RE:[cas-user] Attribute Release

Fri, 14 Aug 2015 05:04:19 -0700 

Ray,

In the log below you can see the results of the query.  You can also see the 
attributes I have listed in the ldapAuthenticationHandler’s 
principalAttributeMap get returned in the “Found principal attribute”  This is 
what I want to return back to the app but all I’m getting is the following:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>cirwin</cas:user>


</cas:authenticationSuccess>
</cas:serviceResponse>

I thought I just needed to wire up so that the attributes resolved here are 
released:

2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [sAMAccountName[CIrwin]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [cn[Chris Irwin]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [givenName[Chris]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [sn[Irwin]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [mail[[email protected]]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [displayName[Chris Irwin]]

Is that different?

Chris
From: Ray Bon [mailto:[email protected]]
Sent: Thursday, August 13, 2015 6:17 PM
To: [email protected]
Subject: Re:[cas-user] Attribute Release


​Check what attributes are being released from your LDAP server.

The items in the LDAP response may be provided as part of the authenticated 
user info but not necessarily the released attributes.



Ray

________________________________
From: Chris Irwin 
<[email protected]<mailto:[email protected]>>
Sent: August 13, 2015 13:58
To: [email protected]<mailto:[email protected]>
Subject: [cas-user] Attribute Release


I'm not sure what i'm missing here.  I can see the attributes resolved but they 
are never released to the client:



2015-08-13 16:31:20,456 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Attempting LDAP 
authentication for cirwin+password
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - LDAP response: 
[org.ldaptive.auth.AuthenticationResponse@110158567::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS,
 ldapEntry=[dn=CN=Chris 
Irwin,OU=SADA,OU=Consultants,dc=root,dc=njcu[[mail[[email protected]]],
 [uSNCreated[75502415]], [description[SADA Consultant]], 
[whenChanged[20150805152738.0Z]], [objectClass[top, person, 
organizationalPerson, user]], [primaryGroupID[513]], [givenName[Chris]], 
[objectGUID[??????D?a??[??]], [objectSid[        q??K9?l??>u??V  ]], 
[instanceType[4]], [whenCreated[20150410141222.0Z]], 
[dSCorePropagationData[20150520202442.0Z, 20150410142342.0Z, 
16010101000000.0Z]], [sn[Irwin]], [userAccountControl[66048]], 
[lastLogonTimestamp[130832620538887202]], [cn[Chris Irwin]], 
[sAMAccountName[CIrwin]], [sAMAccountType[805306368]], 
[userPrincipalName[[email protected]]], [displayName[Chris Irwin]], 
[pwdLastSet[130731491217059125]], [name[Chris Irwin]], 
[objectCategory[CN=Person,CN=Schema,CN=Configuration,DC=root,DC=njcu]], 
[distinguishedName[CN=Chris Irwin,OU=SADA,OU=Consultants,DC=root,DC=njcu]], 
[memberOf[CN=rdpadmins,CN=Users,DC=root,DC=njcu, 
CN=VPN,CN=Users,DC=root,DC=njcu, CN=Domain Admins,CN=Users,DC=root,DC=njcu]], 
[uSNChanged[90371268]]], responseControls=null, messageId=-1], 
accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [sAMAccountName[CIrwin]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [cn[Chris Irwin]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [givenName[Chris]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [sn[Irwin]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [mail[[email protected]]]
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal 
attribute: [displayName[Chris Irwin]]
2015-08-13 16:31:20,565 INFO 
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - 
LdapAuthenticationHandler successfully authenticated cirwin+password
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver] - 
Attempting to resolve a principal...
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver] - 
Creating SimplePrincipal for [cirwin]
2015-08-13 16:31:20,565 DEBUG [org.jasig.cas.persondir.LdapPersonAttributeDao] 
- Created seed map='{username=[cirwin]}' for uid='cirwin'
2015-08-13 16:31:20,565 DEBUG [org.jasig.cas.persondir.LdapPersonAttributeDao] 
- Generated query builder 'null' from query Map {username=[cirwin]}.
2015-08-13 16:31:20,565 DEBUG [org.jasig.cas.persondir.LdapPersonAttributeDao] 
- No queryBuilder was generated for query {username=[cirwin]}, null will be 
returned
2015-08-13 16:31:20,565 DEBUG 
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - 
org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver@e1fa433<mailto:org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver@e1fa433>
 resolved cirwin from cirwin+password
2015-08-13 16:31:20,581 INFO 
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - Authenticated 
cirwin with credentials [cirwin+password].
2015-08-13 16:31:20,581 DEBUG 
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - Attribute map 
for cirwin: {}
2015-08-13 16:31:20,581 INFO 
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail 
record BEGIN
=============================================================
WHO: audit:unknown
WHAT: supplied credentials: [cirwin+password]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Thu Aug 13 16:31:20 EDT 2015
CLIENT IP ADDRESS: 208.104.112.159
SERVER IP ADDRESS: 10.0.2.73
=============================================================





