You may want to check out this project:

https://github.com/robertoschwald/jasig-cas-examples-robertoschwald

Basically, when CAS validates a user's login attempt, it tends to pull
attributes at that time if so configured. Then, for whatever reason, it
does a subsequent request to pull all of the attributes to be used for
the services. This project maps the second to the first, so the
attributes are stored internally and reused for the services, thus
saving the second login. In your case though, it would serve as a way to
use the user's credentials to pull their own attributes.



If you have the alternative of being able to provide a "master" user to
pull the attributes for users, you can refer to my notes when I ran into
a similar situation:

Found this:
http://jasig.275507.n4.nabble.com/ldaptive-integration-td4660076.html


Which points to this:
http://jasig.github.io/cas/development/installation/LDAP-Authentication.html#active-directory-authentication


Had to add this to the deployerConfigContext.xml file:


    <bean id="searchConnectionFactory"
      class="org.ldaptive.DefaultConnectionFactory"
      p:connectionConfig-ref="searchConnectionConfig" />

    <bean id="searchConnectionConfig" parent="abstractConnectionConfig"
      p:connectionInitializer-ref="bindConnectionInitializer" />

    <bean id="bindConnectionInitializer"
      class="org.ldaptive.BindConnectionInitializer"
      p:bindDn="${ldap.managerDn}">
      <property name="bindCredential">
        <bean class="org.ldaptive.Credential"
          c:password="${ldap.managerPassword}" />
      </property>
    </bean>

    <bean id="abstractConnectionConfig" abstract="true"
      class="org.ldaptive.ConnectionConfig"
      p:ldapUrl="${ldap.url}"
      p:connectTimeout="${ldap.connectTimeout}"
    />





and modify the searchConnectionPool bean to reference the
searchConnectionFactory:


    <bean id="searchConnectionPool" parent="abstractConnectionPool" 
      p:connectionFactory-ref="searchConnectionFactory"
    />






then add the ldap.managerDn and ldap.managerPassword attrs to the
cas.properties file.


After doing so, the attrs are returned correctly.

For full details of what I ran into, you can search the archives for my
message titled "Some notes/doc updates on configuring attributes in
CASv4" from March 6, 2015.

Hope that helps!
Chris







>>> "Borys Pogoreło"<[email protected]> 04/23/15 7:58 AM >>>
Hi,

As this is my first post here: welcome everyone!

I have a problem with CAS 3.5.3. We are authenticating against two LDAP
servers, our own and an external one. The second one has a very strict
access policy and we can't change its configuration. A user can access
only his own attributes, nothing else, not even the tree he is in.

We are able to successfully authenticate using
FastBindLdapAuthenticationHandler, but it doesn't return attributes (I
believe it binds anonymously to fetch attributes, which is not allowed
by this server). All I see with DEBUG enabled is [{}] as the attributes
returned.

I was unable to configure BindLdapAuthenticationHandler with this
server.

Let's say we are authenticating as user "123" on "server", who has DN:
uid=123, ou=People, cn=test (Base DN: ou=People, cn=test)

The only proper way to fetch user's record on this server would be:

ldapsearch -L -W -x -H ldaps://server \
  -b "ou=People, cn=test" \
  -D "uid=123, ou=People, cn=test" \
  "uid=123"

Our configuration (shortened and without first source):

<bean id="secondLDAPSource"
    class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="pooled" value="false" />
    <property name="url" value="ldap://server" />
</bean>

<bean id="secondAttributeRepository"
    class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao"
    p:filter="uid=%u, ou=People, cn=test">
    <property name="contextSource" ref="secondLDAPSource" />
    <property name="baseDN" value="ou=People, cn=test" />
    <property name="requireAllQueryAttributes" value="false" />
</bean>

<!--
<bean id="secondLdapAuthHandler"
    class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
    p:filter="uid=%u"
    p:searchBase="ou=People, cn=test"
    p:contextSource-ref="secondLDAPSource" />
-->

<bean id="secondResolver"
    class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
    <property name="attributeRepository" ref="secondAttributeRepository" />
</bean>

<bean id="authenticationManager"
    class="org.jasig.cas.authentication.LinkedAuthenticationHandlerAndCredentialsToPrincipalResolverAuthenticationManager">
    <constructor-arg index="0">
        <map>
            <entry key-ref="HttpAuthHandler" value-ref="HttpResolver" />
            <entry key-ref="firstLdapAuthHandler" value-ref="firstResolver" />
            <entry key-ref="secondLdapAuthHandler" value-ref="secondResolver" />
        </map>
    </constructor-arg>
</bean>

<bean id="attributeRepository"
    class="org.jasig.services.persondir.support.MergingPersonAttributeDaoImpl">
    <property name="personAttributeDaos">
        <list>
            <ref bean="firstAttributeRepository" />
            <ref bean="secondAttributeRepository" />
        </list>
    </property>
</bean>

I tried using authenticationSource on LdapContextSource, but all I got
was a lot of Java exceptions related to Spring.

How can I access a user's attributes using that person's own credentials?

-- 
Borys Pogoreło



-- 
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
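As an added example (not code from either poster), a small Python 3 helper that builds the per-user bind DN, search base and filter that the ldapsearch command in the question uses, with RFC 4514/4515 escaping so a username cannot alter the DN or the filter, plus a check that flags a configured "filter" value shaped like a DN template (the shape of the p:filter value on secondAttributeRepository). The DN template, base DN and URL are taken from the post; the function names are assumptions of this example.

```python
# Added example, not part of the thread: per-user bind DN / base / filter
# construction with escaping, mirroring the ldapsearch invocation in the post.
import re

BASE_DN = "ou=People,cn=test"          # from the post (spaces after commas dropped)
DN_TEMPLATE = "uid={uid}," + BASE_DN    # the post's "uid=%u, ou=People, cn=test"


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4)."""
    out = []
    for i, ch in enumerate(value):
        if (ch in ',+"\\<>;' or (ch == '#' and i == 0)
                or (ch == ' ' and i in (0, len(value) - 1))):
            out.append('\\' + ch)
        elif ord(ch) < 0x20:
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515, section 3)."""
    special = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}
    return ''.join(special.get(ch, ch) for ch in value)


def user_search(uid: str) -> dict:
    """Bind DN, base DN and filter for fetching the user's own entry."""
    if not uid:
        raise ValueError("uid must not be empty")
    return {
        "bind_dn": DN_TEMPLATE.format(uid=escape_dn_value(uid)),
        "base_dn": BASE_DN,
        "filter": "(uid=%s)" % escape_filter_value(uid),
    }


def ldapsearch_args(uid: str, url: str = "ldaps://server") -> list:
    """Argument list equivalent to the ldapsearch command in the post."""
    q = user_search(uid)
    return ["ldapsearch", "-L", "-W", "-x", "-H", url,
            "-b", q["base_dn"], "-D", q["bind_dn"], q["filter"]]


def looks_like_dn_not_filter(value: str) -> bool:
    """True when a configured 'filter' is really a DN template: several
    attr=value components joined by commas rather than a parenthesised filter."""
    return bool(re.fullmatch(r'\s*\w+=[^,()]+(\s*,\s*\w+=[^,()]+)+\s*', value))
```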


