> 2015-01-29 14:07:45,730 WARN [org.jasig.cas.CentralAuthenticationServiceImpl] - Principal [xxx] did not have attribute [mail] among attributes [{}] so CAS cannot provide on the validation response the user attribute the registered service *** expects. CAS will instead return the default username attribute [xxx]
>>>
>>> I have checked access to the attributes with the user; it's OK.
>>> In the LDAP log, the attributes are not requested:
>>>
>>> Jan 29 14:21:29 ldap-test slapd[2968]: conn=141942 op=1 SRCH base="ou=people,dc=univ-lille3,dc=fr" scope=2 deref=3 filter="(&(!(lille3BlockedDate=*))(|(eduPersonPrincipalName=xxx)(uid=xxx)(mail=xxx)))"
>>> Jan 29 14:21:29 ldap-test slapd[2968]: conn=141942 op=1 SRCH attr=1.1
>>> ...
>>> Jan 29 14:21:29 ldap-test slapd[2968]: conn=141944 op=1 SRCH base="ou=people,dc=univ-lille3,dc=fr" scope=2 deref=3 filter="(|(eduPersonPrincipalName=xxx)(uid=xxx)(mail=xxx))"
>>> Jan 29 14:21:29 ldap-test slapd[2968]: conn=141944 op=1 SRCH attr=uid
>>>
>>> Now, here is the relevant part of my /deployerConfigContext.xml/ file:
>>>
>>> The use of the attribute repository:
>>>
>>> <property name="credentialsToPrincipalResolvers">
>>>     <list>
>>>         <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
>>>             <!-- The Principal resolver from the credentials -->
>>>             <property name="credentialsToPrincipalResolver">
>>>                 <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>>>             </property>
>>>             <property name="filter" value="(|(eduPersonPrincipalName=%u)(uid=%u)(mail=%u))" />
>>>             <property name="principalAttributeName" value="uid" />
>>>             <property name="searchBase" value="ou=people,dc=univ-lille3,dc=fr" />
>>>             <property name="contextSource" ref="contextSource" />
>>>         </bean>
>>>         <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
>>>             <property name="attributeRepository" ref="attributeRepository" />
>>>         </bean>
>>>         <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
>>>     </list>
>>> </property>
>>>
>>> The configuration of the attribute repository:
>>>
>>> <bean id="attributeRepository"
>>> class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
>>>     <property name="baseDN" value="ou=people,dc=univ-lille3,dc=fr"/>
>>>     <property name="contextSource" ref="contextSource" />
>>>     <property name="requireAllQueryAttributes" value="true"/>
>>>
>>>     <property name="queryAttributeMapping">
>>>         <map>
>>>             <entry key="uid" value="uid" />
>>>             <entry key="mail" value="mail" />
>>>         </map>
>>>     </property>
>>>
>>>     <property name="resultAttributeMapping">
>>>         <map>
>>>             <entry key="uid" value="uid" />
>>>             <entry key="mail" value="mail" />
>>>         </map>
>>>     </property>
>>> </bean>
>>>
>>> The configuration of the services:
>>>
>>> <bean id="serviceRegistryDao" 
>>> class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
>>>     <property name="registeredServices">
>>>         <list>
>>>             <bean class="org.jasig.cas.services.RegexRegisteredService">
>>>                 <property name="id" value="0" />
>>>                 <property name="name" value="Test" />
>>>                 <property name="description" value="" />
>>>                 <property name="serviceId" value="***" />
>>>                 <property name="usernameAttribute" value="mail" />
>>>                 <property name="evaluationOrder" value="0" />
>>>                 <property name="allowedAttributes">
>>>                     <list>
>>>                         <value>mail</value>
>>>                     </list>
>>>                 </property>
>>>             </bean>
>>> ...
>>>         </list>
>>>     </property>
>>> </bean>
>>>
>>> Any help will be welcome :)
>>>
>>> Sylvain
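As an added illustration (not CAS or person-directory code, and not from anyone in this thread) of the point John makes about "username" being a single placeholder key, and of the OR-ed filter the first message puts in the resolver's filter property: the Python model below loads a query-attribute map the way a map with one value per key would (the "last entry wins" collapse is an assumption of the model), builds a filter per lookup, and shows the split form with one clause per candidate attribute. The submitted login is escaped per RFC 4515 before it is placed in the filter, so filter metacharacters in a login name cannot change the query; the slapd lines quoted earlier show the raw login landing in the filter, which is where that escaping matters. All function names are the model's own.

```python
"""Model of how a queryAttributeMapping turns a submitted login name into an
LDAP search filter.  Added illustration; not CAS or person-directory code, and
the map semantics (one value per key, last entry wins) are an assumption."""
from typing import Dict, Iterable, List, Tuple

# RFC 4515 escaping for a value placed inside a search filter, so that a
# login containing '*', '(' or ')' cannot widen or rewrite the query.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value per RFC 4515.  Every character is mapped
    exactly once, so backslashes are never double-escaped."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def load_mapping(entries: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Load <entry key=... value=.../> pairs in document order.  A repeated
    key overwrites the earlier one, so three 'username' entries leave only
    one search attribute behind (assumed map semantics)."""
    mapping: Dict[str, str] = {}
    for key, ldap_attr in entries:
        mapping[key] = ldap_attr
    return mapping


def build_filter(mapping: Dict[str, str], query: Dict[str, str],
                 query_type: str = "AND") -> str:
    """Build the filter for one lookup: one (attr=value) clause per mapping
    key that has a submitted value, joined with & or | per query_type.
    Keys without a value are skipped (the requireAllQueryAttributes=false
    case in the thread)."""
    clauses: List[str] = [
        f"({ldap_attr}={escape_filter_value(query[key])})"
        for key, ldap_attr in mapping.items() if key in query
    ]
    if not clauses:
        raise ValueError("no query attribute has a submitted value")
    if len(clauses) == 1:
        return clauses[0]
    op = "|" if query_type.upper() == "OR" else "&"
    return f"({op}{''.join(clauses)})"


def multi_attribute_filter(login: str, attrs: Iterable[str]) -> str:
    """The split form: one distinct key per candidate attribute, all bound
    to the same login and OR-ed together, like the resolver's filter
    property but with the login escaped."""
    mapping = {f"username_{a}": a for a in attrs}
    query = {key: login for key in mapping}
    return build_filter(mapping, query, "OR")


if __name__ == "__main__":
    # Constructed inputs mirroring the thread's configuration.
    collapsed = load_mapping([("username", "eduPersonPrincipalName"),
                              ("username", "uid"), ("username", "mail")])
    print(collapsed)                                      # {'username': 'mail'}
    print(build_filter(collapsed, {"username": "sderosiaux"}, "OR"))
    print(multi_attribute_filter("sderosiaux",
                                 ["eduPersonPrincipalName", "uid", "mail"]))
    print(multi_attribute_filter("a*)(uid=b", ["uid"]))   # metacharacters escaped
```

Running it prints the collapsed map with only the last entry, the single `(mail=sderosiaux)` clause that collapse produces, the three-way OR filter the split form gives, and an escaped value showing that a login with filter syntax in it stays a literal assertion value.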


-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
