Bill,
In `cas.properties`, in your LDAP section, you want a property like this:
cas.authn.ldap[0].principalAttributeList=uid,givenName,sn:surname,mail:email,memberOf
That says that the principal that is authenticated should get the above list of LDAP attributes. For the ones that have 2 items separated by a colon, that is just a rename from the LDAP attribute to the name that will be exposed via CAS.
In your service file for an individual service, you specify what attributes from the above list you want to release. The following sections from a service file are an example:
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
"attributeFilter" : {
"@class": "org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter",
"patterns": {
"@class" : "java.util.HashMap",
"memberOf": "cn=administrators,ou=groups,dc=example,dc=org"
},
"excludeUnmappedAttributes": false,
"completeMatch": false,
"order": 0
},
"allowedAttributes" : [ "java.util.ArrayList",
[
"uid",
"memberOf",
"email",
"givenName",
"surname"
]
]
},
The "attributeReleasePolicy" is used to filer the "memberOf" attribute down to a specific value (because he attribute is multi-valued, and you usually only want to release only one or a few of the values to a service). The "allowedAttributes" section specifies what attributes from the principal will be released at all.
Thanks,
Carl Waldbieser
ITS Identity Management
Lafayette College
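As an added illustration (not from Carl's message and not CAS code), here is a small Python model of the two steps above: the principal attribute map built from `principalAttributeList` with its colon renames, then the mapped regex filter and the allowed-attribute list applied to it. The filter semantics (`completeMatch`, `excludeUnmappedAttributes`, dropping an attribute whose values all fail the pattern) are my reading of the CAS behaviour, and the LDAP data is constructed.

```python
import re

# Constructed sample of what LDAP returns for one principal (not real data).
# memberOf is multi-valued, which is why the release policy filters it.
LDAP_ATTRS = {
    "uid": ["bill"],
    "givenName": ["Bill"],
    "sn": ["Example"],
    "mail": ["bill@example.org"],
    "memberOf": ["cn=administrators,ou=groups,dc=example,dc=org",
                 "cn=staff,ou=groups,dc=example,dc=org"],
    "telephoneNumber": ["555-0100"],   # fetched by LDAP, never listed in CAS
}


def parse_principal_attribute_list(spec):
    """Turn 'uid,sn:surname,...' into {ldap_name: cas_name}; 'a:b' renames a to b."""
    mapping = {}
    for item in spec.split(","):
        ldap_name, _, cas_name = item.strip().partition(":")
        mapping[ldap_name] = cas_name or ldap_name
    return mapping


def resolve_principal(ldap_attrs, spec):
    """Principal attributes: only those in the list, renamed where requested."""
    mapping = parse_principal_attribute_list(spec)
    return {cas: list(ldap_attrs[ldap])
            for ldap, cas in mapping.items() if ldap in ldap_attrs}


def mapped_regex_filter(attrs, patterns, complete_match=False,
                        exclude_unmapped=False):
    """Model of RegisteredServiceMappedRegexAttributeFilter (my reading of it):
    attributes with a pattern keep only matching values and are dropped when
    nothing matches; attributes without a pattern pass through unless
    exclude_unmapped is set."""
    out = {}
    for name, values in attrs.items():
        if name not in patterns:
            if not exclude_unmapped:
                out[name] = list(values)
            continue
        regex = re.compile(patterns[name])
        match = regex.fullmatch if complete_match else regex.search
        kept = [v for v in values if match(v)]
        if kept:
            out[name] = kept
    return out


def release(attrs, allowed, patterns, **filter_opts):
    """Apply the attribute filter, then keep only the allowedAttributes."""
    filtered = mapped_regex_filter(attrs, patterns, **filter_opts)
    return {k: v for k, v in filtered.items() if k in allowed}
```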
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ac28e9bc-9bdf-4d1d-9d59-d99ad23d2dc9%40apereo.org.