Re: [cas-user] CAS 5: Changing the principal resolver in application.properties

2016-10-18 Thread Misagh Moayyed
Turn this back on: 

cas.authn.ldap[0].principalAttributeId=sAMAccountName 

Or blank it out. 

If that doesn't work, you are welcome to file an issue. 


-- 
CAS gitter chatroom: https://gitter.im/apereo/cas 
CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html 
CAS documentation website: https://apereo.github.io/cas 
CAS project website: https://github.com/apereo/cas 
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group. 
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org . 
To post to this group, send email to cas-user@apereo.org . 
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/ . 
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6777bcc2-4218-4c51-8b04-44d26a39f1c7%40apereo.org
 . 
For more options, visit https://groups.google.com/a/apereo.org/d/optout . 
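A small check for the configuration pattern discussed in this thread, added here as an example that is not code from the thread or from the CAS project: it reads an application.properties and flags an absent cas.authn.ldap[0].principalAttributeId (the handler then required uid, per the "id attribute uid is not found" error in the log) or one that is set next to cas.authn.attributeRepository.* sources (the JDBC attributes are then not merged, per Misagh's explanation). The sample properties, the ldapUrl and the JDBC url are constructed, and the two rules are inferred from this thread rather than from CAS source.

```python
import re

# Constructed sample (not the poster's file): the thread's properties with
# principalAttributeId commented out, as in the failing attempt.
SAMPLE_PROPERTIES = """\
# cas.authn.ldap[0].principalAttributeId=sAMAccountName
# cas.authn.ldap[0].principalAttributePassword=
cas.authn.ldap[0].ldapUrl=ldap://ldap.example.invalid
cas.personDirectory.principalAttribute = sAMAccountName
cas.authn.attributeRepository.attributes.uid=sAMAccountName
cas.authn.attributeRepository.jdbc.url=jdbc:hsqldb:mem:cas
"""

def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comment lines, key=value or
    key: value, whitespace around the separator ignored, no continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def ldap_handler_indexes(props):
    """Indexes i for which at least one cas.authn.ldap[i].* key is present."""
    found = set()
    for key in props:
        m = re.match(r"cas\.authn\.ldap\[(\d+)\]\.", key)
        if m:
            found.add(int(m.group(1)))
    return sorted(found)

def lint_principal_resolution(props):
    """Findings encoding the two behaviours described in the thread (inferred, not from CAS source)."""
    findings = []
    has_repo = any(k.startswith("cas.authn.attributeRepository.") for k in props)
    for i in ldap_handler_indexes(props):
        pid_key = f"cas.authn.ldap[{i}].principalAttributeId"
        pid = props.get(pid_key)
        if pid is None:
            # Commented out: handler fell back to 'uid' ("id attribute uid is not found" in the log above).
            findings.append(f"{pid_key} absent: LDAP handler will require a 'uid' attribute")
        elif pid and has_repo:
            # Set beside repository sources: LDAP handler supplies attributes, JDBC resolvers are skipped.
            findings.append(f"{pid_key}={pid} with attributeRepository sources: JDBC attributes not merged")
    return findings
```

An explicitly blank value (the "blank it out" option above) produces no finding, since the thread proposes it but does not report its outcome.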


Re: [cas-user] CAS 5: Changing the principal resolver in application.properties

2016-10-18 Thread Erdal Gunyar
Thanks, I think I see better the logic; but I've just tried and if I 
comment the attribute part of the LDAP authentication it fails to 
authenticate:

> 2016-10-18 16:27:33,579 DEBUG 
> [org.apereo.cas.authentication.LdapAuthenticationHandler] -  LDAP authentication for egunyar>
> 2016-10-18 16:27:33,607 DEBUG 
> [org.apereo.cas.authentication.LdapAuthenticationHandler] -  [org.ldaptive.auth.AuthenticationResponse@2012506855::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS,
>  
> resolvedDn=egunyar@COMPANY.LOCAL, ldapEntry=[dn=CN=GUNYAR 
> Erdal,OU=France,OU=COMPANY Users,DC=COMPANY,DC=LOCAL[[displayName[GUNYAR 
> Erdal]], [cn[GUNYAR Erdal]]], responseControls=null, messageId=-1], 
> accountState=null, result=true, resultCode=SUCCESS, message=null, 
> controls=null]>
> 2016-10-18 16:27:33,611 DEBUG 
> [org.apereo.cas.authentication.LdapAuthenticationHandler] -  password policy to 
> [org.ldaptive.auth.AuthenticationResponse@2012506855::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS,
>  
> resolvedDn=egunyar@COMPANY.LOCAL, ldapEntry=[dn=CN=GUNYAR 
> Erdal,OU=France,OU=COMPANY Users,DC=COMPANY,DC=LOCAL[[displayName[GUNYAR 
> Erdal]], [cn[GUNYAR Erdal]]], responseControls=null, messageId=-1], 
> accountState=null, result=true, resultCode=SUCCESS, message=null, 
> controls=null]>
> 2016-10-18 16:27:33,612 DEBUG 
> [org.apereo.cas.authentication.support.DefaultAccountStateHandler] - 
> 
> 2016-10-18 16:27:33,613 DEBUG 
> [org.apereo.cas.authentication.LdapAuthenticationHandler] -  returned as result. Creating the final LDAP principal>
> 2016-10-18 16:27:33,614 DEBUG 
> [org.apereo.cas.authentication.LdapAuthenticationHandler] -  principal for egunyar based on CN=GUNYAR Erdal,OU=France,OU=COMPANY 
> Users,DC=COMPANY,DC=LOCAL>
> 2016-10-18 16:27:33,615 ERROR 
> [org.apereo.cas.authentication.LdapAuthenticationHandler] -  id attribute uid is not found. CAS cannot construct the final authenticated 
> principal if it's unable to locate the attribute that is designated as the 
> principal id. Attributes available are [[displayName[GUNYAR Erdal]], 
> [cn[GUNYAR Erdal]]]>
> 2016-10-18 16:27:33,618 INFO 
> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
> 
> 2016-10-18 16:27:33,618 DEBUG 
> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
>  egunyar>
> 2016-10-18 16:27:33,620 WARN 
> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
>  authentication handler that supports [egunyar] of type 
> [UsernamePasswordCredential], which suggests a configuration problem.>
> 2016-10-18 16:27:33,622 DEBUG 
> [org.apereo.cas.audit.spi.ThreadLocalPrincipalResolver] -  principal at audit point [execution(Authentication 
> org.apereo.cas.authentication.AbstractAuthenticationManager.authenticate(AuthenticationTransaction))]
>  
> with thrown exception 
> [org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 
> successes]>


The configuration being:

cas.authn.ldap[0].* ... 

# Except those which are commented:

# cas.authn.ldap[0].principalAttributeId=sAMAccountName
# cas.authn.ldap[0].principalAttributePassword=
# cas.authn.ldap[0].principalAttributeList=


cas.personDirectory.principalAttribute=sAMAccountName
cas.personDirectory.returnNull=false

cas.authn.attributeRepository.attributes.uid=sAMAccountName
cas.authn.attributeRepository.attributes.displayName=displayName
cas.authn.attributeRepository.attributes.cn=cn
cas.authn.attributeRepository.attributes.affiliation=department


cas.authn.attributeRepository.jdbc.* ...



Note that if I put back principalAttributeId, then the resolver will be the 
default LDAP stuff like the previous posts.

What could I be doing wrong? :/
Maybe in the way I try to nuke the default LDAP resolver?

Erdal.


Le mardi 18 octobre 2016 14:06:01 UTC+2, Misagh Moayyed a écrit :
>
> As I said earlier, this works for the LDAP attributes but doesn't merge 
> with the JDBC ones (no query sent).
>
> See this section: 
> https://apereo.github.io/cas/development/installation/Configuration-Properties.html#authentication-attributes
>  
>
> > If no other attribute source is defined and if attributes are not 
> retrieved as part of primary authentication via LDAP….
>
> You are doing that; which is that you are getting attributes from LDAP as 
> part of authn. When you do, CAS disables external principal resolvers 
> because it is taught that attributes come from ldap directly. If you wish 
> to merge multiple sources, you need to disable that part and nuke out the 
> attributes and define attribute repository sources for each source via the 
> properties. That will activate merging.
>
> I can open an issue, I don't know what's the best process.
>
> https://github.com/apereo/cas/issues 
>
> Might be worth introducing flexibility into the configuration to allow 
> what you have defined. 
>
>
>


Re: [cas-user] CAS 5: Changing the principal resolver in application.properties

2016-10-18 Thread Misagh Moayyed
As I said earlier, this works for the LDAP attributes but doesn't merge with 
the JDBC ones (no query sent).
See this section: 
https://apereo.github.io/cas/development/installation/Configuration-Properties.html#authentication-attributes
 

> If no other attribute source is defined and if attributes are not retrieved 
> as part of primary authentication via LDAP….

You are doing that; which is that you are getting attributes from LDAP as part 
of authn. When you do, CAS disables external principal resolvers because it is 
taught that attributes come from ldap directly. If you wish to merge multiple 
sources, you need to disable that part and nuke out the attributes and define 
attribute repository sources for each source via the properties. That will 
activate merging.

I can open an issue, I don't know what's the best process.
https://github.com/apereo/cas/issues 

Might be worth introducing flexibility into the configuration to allow what you 
have defined. 


