Reposting essentially again as I just cannot make this go. My heartfelt apologies that I'm circling to the list again on this.

As before, I want to be able to specifically require an exclusive Authentication Resource per Service definition. I cannot seem to make this work.


CAS 6.2.3


LDAP Resource Definition

==============


cas.authn.ldap[0].name=LDAP
cas.authn.ldap[0].order=0
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldap-url=ldap://100.10.1.230:3131
cas.authn.ldap[0].bind-dn=cn=<xxxx>
cas.authn.ldap[0].search-filter=(&(uid={user})(inetuserstatus=active))
cas.authn.ldap[0].base-dn=o=isp
cas.authn.ldap[0].bind-credential=yyyy
cas.authn.ldap[0].principal-attribute-id=uid
cas.authn.ldap[0].principal-attribute=uid
cas.authn.ldap[0].principal-attribute-list=uid,sn,cn:commonName,givenName,inetUserStatus,dn
cas.authn.ldap[0].use-ssl=false
cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=false
cas.authn.ldap[0].allowMissingPrincipalAttributeValue=true


Radius:

=====

cas.authn.radius.name=Radius
cas.authn.radius.server.protocol=PAP
cas.authn.radius.server.retries=1
cas.authn.radius.client.authenticationPort=1645
cas.authn.radius.client.sharedSecret=zzzzzz
cas.authn.radius.client.inetAddress=100.10.1.184
cas.authn.radius.client.accountingPort=1646
cas.authn.radius.principal-attribute: username
cas.authn.radius.principal-attribute-id: username


Service Definition (Using HTTP Generic)

========================

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|imaps)://.*",
  "name" : "HTTPS and IMAPS",
  "id" : 10000001,
  "evaluationOrder" : 99999,
  "authenticationPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
    "requiredAuthenticationHandlers" : ["java.util.TreeSet", ["Radius"]],
    "excludedAuthenticationHandlers" : ["java.util.TreeSet", ["LDAP"]]
  },
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  }
}


It just doesn't work. If I enter a credential set that fails in Radius it will still fall into LDAP and succeed.


Also, I'm trying to use the LDAP attribute repository to round out the attribute response from said Radius authentication. Again, debug logging of the various elements implies that it should work, but I'm not even seeing the LDAP query for the attributes. Maybe I'm missing the point on how it all works? For example, how do you define the attributes that link the PrincipalID, etc.?


2020-10-28 14:59:16,984 DEBUG [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <LDAP attributes are fetched from [ldap://100.10.1.230:3131] via filter [uid=zzzzz]>
2020-10-28 14:59:16,986 DEBUG [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Configured result attribute mapping for [ldap://100.10.1.230:3131] to be [{cn=commonName, dn=dn, inetUserStatus=inetUserStatus, uid=uid, mail=mail}]>
2020-10-28 14:59:16,990 DEBUG [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Setting binary attributes [[objectGUID, objectSid]]>
2020-10-28 14:59:16,990 DEBUG [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Configured subtree searching for [ldap://100.10.1.230:3131]>
2020-10-28 14:59:16,990 DEBUG [org.apereo.cas.config.CasPersonDirectoryConfiguration] - <Adding LDAP attribute source for [ldap://100.10.1.230:3131]>



Configurations

** Enabling ePerson stuff?

cas.person-directory.attribute-resolution-enabled: true
cas.personDirectory.activeAttributeRepositoryIds: LDAPAttr
cas.person-directory.return-null=false
cas.person-directory.principal-attribute=uid

cas.authn.attributeRepository.expirationTime=30
cas.authn.attributeRepository.expirationTimeUnit=seconds
cas.authn.attributeRepository.merger=MULTIVALUED

** Configuring the LDAP store (log output above seems to imply it's picking this up)

cas.authn.attribute-repository.ldap[0].id=LDAPAttr
cas.authn.attribute-repository.ldap[0].order=0
cas.authn.attribute-repository.ldap[0].attributes.uid=uid
cas.authn.attribute-repository.ldap[0].attributes.cn=commonName
cas.authn.attribute-repository.ldap[0].attributes.dn=dn
cas.authn.attribute-repository.ldap[0].attributes.mail=mail
cas.authn.attribute-repository.ldap[0].attributes.inetUserStatus=inetUserStatus
cas.authn.attribute-repository.ldap[0].ldapUrl=ldap://100.10.1.230:3131
cas.authn.attribute-repository.ldap[0].useSsl=false
cas.authn.attribute-repository.ldap[0].useStartTls=false
cas.authn.attribute-repository.ldap[0].baseDn=o=isp
cas.authn.attribute-repository.ldap[0].search-filter: uid={0}
cas.authn.attribute-repository.ldap[0].bindDn=cn=xxxx
cas.authn.attribute-repository.ldap[0].bindCredential=yyyy

cas.authn.attribute-repository.default-attributes-to-release: uid,dn,mail,commonName


Thoughts on either of these areas would be greatly appreciated.
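A consistency check for the required/excluded handler setup described above, written as an added example (it is not code from the post or from CAS). It collects the handler names declared via cas.authn.*.name properties, unwraps the ["java.util.TreeSet", [...]] form used in the service JSON, and reports handler names that match no declared handler (case included) or appear in both lists; the property and JSON samples are constructed from the post, and it is an assumption that a name mismatch is one reason such a policy would not take effect.

```python
import json
import re

# Constructed sample: handler-name properties taken from the post's cas.properties
CAS_PROPERTIES = """
cas.authn.ldap[0].name=LDAP
cas.authn.ldap[0].order=0
cas.authn.radius.name=Radius
cas.authn.radius.server.protocol=PAP
"""

# Constructed sample: the post's service definition with Jackson-style set wrappers
SERVICE_JSON = """
{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^(https|imaps)://.*",
  "name": "HTTPS and IMAPS",
  "id": 10000001,
  "authenticationPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
    "requiredAuthenticationHandlers": ["java.util.TreeSet", ["Radius"]],
    "excludedAuthenticationHandlers": ["java.util.TreeSet", ["LDAP"]]
  }
}
"""

# Matches "cas.authn.<anything>.name=<value>" (also the ':' separator used in the post)
NAME_RE = re.compile(r"^cas\.authn\.[\w.\[\]-]+\.name\s*[=:]\s*(.+?)\s*$")

def declared_handler_names(properties: str) -> set[str]:
    """Every cas.authn.*.name value, i.e. the handler names the properties declare."""
    return {m.group(1) for line in properties.splitlines()
            if (m := NAME_RE.match(line.strip()))}

def unwrap(value) -> set[str]:
    """Strip a ["java.util.TreeSet", [...]] wrapper; plain lists pass through."""
    if (isinstance(value, list) and len(value) == 2 and isinstance(value[0], str)
            and value[0].startswith("java.util.") and isinstance(value[1], list)):
        value = value[1]
    return set(value or [])

def check_policy(service_json: str, properties: str) -> list[str]:
    """Return the problems found; an empty list means names are consistent."""
    policy = json.loads(service_json).get("authenticationPolicy", {})
    required = unwrap(policy.get("requiredAuthenticationHandlers"))
    excluded = unwrap(policy.get("excludedAuthenticationHandlers"))
    declared = declared_handler_names(properties)
    problems = [f"handler '{n}' is referenced but no cas.authn.*.name declares it"
                for n in sorted((required | excluded) - declared)]
    problems += [f"handler '{n}' is both required and excluded"
                 for n in sorted(required & excluded)]
    return problems
```

Run it against the real cas.properties and service JSON to rule out a simple name or case mismatch before digging into handler resolution.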





--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- You received this message because you are subscribed to the Google Groups "CAS Community" group.