[cas-user] Re: Trimming username for attribute resolution

2021-09-01 Thread 'Richard Frovarp' via CAS Community
The issue is that this happens before the service release policy can trigger. 
For some reason it is going against AD with 'richard.frovarp ', which results 
in a failed AD lookup. So it can't even get the extra attributes to return.

So it appears that the result of the principal transformation isn't used in 
attribute resolution. I'm doing a lowercase transformation, which does trim. 
That is then used to do the auth, but when attribute resolution fires, it isn't 
using the transformed principal to do the lookup, and I don't see any way of 
transforming the value that is used to do the lookup. But maybe I'm missing 
something in the documentation for Person Directory.

On Tue, 2021-08-31 at 21:08 -0700, Andy Ng wrote:
Hi Richard,

I am also not aware of any native attribute trimming feature, maybe others can 
chime in on that.

However, if you think groovy can solve your issue but you don't want external 
files, you can always use inline Groovy.

Ref: 
https://apereo.github.io/cas/6.3.x/integration/Attribute-Release-Policies.html#inline-groovy-attributes

So, you can do it with something like this:


{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "sample",
  "name" : "sample",
  "id" : 300,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "uid" : "groovy { return attributes['uid'].trim() }"
    }
  }
}

This would not be the prettiest solution, but should be able to get the job 
done.

Cheers!
- Andy
On Wednesday, 1 September 2021 at 05:28:09 UTC+8 richard.frovarp wrote:
What's the way to do that? I thought I figured that out, but it turns
out I haven't. I think one of my systems is accomplishing it via JS in
the page. Another CAS instance for a different org doesn't have that JS.
Random trailing spaces are causing attribute resolution to fail. Somehow
authentication is working, despite both of them using the same LDAP/AD
filter:

sAMAccountName={user}

I can always add the JS and redeploy, but this feels like something that
should be able to be done via config file. I know you can specify an
external Groovy file for principalTransformation, but I'm not entirely
sure if that goes through attribute retrieval, and I would prefer to not
reference an external file.

Thanks,

Richard

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/cc44e33b1f5251a2e068d4bf0f1beb076f9ce764.camel%40ndsu.edu.
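
A small Python model of the mismatch described in the message above, added here as an illustration and not CAS or Person Directory code: the login is canonicalized once and the same value feeds both the authentication filter and the attribute lookup filter. Function names are hypothetical; only the filter template sAMAccountName={user} and the sample login come from the thread.

```python
import re

# RFC 4515 filter metacharacters that must be escaped in an assertion value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def canonical_username(raw: str) -> str:
    """Trim and lowercase once, at the edge; reject control characters."""
    value = raw.strip().lower()
    if not value or re.search(r"[\x00-\x1f\x7f]", value):
        raise ValueError("username is empty or contains control characters")
    return value


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, user: str) -> str:
    """Substitute {user} in a filter template such as sAMAccountName={user}."""
    return "(" + template.replace("{user}", ldap_escape(user)) + ")"


def lookup_filters(typed: str, template: str = "sAMAccountName={user}") -> dict:
    """Filters built by each stage, with and without a shared canonical id."""
    principal = canonical_username(typed)
    return {
        # Mismatch from the thread: authentication sees the transformed
        # value, attribute resolution sees what was typed.
        "auth": build_filter(template, principal),
        "attrs_raw": build_filter(template, typed),
        # Consistent ordering: both stages consume the canonical principal.
        "attrs_canonical": build_filter(template, principal),
    }


# Constructed sample input: the login from the thread with its trailing space.
SAMPLE = lookup_filters("richard.frovarp ")
```
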


[cas-user] Re: Trimming username for attribute resolution

2021-08-31 Thread Andy Ng
Hi Richard,

I am also not aware of any native attribute trimming feature, maybe others 
can chime in on that.

However, if you think groovy can solve your issue but you don't want 
external files, you can always use *inline Groovy*.

Ref: 
https://apereo.github.io/cas/6.3.x/integration/Attribute-Release-Policies.html#inline-groovy-attributes

So, you can do it with something like this:


{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "sample",
  "name" : "sample",
  "id" : 300,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "uid" : "groovy { return attributes['uid'].trim() }"
    }
  }
}

This would not be the prettiest solution, but should be able to get the job 
done.

Cheers!
- Andy
On Wednesday, 1 September 2021 at 05:28:09 UTC+8 richard.frovarp wrote:

> What's the way to do that? I thought I figured that out, but it turns 
> out I haven't. I think one of my systems is accomplishing it via JS in 
> the page. Another CAS instance for a different org doesn't have that JS. 
> Random trailing spaces are causing attribute resolution to fail. Somehow 
> authentication is working, despite both of them using the same LDAP/AD 
> filter:
>
> sAMAccountName={user}
>
> I can always add the JS and redeploy, but this feels like something that 
> should be able to be done via config file. I know you can specify an 
> external Groovy file for principalTransformation, but I'm not entirely 
> sure if that goes through attribute retrieval, and I would prefer to not 
> reference an external file.
>
> Thanks,
>
> Richard
>
>
