Misagh,
I have the LDAP component using this example:
<bean id="ldapPersonAttributeDao"
class="org.jasig.cas.persondir.LdapPersonAttributeDao"
p:connectionFactory-ref="pooledLdapConnectionFactory"
p:baseDN="${ldap.baseDn}"
p:searchControls-ref="searchControls"
p:searchFilter="mail={0}">
<property name="resultAttributeMapping">
<map>
<!--
| Key is LDAP attribute name, value is principal attribute name.
-->
<entry key="member" value="member" />
<entry key="mail" value="mail" />
<entry key="displayName" value="displayName" />
</map>
</property>
</bean>
I believe I need to add this as well:
<bean class="org.jasig.cas.services.RegisteredServiceImpl">
<property name="id" value="0" />
<property name="name" value="HTTPS Services" />
<property name="description" value="YOUR HTTP Service" />
<property name="serviceId" value="https://**"; />
<property name="allowedAttributes">
<list>
<value>yourAttributeName</value>
</list>
</property>
</bean>
My question is, can I do this to release the same set of attributes for any
service? This looks like it’s going to require me to set this up for every new
service.
Sincerely,
Christopher Irwin
From: Misagh Moayyed [mailto:[email protected]]
Sent: Friday, August 14, 2015 1:50 PM
To: [email protected]
Subject: RE: [cas-user] Attribute Release
You are not getting anything from CAS because you’re not allowing any
attributes to be released. Your logs/config show you’re only resolving
attributes. Your service registry needs to release them next.
See:
http://jasig.github.io/cas/4.0.x/integration/Attribute-Release.html
From: Ray Bon [mailto:[email protected]]
Sent: Friday, August 14, 2015 10:25 AM
To: [email protected]<mailto:[email protected]>
Subject: Re:[cas-user] Attribute Release
Chris,
Clearly I did not look closely enough at the logs.
In the log you have "Created seed map='{username=[cirwin]}' for uid='cirwin'"
followed by "Generated query builder 'null' from query Map {username=[cirwin]}"
In my log between these two lines I get "Adding attribute 'uid' with value
'[rbon]' to query builder 'null'"
followed by "Generated query builder '(uid=rbon)' from query Map
{username=[rbon]}"
In your configuration you have <util:map id="queryAttributeMap">
<entry key="user" value="uid" />
</util:map>
Try changing the key in the configuration from 'user' to 'username'.
Ray
________________________________
From: Chris Irwin
<[email protected]<mailto:[email protected]>>
Sent: August 14, 2015 05:02
To: [email protected]<mailto:[email protected]>
Subject: RE:[cas-user] Attribute Release
Ray,
In the log below you can see the results of the query. You can also see the
attributes I have listed in the ldapAuthenticationHandler’s
principalAttributeMap get returned in the “Found principal attribute” This is
what I want to return back to the app but all I’m getting is the following:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>cirwin</cas:user>
</cas:authenticationSuccess>
</cas:serviceResponse>
I thought I just needed to wire up so that the attributes resolved here are
released:
2015-08-13 16:31:20,565 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal
attribute: [sAMAccountName[CIrwin]]
2015-08-13 16:31:20,565 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal
attribute: [cn[Chris Irwin]]
2015-08-13 16:31:20,565 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal
attribute: [givenName[Chris]]
2015-08-13 16:31:20,565 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal
attribute: [sn[Irwin]]
2015-08-13 16:31:20,565 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal
attribute: [mail[[email protected]]]
2015-08-13 16:31:20,565 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal
attribute: [displayName[Chris Irwin]]
Is that different?
Chris
From: Ray Bon [mailto:[email protected]]
Sent: Thursday, August 13, 2015 6:17 PM
To: [email protected]<mailto:[email protected]>
Subject: Re:[cas-user] Attribute Release
Check what attributes are being released from your LDAP server.
The items in the LDAP response may be provided as part of the authenticated
user info but not necessarily the released attributes.
