Because a map cannot contain duplicate keys. You have specified 3 different values for the same key that is “username”. Each one is going to overwrite the previous, which should just have you using “mail” as the query attribute. (I don’t know how uid works. It should not, unless its value matches mail somehow).
Instead of a single one-to-one key->value, specify the key as username but as the value, give it a list of possible values. That might work. You can also enable DEBUG logs for persondirectory and observe the query that gets constructed.

From: Sylvain DEROSIAUX [mailto:[email protected]]
Sent: Monday, February 2, 2015 3:44 AM
To: [email protected]
Subject: Re: [cas-user] Cannot retrieve attributes from LDAP with CAS 3.5.3

Arf! It doesn't work 100% :-(

I permit my users to log in with different usernames (uid, eduPersonPrincipalName or mail). If they log in with uid or mail, it works. Otherwise, it won't work.

The attribute which must be sent to the CAS client depends on the service, via the usernameAttribute property of the service.

The attributeRepository is as follows:

    <bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
        <property name="baseDN" value="ou=people,dc=univ-lille3,dc=fr"/>
        <property name="contextSource" ref="contextSource" />
        <property name="requireAllQueryAttributes" value="false"/>
        <property name="queryType" value="OR" />
        <property name="queryAttributeMapping">
            <map>
                <entry key="username" value="eduPersonPrincipalName" />
                <entry key="username" value="uid" />
                <entry key="username" value="mail" />
            </map>
        </property>
        <property name="resultAttributeMapping">
            <map>
                <entry key="uid" value="uid" />
                <entry key="mail" value="mail" />
                <entry key="eduPersonPrincipalName" value="eduPersonPrincipalName" />
            </map>
        </property>
    </bean>

I have turned on the LDAP log and it shows that CAS doesn't do what I expected it to do:

    Feb 2 11:32:43 ldap-test slapd[61387]: conn=3852 op=1 SRCH base="ou=people,dc=univ-lille3,dc=fr" scope=2 deref=3 filter="(mail=sderosiaux)"
    Feb 2 11:32:43 ldap-test slapd[61387]: conn=3852 op=1 SRCH attr=uid mail eduPersonPrincipalName
    ...
    Feb 2 11:32:43 ldap-test slapd[61387]: conn=3526 op=28 SRCH base="ou=people,dc=univ-lille3,dc=fr" scope=2 deref=3 filter="(uid=sderosiaux)"
    Feb 2 11:32:43 ldap-test slapd[61387]: conn=3852 op=1 SRCH attr=uid mail eduPersonPrincipalName

Why doesn't CAS try with the eduPersonPrincipalName attribute?

Sylvain

On 30/01/2015 11:43, Sylvain DEROSIAUX wrote:

Yes, I misunderstood this parameter, so I replaced this part with only

    <entry key="username" value="uid" />

But it didn't work either.

A friend gave me a working solution, so I compared the source code and saw that he doesn't use the CredentialsToLDAPAttributePrincipalResolver bean. I removed it from my configuration and now it works like a charm!

Thanks

Sylvain

On 29/01/2015 19:38, John Gasper wrote:

I don't think the queryAttributeMapping is working the way you think it is... At least I've never been able to get it to work like that. You'll need to split it up because "username" is essentially the placeholder where the identity (jdoe) is inserted when the ldap query runs. (unfortunately it is the key so multiple search attributes (uid, mail, etc) can't be done here).

Check out https://github.com/jtgasper3/raspberrypi-iam/blob/master/cas-war-overlay/src/main/webapp/WEB-INF/deployerConfigContext.xml. It has a split config that uses an inherited base bean config.

---
John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef

On 1/29/15 5:47 AM, Sylvain DEROSIAUX wrote:

Hi!

I want to use the principalAttributeName feature following the CAS documentation (https://wiki.jasig.org/display/casum/attributes) but it doesn't work because my CAS (v3.5.3) cannot retrieve attributes from my LDAP (login is OK):

    2015-01-29 14:07:45,730 WARN [org.jasig.cas.CentralAuthenticationServiceImpl] - Principal [xxx] did not have attribute [mail] among attributes [{}] so CAS cannot provide on the validation response the user attribute the registered service *** expects. CAS will instead return the default username attribute [xxx]

I have checked access to the attributes with the user, it's OK. In the LDAP log, the attributes are not requested:

    Jan 29 14:21:29 ldap-test slapd[2968]: conn=141942 op=1 SRCH base="ou=people,dc=univ-lille3,dc=fr" scope=2 deref=3 filter="(&(!(lille3BlockedDate=*))(|(eduPersonPrincipalName=xxx)(uid=xxx)(mail=xxx)))"
    Jan 29 14:21:29 ldap-test slapd[2968]: conn=141942 op=1 SRCH attr=1.1
    ...
    Jan 29 14:21:29 ldap-test slapd[2968]: conn=141944 op=1 SRCH base="ou=people,dc=univ-lille3,dc=fr" scope=2 deref=3 filter="(|(eduPersonPrincipalName=xxx)(uid=xxx)(mail=xxx))"
    Jan 29 14:21:29 ldap-test slapd[2968]: conn=141944 op=1 SRCH attr=uid

Now, here is the relevant part of my deployerConfigContext.xml file.

The use of the attribute repository:

    <property name="credentialsToPrincipalResolvers">
        <list>
            <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
                <!-- The Principal resolver from the credentials -->
                <property name="credentialsToPrincipalResolver">
                    <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
                </property>
                <property name="filter" value="(|(eduPersonPrincipalName=%u)(uid=%u)(mail=%u))" />
                <property name="principalAttributeName" value="uid" />
                <property name="searchBase" value="ou=people,dc=univ-lille3,dc=fr" />
                <property name="contextSource" ref="contextSource" />
            </bean>
            <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" >
                <property name="attributeRepository" ref="attributeRepository" />
            </bean>
            <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
        </list>
    </property>

The configuration of the attribute repository:

    <bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
        <property name="baseDN" value="ou=people,dc=univ-lille3,dc=fr"/>
        <property name="contextSource" ref="contextSource" />
        <property name="requireAllQueryAttributes" value="true"/>
        <property name="queryAttributeMapping">
            <map>
                <entry key="uid" value="uid" />
                <entry key="mail" value="mail" />
            </map>
        </property>
        <property name="resultAttributeMapping">
            <map>
                <entry key="uid" value="uid" />
                <entry key="mail" value="mail" />
            </map>
        </property>
    </bean>

The configuration of the services:

    <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
        <property name="registeredServices">
            <list>
                <bean class="org.jasig.cas.services.RegexRegisteredService">
                    <property name="id" value="0" />
                    <property name="name" value="Test" />
                    <property name="description" value="" />
                    <property name="serviceId" value="***" />
                    <property name="usernameAttribute" value="mail" />
                    <property name="evaluationOrder" value="0" />
                    <property name="allowedAttributes">
                        <list>
                            <value>mail</value>
                        </list>
                    </property>
                </bean>
                ...
            </list>
        </property>
    </bean>

Any help will be welcome :)

Sylvain

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
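The following is an added example, not code from CAS, person-directory or any participant in this thread. It models the mechanism the top reply describes: a Spring `<map>` is loaded into a Java Map, so three `<entry key="username">` elements collapse to the last one and the resulting search filter is the single `(mail=sderosiaux)` seen in the slapd log, whereas a single `username` key with a `<list>` of attribute names yields the OR filter Sylvain expected. The `parse_spring_map` and `build_filter` functions, the way list values are read, and the assumption that person-directory accepts a list-valued `queryAttributeMapping` entry (the reply only says it "might work") are all this example's own; the XML fragments are constructed from the thread's configuration.

```python
"""Model of how duplicate <entry> keys in a Spring <map> reach an LDAP filter.

Added example (hypothetical helpers, not CAS or person-directory code).
"""
import xml.etree.ElementTree as ET

# Constructed fragment: the three duplicate "username" entries from the thread.
DUPLICATE_KEYS_XML = """
<map>
  <entry key="username" value="eduPersonPrincipalName"/>
  <entry key="username" value="uid"/>
  <entry key="username" value="mail"/>
</map>
"""

# Constructed fragment: the list-valued alternative the top reply suggests.
# Assumption: person-directory accepts a collection as the mapping value.
LIST_VALUE_XML = """
<map>
  <entry key="username">
    <list>
      <value>eduPersonPrincipalName</value>
      <value>uid</value>
      <value>mail</value>
    </list>
  </entry>
</map>
"""


def parse_spring_map(xml_text):
    """Return {seed_key: [ldap attribute names]} with Java Map semantics.

    A repeated key keeps only the value of its last <entry>, which is
    exactly why the thread's config ends up querying "mail" alone.
    """
    root = ET.fromstring(xml_text.strip())
    mapping = {}
    for entry in root.findall("entry"):
        key = entry.get("key")
        if entry.get("value") is not None:
            values = [entry.get("value")]
        else:
            values = [v.text.strip() for v in entry.findall("list/value")]
        mapping[key] = values  # plain assignment: later entries overwrite earlier ones
    return mapping


def escape_filter_value(value):
    """RFC 4515 escaping so the login name cannot change the filter's shape."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def build_filter(mapping, query, query_type="OR"):
    """Build the slapd-visible search filter for a seed query {seed_key: value}.

    One surviving attribute gives a bare "(attr=value)"; several are joined
    with "|" (queryType OR, as in the thread) or "&" (AND).
    """
    terms = []
    for seed_key, value in query.items():
        for attr in mapping.get(seed_key, []):
            terms.append(f"({attr}={escape_filter_value(value)})")
    if len(terms) == 1:
        return terms[0]
    op = "|" if query_type.upper() == "OR" else "&"
    return f"({op}{''.join(terms)})"


if __name__ == "__main__":
    seed = {"username": "sderosiaux"}
    print(build_filter(parse_spring_map(DUPLICATE_KEYS_XML), seed))
    print(build_filter(parse_spring_map(LIST_VALUE_XML), seed))
```

Running the block prints the collapsed filter first and the three-way OR filter second, which is the difference to look for in the slapd log or in persondirectory DEBUG output when checking whether a mapping change took effect.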
