Thanks. (Does your silence on other points mean that you don't see other
errors?)

On Dec 10, 2007 10:55 AM, Scott Battaglia <[EMAIL PROTECTED]> wrote:

> You should be able to use sAMAccountName if you want.
>
> -Scott
>
> On Dec 10, 2007 10:20 AM, Jonathan Hayward http://JonathansCorner.com <[EMAIL PROTECTED]> wrote:
>
> >  We are having trouble getting CAS to get the usernames from LDAP; in
> > our LDAP server, the "uid" field is not populated ("sAMAccountName" does its
> > work).
> >
> > Do any problems jump out, or any "usual suspects" for trouble getting
> > usernames from LDAP?
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <!--
> >   | deployerConfigContext.xml centralizes into one file some of the declarative configuration that
> >   | all CAS deployers will need to modify.
> >   |
> >   | This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
> >   | The beans declared in this file are instantiated at context initialization time by the Spring
> >   | ContextLoaderListener declared in web.xml.  It finds this file because this
> >   | file is among those declared in the context parameter "contextConfigLocation".
> >   |
> >   | By far the most common change you will need to make in this file is to change the last bean
> >   | declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with
> >   | one implementing your approach for authenticating usernames and passwords.
> >   +-->
> > <beans xmlns="http://www.springframework.org/schema/beans"
> >        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >        xmlns:p="http://www.springframework.org/schema/p"
> >        xsi:schemaLocation="http://www.springframework.org/schema/beans
> >                            http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
> >   <!--
> >     | This bean declares our AuthenticationManager.  The CentralAuthenticationService service bean
> >     | declared in applicationContext.xml picks up this AuthenticationManager by reference to its id,
> >     | "authenticationManager".  Most deployers will be able to use the default AuthenticationManager
> >     | implementation and so do not need to change the class of this bean.  We include the whole
> >     | AuthenticationManager here in the userConfigContext.xml so that you can see the things you will
> >     | need to change in context.
> >     +-->
> >
> >   <bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
> >     <property name="urls">
> >       <list>
> >         <value>ldap://[DELETED]:389/OU=Accounts,OU=[DELETED],OU=[DELETED],DC=[DELETED],DC=[DELETED],DC=[DELETED]</value>
> >       </list>
> >     </property>
> >     <property name="userName" value="[DELETED]"/>
> >     <property name="password" value="[DELETED]"/>
> >     <property name="baseEnvironmentProperties">
> >       <map>
> >         <entry>
> >           <key>
> >             <value>java.naming.security.authentication</value>
> >           </key>
> >           <value>simple</value>
> >         </entry>
> >       </map>
> >     </property>
> >   </bean>
> >
> >   <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
> >     <!--
> >       | This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate.
> >       | The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which
> >       | supports the presented credentials.
> >       |
> >       | AuthenticationManagerImpl uses these resolvers for two purposes.  First, it uses them to identify the Principal
> >       | attempting to authenticate to CAS /login .  In the default configuration, it is the DefaultCredentialsToPrincipalResolver
> >       | that fills this role.  If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace
> >       | DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are
> >       | using.
> >       |
> >       | Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket.
> >       | In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose.
> >       | You will need to change this list if you are identifying services by something more or other than their callback URL.
> >       +-->
> >     <property name="credentialsToPrincipalResolvers">
> >       <list>
> >         <!--
> >           | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
> >           | by default and produces SimplePrincipal instances conveying the username from the credentials.
> >           |
> >           | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
> >           | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
> >           | Credentials you are using.
> >           +-->
> >         <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
> >           <property name="attributeRepository">
> >             <ref bean="attributeRepository" />
> >           </property>
> >         </bean>
> >         <!--
> >           | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials.  It supports the CAS 2.0 approach of
> >           | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
> >           | SimpleService identified by that callback URL.
> >           |
> >           | If you are representing services by something more or other than an HTTPS URL whereat they are able to
> >           | receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
> >           +-->
> >         <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
> >       </list>
> >     </property>
> >     <!--
> >       | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate,
> >       | AuthenticationHandlers actually authenticate credentials.  Here we declare the AuthenticationHandlers that
> >       | authenticate the Principals that the CredentialsToPrincipalResolvers identified.  CAS will try these handlers in turn
> >       | until it finds one that both supports the Credentials presented and succeeds in authenticating.
> >       +-->
> >     <property name="authenticationHandlers">
> >       <list>
> >         <!--
> >           | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
> >           | a server side SSL certificate.
> >           +-->
> >         <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
> >               p:httpClient-ref="httpClient" />
> >         <!--
> >           | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
> >           | into production.  The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
> >           | where the username equals the password.  You will need to replace this with an AuthenticationHandler that implements your
> >           | local authentication strategy.  You might accomplish this by coding a new such handler and declaring
> >           | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
> >           +-->
> >         <!--
> >         <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
> >         -->
> >
> >         <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
> >           <property name="filter" value="sAMAccountName=%u" />
> >           <property name="searchBase" value="DC=[DELETED],DC=[DELETED],DC=[DELETED]" />
> >           <property name="contextSource" ref="contextSource" />
> >           <property name="ignorePartialResultException" value="yes" />
> >         </bean>
> >       </list>
> >     </property>
> >   </bean>
> >
> >   <!--
> >     This bean defines the security roles for the Services Management application.  Simple deployments can use the in-memory version.
> >     More robust deployments will want to use another option, such as the Jdbc version.
> >
> >     The name of this should remain "userDetailsService" in order for Acegi to find it.
> >
> >     To use this, you should add an entry similar to the following between the two value tags:
> >     battags=notused,ROLE_ADMIN
> >
> >     where battags is the username you want to grant access to.  You can put one entry per line.
> >   -->
> >   <bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
> >     <property name="userMap">
> >       <value>
> >       </value>
> >     </property>
> >   </bean>
> >
> >   <!--
> >     Bean that defines the attributes that a service may return.  This example uses the Stub/Mock version.  A real implementation
> >     may go against a database or LDAP server.  The id should remain "attributeRepository" though.
> >   -->
> >   <bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
> >     <property name="baseDN" value="OU=[DELETED],OU=[DELETED],OU=[DELETED],DC=[DELETED],DC=[DELETED],DC=[DELETED]" />
> >     <property name="principalAttributeName" value="sAMAccountName" />
> >
> >     <!-- This query is used to find the entry for populating attributes. {0} will be replaced by the new Principal ID extracted from the ldap -->
> >     <property name="query" value="(sAMAccountName={0})" />
> >     <property name="contextSource" ref="contextSource" />
> >   </bean>
> >
> >   <!--
> >     Sample, in-memory data store for the ServiceRegistry. A real implementation
> >     would probably want to replace this with the JPA-backed ServiceRegistry DAO
> >     The name of this bean should remain "serviceRegistryDao".
> >   -->
> >   <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />
> > </beans>
> > --
> > ++ Jonathan Hayward, [EMAIL PROTECTED]
> > ** To see an award-winning website with stories, essays, artwork,
> > ** games, and a four-dimensional maze, why not visit my home page?
> > ** All of this is waiting for you at http://JonathansCorner.com
> > _______________________________________________
> > Yale CAS mailing list
> > [email protected]
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
> >
>
>
> --
> -Scott Battaglia
>
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
>


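As an added example (not code from CAS or from anyone in the thread), this simulates in Python the search-then-bind step that the BindLdapAuthenticationHandler's filter and searchBase properties configure, run against a constructed in-memory directory in which uid is unpopulated and sAMAccountName is set, as in the thread: a uid=%u filter finds no entry, sAMAccountName=%u resolves the DN, and the value put into the %u slot is escaped per RFC 4515 so a username cannot act as a filter wildcard. The directory contents, DNs and the "password" field are all constructed for the example.

```python
import hmac
import re

# Constructed toy directory standing in for the AD server in the thread:
# DN -> attributes. "uid" is deliberately absent; sAMAccountName is populated.
# "password" is a toy field for the simulated bind, not a real AD attribute.
DIRECTORY = {
    "CN=Jane Doe,OU=Accounts,OU=Staff,DC=example,DC=edu":
        {"sAMAccountName": ["jdoe"], "password": ["s3cret"]},
    "CN=John Roe,OU=Accounts,OU=Staff,DC=example,DC=edu":
        {"sAMAccountName": ["jroe"], "password": ["hunter2"]},
}

def escape_filter_value(value):
    """RFC 4515 escaping for the text substituted into the %u slot."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def matches_assertion(assertion, value):
    """Server side of a filter assertion: '*' is a wildcard, '\\xx' is a
    literal byte; attribute comparison is case-insensitive, as in AD."""
    parts = re.split(r"(\\[0-9a-fA-F]{2}|\*)", assertion)
    regex = "".join(".*" if p == "*"
                    else re.escape(chr(int(p[1:], 16))) if p.startswith("\\")
                    else re.escape(p) for p in parts)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def resolve_user_dn(directory, search_base, filter_template, username):
    """The handler's search step: substitute %u into the filter and require
    exactly one matching entry under searchBase."""
    attr, _, assertion = filter_template.partition("=")
    assertion = assertion.replace("%u", escape_filter_value(username))
    hits = [dn for dn, attrs in directory.items()
            if dn.lower().endswith(search_base.lower())
            and any(matches_assertion(assertion, v) for v in attrs.get(attr, []))]
    return hits[0] if len(hits) == 1 else None

def bind_authenticate(directory, search_base, filter_template, username, password):
    """Search for the DN, then simulate binding as that DN with the password."""
    dn = resolve_user_dn(directory, search_base, filter_template, username)
    if dn is None:
        return None
    stored = directory[dn]["password"][0]
    return dn if hmac.compare_digest(stored, password) else None
```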