Just to follow up, this issue is resolved in recent RC4-SNAPSHOT. It's no longer necessary to set the following to override default mapping of cn to commonName.
cas.authn.attributeRepository.attributes.cn=cn

On Tue, Oct 04, 2016 at 01:32:22PM -1000, Baron Fujimoto wrote:
>While testing CAS 5 RC3, we discovered it was not releasing the cn
>attribute as we expected.
>
>We are authenticating via LDAP and using it as an attribute source.
>
>The following was defined in our cas.properties:
>
>cas.authn.ldap[0].principalAttributeList=cn,uhUuid
>cas.authn.attributeRepository.defaultAttributesToRelease=cn,uhUuid
>
>This is logged:
>
>DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <LDAP response: [org.ldaptive.auth.AuthenticationResponse@1770400845::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS, resolvedDn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu, ldapEntry=[dn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu[[uid[baron]], [displayName[Baron K Fujimoto]], [uhUuid[10101010]], [cn[Baron K Fujimoto]]], responseControls=null, messageId=-1], accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]>
>DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Applying password policy to [org.ldaptive.auth.AuthenticationResponse@1770400845::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS, resolvedDn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu, ldapEntry=[dn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu[[uid[baron]], [displayName[Baron K Fujimoto]], [uhUuid[10101010]], [cn[Baron K Fujimoto]]], responseControls=null, messageId=-1], accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]>
>DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Retrieved principal id attribute baron>
>DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [uid[baron]]>
>DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [uhUuid[10101010]]>
>DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [displayName[Baron K Fujimoto]]>
>DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [cn[Baron K Fujimoto]]>
>DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Created LDAP principal for id baron and 5 attributes>
>DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Final principal resolved for this authentication event is baron>
>
>DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Attribute map for baron: {commonName=Baron K Fujimoto, displayName=Baron K Fujimoto, LdapAuthenticationHandler.dn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu, uhUuid=10101010, uid=baron}>
>
>DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] - <Collected principal attributes [{commonName=Baron K Fujimoto, uid=baron, LdapAuthenticationHandler.dn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu, displayName=Baron K Fujimoto, uhUuid=10101010}] for inclusion in this result for principal [baron]>
>
>DEBUG [org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository] - <DefaultPrincipalAttributesRepository will return the collection of attributes directly associated with the principal object which are [{commonName=Baron K Fujimoto, displayName=Baron K Fujimoto, LdapAuthenticationHandler.dn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu, uhUuid=10101010, uid=baron}]>
>2016-10-03 17:37:47,729 DEBUG [org.apereo.cas.authentication.principal.cache.AbstractPrincipalAttributesRepository] - <Found [5] cached attributes for principal [baron] that are {commonName=Baron K Fujimoto, displayName=Baron K Fujimoto, LdapAuthenticationHandler.dn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu, uhUuid=10101010, uid=baron}>
>DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found principal attributes {commonName=Baron K Fujimoto, displayName=Baron K Fujimoto, LdapAuthenticationHandler.dn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu, uhUuid=10101010, uid=baron} for baron>
>DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Calling attribute policy ReturnAllowedAttributeReleasePolicy to process attributes for baron>
>DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attribute policy ReturnAllowedAttributeReleasePolicy allows release of {} for baron>
>DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Checking default attribute policy attributes>
>DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Located application context. Retrieving default attributes for release, if any>
>DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes for release are: [cn, uhUuid]>
>DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found and added default attribute for release: uhUuid>
>DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes found to be released are {uhUuid=10101010}>
>DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attempting to merge policy attributes and default attributes>
>DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding default attributes first to the released set of attributes>
>DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding policy attributes to the released set of attributes>
>DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Final collection of attributes allowed are: {uhUuid=10101010}>
>
>At this point, it seems that cn (by virtue of having been mapped to commonName?) is no longer in the set of attributes to release, and thus not released by default.
>
>My theory, based on the observed behavior where it also gets the displayName, despite it not being requested or used anywhere in my config that I can discern, and the apparent mapping of cn=commonName, is that stub defaults for Authentication Attributes described in the cas.properties documentation are still in effect despite specifying a principalAttributeList.
>
>"If no other attribute source is defined, the below attributes are used to create a static/stub attribute repository."
>
><https://apereo.github.io/cas/development/installation/Configuration-Properties.html#authentication-attributes>
>
>I've found I can work around this if I set this in cas.properties:
>
>cas.authn.attributeRepository.attributes.cn=cn
>
>This apparently overrides the default remapping of cn to commonName and thus makes it available for release.
>
>Is this the expected behavior? It seems counterintuitive to have cn remapped by default and require some sort of kludge like that if you want to release cn as an attribute. It's not explicitly stated in the docs, but I assumed that specifying .principalAttributeList would supersede stub defaults. Or am I mixing things up or approaching this the wrong way?

-- 
Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
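The log trace in the thread shows why cn disappears: the stub attribute repository renames the LDAP attribute cn to commonName before the release policy runs, and the policy then looks for a default named cn that no longer exists, so the attribute is dropped silently and any relying service expecting it gets nothing. The following is an added example, not CAS code: a small Python model of that pipeline (hypothetical function names, constructed sample entry copied from the log) with a config check that lists default-release names no resolved attribute will match.

```python
"""Model of the attribute-release pipeline seen in the CAS debug log.

Added example, not CAS code: function names are hypothetical and only
mimic the observable behaviour (repository renaming, then default/allowed merge).
"""

# Constructed sample: the LDAP entry exactly as it appears in the log.
LDAP_ENTRY = {
    "uid": "baron",
    "displayName": "Baron K Fujimoto",
    "uhUuid": "10101010",
    "cn": "Baron K Fujimoto",
}

# Stub repository mapping that the thread observed to be in effect by default.
DEFAULT_REPOSITORY_MAPPING = {"cn": "commonName"}


def resolve_principal_attributes(entry, mapping):
    """Rename LDAP attributes to principal attribute names via the repository mapping."""
    return {mapping.get(name, name): value for name, value in entry.items()}


def release_attributes(principal_attrs, policy_allowed, defaults):
    """Mimic the release policy: default attributes first, then policy attributes."""
    released = {}
    for name in defaults:  # "Adding default attributes first to the released set"
        if name in principal_attrs:
            released[name] = principal_attrs[name]
    for name in policy_allowed:  # "Adding policy attributes to the released set"
        if name in principal_attrs:
            released[name] = principal_attrs[name]
    return released


def unreleasable_defaults(entry, mapping, defaults):
    """Config check: default-release names that no resolved attribute will ever match."""
    resolved = resolve_principal_attributes(entry, mapping)
    return sorted(set(defaults) - set(resolved))


if __name__ == "__main__":
    defaults = ["cn", "uhUuid"]  # defaultAttributesToRelease from the thread
    attrs = resolve_principal_attributes(LDAP_ENTRY, DEFAULT_REPOSITORY_MAPPING)
    print(release_attributes(attrs, [], defaults))  # {'uhUuid': '10101010'}
    print(unreleasable_defaults(LDAP_ENTRY, DEFAULT_REPOSITORY_MAPPING, defaults))  # ['cn']
    # The workaround from the thread (attributes.cn=cn): map cn to itself.
    fixed = resolve_principal_attributes(LDAP_ENTRY, {"cn": "cn"})
    print(release_attributes(fixed, [], defaults))  # {'cn': 'Baron K Fujimoto', 'uhUuid': '10101010'}
```

Running the check against the attribute names your services actually consume is a cheap way to catch a renamed or misspelled attribute before a release policy quietly omits it.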