CAS 5 RC3: not releasing cn


Baron Fujimoto

Oct 4, 2016, 7:32:39 PM
to CAS Users
While testing CAS 5 RC3, we discovered it was not releasing the cn
attribute as we expected.

We are authenticating via LDAP and using it as an attribute source.

The following was defined in our cas.properties:

cas.authn.ldap[0].principalAttributeList=cn,uhUuid
cas.authn.attributeRepository.defaultAttributesToRelease=cn,uhUuid

This is logged:

DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <LDAP response: [org.ldaptive.auth.AuthenticationResponse@1770400845::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS, resolvedDn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu, ldapEntry=[dn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu[[uid[baron]], [displayName[Baron K Fujimoto]], [uhUuid[10101010]], [cn[Baron K Fujimoto]]], responseControls=null, messageId=-1], accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]>
DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Applying password policy to [org.ldaptive.auth.AuthenticationResponse@1770400845::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS, resolvedDn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu, ldapEntry=[dn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu[[uid[baron]], [displayName[Baron K Fujimoto]], [uhUuid[10101010]], [cn[Baron K Fujimoto]]], responseControls=null, messageId=-1], accountState=null, result=true, resultCode=SUCCESS, message=null, controls=null]>
DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Retrieved principal id attribute baron>
DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [uid[baron]]>
DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [uhUuid[10101010]]>
DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [displayName[Baron K Fujimoto]]>
DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [cn[Baron K Fujimoto]]>
DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Created LDAP principal for id baron and 5 attributes>
DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Final principal resolved for this authentication event is baron>

DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Attribute map for baron: {commonName=Baron K Fujimoto, displayName=Baron K Fujimoto, LdapAuthenticationHandler.dn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu, uhUuid=10101010, uid=baron}>

DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] - <Collected principal attributes [{commonName=Baron K Fujimoto, uid=baron, LdapAuthenticationHandler.dn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu, displayName=Baron K Fujimoto, uhUuid=10101010}] for inclusion in this result for principal [baron]>

DEBUG [org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository] - <DefaultPrincipalAttributesRepository will return the collection of attributes directly associated with the principal object which are [{commonName=Baron K Fujimoto, displayName=Baron K Fujimoto, LdapAuthenticationHandler.dn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu, uhUuid=10101010, uid=baron}]>
2016-10-03 17:37:47,729 DEBUG [org.apereo.cas.authentication.principal.cache.AbstractPrincipalAttributesRepository] - <Found [5] cached attributes for principal [baron] that are {commonName=Baron K Fujimoto, displayName=Baron K Fujimoto, LdapAuthenticationHandler.dn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu, uhUuid=10101010, uid=baron}>
DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found principal attributes {commonName=Baron K Fujimoto, displayName=Baron K Fujimoto, LdapAuthenticationHandler.dn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu, uhUuid=10101010, uid=baron} for baron>
DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Calling attribute policy ReturnAllowedAttributeReleasePolicy to process attributes for baron>
DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attribute policy ReturnAllowedAttributeReleasePolicy allows release of {} for baron>
DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Checking default attribute policy attributes>
DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Located application context. Retrieving default attributes for release, if any>
DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes for release are: [cn, uhUuid]>
DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found and added default attribute for release: uhUuid>
DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes found to be released are {uhUuid=10101010}>
DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attempting to merge policy attributes and default attributes>
DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding default attributes first to the released set of attributes>
DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding policy attributes to the released set of attributes>
DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Final collection of attributes allowed are: {uhUuid=10101010}>

At this point, it seems that cn (by virtue of having been mapped to
commonName?) is no longer in the set of attributes to release, and thus not
released by default.

My theory, based on the observed behavior where it also gets the
displayName, despite it not being requested or used anywhere in my config
that I can discern, and the apparent mapping of cn=commonName, is that stub
defaults for Authentication Attributes described in the cas.properties
documentation are still in effect despite specifying a
principalAttributeList.

"If no other attribute source is defined, the below attributes are used
to create a static/stub attribute repository."

<https://apereo.github.io/cas/development/installation/Configuration-Properties.html#authentication-attributes>

I've found I can work around this if I set this in cas.properties

cas.authn.attributeRepository.attributes.cn=cn

This apparently overrides the default remapping of cn to commonName and
thus makes it available for release.

Is this the expected behavior? It seems counterintuitive to have cn
remapped by default and require some sort of kludge like that if you want
to release cn as an attribute. It's not explicitly stated in the docs, but
I assumed that specifying .principalAttributeList would supersede stub
defaults. Or am I mixing things up or approaching this the wrong way?

-baron
--
Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
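The behaviour Baron describes can be checked mechanically from the DEBUG output. The script below is an added example, not CAS code and not part of the original post: it models the two steps visible in the logs (the stub attribute repository renaming cn to commonName, then the release policy keeping only default-release names that actually exist in the principal's attribute map), and it parses the "Attribute map for <user>" line to report which configured defaultAttributesToRelease entries never reach the policy. The LDAP entry, the mapping tables and the log line are constructed from the values quoted above; the "{cn: cn}" mapping is a model of what cas.authn.attributeRepository.attributes.cn=cn does in the workaround, not the property itself.

```python
"""Model of the cn -> commonName mapping and default-attribute release seen in
the thread, plus a log check for configured-but-unreleased attributes.

Added example; the mapping/release logic is a simplified model of what the
DEBUG lines show, not the CAS implementation.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the LdapAuthenticationHandler lines in the post.
LDAP_ENTRY: Dict[str, str] = {
    "uid": "baron",
    "displayName": "Baron K Fujimoto",
    "uhUuid": "10101010",
    "cn": "Baron K Fujimoto",
}

# cas.authn.attributeRepository.defaultAttributesToRelease=cn,uhUuid
DEFAULTS_TO_RELEASE: List[str] = ["cn", "uhUuid"]

# Model of the stub repository mapping observed in the logs (cn -> commonName).
# Attributes not listed pass through under their LDAP name.
STUB_ATTRIBUTE_MAP: Dict[str, str] = {"cn": "commonName"}

# Model of the workaround cas.authn.attributeRepository.attributes.cn=cn:
# cn maps to itself, so the stub rename no longer applies.
OVERRIDE_ATTRIBUTE_MAP: Dict[str, str] = {"cn": "cn"}

# Log line copied from the post (whitespace only).
LOG_LINE = (
    "DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - "
    "<Attribute map for baron: {commonName=Baron K Fujimoto, "
    "displayName=Baron K Fujimoto, "
    "LdapAuthenticationHandler.dn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu, "
    "uhUuid=10101010, uid=baron}>"
)


def map_attributes(entry: Dict[str, str], attribute_map: Dict[str, str]) -> Dict[str, str]:
    """Rename LDAP attributes the way the attribute repository did in the logs."""
    return {attribute_map.get(name, name): value for name, value in entry.items()}


def release_defaults(principal_attrs: Dict[str, str], defaults: List[str]) -> Dict[str, str]:
    """Model of the 'Checking default attribute policy attributes' step:
    a default is released only if a principal attribute with that exact name exists."""
    return {name: principal_attrs[name] for name in defaults if name in principal_attrs}


# Java Map.toString() output: {k=v, k=v, ...}; values may themselves contain '='
# and commas without a following space (the DN), so split on ', ' and on the
# first '=' only.
_ATTR_MAP_RE = re.compile(r"<Attribute map for (?P<user>[^:]+): \{(?P<body>.*)\}>")


def parse_attribute_map_log(line: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Parse a PolicyBasedAuthenticationManager 'Attribute map' DEBUG line."""
    match = _ATTR_MAP_RE.search(line)
    if match is None:
        return None
    attrs: Dict[str, str] = {}
    body = match.group("body")
    if body:
        for pair in body.split(", "):
            key, _, value = pair.partition("=")
            attrs[key] = value
    return match.group("user"), attrs


def missing_release_attributes(line: str, defaults: List[str]) -> List[str]:
    """Names in defaultAttributesToRelease that do not appear in the principal's
    attribute map; these will silently be dropped by the release policy."""
    parsed = parse_attribute_map_log(line)
    if parsed is None:
        raise ValueError("not an 'Attribute map for' log line")
    _, attrs = parsed
    return [name for name in defaults if name not in attrs]


if __name__ == "__main__":
    stub = map_attributes(LDAP_ENTRY, STUB_ATTRIBUTE_MAP)
    print("stub mapping releases:", release_defaults(stub, DEFAULTS_TO_RELEASE))
    fixed = map_attributes(LDAP_ENTRY, OVERRIDE_ATTRIBUTE_MAP)
    print("override releases:   ", release_defaults(fixed, DEFAULTS_TO_RELEASE))
    print("configured but absent:", missing_release_attributes(LOG_LINE, DEFAULTS_TO_RELEASE))
```

Running it against the quoted log line reports cn as configured but absent, which is the fastest way to tell a mapping problem (the attribute exists under another name) from an LDAP problem (the attribute was never fetched at all): in the former case the renamed value is still visible in the parsed map.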

Baron Fujimoto

Oct 13, 2016, 6:57:22 PM
to CAS Users
Just to follow up, this issue is resolved in recent RC4-SNAPSHOT.

It's no longer necessary to set the following to override default
mapping of cn to commonName.

cas.authn.attributeRepository.attributes.cn=cn