I have included the deployerConfigContext.xml for reference:



<?xml version="1.0" encoding="UTF-8"?>
<!--

    Licensed to Jasig under one or more contributor license
    agreements. See the NOTICE file distributed with this work
    for additional information regarding copyright ownership.
    Jasig licenses this file to you under the Apache License,
    Version 2.0 (the "License"); you may not use this file
    except in compliance with the License.  You may obtain a
    copy of the License at the following location:

      http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing,
    software distributed under the License is distributed on an
    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    KIND, either express or implied.  See the License for the
    specific language governing permissions and limitations
    under the License.

-->
<beans xmlns="http://www.springframework.org/schema/beans";
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
       xmlns:p="http://www.springframework.org/schema/p";
       xmlns:c="http://www.springframework.org/schema/c";
       xmlns:tx="http://www.springframework.org/schema/tx";
       xmlns:util="http://www.springframework.org/schema/util";
       xmlns:sec="http://www.springframework.org/schema/security";
    xmlns:context="http://www.springframework.org/schema/context";
       xsi:schemaLocation="http://www.springframework.org/schema/beans 
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
       http://www.springframework.org/schema/tx 
http://www.springframework.org/schema/tx/spring-tx-3.2.xsd
       http://www.springframework.org/schema/security 
http://www.springframework.org/schema/security/spring-security-3.2.xsd
       http://www.springframework.org/schema/util 
http://www.springframework.org/schema/util/spring-util.xsd<http://www.springframework.org/schema/beans%20http:/www.springframework.org/schema/beans/spring-beans-3.2.xsd%0b
      
%20http:/www.springframework.org/schema/tx%20http:/www.springframework.org/schema/tx/spring-tx-3.2.xsd%0b
      
%20http:/www.springframework.org/schema/security%20http:/www.springframework.org/schema/security/spring-security-3.2.xsd%0b
      
%20http:/www.springframework.org/schema/util%20http:/www.springframework.org/schema/util/spring-util.xsd>">

    <bean id="authenticationManager" 
class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
        <constructor-arg>
            <map>
                <entry key-ref="proxyAuthenticationHandler" 
value-ref="proxyPrincipalResolver" />
                <!-- Old Value - <entry key-ref="ldapAuthenticationHandler" 
value-ref="primaryPrincipalResolver" /> -->
    <entry key-ref="ldapAuthenticationHandler" 
value-ref="primaryPrincipalResolver" />
            </map>
        </constructor-arg>
        <property name="authenticationPolicy">
            <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" 
/>
        </property>
    </bean>

    <!-- Required for proxy ticket mechanism. -->
    <bean id="proxyAuthenticationHandler"
          
class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
          p:httpClient-ref="httpClient" />

    <bean id="primaryAuthenticationHandler"
          class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">
        <property name="users">
            <map>
                <entry key="casuser" value="Mellon"/>
            </map>
        </property>
    </bean>

    <!-- Required for proxy ticket mechanism -->
    <bean id="proxyPrincipalResolver"
          class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" 
/>

    <!--
       | Resolves a principal from a credential using an attribute repository 
that is configured to resolve
       | against a deployer-specific store (e.g. LDAP).
       -->
    <bean id="primaryPrincipalResolver"
          
class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver" 
>
        <property name="attributeRepository" ref="attributeRepository" />
    </bean>

    <!--
    Bean that defines the attributes that a service may return.  This example 
uses the Stub/Mock version.  A real implementation
    may go against a database or LDAP server.  The id should remain 
"attributeRepository" though.

