Borys,

Since you are on CAS 3.5.3, you want to configure a separate attribute repository instead. None of the handlers in CAS 3.5 are able to resolve and retrieve attributes. See https://wiki.jasig.org/display/CASUM/Attributes

From: Christopher Myers [mailto:[email protected]]
Sent: Thursday, April 23, 2015 7:41 AM
To: [email protected]
Subject: Re: [cas-user] Fetching LDAP attributes with user credentials

If that works, that would be awesome! I fought with trying to make that type of thing work for about two days, but all the Google hits I came across said that it wasn't possible without using something like that third-party add-on I'd found.

I didn't try what you suggested though, so if Borys would want to try it out and let us all know, that could save folks a ton of time in the future too, especially if we could get the change documented on the GitHub pages :D

>>> Milt Epstein <[email protected]> 04/23/15 9:32 AM >>>

I didn't follow all of this thread, but if I understand you correctly, it is possible to do the authentication and pull out the attributes in one call to ldap. I'm doing this with CAS version 4.0.x. The key is to configure the principalAttributeMap property in the ldapAuthenticationHandler bean, as I believe Chris Myers showed -- but then not use attributeRepository (which may come pre-configured in the default deployerConfigContext.xml). I do the latter by changing the following line, in the authenticationManager bean, from:

    <entry key-ref="ldapAuthenticationHandler" value-ref="usernamePasswordCredentialsResolver" />

to:

    <entry key-ref="ldapAuthenticationHandler" value="#{ null }" />

Milt Epstein
Programmer in Computational Genomics
Institute for Genomic Biology (IGB)
University of Illinois at Urbana-Champaign (UIUC)
[email protected]

On Thu, 23 Apr 2015, "Borys Pogoreło" wrote:

> > But I guess if you were using database for auth and ldap for
> > attrs, then this would be necessary to have separated out.
>
> I think you're right. But I believe that the most common scenario is using
> one source for both authentication and attributes. Separation should be an
> option, not the default...
>
> --
> Borys
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
