You should be able to use sAMAccountName if you want.

-Scott

On Dec 10, 2007 10:20 AM, Jonathan Hayward http://JonathansCorner.com <
[EMAIL PROTECTED]> wrote:

> We are having trouble getting CAS to get the usernames from LDAP; in our
> LDAP server, the "uid" field is not populated ("sAMAccountName" does its
> work).
>
> Do any problems jump out, or any "usual suspects" for trouble getting
> usernames from LDAP?
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!--
>   | deployerConfigContext.xml centralizes into one file some of the declarative configuration that
>   | all CAS deployers will need to modify.
>   |
>   | This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
>   | The beans declared in this file are instantiated at context initialization time by the Spring
>   | ContextLoaderListener declared in web.xml.  It finds this file because this
>   | file is among those declared in the context parameter "contextConfigLocation".
>   |
>   | By far the most common change you will need to make in this file is to change the last bean
>   | declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with
>   | one implementing your approach for authenticating usernames and passwords.
>   +-->
> <beans xmlns="http://www.springframework.org/schema/beans"
>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>        xmlns:p="http://www.springframework.org/schema/p"
>        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
>   <!--
>     | This bean declares our AuthenticationManager.  The CentralAuthenticationService service bean
>     | declared in applicationContext.xml picks up this AuthenticationManager by reference to its id,
>     | "authenticationManager".  Most deployers will be able to use the default AuthenticationManager
>     | implementation and so do not need to change the class of this bean.  We include the whole
>     | AuthenticationManager here in the userConfigContext.xml so that you can see the things you will
>     | need to change in context.
>     +-->
>
>   <bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
>     <property name="urls">
>       <list>
>         <value>ldap://[DELETED]:389/OU=Accounts,OU=[DELETED],OU=[DELETED],DC=[DELETED],DC=[DELETED],DC=[DELETED]</value>
>       </list>
>     </property>
>     <property name="userName" value="[DELETED]"/>
>     <property name="password" value="[DELETED]"/>
>     <property name="baseEnvironmentProperties">
>       <map>
>         <entry>
>           <key>
>             <value>java.naming.security.authentication</value>
>           </key>
>           <value>simple</value>
>         </entry>
>       </map>
>     </property>
>   </bean>
>
>   <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
>     <!--
>       | This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate.
>       | The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which
>       | supports the presented credentials.
>       |
>       | AuthenticationManagerImpl uses these resolvers for two purposes.  First, it uses them to identify the Principal
>       | attempting to authenticate to CAS /login .  In the default configuration, it is the DefaultCredentialsToPrincipalResolver
>       | that fills this role.  If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace
>       | DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are
>       | using.
>       |
>       | Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket.
>       | In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose.
>       | You will need to change this list if you are identifying services by something more or other than their callback URL.
>       +-->
>     <property name="credentialsToPrincipalResolvers">
>       <list>
>         <!--
>           | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
>           | by default and produces SimplePrincipal instances conveying the username from the credentials.
>           |
>           | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
>           | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
>           | Credentials you are using.
>           +-->
>         <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
>           <property name="attributeRepository">
>             <ref bean="attributeRepository" />
>           </property>
>         </bean>
>         <!--
>           | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials.  It supports the CAS 2.0 approach of
>           | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
>           | SimpleService identified by that callback URL.
>           |
>           | If you are representing services by something more or other than an HTTPS URL whereat they are able to
>           | receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
>           +-->
>         <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
>       </list>
>     </property>
>     <!--
>       | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate,
>       | AuthenticationHandlers actually authenticate credentials.  Here we declare the AuthenticationHandlers that
>       | authenticate the Principals that the CredentialsToPrincipalResolvers identified.  CAS will try these handlers in turn
>       | until it finds one that both supports the Credentials presented and succeeds in authenticating.
>       +-->
>     <property name="authenticationHandlers">
>       <list>
>         <!--
>           | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
>           | a server side SSL certificate.
>           +-->
>         <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
>               p:httpClient-ref="httpClient" />
>         <!--
>           | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
>           | into production.  The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
>           | where the username equals the password.  You will need to replace this with an AuthenticationHandler that implements your
>           | local authentication strategy.  You might accomplish this by coding a new such handler and declaring
>           | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
>           +-->
>         <!--
>         <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
>         -->
>
>         <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
>           <property name="filter" value="sAMAccountName=%u" />
>           <property name="searchBase" value="DC=[DELETED],DC=[DELETED],DC=[DELETED]" />
>           <property name="contextSource" ref="contextSource" />
>           <property name="ignorePartialResultException" value="yes" />
>         </bean>
>       </list>
>     </property>
>   </bean>
>
>   <!--
>     This bean defines the security roles for the Services Management application.  Simple deployments can use the in-memory version.
>     More robust deployments will want to use another option, such as the Jdbc version.
>
>     The name of this should remain "userDetailsService" in order for Acegi to find it.
>
>     To use this, you should add an entry similar to the following between the two value tags:
>     battags=notused,ROLE_ADMIN
>
>     where battags is the username you want to grant access to.  You can put one entry per line.
>   -->
>   <bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
>     <property name="userMap">
>       <value>
>       </value>
>     </property>
>   </bean>
>
>   <!--
>     Bean that defines the attributes that a service may return.  This example uses the Stub/Mock version.  A real implementation
>     may go against a database or LDAP server.  The id should remain "attributeRepository" though.
>   -->
>   <bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
>     <property name="baseDN" value="OU=[DELETED],OU=[DELETED],OU=[DELETED],DC=[DELETED],DC=[DELETED],DC=[DELETED]" />
>     <property name="principalAttributeName" value="sAMAccountName" />
>
>     <!-- This query is used to find the entry for populating attributes. {0} will be replaced by the new Principal ID extracted from the ldap -->
>     <property name="query" value="(sAMAccountName={0})" />
>     <property name="contextSource" ref="contextSource" />
>   </bean>
>
>   <!--
>     Sample, in-memory data store for the ServiceRegistry. A real implementation
>     would probably want to replace this with the JPA-backed ServiceRegistry DAO
>     The name of this bean should remain "serviceRegistryDao".
>   -->
>   <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />
> </beans>
> --
> ++ Jonathan Hayward, [EMAIL PROTECTED]
> ** To see an award-winning website with stories, essays, artwork,
> ** games, and a four-dimensional maze, why not visit my home page?
> ** All of this is waiting for you at http://JonathansCorner.com
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>


-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
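As an added illustration (not CAS code and not from anyone in this thread), the following Python simulates the two LDAP lookups the quoted deployerConfigContext.xml configures: the BindLdapAuthenticationHandler's search-then-bind driven by `filter` and `searchBase`, and the LdapPersonAttributeDao's attribute query driven by `query` and `baseDN`. It runs against a constructed in-memory directory where `uid` is absent, which is exactly how a `uid=%u` filter finds nobody while `sAMAccountName=%u` succeeds; the directory contents, DNs and the RFC 4515 value escaping are assumptions of this example, not something the quoted config does.

```python
import re
from typing import Dict, Optional

# Constructed sample directory (DN -> attributes): an AD-style tree in which
# "uid" is never populated and sAMAccountName carries the login name.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "CN=Jane Doe,OU=Accounts,DC=example,DC=edu": {
        "sAMAccountName": "jdoe", "mail": "jdoe@example.edu", "userPassword": "s3cret"},
    "CN=Bob Ray,OU=Service,DC=example,DC=edu": {
        "sAMAccountName": "bray", "mail": "bray@example.edu", "userPassword": "hunter2"},
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of a value substituted into a filter (hardening added
    in this example; a real LDAP server treats a raw '*' as a wildcard)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def search_one(ldap_filter: str, base: str) -> Optional[str]:
    """Simulated server: exact-match 'attr=value' (outer parens optional) under
    base; returns the DN only when exactly one entry matches."""
    attr, _, value = ldap_filter.strip("()").partition("=")
    hits = [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith(base) and attrs.get(attr) == _unescape(value)]
    return hits[0] if len(hits) == 1 else None

def bind_authenticate(username: str, password: str,
                      filter_template: str = "sAMAccountName=%u",
                      search_base: str = "DC=example,DC=edu") -> Optional[str]:
    """Search-then-bind, the shape of BindLdapAuthenticationHandler's
    filter/searchBase: %u is the presented username. Returns the bound DN,
    or None when no entry matches the filter or the password is wrong."""
    ldap_filter = filter_template.replace("%u", escape_filter_value(username))
    dn = search_one(ldap_filter, search_base)
    if dn is None or DIRECTORY[dn]["userPassword"] != password:
        return None
    return dn

def resolve_attributes(principal: str,
                       query: str = "(sAMAccountName={0})",
                       base_dn: str = "OU=Accounts,DC=example,DC=edu") -> Dict[str, str]:
    """Attribute lookup in the shape of LdapPersonAttributeDao's query/baseDN:
    {0} is the authenticated principal id. Empty dict when nothing matches."""
    dn = search_one(query.replace("{0}", escape_filter_value(principal)), base_dn)
    if dn is None:
        return {}
    return {k: v for k, v in DIRECTORY[dn].items() if k != "userPassword"}
```

Note that `bray` authenticates (the handler searches the whole `DC=example,DC=edu` tree) but gets no attributes back, because the attribute DAO's narrower `baseDN` excludes `OU=Service`; mismatched search bases between the two beans are a common reason a login succeeds yet attributes come back empty.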
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
