OK. I've made the changes as you said and it works great, cool!

             <property name="queryAttributeMapping">
                 <map>
                     <entry key="username">
                         <list>
                             <value>eduPersonPrincipalName</value>
                             <value>uid</value>
                             <value>mail</value>
                         </list>
                     </entry>
                 </map>
             </property>



Thanks Misagh and have a nice day!

Sylvain
On 02/02/2015 12:33, Misagh Moayyed wrote:
>
> Because a map cannot contain duplicate keys. You have specified 3 
> different values for the same key that is “username”. Each one is 
> going to overwrite the previous, which should just have you using 
> “mail” as the query attribute. (I don’t know how uid works. It should 
> not, unless its value matches mail somehow).
>
> Instead of a single one-to-one key->value, specify the key as username 
> but as the value, give it a list of possible values. That might work.
>
> You can also enable DEBUG logs for persondirectory and observe the 
> query that gets constructed.
>
> From: Sylvain DEROSIAUX [mailto:[email protected]]
> Sent: Monday, February 2, 2015 3:44 AM
> To: [email protected]
> Subject: Re: [cas-user] Cannot retrieve attributes from LDAP with CAS 3.5.3
>
> Arf! It doesn't work 100% :-(
> I allow my users to log in with different usernames (uid, 
> eduPersonPrincipalName or mail).
> If they log in with uid or mail, it works. Otherwise, it won't work.
>
> The attribute which must be sent to the CAS client depends on the 
> service via the /usernameAttribute/ property of services.
> The attributeRepository is as follows:
>
>         <bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
>             <property name="baseDN" value="ou=people,dc=univ-lille3,dc=fr"/>
>             <property name="contextSource" ref="contextSource" />
>             <property name="requireAllQueryAttributes" value="false"/>
>             <property name="queryType" value="OR" />
>             <property name="queryAttributeMapping">
>                 <map>
>                     <entry key="username" value="eduPersonPrincipalName" />
>                     <entry key="username" value="uid" />
>                     <entry key="username" value="mail" />
>                 </map>
>             </property>
>             <property name="resultAttributeMapping">
>                 <map>
>                     <entry key="uid" value="uid" />
>                     <entry key="mail" value="mail" />
>                     <entry key="eduPersonPrincipalName" value="eduPersonPrincipalName" />
>                 </map>
>             </property>
>         </bean>
>
> I have turned on the LDAP log and it shows that CAS doesn't do what I 
> expected it to do:
> Feb  2 11:32:43 ldap-test slapd[61387]: conn=3852 op=1 SRCH base="ou=people,dc=univ-lille3,dc=fr" scope=2 deref=3 filter="(mail=sderosiaux)"
> Feb  2 11:32:43 ldap-test slapd[61387]: conn=3852 op=1 SRCH attr=uid mail eduPersonPrincipalName
> ...
> Feb  2 11:32:43 ldap-test slapd[61387]: conn=3526 op=28 SRCH base="ou=people,dc=univ-lille3,dc=fr" scope=2 deref=3 filter="(uid=sderosiaux)"
> Feb  2 11:32:43 ldap-test slapd[61387]: conn=3852 op=1 SRCH attr=uid mail eduPersonPrincipalName
>
> Why doesn't CAS try with the eduPersonPrincipalName attribute?
>
> Sylvain
>
> On 30/01/2015 11:43, Sylvain DEROSIAUX wrote:
>
>     Yes, I misunderstood this parameter, so I replaced this part with only
>
>     <entry key="username" value="uid" />
>
>     But it didn't work either.
>     A friend gave me a working solution, so I compared source code and
>     saw he doesn't use the CredentialsToLDAPAttributePrincipalResolver
>     bean. I removed it from my configuration and now it works like a
>     charm!
>
>     Thanks
>     Sylvain
>
>     On 29/01/2015 19:38, John Gasper wrote:
>
>         I don't think the queryAttributeMapping is working the way you
>         think it is... At least I've never been able to get it to work
>         like that. You'll need to split it up because "username" is
>         essentially the placeholder where the identity (jdoe) is
>         inserted when the ldap query runs. (unfortunately it is the
>         key so multiple search attributes (uid, mail, etc) can't be
>         done here).
>
>         Check out
>         https://github.com/jtgasper3/raspberrypi-iam/blob/master/cas-war-overlay/src/main/webapp/WEB-INF/deployerConfigContext.xml.
>         It has a split config that uses an inherited base bean config.
>
>
>         ---
>         *John Gasper*
>         IAM Consultant
>         Unicon, Inc.
>         PGP/GPG Key: 0xbafee3ef
>
>         On 1/29/15 5:47 AM, Sylvain DEROSIAUX wrote:
>
>             Hi !
>
>             I want to use the /principalAttributeName/ feature
>             following the CAS documentation
>             (https://wiki.jasig.org/display/casum/attributes) but it
>             didn't work because my CAS (v3.5.3) cannot retrieve
>             attributes from my LDAP (login is OK):
>
>             2015-01-29 14:07:45,730 WARN [org.jasig.cas.CentralAuthenticationServiceImpl] - Principal [xxx] did not have attribute [mail] among attributes [{}] so CAS cannot provide on the validation response the user attribute the registered service *** expects. CAS will instead return the default username attribute [xxx]
>
>             I have checked access to the attributes with the user, it's OK.
>             In the LDAP log, the attributes are not requested:
>
>             Jan 29 14:21:29 ldap-test slapd[2968]: conn=141942 op=1 SRCH base="ou=people,dc=univ-lille3,dc=fr" scope=2 deref=3 filter="(&(!(lille3BlockedDate=*))(|(eduPersonPrincipalName=xxx)(uid=xxx)(mail=xxx)))"
>             Jan 29 14:21:29 ldap-test slapd[2968]: conn=141942 op=1 SRCH attr=1.1
>             ...
>             Jan 29 14:21:29 ldap-test slapd[2968]: conn=141944 op=1 SRCH base="ou=people,dc=univ-lille3,dc=fr" scope=2 deref=3 filter="(|(eduPersonPrincipalName=xxx)(uid=xxx)(mail=xxx))"
>             Jan 29 14:21:29 ldap-test slapd[2968]: conn=141944 op=1 SRCH attr=uid
>
>             Now, here is the relevant part from my
>             /deployerConfigContext.xml/ file:
>
>             The use of the attribute repository:
>
>             <property name="credentialsToPrincipalResolvers">
>                 <list>
>                     <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
>                         <!-- The Principal resolver from the credentials -->
>                         <property name="credentialsToPrincipalResolver">
>                             <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>                         </property>
>                         <property name="filter" value="(|(eduPersonPrincipalName=%u)(uid=%u)(mail=%u))" />
>                         <property name="principalAttributeName" value="uid" />
>                         <property name="searchBase" value="ou=people,dc=univ-lille3,dc=fr" />
>                         <property name="contextSource" ref="contextSource" />
>                     </bean>
>                     <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
>                         <property name="attributeRepository" ref="attributeRepository" />
>                     </bean>
>                     <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
>                 </list>
>             </property>
>
>             The configuration of the attribute repository:
>
>             <bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
>                 <property name="baseDN" value="ou=people,dc=univ-lille3,dc=fr"/>
>                 <property name="contextSource" ref="contextSource" />
>                 <property name="requireAllQueryAttributes" value="true"/>
>
>                 <property name="queryAttributeMapping">
>                     <map>
>                         <entry key="uid" value="uid" />
>                         <entry key="mail" value="mail" />
>                     </map>
>                 </property>
>
>                 <property name="resultAttributeMapping">
>                     <map>
>                         <entry key="uid" value="uid" />
>                         <entry key="mail" value="mail" />
>                     </map>
>                 </property>
>             </bean>
>
>             The configuration of the services:
>
>             <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
>                 <property name="registeredServices">
>                     <list>
>                         <bean class="org.jasig.cas.services.RegexRegisteredService">
>                             <property name="id" value="0" />
>                             <property name="name" value="Test" />
>                             <property name="description" value="" />
>                             <property name="serviceId" value="***" />
>                             <property name="usernameAttribute" value="mail" />
>                             <property name="evaluationOrder" value="0" />
>                             <property name="allowedAttributes">
>                                 <list>
>                                     <value>mail</value>
>                                 </list>
>                             </property>
>                         </bean>
>             ...
>                     </list>
>                 </property>
>             </bean>
>
>             Any help will be welcome :)
>
>             Sylvain
>


-- 
+---------------------------------------+
| Sylvain DEROSIAUX                     |
| Systems Administrator                 |
|                                       |
| Information Systems Department        |
| Office A3-209                         |
| Domaine universitaire du Pont de bois |
| BP 60149 59653 Villeneuve d'Ascq      |
|                                       |
| Tel: 03-20-41-69-47                   |
| Fax: 03-20-41-60-01                   |
+---------------------------------------+
| GNU/Linux Debian, what else?          |
+---------------------------------------+


-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
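The following Python is an added example written for this thread; it is not persondir or CAS source code. It models the two points made above: Misagh's explanation that a Spring `<map>` cannot hold duplicate keys (so three `<entry key="username">` elements collapse to the last one, `mail`), and John's point that `username` is the placeholder the identity is substituted into, so a mapping keyed only on `uid`/`mail` never produces a search for it. The XML fragments are constructed copies of the configurations quoted in the thread, and the way the OR filter is assembled is an assumption that follows the slapd log lines, not the library's actual code. Because the substituted value comes straight from the login form, the model also escapes it per RFC 4515 before it is placed in the filter.

```python
"""Model of how a queryAttributeMapping becomes an LDAP search filter.

Constructed for illustration; not the persondir or CAS implementation.
"""
import xml.etree.ElementTree as ET

# Constructed fragment: three <entry> elements for the same key "username".
DUPLICATE_KEY_MAPPING = """
<property name="queryAttributeMapping">
  <map>
    <entry key="username" value="eduPersonPrincipalName" />
    <entry key="username" value="uid" />
    <entry key="username" value="mail" />
  </map>
</property>
"""

# Constructed fragment: one key whose value is a <list> of LDAP attributes.
LIST_VALUE_MAPPING = """
<property name="queryAttributeMapping">
  <map>
    <entry key="username">
      <list>
        <value>eduPersonPrincipalName</value>
        <value>uid</value>
        <value>mail</value>
      </list>
    </entry>
  </map>
</property>
"""


def parse_query_attribute_mapping(xml_fragment):
    """Return {query_attribute: [ldap_attribute, ...]} from a Spring <map>.

    A Spring <map> is populated like a Java Map: a repeated key overwrites
    the earlier value, so only the last <entry> for "username" survives.
    """
    mapping = {}
    for entry in ET.fromstring(xml_fragment.strip()).iter("entry"):
        key = entry.get("key")
        if entry.get("value") is not None:
            mapping[key] = [entry.get("value")]  # overwrite on duplicate key
        else:
            mapping[key] = [v.text.strip() for v in entry.iter("value")]
    return mapping


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    The username comes from the login form; a literal '*', '(' or ')' left
    unescaped would change the meaning of the filter it is inserted into.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_filter(mapping, query, query_type="OR"):
    """Build the filter for a query such as {"username": "jdoe"}.

    Query attributes with no entry in the mapping contribute no clause, which
    is why a mapping keyed only on "uid"/"mail" never searches for "username".
    Returns None when no clause could be built.
    """
    clauses = []
    for query_attribute, value in query.items():
        for ldap_attribute in mapping.get(query_attribute, []):
            clauses.append("(%s=%s)" % (ldap_attribute, escape_filter_value(value)))
    if not clauses:
        return None
    if len(clauses) == 1:
        return clauses[0]
    operator = "|" if query_type == "OR" else "&"
    return "(%s%s)" % (operator, "".join(clauses))


if __name__ == "__main__":
    for label, fragment in (("duplicate keys", DUPLICATE_KEY_MAPPING),
                            ("list value", LIST_VALUE_MAPPING)):
        mapping = parse_query_attribute_mapping(fragment)
        print(label, "->", mapping)
        print("  filter:", build_filter(mapping, {"username": "sderosiaux"}))
```

Running it prints `(mail=sderosiaux)` for the duplicate-key mapping, matching the slapd log above where only `mail` (and, from the other resolver, `uid`) was ever searched, and the full `(|(eduPersonPrincipalName=...)(uid=...)(mail=...))` filter for the list form.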