    <bean id="attributeRepository" 
class="org.jasig.services.persondir.support.StubPersonAttributeDao"
            p:backingMap-ref="attrRepoBackingMap" />

    <util:map id="attrRepoBackingMap">
        <entry key="uid" value="uid" />
        <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
        <entry key="groupMembership" value="groupMembership" />
    </util:map>
-->
 <bean id="attributeRepository" 
class="org.jasig.cas.persondir.LdapPersonAttributeDao"
    p:baseDN="${ldap.baseDn}"
    p:searchFilter="samAccountName={0}"
    p:searchControls-ref="searchControls"
    p:connectionFactory-ref="searchPooledLdapConnectionFactory"
    p:queryAttributeMapping-ref="queryAttributeMap"
    p:resultAttributeMapping-ref="resultAttributeMap"
    />
  <util:map id="queryAttributeMap">
   <entry key="user" value="uid" />
  </util:map>

  <util:map id="resultAttributeMap">
     <entry key="samAccountName" value="userName" />
   <entry key="cn" value="Student ID" />
   <entry key="givenName" value="First Name" />
   <entry key="sn" value="Last Name" />
            <entry key="mail" value="email" />
            <entry key="displayName" value="displayName" />
  </util:map>
 <bean id="searchControls" class="javax.naming.directory.SearchControls"
    p:searchScope="2"
 />
    <!--
    Sample, in-memory data store for the ServiceRegistry. A real implementation
    would probably want to replace this with the JPA-backed ServiceRegistry DAO
    The name of this bean should remain "serviceRegistryDao".
    +-->
    <bean id="serviceRegistryDao" 
class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl"
            p:registeredServices-ref="registeredServicesList" />

    <util:list id="registeredServicesList">
        <bean class="org.jasig.cas.services.RegexRegisteredService"
              p:id="0" p:name="HTTP and IMAP" p:description="Allows HTTP(S) and 
IMAP(S) protocols"
              p:serviceId="^(https?|imaps?)://.*" p:evaluationOrder="10000001" 
/>
        <!--
        Use the following definition instead of the above to further restrict 
access
        to services within your domain (including sub domains).
        Note that example.com must be replaced with the domain you wish to 
permit.
        This example also demonstrates the configuration of an attribute filter
        that only allows for attributes whose length is 3.
        -->
        <!--
        <bean class="org.jasig.cas.services.RegexRegisteredService">
            <property name="id" value="1" />
            <property name="name" value="HTTP and IMAP on example.com" />
            <property name="description" value="Allows HTTP(S) and IMAP(S) 
protocols on example.com" />
            <property name="serviceId" 
value="^(https?|imaps?)://([A-Za-z0-9_-]+\.)*example\.com/.*" />
            <property name="evaluationOrder" value="0" />
            <property name="attributeFilter">
              <bean 
class="org.jasig.cas.services.support.RegisteredServiceRegexAttributeFilter" 
c:regex="^\w{3}$" />
            </property>
        </bean>
        -->
    </util:list>

    <bean id="auditTrailManager" 
class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />

    <bean id="healthCheckMonitor" 
class="org.jasig.cas.monitor.HealthCheckMonitor" p:monitors-ref="monitorsList" 
/>

    <util:list id="monitorsList">
      <bean class="org.jasig.cas.monitor.MemoryMonitor" 
p:freeMemoryWarnThreshold="10" />
      <!--
        NOTE
        The following ticket registries support SessionMonitor:
          * DefaultTicketRegistry
          * JpaTicketRegistry
        Remove this monitor if you use an unsupported registry.
      -->
      <bean class="org.jasig.cas.monitor.SessionMonitor"
          p:ticketRegistry-ref="ticketRegistry"
          p:serviceTicketCountWarnThreshold="5000"
          p:sessionCountWarnThreshold="100000" />
    </util:list>
<!-- INSERT CONNECTION CONFIGURATIONS HERE -->
<bean id="ldapAuthenticationHandler"
      class="org.jasig.cas.authentication.LdapAuthenticationHandler"
      p:principalIdAttribute="samAccountName"
      c:authenticator-ref="authenticator">
    <property name="principalAttributeMap">
        <map>
            <!--
               | This map provides a simple attribute resolution mechanism.
               | Keys are LDAP attribute names, values are CAS attribute names.
               | Use this facility instead of a PrincipalResolver if LDAP is
               | the only attribute source.
               -->
   <entry key="samAccountName" value="userName" />
   <entry key="cn" value="Student ID" />
   <entry key="givenName" value="First Name" />
   <entry key="sn" value="Last Name" />
            <entry key="mail" value="email" />
            <entry key="displayName" value="displayName" />
        </map>
    </property>
</bean>

