There is. See:
http://jasig.github.io/cas/4.0.x/installation/Service-Management.html#registered-services

Set "ignoreAttributes" to true and remove your allowedAttributes config. Filters are entirely optional. You only need them if you, well, actually need to filter stuff. So if you plan to make everything available for release, you can use ignoreAttributes=true, and then filter the ones you want to be released.

-----Original Message-----
From: Simon [mailto:[email protected]]
Sent: Thursday, April 30, 2015 7:37 AM
To: [email protected]
Subject: RE: [cas-user] CAS 4.0 LDAP attributes to registered services

Hello Chris, Hello Misagh,

thank you very very much for your fast responses and help! I appreciate your help very much!

@Misagh
I'm really astonished that you are right :-) I changed the service as follows:

    <bean class="org.jasig.cas.services.RegexRegisteredService">
        <property name="id" value="1" />
        <property name="name" value="All Websites" />
        <property name="serviceId" value="^(https?)://.*" />
        <property name="evaluationOrder" value="0" />
        <property name="allowedAttributes">
            <list>
                <value>mail</value>
            </list>
        </property>
    </bean>

Now I get the mail attribute in my phpCAS as I always wanted to. After that I tried the regex filter ".*" as an additional (!) property in my service setup. This also worked as expected and the debug log was:

    <Received 1 attributes. Filtered and released 1>

But for my understanding this is a little bit inconvenient. First you set up every single attribute you want to pass to the service and after that you do a regex filter on the defined list? Is there no possibility to allow all and every attribute which is resolved by the authentication handler?

@Chris
I read about this in another post. I'm sort of glad that there is no need for it and I can stick to the FastBind technique with only one single LDAP query and no need for special manager credentials.

-----Original Message-----
From: Misagh Moayyed [mailto:[email protected]]
Sent: Thursday, 30 April 2015 16:25
To: [email protected]
Subject: RE: [cas-user] CAS 4.0 LDAP attributes to registered services

What you have is not enough. Your logs only show you are resolving attributes. You are not releasing them. These are two different steps. The authentication handler simply makes those attributes available for release. That does not mean they all will be, unless you add in the configuration for allowedAttributes in the doc page I referenced earlier.

-----Original Message-----
From: Christopher Myers [mailto:[email protected]]
Sent: Thursday, 30 April 2015 16:25
To: [email protected]
Subject: RE: [cas-user] CAS 4.0 LDAP attributes to registered services

Out of curiosity... Is your "mail" attribute publicly queryable? If not, you may need to add some authentication to the attribute release section of code as well. I ran into that as well; ended up adding this code to my deployerConfigContext.xml file:

    <bean id="searchConnectionFactory"
          class="org.ldaptive.DefaultConnectionFactory"
          p:connectionConfig-ref="searchConnectionConfig" />

    <bean id="searchConnectionConfig"
          parent="abstractConnectionConfig"
          p:connectionInitializer-ref="bindConnectionInitializer" />

    <bean id="bindConnectionInitializer"
          class="org.ldaptive.BindConnectionInitializer"
          p:bindDn="${ldap.managerDn}">
        <property name="bindCredential">
            <bean class="org.ldaptive.Credential" c:password="${ldap.managerPassword}" />
        </property>
    </bean>

    <bean id="abstractConnectionConfig" abstract="true"
          class="org.ldaptive.ConnectionConfig"
          p:ldapUrl="${ldap.url}"
          p:connectTimeout="${ldap.connectTimeout}" />

and then modified my searchConnectionPool bean to reference the searchConnectionFactory:

    <bean id="searchConnectionPool"
          parent="abstractConnectionPool"
          p:connectionFactory-ref="searchConnectionFactory" />

and then added the ldap.managerDN and ldap.managerPassword attributes to my cas.properties file. After doing so, I was able to get the attributes on the second query.

URLs I referenced:
http://jasig.275507.n4.nabble.com/ldaptive-integration-td4660076.html , which led me to
http://jasig.github.io/cas/development/installation/LDAP-Authentication.html#active-directory-authentication

Chris

>>> Simon <[email protected]> 04/30/15 9:17 AM >>>
Hello Christopher, Hello Misagh,

thank you very much, but as far as I see this, my setup already corresponds to your recommendation:

@Christopher
**Also, make sure the CAS URL you're referencing has ".../p3/..." in it**
I'm using phpCAS::client(CAS_VERSION_3_0, $cas_host, $cas_port, $cas_context);
It generates the url:
https://mycasserver:8443/cas/p3/serviceValidate?service=http%3A%2F%2F192.168.0.1%2Fcastest%2Findex.php

@Misagh
**Possibly because you are not allowing any attributes to be released**
My LDAP setup defined with the principalAttributeMap an entry 'mail' which is logged correctly as

    DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <Attribute map for testuser: {displayName=Test User, [email protected], memberOf=[CN=allusers,OU=Users,DC=mydomain,DC=local]}>

The attributeFilter in the serviceRegistryDao/registeredServices should allow the mail attribute, because of the regex filter .*(mail).*
But nevertheless, the filter logged the following debug message:

    DEBUG [org.jasig.cas.services.support.RegisteredServiceRegexAttributeFilter] - <Received 0 attributes. Filtered and released 0>

For me it looks like the attributes are coming from the LDAP to the authenticationManager but then they are not passed to the service?! I don't know what to do...

-----Original Message-----
From: Christopher Myers [mailto:[email protected]]
Sent: Thursday, 30 April 2015 15:43
To: [email protected]
Subject: RE: [cas-user] CAS 4.0 LDAP attributes to registered services

Also, make sure the CAS URL you're referencing has ".../p3/..." in it, such as:
https://portal.millikin.edu/cas/p3/serviceValidate?ticket=ST-3-KVPbJUgg6hpI32knvrJq-CAS_HOST_1&service=https%3A%2F%2Fportal.millikin.edu%2Fmuportal%2Fsecure%2F

Otherwise, everything can be configured correctly, but no attributes will be released.

>>> Misagh Moayyed <[email protected]> 04/30/15 4:39 AM >>>
Possibly because you are not allowing any attributes to be released:
http://jasig.github.io/cas/4.0.x/integration/Attribute-Release.html#configuration

Also, do please review this section as well:
http://jasig.github.io/cas/4.0.x/integration/Attribute-Release.html#attribute-filters

Your filter says: filter the collection of attributes received to only include those that have the word "mail" in them. But it received none, because nothing is allowed.

-----Original Message-----
From: Simon [mailto:[email protected]]
Sent: Thursday, April 30, 2015 1:19 AM
To: [email protected]
Subject: [cas-user] CAS 4.0 LDAP attributes to registered services

Hello,

I'm using CAS 4.0 on Tomcat 8.0 with Oracle Java JVM 1.8.0. The authentication against an LDAP directory which is managed by a Microsoft Active Directory Server 2008 R2 works as expected. But the LDAP attributes are not passed to the service.

The class PolicyBasedAuthenticationManager debugs the correct attribute map with all correct values at the moment of the authentication on the CAS server. But these attributes are not passed to the registered services. The class RegisteredServiceRegexAttributeFilter debugs that it received 0 attributes. And also my phpCAS 1.3.3 gives me an empty array for phpCAS::getAttributes() - but the correct username with phpCAS::getUser().

Has anyone an idea where my mistake is? Thank you very much for your help!

My deployerConfigContext.xml is:

    <bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
        <constructor-arg>
            <map>
                <entry key-ref="firstLDAP" value="#{null}" />
            </map>
        </constructor-arg>
        <property name="authenticationPolicy">
            <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" />
        </property>
    </bean>

    <bean id="firstLDAP"
          class="org.jasig.cas.authentication.LdapAuthenticationHandler"
          p:principalIdAttribute="sAMAccountName"
          c:authenticator-ref="authenticator">
        <property name="principalAttributeMap">
            <map>
                <entry key="displayName" value="displayName" />
                <entry key="mail" value="mail" />
                <entry key="memberOf" value="memberOf" />
            </map>
        </property>
    </bean>

    ... see complete config at
    http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html#active-directory-authentication

    <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
        <property name="registeredServices">
            <list>
                <bean class="org.jasig.cas.services.RegexRegisteredService">
                    <property name="id" value="1" />
                    <property name="name" value="All Websites" />
                    <property name="serviceId" value="^(https?)://.*" />
                    <property name="evaluationOrder" value="0" />
                    <property name="attributeFilter">
                        <bean class="org.jasig.cas.services.support.RegisteredServiceRegexAttributeFilter" c:regex=".*(mail).*" />
                    </property>
                </bean>
            </list>
        </property>
    </bean>

My debug log is:

    INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler successfully authenticated testuser+password>
    DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <No resolver configured for LdapAuthenticationHandler. Falling back to handler principal testuser>
    INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <Authenticated testuser with credentials [testuser+password].>
    DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <Attribute map for testuser: {displayName=Test User, [email protected], memberOf=[CN=allusers,OU=Users,DC=mydomain,DC=local]}>
    Audit trail record ... Slf4jLoggingAuditTrailManager ... CookieRetrievingCookieGenerator ... DefaultTicketRegistry ...
    DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: http://192.168.0.1/castest/>
    DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [ST-1-lfDFJh6WF04IUOTvOatP-mydomaincluster]>
    DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [ST-1-lfDFJh6WF04IUOTvOatP-mydomaincluster] found in registry.>
    DEBUG [org.jasig.cas.services.support.RegisteredServiceRegexAttributeFilter] - <Received 0 attributes. Filtered and released 0>
    DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - <Principal id to return for service [All Websites] is [testuser]. The default principal id is [testuser].>
    DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket [ST-1-lfDFJh6WF04IUOTvOatP-mydomaincluster] from registry>
    DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [ST-1-lfDFJh6WF04IUOTvOatP-mydomaincluster]>
    INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN ...>
    DEBUG [org.jasig.cas.web.ServiceValidateController] - <Successfully validated service ticket ST-1-lfDFJh6WF04IUOTvOatP-mydomaincluster for service [http://192.168.0.1/castest/]>

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
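The release pipeline this thread keeps separating (attributes resolved by the handler, then the service's allowedAttributes/ignoreAttributes policy, then the optional regex filter), as an added Python model that is not CAS code and not from any poster. The attribute map is constructed from the debug log above with a placeholder mail value, and applying the regex to attribute values rather than names is my reading of the 4.0 RegisteredServiceRegexAttributeFilter.

```python
import re

# Constructed sample attribute map, shaped like the thread's debug log (mail value is a placeholder).
RESOLVED_ATTRIBUTES = {
    "displayName": "Test User",
    "mail": "testuser@mydomain.local",
    "memberOf": ["CN=allusers,OU=Users,DC=mydomain,DC=local"],
}

def release_attributes(resolved, allowed=(), ignore_attributes=False, regex=None):
    """Model of the two release steps the thread distinguishes (not CAS code).
    Step 1, the service's release policy: with ignoreAttributes=false only the names
    in allowedAttributes are handed on, with ignoreAttributes=true all of them.
    Step 2, the optional attributeFilter: the regex must match each surviving value
    in full (my reading of RegisteredServiceRegexAttributeFilter).
    Returns (received_by_filter, released)."""
    if ignore_attributes:
        received = dict(resolved)
    else:
        received = {k: v for k, v in resolved.items() if k in allowed}
    if regex is None:
        return received, dict(received)
    pattern = re.compile(regex)
    released = {}
    for name, value in received.items():
        if isinstance(value, list):  # multi-valued: keep only the matching values
            kept = [v for v in value if pattern.fullmatch(v)]
            if kept:
                released[name] = kept
        elif pattern.fullmatch(value):
            released[name] = value
    return received, released

def debug_line(received, released):
    """Reproduce the RegisteredServiceRegexAttributeFilter log message."""
    return "Received %d attributes. Filtered and released %d" % (len(received), len(released))

def scenarios(resolved=RESOLVED_ATTRIBUTES):
    """The configurations discussed in the thread, in the order they were tried."""
    return {
        # Original post: a filter but no allowedAttributes, so nothing reaches the filter.
        "filter_only": release_attributes(resolved, regex=r".*(mail).*"),
        # Second attempt: allowedAttributes=[mail] plus a ".*" filter.
        "allowed_mail": release_attributes(resolved, allowed=("mail",), regex=r".*"),
        # ignoreAttributes=true alone: every resolved attribute, memberOf included, goes out.
        "ignore_all": release_attributes(resolved, ignore_attributes=True),
        # Misagh's suggestion: ignoreAttributes=true, then let the filter decide what goes out.
        "ignore_then_filter": release_attributes(resolved, ignore_attributes=True, regex=r".*@mydomain\.local"),
    }
```

With the catch-all serviceId "^(https?)://.*" from the thread, the "ignore_all" case hands memberOf to every web service, which is why the filter step matters once ignoreAttributes is on.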
