6.1.0 RC6 Attribute Values being doubled when surrogacy is enabled


Robert Bond

Oct 7, 2019, 4:10:21 PM
to CAS Community
Running into an odd doubling of attribute values when surrogate access is enabled.
On CAS 6.1.0 RC6


Here is my Surrogate config, Active Directory Auth config, and Attribute repository:

# Surrogate config 
cas.authn.surrogate.separator=+
cas.authn.surrogate.json.location=file:/etc/cas/config/surrogates.json

# set some properties we can re-use in authn and attributeRepository configuration
ldap-url=         ldaps://ad01.example.edu:636
ldap-binddn=      cn=logon_ldap_user,ou=Application Users,ou=All_Users,dc=example,dc=edu
ldap-bindpw=      examplePass
ldap-auth-type=   DIRECT
ldap-basedn=      ou=All_Users,dc=example,dc=edu
ldap-dnformat=    cn=%s,ou=All_Users,dc=example,dc=edu
ldap-user-filter= (cn={user})
ldap-max-pool-size=20
ldap-tls=false
ldap-ssl=true
# configure ldap authentication
cas.authn.ldap[0].trustCertificates=file:/etc/cas/trustedexamplecert.der
cas.authn.ldap[0].base-dn=${ldap-basedn}
cas.authn.ldap[0].bind-credential=${ldap-bindpw}
cas.authn.ldap[0].bind-dn=${ldap-binddn}
cas.authn.ldap[0].dn-format=${ldap-dnformat}
cas.authn.ldap[0].ldap-url=${ldap-url}
cas.authn.ldap[0].max-pool-size=${ldap-max-pool-size}
cas.authn.ldap[0].min-pool-size=0
cas.authn.ldap[0].subtree-search=true
cas.authn.ldap[0].type=${ldap-auth-type}
cas.authn.ldap[0].searchFilter=${ldap-user-filter}
cas.authn.ldap[0].use-ssl=${ldap-ssl}
cas.authn.ldap[0].use-start-tls=${ldap-tls}

# configure ldap attribute repository
cas.authn.attributeRepository.ldap[0].trustCertificates=file:/etc/cas/trustedexamplecert.der
cas.authn.attributeRepository.ldap[0].ldapUrl=${ldap-url}
cas.authn.attributeRepository.ldap[0].order=0
cas.authn.attributeRepository.ldap[0].useSsl=${ldap-ssl}
cas.authn.attributeRepository.ldap[0].useStartTls=${ldap-tls}
cas.authn.attributeRepository.ldap[0].baseDn=${ldap-basedn}
cas.authn.attributeRepository.ldap[0].searchFilter=${ldap-user-filter}
cas.authn.attributeRepository.ldap[0].subtreeSearch=true
cas.authn.attributeRepository.ldap[0].bindDn=${ldap-binddn}
cas.authn.attributeRepository.ldap[0].bindCredential=${ldap-bindpw}
cas.authn.attributeRepository.ldap[0].minPoolSize=0
cas.authn.attributeRepository.ldap[0].maxPoolSize=${ldap-max-pool-size}
cas.authn.attributeRepository.ldap[0].validateOnCheckout=true

# configure validator for attribute repository
cas.authn.attributeRepository.ldap[0].validator.type=SEARCH
cas.authn.attributeRepository.ldap[0].validator.baseDn=${ldap-basedn}
cas.authn.attributeRepository.ldap[0].validator.searchFilter=(objectClass=*)
cas.authn.attributeRepository.ldap[0].validator.scope=OBJECT
cas.authn.attributeRepository.ldap[0].validator.attributeName=objectClass
cas.authn.attributeRepository.ldap[0].validator.attributeValues=top

# Get AD attributes
cas.authn.attributeRepository.ldap[0].attributes.sAMAccountName=samAccountName
cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
# note: the same key is set twice below; in a .properties file only the last value is kept
cas.authn.attributeRepository.ldap[0].attributes.mail=email
cas.authn.attributeRepository.ldap[0].attributes.mail=emailAddress
cas.authn.attributeRepository.ldap[0].attributes.givenName=givenName
cas.authn.attributeRepository.ldap[0].attributes.sn=surname
cas.authn.attributeRepository.ldap[0].attributes.cn=commonName
cas.authn.attributeRepository.ldap[0].attributes.memberOf=memberOf


When the surrogacy dependency is added to build.gradle, the attributeRepository returns doubled values for the attributes. See the example attributes below:

cn [BONDR, BONDR]
displayName [Robert Bond, Robert Bond]
distinguishedName [CN=BONDR,OU=NSU,OU=All_Users,DC=example,DC=edu, CN=BONDR,OU=All_Users,DC=example,DC=edu]


Any thoughts? When I remove the surrogate dependency from build.gradle it returns the attributes correctly, e.g. cn [BONDR]


Thanks!
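To tell one result counted twice apart from two different LDAP results being merged, here is an added example (not code from the thread or from CAS) that parses attribute lines in the shape printed above, such as "cn [BONDR, BONDR]", and classifies each multi-valued attribute as an exact repeat or as genuinely divergent values. The sample dump is constructed from the values posted above plus one single-valued mail line; the distinguishedName line is the interesting one, since its two DNs differ.

```python
"""Spot doubled attribute values in a CAS principal attribute dump.

Added example, not code from the thread or from CAS. It parses lines in the
shape "cn [BONDR, BONDR]" and separates attributes whose values are exact
repeats from attributes whose values actually differ. Two different DNs for
the same user point at two different LDAP results being merged, not at one
result counted twice. The sample dump is constructed from the values above.
"""
import re
from collections import Counter

# Constructed sample: three lines copied from the post plus one single-valued line.
SAMPLE_DUMP = """\
cn [BONDR, BONDR]
displayName [Robert Bond, Robert Bond]
distinguishedName [CN=BONDR,OU=NSU,OU=All_Users,DC=example,DC=edu, CN=BONDR,OU=All_Users,DC=example,DC=edu]
mail [bondr@example.edu]
"""

# "<name> [<v1>, <v2>, ...]"; values are split on ", " so that the commas
# inside a DN (which have no space after them) stay inside one value.
LINE_RE = re.compile(r"^\s*(?P<name>\S+)\s+\[(?P<values>.*)\]\s*$")


def parse_dump(text):
    """Return {attribute: [values]} from 'name [v1, v2]' lines; other lines are skipped."""
    attrs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("values").strip()
        attrs[m.group("name")] = [v.strip() for v in raw.split(", ")] if raw else []
    return attrs


def classify(attrs):
    """Split multi-valued attributes into exact repeats and divergent values.

    Returns (repeated, divergent):
      repeated  {name: value}    every value is the same single value
      divergent {name: [values]} two or more distinct values were merged
    """
    repeated, divergent = {}, {}
    for name, values in attrs.items():
        if len(values) < 2:
            continue
        distinct = Counter(values)
        if len(distinct) == 1:
            repeated[name] = values[0]
        else:
            divergent[name] = sorted(distinct)
    return repeated, divergent


def dedupe(attrs):
    """Collapse exact repeats in order of first appearance (giving "cn [BONDR]" again);
    genuinely different values are kept so a reviewer can see the merge."""
    return {name: list(dict.fromkeys(values)) for name, values in attrs.items()}


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    repeated, divergent = classify(parsed)
    for name, value in repeated.items():
        print(f"repeated : {name} -> {value!r}")
    for name, values in divergent.items():
        print(f"divergent: {name} -> {values}")
    print("deduplicated:", dedupe(parsed))
```

Run it against a pasted attribute dump instead of SAMPLE_DUMP; a divergent entry such as distinguishedName is the one worth chasing in the LDAP configuration, because collapsing it would hide that two entries were matched.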

Ray Bon

Oct 7, 2019, 5:39:19 PM
to cas-...@apereo.org
Robert,

Is login failing? Any error messages?

Could it be that the second entry is the surrogate, and if no surrogate is supplied in the login form, then the same subject exists for both [that is, for the surrogate plugin, an array is required]?

Ray
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Robert Bond

Oct 8, 2019, 9:41:13 AM
to CAS Community
No error messages on login. I do not think that this is expected behavior. When logging in as a surrogate it does not have duplicated values for the properties.
See example below:
   cn [bansecr_bondr] 

The service registries do not handle duplicated values like the "cn [BONDR, BONDR]" that I am getting when I do not use surrogate access.
I have 5 surrogates configured for my account inside the JSON file. When I disable surrogate access completely and remove the build.gradle dependency:
    compile "org.apereo.cas:cas-server-support-surrogate-webflow:${project.'cas.version'}"
CAS then returns the attributes correctly as "cn [BONDR]"

I think this is a bug. Any thoughts on how to better document and report it?
Or maybe I have something wrong with my Active Directory LDAP attributeRepository config in cas.


Thanks!

Ray Bon

Oct 8, 2019, 12:14:06 PM
to cas-...@apereo.org
Surrogates is on my todo list. Hopefully someone else with more experience will chime in.

Ray

Robert Bond

Oct 8, 2019, 1:21:25 PM
to CAS Community
I changed my LDAP Active Directory config, removed the attribute repository settings, and changed the type to AUTHENTICATED.

The below config seems to be working well for me while using surrogacy with LDAPS Active Directory:

# set some properties we can re-use in authn and attributeRepository configuration
ldap-url=         ldaps://ad01.example.edu:636
ldap-binddn=      cn=logon_ldap_user,ou=Application Users,ou=All_Users,dc=example,dc=edu
ldap-bindpw=      asdfasdfasdfasdfasdf
ldap-auth-type=   AUTHENTICATED
ldap-basedn=      ou=All_Users,dc=example,dc=edu
ldap-user-filter= (cn={user})
ldap-max-pool-size=20
ldap-tls=false
ldap-ssl=true

# configure ldap authentication
cas.authn.ldap[0].trustCertificates=file:/etc/cas/trustedexamplecert.der
cas.authn.ldap[0].base-dn=${ldap-basedn}
cas.authn.ldap[0].bind-credential=${ldap-bindpw}
cas.authn.ldap[0].bind-dn=${ldap-binddn}
cas.authn.ldap[0].ldap-url=${ldap-url}
cas.authn.ldap[0].max-pool-size=${ldap-max-pool-size}
cas.authn.ldap[0].min-pool-size=0
cas.authn.ldap[0].type=${ldap-auth-type}
cas.authn.ldap[0].searchFilter=${ldap-user-filter}
cas.authn.ldap[0].use-ssl=${ldap-ssl}
cas.authn.ldap[0].use-start-tls=${ldap-tls}
# list of attributes to be collected and mapped
cas.authn.ldap[0].principalAttributeList=cn:commonName,sn:surname,displayName:displayName,mail:email,givenName,memberOf,samAccountName,mail:emailAddress,samAccountName



I had trouble getting surrogacy to work on previous versions with anything but the JSON file method, which works for our current purposes.

Thanks,
Robert Bond.
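The two ways of mapping LDAP attributes in this thread (the attributeRepository "attributes.<ldap>=<cas>" properties in the first post, and the principalAttributeList above) differ in one practical way: a list can name the same LDAP attribute twice with different CAS names, while a .properties file keeps only the last value for a repeated key. The following is an added example (not code from the thread or from CAS) that parses the principalAttributeList above, reports repeated entries and LDAP attributes mapped to more than one CAS name, and shows which mapping would be lost if the same list were rewritten as repository properties. Reading "ldapAttr:casAttr" with a bare name meaning name:name is an assumption about the list syntax.

```python
"""Check a CAS LDAP attribute mapping for duplicate and overridden entries.

Added example, not code from the thread or from CAS. It reads the
principalAttributeList posted above in the "ldapAttr:casAttr" form (a bare
name maps to itself; that reading of the syntax is an assumption here),
reports entries that repeat and LDAP attributes that feed more than one CAS
attribute, and then renders the same mapping as attributeRepository
"attributes.<ldap>=<cas>" properties, where a repeated key keeps only its
last value, so mail=email followed by mail=emailAddress drops "email".
"""
from collections import Counter

# The list posted above, unchanged.
PRINCIPAL_ATTRIBUTE_LIST = (
    "cn:commonName,sn:surname,displayName:displayName,mail:email,givenName,"
    "memberOf,samAccountName,mail:emailAddress,samAccountName"
)
REPO_PREFIX = "cas.authn.attributeRepository.ldap[0].attributes."


def parse_principal_attribute_list(spec):
    """Return [(ldap_attr, cas_attr)] in list order; 'name' alone means name:name."""
    pairs = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        ldap_attr, _, cas_attr = item.partition(":")
        pairs.append((ldap_attr.strip(), cas_attr.strip() or ldap_attr.strip()))
    return pairs


def find_duplicates(pairs):
    """Return (repeated_pairs, multi_target).

    repeated_pairs: identical entries listed more than once (harmless but noisy)
    multi_target:   {ldap_attr: [cas_attr, ...]} for LDAP attributes that are
                    mapped to several CAS attribute names on purpose
    """
    repeated = sorted(pair for pair, n in Counter(pairs).items() if n > 1)
    targets = {}
    for ldap_attr, cas_attr in pairs:
        targets.setdefault(ldap_attr, [])
        if cas_attr not in targets[ldap_attr]:
            targets[ldap_attr].append(cas_attr)
    multi_target = {k: v for k, v in targets.items() if len(v) > 1}
    return repeated, multi_target


def to_repository_properties(pairs, prefix=REPO_PREFIX):
    """Render the pairs as attributeRepository properties.

    Returns (lines, overridden): the key=value lines a properties file would
    effectively contain (last value wins), and the LDAP attributes whose
    earlier mapping is lost because the key appeared again with another value.
    """
    effective, overridden = {}, []
    for ldap_attr, cas_attr in pairs:
        previous = effective.get(ldap_attr)
        if previous is not None and previous != cas_attr and ldap_attr not in overridden:
            overridden.append(ldap_attr)
        effective[ldap_attr] = cas_attr
    lines = [f"{prefix}{k}={v}" for k, v in effective.items()]
    return lines, overridden


if __name__ == "__main__":
    pairs = parse_principal_attribute_list(PRINCIPAL_ATTRIBUTE_LIST)
    repeated, multi_target = find_duplicates(pairs)
    print("repeated entries :", repeated)
    print("multi-target     :", multi_target)
    lines, overridden = to_repository_properties(pairs)
    print("\n".join(lines))
    print("overridden keys  :", overridden)
```

On the list above this reports samAccountName as a repeated entry and mail as mapped to both email and emailAddress; rendered as repository properties, the mail key is overridden and only emailAddress survives, which is exactly what the duplicated mail lines in the first post would do.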

Michael Daley

Apr 6, 2020, 2:11:59 PM
to CAS Community
Robert, 

I'm running 6.1.5 and when I try this config for my surrogate authentication, no attributes get resolved for the surrogate (attributes were 'map[[empty]]').  I've found that I need to add a separate attribute repository for the same ldap in order to pull in any attributes for the surrogate.  Can you confirm if your configuration still works for you?

# This config will resolve the memberOf attribute successfully for surrogates and traditional logins.
cas.authn.ldap[0].principalAttributeList=memberOf
cas.authn.attribute-repository.ldap[0].attributes.memberOf=memberOf

The interesting part is that I do not receive doubled-up attributes using this config.

Any help would be appreciated.