We’ve never had to release attributes before, but we now have a requirement to
do so. Rather than work with our rather old version of CAS, I figured I would
take the opportunity to upgrade to CAS 4. I have the Unicon cas4 overlay
working with AD authentication. My deployerConfigContext.xml is using the
bind+search authentication to AD, and I can see the attributes returning to the
ldapAuthenticationHandler in the cas log:
2015-07-30 11:29:17,560 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal attribute: [mail[[email protected]]]
2015-07-30 11:29:17,560 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal attribute: [displayName[Mark McCoy]]
2015-07-30 11:29:17,560 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal attribute: [employeeID[********]]
Where I am having issues is that I can’t seem to find an example of pulling
these attributes into the PersonDirectory. From the documentation, it seems
like the ldapAuthenticationHandler example can populate the attributes directly
without a second LDAP call, but I can't see how to make that work from the
documentation and examples provided. Please let me know if I'm on the right
path.
What I've done so far is copied the ldapAuthenticationHandler from
http://jasig.github.io/cas/4.0.x/installation/LDAP-Authentication.html#ldap_requiring_authenticated_search,
and changed the handler in the authenticationManager bean from the default
primaryAuthenticationManager to ldapAuthenticationManager.
This is what the relevant parts of the deployerConfigContext.xml look like
(the rest is unchanged from the overlay):
<bean id="authenticationManager"
      class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
  <constructor-arg>
    <map>
      <entry key-ref="proxyAuthenticationHandler"
             value-ref="proxyPrincipalResolver" />
      <entry key-ref="ldapAuthenticationHandler"
             value-ref="primaryPrincipalResolver" />
    </map>
  </constructor-arg>
  <property name="authenticationPolicy">
    <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" />
  </property>
</bean>

<bean id="primaryPrincipalResolver"
      class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver">
  <property name="attributeRepository" ref="attributeRepository" />
</bean>

<!--
  Bean that defines the attributes that a service may return. This example
  uses the Stub/Mock version. A real implementation
  may go against a database or LDAP server. The id should remain
  "attributeRepository" though.
-->
<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.StubPersonAttributeDao"
      p:backingMap-ref="attrRepoBackingMap" />

<util:map id="attrRepoBackingMap">
  <entry key="uid" value="uid" />
  <entry key="mail" value="mail" />
  <entry key="employeeID" value="UC_IDENTIFIER" />
</util:map>

<bean id="ldapAuthenticationHandler"
      class="org.jasig.cas.authentication.LdapAuthenticationHandler"
      p:principalIdAttribute="sAMAccountName"
      c:authenticator-ref="authenticator">
  <property name="principalAttributeMap">
    <map>
      <!--
        | This map provides a simple attribute resolution mechanism.
        | Keys are LDAP attribute names, values are CAS attribute names.
        | Use this facility instead of a PrincipalResolver if LDAP is
        | the only attribute source.
      -->
      <entry key="sAMAccountName" value="uid" />
      <entry key="memberOf" value="member" />
      <entry key="mail" value="mail" />
      <entry key="displayName" value="displayName" />
      <entry key="employeeID" value="employeeID" />
    </map>
  </property>
</bean>

<!-- the rest of the LDAP connection pool/search beans from the CAS docs -->
Thanks,
Mark
---
Mark McCoy
Identity Management
The University of Texas at San Antonio
210-458-5871
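For reference, an added example (not part of Mark's message or the Unicon overlay) of the wiring that lets the handler's own attributes survive: in CAS 4.0.x PolicyBasedAuthenticationManager falls back to the Principal built by the handler when the map entry for that handler has no resolver, so the principalAttributeMap attributes are kept and attributeRepository is never consulted for that login; the second bean shows that a service still only receives the attributes it is explicitly allowed. The service name, serviceId pattern and id are constructed placeholders; the handler and proxy bean names are assumed to be those from the overlay above.

```xml
<!-- Added example for CAS 4.0.x deployerConfigContext.xml (assumed bean names
     ldapAuthenticationHandler, proxyAuthenticationHandler and
     proxyPrincipalResolver come from the overlay in the message above). -->
<bean id="authenticationManager"
      class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
  <constructor-arg>
    <map>
      <entry key-ref="proxyAuthenticationHandler"
             value-ref="proxyPrincipalResolver" />
      <!-- No resolver for the LDAP handler: PolicyBasedAuthenticationManager
           then keeps the Principal the handler built, including every
           attribute listed in principalAttributeMap, with no second lookup
           through attributeRepository (which would otherwise replace it). -->
      <entry key-ref="ldapAuthenticationHandler">
        <null />
      </entry>
    </map>
  </constructor-arg>
  <property name="authenticationPolicy">
    <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" />
  </property>
</bean>

<!-- Attributes reach a service only if that service lists them in
     allowedAttributes; an empty list (the overlay default) releases nothing.
     Names here are the CAS-side names from principalAttributeMap.
     The serviceId pattern and id below are constructed placeholders. -->
<bean id="serviceRegistryDao"
      class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl"
      p:registeredServices-ref="registeredServicesList" />

<util:list id="registeredServicesList">
  <bean class="org.jasig.cas.services.RegexRegisteredService"
        p:id="1"
        p:name="Example portal"
        p:description="Constructed example service allowed to see three attributes"
        p:serviceId="^https://portal\.example\.edu/.*"
        p:evaluationOrder="10">
    <property name="allowedAttributes">
      <list>
        <value>mail</value>
        <value>displayName</value>
        <value>employeeID</value>
      </list>
    </property>
  </bean>
</util:list>
```

With this wiring the DEBUG lines quoted above are the attributes that end up on the Principal, so checking the CAS log for "Found principal attribute" after a login is a quick way to confirm the map is doing the work rather than the stub repository.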