<bean id="authenticator" class="org.ldaptive.auth.Authenticator"
      c:resolver-ref="dnResolver"
      c:handler-ref="authHandler" />

<bean id="dnResolver" class="org.ldaptive.auth.PooledSearchDnResolver"
      p:baseDn="${ldap.baseDn}"
      p:subtreeSearch="true"
      p:allowMultipleDns="false"
      p:connectionFactory-ref="searchPooledLdapConnectionFactory"
      p:userFilter="${ldap.authn.searchFilter}" />

<bean id="searchPooledLdapConnectionFactory"
      class="org.ldaptive.pool.PooledConnectionFactory"
      p:connectionPool-ref="searchConnectionPool" />

<bean id="searchConnectionPool" parent="abstractConnectionPool"
      p:connectionFactory-ref="searchConnectionFactory" />

<bean id="searchConnectionFactory"
      class="org.ldaptive.DefaultConnectionFactory"
      p:connectionConfig-ref="searchConnectionConfig" />

<bean id="searchConnectionConfig" parent="abstractConnectionConfig"
      p:connectionInitializer-ref="bindConnectionInitializer" />

<bean id="bindConnectionInitializer"
      class="org.ldaptive.BindConnectionInitializer"
      p:bindDn="[email protected]<mailto:[email protected]>">
    <property name="bindCredential">
        <bean class="org.ldaptive.Credential"
              c:password="${ldap.authn.managerPassword}" />
    </property>
</bean>

<bean id="abstractConnectionPool" abstract="true"
      class="org.ldaptive.pool.BlockingConnectionPool"
      init-method="initialize"
      p:poolConfig-ref="ldapPoolConfig"
      p:blockWaitTime="${ldap.pool.blockWaitTime}"
      p:validator-ref="searchValidator"
      p:pruneStrategy-ref="pruneStrategy" />

<bean id="abstractConnectionConfig" abstract="true"
      class="org.ldaptive.ConnectionConfig"
      p:ldapUrl="${ldap.url}"
      p:connectTimeout="${ldap.connectTimeout}"
      p:useStartTLS="${ldap.useStartTLS}"
      p:sslConfig-ref="sslConfig" />

<bean id="ldapPoolConfig" class="org.ldaptive.pool.PoolConfig"
      p:minPoolSize="${ldap.pool.minSize}"
      p:maxPoolSize="${ldap.pool.maxSize}"
      p:validateOnCheckOut="${ldap.pool.validateOnCheckout}"
      p:validatePeriodically="${ldap.pool.validatePeriodically}"
      p:validatePeriod="${ldap.pool.validatePeriod}" />

<bean id="sslConfig" class="org.ldaptive.ssl.SslConfig">
    <property name="credentialConfig">
        <bean class="org.ldaptive.ssl.X509CredentialConfig"
              p:trustCertificates="${ldap.trustedCert}" />
    </property>
</bean>

<bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
      p:prunePeriod="${ldap.pool.prunePeriod}"
      p:idleTime="${ldap.pool.idleTime}" />

<bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" />

<bean id="authHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler"
      p:connectionFactory-ref="bindPooledLdapConnectionFactory" />

<bean id="bindPooledLdapConnectionFactory"
      class="org.ldaptive.pool.PooledConnectionFactory"
      p:connectionPool-ref="bindConnectionPool" />

<bean id="bindConnectionPool" parent="abstractConnectionPool"
      p:connectionFactory-ref="bindConnectionFactory" />

<bean id="bindConnectionFactory"
      class="org.ldaptive.DefaultConnectionFactory"
      p:connectionConfig-ref="bindConnectionConfig" />

<bean id="bindConnectionConfig" parent="abstractConnectionConfig" />
<!-- Cirwin - Add Attribute release bean
<context:component-scan base-package="org.jasig.cas" />
<context:annotation-config />
 -->

</beans>



Chris

--

You are currently subscribed to 
[email protected]<mailto:[email protected]> as: 
[email protected]<mailto:[email protected]>

To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user



--

You are currently subscribed to 
[email protected]<mailto:[email protected]> as: 
[email protected]<mailto:[email protected]>

To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Reply via email to