Ray
________________________________
From: Chris Irwin
<[email protected]<mailto:[email protected]>>
Sent: August 13, 2015 13:58
To: [email protected]<mailto:[email protected]>
Subject: [cas-user] Attribute Release
I'm not sure what i'm missing here. I can see the attributes resolved but they
are never released to the client:
2015-08-13 16:31:20,456 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Attempting LDAP
authentication for cirwin+password
2015-08-13 16:31:20,565 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - LDAP response:
[org.ldaptive.auth.AuthenticationResponse@110158567::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS,
ldapEntry=[dn=CN=Chris
Irwin,OU=SADA,OU=Consultants,dc=root,dc=njcu[[mail[[email protected]]],
[uSNCreated[75502415]], [description[SADA Consultant]],
[whenChanged[20150805152738.0Z]], [objectClass[top, person,
organizationalPerson, user]], [primaryGroupID[513]], [givenName[Chris]],
[objectGUID[??????D?a??[??]], [objectSid[ � q??K9?l??>u??V ]],
[instanceType[4]], [whenCreated[20150410141222.0Z]],
[dSCorePropagationData[20150520202442.0Z, 20150410142342.0Z,
16010101000000.0Z]], [sn[Irwin]], [userAccountControl[66048]],
[lastLogonTimestamp[130832620538887202]], [cn[Chris Irwin]],
[sAMAccountName[CIrwin]], [sAMAccountType[805306368]],
[userPrincipalName[[email protected]]], [displayName[Chris Irwin]],
[pwdLastSet[130731491217059125]], [name[Chris Irwin]],
[objectCategory[CN=Person,CN=Schema,CN=Configuration,DC=root,DC=njcu]],
[distinguishedName[CN=Chris Irwin,OU=SADA,OU=Consultants,DC=root,DC=njcu]],
[memberOf[CN=rdpadmins,CN=Users,DC=root,DC=njcu,
CN=VPN,CN=Users,DC=root,DC=njcu, CN=Domain Admins,CN=Users,DC=root,DC=njcu]],
[uSNChanged[90371268]]], responseControls=null, messageId=-1],
accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]
2015-08-13 16:31:20,565 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal
attribute: [sAMAccountName[CIrwin]]
2015-08-13 16:31:20,565 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal
attribute: [cn[Chris Irwin]]
2015-08-13 16:31:20,565 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal
attribute: [givenName[Chris]]
2015-08-13 16:31:20,565 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal
attribute: [sn[Irwin]]
2015-08-13 16:31:20,565 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal
attribute: [mail[[email protected]]]
2015-08-13 16:31:20,565 DEBUG
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Found principal
attribute: [displayName[Chris Irwin]]
2015-08-13 16:31:20,565 INFO
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
LdapAuthenticationHandler successfully authenticated cirwin+password
2015-08-13 16:31:20,565 DEBUG
[org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver] -
Attempting to resolve a principal...
2015-08-13 16:31:20,565 DEBUG
[org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver] -
Creating SimplePrincipal for [cirwin]
2015-08-13 16:31:20,565 DEBUG [org.jasig.cas.persondir.LdapPersonAttributeDao]
- Created seed map='{username=[cirwin]}' for uid='cirwin'
2015-08-13 16:31:20,565 DEBUG [org.jasig.cas.persondir.LdapPersonAttributeDao]
- Generated query builder 'null' from query Map {username=[cirwin]}.
2015-08-13 16:31:20,565 DEBUG [org.jasig.cas.persondir.LdapPersonAttributeDao]
- No queryBuilder was generated for query {username=[cirwin]}, null will be
returned
2015-08-13 16:31:20,565 DEBUG
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver@e1fa433<mailto:org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver@e1fa433>
resolved cirwin from cirwin+password
2015-08-13 16:31:20,581 INFO
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - Authenticated
cirwin with credentials [cirwin+password].
2015-08-13 16:31:20,581 DEBUG
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - Attribute map
for cirwin: {}
2015-08-13 16:31:20,581 INFO
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail
record BEGIN
=============================================================
WHO: audit:unknown
WHAT: supplied credentials: [cirwin+password]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Thu Aug 13 16:31:20 EDT 2015
CLIENT IP ADDRESS: 208.104.112.159
SERVER IP ADDRESS: 10.0.2.73
=============================================================
I have included the deployerConfigContext.xml for reference:
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to Jasig under one or more contributor license
agreements. See the NOTICE file distributed with this work
for additional information regarding copyright ownership.
Jasig licenses this file to you under the Apache License,
Version 2.0 (the "License"); you may not use this file
except in compliance with the License. You may obtain a
copy of the License at the following location:
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<beans xmlns="http://www.springframework.org/schema/beans";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xmlns:p="http://www.springframework.org/schema/p";
xmlns:c="http://www.springframework.org/schema/c";
xmlns:tx="http://www.springframework.org/schema/tx";
xmlns:util="http://www.springframework.org/schema/util";
xmlns:sec="http://www.springframework.org/schema/security";
xmlns:context="http://www.springframework.org/schema/context";
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util.xsd<http://www.springframework.org/schema/beans%20http:/www.springframework.org/schema/beans/spring-beans-3.2.xsd%0b
%20http:/www.springframework.org/schema/tx%20http:/www.springframework.org/schema/tx/spring-tx-3.2.xsd%0b
%20http:/www.springframework.org/schema/security%20http:/www.springframework.org/schema/security/spring-security-3.2.xsd%0b
%20http:/www.springframework.org/schema/util%20http:/www.springframework.org/schema/util/spring-util.xsd>">
<bean id="authenticationManager"
class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
<constructor-arg>
<map>
<entry key-ref="proxyAuthenticationHandler"
value-ref="proxyPrincipalResolver" />
<!-- Old Value - <entry key-ref="ldapAuthenticationHandler"
value-ref="primaryPrincipalResolver" /> -->
<entry key-ref="ldapAuthenticationHandler"
value-ref="primaryPrincipalResolver" />
</map>
</constructor-arg>
<property name="authenticationPolicy">
<bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy"
/>
</property>
</bean>
<!-- Required for proxy ticket mechanism. -->
<bean id="proxyAuthenticationHandler"
class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
p:httpClient-ref="httpClient" />
<bean id="primaryAuthenticationHandler"
class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">
<property name="users">
<map>
<entry key="casuser" value="Mellon"/>
</map>
</property>
</bean>
<!-- Required for proxy ticket mechanism -->
<bean id="proxyPrincipalResolver"
class="org.jasig.cas.authentication.principal.BasicPrincipalResolver"
/>
<!--
| Resolves a principal from a credential using an attribute repository
that is configured to resolve
| against a deployer-specific store (e.g. LDAP).
-->
<bean id="primaryPrincipalResolver"
class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver"
>
<property name="attributeRepository" ref="attributeRepository" />
</bean>
<!--
Bean that defines the attributes that a service may return. This example
uses the Stub/Mock version. A real implementation
may go against a database or LDAP server. The id should remain
"attributeRepository" though.
<bean id="attributeRepository"
class="org.jasig.services.persondir.support.StubPersonAttributeDao"
p:backingMap-ref="attrRepoBackingMap" />
<util:map id="attrRepoBackingMap">
<entry key="uid" value="uid" />
<entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
<entry key="groupMembership" value="groupMembership" />
</util:map>
-->
<bean id="attributeRepository"
class="org.jasig.cas.persondir.LdapPersonAttributeDao"
p:baseDN="${ldap.baseDn}"
p:searchFilter="samAccountName={0}"
p:searchControls-ref="searchControls"
p:connectionFactory-ref="searchPooledLdapConnectionFactory"
p:queryAttributeMapping-ref="queryAttributeMap"
p:resultAttributeMapping-ref="resultAttributeMap"
/>
<util:map id="queryAttributeMap">
<entry key="user" value="uid" />
</util:map>
<util:map id="resultAttributeMap">
<entry key="samAccountName" value="userName" />
<entry key="cn" value="Student ID" />
<entry key="givenName" value="First Name" />
<entry key="sn" value="Last Name" />
<entry key="mail" value="email" />
<entry key="displayName" value="displayName" />
</util:map>
<bean id="searchControls" class="javax.naming.directory.SearchControls"
p:searchScope="2"
/>
<!--
Sample, in-memory data store for the ServiceRegistry. A real implementation
would probably want to replace this with the JPA-backed ServiceRegistry DAO
The name of this bean should remain "serviceRegistryDao".
+-->
<bean id="serviceRegistryDao"
class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl"
p:registeredServices-ref="registeredServicesList" />
<util:list id="registeredServicesList">
<bean class="org.jasig.cas.services.RegexRegisteredService"
p:id="0" p:name="HTTP and IMAP" p:description="Allows HTTP(S) and
IMAP(S) protocols"
p:serviceId="^(https?|imaps?)://.*" p:evaluationOrder="10000001"
/>
<!--
Use the following definition instead of the above to further restrict
access
to services within your domain (including sub domains).
Note that example.com must be replaced with the domain you wish to
permit.
This example also demonstrates the configuration of an attribute filter
that only allows for attributes whose length is 3.
-->
<!--
<bean class="org.jasig.cas.services.RegexRegisteredService">
<property name="id" value="1" />
<property name="name" value="HTTP and IMAP on example.com" />
<property name="description" value="Allows HTTP(S) and IMAP(S)
protocols on example.com" />
<property name="serviceId"
value="^(https?|imaps?)://([A-Za-z0-9_-]+\.)*example\.com/.*" />
<property name="evaluationOrder" value="0" />
<property name="attributeFilter">
<bean
class="org.jasig.cas.services.support.RegisteredServiceRegexAttributeFilter"
c:regex="^\w{3}$" />
</property>
</bean>
-->
</util:list>
<bean id="auditTrailManager"
class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
<bean id="healthCheckMonitor"
class="org.jasig.cas.monitor.HealthCheckMonitor" p:monitors-ref="monitorsList"
/>
<util:list id="monitorsList">
<bean class="org.jasig.cas.monitor.MemoryMonitor"
p:freeMemoryWarnThreshold="10" />
<!--
NOTE
The following ticket registries support SessionMonitor:
* DefaultTicketRegistry
* JpaTicketRegistry
Remove this monitor if you use an unsupported registry.
-->
<bean class="org.jasig.cas.monitor.SessionMonitor"
p:ticketRegistry-ref="ticketRegistry"
p:serviceTicketCountWarnThreshold="5000"
p:sessionCountWarnThreshold="100000" />
</util:list>
<!-- INSERT CONNECTION CONFIGURATIONS HERE -->
<bean id="ldapAuthenticationHandler"
class="org.jasig.cas.authentication.LdapAuthenticationHandler"
p:principalIdAttribute="samAccountName"
c:authenticator-ref="authenticator">
<property name="principalAttributeMap">
<map>
<!--
| This map provides a simple attribute resolution mechanism.
| Keys are LDAP attribute names, values are CAS attribute names.
| Use this facility instead of a PrincipalResolver if LDAP is
| the only attribute source.
-->
<entry key="samAccountName" value="userName" />
<entry key="cn" value="Student ID" />
<entry key="givenName" value="First Name" />
<entry key="sn" value="Last Name" />
<entry key="mail" value="email" />
<entry key="displayName" value="displayName" />
</map>
</property>
</bean>
<bean id="authenticator" class="org.ldaptive.auth.Authenticator"
c:resolver-ref="dnResolver"
c:handler-ref="authHandler" />
<bean id="dnResolver" class="org.ldaptive.auth.PooledSearchDnResolver"
p:baseDn="${ldap.baseDn}"
p:subtreeSearch="true"
p:allowMultipleDns="false"
p:connectionFactory-ref="searchPooledLdapConnectionFactory"
p:userFilter="${ldap.authn.searchFilter}" />
<bean id="searchPooledLdapConnectionFactory"
class="org.ldaptive.pool.PooledConnectionFactory"
p:connectionPool-ref="searchConnectionPool" />
<bean id="searchConnectionPool" parent="abstractConnectionPool"
p:connectionFactory-ref="searchConnectionFactory" />
<bean id="searchConnectionFactory"
class="org.ldaptive.DefaultConnectionFactory"
p:connectionConfig-ref="searchConnectionConfig" />
<bean id="searchConnectionConfig" parent="abstractConnectionConfig"
p:connectionInitializer-ref="bindConnectionInitializer" />
<bean id="bindConnectionInitializer"
class="org.ldaptive.BindConnectionInitializer"
p:bindDn="[email protected]<mailto:[email protected]>">
<property name="bindCredential">
<bean class="org.ldaptive.Credential"
c:password="${ldap.authn.managerPassword}" />
</property>
</bean>
<bean id="abstractConnectionPool" abstract="true"
class="org.ldaptive.pool.BlockingConnectionPool"
init-method="initialize"
p:poolConfig-ref="ldapPoolConfig"
p:blockWaitTime="${ldap.pool.blockWaitTime}"
p:validator-ref="searchValidator"
p:pruneStrategy-ref="pruneStrategy" />
<bean id="abstractConnectionConfig" abstract="true"
class="org.ldaptive.ConnectionConfig"
p:ldapUrl="${ldap.url}"
p:connectTimeout="${ldap.connectTimeout}"
p:useStartTLS="${ldap.useStartTLS}"
p:sslConfig-ref="sslConfig" />
<bean id="ldapPoolConfig" class="org.ldaptive.pool.PoolConfig"
p:minPoolSize="${ldap.pool.minSize}"
p:maxPoolSize="${ldap.pool.maxSize}"
p:validateOnCheckOut="${ldap.pool.validateOnCheckout}"
p:validatePeriodically="${ldap.pool.validatePeriodically}"
p:validatePeriod="${ldap.pool.validatePeriod}" />
<bean id="sslConfig" class="org.ldaptive.ssl.SslConfig">
<property name="credentialConfig">
<bean class="org.ldaptive.ssl.X509CredentialConfig"
p:trustCertificates="${ldap.trustedCert}" />
</property>
</bean>
<bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
p:prunePeriod="${ldap.pool.prunePeriod}"
p:idleTime="${ldap.pool.idleTime}" />
<bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" />
<bean id="authHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler"
p:connectionFactory-ref="bindPooledLdapConnectionFactory" />
<bean id="bindPooledLdapConnectionFactory"
class="org.ldaptive.pool.PooledConnectionFactory"
p:connectionPool-ref="bindConnectionPool" />
<bean id="bindConnectionPool" parent="abstractConnectionPool"
p:connectionFactory-ref="bindConnectionFactory" />
<bean id="bindConnectionFactory"
class="org.ldaptive.DefaultConnectionFactory"
p:connectionConfig-ref="bindConnectionConfig" />
<bean id="bindConnectionConfig" parent="abstractConnectionConfig" />
<!-- Cirwin - Add Attribute release bean
<context:component-scan base-package="org.jasig.cas" />
<context:annotation-config />
-->
</beans>
Chris
--
You are currently subscribed to
[email protected]<mailto:[email protected]> as:
[email protected]<mailto:[email protected]>
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to
[email protected]<mailto:[email protected]> as:
[email protected]<mailto:[email protected]>
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to
[email protected]<mailto:[email protected]> as:
[email protected]<mailto:[email protected]>
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to
[email protected]<mailto:[email protected]> as:
[email protected]<mailto:[email protected]>
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to
[email protected]<mailto:[email protected]> as:
[email protected]<mailto:[email protected]>
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
